Closed plozano closed 7 years ago
We are trying to set SAML2 and trying to use okta
So okta by the looks of it is a SAML IDP? Are you trying to authenticate solely with okta or do you want dual authentication with local moodle logins + okta logins?
Either way you shouldn't need to configure the 'single signon url', the IDP (i.e. okta?) will provide this on the fly when the user tries to authenticate and will redirect them there. In any case the single sign on url won't be inside moodle, it will be inside whatever your IDP is. I'd imagine the SSO url would be something vaguely like https://mycompany.okta.com/login/
Thank you so much for replying!
We are trying to authenticate solely with okta. Is it easier to authenticate with both?
It's just a checkbox on the moodle side so easy either way - but the login experience is always better if there is only 1 login page so I tend to avoid dual auth unless the client really needs it. Even with dual auth off there is still the 'backdoor' manual login which you can use for moodle admins or whoever in emergencies if the saml idp is down or the connection is broken.
You are awesome! Waiting to hear from the OKTA admin to change the path. Thank you for your help.
The path that the admin was adding to the single sign on URL is http://www.example.com/moodle/auth/saml2/sp/saml1-acs.php/www.example.com. That's not working though. We get a flickering effect of a constant redirect. What should they be adding in that field?
That gui doesn't make any sense to me, okta should be providing that url not moodle. It shouldn't even be a config item on their end!? I can't really provide support on okta
That makes sense. Thank you for helping me again.
@plozano we have this working -- figured I'd document it here for posterity since it took several hours of debugging (Okta's attempts at making SAML2 more accessible are awful; their terminology is too abstract).
The settings we changed from the new application defaults are as follows:
Okta name | Sane name | Value |
---|---|---|
Single sign on URL | ACS URL | https://example.com/auth/saml2/sp/saml2-acs.php/example.com |
Audience URI | Entity ID | https://example.com/auth/saml2/sp/metadata.php |
Enable Single Log Out | Enable Single Log Out | True |
Single Logout URL | Single Logout URL | https://example.com/auth/saml2/sp/saml2-logout.php/example.com |
Assertion Encryption | Assertion Encryption | Encrypted |
And our attribute mapping:

Name | Value |
---|---|
Login | user.login |
FirstName | user.firstName |
LastName | user.lastName |
Email | user.email |
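An added example, not code from this thread or from the auth_saml2 project: a small script that reads the SP's own metadata.php output and derives the values that belong in the Okta fields of the table above, then diffs them against what was actually typed into Okta. The point is the mix-up earlier in the thread: metadata.php lists several AssertionConsumerService endpoints, and only the one with the SAML 2.0 HTTP-POST binding (saml2-acs.php) is the "Single sign on URL" Okta wants; pasting the saml1-acs.php entry produces the redirect loop described. The metadata document below is a constructed sample modelled on the plugin's output, and the function names and the use of Okta's field labels as dictionary keys are my own conventions.

```python
"""Derive Okta SAML app settings from an auth_saml2 SP metadata document and
check them against what an administrator entered in Okta."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample, modelled on what /auth/saml2/sp/metadata.php returns.
# Note the two ACS entries: SAML 2.0 HTTP-POST (saml2-acs.php) and the
# legacy SAML 1.x browser-post profile (saml1-acs.php).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.com/auth/saml2/sp/metadata.php">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.com/auth/saml2/sp/saml2-logout.php/example.com"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/auth/saml2/sp/saml2-acs.php/example.com"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://example.com/auth/saml2/sp/saml1-acs.php/example.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# The working Okta configuration from the thread, keyed by Okta's field labels.
GOOD_OKTA = {
    "Single sign on URL": "https://example.com/auth/saml2/sp/saml2-acs.php/example.com",
    "Audience URI": "https://example.com/auth/saml2/sp/metadata.php",
    "Single Logout URL": "https://example.com/auth/saml2/sp/saml2-logout.php/example.com",
}


def sp_endpoints(metadata_xml: str) -> dict:
    """Extract entityID, the SAML 2.0 HTTP-POST ACS URL and the SLO URL."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    acs_url = None
    for svc in sp.findall("md:AssertionConsumerService", NS):
        # Skip SAML 1.x profiles and artifact bindings; Okta posts a SAML 2.0
        # Response to the HTTP-POST endpoint.
        if svc.get("Binding") == SAML2_POST:
            acs_url = svc.get("Location")
            break
    if acs_url is None:
        raise ValueError("metadata has no SAML 2.0 HTTP-POST AssertionConsumerService")

    slo_url = None
    for svc in sp.findall("md:SingleLogoutService", NS):
        if svc.get("Binding") in (SAML2_REDIRECT, SAML2_POST):
            slo_url = svc.get("Location")
            break

    return {"entity_id": root.get("entityID"), "acs_url": acs_url, "slo_url": slo_url}


def okta_fields(endpoints: dict) -> dict:
    """Map SP metadata values onto the Okta field labels used in the thread."""
    fields = {
        "Single sign on URL": endpoints["acs_url"],
        "Audience URI": endpoints["entity_id"],
    }
    if endpoints["slo_url"]:
        fields["Single Logout URL"] = endpoints["slo_url"]
    return fields


def check_okta_config(metadata_xml: str, okta_config: dict) -> list:
    """Return a list of human-readable mismatches; empty means Okta matches the SP."""
    problems = []
    for field, want in okta_fields(sp_endpoints(metadata_xml)).items():
        got = okta_config.get(field)
        if got != want:
            problems.append(f"{field}: Okta has {got!r}, SP metadata says {want!r}")
        if got and "/saml1-acs.php/" in got:
            problems.append(
                f"{field}: points at the SAML 1.x endpoint (saml1-acs.php); "
                "use the saml2-acs.php HTTP-POST endpoint from metadata.php"
            )
    return problems


if __name__ == "__main__":
    wrong = dict(GOOD_OKTA)
    wrong["Single sign on URL"] = "https://example.com/auth/saml2/sp/saml1-acs.php/example.com"
    for cfg in (GOOD_OKTA, wrong):
        print(check_okta_config(SAMPLE_METADATA, cfg) or ["OK"])
```

To run this against a real site, replace `SAMPLE_METADATA` with the body fetched from your own `/auth/saml2/sp/metadata.php`; nothing in the checks depends on the sample beyond its structure.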
thanks heaps @LukeCarrier - I don't think there is anything actionable from a code point of view here, and that table is a good help to others with the same issue. So I will close this. If you feel like opening a pull request to add some words to the README.md file in the gotchas section specifically to Okta that would be cool too
Thank you for replying. This was really helpful.
I've just cut and pasted that table to the gotchas section of the readme
Hi,
We are trying to set SAML2 and trying to use okta at the same time. In our set up we are using the single sign on URL which we are getting from the metadata.php file http://www.example.com/moodle/auth/saml2/sp/metadata.php.
In the binding in the xml file I get this URL created. We are trying to configure the URL that we should add to the field and we are using the one below. Which path is usually used for the single sign on URL?
http://www.example.com/moodle/auth/saml2/sp/saml1-acs.php/www.example.com
Thank you for your help.