
Azure Enterprise Application - Cannot retrieve metadata for IdP #806

Open
dev90001 opened this issue Mar 7, 2024 · 1 comment
Comments


dev90001 commented Mar 7, 2024

Occasionally we are getting the following error when a user logs into Moodle:

SAML2 exception: Cannot retrieve metadata for IdP 'https://sts.windows.net/guid_removed/' because it isn't a valid IdP for this SP.

Is this the correct way to configure the SAML2 plugin for an Azure AD Enterprise Application? This appears to be working most of the time, however the exception above is thrown sometimes upon login.

Basic SAML Configuration

| Name | Value |
| --- | --- |
| Identifier (Entity ID) | https://example.com/myapp/auth/saml2/sp.metadata.php |
| Reply URL (Assertion Consumer Service URL) | https://example.com/myapp/auth/saml2/saml2-acs.php |
| Sign on URL (optional) | (blank) |
| Relay State (optional) | (blank) |
| Logout Url (optional) | https://example.com/myapp/auth/saml2/loutput.php |

There does not appear to be any documentation relating to how to configure an Azure AD Enterprise Application using SAML SSO. Is this scenario supported?

Currently using: 27_34STABLE


anku57 commented Jan 9, 2025

The error message you're seeing indicates that there might be an issue with the configuration between Moodle's SAML2 plugin and Azure AD. Although the configuration might be working intermittently, it's possible that some settings are not aligned properly, causing the error occasionally.

Here’s a breakdown of your current configuration, along with possible areas to check:

1. Identifier (Entity ID):
   - Current Value: https://example.com/myapp/auth/saml2/sp.metadata.php
   - Azure AD Configuration: Ensure that the Entity ID set in Azure AD matches this URL. The Entity ID in Azure AD should correspond to the value in Moodle's SAML2 plugin configuration.
   - Recommendation: Verify that the Entity ID matches the metadata URL in both the SAML2 plugin in Moodle and in the Azure AD configuration. Double-check for any typos or inconsistencies.
2. Reply URL (Assertion Consumer Service URL):
   - Current Value: https://example.com/myapp/auth/saml2/saml2-acs.php
   - This is where Azure AD sends the SAML response after authentication. Ensure that the Reply URL in Azure AD matches this exactly, including any trailing slashes.
3. Logout URL:
   - Current Value: https://example.com/myapp/auth/saml2/loutput.php
   - Ensure this is correctly configured in both Moodle and Azure AD to handle logout processes properly.
4. IdP Configuration in Moodle:
   - Error: Cannot retrieve metadata for IdP 'https://sts.windows.net/guid_removed/' because it isn't a valid IdP for this SP
   - The sts.windows.net/guid_removed URL is generated by Azure AD, and it must be properly configured in the SAML2 plugin. This URL represents your Azure AD's IdP metadata.
   - Recommendation: Ensure that the IdP metadata URL in Moodle's configuration is properly set to match the metadata URL provided by Azure AD. You may need to manually configure the IdP metadata URL or upload the metadata XML file from Azure AD to Moodle.
5. Periodic Login Issues:
   - The error being thrown intermittently could be related to network issues or temporary problems retrieving metadata from Azure AD.
   - Recommendation: Verify that the metadata URL for Azure AD is publicly accessible and is not experiencing intermittent connectivity issues. It might also help to check if there’s any caching mechanism in place that could cause outdated metadata to be used.

Additional Considerations:

- Automatic Metadata Retrieval: Ensure that Moodle’s SAML2 plugin is configured to automatically retrieve the IdP metadata from Azure AD. If you’re providing the metadata manually, verify that it’s up to date.
- Azure AD Enterprise Application: Ensure that the SAML-based single sign-on configuration in Azure AD is correctly set up and that the application is assigned to all required users.

Conclusion:

It is indeed possible to configure Azure AD with Moodle’s SAML2 plugin for Single Sign-On (SSO). However, to resolve the error, ensure the configuration between Moodle and Azure AD is correct, particularly with the Entity ID, Assertion Consumer Service URL, and IdP metadata. Additionally, ensure proper metadata retrieval and troubleshoot any network issues that might cause intermittent errors.
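A small offline check for points 4 and 5 above, added here as an example and not code from the Moodle auth_saml2 plugin or from either commenter: it parses the IdP metadata the SP trusts, extracts the `Issuer` from a SAML response, and compares the two with an exact string match (trailing slash included), which is the comparison behind the "isn't a valid IdP for this SP" error in the SimpleSAMLphp library the plugin builds on. The metadata, the response and the all-zero tenant GUID are constructed placeholders.

```python
# Added example: verify that a SAML response's Issuer is one of the entityIDs
# declared in the IdP metadata the SP trusts. Inputs below are constructed
# placeholders (tenant GUID is all zeros), not values from the issue.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed IdP metadata, shaped like the Azure AD federation metadata:
# note the trailing slash on the entityID, which Azure AD always emits.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed response whose Issuer lacks the trailing slash: a realistic
# way to end up with an Issuer that is not an exact match for the metadata.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000</saml:Issuer>
</samlp:Response>"""

def trusted_entity_ids(metadata_xml):
    """Every entityID in the file: a single EntityDescriptor or an EntitiesDescriptor."""
    root = ET.fromstring(metadata_xml)
    ids = [root.get("entityID")] if root.get("entityID") else []
    ids += [e.get("entityID") for e in root.findall(".//md:EntityDescriptor", NS)]
    return ids

def response_issuer(response_xml):
    """The Issuer element of the Response, stripped of surrounding whitespace."""
    el = ET.fromstring(response_xml).find("saml:Issuer", NS)
    return el.text.strip() if el is not None and el.text else None

def check_issuer(response_xml, metadata_xml):
    """Return (ok, reason). Exact match only, as the SP library requires."""
    issuer = response_issuer(response_xml)
    trusted = trusted_entity_ids(metadata_xml)
    if issuer in trusted:
        return True, "issuer matches a trusted IdP entityID"
    # Distinguish the common near-miss (slash only) from a wholly unknown IdP.
    near = [t for t in trusted if t.rstrip("/") == (issuer or "").rstrip("/")]
    if near:
        return False, f"trailing-slash mismatch: response {issuer!r} vs metadata {near[0]!r}"
    return False, f"issuer {issuer!r} not among trusted IdPs {trusted}"
```

Run it against a saved copy of the federation metadata and a decoded response captured from a failing login to see whether the mismatch is the entityID string itself or genuinely stale metadata.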
