This plugin gives you the ability to issue custom SSO cookies (from Moodle) so that other services/applications within the cookie domain may authenticate and validate logged-in Moodle users.
For organizations that do not have a readily available CAS, Shibboleth, or similar environment, achieving true (roaming) single sign-on with Moodle isn't as easy as it should be.
This authentication module is geared for environments where roaming SSO is needed between Moodle (acting as the source) and custom (modifiable) applications.
This module has been tested to work with Moodle 2.1.1+ (Build: 20110916), but should reasonably work with any Moodle 2.x.x installation. Please let me know if this isn't the case.
$ apt-get install php5-mcrypt
$ /etc/init.d/apache2 restart
$ cd /path/to/your/moodle/installation
$ cd auth
$ git clone https://github.com/marvinpinto/moodle-ssso.git ssso
Then log in as a user with administrator rights and go to Site Administration -> Notifications, where you will install this like any other Moodle plugin.
Don't forget to set the appropriate web permissions on the auth/ssso directory.
After successfully installing this module, log in as a user with administrator rights and go to Site Administration -> Plugins -> Authentication -> Manage Authentication. Proceed to enable the module named Simple Single Sign-On (SSSO). Ensure that this module is given the lowest priority in the Available authentication plugins list.
- Cookie name: The name that will be used to distinguish this cookie from others.
- Path: Used to identify the scope of the cookie, see Wikipedia for more information. Do not change the default value of / unless you know what you're doing!
- Domain: Once again used to identify the scope of the cookie, see Wikipedia for more information. Remember that in order for SSO to work, both Moodle and the cookie consumer (application) need to belong to the same domain.
- Expiry: Cookie validity time in hours.
- Secret: 32-character (256-bit) passphrase which will be used as the key to encrypt and decrypt the shared cookie. Have a look at this PC Tools generator for some interesting ideas.
- Salt: 32-character (256-bit) value which will be used together with the secret to encrypt and decrypt the shared cookie (it is the IV in the consumer example further down). Have a look at this PC Tools generator for some interesting ideas.
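To check how the Domain and Path settings above actually scope the cookie, here is an added Python example (it is not part of the plugin) that applies the RFC 6265 domain-matching and path-matching rules a browser uses when deciding whether to send a cookie, so you can confirm that a consumer URL will receive the cookie Moodle sets. The host names, URLs and function names in it are constructed for illustration.

```python
"""Will a consumer at this URL receive the SSSO cookie? (Added example, not
plugin code.) Applies the RFC 6265 domain-match (5.1.3) and path-match (5.1.4)
rules a browser uses when deciding whether to send a cookie, given the Domain
and Path the plugin is configured with. All hosts/URLs below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or host is a subdomain of the cookie domain."""
    host = request_host.lower().rstrip(".")
    # Browsers ignore a leading dot in the Domain attribute, so ".example.org"
    # and "example.org" behave the same.
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal only ever matches exactly
    except ValueError:
        pass
    # The host must end with "." + domain: "app.example.org" matches
    # "example.org", but "notexample.org" and "app.example.org.evil.net" do not.
    return host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: cookie path is a directory prefix of the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/moodle" must not match "/moodleadmin"; a prefix only counts on a "/" boundary.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def consumer_receives_cookie(consumer_url: str, cookie_domain: str,
                             cookie_path: str = "/") -> bool:
    """True if a browser holding the SSSO cookie would send it to consumer_url."""
    parts = urlsplit(consumer_url)
    host = parts.hostname or ""
    path = parts.path or "/"
    return domain_matches(host, cookie_domain) and path_matches(path, cookie_path or "/")


if __name__ == "__main__":
    # Constructed scenario: Moodle at moodle.example.org sets Domain=example.org, Path=/
    for url in ("https://app.example.org/sso/return",
                "https://example.org/",
                "https://app.example.org.evil.net/",   # suffix trick, must fail
                "https://notexample.org/",             # no dot boundary, must fail
                "https://example.com/"):
        print(url, consumer_receives_cookie(url, "example.org"))
```

Keep in mind that Moodle can only set a Domain it is itself within (moodle.example.org may set example.org, never some-other.com), so the consumer has to live under that same parent domain; the check above tells you whether a given consumer host qualifies before you deploy.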
In order for a user to seamlessly roam between two SSSO enabled systems, the following protocol will need to be adhered to:
1. Consumer will read in and decrypt the domain cookie using the shared secret and salt (the Secret and Salt settings above).
2. Consumer will then verify that the user's actual IP address matches the value specified in the cookie.
3. If step 2 fails, consider this a bogus login attempt and redirect the user to the appropriate login page.
4. It goes without saying, but if this cookie is not present, the user is not logged in and will need to be redirected or pointed to the appropriate login page.
Two caveats for consumer authors: decrypting a forged or corrupted cookie (or one made under a different secret) does not fail loudly in CBC mode, it simply yields garbage, so step 1 should also check that the decrypted text has exactly the three fields in the format below before step 2 is attempted. And the address compared in step 2 must be the one the request actually arrived from; clients behind a shared NAT or proxy all present the same address, so the IP check is a hurdle for an attacker, not a proof of identity.
The decrypted cookie has the form:
username=<moodle username>|email=<full email>|IP=<a.b.c.d>
Also note that each field is delimited by the | (bar) character, so it should go without saying that Moodle usernames should not contain the | character.
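The consumer-side half of the protocol above, as an added Python example that is not code from the plugin or its lib.php. It picks up after decryption: the caller has already base64-decoded the cookie and run the cipher with the shared secret and salt, and passes in the raw decrypted bytes, which still carry the zero padding added at encryption time. It then strips that padding, parses the username/email/IP record strictly (rejecting anything that does not decrypt to exactly three well-formed fields), and performs the IP comparison and the missing-cookie case. The sample plaintext, client addresses and helper names are constructed for illustration.

```python
"""Consumer-side SSSO cookie validation (added example; not the plugin's code).

Covers the protocol steps after decryption: the caller passes in the raw
decrypted bytes of the cookie (Rijndael-256-CBC or the DES-CBC variant, both
zero padded) plus the address the request really came from.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FIELD_SEP = "|"
REQUIRED_FIELDS = ("username", "email", "IP")
BLOCK_SIZE = 32  # Rijndael-256 block; use 8 for the DES-CBC variant


@dataclass(frozen=True)
class SsoIdentity:
    username: str
    email: str
    ip: str


class SsoRejected(Exception):
    """The cookie must be treated as a bogus login attempt."""


def zero_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    # What mcrypt / PaddingMode.Zeros do before encrypting: fill the last
    # block with 0x00, adding nothing if the input already fills a block.
    rem = len(data) % block_size
    return data if rem == 0 else data + b"\x00" * (block_size - rem)


def strip_zero_padding(plaintext: bytes) -> bytes:
    # The decryptor does not remove zero padding; the cookie fields never
    # legitimately end in NUL, so trailing NULs are always padding.
    return plaintext.rstrip(b"\x00")


def parse_cookie(plaintext: bytes) -> SsoIdentity:
    """Step 1 (after decryption): parse username=...|email=...|IP=... strictly.

    With CBC and no MAC, decrypting a forged or corrupted cookie under the
    wrong key yields garbage rather than an error, so anything that is not
    exactly three well-formed fields is rejected.
    """
    try:
        text = strip_zero_padding(plaintext).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise SsoRejected("cookie did not decrypt to text") from exc
    fields = {}
    for part in text.split(FIELD_SEP):
        key, sep, value = part.partition("=")
        if not sep or not value or key in fields:
            raise SsoRejected(f"malformed field {part!r}")  # e.g. a '|' inside a username
        fields[key] = value
    if tuple(fields) != REQUIRED_FIELDS:  # extra, missing or reordered fields
        raise SsoRejected(f"unexpected fields {list(fields)}")
    try:
        ip = str(ipaddress.ip_address(fields["IP"]))
    except ValueError as exc:
        raise SsoRejected("IP field is not an address") from exc
    return SsoIdentity(fields["username"], fields["email"], ip)


def authenticate(plaintext: Optional[bytes], client_ip: str) -> SsoIdentity:
    """Steps 2-4: compare the cookie's IP with the actual client address.

    client_ip must be the address the request really came from (the socket
    peer, or a forwarding header only if it is set by a proxy you control).
    """
    if plaintext is None:  # step 4: no cookie means not logged in
        raise SsoRejected("no SSSO cookie; redirect to login")
    identity = parse_cookie(plaintext)
    if ipaddress.ip_address(client_ip) != ipaddress.ip_address(identity.ip):
        raise SsoRejected("client address does not match cookie; bogus login")  # step 3
    return identity


def try_authenticate(plaintext: Optional[bytes], client_ip: str) -> Optional[SsoIdentity]:
    """Convenience wrapper: identity on success, None when the user must log in."""
    try:
        return authenticate(plaintext, client_ip)
    except (SsoRejected, ValueError):
        return None


# Constructed sample: what the decryptor hands back for a 54-byte record
# padded to two 32-byte blocks (the address is the one in the README sample,
# the e-mail address is made up).
SAMPLE_PLAINTEXT = zero_pad(b"username=admin|email=admin@example.org|IP=130.63.69.53")

if __name__ == "__main__":
    print(try_authenticate(SAMPLE_PLAINTEXT, "130.63.69.53"))  # SsoIdentity(...)
    print(try_authenticate(SAMPLE_PLAINTEXT, "10.0.0.9"))      # None: IP mismatch
    print(try_authenticate(None, "130.63.69.53"))              # None: no cookie
```

The strict parse is what turns "decryption produced garbage" into a rejection: without it, a cookie decrypted under the wrong key can still split on | and be waved through if a field happens to line up.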
This cookie is recreated and destroyed each time a user (actively) logs in and out of Moodle. It is for this reason that users should be encouraged to (actively) log out after their session is complete, and administrators should keep the cookie validity period reasonably low.
The major security concern associated with a scheme using cookies is session hijacking. This is alleviated right off the bat by using HTTPS (check that the cookie is flagged Secure, so the browser never sends it over plain HTTP) and, separately, by encrypting the cookie contents.
The main purpose of encrypting the contents of the cookie is to thwart "casual snoopers"; it provides confidentiality, not integrity, since neither cipher option carries a MAC, which is why the consumer must verify the decrypted record's format and IP as described above. Combined with the following guidelines this should (theoretically) reduce the probability of a session hijacking (or similar cookie-related exploit) to negligible levels:
- Change the secret and salt at least once a month.
- Minimize the cookie validity as much as possible.
- Respect the SSSO protocol.
The plaintext cookie can be encrypted using either OpenSSL DES in CBC mode or AES256. Look through the lib.php file for the relevant functions and for PHP examples.
Here's an ASP.NET (C#) example adapted from this page. Note that it configures RijndaelManaged with a 256-bit block as well as a 256-bit key; that is Rijndael-256 as produced by PHP mcrypt's MCRYPT_RIJNDAEL_256, not standard AES-256 (whose block is fixed at 128 bits), so a consumer built on a stock AES library will not decrypt these cookies unless lib.php is using the 128-bit block variant. Check which one your installation uses before picking a library.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Rijndael with a 256-bit key AND a 256-bit block, matching PHP mcrypt's
// MCRYPT_RIJNDAEL_256 in CBC mode with zero padding.
private static RijndaelManaged NewCipher() {
    return new RijndaelManaged() {
        Padding = PaddingMode.Zeros,
        Mode = CipherMode.CBC,
        KeySize = 256,
        BlockSize = 256
    };
}

public static string DecryptRJ256(string prm_key, string prm_iv,
        string prm_text_to_decrypt) {
    var key = Encoding.ASCII.GetBytes(prm_key);   // 32 ASCII chars = 256-bit key (the Secret)
    var IV = Encoding.ASCII.GetBytes(prm_iv);     // 32 ASCII chars = 256-bit IV (the Salt)
    var sEncrypted = Convert.FromBase64String(prm_text_to_decrypt);
    using (var myRijndael = NewCipher())
    using (var decryptor = myRijndael.CreateDecryptor(key, IV))
    using (var msDecrypt = new MemoryStream(sEncrypted))
    using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
    using (var msPlain = new MemoryStream()) {
        csDecrypt.CopyTo(msPlain);  // read to end; a single Read() may return short
        // Zero padding is not stripped by the decryptor: drop the trailing NULs.
        return Encoding.UTF8.GetString(msPlain.ToArray()).TrimEnd('\0');
    }
}

public static string EncryptRJ256(string prm_key, string prm_iv,
        string prm_text_to_encrypt) {
    var key = Encoding.ASCII.GetBytes(prm_key);
    var IV = Encoding.ASCII.GetBytes(prm_iv);
    var toEncrypt = Encoding.UTF8.GetBytes(prm_text_to_encrypt);
    using (var myRijndael = NewCipher())
    using (var encryptor = myRijndael.CreateEncryptor(key, IV))
    using (var msEncrypt = new MemoryStream()) {
        using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write)) {
            csEncrypt.Write(toEncrypt, 0, toEncrypt.Length);
            csEncrypt.FlushFinalBlock();  // emits the zero-padded last block
        }
        return Convert.ToBase64String(msEncrypt.ToArray());
    }
}

protected void Page_Load(object sender, EventArgs e) {
    // Shared 256-bit key and IV: 32 ASCII chars each (32 * 8 = 256 bits).
    // These are the placeholder values from the original sample; a real
    // consumer uses the Secret and Salt configured in the Moodle plugin.
    string sKy = "lkirwf897+22#bbtrm8814z5qq=498j5";
    string sIV = "741952hheeyy66#cs!9hjv887mxx7@8y";
    // The sample takes the ciphertext from a query parameter; an SSSO consumer
    // would instead read Request.Cookies["<cookie name>"].Value.
    if (Request.QueryString["t"] != null) {
        string t = Request.QueryString["t"].ToString();
        // '+' in base64 arrives as a space after URL decoding; restore it.
        t = t.Trim().Replace(" ", "+");
        Button1.Text = DecryptRJ256(sKy, sIV, t);
    }
}
Using the following key and salt values:
- Key: 9iebLEDo8SiunOewl1ciE7lAvoaQlekI
- Salt: biastO6fIu02Az8APrletIuY0u36A1IU
AES256 encrypted cookie:
T5Ew+cLmle3wcubDbcrx/dDN374ntABXJpqj+CX9TwwbqovXitI5HIa5TTzydq18oGIsE/mV3Bu9M2ksAux0sw==
OpenSSL encrypted cookie:
OfRbBd/Cx+mGlwVoxN/Dh/wGxMVNF5UaIxXlIrNOIzL4h3r27HjjKQzRzS8TLzTDdbEBb96narBb5OSdl8nBcg==
Decrypted contents:
username=admin|[email protected]|IP=130.63.69.53
Please report issues on the GitHub issue tracker. Patches are preferred as GitHub pull requests. Please use topic branches when sending pull requests rather than committing directly to master in order to minimize unnecessary merge commit clutter.
Copyright 2012 Marvin Pinto ([email protected])
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- Zip: marvinpinto-moodle-ssso.zip
- Tarball: marvinpinto-moodle-ssso.tar.gz
- Source code: marvinpinto/moodle-ssso
- Name: Marvin Pinto
- Email: [email protected]