Applications (as IdP)
Integration Guides
Moodle

Moodle SSO with MojoAuth

Connect your Moodle site to MojoAuth using SAML 2.0 and the community SAML2 authentication plugin (auth_saml2). MojoAuth acts as the Identity Provider (IdP); Moodle acts as the Service Provider (SP). Once configured, Moodle shows an SSO login button alongside (or instead of) its normal manual login form, and users can sign in via SP-initiated login (from Moodle) or IdP-initiated login (from your MojoAuth-hosted login page).

How it works

Prerequisites

  • A MojoAuth project (test or live) with admin access to Developers → Applications.
  • A Moodle site (self-hosted or Moodle Cloud) with Site administration access, and permission to install plugins (self-hosted) or request them (Moodle Cloud/hosted environments).
  • The SAML2 authentication plugin (auth_saml2) installed — it is not part of Moodle core and does not ship enabled by default.
  • Decide which Moodle field will match incoming users — email or username — and confirm existing Moodle accounts populate that field consistently.
⚠️

Enabling SAML2 does not remove Moodle's manual login form by default — both appear on the login page. Keep manual login available and test with a non-admin account until SSO is confirmed working, so you don't lock out your own admin account.

Step 1 — Create the MojoAuth SAML connection

  1. In the MojoAuth dashboard, go to Developers → Applications → New Application → SAML 2.0 SSO.
  2. Enter a connection name (e.g. Moodle – Production) and click Create connection. This creates a draft connection and auto-issues a signing certificate.
  3. Leave this tab open — you'll come back to copy the IdP metadata URL and, later, paste Moodle's SP details.

See SAML SSO Connections for the full concept walkthrough.

Step 2 — Install and configure the SAML2 plugin in Moodle

Install the SAML2 plugin

If it isn't already installed, go to Site administration → Plugins → Install plugins, search the plugins directory for SAML2 (auth_saml2), and install it — or download it from the Moodle plugins directory and upload it under auth/saml2 on your server, then complete the upgrade from Site administration → Notifications.

Open the SAML2 settings

Navigate to Site administration → Plugins → Authentication → Manage authentication, find SAML2 in the list, and click its settings (gear) icon to open Site administration → Plugins → Authentication → SAML2.

Import MojoAuth's IdP metadata

The simplest path: in the "IdP metadata xml OR public xml URL" field, paste your MojoAuth IdP metadata URL:

{BASE}/saml/{projectId}/sps/{spId}/metadata

Save the settings page. Moodle fetches the metadata and auto-loads:

  • The IdP entity ID
  • The IdP SSO URL (single sign-on endpoint)
  • The IdP's signing certificate

Or configure manually

If your Moodle server can't reach the metadata URL outbound, leave that field blank and fill in the equivalent fields by hand elsewhere in the plugin settings (IdP entity ID, SSO URL, and certificate), using the values below.

Moodle SAML2 fieldValue
IdP metadata xml OR public xml URL{BASE}/saml/{projectId}/sps/{spId}/metadata
IdP entity ID (if entering manually){BASE}/saml/{projectId}/sps/{spId}/metadata
IdP SSO URL (if entering manually){BASE}/saml/{projectId}/sps/{spId}/sso
IdP Single Logout URL (if entering manually){BASE}/saml/{projectId}/sps/{spId}/slo
IdP signing certificate (if entering manually)Paste the PEM from Copy PEM (or upload the downloaded .crt) on the MojoAuth connection page

Note Moodle's own SP metadata

The SAML2 plugin publishes Moodle's SP metadata at a fixed URL on your site:

https://<moodle>/auth/saml2/sp/metadata.php

Open this URL (or note it) — you'll give MojoAuth either this URL directly or the Entity ID and ACS URL it contains in the next step.

Step 3 — Give Moodle's SP details back to MojoAuth

Back on the MojoAuth SAML connection page:

  1. Use Import from metadata and paste Moodle's SP metadata URL:
    https://<moodle>/auth/saml2/sp/metadata.php
    MojoAuth fetches it and auto-fills the SP Entity ID and ACS URL.
  2. If your Moodle server isn't reachable from MojoAuth, choose Manual configuration instead and enter:
    • SP Entity ID: https://<moodle>/auth/saml2/sp/metadata.php (or the custom entity ID shown on the SAML2 settings page, if you set one)
    • ACS URL: https://<moodle>/auth/saml2/sp/saml2-acs.php/<moodle>
  3. Set NameID format to emailAddress if Moodle will match users on email, or unspecified/ persistent if matching on username — this must agree with the field/attribute used to match users you configure in Moodle (Step 4).
  4. Click Save.

Step 4 — Attribute mapping and user matching

The SAML2 plugin settings page has a "Mapping IdP to Moodle" section where you map incoming SAML attributes to Moodle profile fields, plus a setting for which field identifies the user (matched against the SAML NameID or a mapped attribute) — typically email or username.

Moodle fieldMojoAuth saml_nameMojoAuth sourcename_format
Field used to match users (email or username)email or identifier (matches the field Moodle is configured to match on)
emailemailemailbasic
firstnamefirstnamefirstNamebasic
lastnamelastnamelastNamebasic

Configure on the MojoAuth connection's Attribute mappings section, and in Moodle:

  • On the SAML2 settings page, set the "Field/attribute used to match users" (or equivalent user matching setting) to email, and set the connection's NameID format to emailAddress with source: email mapped to the subject — this is the simplest setup for most sites.
  • If matching on username instead, map source: identifier (or userId, depending on your directory) to the NameID, and set NameID format to unspecified or persistent.
  • Add the email, firstname, lastname attribute rows above and map them in the "Mapping IdP to Moodle" section so Moodle can populate (and, on later logins, refresh) the profile.
  • To let Moodle create accounts automatically for first-time SSO users, enable the plugin's auto-create users setting (JIT provisioning). Without it, a matching Moodle account must already exist before SSO login will succeed.

Moodle also needs a value for email format / duplicate-email handling if your site allows multiple accounts to share an email — check Site administration → Users → Permissions → User policies for allowaccountssameemail if users report "duplicate email" errors during account matching.

Step 5 — Enable the auth method and test

  1. Back on Site administration → Plugins → Authentication → Manage authentication, find SAML2 in the list and click the eye icon to enable it. Confirm it's enabled and, if desired, drag it above Manual accounts and other methods in the display order.
  2. Visit your Moodle login page — you should now see an SSO button (commonly labelled with your IdP name or "Log in via SAML2") in addition to the manual username/password form.
  3. Use the plugin's built-in "Test settings" tool (on the SAML2 settings page) to run an SP-initiated test SAML exchange against MojoAuth and confirm the metadata, endpoints, and certificate are wired up correctly before testing with a live user.
  4. From the MojoAuth connection page, use Test SSO to run an IdP-initiated login and confirm a valid signed assertion reaches Moodle's ACS URL.
  5. Test an end-to-end login with a non-admin test account in a private/incognito browser window, keeping your own admin session on manual login until you've confirmed the flow works.

Troubleshooting

Metadata import fails or shows stale values The SAML2 plugin caches metadata it fetches from the IdP metadata URL. If you rotate MojoAuth's signing certificate or change endpoints, return to Site administration → Plugins → Authentication → SAML2 and re-save (or re-enter) the "IdP metadata xml OR public xml URL" field to force a refresh — Moodle does not always poll automatically.

"User not found" / account not matched on login The field/attribute used to match users on the SAML2 settings page doesn't line up with what MojoAuth sends in the NameID or mapped attribute. Confirm the connection's NameID format and mapped source (Step 4) correspond to a real, populated value (email or username) on an existing Moodle user, or enable auto-create users if you want new accounts provisioned automatically.

Duplicate/conflicting email errors during account matching Moodle enforces unique emails per account by default. If two Moodle users share (or would share) an email address, matching fails or creates a conflict. Check allowaccountssameemail under Site administration → Users → Permissions → User policies, and clean up duplicate accounts before enabling SSO broadly.

Certificate / signature validation errors The X.509 certificate Moodle has on file for MojoAuth is stale (certificates rotate periodically) or was entered incorrectly. Re-import the IdP metadata URL to refresh it automatically, or re-copy the PEM from Copy PEM on the MojoAuth connection page and paste it into the manual certificate field.

ACS URL / Entity ID mismatch ("Invalid Destination" or audience errors) The SP Entity ID or ACS URL saved on the MojoAuth connection doesn't exactly match what https://<moodle>/auth/saml2/sp/metadata.php publishes. Re-import Moodle's SP metadata URL on the MojoAuth connection page rather than typing the values by hand, since the ACS path includes your site's exact hostname.

"Test settings" tool reports a failure Run the SAML2 plugin's Test settings link (on the settings page) first — it reports specific mismatches (missing certificate, unreachable metadata URL, endpoint errors) before you attempt a real login, which is faster to debug than reading raw SSO failures from an end user's browser.

SSO button appears but manual login is gone (or vice versa) Whether both login options appear depends on the plugin's display-name and ordering settings on Manage authentication, and on whether Manual accounts is still enabled. If you need to keep a fallback for admins, ensure Manual accounts stays enabled and ordered alongside SAML2 rather than disabling it.

Attributes (name, email) not updating on repeat logins Confirm the mapping rows in "Mapping IdP to Moodle" (Step 4) exist for every field you expect to sync, and that the MojoAuth connection's attribute mappings send them on every login, not just first login — some Moodle configurations only update profile fields during account creation unless updates are explicitly allowed.

Related docs