From 6805d106c545edaa7c7126c49a54e680d3c3fb18 Mon Sep 17 00:00:00 2001 From: Szabolcs Varhegyi Date: Wed, 11 Jun 2025 11:16:39 +0200 Subject: [PATCH 1/3] implement ForceAuthn properties --- classes/auth.php | 6 +++++- lang/en/auth_saml2.php | 2 ++ settings.php | 9 +++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/classes/auth.php b/classes/auth.php index a03b6c067..b5a09171a 100644 --- a/classes/auth.php +++ b/classes/auth.php @@ -646,7 +646,11 @@ public function saml_login() { $params['ErrorURL'] = (new moodle_url('/login/index.php', ['saml' => 0]))->out(false); } $params['AllowCreate'] = $this->config->allowcreate == 1; - + $forceauthn = get_config('auth_saml2', 'forceauthn'); + if($forceauthn && $forceauthn == '1') { + $params['ForceAuthn'] = true; + } + $auth = new \SimpleSAML\Auth\Simple($this->spname); // Redirect to IdP login page for authentication. $auth->requireAuth($params); diff --git a/lang/en/auth_saml2.php b/lang/en/auth_saml2.php index f0974abc5..e49277c38 100644 --- a/lang/en/auth_saml2.php +++ b/lang/en/auth_saml2.php @@ -48,6 +48,8 @@ $string['authncontext_help'] = 'Allows augmentation of assertions. Leave blank unless required'; $string['autocreate'] = 'Auto create users'; $string['autocreate_help'] = 'Allow creation of Moodle users on demand'; +$string['forceauthn'] = 'ForceAuthn'; +$string['forceauthn_help'] = 'Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.'; $string['autologin'] = 'Auto-login'; $string['autologin_help'] = 'On pages that allow guest access without login, automatically log users into Moodle with a real user account if they are logged in to the IdP (using passive authentication).'; $string['autologinbycookie'] = 'Check when the specified cookie exists or changes'; diff --git a/settings.php b/settings.php index 27fe83781..df4ae6187 100644 --- a/settings.php +++ b/settings.php 
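Review bot: The new `$params['ForceAuthn'] = true;` is only a request to the IdP, and nothing on the SP side checks that a fresh authentication actually took place, so a deployer who turns this on for step-up or session-refresh gets no guarantee from this code alone; a comment on the new block should say so, e.g. `// ForceAuthn only asks the IdP to re-authenticate; an IdP may ignore it, so do not treat the returned assertion as proof of a fresh login without checking its AuthnInstant.` The line just above reads the same plugin config through `$this->config->allowcreate`, so the new block could use `$this->config->forceauthn` rather than a second `get_config()` call, and `(int) $forceauthn === 1` would avoid the loose `== '1'` compare on a string setting — assuming `$this->config` is populated from the full `auth_saml2` config, which is not visible here. If the passive auto-login described in the new `autologin_help` string also goes through `saml_login()`, the request would then carry both `ForceAuthn` and `IsPassive`, a combination SAML 2.0 Core says must not produce a fresh authentication, so that path should be confirmed or excluded. `saml_login()` begins and ends outside this hunk.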
@@ -253,6 +253,15 @@ '' )); + //ForceAuthn properties + $forceauthn = new admin_setting_configselect( + 'auth_saml2/forceauthn', + get_string('forceauthn', 'auth_saml2'), + get_string('forceauthn_help', 'auth_saml2'), + 0, $yesno); + $forceauthn->set_updatedcallback('auth_saml2_update_forceauthn'); + $settings->add($forceauthn); + // Auto login. $autologinoptions = [ saml2_settings::OPTION_AUTO_LOGIN_NO => get_string('no'), From f774f7cc817bb1f46a824b6142d1d51afcfa6e76 Mon Sep 17 00:00:00 2001 From: Szabolcs Varhegyi Date: Thu, 12 Jun 2025 13:29:04 +0200 Subject: [PATCH 2/3] implement logout method based on settings --- logout.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/logout.php b/logout.php index 15a73ae43..5c5f573c2 100644 --- a/logout.php +++ b/logout.php @@ -33,6 +33,15 @@ // order to properly re-log into Moodle. It's a rare edge case // probably only used when configuring or testing but nice to have. -$auth = new SimpleSAML\Auth\Simple($saml2auth->spname); -$auth->logout('/'); +$attemptsignout = get_config('auth_saml2', 'attemptsignout'); +if($attemptsignout && $attemptsignout == '1') { + $auth = new SimpleSAML\Auth\Simple($saml2auth->spname); + $auth->logout('/'); +} else { + $alterlogout = get_config('auth_saml2', 'alterlogout'); + if($alterlogout && $alterlogout != '') { + redirect($alterlogout); + } + redirect(new moodle_url('/')); +} \ No newline at end of file From 8f51cd3e4d1dd7f87065bcba170902585f38fd43 Mon Sep 17 00:00:00 2001 From: Szabolcs Varhegyi Date: Mon, 28 Jul 2025 12:08:07 +0200 Subject: [PATCH 3/3] fix logout --- logout.php | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/logout.php b/logout.php index 5c5f573c2..642b85060 100644 --- a/logout.php +++ b/logout.php 
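Review bot: `set_updatedcallback('auth_saml2_update_forceauthn')` names a function that none of the three files in this series defines, so saving the setting will fail with an undefined-function error unless that function already exists elsewhere in the plugin, which the diffstat gives no sign of. Because `ForceAuthn` is read from config at login time in `saml_login()`, nothing needs regenerating when the value changes, and the callback line can simply be dropped, leaving `$settings->add($forceauthn);` directly after the constructor call. Moodle's coding style also wants a space and a full stop in the new comment: `// ForceAuthn properties.` The `$yesno` options array is referenced but defined outside this hunk.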
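Review bot: In the new `else` branch the SimpleSAMLphp SP session is never terminated — the code only redirects — so a user who reaches this endpoint with `attemptsignout` off presumably stays authenticated at the SP and the next login is re-established without an IdP round-trip, which defeats the "properly re-log into Moodle" purpose stated in the context comment above. If the intent is only to skip the IdP sign-out, the SP-local session still has to be dropped before `redirect($alterlogout)` / `redirect(new moodle_url('/'))`; the exact SimpleSAMLphp call for a local-only logout depends on the bundled version, which is not visible here. `attemptsignout` and `alterlogout` are not added by any settings hunk in this series, so they must already exist in the plugin for this branch to ever be taken. Patch 3/3 reverts this hunk entirely, so these points apply only if the approach is reintroduced.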
@@ -33,15 +33,5 @@ // order to properly re-log into Moodle. It's a rare edge case // probably only used when configuring or testing but nice to have. -$attemptsignout = get_config('auth_saml2', 'attemptsignout'); - -if($attemptsignout && $attemptsignout == '1') { - $auth = new SimpleSAML\Auth\Simple($saml2auth->spname); - $auth->logout('/'); -} else { - $alterlogout = get_config('auth_saml2', 'alterlogout'); - if($alterlogout && $alterlogout != '') { - redirect($alterlogout); - } - redirect(new moodle_url('/')); -} \ No newline at end of file +$auth = new SimpleSAML\Auth\Simple($saml2auth->spname); +$auth->logout('/'); \ No newline at end of file