SAML: .Net to Totara


I have a requirement to set up SSO from Umbraco(.Net) to Totara(PHP).

Totara is built upon the Moodle platform and is used to create Learning Management Systems.

Whilst waiting for the Totara site to be set up I created a proof of concept using Umbraco(.Net) as the IDP and Umbraco(.Net) as the SP. This worked great using your SAML High Level API.

Now my challenge is to communicate with Totara as the (SP).

Do you have any documentation on setting this up?



Hi Darren
I’m afraid we don’t.
It should just be a matter of exchanging configuration information.
We can certainly assist if you have any questions setting up the configuration in your IdP.

Thank you for your response.

Within the Totara (Service Provider) authorisation settings for SAML 2 it is asking for:

1) IdP metadata xml OR public xml URL

with an example of:

To use multiple IdPs enter each public metadata url on a new line.
To override a name, place text before the http. eg. “Forced IdP Name <a href=“http://ssp.local/simplesaml/saml2/idp/metadata.php””>http://ssp.local/simplesaml/saml2/idp/metadata.php"

Can you confirm that this is the SAML.config file e.g. on my .Net IDP application.

2) NameID Policy

with the following options:
  • - urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • - urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • - urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Do you know which option I would use to work with your code?


The IdP metadata is different from the saml.config.
Metadata is the standard format for exchanging configuration information between SAML providers.
The saml.config file is the internal SAML configuration required to support the SAML implementation.
You can generate SAML metadata from your saml.config using the ExportMetadata console application.
You’ll find the project under the Examples\Metadata folder.
Here’s an example of running ExportMetadata to generate metadata for the ExampleIdentityProvider.

SAML configuration file to export [saml.config]: \SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\saml.config
X.509 certificate file [None]: \SAMLv20\Examples\SSO\HighLevelAPI\WebForms\ExampleIdentityProvider\certificates\idp.cer
Single SignOn Service URL [None]: http://localhost:51801/SAML/SSOService.aspx
Single Logout Service URL [None]: http://localhost:51801/SAML/SLOService.aspx
Partner Service Provider Name [None]:
SAML metadata file [metadata.xml]:

The NameID policy describes the type of Name ID the service provider would like your identity provider to return.
The Name ID is the primary piece of user identity information returned in the SAML assertion by the identity provider.
We don’t place any restrictions on this and it’s something you need to agree to with the service provider.
I suggest choosing the policy type that matches closest with the Name ID type that you’ll be returning.