SAML Integration Option does not appear on Login screen

Hi,
I have been trying to integrate my institute’s SAML IdP with my Tutor installation. However, I have not been able to make the Login option appear on the Login page. I have followed the official edX page for integration along with this discussion.
Following are the steps I did:

  1. Configure my site as a SAML provider.
  2. Configure SAML Provider using the following settings:
    backend: tpa-saml
    Enabled: true
    Visible: true
  3. I can see that the ‘Metadata Ready’ flag is green and I can see the data in the Provider Data section. So apparently this part is working.
  4. I did/verified the following settings:
    lms.env.json:
    "THIRD_PARTY_AUTH_BACKENDS": ["third_party_auth.saml.SAMLAuthBackend"],
    "FEATURES": {
    "ENABLE_COMBINED_LOGIN_REGISTRATION": true,
    "ENABLE_THIRD_PARTY_AUTH": true
    }
  5. I stepped into the lms container and verified these settings.
  6. In the lms Production.py:
    THIRD_PARTY_AUTH_BACKENDS = "third_party_auth.saml.SAMLAuthBackend"
  7. Afterwards I restarted the service multiple times but the login screen does not show the option for my IdP. In fact it only shows the username/password option.
  8. I have built the distribution from sources.
  9. I am running edX behind a Reverse Proxy so the edX system is running without SSL/HTTPS. The SSL connection is terminated at the Reverse Proxy and after that it’s HTTP up to the edX server. I have a wildcard SSL certificate for my domain, which is served from the Reverse Proxy.

My only guess is that there is probably a dependency that I have to install before it can work, however, I have not been able to find any such mention anywhere.

I have tried most documentation and resources on the Internet. Could someone please let me know what I may be missing?
Also, is there a way to set log level as debug on a Production build?
Any help is greatly appreciated.


After some effort, I was able to resolve the issue. Following is what happened:
When we create a SAML Configuration at <BASE_URL>/admin/third_party_auth/samlconfiguration/, the slug has to be specified as ‘default’. In the Registry, the function that returns enabled backends only considers SAML backends where there is a SAML configuration named as ‘default’. As I had named my slug differently, the SAML option for login was not even considered and subsequently no SAML login option was provided on the Login screen.
Following is the code responsible for this behaviour:

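A simplified model of the check described in the post above, added here as an illustration: it is not the edx-platform code the poster refers to and not part of the original thread. The class and function names are hypothetical, the sample records are constructed, and treating the per-site lookup and the Visible flag as further conditions is an assumption.

```python
from dataclasses import dataclass

REQUIRED_CONFIG_SLUG = "default"  # per the post: only this slug is considered


@dataclass
class SamlConfig:      # hypothetical stand-in for a SAML Configuration admin row
    site: str
    slug: str
    enabled: bool


@dataclass
class SamlProvider:    # hypothetical stand-in for a SAML Provider admin row
    site: str
    slug: str
    backend: str
    enabled: bool
    visible: bool


def login_button_status(provider, configs):
    """Return 'shown', or the first reason the provider is left off the login page."""
    if provider.backend != "tpa-saml":
        return "not a SAML provider"
    # Assumption: configurations are looked up for the provider's own site.
    site_cfgs = [c for c in configs if c.site == provider.site]
    default = next((c for c in site_cfgs if c.slug == REQUIRED_CONFIG_SLUG), None)
    if default is None:
        others = sorted(c.slug for c in site_cfgs)
        return f"no SAML configuration with slug 'default' (found: {others})"
    if not default.enabled:
        return "SAML configuration 'default' is disabled"
    if not provider.enabled:
        return "provider is disabled"
    if not provider.visible:
        return "provider is enabled but not visible"
    return "shown"


# Constructed sample data reproducing the situation in the thread.
provider = SamlProvider("lms.example.org", "institute-idp", "tpa-saml", True, True)
misnamed = [SamlConfig("lms.example.org", "institute", True)]
fixed = [SamlConfig("lms.example.org", "default", True)]

if __name__ == "__main__":
    print(login_button_status(provider, misnamed))
    print(login_button_status(provider, fixed))
```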