SSO - missing backends - How do I enable them?

The default backends for both SAML and OAuth aren’t available in the

/admin/third_party_auth/oauth2providerconfig/add/

or

/admin/third_party_auth/samlproviderconfig/add/

pages. Has anyone gotten SSO working with Tutor? If so how did you do it? Thanks


Hi @pdebruic! I don’t quite understand what kind of default provider you expect to see there. It’s not possible for Tutor to guess the configuration parameters of your own custom providers.
Note that there are instructions on how to add a new SAML configuration when you click on “Add SAML configuration” in the admin: /admin/third_party_auth/samlconfiguration/add/
However, there are no equivalent instructions for OAuth.

Hi there @pdebruic
I think I know what you’re looking for:
You have to enable the backends through a config file in order for the backends to appear in the dropdown menu in http://yoursite/admin/third_party_auth/yourchosenauth. You can enable it through a patch in the plugin architecture for Tutor, either by the cookiecutter or YAML approach.

For example, use the patch “openedx-lms-common-settings” and add THIRD_PARTY_AUTH_BACKENDS = "third_party_auth.saml.SAMLAuthBackend"

This discussion might also be relevant for you:

Update: SSO with SOME works, though I only tried LinkedIn. I’m having trouble getting the SAML IdP configuration to pull the metadata source, and the metadata ready symbol remains red.

According to this documentation for SAML in Open edX, I should be able to run ./manage.py lms saml --pull --settings=production to trigger the update/fetch.

But when I first run tutor local run lms bash and the line above, I get the following error:

root@5d7486eb3983:/openedx/edx-platform# ./manage.py lms saml --pull --settings=production
WARNING:py.warnings:/openedx/edx-platform/lms/djangoapps/courseware/__init__.py:5: DeprecationWarning: Importing 'lms.djangoapps.courseware' as 'courseware' is no longer supported
  warnings.warn("Importing 'lms.djangoapps.courseware' as 'courseware' is no longer supported", DeprecationWarning)

Traceback (most recent call last):
  File "./manage.py", line 120, in <module>
    startup.run()
  File "/openedx/edx-platform/lms/startup.py", line 19, in run
    django.setup()
  File "/openedx/venv/local/lib/python2.7/site-packages/django/__init__.py", line 22, in setup
    configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
  File "/openedx/venv/local/lib/python2.7/site-packages/django/utils/log.py", line 75, in configure_logging
    logging_config_func(logging_settings)
  File "/usr/lib/python2.7/logging/config.py", line 794, in dictConfig
    dictConfigClass(config).configure()
  File "/usr/lib/python2.7/logging/config.py", line 576, in configure
    '%r: %s' % (name, e))
ValueError: Unable to configure handler 'local': [Errno 2] No such file or directory

EDIT:

I guess Tutor uses --settings=tutor.production. But it still skips my provider and gives me:

root@5d7486eb3983:/openedx/edx-platform# ./manage.py lms saml --pull --settings=tutor.production
WARNING:py.warnings:/openedx/edx-platform/lms/djangoapps/courseware/__init__.py:5: DeprecationWarning: Importing 'lms.djangoapps.courseware' as 'courseware' is no longer supported
  warnings.warn("Importing 'lms.djangoapps.courseware' as 'courseware' is no longer supported", DeprecationWarning)
2020-01-16 14:14:57,553 WARNING 1140 [enterprise.utils] utils.py:50 - Could not import Registry from third_party_auth.provider
2020-01-16 14:14:57,556 WARNING 1140 [enterprise.utils] utils.py:51 - cannot import name _LTI_BACKENDS
Done.
1 provider(s) found in database.
1 skipped and 0 attempted.
0 updated and 0 failed.

Hello

Thanks for trying to help me out. I’m new to both tutor and open edX. I thought there was a default because of the docs here

https://edx.readthedocs.io/projects/edx-installing-configuring-and-running/en/latest/configuration/tpa/tpa_integrate_open/tpa_SAML_IdP.html

In the backend name bullet they mention tpa-saml

I think you’re correct that I need to add it to my install and that @ak0001 has shown me how. I’ll give it a shot once I’m at the computer.

Thanks again

I made a YAML plugin to change the setting, which does add the setting to the production.py and development.py files after enabling it and rebuilding.

But the dropdown on the SAML IdP “add a configuration” page that lets a person pick the backend is still empty.

So I’m more familiar with how to configure openedx & tutor than I was but still stuck as I don’t know where else to look to figure out what I’m doing wrong. Do you guys just read the openedx source when doing this stuff?

This:
https://edx.readthedocs.io/projects/edx-installing-configuring-and-running/en/latest/configuration/tpa/tpa_integrate_open/index.html#enable-the-third-party-authentication-feature

Says I need to add

"ENABLE_THIRD_PARTY_AUTH": true

to the “FEATURES” section of the lms.env.json file.

How do I do that in Tutor? Is there any way to see that it was done once it is done? Like an “active settings report” or something?

How did you learn about the THIRD_PARTY_AUTH_BACKENDS setting and also its possible values and also that it needed to be set somewhere? I get the impression I’m missing a map or something in all the openedx & tutor docs.

Here is the yml file I’m using to try to do it:

name: saml
version: 0.1.0
patches:
  openedx-common-features: |
    # saml special settings
    ENABLE_THIRD_PARTY_AUTH = "true"

  openedx-lms-common-settings: |
    # saml special settings
    THIRD_PARTY_AUTH_BACKENDS = "third_party_auth.saml.SAMLAuthBackend"

I also made a cookiecutter python plugin here (https://github.com/pdebruic/tutor-saml) but tutor doesn’t add it to the list of plugins. Do the plugin install commands need to be run in a special directory that isn’t listed in the tutor plugin creation docs?

Thanks for your guidance.

After sleeping on it I figured it out. Thanks again

This plugin yml file worked:

name: saml
version: 0.1.0
patches:
  common-env-features: |
    "ENABLE_THIRD_PARTY_AUTH" : true

  openedx-lms-common-settings: |
    # saml special settings
    THIRD_PARTY_AUTH_BACKENDS = "third_party_auth.saml.SAMLAuthBackend"

  openedx-auth: |
    "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY" : "secret key"
    "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT" : "public cert"

I’m still not sure about why the python package didn’t get picked up but am ok with it.


Good you found the solution! I forgot to mention the prerequisites for THIRD_PARTY_AUTH, as I assumed you already had that.

For the python package I’ve noticed that I need to add the -e and EGG to the pip install command. I’m not a programmer, so I don’t know why, but it seems to work.

E.g. pip install -e git+https://github.com/USER/TUTOR-PLUGIN-NAME#egg=TUTOR-PLUGIN-NAME

If I run without, the plugin doesn’t show in tutor plugins list.

Good job figuring out the solution @pdebruic!

No, not really. The plugin needs to be installed in the same virtual environment, if you created one, as the tutor-openedx package. If you downloaded the pre-built tutor binary file then it’s not possible to load external python packages.

This is really cool! Would you like to publish this, for instance as a github gist? You could add the following configuration entries to make it possible to easily modify the private and public keys:

name: saml
version: 0.1.0
config:
  defaults:
    PRIVATE_KEY: setme
    PUBLIC_CERT: setme
patches:
  ...
  openedx-auth: |
    "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY" : "{{ SAML_PRIVATE_KEY }}"
    "SOCIAL_AUTH_SAML_SP_PUBLIC_CERT" : "{{ SAML_PUBLIC_CERT }}"

Hello, thank you for paving the way here. I’ve tried following this setup and now I am getting the below error in the logs:

lms_1 | 2021-03-08 09:44:22,243 INFO 20 [social] [user None] [ip xxx.xxx.xxx.xxx] middleware.py:40 - Authentication failed: SAML login failed: ['invalid_response'] (The response was received at https://courses.domain.io:8000/auth/complete/tpa-saml/ instead of https://courses.domain.io/auth/complete/tpa-saml/)

For whatever reason the redirect URL being constructed is adding in the port 8000. Have you set any other flags to work around this behavior?

So I worked around this by patching

/home/ubuntu/.local/share/tutor/env/apps/nginx/lms.conf

like so:

location @proxy_to_lms_app {
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_pass http://lms-backend;
}

This is assuming you have https on
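The log line above and the nginx workaround are two halves of one mechanism: the IdP addresses its SAML Response to the public ACS URL, while the SP reconstructs the URL it believes it received the response at from the headers the proxy forwards, and rejects the response when the two differ. The following is a constructed Python model added to this thread to make that visible; it is not Tutor's, Open edX's or python-social-auth's code. It simplifies how a Django app derives its external URL from Host / X-Forwarded-Proto / X-Forwarded-Port (an assumption about the real logic), models what the nginx block above sends upstream, and applies the Destination check whose failure text matches the log. The header values, IP address and SAML Response are all constructed sample data.

```python
"""Model of the SAML 'invalid_response' destination mismatch behind a proxy.

Constructed example added to this thread; not Tutor's, Open edX's or
python-social-auth's code. It simplifies how a Django app reconstructs its
public URL from proxy headers and applies the Destination check that
produced the error quoted in the log above.
"""
from xml.etree import ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/auth/complete/tpa-saml/"


def proxy_forward(client_headers, remote_addr, forwarded_port="443"):
    """What the nginx block above sends upstream (modelled, not nginx itself).

    Host comes from the client's Host header ($http_host), X-Forwarded-For from
    the connection ($remote_addr) and X-Forwarded-Port is a fixed value, so any
    X-Forwarded-* header the client sent is discarded rather than relayed.
    """
    return {
        "Host": client_headers.get("Host", ""),
        "X-Forwarded-For": remote_addr,
        "X-Forwarded-Port": forwarded_port,
        "X-Forwarded-Proto": "https",  # assumption: TLS is terminated at nginx
    }


def external_acs_url(upstream_headers, path=ACS_PATH):
    """URL the SP believes it received the request at (simplified model).

    Assumption: scheme from X-Forwarded-Proto, host from Host, port from
    X-Forwarded-Port if set, else from Host. The scheme's default port is
    omitted, any other port is kept, which is how ':8000' ends up in the URL.
    """
    scheme = upstream_headers.get("X-Forwarded-Proto", "http").lower()
    host, _, host_port = upstream_headers["Host"].partition(":")
    port = upstream_headers.get("X-Forwarded-Port") or host_port or None
    default_port = {"https": "443", "http": "80"}[scheme]
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def check_destination(saml_response_xml, received_at):
    """Destination check an SP applies to an inbound samlp:Response.

    Returns (ok, reason); the failure text mirrors the lms log line.
    """
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAML2P}}}Response":
        return False, "invalid_response: root element is not samlp:Response"
    destination = root.get("Destination")
    if not destination:
        return False, "invalid_response: Destination attribute missing"
    if destination != received_at:
        return False, ("invalid_response: The response was received at "
                       f"{received_at} instead of {destination}")
    return True, "ok"


# Constructed sample: the IdP addressed the response to the public ACS URL.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAML2P}" ID="_constructed" Version="2.0" '
    'IssueInstant="2021-03-08T09:44:22Z" '
    'Destination="https://courses.domain.io/auth/complete/tpa-saml/"/>'
)
# Constructed client request; the client-supplied X-Forwarded-Port must not
# survive the proxy, otherwise a client could steer the URL the SP computes.
CLIENT_HEADERS = {"Host": "courses.domain.io", "X-Forwarded-Port": "1337"}


def run_scenarios():
    """Reproduce the mismatch, then the outcome with X-Forwarded-Port 443."""
    # Before: the app saw port 8000 in its forwarded headers (constructed cause).
    broken = {"Host": "courses.domain.io", "X-Forwarded-Proto": "https",
              "X-Forwarded-Port": "8000"}
    before = check_destination(SAMPLE_RESPONSE, external_acs_url(broken))
    # After: the proxy pins X-Forwarded-Port to 443 and drops the client's value.
    fixed = proxy_forward(CLIENT_HEADERS, "203.0.113.7")
    after = check_destination(SAMPLE_RESPONSE, external_acs_url(fixed))
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), run_scenarios()):
        print(label, result)
```

Two things worth checking on a real deployment follow from the model: the value the proxy sets for X-Forwarded-Port (and X-Forwarded-Proto) must describe the port and scheme the IdP was configured with for the ACS URL, not the port the backend container listens on; and the proxy should always overwrite the X-Forwarded-* headers, as `proxy_set_header` does, rather than relay what the client sent, since the application trusts them when building the URL it validates against.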

@ryo your patch will be unnecessary once we merge this: Fix SAML 'Invalid Request' Error by Ant1x · Pull Request #406 · overhangio/tutor · GitHub

Hi @ryo @regis,
how did you solve the HTTP issue? Could you share your experiences with me? I appreciate your support.