API to link Open edX account with the account on third party authentication providers

I integrated Keycloak SAML Idp with my Open edX for third party authentication.

Upon a new user registers on my Keycloak authentication server. I would like to call API to

  1. create account on Open edX, and
  2. link the Open edX account with the account on Keycloak (so that the user will not be prompt to link account).

Appreciate if anyone can provide a pointer to the API document to achieve above.

Wong Liong Hung

I think there may be another way to achieve this that’s worth considering. It doesn’t involve any API.

It is possible to bypass registration, email confirmation etc. for a specific SAML provider. You can check “Skip hinted login dialog”, and “Skip registration form”. You could also “Skip email verification” if that makes sense for your use case.

This will allow users to simply click on the Keycloak link on the login page, and they can be automatically be signed in and registered.

To further simplify this, you can automatically redirect users to http://your.edx.site/dashboard?tpa_hint=provider_id after they register. This will make the LMS automatically redirect to your IdP to log in. Since the user is already logged into the IdP at this point, and registration etc is automatic, they can automatically end up registered and logged into the edx site with their new account.

Some caveats:

  • The user may not automatically be logged into the IdP when redirected there from the LMS depending on the settings for the IdP
  • The user will end up in the LMS. This might not be what you want if you just wanted the registration and account setup to happen in the background. In this case though, you can just redirect the user via the above tpa_hint link when they actually want to access the LMS instead of automatically after registration.

Thanks for your reply. The solution to go to http://your.edx.site/dashboard?tpa_hint=provider_id doesn’t work all the times. It failed intermittently. Sometimes I got the page shown below.
In the failure case, based on my observation using Django administration and database, the account was created in Open edX but the account was not linked to the account in Idp (No record added to social_auth_usersocialauth).

A user need to be activated before they can be linked to an IdP. What I mean by that is, if you create an account as user.one@example.com, you don’t confirm/activate that account, and now you try to log in as user.one@example.com via your SAML IdP, it will not automatically link the account. This is a security precaution.

Was this user activated? If not this is definitely unexpected. What release of Open edX are you using?

I have an automated end-to-end test which performs the following

  1. register user on Idp (Keycloak in this case)
  2. navigate to http://your.edx.site/dashboard?tpa_hint=provider_id

I executed the test multiple times. I did get success cases, just that it failed intermittently.

Skip registration form and Skip email verification checkboxes on Provider Configuration (SAML IdP) of Django Administration are checked. And, for those users who failed to be redirected to dashboard directly when I check on Django Administration/Authentication and Authorization/Users the Permissions/Active checkbox is checked.

When I sign in using to IdP and then navigate to /dashboard?tpa_hint=provider_id, I got the follwoing

If I populate the social_auth_usersocialauth record manually for those users, I will be redirected to dashboard when go to the link.

Another observation is for those who failed, the firstname and lastname field are not populated. But for those successfully redirected to dashboard the firstname and lastname are populated. I have configured mapping on Keycloak.

I am using Ironwood release. Installed based on Native Open edX Ubuntu 16.04 64 bit Installation