I integrated Keycloak SAML Idp with my Open edX for third party authentication.
Upon a new user registers on my Keycloak authentication server. I would like to call API to
Appreciate if anyone can provide a pointer to the API document to achieve above.
Regards,
Wong Liong Hung
I think there may be another way to achieve this that’s worth considering. It doesn’t involve any API.
It is possible to bypass registration, email confirmation etc. for a specific SAML provider. You can check “Skip hinted login dialog”, and “Skip registration form”. You could also “Skip email verification” if that makes sense for your use case.
This will allow users to simply click on the Keycloak link on the login page, and they can be automatically be signed in and registered.
To further simplify this, you can automatically redirect users to http://your.edx.site/dashboard?tpa_hint=provider_id after they register. This will make the LMS automatically redirect to your IdP to log in. Since the user is already logged into the IdP at this point, and registration etc is automatic, they can automatically end up registered and logged into the edx site with their new account.
Some caveats:
Thanks for your reply. The solution to go to http://your.edx.site/dashboard?tpa_hint=provider_id doesn’t work all the times. It failed intermittently. Sometimes I got the page shown below.
In the failure case, based on my observation using Django administration and database, the account was created in Open edX but the account was not linked to the account in Idp (No record added to social_auth_usersocialauth).
A user need to be activated before they can be linked to an IdP. What I mean by that is, if you create an account as user.one@example.com, you don’t confirm/activate that account, and now you try to log in as user.one@example.com via your SAML IdP, it will not automatically link the account. This is a security precaution.
Was this user activated? If not this is definitely unexpected. What release of Open edX are you using?
I have an automated end-to-end test which performs the following
I executed the test multiple times. I did get success cases, just that it failed intermittently.
Skip registration form and Skip email verification checkboxes on Provider Configuration (SAML IdP) of Django Administration are checked. And, for those users who failed to be redirected to dashboard directly when I check on Django Administration/Authentication and Authorization/Users the Permissions/Active checkbox is checked.
When I sign in using to IdP and then navigate to /dashboard?tpa_hint=provider_id, I got the follwoing
If I populate the social_auth_usersocialauth record manually for those users, I will be redirected to dashboard when go to the link.
Another observation is for those who failed, the firstname and lastname field are not populated. But for those successfully redirected to dashboard the firstname and lastname are populated. I have configured mapping on Keycloak.
I am using Ironwood release. Installed based on Native Open edX Ubuntu 16.04 64 bit Installation
Hi,
I just deployed koa with tutor and bumped into the same issue.
It turns out that local accounts are required:
I hope it helps.
Best regards,
Sebastian
