Can OpenEdX act as a SAML2/OIDC Identity provider?

Hi,

For our OpenEdX platform, we use third-party authentication to log into OpenEdX, so we know how to configure OpenEdX as a service provider (to SAML or other types of SSO), and there is documentation for that (Configuring your Open edX Site as a SAML Service Provider — Latest documentation).

I note, however, that access to Superset seems to use the identities of OpenEdX, not the third party. That means that somehow OpenEdX is an identity provider to Superset. In addition, OpenEdX can be an identity provider through LTI, which we use for JupyterHub.

We have an internal service which we want to bind to OpenEdX identity. From that service's perspective, it supports SAML2 as an identity provider. Is there documentation on how to configure OpenEdX to act as a SAML2 Identity (not Service) Provider for another service?

Thanks

Fascinating question! @TyHob any thoughts?

Aspects uses OAuth and JWT to connect the platform account to Superset. I don’t know much about how we use SAML, but I don’t think we do IdP or that any of the libraries in our stack do. You would probably need to make a plugin using a different package with custom endpoints to make it work. @feanil might have more insight than I do, though.

Ok, it might be easier to patch the other application to support OAuth/JWT instead then. It is also a Django application, so I’m told it shouldn’t be too hard.

Yeah, I don’t think we ever implemented SAML IdP support, just SAML SP (Service Provider) support. Since Open edX already supports acting as an IdP via OAuth, it’s going to be easier to do it that way if you can manage.

Thanks. I will look into that direction then.

So, I got a possible implementation of OAuth in the tool, using mozilla-django-oidc.

Assuming that the code works, I need the following settings:

# OpenID Connect Provider configurations:
OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://your-idp.example.com/auth'
OIDC_OP_TOKEN_ENDPOINT = 'https://your-idp.example.com/token'
OIDC_OP_USERINFO_ENDPOINT = 'https://your-idp.example.com/userinfo'
OIDC_OP_JWKS_ENDPOINT = 'https://your-idp.example.com/jwks'

OIDC_RP_CLIENT_ID = 'your-client-id'
OIDC_RP_CLIENT_SECRET = 'your-client-secret'

# Algorithm for verifying JWT signatures (e.g. RS256, HS256)
OIDC_RP_SIGN_ALGO = 'RS256'

# Custom scopes if needed
OIDC_RP_SCOPES = ['openid', 'email', 'profile']

# If set to True, a new Django user will be created if one does not exist
OIDC_CREATE_USER = True

# Username claim to use for matching the LDAP username.
# Our custom staffOIDCBackend cleans the domain part if the claim contains an email or full principal name.
OIDC_USERNAME_CLAIM = 'preferred_username'

Any idea what those would be for using the OAuth IdP of OpenEdX? And where would I generate the client ID and secret?

I think the auth endpoint is {lms_url}/oauth2/authorize/ and the token endpoint is {lms_url}/oauth2/access_token/.

On the Open edX side, everything is done via the Django admin, e.g. {lms_url}/admin/oauth2_provider/application/

Hopefully that’s enough to get you going.

That does not seem to be enough. It expects an OIDC_OP_USERINFO_ENDPOINT and an OIDC_OP_JWKS_ENDPOINT.

What would help is if someone pointed me to the code where Studio or Superset authenticate to the LMS, so I can see how it's done.

Hmm, I found this. Apparently support for OIDC was removed in 2020... That's too bad, as it is a widely used standard in our environment.
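The settings posted earlier map onto an authorization-code flow that the relying party (the internal Django tool) has to drive itself, and the missing JWKS endpoint only matters for the step where the RP verifies the signature on the token it gets back. The following is an added illustration, not code from Open edX, mozilla-django-oidc or the poster's tool: stdlib-only Python that builds the authorize request against the {lms_url}/oauth2/authorize/ endpoint named in the thread (with a state parameter and PKCE), checks the state on the callback, assembles the body for the {lms_url}/oauth2/access_token/ request, and verifies an HS256-signed id_token with the client secret, the way an RP configured with OIDC_RP_SIGN_ALGO = 'HS256' would (the only mode in which no JWKS endpoint is needed). The hostnames, client credentials, token contents and the small signing routine used to fabricate a token are constructed for the example; whether the Open edX token endpoint actually returns such an id_token is not established by the thread.

```python
"""Relying-party side of an OAuth2 / OIDC-style authorization-code flow.
Added example with constructed data; stdlib only, runs offline."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint paths as suggested in the thread; host and credentials are placeholders.
LMS_URL = "https://lms.example.com"                       # assumption
AUTHORIZE_ENDPOINT = f"{LMS_URL}/oauth2/authorize/"
TOKEN_ENDPOINT = f"{LMS_URL}/oauth2/access_token/"
CLIENT_ID = "your-client-id"                              # from the LMS Django admin
CLIENT_SECRET = "your-client-secret"                      # from the LMS Django admin
REDIRECT_URI = "https://tool.example.com/oidc/callback/"  # assumption


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorize_request(scopes=("openid", "email", "profile")):
    """Return (url, state, code_verifier). The RP keeps state and verifier in the
    user's session: state is compared on the callback, verifier goes to the token
    endpoint so a stolen authorization code alone cannot be redeemed (PKCE)."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)          # 86 chars, within the 43..128 PKCE range
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, verifier


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect back to the RP. A state
    mismatch means the response was not started by this session (CSRF / login
    fixation), so it is rejected before anything is exchanged."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    if not expected_state or qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return qs["code"][0]


def token_request_body(code: str, verifier: str) -> dict:
    """Form body POSTed to TOKEN_ENDPOINT (over TLS, server to server)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code_verifier": verifier,
    }


def hs256_sign(claims: dict, key: str) -> str:
    """Provider-side helper used only to fabricate a sample id_token for the demo."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, key: str, issuer: str, audience: str, now=None) -> dict:
    """What the RP does with an id_token before trusting its claims: pin the
    algorithm (never take it from the header), check the HMAC in constant time,
    then check iss, aud and exp. Returns the verified claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # rejects 'none' and key-confusion tricks
    expected = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """End-to-end run with a constructed callback and a constructed id_token."""
    url, state, verifier = build_authorize_request()
    code = parse_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    body = token_request_body(code, verifier)
    # Constructed provider response; a real RP would get this from TOKEN_ENDPOINT.
    id_token = hs256_sign({"iss": LMS_URL, "aud": CLIENT_ID, "sub": "42",
                           "preferred_username": "alice", "exp": int(time.time()) + 300},
                          CLIENT_SECRET)
    claims = verify_id_token(id_token, CLIENT_SECRET, LMS_URL, CLIENT_ID)
    return {"authorize_url": url, "token_request": body, "claims": claims}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The preferred_username claim that comes out of verify_id_token is the value the OIDC_USERNAME_CLAIM setting would feed into the RP's user lookup. If the provider signs with RS256 instead (the OIDC_RP_SIGN_ALGO value in the posted settings), the HMAC check is replaced by an RSA signature check against the key fetched from the JWKS endpoint, which is exactly why the library insists on that URL.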