Configuring Open edX as SP

Hi!

I’m on Juniper running devstack and I’m trying to configure the open edx platform as a service provider so that I can authenticate with some external SAML identity provider.

I’ve followed the steps in the documentation, but when trying to access my metadata at http://localhost:18000/auth/saml/metadata.xml I only get 404 Not Found.

I see that there are many entrypoints for setting configurations (/edx/app/edxapp/lms.auth.json, /edx/etc/lms.yml, /edx-platform/lms/envs/common.py, LMS/admin) and I’m not sure which one to use, but for now the key-certificate pair is copied into both lms.auth.json and lms.yml, and I’ve set ENABLE_THIRD_PARTY_AUTH: true in both lms.yml and common.py.

Hi @simenve,

As far as I know, there are only two reasons you could see a 404 at http://localhost:18000/auth/saml/metadata.xml:

  1. You don’t have ENABLE_THIRD_PARTY_AUTH enabled. Try running make lms-shell and then ./manage.py lms shell and then from django.conf import settings and settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH') - make sure it prints True. If not, check your /edx/etc/lms.yml.
  2. You don’t have a SAML Configuration - check Django Admin > Third Party Auth > SAML Configuration and make sure there is a configuration entry as described at https://edx.readthedocs.io/projects/edx-installing-configuring-and-running/en/latest/configuration/tpa/tpa_SAML_SP.html#configure-your-open-edx-site-as-a-service-provider

Thanks for the reply. Everything seems to be working fine except the metadata route. I’m able to verify that ENABLE_THIRD_PARTY_AUTH is set to true and that my key/cert pairs are loaded into django settings. See images below.

Could the issue be related to site configurations?

In the first screenshot, under “Key Summary”, it says “key pair incomplete/missing” - that means there is some problem with the keys you entered. They’re either missing, invalid, or in the wrong format. So try generating and configuring new keys.

Other than that, it could be a sites issue, yes. Check the Sites section of the django admin and make sure you have only one site listed there (the localhost:18000 site), unless you need more sites.

The “key pair incomplete/missing” message was probably displayed because I inserted the keys directly into the configuration files. I tried to paste them in the admin panel and the error message disappeared, but with the same result.

Tracing the call back to the django-view it should only respond with 404 if the TPA feature is disabled (https://github.com/edx/edx-platform/blob/b13f207e1f5ec313998d08a106d7c0d2d4eee6c6/common/djangoapps/third_party_auth/views.py#L60). I checked the TPA configuration value in the same way the django-view does it, and it returned true.

When it comes to the site configuration my understanding is that a site represents an instance of the LMS? I’m not interested in hosting multiple sites for the moment, but the SAML configuration requires a site, so I tried to match the domain the LMS is running on.

My bad, I looked at the wrong ‘is_enabled’ method. Seems like third_party_auth is not enabled on my site even though it is set to true in every configuration file I could find. Either that or the is_enabled method did not find ‘localhost:18000’ site and returned false by default?

Any idea how I can enable third_party_auth in ‘Site Configurations’ in the admin panel? This format did not work:

{"ENABLE_THIRD_PARTY_AUTH":true}
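The three things the thread ends up checking by hand (the “key pair incomplete/missing” summary, whether a Site Configuration JSON fragment even parses, and which value of ENABLE_THIRD_PARTY_AUTH a given host ends up with) can be pre-flighted outside a Django shell. The script below is an added example, not code from edx-platform or from anyone in this thread. The key material is a constructed placeholder; the PEM check is structural only (headers, footers, decodable base64) and does not prove the key matches the certificate; and the lookup order in `third_party_auth_enabled` (a per-site value overrides the global FEATURES dict, an unknown host or a site entry without the key falls back to the global value) is an assumption made for the example, not a statement of how edx-platform resolves it.

```python
"""Offline pre-flight checks for an Open edX SAML service-provider setup.

Added example; not edx-platform code. All inputs below are constructed.
"""
import base64
import json
import re

# One PEM block: BEGIN/END labels must match, body must be base64 characters.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----",
    re.S,
)


def pem_labels(text):
    """Return labels of structurally valid PEM blocks found in text.

    A block counts only if its base64 body decodes. This is a format check,
    not a cryptographic check that a private key pairs with a certificate.
    """
    labels = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        try:
            base64.b64decode(body, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        labels.append(m.group("label"))
    return labels


def key_summary(private_key, public_cert):
    """Report, in the spirit of the admin's 'Key Summary', whether a pair is configured."""
    has_key = any(lbl.endswith("PRIVATE KEY") for lbl in pem_labels(private_key or ""))
    has_cert = "CERTIFICATE" in pem_labels(public_cert or "")
    if has_key and has_cert:
        return "key pair present"
    return "key pair incomplete/missing"


def parse_site_config(text):
    """Parse a Site Configuration 'values' fragment; return (values, error)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        # Pasting from a rich-text editor often turns " into curly quotes,
        # which are not valid JSON string delimiters.
        if "\u201c" in text or "\u201d" in text:
            return None, "smart quotes in JSON (use straight double quotes)"
        return None, str(exc)


def third_party_auth_enabled(host, features, site_configs):
    """Resolve ENABLE_THIRD_PARTY_AUTH for a host.

    Assumed lookup order (example assumption, not edx-platform's code):
    per-site value if the host has one, otherwise the global FEATURES value,
    otherwise False.
    """
    global_value = bool(features.get("ENABLE_THIRD_PARTY_AUTH", False))
    site_values = site_configs.get(host)
    if site_values is None or "ENABLE_THIRD_PARTY_AUTH" not in site_values:
        return global_value
    return bool(site_values["ENABLE_THIRD_PARTY_AUTH"])


def _fake_pem(label):
    # Constructed placeholder: the body is base64 of a plain string, not key material.
    body = base64.b64encode(b"constructed placeholder, not real key material").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample inputs.
SAMPLE_PRIVATE_KEY = _fake_pem("PRIVATE KEY")
SAMPLE_PUBLIC_CERT = _fake_pem("CERTIFICATE")
SAMPLE_FEATURES = {"ENABLE_THIRD_PARTY_AUTH": True}
SAMPLE_SITE_CONFIGS = {
    "localhost:18000": {"ENABLE_THIRD_PARTY_AUTH": False},  # per-site override wins
    "example.com": {},                                       # falls back to FEATURES
}

if __name__ == "__main__":
    print("Key Summary:", key_summary(SAMPLE_PRIVATE_KEY, SAMPLE_PUBLIC_CERT))
    _, err = parse_site_config("{\u201cENABLE_THIRD_PARTY_AUTH\u201d:true}")
    print("Site config pasted with curly quotes:", err)
    for host in ("localhost:18000", "example.com", "unknown.host"):
        print(host, "->", third_party_auth_enabled(host, SAMPLE_FEATURES, SAMPLE_SITE_CONFIGS))
```

Running it shows the two failure modes side by side: a site whose own configuration sets the flag to false stays disabled no matter what lms.yml says, while a host with no entry inherits the global value.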

Resolved the issue by using the default ‘example’ site.