Configuring SAML Authentication: Encryption and Logout

Alareo · October 30, 2023, 9:36am

Hi,

I’ve configured SAML authentication with my Open edX instance as an SP, and now I have access to the metadata. However, I am facing two problems:

I don’t know how to configure a Logout URL.
I’d like to force SSL encryption, but I don’t know how to do it. My instance is running behind a load balancer that provides SSL and forces HTTPS, but I use HTTP connections behind this proxy, so some URLs in the metadata.xml are HTTP instead of HTTPS. For example, this line: <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://openedxinstance.myhost.com/auth/complete/tpa-saml/" index="1"/>. Other URLs are defined in the configuration, but this one seems to be dynamically built, and I have no idea how to force it to use HTTPS.

My security configuration now looks like this:

"SECURITY_CONFIG": {
    "metadataCacheDuration": 604800,
    "signMetadata": true,
    "nameIdEncrypted": true,
    "authnRequestsSigned": true,
    "logoutRequestSigned": true,
    "logoutResponseSigned": true,
    "wantMessagesSigned": true,
    "wantAssertionsSigned": true,
    "wantNameIdEncrypted": true
}

Any suggestions would be greatly appreciated.

Thanks in advance!

braden · October 30, 2023, 6:36pm

For the second part of your question (about HTTPS), see this thread: SSO and SSL: tpa-saml - #3 by braden

Alareo · November 8, 2023, 4:08pm

Thanks, @braden! I manage to solve the issue forcing https in the request.

Now my SECURITY_CONFIG now looks like this:

"SECURITY_CONFIG": {
    "metadataCacheDuration": 604800,
    "signMetadata": true,
    "nameIdEncrypted": false,
    "authnRequestsSigned": true,
    "wantMessagesSigned": true,
    "wantAssertionsSigned": true,
    "wantNameIdEncrypted": false
}

Note that nameIdEncrypted and wantNameIdEncrypted are now set to false. Also, I removed logout-related entries since I still didn’t find a way to configure logout.

I have a different problem now during login:

Authentication failed: SAML login failed: ['invalid_response'] (The status code of the Response was not Success, was Responder -> No authentication sources exist for the requested AuthnContextClassRefs: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)

I don’t know if I should (or can) change the authentication method.

Tim_McCormack · November 8, 2023, 6:17pm

For #1, does TPA_AUTOMATIC_LOGOUT_ENABLED help?

braden · November 9, 2023, 5:52pm

Yeah, you might need to change a setting on the IdP side, to allow PasswordProtectedTransport. But I’m not totally sure. It’s been a while since I was working on the details of SAML setup.

Topic		Replies	Views
SAML Configuration Issues Site Operations Help	2	735	May 14, 2023
SSO and SSL: tpa-saml Site Operations Help	7	1199	February 19, 2022
Missing metadata.xml while configuring SAML third party auth on Ironwood edx Site Operators	4	1128	August 14, 2020
Configuring Open edX as SP Site Operations Help juniper	6	996	July 20, 2020
Configure Open edX as a SAML Service Provider Site Operations Help	2	869	May 14, 2020

Configuring SAML Authentication: Encryption and Logout

Related topics