I’ve configured SAML authentication with my Open edX instance as an SP, and now I have access to the metadata. However, I am facing two problems:
I don’t know how to configure a Logout URL.
I’d like to force SSL encryption, but I don’t know how to do it. My instance is running behind a load balancer that provides SSL and forces HTTPS, but I use HTTP connections behind this proxy, so some URLs in the metadata.xml are HTTP instead of HTTPS. For example, this line:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://openedxinstance.myhost.com/auth/complete/tpa-saml/" index="1"/>. Other URLs are defined in the configuration, but this one seems to be dynamically built, and I have no idea how to force it to use HTTPS.
My security configuration now looks like this:
Any suggestions would be greatly appreciated.
Thanks in advance!
For the second part of your question (about HTTPS), see this thread: SSO and SSL: tpa-saml - #3 by braden
Thanks, @braden! I manage to solve the issue forcing https in the request.
Now my SECURITY_CONFIG now looks like this:
wantNameIdEncrypted are now set to false. Also, I removed logout-related entries since I still didn’t find a way to configure logout.
I have a different problem now during login:
Authentication failed: SAML login failed: ['invalid_response'] (The status code of the Response was not Success, was Responder -> No authentication sources exist for the requested AuthnContextClassRefs: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)
I don’t know if I should (or can) change the authentication method.
For #1, does
Yeah, you might need to change a setting on the IdP side, to allow
PasswordProtectedTransport. But I’m not totally sure. It’s been a while since I was working on the details of SAML setup.