Hi @tsvetelin ! I’ve set up SAML auth with Okta and Open edX before, and here’s a sanitized version of the settings we used.
**Open edX SAML settings**
- Enabled: Yes
- Icon class: fa-sign-in
- Icon image: None
- Name: <Insert name here>
- Slug: <Insert short name here>
  (Must match the Default Relay State on the Okta application.)
- Secondary: No
- Site: <Link to site entry>
- Skip hinted login dialog: Yes
- Skip registration form: No
- Skip email verification: Yes
- Send welcome email: Optional
- Visible: Yes
- Max session length (seconds): (blank)
- Send to registration first: No
- Sync learner profile data: Yes
- Enable sso id verification: Yes
- Backend name: tpa-saml
- Enable automatic metadata refresh: Yes
- Identity Provider Type: Standard SAML Provider
- Advanced settings: `{"PROVIDER_READ_ONLY_FIELDS": ["email", "name"]}`
These values come from your Okta setup:
- Entity ID: http://www.okta.com/<okta app id>
- Metadata source: https://<app-name>.oktapreview.com/app/<okta app id>/sso/saml/metadata
- Debug mode: No
These attribute names must match those set up as “Attribute statements” in the Okta application:
- User ID Attribute: username
- Full Name Attribute: fullName
- Default Value for Full Name: (blank)
- First Name Attribute: firstName
- Default Value for First Name: (blank)
- Last Name Attribute: lastName
- Default Value for Last Name: (blank)
- Username Hint Attribute: username
- Default Value for Username: (blank)
- Email Attribute: email
- Default Value for Email: (blank)
**Open edX site configuration**
These Ansible variables must be set to allow cross-origin requests and CSRF cookies to be shared across domains.
```yaml
EDXAPP_FEATURES:
  ENABLE_CROSS_DOMAIN_CSRF_COOKIE: true
EDXAPP_CROSS_DOMAIN_CSRF_COOKIE_NAME: "okta-csrftoken"
EDXAPP_CROSS_DOMAIN_CSRF_COOKIE_DOMAIN: ".<app-name>.oktapreview.com"
EDXAPP_CSRF_COOKIE_SECURE: true
# EDXAPP_CORS_ORIGIN_ALLOW_ALL: true # unsafe
EDXAPP_CORS_ORIGIN_WHITELIST: ["<app-name>.oktapreview.com"]
```
**Okta application SAML settings**
*General*
- Single Sign On URL: https://<lms url>/auth/complete/tpa-saml/
- Recipient URL: https://<lms url>/auth/complete/tpa-saml/
- Destination URL: https://<lms url>/auth/complete/tpa-saml/
- Audience Restriction: https://<lms url>
- Default Relay State: <Insert short name here>
  (Must match the Slug on the Open edX SAML configuration.)
- Name ID Format: Unspecified
- Application username: Okta username
- Update application username on: Create and update
- Response: Signed
- Assertion Signature: Signed
- Signature Algorithm: RSA_SHA256
- Digest Algorithm: SHA256
- Assertion Encryption: Unencrypted
- SAML Single Logout: Disabled
- authnContextClassRef: PasswordProtectedTransport
- Honor Force Authentication: Yes
- Assertion Inline Hook: None (disabled)
- SAML Issuer ID: http://www.okta.com/${org.externalKey}
*Attribute Statements*
All "Name Formats" are Unspecified.
- firstName: `user.firstName`
- lastName: `user.lastName`
- email: `user.login`
- username: `String.len(user.nickName) > 0 ? user.nickName : substringBefore(user.login, "@")`
- fullName: `String.join(" ", user.firstName, user.lastName)`
*Group Attribute Statements*
None.
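As an added example (not part of the original post, and not Open edX or Okta code), here is a small standard-library Python check that a captured SAML Response actually carries what the two sides above agree on: the Destination and Audience match the LMS URLs, both the Response and the Assertion carry a signature element (Okta is set to sign both), and the five attribute names the Open edX provider config maps (`username`, `fullName`, `firstName`, `lastName`, `email`) are present and non-empty. The LMS host and the embedded sample response are constructed placeholders. It does not verify the XML signatures themselves; that remains the job of the `tpa-saml` backend, so this is a mapping sanity check for debugging a failed login, not a replacement for the SP's validation.

```python
"""Sanity-check a SAML Response against the Okta <-> Open edX mapping above.

Added example; uses only the standard library. It confirms the fields the SP
expects are present and consistent. It does NOT validate XML signatures, so it
must not be used as an authentication decision on its own.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder LMS host for this example; substitute your own <lms url>.
LMS_URL = "https://lms.example.invalid"
EXPECTED_DESTINATION = LMS_URL + "/auth/complete/tpa-saml/"   # Single Sign On / Destination URL
EXPECTED_AUDIENCE = LMS_URL                                    # Audience Restriction
# Attribute names configured on the Open edX provider (from the settings above).
REQUIRED_ATTRS = ("username", "fullName", "firstName", "lastName", "email")


def check_response(xml_text, expected_destination=EXPECTED_DESTINATION,
                   expected_audience=EXPECTED_AUDIENCE):
    """Return (problems, attributes) for a samlp:Response document."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"], {}
    if root.get("Destination") != expected_destination:
        problems.append("Destination mismatch: %r" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # Okta is configured for unencrypted assertions; an EncryptedAssertion
        # would land here and needs the SP's private key to inspect.
        return problems + ["no plaintext saml:Assertion found"], {}
    # Presence-only checks: Okta signs both Response and Assertion.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience mismatch: %r" % audiences)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing or empty attribute: %s" % name)
    return problems, attrs


# Constructed sample response matching the mapping above (not a real Okta capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="%s">
  <saml:Issuer>http://www.okta.com/EXAMPLE_APP_ID</saml:Issuer>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/EXAMPLE_APP_ID</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (EXPECTED_DESTINATION, EXPECTED_AUDIENCE)


if __name__ == "__main__":
    problems, attrs = check_response(SAMPLE_RESPONSE)
    print("problems:", problems or "none")
    print("attributes:", attrs)
```

To use it on a real login, paste the base64-decoded `SAMLResponse` from the browser's POST to `/auth/complete/tpa-saml/` in place of `SAMPLE_RESPONSE`; a non-empty `problems` list usually points straight at the mismatched field (a wrong Audience, or an attribute statement named differently from the Open edX side).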