Juniper and SAML Authentication

Hello, I am trying to add SAML (Shibboleth) authentication to my Juniper site and I believe I have everything set up, however the IDP I want to sign in with does not show up on the login page, nor does the page https://online.server.org/auth/saml/metadata.xml load. I get the LMS UI with the page-not-found error message.

I am not seeing anything in the lms logs that talk about it.

The following options are set in my server-vars.yml:

ENABLE_THIRD_PARTY_AUTH: true
EDXAPP_SOCIAL_AUTH_SAML_SP_PUBLIC_CERT
EDXAPP_SOCIAL_AUTH_SAML_SP_PRIVATE_KEY

The IDP configuration appears correct, and it is pulling metadata nightly via celery.

I have tried setting the private/public key in the Django SAML configuration as well as leaving it blank and having it utilize the variables above stored in the LMS config files in Juniper.

For the Organization Info box I have the following:

{
  "en-US": {
    "url": "https://online.newliteraciesalliance.org",
    "name": "ksul_nla_openedx",
    "displayname": "NLA OpenEdx"
  }
}

and for Other config str I have:

{
  "SECURITY_CONFIG": {
    "wantAssertionsSigned": true,
    "requestedAuthnContext": true,
    "metadataCacheDuration": 604800,
    "wantAssertionsEncrypted": true,
    "authnRequestsSigned": true
  }
}

Any ideas what else to check or try would be greatly appreciated. Thank you!

OK, I think I have it almost working. Apparently the slug for the profile has to be "default".

I found this post (Missing metadata.xml while configuring SAML third party auth on Ironwood edx) that talks about it.

I am now able to access the metadata, but the ACS URL being generated is http instead of https. Any idea on how I can change this?

Looks like I am getting a little closer, but this is partially due to the ACS being http.

Error Details:
Authentication failed: SAML login failed: ['invalid_response'] (The response was received at http://online.example.org:8000/auth/complete/tpa-saml/ instead of http://online.example.org/auth/complete/tpa-saml/)

Studio/LMS are both running on port 443 through nginx, so not sure where the 8000 is coming from.

Added later

Just putting these here. I had to enable the following:

I set these values and it works now without any mixed content errors.

NGINX_REDIRECT_TO_HTTPS: True
NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"
NGINX_SET_X_FORWARDED_HEADERS: True

Once I did this, the URLs were generated with https.

Tom
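To illustrate why the ACS URL came out as http://online.example.org:8000/... and why forwarding headers from nginx fixes it, here is a small added example (not code from the thread or from the Open edX platform). It builds the URL an SP behind a TLS-terminating proxy believes it is serving, with and without trusting X-Forwarded-* headers, and applies the same Destination comparison that produced the "received at ... instead of ..." error. The environ dictionaries, host names and the `acs_url`/`destination_matches` helpers are constructed for this example.

```python
from urllib.parse import urlsplit

ACS_PATH = "/auth/complete/tpa-saml/"

# Constructed: what the app server on port 8000 sees when nginx terminates
# TLS and proxies the request on without adding forwarding headers.
ENV_NO_FORWARDED = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "online.example.org:8000",
    "PATH_INFO": ACS_PATH,
}
# Constructed: the same request after nginx sets X-Forwarded-* headers
# (the effect of NGINX_SET_X_FORWARDED_HEADERS: True).
ENV_FORWARDED = {
    **ENV_NO_FORWARDED,
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "online.example.org",
    "HTTP_X_FORWARDED_PORT": "443",
}
# Constructed: the Destination the IdP stamps on its Response, i.e. the ACS
# URL it learned from the SP metadata.
IDP_DESTINATION = "https://online.example.org" + ACS_PATH


def acs_url(environ, trust_forwarded_headers):
    """Return the ACS URL the SP thinks it is serving.

    Without trusted forwarding headers the scheme and host come straight from
    the app server socket (http, port 8000); with them they come from the
    proxy that actually terminated TLS.
    """
    scheme = environ["wsgi.url_scheme"]
    host = environ["HTTP_HOST"]
    if trust_forwarded_headers and "HTTP_X_FORWARDED_PROTO" in environ:
        scheme = environ["HTTP_X_FORWARDED_PROTO"]
        host = environ.get("HTTP_X_FORWARDED_HOST", host.split(":")[0])
        port = environ.get("HTTP_X_FORWARDED_PORT")
        default_port = "443" if scheme == "https" else "80"
        if port and port != default_port:
            host = f"{host}:{port}"
    return f"{scheme}://{host}{environ['PATH_INFO']}"


def destination_matches(response_destination, current_url):
    """The check behind 'received at X instead of Y': the Response's
    Destination must equal, component for component, the URL the SP
    received it on. Scheme and port differences are enough to fail it."""
    return urlsplit(response_destination) == urlsplit(current_url)
```

Running `acs_url(ENV_FORWARDED, False)` shows that merely having nginx send the headers is not enough; the application must also be told to trust them, which is why the fix involves both the nginx variables and the app-side HTTPS settings.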

Glad to hear you got it working, and thanks so much for posting your solution! I’m sure some future people with the same problem will really appreciate it.
