Juniper and SAML Authentication

misilot · August 26, 2020, 9:50pm

Hello, I am trying to add SAML (Shibboleth) authentication to my Juniper site and I believe I have everything setup, however the IDP I want to sign in with does not show up on the login page, nor does the page https://online.server.org/auth/saml/metadata.xml. I get the LMS UI with the page not found error message.

I am not seeing anything in the lms logs that talk about it.

The following options are set in my server-vars.yml

ENABLE_THIRD_PARTY_AUTH: true
EDXAPP_SOCIAL_AUTH_SAML_SP_PUBLIC_CERT
EDXAPP_SOCIAL_AUTH_SAML_SP_PRIVATE_KEY

The IDP configuration appears correct, and is pulling metadata nightly via celery.

I have tried setting the private/public key in the django SAML configuration as well as leaving it blank and having it utilize the variables above stored in the lms config files in juniper.

For Organization Info box I have the following:

{
“en-US”: {
“url”: “https://online.newliteraciesalliance.org”,
“name”: “ksul_nla_openedx”,
“displayname”: “NLA OpenEdx”
}
}

and for Other config str I have:

{
“SECURITY_CONFIG”: {
“wantAssertionsSigned”: true,
“requestedAuthnContext”: true,
“metadataCacheDuration”: 604800,
“wantAssertionsEncrypted”: true,
“authnRequestsSigned”: true
}
}

Any ideas what else to check or try would be greatly appreciated. Thank you!

misilot · August 28, 2020, 1:02am

Ok, I think I have it almost working. Apparently the slug for the profile has to be “default”.

I found this post (Missing metadata.xml while configuring SAML third party auth on Ironwood edx - #4 by braden) that talks about it.

I am now able to access the metadata but the ACS url being generated is http instead of https. Any idea on how I can change this?

Looks like I am getting a little closer, but this is partially due to the ACS being http.

Error Details:
Authentication failed: SAML login failed: [‘invalid_response’] (The response was received at http://online.example.org:8000/auth/complete/tpa-saml/ instead of http://online.example.org/auth/complete/tpa-saml/)

Studio/LMS are both running on port 443 through nginx, so not sure where the 8000 is coming from.

Added later

Just putting these here. I had to enable the following:

I set these values and it works now with any mixed content errors.

NGINX_REDIRECT_TO_HTTPS: True
NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"
NGINX_SET_X_FORWARDED_HEADERS: True

Once I did this, the urls were generated with https.

Tom

braden · August 29, 2020, 12:21am

Glad to hear you got it working, and thanks so much for posting your solution! I’m sure some future people with the same problem will really appreciate it.

Topic		Replies	Views
Configuring Open edX as SP Site Operations Help juniper	6	991	July 20, 2020
Missing metadata.xml while configuring SAML third party auth on Ironwood edx Site Operators	4	1126	August 14, 2020
SAML Configuration Issues Site Operations Help	2	728	May 14, 2023
SAML metadata - Page not found Site Operations Help	3	733	November 26, 2020
Third Auth Saml button only visible on one Open edX site on my devstack installation Site Operations Help juniper , devstack	1	357	September 13, 2021

Juniper and SAML Authentication

Added later

Related topics