Migrating from one SAML IdP to another, with minimal learner disruption

Hi everyone,

suppose we are running an Open edX platform with hundreds of users, all of whom register and authenticate through a SAML IdP. We now want to migrate from that SAML IdP to another. All our user data has been duplicated into the new IdP; specifically, user accounts in the old and new SAML backends use the same email addresses. That is to say, John Doe from Example, Inc. is john.doe@example.com in both IdPs.

We can now add the new IdP to our Open edX configuration, and any new user on our platform will be able to seamlessly register and authenticate just like before.

However, for a learner like John Doe, who already had an account on the Open edX platform pre-migration, things are less streamlined: if John attempts to log in using the new SAML IdP, Open edX notifies him that an address john.doe@example.com already exists in the system, and that in order to link the new IdP to his existing account, he will have to enter his password.

This is somewhat confusing and disruptive, because John has never had to set a password on his Open edX account. And rather than immediately attempting to reset his password, John might get confused and attempt to authenticate with the password he uses to authenticate against his SAML IdP, which won’t work, confusing and frustrating him further.

John could of course avoid this pain by logging in using the old IdP, going to his Account page, selecting Linked Accounts, and linking the new SAML IdP (and possibly unlinking the old one), but that too seems like a tedious extra step — after all it’s not John who is adding a new SSO option for himself, rather it’s us (the site operator) who is running a migration that John presumably couldn’t care less about.

So my question is this: is there a way for us to make this easier for John? For example, do we have a clever way of setting up a SAML IdP so that when John logs in, he isn’t asked for his password but is instead transparently redirected to log in via another IdP?

Or, can we configure two IdPs not in a side-by-side fashion, but rather in “B (new) replaces A (old)” mode? That is to say, if John’s account is already linked to A, and he now logs in with B, and the email address attribute returned by B matches John’s, John’s account gets automatically linked to B without prompting him for his password?

@dave - any thoughts on this? Or who I might tag?

At a guess: @blarghmatey, @pdpinch , and @robrap

What we did in this situation previously was to manufacture the records in the user social auth, which is what links the auth_user record with the IDP. To do that, if you look at some accounts that were created with the new IDP it should show you a structural pattern of the records which you can duplicate with a script to iterate through your existing accounts and make sure that they all have the right linkages.
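
A worked example of the relinking script described in the reply above. This is an added example, not code from this thread or from the Open edX project, and it rests on assumptions the thread does not state: that SAML linkages live in social_django's UserSocialAuth table with provider "tpa-saml" and uid of the form "<idp_slug>:<remote_id>", and that the new IdP's remote id is the learner's email address (in Open edX the remote id is whichever attribute the SAML provider config names, so confirm both the provider name and the uid pattern by inspecting a row created through the new IdP before running anything). The planning step is pure Python and runs offline; only apply_plan() touches the database, and it defaults to a dry run.

```python
"""
Plan UserSocialAuth rows that link existing Open edX users to a new SAML IdP.

Added example, not code from the thread or from the Open edX project.
Assumptions (not stated in the thread; verify against a real row first):
  * SAML linkages are rows in social_django's UserSocialAuth table with
    provider == "tpa-saml" and uid == "<idp_slug>:<remote_id>".
  * The new IdP identifies the learner by email, so remote_id == email.
plan_relinks() needs no Django; apply_plan() is meant for a Django shell.
"""
from collections import Counter
from dataclasses import dataclass, field

SAML_BACKEND = "tpa-saml"  # assumed provider name of the Open edX SAML backend


@dataclass(frozen=True)
class SocialAuthRow:
    """Minimal stand-in for a social_django UserSocialAuth row."""
    user_id: int
    provider: str
    uid: str


@dataclass
class RelinkPlan:
    create: list = field(default_factory=list)   # (user_id, provider, uid)
    skipped: dict = field(default_factory=dict)  # user_id -> reason


def saml_uid(idp_slug, remote_id):
    """Build the uid the SAML backend is assumed to store: '<idp_slug>:<remote_id>'."""
    return f"{idp_slug}:{remote_id}"


def _normalize(email):
    # Assumption: the new IdP sends lower-case addresses; match your IdP's casing.
    return (email or "").strip().lower()


def plan_relinks(users, existing, old_idp_slug, new_idp_slug):
    """
    users:    iterable of (user_id, email) pairs from auth_user
    existing: iterable of SocialAuthRow already present in the database
    Returns a RelinkPlan listing rows to create and why others were skipped.
    Only users currently linked to the old IdP are relinked, and nothing is
    unlinked, so the old IdP keeps working until the operator removes it.
    """
    old_prefix, new_prefix = saml_uid(old_idp_slug, ""), saml_uid(new_idp_slug, "")
    linked_old, linked_new, taken_uids = set(), set(), set()
    for row in existing:
        if row.provider != SAML_BACKEND:
            continue  # Google, GitHub etc. linkages are irrelevant here
        taken_uids.add(row.uid)
        if row.uid.startswith(old_prefix):
            linked_old.add(row.user_id)
        elif row.uid.startswith(new_prefix):
            linked_new.add(row.user_id)

    # Two auth_user rows sharing an email can never both map to one SAML uid.
    email_counts = Counter(_normalize(email) for _, email in users)
    plan = RelinkPlan()
    for user_id, email in users:
        email = _normalize(email)
        new_uid = saml_uid(new_idp_slug, email)
        if user_id in linked_new:
            plan.skipped[user_id] = "already linked to new IdP"
        elif user_id not in linked_old:
            plan.skipped[user_id] = "not linked to old IdP"
        elif not email:
            plan.skipped[user_id] = "no email address"
        elif email_counts[email] > 1:
            plan.skipped[user_id] = "email address shared by several users"
        elif new_uid in taken_uids:
            plan.skipped[user_id] = "new uid already belongs to another user"
        else:
            plan.create.append((user_id, SAML_BACKEND, new_uid))
    return plan


def apply_plan(plan, social_auth_model, dry_run=True):
    """
    Write the planned rows through a Django model class (pass
    social_django.models.UserSocialAuth). Returns the number of rows created;
    get_or_create keeps a re-run idempotent.
    """
    created = 0
    for user_id, provider, uid in plan.create:
        if dry_run:
            print(f"would create provider={provider} uid={uid} user_id={user_id}")
            continue
        _, was_created = social_auth_model.objects.get_or_create(
            user_id=user_id, provider=provider, uid=uid)
        created += int(was_created)
    return created


def example_plan():
    """Constructed sample data standing in for auth_user and UserSocialAuth."""
    users = [(1, "john.doe@example.com"), (2, "jane@example.com"),
             (3, "bob@example.com"), (4, "new@example.com")]
    existing = [
        SocialAuthRow(1, SAML_BACKEND, "old-idp:john.doe@example.com"),
        SocialAuthRow(2, SAML_BACKEND, "old-idp:jane@example.com"),
        SocialAuthRow(2, SAML_BACKEND, "new-idp:jane@example.com"),  # self-linked already
        SocialAuthRow(3, "google-oauth2", "bob@example.com"),        # never used SAML
        SocialAuthRow(4, SAML_BACKEND, "new-idp:new@example.com"),   # post-migration signup
    ]
    return plan_relinks(users, existing, "old-idp", "new-idp")


if __name__ == "__main__":
    apply_plan(example_plan(), social_auth_model=None, dry_run=True)
```

In a real run, pull `users` from `User.objects.values_list("id", "email")` and `existing` from `UserSocialAuth.objects.all()`, review the dry-run output, then call `apply_plan(plan, UserSocialAuth, dry_run=False)`. Rows for the old IdP are deliberately left in place so learners still in flight can finish with either IdP; delete them in a separate step once the old IdP is switched off.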

Sorry - I’m not going to be of much help on this one.

Thanks to all who replied. If I may summarise, it looks like (at least presently), no really elegant or universal approach exists, and people have resorted to low-level database modifications in the past to make this smoother for learners.

If we do figure something out, I’ll add a write-up to this thread.

Thanks again!