Missing metadata.xml while configuring SAML third party auth on Ironwood edx

Hi all,

I’ve been setting up new installation of Open edX for my local Uni. We’ve already been running older release for some time and are planning to replace this with the newer release (and subsequently create an upgrade workflow).

Part of the requirements is a functional third party authentication. The older release has configuration for Google+ and Facebook OAuth2 and our own university Shibboleth SSO. Therein lies my problem, since I cannot for the life of me integrate the university log in option.

I have a clean install (only SSL has been setup) of latest Ironwood release at my disposal on our dev server, no custom data, no other configuration. I followed this manual. After long and numerous unsuccessful attempts I noticed, while configuring my edx as a SAML SP, that the key pair I generated and inserted into /edx/app/edxapp/lms.auth.json seems not to load since I’m seeing “key pair incomplete/missing”. I even tried using key pair from the current running installation which is known to work, but I get the same thing.

Now, while I wanted to avoid doing that, I placed the key pair directly into configuration in django admin console in admin/third_party_auth/samlconfiguration/. The key pair then does show in the SAML configuration overview, but I am still unable to access the metadata (which should be located in auth/saml/metadata.xml). All I get is the edX Page not found site.

I’ve looked for answers here and I’ve stumbled upon this post: Configuring Open edX as SP. However, in this case it’s Juniper edX, and also I have the site set to default from the begining. But my edX definitely has third party auth enabled (it was actually enabled by default, contrary to what the docs say).

I’ve been over the docs so many times I think I’m starting to remember them by heart. I’m pretty sure I’m missing something in the workflow, but there’s nothing in the docs and I’m extremely reluctant adventuring into the code itself as it would take a lot of time and the management is already breathing on my neck. As such I would greatly appreciate any assistance with this issue. I should be able to provide more data if it’s needed to better identify the problem.


Hi @mringer,

The older release has configuration for Google+ and Facebook OAuth2

Are the other third party auth providers like Google working on the new setup?

and also I have the site set to default from the begining

If you go to the “Sites” configuration in the Django admin, is there only one entry, and does its URL match the URL of your newer installation?

Can you post screenshots of the admin/third_party_auth/samlconfiguration/ details, blocking out any confidential info or private keys etc.?

thanks for the reply. First of all, yes, both Facebook and Google+ are working just fine:
OAuth configuration in Django (apparently, I cannot upload screenshots here directly)
Login form in the LMS

As for the sites, I tried it both with example.com site and with the actual URL of the server. There is always only one configuration at any time, I just update the values. The OAuth2 configurations are working with both example.com and actual URL site configurations.

The SAML configuration is done exactly by the official documentation:
SAML configuration in Django

It doesn’t matter if I setup site config with URL or leave it at example, the SAML config keeps saying “key pair missing/incomplete”. I have the keys in lms.auth.json, as of now they’ve been generated by the exact command Django recommends (but I’ve already tried working key pair from current live installation). I can copy the keys directly into Django. However, while they do show up in the config overview, the metadata.xml is still unavailable (/auth/saml/metadata.xml ends in edx “page not found”).

Thanks for the help.

Ok, well the metadata definitely won’t work if it says that, so make sure you do whatever you need to avoid that - i.e. put the key into the django admin directly. Once you get it working, you can later generate new keys and move them into lms.auth.json properly.

I would definitely change it to the domain name of the server (leave out the protocol) and leave it at that.

Anyhow, I think I found your issue: a change made two years ago and never documented requires that the slug value be set to default (which it is by default, but it seems that you have changed it here to “muni”). I suspect if you change that back to default it will solve the problem. If that solves your issue, please mark this as the solution and then I’ll try to get the docs updated.

1 Like

That seems to be indeed the case. After I switched the slug to default, the keys were properly loaded up from lms.auth.json and metadata.xml is now accessible. I did not imagine this would be the problem since the current running installation, which is an older release, has these slugs set to custom values.

Anyway, thanks a lot for your help!