Restrict registration to specific authentication mechanism

We are trying to set up our installation to rely on the SAML integration via the social-auth pipeline. The login and registration piece is functional, but in order to allow everything to operate it also enables public account creation via the login/registration form. We don’t want the general public to be able to create accounts on our installation, and instead rely on our SAML IDP as the source of truth for who can and cannot be on the platform.

From what I have been able to find, there is not currently any capability to restrict the allowed authentication mechanism for login/registration, meaning that it is not possible for the SAML integration to fully satisfy our needs. Has anyone done any work to lock down the allowed auth backend, and is there any plan to allow for this as a standard feature in the edX platform?

Has anyone at OpenCraft or Racoon Gang dealt with this, like @jill or @RuslanSkiraRaccoonga ?

  1. in lms/envs/devstack.py -> need to add FEATURES[‘ENABLE_THIRD_PARTY_AUTH’] = True
  2. http://localhost:8000/admin/third_party_auth/oauth2providerconfig/add/
    2.1 Enable and Visible flags should be active

Thank you for following up, but the problem isn’t currently with getting the SAML login working, the problem is that in order to get it functional it also opens up public account creation for anyone who uses the registration form or the API. We want to set things up so that SAML is the only way to log in or create an account.

Unfortunately only hide the registration form and leave your loginbutton.
I didn’t find other opportunities or build in functionality.

Thank you for that feedback, I just wanted to make sure there wasn’t something that I had missed.

You’ll have to modify /edx/etc/lms.yml with:

"FEATURES": {
...
  "ALLOW_PUBLIC_ACCOUNT_CREATION" : false
}

This will remove the REGISTER button from the templates and make sure the user api doesn’t not accept an user create request.

Unfortunately it’s not so simple as that. In order for the SAML integration to be able to create new users that flag needs to be set to True, which is what then puts us in the situation of needing to restrict which authentication methods are allowed to create the accounts. Thank you for the input though!

@blarghmatey There’s a feature called Hinted Sign In which should help you here. When Hinted Sign In is enabled, the login/registration pages to automatically redirect to the indicated authentication provider, so nobody gets to see those pages without going through your provider first.

Originally, this “hint” had to be made by adding an extra parameter to the /login or /register page links (see docs). You can test this by adding ?tpa_hint=saml-providerslug to the end of your LMS /login or /registration URL, where providerslug is the “Slug” value you assigned your Provider Configuration (SAML IdP).

We contributed a feature with Ginkgo which makes it possible to enforce this “hinting” for every hit to your login/registration pages without having to change the links (cf edx-platform#15587).

Steps:

  1. Login to your LMS Django Admin as a superuser.
  2. Locate the Site Configuration, and add or update the entry for your LMS site.
  3. Set THIRD_PARTY_AUTH_HINT, e.g.
    {
       "THIRD_PARTY_AUTH_HINT": "saml-providerslug"
    }
    
    The Site Configuration value describes a JSON Object, so it’s fussy about the format. See JSON structures :: Object if you have trouble getting your changes to save.
  4. Wait 3 minutes for the site configuration cache to clear.
  5. Logout, and visit your LMS’s normal /login or /register page, and watch it redirect to your SAML provider.

Alternatively, you can use settings.FEATURES.THIRD_PARTY_AUTH_HINT, but it’s nice to be able to do this with Site Configuration, so you don’t have to restart (or redeply) your whole LMS to make the change.

1 Like