Restrict registration to specific authentication mechanism

@blarghmatey There’s a feature called Hinted Sign In which should help you here. When Hinted Sign In is enabled, the login/registration pages automatically redirect to the indicated authentication provider, so nobody gets to see those pages without going through your provider first.

Originally, this “hint” had to be made by adding an extra parameter to the /login or /register page links (see docs). You can test this by adding ?tpa_hint=saml-providerslug to the end of your LMS /login or /registration URL, where providerslug is the “Slug” value you assigned your Provider Configuration (SAML IdP).

We contributed a feature with Ginkgo which makes it possible to enforce this “hinting” for every hit to your login/registration pages without having to change the links (cf edx-platform#15587).

Steps:

  1. Log in to your LMS Django Admin as a superuser.
  2. Locate the Site Configuration, and add or update the entry for your LMS site.
  3. Set THIRD_PARTY_AUTH_HINT, e.g.
    {
       "THIRD_PARTY_AUTH_HINT": "saml-providerslug"
    }
    
    The Site Configuration value describes a JSON Object, so it’s fussy about the format. See JSON structures :: Object if you have trouble getting your changes to save.
  4. Wait 3 minutes for the site configuration cache to clear.
  5. Log out, and visit your LMS’s normal /login or /register page, and watch it redirect to your SAML provider.

Alternatively, you can use settings.FEATURES.THIRD_PARTY_AUTH_HINT, but it’s nice to be able to do this with Site Configuration, so you don’t have to restart (or redeploy) your whole LMS to make the change.

3 Likes
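
An added example, not part of the original post or of edx-platform: a check to run on the Site Configuration value from step 3 before pasting it into Django Admin, plus the per-link `?tpa_hint=` URLs for testing the same hint. The function names, the `saml-<slug>` pattern and the `lms.example.com` host are assumptions for illustration.

```python
import json
import re
from urllib.parse import urlencode, urljoin

# Assumption: a SAML hint has the form "saml-<slug>", as in the post's example.
# The slug character set is a conservative guess, not taken from edx-platform.
HINT_RE = re.compile(r"^saml-[A-Za-z0-9_-]+$")
KEY = "THIRD_PARTY_AUTH_HINT"


def check_site_config(raw):
    """Return a list of problems in a Site Configuration value (empty list = OK)."""
    try:
        config = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}, column {exc.colno}): {exc.msg}"]
    if not isinstance(config, dict):
        return ["top-level value must be a JSON object"]
    if KEY not in config:
        # JSON keys are case-sensitive, so a lower-case or misspelled key lands here.
        return [f"{KEY} key not found"]
    hint = config[KEY]
    if not isinstance(hint, str) or not HINT_RE.match(hint):
        return [f"{KEY} value {hint!r} is not of the form saml-<slug>"]
    return []


def hint_test_urls(lms_base, hint):
    """Build the /login and /register URLs carrying ?tpa_hint= for a manual test."""
    query = urlencode({"tpa_hint": hint})
    return [urljoin(lms_base, f"{path}?{query}") for path in ("/login", "/register")]


if __name__ == "__main__":
    # Constructed sample values, including common formatting mistakes.
    samples = [
        '{"THIRD_PARTY_AUTH_HINT": "saml-providerslug"}',
        '{"THIRD_PARTY_AUTH_HINT": "saml-providerslug",}',  # trailing comma
        "{'THIRD_PARTY_AUTH_HINT': 'saml-providerslug'}",   # single quotes
        '{"third_party_auth_hint": "saml-providerslug"}',   # wrong key case
        '{"THIRD_PARTY_AUTH_HINT": "providerslug"}',        # missing saml- prefix
    ]
    for raw in samples:
        print(raw, "->", check_site_config(raw) or "OK")
    for url in hint_test_urls("https://lms.example.com", "saml-providerslug"):
        print(url)
```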