Running several sites with SAML authentication

Hello all,

I’m sorry if this is a repost but I couldn’t find a solution on this forum.

I’m running two different edX sites with devstack on the same server. Each site has its own edxapp database and its own domain name for each LMS docker container.

I’m trying to set up SAML authentication on the two sites, but I can’t have the login button visible on both sites. Only one is showing, and when I update one or the other SAML provider configuration in the admin page, the button for the configuration I just updated is the one that shows.

I tried changing the slug values for both to default and then giving each config a unique value, but no matter the slug value I couldn’t get both buttons to show on both sites.

I can, however, have the two buttons showing on the same site, but not one button for each site.

Any advice on how to run several edX sites on the same server? Or maybe someone can share his experience on how to run two edX sites on the same server?

Thanks in advance,

Regards,
Lucas

@recyclop Can you perhaps upload some screenshots of your SAML configuration and your login pages, with any sensitive information blocked out? It’s a little hard for me to understand what problem you’re having.

I can have however the two buttons showing on the same site

Which two buttons? Do you have two SAML identity providers?

Each site has its own edxapp database and its own domain name for each lms docker container.

If that’s the case, it’s hard to imagine how they could be interfering with each other. They should be completely separate.

Any advice on how to run several edX sites on the same server? Or maybe can someone share his experience on how to run two edX sites on the same server?

First, you’re talking about development and testing only, right? devstack is not meant for production use.

If so, check out “Developing on Open edX named release branches” (Open edX Devstack Unversioned documentation) and “Multiple isolated devstacks on the same host” (#6 by Zachary_Trabookis).


By the way, you can also use the platform’s “Sites” framework to have just one single LMS container running (with one edxapp database) but which can be accessed at two different URLs, with each URL having different name/appearance, different courses, and different SAML providers (but user accounts are shared between them). Just mentioning that in case it’s a simpler option.

First of all, thank you for your detailed answer, which gives me a lot of options to explore.

Sorry for the long post; I hope I manage to give a clearer idea of what I’m trying to achieve below.

I should have explained here that my goal is to have several instances of my production stack edX site on the same server, in order to have something like one course catalog for internal usage and one for external partners and customers.

I would like to have two sites on the same server and only allow users to connect to one site and not the other.

At the moment I’m exploring ways to achieve that on devstack before doing the same architecture on production stack.

Regarding my issue with the SAML third-party authentication login: I have two different SAML applications on Okta to serve as identity providers, and I’m trying to integrate those two providers on edX.

About the SAML configuration I have right now, see below:

On the first site, hosted on domain.example.com, I created a SAML configuration with the unique slug = internal. I created my set of keys and left the advanced config at its default:

{
  "SECURITY_CONFIG": {
    "metadataCacheDuration": 604800,
    "signMetadata": false
  }
}

And I have basically the same config for my second site, hosted on otherdomain.example.com, with another set of keys and the slug = external.

Then I created two SAML identity provider configurations, one for each site, to use those SAML configurations: one with the slug internal, the other external. They are basically identical except for the entity and metadata source fields, which each point to the correct Okta third-party identity provider.

My issue is that I can only see the third-party auth button, which redirects the user to the third-party authentication page, on one site’s login page. For the other one the button is not visible, and when I update one SAML provider config the button appears on that site’s login page but disappears from the other site, where it was visible before.

I tried having two sites on the same LMS container and on the same DB as well, but I have the same issue: only one site at a time can have the button visible with my configuration.

I will try to use the links you provided to create two completely separate devstacks.

You should be able to do that with one server, one database, one Open edX installation, and just configure the “sites” framework to act as multiple sites (white labelling). There should only be one edxapp database, in the simple version of this.

If you want all data to be fully separate though, then use two separate servers and two separate Open edX installations.

Perhaps I am misunderstanding, but if you want to run Open edX on two separate domains (two sites), and on each site you want to have two SAML provider login options, then you will need to create four identity provider configurations: internal-A, internal-B, external-A, external-B. Then on the domain A.example.com you’d see “internal” and “external” and on the domain B.example.com you would also see “internal” and “external”. Each configuration is only shown on one site/domain, which is why you’d need four.
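The rule stated in the post above (each identity provider configuration is shown on only one site/domain), as an added example that is not part of the thread and not Open edX code: a small Python audit that compares a planned set of provider configurations with the login buttons each domain is supposed to offer. The `ProviderConfig` class, the IdP labels and the slug-reuse check are assumptions of this sketch; the sample data is constructed from the thread's placeholder domains.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProviderConfig:          # hypothetical model, not an Open edX class
    slug: str                  # name of the identity provider configuration
    site: str                  # the single domain this configuration is shown on
    idp: str                   # label for the upstream IdP (e.g. one Okta app)
    enabled: bool = True

def login_buttons(configs, domain):
    """IdP buttons the login page on `domain` shows: only configs bound to it."""
    return sorted(c.idp for c in configs if c.enabled and c.site == domain)

def audit(configs, required):
    """Compare configs with `required` ({domain: set of IdP labels})."""
    findings = []
    by_slug = defaultdict(set)
    for c in configs:
        by_slug[c.slug].add(c.site)
    for slug, sites in sorted(by_slug.items()):
        if len(sites) > 1:     # assumption of this sketch: one slug per site
            findings.append(f"slug {slug!r} reused on {sorted(sites)}")
    for domain, wanted in sorted(required.items()):
        shown = set(login_buttons(configs, domain))
        findings += [f"missing: {domain} lacks {i}" for i in sorted(wanted - shown)]
        findings += [f"unexpected: {domain} offers {i}" for i in sorted(shown - wanted)]
    return findings

# Constructed sample data using the thread's placeholder domains.
A, B = "A.example.com", "B.example.com"
TWO = [ProviderConfig("internal", A, "okta-internal"),
       ProviderConfig("external", B, "okta-external")]
FOUR = [ProviderConfig("internal-A", A, "okta-internal"),
        ProviderConfig("external-A", A, "okta-external"),
        ProviderConfig("internal-B", B, "okta-internal"),
        ProviderConfig("external-B", B, "okta-external")]
BOTH_EVERYWHERE = {A: {"okta-internal", "okta-external"},
                   B: {"okta-internal", "okta-external"}}
ONE_EACH = {A: {"okta-internal"}, B: {"okta-external"}}

if __name__ == "__main__":
    print(audit(TWO, BOTH_EVERYWHERE))   # two configs cannot cover four buttons
    print(audit(FOUR, BOTH_EVERYWHERE))  # four configs: no findings
    print(audit(FOUR, ONE_EACH))         # separation goal: extra buttons flagged
```

The `unexpected` findings are the ones to watch when the goal is to keep internal and external users on separate sites: they flag a login option offered on a domain that should not have it.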

Thank you again, Braden, for your response.

I managed to achieve my goal, but using the sites framework. I configured 2 SAML identity providers per site to allow me to separate my users on two different sites. Each site can have its own configuration, which allowed me to create two different course catalogs.

Thank you again for your feedback.

Best regards,
Lucas