SAML in local MFE authn development environment

Dear all,

I’m trying to modify the authn MFE a bit using a local tutor development environment. The environment itself runs fine, but I can’t get the SAML login button to appear locally.

I’m using an identical copy of the settings on our production instance (both are olive.2), but the SAML login button is not showing up. Essentially, the MFE is doing a GET request to http://local.overhang.io:8000/api/mfe_context?next=/ which returns an empty providers list, so the MFE is behaving as expected, the LMS is not.

I’ll put some details below, but essentially I did the following:

  • Enable a python plugin to enable ENABLE_COMBINED_LOGIN_REGISTRATION and ENABLE_THIRD_PARTY_AUTH, as well as setting the AUTHENTICATION_BACKENDS and public / private key.
  • Add a SAML configuration, same settings as production
  • Add a SAML provider configuration (SAML IdP) and verify that Metadata Ready is ok

I access the authn MFE directly using http://apps.local.overhang.io:1999/authn/ , somehow I wonder if there is some error in the site settings or something stupid like that. Would appreciate any help or pointers on how to get additional help.

This is the saml.py file I use as plugin:

$ cat "$(tutor plugins printroot)/saml.py"
from tutor import hooks
 
hooks.Filters.ENV_PATCHES.add_item(
    (
        "common-env-features",
        "ALLOW_PUBLIC_ACCOUNT_CREATION: false"
    )
)
 
hooks.Filters.ENV_PATCHES.add_item(
    (
        "common-env-features",
        "ENABLE_COMBINED_LOGIN_REGISTRATION: true"
    )
)
 
hooks.Filters.ENV_PATCHES.add_item(
    (
        "common-env-features",
        "ENABLE_THIRD_PARTY_AUTH: true"
    )
)
 
hooks.Filters.ENV_PATCHES.add_item(
    (
        "openedx-lms-common-settings",
        'AUTHENTICATION_BACKENDS += ["common.djangoapps.third_party_auth.saml.SAMLAuthBackend", "django.contrib.auth.backends.ModelBackend"]'
    )
)
 
# Private and public key for SAML
# Note that the lines must not be indented, otherwise they will also be in the YAML file
hooks.Filters.ENV_PATCHES.add_item(
    (
        "openedx-auth",
        """
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "-----BEGIN PRIVATE KEY-----xxx\n-----END PRIVATE KEY-----"
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT: "-----BEGIN CERTIFICATE-----xxx\n-----END CERTIFICATE-----"
        """
    ),
)

I verified that the settings are indeed set:

$ grep -rnw . -e "AUTHENTICATION_BACKENDS"
./env/apps/openedx/settings/lms/development.py:284:AUTHENTICATION_BACKENDS += ["common.djangoapps.third_party_auth.saml.SAMLAuthBackend", "django.contrib.auth.backends.ModelBackend"]

$ grep -rnw . -e "ENABLE_THIRD_PARTY_AUTH"
./env/apps/openedx/config/lms.env.yml:10:  ENABLE_THIRD_PARTY_AUTH: true
./env/apps/openedx/config/lms.env.yml:26:  ENABLE_THIRD_PARTY_AUTH: true
./env/apps/openedx/config/cms.env.yml:10:  ENABLE_THIRD_PARTY_AUTH: true

# Not sure why it's in there twice, but I guess that doesn't hurt

$ grep -rnw . -e "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY"
./env/apps/openedx/config/lms.env.yml:56:SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "-----BEGIN PRIVATE KEY-----
./env/apps/openedx/config/cms.env.yml:49:SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "-----BEGIN PRIVATE KEY-----

In case it matters, I do see this message during launch:

Your models in app(s): 'third_party_auth' have changes that are not yet reflected in a migration, and so won't be applied.
  Run 'manage.py makemigrations' to make new migrations, and then re-run 'manage.py migrate' to apply them.

I cannot tell why, but at some point it simply started to work. Is there something like a regular task or cronjob that needs to run first?
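
Added example (not part of the original post, and not Tutor or Open edX code): the grep output above shows the key value breaking right after the BEGIN line, which is what a non-raw Python string does with `\n` before the patch is written to YAML. The sketch below compares how a YAML double-quoted scalar then reads that value against the raw-string form; the key body is a constructed placeholder, and `yaml_double_quoted` and `pem_is_line_structured` are hypothetical helpers that model YAML's folding rule in simplified form rather than a full parser.

```python
import re

KEY = "SOCIAL_AUTH_SAML_SP_PRIVATE_KEY"

# Non-raw string, as in the posted plugin: Python expands \n to a real line
# break before the patch text is written into lms.env.yml.
# The base64 body is a constructed placeholder, not key material.
PATCH_PLAIN = """
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----"
"""

# Raw string: the two characters backslash-n reach the YAML file unchanged.
PATCH_RAW = r"""
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----"
"""

ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}


def yaml_double_quoted(patch: str, key: str) -> str:
    """Simplified model of how YAML reads a double-quoted scalar."""
    m = re.search(rf'^{re.escape(key)}:\s*"((?:[^"\\]|\\.)*)"', patch, re.M | re.S)
    if m is None:
        raise KeyError(key)
    first, *rest = m.group(1).split("\n")
    folded, blanks = first, 0
    for line in rest:
        if not line.strip():
            blanks += 1  # each empty line inside the quotes becomes one newline
            continue
        # A single line break inside the quotes folds to one space.
        folded = folded.rstrip(" \t") + ("\n" * blanks or " ") + line.lstrip(" \t")
        blanks = 0
    # Escape sequences are decoded by YAML itself, after folding.
    return re.sub(r"\\(.)", lambda e: ESCAPES.get(e.group(1), e.group(0)), folded)


def pem_is_line_structured(value: str) -> bool:
    """True when the BEGIN and END armor lines sit on lines of their own."""
    lines = value.strip().splitlines()
    return (len(lines) >= 3
            and re.fullmatch(r"-----BEGIN [A-Z ]+-----", lines[0]) is not None
            and re.fullmatch(r"-----END [A-Z ]+-----", lines[-1]) is not None)


if __name__ == "__main__":
    for name, patch in (("plain", PATCH_PLAIN), ("raw", PATCH_RAW)):
        value = yaml_double_quoted(patch, KEY)
        print(f"{name:5} -> {value!r} line-structured={pem_is_line_structured(value)}")
```
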