SAML Login / Account Provisioning with Public Account Creation disabled

Dear all,

I want to achieve basically this:

  • Public Account Creation should be disabled (that is, no-one can simply go to the site and register an account)
  • SAML account creation should work (people can log in through SAML and have their account created automatically, without the need to pre-provision them beforehand)

SAML login in general works, but I am getting redirected to a page saying that I successfully logged in against the SAML provider, but the account is not linked.

ALLOW_PUBLIC_ACCOUNT_CREATION = false
ENABLE_COMBINED_LOGIN_REGISTRATION = true
ENABLE_THIRD_PARTY_AUTH = true
AUTHENTICATION_BACKENDS += ["common.djangoapps.third_party_auth.saml.SAMLAuthBackend", "django.contrib.auth.backends.ModelBackend"]

Long story short - how can I get SAML to work with automatic account creation while disallowing others to simply register themselves?

When changing ALLOW_PUBLIC_ACCOUNT_CREATION to true, SAML login and automatic account registration works as expected.

Using tutor version 14.0.5 in case that matters; it's a pretty fresh installation.

Do you have the skip_email_verification setting turned on for this SAML IdP? It seems like that is used to determine whether or not to “force account creation”.

If you do have that setting on, then I’m not sure… The SAML account creation flow actually requires sending the user to the registration page, although with the right settings the user won’t even see it and the “register your account” form gets submitted automatically, creating their account and taking them to the home page. If the ALLOW_PUBLIC_ACCOUNT_CREATION setting disables the registration page completely, it may also be disabling SAML registration.

That said, I haven’t worked on the auth flow in a long time and I’m not familiar with the nuances of the new Auth MFE, so perhaps someone else may have better insight.

Hi braden,

thank you so much for your time to reply!

Both Skip email verification and Skip registration form are turned on for the SAML IdP. With ALLOW_PUBLIC_ACCOUNT_CREATION=true users don’t even see the registration form, just as you described. With the flag set to false, the form is shown, though the button to submit the registration is greyed out.

OK. Let’s see if anyone else has ideas, but I suspect that you may need to modify the code to achieve what you want. You can either leave the setting True and edit the registration form to hide the registration link, and/or change the registration workflow to throw an exception if the account is not associated with a SAML provider at the time the registration form is submitted.
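
The check suggested in the last reply, sketched as an added example that is not part of the thread and is not Open edX code: the registration handler refuses any submission that does not come from a SAML login in progress. `PipelineState`, `check_registration`, `is_allowed`, the `tpa-saml` backend name and the sample IdP slug are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SAML_BACKEND = "tpa-saml"  # assumption: name the SAML backend reports for itself


class RegistrationDenied(Exception):
    """The registration submission is not backed by a SAML login."""


@dataclass(frozen=True)
class PipelineState:
    """Hypothetical stand-in for the third-party-auth state kept in the session."""
    backend: str             # auth backend that started the login
    idp_slug: Optional[str]  # SAML IdP identifier, None for other backends
    uid: Optional[str]       # subject identifier asserted by the IdP


def check_registration(pipeline: Optional[PipelineState],
                       allowed_idps: frozenset) -> str:
    """Return the identity to link to the new account, or raise.

    Meant to run server-side when the registration form is submitted, so a
    direct POST without a SAML login is rejected even if the link is hidden.
    """
    if pipeline is None:
        raise RegistrationDenied("no third-party login in progress")
    if pipeline.backend != SAML_BACKEND:
        raise RegistrationDenied(f"backend {pipeline.backend!r} is not SAML")
    if pipeline.idp_slug not in allowed_idps:
        raise RegistrationDenied(f"IdP {pipeline.idp_slug!r} is not allowed")
    if not pipeline.uid:
        raise RegistrationDenied("IdP response carried no subject identifier")
    return f"{pipeline.idp_slug}:{pipeline.uid}"


def is_allowed(pipeline: Optional[PipelineState], allowed_idps: frozenset) -> bool:
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        check_registration(pipeline, allowed_idps)
    except RegistrationDenied:
        return False
    return True


if __name__ == "__main__":
    idps = frozenset({"campus-idp"})  # constructed sample values below
    for state in (None, PipelineState("google-oauth2", None, "u1"),
                  PipelineState(SAML_BACKEND, "campus-idp", "alice@example.edu")):
        print(state, "->", is_allowed(state, idps))
```

Hiding the registration link on its own leaves the submission endpoint reachable, which is why the check sits in the handler.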