SSO and SSL: tpa-saml

Hi,
I have an issue with Open edX. After I set up the Open edX settings for SSO and the metadata was generated, there is an issue with the HTTP: it is without the "S", even though I already have an SSL certificate on the domain?

```xml
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lmsdomain/auth/complete/tpa-saml/" index="1"/>
    </md:SPSSODescriptor>
```

Because of this issue, when I tried to log in by SSO, the page appears to me.

And this is the error shown when I tried to add the "s" to HTTP:

```
Internal Server Error: /auth/complete/tpa-saml/
Traceback (most recent call last):
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/utils/decorators.py", line 185, in inner
    return func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_django/views.py", line 33, in complete
    *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/actions.py", line 41, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/backends/saml.py", line 295, in auth_complete
    idp_name = self.strategy.request_data()['RelayState']
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/utils/datastructures.py", line 85, in __getitem__
    raise MultiValueDictKeyError(repr(key))
MultiValueDictKeyError: "'RelayState'"
```

I appreciate your support, @braden @giovannicimolin.

First, make sure you use HTTPS when fetching the metadata from Open edX. Otherwise it will use http in the metadata.

Second, when you view the metadata, if you are accessing the metadata over HTTPS but it contains an http URL, then Django is misconfigured. Whatever proxy server is handling your HTTPS connection should be passing some headers to Django to indicate that the request was HTTPS, but Django isn’t seeing those headers. Check the SECURE_PROXY_SSL_HEADER setting, which should be what you need to change to fix it.

Hi @braden,
Thank you so much, I appreciate that.

I have a question about fetching the metadata from Open edX: you mean opening this link, https://lmsdomian/auth/saml/metadata.xml, right? If so, yes, I used HTTPS,
but it still contains this HTTP URL:

```xml
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lmsdomian/auth/complete/tpa-saml/" index="1"/>
```

I followed these steps:

1- Generate key and cert
2- Add key and cert to the LMS configuration file auth.env:

```
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT
```

3- And update these in the LMS configuration file lms.env:

```
"FEATURES": {
...
"ENABLE_THIRD_PARTY_AUTH": true,
....
},
"THIRD_PARTY_AUTH_BACKENDS": [
        "third_party_auth.saml.SAMLAuthBackend"
    ],
```

4- Add the configuration at admin/third_party_auth/samlconfiguration/

5- Run the restart lms command
6- The metadata is enabled at https://lmsdomian/auth/saml/metadata.xml


Resource: 4.24.4. Configuring your Open edX Site as a SAML Service Provider — Installing, Configuring, and Running the Open edX Platform documentation

Are there any other configurations that I missed?

And for SECURE_PROXY_SSL_HEADER, this is the default value in the LMS.

path: edx-platform/lms/envs/aws.py

```python
# IMPORTANT: With this enabled, the server must always be behind a proxy that
# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
# a user can fool our server into thinking it was an https connection.
# See
# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
# for other warnings.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
```

Also, this is the server-side setup:

```
users ======(https)====>Haproxy ====(http)==>Nginx====(http)===>LMS
```

haproxy config:

```
#adding front-end
frontend LMS_DEV
bind *:80
bind *:443 ssl crt lms_dev.pem crt mysite.pem no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4
http-request redirect scheme https unless { ssl_fc }
http-request set-header X-Forwarded-Proto https
```

There is probably something wrong either with your haproxy config, your nginx config, or your django config, and it’s resulting in Django not knowing that the connection is secure.

I suspect that your haproxy config is correct but nginx is stripping out the X-Forwarded-Proto header before it gets to the LMS.

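To make the diagnosis above concrete, here is an added example (not edx-platform, Django or haproxy code) that models how X-Forwarded-Proto travels through the chain the poster described and how Django's SECURE_PROXY_SSL_HEADER rule turns it into the scheme written into the ACS Location. The three nginx behaviours (pass-through, overwrite with its own scheme, strip) and the function names are assumptions made for the illustration; the setting value and the host name come from the thread.

```python
# Added example, not edx-platform/Django/haproxy code: models the chain
#   users --https--> haproxy --http--> nginx --http--> LMS
# and Django's SECURE_PROXY_SSL_HEADER decision behind request.is_secure().
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")  # lms/envs/aws.py default


def haproxy_edge(client_headers):
    """'http-request set-header X-Forwarded-Proto https' on the TLS frontend:
    set-header overwrites whatever the client sent, so a spoofed value never
    travels further. (Plain-http requests are redirected before this point.)"""
    headers = dict(client_headers)
    headers["X-Forwarded-Proto"] = "https"
    return headers


def nginx_hop(headers, mode):
    """Three assumed nginx behaviours between haproxy and the LMS."""
    headers = dict(headers)
    if mode == "passthrough":          # header forwarded untouched
        pass
    elif mode == "overwrite":          # e.g. proxy_set_header X-Forwarded-Proto $scheme;
        headers["X-Forwarded-Proto"] = "http"   # nginx itself only saw plain http
    elif mode == "strip":              # header dropped before reaching the LMS
        headers.pop("X-Forwarded-Proto", None)
    else:
        raise ValueError(mode)
    return headers


def wsgi_meta(headers):
    """WSGI turns 'X-Forwarded-Proto' into the META key 'HTTP_X_FORWARDED_PROTO'."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}


def is_secure(meta):
    """Django's rule: secure only if the configured META key holds exactly the
    configured value; the (plain-http) socket itself is not consulted."""
    header, value = SECURE_PROXY_SSL_HEADER
    return meta.get(header) == value


def acs_location(meta, host="lmsdomain"):
    """Scheme that ends up in the AssertionConsumerService Location."""
    scheme = "https" if is_secure(meta) else "http"
    return "%s://%s/auth/complete/tpa-saml/" % (scheme, host)


def simulate(nginx_mode, client_headers=None):
    """Full chain for one request that entered haproxy over TLS."""
    return acs_location(wsgi_meta(nginx_hop(haproxy_edge(client_headers or {}), nginx_mode)))


if __name__ == "__main__":
    for mode in ("passthrough", "overwrite", "strip"):
        print("nginx %-11s -> %s" % (mode, simulate(mode)))
    # The aws.py warning: reached directly, the LMS trusts a client-supplied header.
    print("direct, spoofed header -> secure =", is_secure(wsgi_meta({"X-Forwarded-Proto": "https"})))
```

Only the pass-through case yields the https Location the poster expected; the other two reproduce the http URL seen in the metadata, and the last line shows why the LMS must never be reachable except through the header-overwriting edge proxy.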

Thanks, Mr. @braden, I really appreciate your support.
It is working now after adding:

```
http-request set-header X-Forwarded-Proto https
```