SSO and SSL: tpa-saml

muneera_salah · November 14, 2021, 9:13am

hi
I have an issue with open edx,
after I set up the setting of open edx for SSO and the metadata was generated, there is an issue for the HTTP it is without “S” even I already have an SSL certificate in a domain?

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lmsdomain/auth/complete/tpa-saml/" index="1"/>
    </md:SPSSODescriptor>

because of this issue, when I tried to login by SSO the page appears to me.

and this is the error shown when I tried to add "s" to HTTP

 Internal Server Error: /auth/complete/tpa-saml/
Traceback (most recent call last):
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/utils/decorators.py", line 185, in inner
    return func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_django/views.py", line 33, in complete
    *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/actions.py", line 41, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/backends/saml.py", line 295, in auth_complete
    idp_name = self.strategy.request_data()['RelayState']
  File "/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/django/utils/datastructures.py", line 85, in __getitem__
    raise MultiValueDictKeyError(repr(key))
MultiValueDictKeyError: "'RelayState'"

muneera_salah · November 15, 2021, 9:30am

appreciate your support @braden @giovannicimolin

braden · November 15, 2021, 7:10pm

First, make sure you use HTTPS when fetching the metadata from Open edX. Otherwise it will use http in the metadata.

Second, when you view the metadata, if you are accessing the metadata over HTTPS but it contains an http URL, then django is mis-configured. Whatever proxy server is handling your HTTPS connection should be passing some headers to Django to indicate that the request was HTTPS, but Django isn’t seeing those headers. Check the SECURE_PROXY_SSL_HEADER setting, which should be what you need to change to fix it.

muneera_salah · November 16, 2021, 8:48am

Hi @braden
Thank you so much. appreciate that.

I have a question, for fetching the metadata from Open edX? you mean run this link https://lmsdomian/auth/saml/metadata.xml, right? if is it, yes I used HTTPS
but still, contain HTTP this

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://lmsdomian/auth/complete/tpa-saml/" index="1"/>

I followed these steps:

1- Generate key and cert
2- Add key and cert at the LMS configuration file auth.env

SOCIAL_AUTH_SAML_SP_PRIVATE_KEY
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT

3- and update these at the LMS configuration file lms.env

"FEATURES": {
...
"ENABLE_THIRD_PARTY_AUTH": true,
....
},
"THIRD_PARTY_AUTH_BACKENDS": [
        "third_party_auth.saml.SAMLAuthBackend"
    ],

4- add configration on admin/third_party_auth/samlconfiguration/

5- Run restart lms command
6- The metatda enabled https://lmsdomian/auth/saml/metadata.xml

resource: 4.24.4. Configuring your Open edX Site as a SAML Service Provider — Installing, Configuring, and Running the Open edX Platform documentation

Are there any other configurations that I missed?

And for SECURE_PROXY_SSL_HEADER
This is the default value at LMS

path: edx-platform/lms/envs/aws.py

# IMPORTANT: With this enabled, the server must always be behind a proxy that
# strips the header HTTP_X_FORWARDED_PROTO from client requests. Otherwise,
# a user can fool our server into thinking it was an https connection.
# See
# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header
# for other warnings.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

muneera_salah · November 16, 2021, 9:34am

also, this is server-side setup

users ======(https)====>Haproxy ====(http)==>Nginx====(http)===>LMS

haproxy config :

#adding front-end
frontend LMS_DEV
bind *:80
bind *:443 ssl crt lms_dev.pem crt mysite.pem no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4
http-request redirect scheme https unless { ssl_fc }
http-request set-header X-Forwarded-Proto https```

braden · November 17, 2021, 7:09pm

There is probably something wrong either with your haproxy config, your nginx config, or your django config, and it’s resulting in Django not knowing that the connection is secure.

I suspect that your haproxy config is correct but nginx is stripping out the X-Forwarded-Proto header before it gets to the LMS.

muneera_salah · November 21, 2021, 9:00am

Thanks, Mr. @braden really appreciate your support.
it is working now by adding

http-request set-header X-Forwarded-Proto https```

system · February 19, 2022, 9:01am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SAML Configuration Issues Site Operations Help	2	735	May 14, 2023
Open Edx SAML User Attribute Error Site Operations Help	1	1015	October 21, 2019
Third Party Authentication with SAML Provider Error Site Operations Help	1	1749	October 21, 2019
Configuring SAML Authentication: Encryption and Logout Site Operators	4	346	November 9, 2023
User has no social auth with backend_name tpa-saml Site Operations Help how-to , tutor	1	189	June 16, 2024

SSO and SSL: tpa-saml

Related topics