SSO Authentication

Hi, we are migrating our LMS to Open edX and we want to have SSO authentication on Open edX so that if a user signs in or registers on our platform he’ll be authenticated on Open edX as well.

The approach we thought of and came up with:

  1. Use Open edX registration and login APIs to register and log in the user.
  2. Set the cookies from the response of the Open edX login API on our LMS domain (learn.ourcompany.com) in the response we send back to the client.
  3. Redirect the client to the lms domain.

Problems we are facing with this approach:

  1. We have Google OAuth in our existing application, and users who sign up or sign in through OAuth do not have a password attached to them. This requires us to create random passwords and store them in a different table using a two-way hashing algorithm like Fernet, so that when the user needs to log in again we get the password from the table, decrypt it, send it in the login API of Open edX and authenticate the user.

The above method is highly insecure: if a hacker gets access to the key we are using to encrypt and decrypt the passwords, it’s all over.

What we want

  1. A secure way of authenticating and logging in users from our platform to Open edX. The login and registration pages reside in our platform and after logging in or signing up we would redirect them to the LMS and they would be authenticated there also.
  2. We want this SSO between our platform and Open edX to be passwordless and to use a single source of truth for passwords, i.e. our users table.

What is the best way to do this? (or) What is the best way to implement SSO on Open edX generally from a third party platform such as ourselves?

Any help or guidance is appreciated. Thanks.

1 Like

Hi @Sam_Joel, the Open edX platform already supports a variety of auth workflows via a third-party auth plugin.

These docs are a little out of date but should give you the general idea of how to set up 3rd party auth: 4.24. Enabling Third Party Authentication — Installing, Configuring, and Running the Open edX Platform documentation

One thing that you might not expect compared to other 3rd party auth solutions is that the flow for first-time login is a little bit different, but that’s covered in the SSO Behavior docs, so pay particular attention to that to see if it’s what you need.

2 Likes

Hi @feanil, thank you for responding. We were exploring the solutions you proposed for our SSO for the past one and a half days, but the flow that the SSO of Open edX provides is:

  1. User lands on Open edX.
  2. Sees our auth button (sign in with company button), clicks on it, is taken through the entire OAuth flow, and is authenticated.
  3. So in this case our company’s server is the AuthProvider and Open edX uses it.

(Please correct me if I am wrong about this flow.)

P.S.: There was also an option called Secondary Providers where Open edX would display our login/signup forms on its login/signup pages, but that’s not what we are looking for either.

What we are looking for

  1. User signs in on our login/signup pages.
  2. Our application automatically logs him in to the Open edX instance as well.

We are open to using plugins for this auth process as well.

Any help or guidance is appreciated. Thanks.

Hope this helps!!

2 Likes

@Sam_Joel it seems like what you would want is to control the auth flow with your auth provider and then have the LMS accept the session token that your auth provider generates as a valid session token for the user.

It seems like a SAML login flow might be the thing you’re looking for?

Current docs on setting up SAML.

I think the missing piece then would be something that says that if the user is not logged in, to take them to your identity provider login page rather than the standard LMS login page. I’m not sure this feature exists right now but if others are aware, feel free to chime in.

1 Like
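The hand-off described in the reply above (the LMS accepting a token that the auth provider generated, as a SAML flow does), as an added example that is not code from the thread or from Open edX. It is a simplified stand-in that shows the properties that replace stored passwords: a signed, short-lived, audience-bound, single-use assertion. The function names, claim layout, demo key and lifetimes are assumptions, and HMAC stands in for SAML's XML signature.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key. HMAC keeps this stdlib-only; SAML itself uses the
# identity provider's private key, and the LMS holds only the public certificate.
DEMO_KEY = b"constructed-demo-key"
LMS_AUDIENCE = "learn.ourcompany.com"  # LMS domain named in the thread
MAX_AGE = 60   # assumed validity window, seconds
SKEW = 5       # assumed tolerated clock skew, seconds
seen_ids = set()  # replay cache; use a shared store with expiry in production

def sign(body):
    mac = hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_assertion(username, audience=LMS_AUDIENCE, now=None):
    """Auth-provider side: called after the user logs in on the company site."""
    now = int(time.time() if now is None else now)
    claims = {"sub": username, "aud": audience, "iat": now,
              "exp": now + MAX_AGE, "jti": secrets.token_urlsafe(16)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + sign(body)

def verify_assertion(token, now=None):
    """LMS side: return the username, or raise ValueError. No password involved."""
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    # Check the signature before parsing anything the client could have altered.
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != LMS_AUDIENCE:
        raise ValueError("wrong audience")
    if not claims["iat"] - SKEW <= now < claims["exp"]:
        raise ValueError("expired or not yet valid")
    if claims["jti"] in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(claims["jti"])
    return claims["sub"]

if __name__ == "__main__":
    token = issue_assertion("sam")
    print(verify_assertion(token))       # first use is accepted
    try:
        verify_assertion(token)
    except ValueError as err:
        print("second use:", err)
```

Nothing in this exchange is a reusable credential: a captured assertion is useless after one use or after the validity window, and with asymmetric signing the LMS side holds no secret at all.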

Thanks @feanil, will look into this flow. For redirecting back to our login pages, we are configuring it in the Caddy server, so whenever a user tries to access the login page of Open edX, Caddy will redirect to our auth pages.