SSO login issue

Hello all,

We have done Open edX SSO with a WordPress site. Here, Open edX is the IdP (identity provider) and WordPress is the SP (service provider). It is done using the miniOrange & eduNEXT WordPress plugins.

On the LMS side we have created an application at https://lms.example.com/admin/oauth2_provider/application/ with the following configurations:

And the value of SESSION_COOKIE_DOMAIN is .example.com in the lms.yml file.

Problem statement:

From the initial finding, we found that the logged-in cookies are set, but in the request we are getting an anonymous user.

Can anyone help with this issue?

Thanks!

Thanks for the very clear writeup of your problem.

We’ve done similar things and I seem to recall encountering similar issues.

Is there some issue with HTTP vs. HTTPS URLs? This is a frequent source of authentication issues, e.g. when you come from WordPress, you’re on the secure site, but when you open a new tab, you’re on the insecure site.

What happens in the following scenario?

  • User opens the LMS login page (https://lms.example.com/login/)
  • User enters their credentials to log into the LMS
  • User visits the WordPress home page (https://wordpress.example.com/)
  • User clicks login
  • Now the user should immediately be logged in to WordPress
  • Now, if the user opens the LMS link in a new tab, they should still be logged in there too

From the initial finding, we found that the logged-in cookies are set, but in the request we are getting an anonymous user.

Hmm, so either the cookie is invalid (it has expired, or a newer cookie has been issued, the session cache was cleared, or the user was logged out), or the cookie isn’t sufficient to authenticate the user. But from some quick tests, it seems like only the sessionid cookie is required for the user to access the LMS dashboard. So likely the cookie is invalid.

Is it possible that WordPress is somehow overwriting the Open edX sessionid cookie when the user returns to WordPress? Since they are running on a common domain, that is one possibility.

There is an easy(ish) way to test if the problem is WordPress or the LMS. When you are entering credentials on the LMS login page, shut down WordPress so it’s not running. Then continue logging in to the LMS. You’ll be redirected to WordPress, but WordPress won’t load. Now return to the LMS. Are you still logged in?

If none of those work, can you compare the cookies that get set when logging in “directly” to the LMS vs. when logging in via Wordpress? Is there any difference?

1 Like
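The cookie comparison suggested in the reply above can be scripted. This is an added example, not code from the thread or from Open edX: it replays the Set-Cookie headers of two login flows into a browser-style jar and reports overwrites and attribute differences. The header values are constructed, and the WordPress host setting a cookie named sessionid is a hypothetical collision used only to show what the check flags.

```python
from http.cookies import SimpleCookie

# Constructed captures: (responding host, Set-Cookie header value), in order.
DIRECT_LOGIN = [
    ("lms.example.com", "sessionid=aaa111; Domain=.example.com; Path=/; Secure; HttpOnly"),
    ("lms.example.com", "csrftoken=tok1; Domain=.example.com; Path=/; Secure"),
]
VIA_WORDPRESS = DIRECT_LOGIN + [
    # Hypothetical collision: the SP host sets the same name on the shared domain.
    ("wordpress.example.com", "sessionid=wp333; Domain=.example.com; Path=/"),
]


def replay(flow):
    """Apply headers the way a browser jar does: key = (name, domain, path)."""
    jar, overwrites = {}, []
    for host, header in flow:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            # Simplification: a missing Path is treated as "/".
            domain = (morsel["domain"] or host).lstrip(".").lower()
            key = (name, domain, morsel["path"] or "/")
            previous = jar.get(key)
            if previous and previous["host"] != host:
                overwrites.append((name, previous["host"], host))
            jar[key] = {"host": host, "secure": bool(morsel["secure"]),
                        "httponly": bool(morsel["httponly"])}
    return jar, overwrites


def compare(direct, via_sp):
    """List differences between the two flows; cookie values are ignored."""
    jar_a, _ = replay(direct)
    jar_b, overwrites = replay(via_sp)
    findings = [f"{n}: set by {old}, then overwritten by {new}"
                for n, old, new in overwrites]
    for key in sorted(set(jar_a) | set(jar_b)):
        a, b = jar_a.get(key), jar_b.get(key)
        if a is None or b is None:
            side = "via-SP" if a is None else "direct"
            findings.append(f"{key[0]}: only set in the {side} flow")
        elif a != b:
            changed = ", ".join(k for k in a if a[k] != b[k])
            findings.append(f"{key[0]}: differs in {changed}")
    return findings


if __name__ == "__main__":
    for line in compare(DIRECT_LOGIN, VIA_WORDPRESS):
        print(line)
```

To use it on a real setup, replace the two lists with the Set-Cookie headers copied from the browser's network panel for each flow, in the order the responses arrived.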

@braden thanks for your detailed answer.

Just set PREVENT_CONCURRENT_LOGINS to False and the login is working now.

This gave me the pointer about concurrent login, because when the LMS link was opened in a new tab the user was not logged in.

Now, we are looking at logout. If the user logs out from the LMS, then he/she should be logged out of the WordPress site too, and vice versa (right now it is not working; I will check and update here if I find anything).

Thanks a lot!

Ah, yes. That same setting has bitten me before, and I was trying to remember it for you, but couldn’t think of what it was. Glad you figured it out!

1 Like