Third Party Authentication with SAML Provider Error

Site Operators Site Operations Help
1

Hi,

I am getting an 500 internal server error on SAML authentication with idp.

SP: Open edx ginkgo version
Idp: SimpleSAMLPHP identity provider.

i had configured an Idp using SimpleSAMLPHP in one of my development server then i had open edx installed in another server. There i configured open edx SAML via django admin.
I am able to get Idp login button at my open edx Login page, once i click on that button it redirects me to my idp server user authentication page, once i successfully enter user’s credentials it Redirects back me to Open edx http://myexampleopenedx.com/auth/complete/tpa-saml/ page, where i am getting 500 internal error.

When i check edx.log file i got following error.

File “/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/backends/saml.py”, line 283, in get_user_id
uid = idp.get_user_permanent_id(response[‘attributes’])
File “/edx/app/edxapp/venvs/edxapp/local/lib/python2.7/site-packages/social_core/backends/saml.py”, line 46, in get_user_permanent_id
self.conf.get(‘attr_user_permanent_id’, OID_USERID)
KeyError: u’urn.oid:0.9.2342.19200300.100.1.1’

may be this is some kind of user attribute error, please help me to fix it.

Configuration done in Django admin > Provider Configuration (SAML IdPs) > add new provider and enter following configuration.

Identity Provider Type: Standard SAML provider
Backend name: tpa-saml
Idp slug: tpa-saml
Entity ID: http://<mysite.com>/simplesaml/saml2/idp/metadata.php
Metadata source: http://<mysite.com>/simplesaml/saml2/idp/metadata.xml

User ID Attribute: urn.oid:0.9.2342.19200300.100.1.1

Full Name Attribute:
Rest attribute i left blank.

Part of SAML Response:
saml:AttributeStatement
<saml:Attribute Name=“uid” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>101</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name=“name” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>mac</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name=“email” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>mac@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name=“username” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>user02</saml:AttributeValue>
</saml:Attribute>

1 Like
2

Hi,

I had able to resolve it. i had done following steps.

SP: Open edx ginkgo version
Idp: SimpleSAMLPHP identity provider.

At idp i modify the SQL query as below in auth source
‘SELECT id as userid,name as givenName,email as mail,username FROM users WHERE email = :username AND password = :password’

changing this query will generate following SAML Response from Idp (part of which is follows)

saml:AttributeStatement
<saml:Attribute Name=“userid” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>joe@example.com</saml:AttributeValue>
</saml:Attribute><saml:Attribute Name=“givenName” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>joe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name=“mail” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>joe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name=“username” NameFormat=“urn:oasis:names:tc:SAML:2.0:attrname-format:basic”>
<saml:AttributeValue xsi:type=“xs:string”>user03</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>

Then in edx Django admin - Add Provider configration (SAML Idp), I then added givenName for Full Name attribute, userid for the user id attribute as follows.

Identity Provider Type: Standard SAML provider
Backend name: tpa-saml
Idp slug: tpa-saml
Entity ID: http://<mysite.com>/simplesaml/saml2/idp/metadata.php
Metadata source: http://<mysite.com>/simplesaml/saml2/idp/metadata.xml
User ID Atrribute: userid
Full Name Atrribute: givenName
Email Atrribute: mail
Identity Provider Type: Standard SAMl provider.

I save above settings and it works for me.
Once successful authentication done from Idp, it redirects user back to registration page with pre-fill data from Idp.