TPA-hinted links with the Learning MFE

Hi all!

I’d like to follow up on an older topic here: What's the deal with TPA hinted links in Nutmeg/Olive?

Some time has passed now and we no longer need to consider whether we are using legacy auth or courseware pages; it is only MFEs now.

So, talking about the TPA-hinted links (I am currently testing with Quince), they are working fine with the dashboard:

https://<hostname>/learner-dashboard/?tpa_hint=saml-<slug> (interestingly, it’s necessary to have the / before the ?, otherwise I get a blank page)

However, the links are not working with the learning pages:

https://<hostname>/learning/course/course-v1:<course_id>/home?tpa_hint=saml-<slug>

https://<hostname>/learning/course/course-v1:<course_id>/<location_id>?tpa_hint=saml-<slug>

In both cases I land on the course home page, with a warning message “To see course content, sign in or register.”

The documentation still has an example (although with legacy URLs) for this functionality, so I assume it was meant to work at some point. Is the functionality deprecated and the documentation simply outdated? Was it never meant to work in the Learning MFE, or will this be added in the future? Would a patch to fix/add this be welcome upstream? (I am not sure I could volunteer myself as I am not good with React, but I am generally curious.)

Thanks!


Hey there,

We’ve made the same observation and are missing this feature quite heavily. I’ve found that you can do something like this as a workaround:

https://apps.learn.you-url.com.com/authn/login?tpa_hint=oa2-provider&next=https%3A%2F%2Fapps.learn.your-url.com%2Flearning%2Fcourse%2Fcourse-v1%slug%2Bslug%2Bv1%2Fhome

This works when the user is not logged in. Then the user gets transparently redirected to the SSO provider and gets redirected back to the course. If the user is already logged in though, this approach redirects the user to the /learner-dashboard/ URL for whatever reason. In practice, this isn’t very useful either :frowning:

I had a look into some MFE code bases (account, learning, learner dashboard) and can’t find any hint about the tpa_hint parameter. So… I guess the question is whether that’s something that’s just missing right now or something that’s deprecated?

//Edit: Just after writing this, I discovered that this works as a workaround:

https://learn.your-url.com/login?tpa_hint=oa2-keycloak&next=https%3A%2F%2Fyour-url.com%2Flearning%2Fcourse%2Fcourse-v1%slug%2Bslug%2Bv1%2Fhome

Or in other words:

<lms_url>/login?tpa_hint=oa2-<provider>&next=<url encoded course URL>

Hi @Wasabi

Thanks for the info, much appreciated! I tried the links you suggested but I still land on the dashboard every time :confused:
But in any case, as you said, this is not a real solution as it works only when the user is not logged in, meaning that we cannot create reliable links anyway.

My thoughts exactly, so I reported an issue for the documentation: Outdated documentation for "Hinted Sign In" · Issue #2245 · openedx/edx-documentation · GitHub
Perhaps this will help us get some insight.

Hi @mrtmm ,

For me, the last setup (in the edit) works reliably. Be aware it’s not an MFE link, it’s the original LMS URL.

So basically we’re redirecting the user to the legacy LMS login URL, with a TPA hint + a redirect URL (which in turn can easily be an MFE). That works fine in our setup, no matter if the user is logged in or not.
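The workaround described in this reply and in the earlier edit (`<lms_url>/login?tpa_hint=oa2-<provider>&next=<url encoded course URL>`) boils down to building one URL correctly: the hint in the form the backend expects, and the course URL percent-encoded so that its `/`, `:` and `+` characters survive as the `next` parameter. The following is an added example, not code from this thread or from the Open edX project; the hostnames and the course key are constructed placeholders. Because `next` is a redirect target, the builder only accepts https targets on an allowlist of your own LMS/MFE hosts, so a link generated this way can never send a learner anywhere but back to your own pages. The hint prefixes accepted (`saml-`, `oa2-`) are the two this thread shows.

```python
"""Build and check Open edX "hinted sign-in" links of the form
<lms_url>/login?tpa_hint=<backend>-<slug>&next=<url-encoded target>.

Added example for this thread; not code from the thread or from Open edX.
Hostnames and the course key below are constructed placeholders.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values (assumptions, not taken from the thread).
LMS_URL = "https://lms.example.org"
ALLOWED_NEXT_HOSTS = {"lms.example.org", "apps.lms.example.org"}

# Backend prefixes that appear in the thread (saml-<slug>, oa2-<provider>).
KNOWN_BACKENDS = {"saml", "oa2"}


class HintedLinkError(ValueError):
    """Raised when a hint or a redirect target does not pass the checks."""


def build_hinted_login_url(lms_url, tpa_hint, next_url,
                           allowed_hosts=ALLOWED_NEXT_HOSTS):
    """Return <lms_url>/login?tpa_hint=...&next=... with a safe, encoded target.

    - tpa_hint must look like '<backend>-<slug>' with a known backend prefix.
    - next_url must be https and on one of our own hosts, so the generated
      link cannot be turned into a redirect to a third-party site.
    """
    backend, sep, slug = tpa_hint.partition("-")
    if not sep or not slug or backend not in KNOWN_BACKENDS:
        raise HintedLinkError(f"unexpected tpa_hint format: {tpa_hint!r}")

    target = urlsplit(next_url)
    if target.scheme != "https" or target.hostname not in allowed_hosts:
        raise HintedLinkError(
            f"refusing next target outside allowed hosts: {next_url!r}")

    # quote_via=quote with urlencode's default safe='' encodes '/' as %2F,
    # ':' as %3A and '+' as %2B, which is the shape the thread's URLs use.
    query = urlencode({"tpa_hint": tpa_hint, "next": next_url}, quote_via=quote)
    return f"{lms_url.rstrip('/')}/login?{query}"


def parse_hinted_login_url(url):
    """Split a hinted login link back into (tpa_hint, next_url).

    Useful for checking links that are already published: parse_qs decodes
    the percent-encoding, so the result should equal the original inputs.
    """
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    hint = params.get("tpa_hint", [None])[0]
    nxt = params.get("next", [None])[0]
    return hint, nxt


if __name__ == "__main__":
    # Constructed course URL in the Learning MFE (placeholder course key).
    course_home = ("https://apps.lms.example.org/learning/course/"
                   "course-v1:Org+Course+Run/home")
    link = build_hinted_login_url(LMS_URL, "saml-myidp", course_home)
    print(link)
    print(parse_hinted_login_url(link))
    try:
        build_hinted_login_url(LMS_URL, "saml-myidp",
                               "https://not-ours.example.com/learning/")
    except HintedLinkError as exc:
        print("rejected:", exc)
```

The `build_hinted_login_url` / `parse_hinted_login_url` pair lets you generate the links for a course catalogue and then verify, from the generated URL alone, that the hint and the decoded `next` target are exactly what you intended before publishing them.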

Interesting, I wonder if there are some differences between SAML and OAuth2 then. From your examples I see that you are using OAuth while we are using SAML. I get logged in with any of these examples but only land on the dashboard.

This is a bit scary in general as well, how long can we count on a workaround that relies on any legacy URLs? I wonder if this still works for you in Redwood; I’ve tested with SAML in Palm and Quince and it’s not working.

That’s certainly possible. We’ve migrated from SAML to OAuth2, but I have not tested this setup before the migration. There is one setting that we needed to adjust (it’s a Tutor plugin in our case):

from tutor import hooks

# Patch the LMS FEATURES dict so the platform knows which TPA backend to hint.
hooks.Filters.ENV_PATCHES.add_item(
    ("lms-env-features", "THIRD_PARTY_AUTH_HINT: \"oa2-keycloak\"")
)

Maybe this configuration is missing for you? In your case, obviously, saml-xyz.

Honestly, this is what I am scared about as well. We’re running Quince right now, and we’ll need to thoroughly test this in Redwood before updating. This functionality is quite important for us. Still hoping for some feedback on the GitHub issue you raised.

That is missing indeed, I’ll give that a try, thanks!
However, do you also happen to know how this would work if we need to have more than one SAML IdP configured for one site?