What's the deal with TPA hinted links in Nutmeg/Olive?

Hi everyone,

The “legacy” learning experience has, for a long time, supported Hinted Sign-In (aka “TPA[1] hints”), which is the ability to simultaneously log a learner into a third-party single sign-on service (an OAuth2 provider or a SAML IdP), and then immediately redirect them to course content.

People would typically use that to allow learners to access a course start page, or the course About page, while simultaneously authenticating against the SSO service, like so:


A link like this would first authenticate the learner against the SAML IdP with the slug blah, and once properly authenticated, the learner would land on the About page for the myrun run of the mycourse course in the foobar organization. (There, they could presumably hit the course enrollment button.)

This behavior doesn’t appear to work as documented at all in Nutmeg, even in the legacy learning experience. The tpa_hint parameter is apparently simply ignored.

What does work, though, again in the legacy learning experience, is hand-crafting the URL that adding the tpa_hint parameter is supposed to create, namely:


That is, the learner hits the /auth/login/tpa-saml/ path, with the following query params:

  • auth_entry, which must be the string login,
  • idp, which must be the SAML IdP slug,
  • next, which must be the URL-encoded path of the page to redirect the user to.

Clearly, though, that approach will only work for

  • deep-linking course content in the legacy learning experience,
  • linking to the About page (which, to the best of my knowledge, is still rendered by the legacy LMS even on systems where the learning MFE is enabled, because it does not appear to have an equivalent in the Learning MFE),
  • linking to any static other URLs exposed by the LMS,

but not for deep-linking anything that lives in MFEs.

So, I have a couple of questions here:

  1. How can I craft TPA hinted deep-links into course content rendered by the Learning MFE?
  2. What is the deal with the About page? Is it going away in Olive? Or does it move into the Learning MFE? Or something else?

Thanks in advance for any insight you might be able to share on the matter. :slight_smile:

  1. “TPA” standing for “third-party authentication”.


Hi again,

just taking the liberty to follow up on this one. :slight_smile: I know that @jill, @Tim_McCormack, and @Zia_Fazal have worked on TPA hinted links before, maybe one of you has run into this issue and would be able to share suggestions?

I don’t have any particular experience with third-party auth in Open edX (although I may have touched nearby code). But I wonder if this is something that was lost with the introduction of the Authn MFE?

Hmm, the code that implements tpa_hint is still in the codebase, as are some tests for it.

Are you using the authn MFE or the classic registration page?

BTW tpa_hint should work from any page on the site that requires login, because the way it works is that anytime you try to access a page without being logged in, you get redirected to /login?next=…

e.g. /whatever/page?tpa_hint=foo should redirect to
/login/?next=%2Fwhatever%2Fpage%3Ftpa_hint%3Dfoo <— the key point is that the tpa_hint should be preserved and found in the next URL, and this does not require any special behavior at all, just making sure that the code to “redirect users who aren’t logged in” preserves whatever query parameters are there.

So: when you say

is the problem that the tpa_hint is not preserved in the ?next= URL that gets passed to the login page? Or is the login page getting a ?next=...tpa_hint%3Dfoo but ignoring it?
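The two URL shapes discussed so far (the hand-crafted /auth/login/tpa-saml/ link from the first post, and the generic “redirect to /login/?next=…, preserving the query string” mechanism described in the reply above) are easy to model and check offline. The following is an added example written for this thread, not code from the Open edX platform; the slug blah and the foobar/mycourse/myrun course key reuse the first post’s placeholder names, and courseware_rewrite_dropping_query is a hypothetical model of a redirect that rebuilds the target URL from the path only, built to reproduce the “hint disappears” symptom, not a copy of any LMS view.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Constructed sample values, reusing the placeholder names from the first post
# (SAML IdP slug "blah"; run "myrun" of course "mycourse" in org "foobar").
IDP_SLUG = "blah"
ABOUT_PATH = "/courses/course-v1:foobar+mycourse+myrun/about"


def single_values(query):
    """parse_qs returns a list per key; collapse each to its first value."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_tpa_saml_login_url(idp_slug, next_path):
    """The hand-crafted form of a hinted link: hit /auth/login/tpa-saml/ with
    auth_entry=login, idp=<slug> and next=<URL-encoded target path>."""
    query = urlencode({"auth_entry": "login", "idp": idp_slug, "next": next_path})
    return f"/auth/login/tpa-saml/?{query}"


def parse_tpa_saml_login_url(url):
    """Inverse of build_tpa_saml_login_url; checks the three required parameters."""
    params = single_values(urlsplit(url).query)
    if params.get("auth_entry") != "login":
        raise ValueError("auth_entry must be the string 'login'")
    for key in ("idp", "next"):
        if not params.get(key):
            raise ValueError(f"missing required query parameter {key!r}")
    return params


def login_redirect_for(requested):
    """Model of the login-required redirect: an anonymous request for
    /whatever/page?tpa_hint=foo becomes /login/?next=%2Fwhatever%2Fpage%3Ftpa_hint%3Dfoo.
    Nothing is done specially for tpa_hint; the whole request URL is carried in next."""
    return "/login/?next=" + quote(requested, safe="")


def effective_hint(url):
    """tpa_hint a URL carries: directly in its query, or inside its next= parameter."""
    params = single_values(urlsplit(url).query)
    if "next" in params:
        return single_values(urlsplit(params["next"]).query).get("tpa_hint")
    return params.get("tpa_hint")


def courseware_rewrite_dropping_query(requested, block_id):
    """Hypothetical model of the failure mode: a redirect that keeps only the path and
    appends activate_block_id, so any tpa_hint in the original query string is lost."""
    path = urlsplit(requested).path
    return path + "?" + urlencode({"activate_block_id": block_id})


def hint_survives(requested, redirect_target):
    """Scriptable check: does the URL the user lands on still carry the hint the original
    request had? Returns (hint_before, hint_after, ok)."""
    before = effective_hint(requested)
    after = effective_hint(redirect_target)
    return before, after, (before is None) or (after == before)


if __name__ == "__main__":
    hinted = ABOUT_PATH + "?tpa_hint=saml-" + IDP_SLUG
    print("hand-crafted:", build_tpa_saml_login_url(IDP_SLUG, ABOUT_PATH))
    good = login_redirect_for(hinted)
    print("login redirect:", good, "->", hint_survives(hinted, good))
    # "block-id-placeholder" is a constructed value, not a real usage key.
    bad = courseware_rewrite_dropping_query(hinted, "block-id-placeholder")
    print("courseware rewrite:", bad, "->", hint_survives(hinted, bad))
```

Run it as a script to see both outcomes side by side: the plain login redirect keeps saml-blah inside next, while the path-only rewrite yields (“saml-blah”, None, False), which is the condition to look for when a hinted link silently lands on a page without authentication.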

In Nutmeg, we’re apparently not supposed to use the authn MFE in production; at least that’s how I read this issue:

Accordingly, Tutor’s MFE plugin does not include it. So, classic registration page it is.

Good point. With all MFEs disabled, I tested a few different links (all checked while not logged in):

  • https://<hostname>/dashboard?tpa_hint=saml-<slug>: works correctly. Redirects me to my SAML IdP, authenticates me, drops me onto my dashboard.
  • https://<hostname>/u/<myusername>?tpa_hint=saml-<slug>: Same, with my learner profile.
  • https://<hostname>/account/settings?tpa_hint=saml-<slug>: Same, with my account settings page.
  • https://<hostname>/courses/course-v1:<course-id>/about?tpa_hint=saml-<slug>: Never attempts to redirect me. I land on the course About page immediately, without authentication.

The latter appears to be true for any link in the courses/ path.

Looks like it’s actually neither of these. Rather, within courses/ specifically, adding a tpa_hint query param seems to not do anything.

Please let me know if that information is helpful. Thank you!

I see. That may be expected behavior then. The tpa_hint only works if the URL in question requires login. If login is not required, it won’t redirect you to any login page, regardless of the tpa_hint setting.

You could try making the course completely private, perhaps?

Can you elaborate on what you mean by “completely private”? The course does set

    "invitation_only": true,
    "ispublic": false,

… in its policy.json. I’m not sure if that’s all that’s needed to make it completely private for TPA hinting purposes, though.

Also, I don’t want to lose sight of these original questions:

Do you happen to have ideas on those, as well?

Sorry, all I mean is that when you go to the URL without being logged in, it needs to redirect you to the login page. If it instead shows you some other message or a preview of the course, the tpa_hint won’t work. So I meant to check if there is some combination of settings or a different form of the URL you can use so that when users click on it without being logged in, they get redirected to login. As long as you have that working, then tpa_hint should also work.

No idea about the about page, sorry.

Hi all, I’ll join in here as I’ve been testing the same :slight_smile:

Interesting, so I tried the following example:

https://<hostname>/courses/course-v1:<course-id>/courseware/<location_id>: this redirects me to the login page.

So, that URL should then work with tpa_hint right?

But, if I try:

https://<hostname>/courses/course-v1:<course-id>/courseware/<location_id>?tpa_hint=saml-<slug>: I am also redirected to the login page, I do not get logged in and redirected but I do see in the URL that the next parameter is added as:

https://<hostname>/login?next=/courses/course-v1%3Acourse-id>/courseware/<location_id>/<location_id>%3Factivate_block_id%3 …

To add to what Maari said, the documentation on TPA hinted links specifically uses a course link in its example for a TPA hinted URL, so it would be surprising if TPA hints somehow weren’t expected to work with course links. :slight_smile:

So, I now enabled the MFEs on the site again and noticed this:

  • https://<lms-hostname>/u/<myusername>?tpa_hint=saml-<slug>: I get logged in and redirected to the Profile MFE page
  • https://<mfe-hostname>/profile/u/<myusername>?tpa_hint=saml-<slug>: I am also logged in and redirected to the Profile MFE page

Same happens with the account page:

  • https://<lms-hostname>/account/settings?tpa_hint=saml-<slug>: I am logged in and redirected to the Account MFE page
  • https://<mfe-hostname>/account?tpa_hint=saml-<slug>: I am also logged in and redirected to the Account MFE page

So that means that the TPA hints work with the mfe-hostname, even without the frontend-app-authn being enabled?

Or has it something to do with the flags we set, the learner_profile.redirect_to_microfrontend and account.redirect_to_microfrontend?

As I mentioned above, https://<lms-hostname>/courses/course-v1:<course-id>/courseware/<location_id>?tpa_hint=saml-<slug> redirects me to the login page (I don’t get logged in nor redirected)

And if I try any URL that points to course content in the Learning MFE:
https://<mfe-hostname>/learning/course/course-v1:<course-id>/ ... while I am logged out (with or without the ?tpa_hint=saml-<slug> addition), I don’t even get redirected to the login page, instead I see “There was an error loading this course.”:

Internal Server Error: /api/courseware/course/course-v1:<course_id>

TypeError at /api/courseware/course/course-v1:<course_id>
Field 'id' expected a number but got <django.contrib.auth.models.AnonymousUser object at 0x7fd3513d6b20>.

Is there a specific way to construct URLs pointing to course content with the Learning MFE that I am not aware of?

Is there a way to tell the LMS to redirect to the Learning MFE similarly to the account and profile pages?

@mrtmm @fghaas Hmm, in that case it looks like whatever code is adding the activate_block_id parameter is also stripping out the tpa_hint - perhaps this line. But what I don’t understand is that that code hasn’t been changed in years from what I see in the git history.

Okay, so maybe tpa_hint URLs have been broken in the courseware for ages and the documentation is stale. But this bit still holds true:

So, do we have a way to make this work with the Learning MFE, in Nutmeg?

Looks like this is a prime candidate to be added to the community testing plan. @Dean, is there still time to add something to the list? @fghaas, would you or @mrtmm be willing to be assigned the testing?

If the unannounced deprecation is confirmed, I’m of the opinion it’s a bug and we should rally around fixing it.

Okay so if I read it correctly, then the community testing plan presently doesn’t seem to include testing TPA against SAML IdPs at all (it only mentions Facebook, Google, and Microsoft SSO which, if I remember correctly, all use OAuth2). So just so I understand what testing would entail, do I understand correctly that we would

  1. set up a SAML IdP (where? Would https://samltest.id/ work, or does tCRIL/2U/someone else have a reference SAML IdP instance set up for this purpose?);
  2. configure the demo instance to authenticate against that SAML IdP as a TPA provider;
  3. test whether regular TPA works correctly for SAML (presumably covering both the registration and the login workflow);
  4. test whether TPA hinted links work with SAML?

If so, then in order to do meaningful testing it would be good to understand how TPA hinted links should work against the learning MFE, and how TPA in general is meant to work with SAML with the authn MFE, which is something that hasn’t become entirely clear in the thread that I cross-referenced. :slight_smile: Can you help shed some light on that?

It just occurred to me that I might be dragging this thread off on a tangent which I don’t think I want to do; should we open a separate topic instead?


Hello @arbrandes and @fghaas.

Yes new Test Cases (TCs) can be added. The normal procedure is:

(1) Add your idea/request to the SUGGESTIONS tab in the Community Testing Plan: Olive - Open edX® Community Test Plan - Google Sheets

Create a comment and assign me if it’s urgent and you want it in right away, so I can bring it up with BTR group in Slack immediately to see if there are any objections.

(2) If approved, it will be added the very next Friday, i.e. we will add new test cases on a weekly cadence (or it can be added sooner, on the same day, if it’s urgent and gets verbal/written support from senior BTR members like you).

Feel free to tell me what you want, I’m just here to coordinate.

Great stuff, thanks!

@fghaas indeed to me this sounds exactly like the flow of the testing for this proposed test case!

You’ve been added to the Test Sheet in case you want to assign yourself to something in the meantime:

Is Cleura your chosen company name to represent yourself in the community?

Yeah hold on a jiffy please, I’m not volunteering yet because I’d quite like to know what testing would actually entail, hence my question above. We’re still quite busy getting all our platforms to Nutmeg, precisely because the combination of Learning MFE and TPA has been a rather bumpy ride considering the authn MFE didn’t make it into Nutmeg. So I need to know how much time we should realistically expect to put into testing Olive, and how much time that’ll take out of our Nutmeg migration budget.


That seems to be the case, yes, for the simple fact nobody suggested it… yet. :slight_smile:

First question I’d raise is if TPA hints work with OAuth2. If they don’t, it might reduce the set of test cases: we could just test TPA with OAuth2, which might make the process easier (since folk are already testing for OAuth2 anyway).

I’m not aware of reference SAML IdPs, but I can’t speak for 2U. I don’t think anybody’d object to samltest.id, though, if with that we can achieve the results we want.

We’d have to take this one up with @regis, who AFAIK is managing the demo server tests are conducted against. He’ll probably just ask for a PR to GitHub - overhangio/openedx-release-demo: Open edX Nutmeg demo platform CD with the workflow changes that would set the integration up.

Otherwise, yes, I figure that is what testing would entail.

I don’t have an answer for either. @jristau1984, I’m told you might be the one to ask about the Learning MFE - any clue on TPA hinted links?