Third Party Authentication with SAML Provider


Lucas Rittié

Mar 12, 2019, 7:01:02 AM3/12/19
to General Open edX discussion
Hello everyone,

I'm trying to follow the docs to integrate edX with Okta as a SAML service provider (edx.readthedocs).

I'm working with the latest edX release, Hawthorn, in the devstack environment.

The site is configured with HTTPS (Let's Encrypt SSL) using a Traefik container.

The issue is that when I try to connect via Okta with my third-party auth, I get an HTTP 403 error, as below, when redirected to edX.

Forbidden (403)

CSRF verification failed. Request aborted.

You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.

Help

Reason given for failure:

    Referer checking failed - no Referer.


I've looked for similar issues but couldn't quite understand how people solve this. My question is: how do I work around this issue? I'm not sure if I have to modify the edX default forms with CSRF tags, and which one to modify so the form includes the right parameters in the POST, or if there is another way to solve this.


Thanks in advance for your help,
Lucas

Lucas Rittié

Mar 26, 2019, 9:19:41 AM3/26/19
to General Open edX discussion
Hello again,

After further investigation it looks like the issue is with the SAML endpoint. When I click on the IdP login button, I'm correctly redirected to the IdP login portal. I enter my login and the identity provider logs show that the user is logged in, but when I get redirected to edX I get the 403 error.

It looks like I'm not redirecting to the right edX URL once logged in. Right now the IdP is configured to redirect to the LMS dashboard.

My question is this: to what URL should the IdP redirect the user? I tried the LMS base and LMS/dashboard.

I can't really find this information on edx.readthedocs, unfortunately.

Has someone encountered the same issue? Or can someone share what URL they redirect the IdP requests to?

Thanks in advance for your help

Best Regards,
Lucas

Lucas Rittié

Mar 27, 2019, 11:52:49 AM3/27/19
to General Open edX discussion
Part 3 of the investigation.

We have now configured the IdP (Okta) properly, with the right entityId & Location URL found in the edX metadata.xml (at {LMS_ROOT}/auth/saml/metadata.xml).

The 403 error is now gone since we redirect the POST request to the right and expected URL.

Yet when we try to log in we get a new error: "Authentication failed: SAML login failed: ['invalid_response'] (There is no AttributeStatement on the Response)".

There is already a post (https://groups.google.com/forum/#!topic/openedx-ops/d-rmACND180) for this with a solution that unfortunately did not work.

Again, if anyone has faced this error message it would be great to have some help. I guess I need to edit the attributes to make them correspond with the IdP format?

In parallel we opened an issue on the IdP provider side.

Thanks in advance for your help.
Stay tuned for more ! 
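The fix in the post above is to take the entityID and the AssertionConsumerService Location from the SP's own metadata.xml and configure exactly those on the IdP, rather than an arbitrary LMS page such as /dashboard. The following Python script is an added example, not code from the thread or from Open edX: it parses an SP metadata document in that shape, pulls out the values the IdP side needs, and checks whether the URL configured on the IdP as the post-login destination really is the SP's HTTP-POST ACS endpoint. The metadata document is constructed for the example and its hostname and paths are placeholders.

```python
"""Read a SAML SP metadata document and check the IdP's configured
destination against it. Added example; the metadata below is constructed
and its URLs are placeholders, not a real Open edX export."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the general shape of an SP metadata.xml.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://lms.example.com/saml/metadata.xml">
  <md:SPSSODescriptor
      AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lms.example.com/auth/complete/tpa-saml/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return what the IdP administrator has to copy over: the SP entityID,
    the ACS endpoints keyed by binding, the accepted NameID formats and
    whether the SP insists on signed assertions."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("metadata describes no SP role (no SPSSODescriptor)")
    acs = {}
    for svc in sp.findall("md:AssertionConsumerService", MD_NS):
        acs[svc.get("Binding")] = svc.get("Location")
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", MD_NS)],
    }


def _normalise(url):
    """Compare scheme, host and path only; scheme and host case-insensitively,
    path case-sensitively, ignoring a trailing slash."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


def check_idp_destination(metadata, configured_url):
    """True if the URL configured on the IdP as the SP destination is the
    SP's HTTP-POST ACS Location. Any other LMS page (e.g. /dashboard) is a
    view that does not expect a SAML Response to be POSTed to it."""
    acs = metadata["acs"].get(HTTP_POST)
    if acs is None:
        return False
    return _normalise(acs) == _normalise(configured_url)


if __name__ == "__main__":
    md = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", md["entity_id"])
    for binding, location in md["acs"].items():
        print("ACS", binding.rsplit(":", 1)[-1], "->", location)
    for candidate in ("https://lms.example.com/dashboard",
                      "https://lms.example.com/auth/complete/tpa-saml"):
        print(candidate, "ok" if check_idp_destination(md, candidate) else "WRONG")
```

Run it against the real metadata.xml served by the LMS instead of the constructed sample and feed in the destination URL as it appears in the IdP's application settings; a mismatch reproduces the situation in the second post, where the IdP posted to the dashboard instead of the ACS endpoint.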

Lucas Rittié

Apr 10, 2019, 8:48:18 AM4/10/19
to General Open edX discussion
End of investigation !

Finally we managed to make the third-party auth feature work.

All it took was to read the SAML sent by the identity provider, check the user id tag and add it in the SAML IdPs configuration in Django admin,

so edX can parse and read the values from the SAML response.


Thanks !
Lucas

Ernesto Sanchez

Apr 10, 2019, 1:49:51 PM4/10/19
to General Open edX discussion
Hi Lucas, can you share with us how you did the config?

Lucas Rittié

Apr 11, 2019, 3:02:51 PM4/11/19
to General Open edX discussion
Sure, sorry for the delay.

Basically I spoke with the identity provider support people. In the SAML sent by Okta (the identity provider), there were no SAML attributes, and I think edX expects to find the user id inside the attributes, but Okta was sending it inside another tag.

So we changed the identity provider configuration, so now it's sending the user id, mail and name in the SAML attributes.

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:Attribute........

Then in the edX Django admin SAML configuration I added, in the Attributes fields (email, user id, name), the corresponding "Attribute Name" value from the SAML.

SAML sample

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="givenName"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">Lucas</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="userid"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">lri...@dalet.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

So in edX I then added givenName for the First Name attribute, userid for the user id attribute, etc.

Don't hesitate to ask me if I'm not very clear ^^

Best,
Lucas
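The last two posts describe the actual failure mode: the SP looks for the user's identity in the Assertion's AttributeStatement, while the IdP had put it only in the Subject NameID, so the SP rejected the Response with "There is no AttributeStatement on the Response"; once the IdP emitted attributes, the SP's attribute mapping (givenName, userid, ...) had to name exactly those Attribute Names. The Python below is an added example, not code from the thread or from Open edX's SAML backend: it parses a SAML Response, reports the missing-AttributeStatement case the same way, and maps Attribute Names onto profile fields, failing clearly when a mapped name is absent. Both Responses are constructed; the attribute names userid and givenName follow the post, mail is an assumption, and the profile field names are illustrative rather than edX's. It does no signature verification, which a real SP must do before trusting any of these values.

```python
"""Locate the user identity in a SAML Response: AttributeStatement first,
NameID shown for contrast. Added example, not Open edX code. Parsing only;
a real SP verifies the Response/Assertion signature before trusting this."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Profile field -> SAML Attribute Name, in the spirit of the admin
# 'Attributes' fields from the post. Field names are illustrative.
ATTRIBUTE_MAP = {
    "user_id": "userid",      # from the post
    "email": "mail",          # assumed name
    "first_name": "givenName",  # from the post
}

# Constructed Responses (no signatures). The first is what the IdP sent
# before the fix: identity only in Subject/NameID, no AttributeStatement.
_HEAD = ('<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" ID="_r1" '
         'Version="2.0" IssueInstant="2019-04-10T12:00:00Z">'
         '<saml2:Issuer>https://idp.example.com</saml2:Issuer>'
         '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-10T12:00:00Z">'
         '<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
         'lucas@example.com</saml2:NameID></saml2:Subject>') % (NS["saml2p"], NS["saml2"])
_TAIL = "</saml2:Assertion></saml2p:Response>"


def _attr(name, value):
    return ('<saml2:Attribute Name="%s" '
            'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
            '<saml2:AttributeValue>%s</saml2:AttributeValue></saml2:Attribute>') % (name, value)


RESPONSE_NAMEID_ONLY = _HEAD + _TAIL
RESPONSE_WITH_ATTRIBUTES = (
    _HEAD + "<saml2:AttributeStatement>"
    + _attr("givenName", "Lucas") + _attr("userid", "lucas@example.com")
    + _attr("mail", "lucas@example.com") + "</saml2:AttributeStatement>" + _TAIL)


class SamlResponseError(ValueError):
    """Raised with a reason string in the style of the thread's error."""


def _assertion(response_xml):
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise SamlResponseError("invalid_response: no Assertion on the Response")
    return assertion


def name_id(response_xml):
    """Subject NameID: the 'other tag' where the IdP had put the identity."""
    node = _assertion(response_xml).find("saml2:Subject/saml2:NameID", NS)
    return None if node is None else (node.text or "").strip()


def extract_attributes(response_xml):
    """Attribute Name -> list of values from the AttributeStatement.
    A Response without one is rejected with the message seen in the post."""
    stmt = _assertion(response_xml).find("saml2:AttributeStatement", NS)
    if stmt is None:
        raise SamlResponseError(
            "invalid_response: There is no AttributeStatement on the Response")
    attributes = {}
    for attr in stmt.findall("saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return attributes


def map_profile(attributes, mapping=ATTRIBUTE_MAP):
    """Apply the SP-side mapping; every mapped Attribute Name must be present
    and non-empty, otherwise the login is refused rather than half-filled."""
    profile, missing = {}, []
    for field, saml_name in mapping.items():
        values = attributes.get(saml_name, [])
        if not values or not values[0]:
            missing.append(saml_name)
        else:
            profile[field] = values[0]
    if missing:
        raise SamlResponseError("attribute(s) not in Response: %s" % ", ".join(missing))
    return profile


def profile_from_response(response_xml, mapping=ATTRIBUTE_MAP):
    """(profile, None) on success, (None, reason) on any SAML-level failure."""
    try:
        return map_profile(extract_attributes(response_xml), mapping), None
    except SamlResponseError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print("NameID before the fix:", name_id(RESPONSE_NAMEID_ONLY))
    print("before:", profile_from_response(RESPONSE_NAMEID_ONLY))
    print("after: ", profile_from_response(RESPONSE_WITH_ATTRIBUTES))
    print("wrong mapping:", profile_from_response(RESPONSE_WITH_ATTRIBUTES, {"user_id": "uid"}))
```

The third call shows the other half of the post's fix: even with an AttributeStatement present, a mapping that names an attribute the IdP does not send (here the assumed "uid" instead of "userid") still fails, which is why the Attribute Names typed into the admin fields have to be copied from the Response the IdP actually emits.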