About possibility of Open edX + SimpleSAMLphp


roger...@veriguide.org

Nov 24, 2014, 3:21:57 AM
to edx-...@googlegroups.com
Hi all,

My organization uses SimpleSAMLphp as an Identity Provider for various web applications.

Recently, I needed to add a Single Sign On feature to an Open edX fullstack project. I have read a lot of articles on the web and found that there is no direct method to do it; or rather, some people claimed some approaches but the instructions are unclear, rather complicated or come with no guarantee.

Both SAML and edX/Django are new to me, thus writing a new SAML plug-in for Open edX is almost impossible for me. I would like to ask whether some developers have encountered a similar problem and could share their insight.

Thanks,
Roger

By the way,
- Does Shibboleth actually work with Open edX? And can I use my own SimpleSAMLphp as IdP in that case?
https://github.com/edx/configuration/wiki/Setting-Up-External-Authentication#shibboleth
- I added Google SSO/OAuth to my Open edX deployment; it is easy and works well. If I built my own OAuth Authorization Server, would it work similarly?

Ali Hasan

Nov 24, 2014, 3:41:04 AM
to edx-...@googlegroups.com
+1

roger...@veriguide.org

Dec 3, 2014, 9:40:02 PM
to edx-...@googlegroups.com
I am now halfway there, making the Shibboleth plugin work as originally designed. If you are interested, you may note my summary below:

About the Shibboleth plugin:
- Created by Stanford for their *specific* use (I feel that it is really made for their own needs; I don't know why it is shipped with the Open edX release...)
- *Not* a general plugin for SSO that applies to all courses; it only serves particular courses (e.g. Stanford internal courses) that have "External Login Domain" configured in edx-studio
- Open edx runs on Ruby & Django; whereas shib2 (an apache module) runs on apache

In case you want to try, the following notes may help:
- You need to install Apache + Shibboleth SP on the same machine as Open edX
- For the Shibboleth IdP, simply use http://www.testshib.org/
- You also need to install wsgi (an apache module) because Apache needs to run part of Open edX's python code
- You need a proxy mechanism, e.g.
http://openedx.abc.com/shib-login -> apache (requires wsgi)
note: I used Apache for the proxy and ran Ruby on another port (e.g. 8080)

To achieve the original goal, we still need to customize it in the following way:
1. let the Shibboleth SP authenticate with the SimpleSAMLphp IdP
2. make it authenticate for all courses instead of a particular course

Nedyalko Dyakov

Mar 18, 2015, 11:01:47 AM
to edx-...@googlegroups.com
Hello Roger,

Any updates on using SAML as SSO for Open edX?
Were you able to use your SAML provider with Shibboleth (as Identity Provider)?
If so, can you provide a more detailed how-to on the topic? Also, how did you go about the user registration in edX?
We have a custom SAML provider that we want to integrate with Open edX.

Thanks in advance,
Ned


roger...@veriguide.org

Mar 18, 2015, 10:10:59 PM
to edx-...@googlegroups.com
Yes. Shibboleth2 uses the SAML 2.0 standard and can authenticate with SimpleSAMLphp as a SAML 2.0 IdP.

- Set up apache2/shib2 to run on another port, e.g. 8443 with SSL.
It is not related to edX at all. You should make it able to log in to your SAML IdP; also check session and logout at
https://your.domain.com:8443/Shibboleth.sso/Session
https://your.domain.com:8443/Shibboleth.sso/Logout
For troubleshooting:
$ shibd -t
/var/log/shibboleth/*
- Transform the attributes returned by the IdP to what edX needs; the most critical one is REMOTE_USER.
In /etc/shibboleth/attribute-map.xml:
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="idp_user_unique_id" id="user_unique_id" />
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="idp_mail" id="mail" />
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="idp_displayName" id="displayName" />
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="idp_givenName" id="givenName" />
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="idp_sn" id="sn" />
In /etc/shibboleth/shibboleth2.xml:
<ApplicationDefaults entityID="https://your.domain.com/" REMOTE_USER="user_unique_id">
You should check your result at
https://your.domain.com/Shibboleth.sso/Session ; you need to update <Handler type="Session" Location="/Session" showAttributeValues="true"/> in /etc/shibboleth/shibboleth2.xml to see the attribute values.
- Set up edX/nginx to proxy_pass /Shibboleth.sso and /shib-login to 127.0.0.1:8443; at the same time, you need to get rid of :8443 in the SP metadata because nginx (default https port) becomes the front end,
and set up apache to handle the request.
Update /edx/app/edxapp/edx-platform/lms/envs/common.py to enable it.
Go to edx studio and update 'External Login Domain'.
Thereafter, it's about edX code changes for whatever purpose.

It is hard; checking logs and finding troubleshooting tools are necessary throughout the process.

Cheers,
Roger
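Roger's post above hinges on REMOTE_USER being resolved from an attribute id that attribute-map.xml actually defines; if it is not, the SP hands edX an empty REMOTE_USER and /shib-login fails without an obvious error. The check below is an added example, not code from the thread or from the Shibboleth project: it parses constructed copies of the two files (modelled on the snippets above) and reports any REMOTE_USER id that has no mapping.

```python
"""Cross-check REMOTE_USER in shibboleth2.xml against attribute-map.xml.

The Shibboleth SP treats REMOTE_USER as a space-separated list of attribute
ids tried in order; each id must come from an <Attribute id="..."> mapping.
"""
import xml.etree.ElementTree as ET

# Constructed sample files modelled on the thread's snippets (not real configs).
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
             name="idp_user_unique_id" id="user_unique_id"/>
  <Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
             name="idp_mail" id="mail"/>
</Attributes>"""

SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://your.domain.com/"
                       REMOTE_USER="user_unique_id eppn"/>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace so SP 2.x and 3.x documents both match."""
    return tag.rsplit("}", 1)[-1]


def mapped_attribute_ids(attribute_map_xml):
    """Set of attribute ids that attribute-map.xml defines."""
    root = ET.fromstring(attribute_map_xml)
    return {el.get("id") for el in root.iter()
            if _local(el.tag) == "Attribute" and el.get("id")}


def remote_user_ids(shibboleth2_xml):
    """REMOTE_USER candidate ids from <ApplicationDefaults>, in preference order."""
    root = ET.fromstring(shibboleth2_xml)
    for el in root.iter():
        if _local(el.tag) == "ApplicationDefaults":
            return el.get("REMOTE_USER", "").split()
    return []


def unmapped_remote_user_ids(shibboleth2_xml, attribute_map_xml):
    """Ids named in REMOTE_USER that no <Attribute id=...> mapping provides."""
    mapped = mapped_attribute_ids(attribute_map_xml)
    return [i for i in remote_user_ids(shibboleth2_xml) if i not in mapped]


if __name__ == "__main__":
    print("unmapped REMOTE_USER ids:",
          unmapped_remote_user_ids(SHIBBOLETH2_XML, ATTRIBUTE_MAP_XML))
```

Run it against the real /etc/shibboleth files by reading them into the two string variables; an empty list means every REMOTE_USER candidate can be populated by the IdP's attributes.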

Nedyalko Dyakov

Mar 23, 2015, 12:35:32 PM
to edx-...@googlegroups.com
Thank you Roger!
We succeeded in installing Shibboleth2 with Apache2 (or at least we think so).
We were able to initialize a session with testshib.org.

Can you provide a sample configuration for the nginx proxy? We are unable to link edX with Shibboleth.
The configuration in shibboleth2.xml is correct, but localhost:(edxport)/shib-login doesn't redirect to the shib-login in Apache for the moment.

Thanks once more,
Nedyalko 

Claudy Focan

Mar 23, 2015, 3:40:46 PM
to edx-...@googlegroups.com
On my edX I implemented https://pypi.python.org/pypi/djangosaml2
I will publish soon if edX wants

roger...@veriguide.org

Mar 23, 2015, 9:57:33 PM
to edx-...@googlegroups.com

# vi /edx/app/nginx/sites-available/lms

upstream apache-lms-backend {
  server 127.0.0.1:8443 fail_timeout=0;
}

server {
  location @proxy_to_apache_lms {
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
    proxy_set_header X-Forwarded-For $http_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass https://apache-lms-backend;
  }

  # pass /Shibboleth.sso on to apache
  location /Shibboleth.sso {
    try_files $uri @proxy_to_apache_lms;
  }

  # pass shib-login on to apache
  location ~ ^/shib-login/?$ {
    try_files $uri @proxy_to_apache_lms;
  }
}


You will also need wsgi:
# apt-get install libapache2-mod-wsgi

And in apache2:

# vi /etc/apache2/sites-available/default

# Shibboleth
WSGIPythonHome /edx/app/edxapp/venvs/edxapp
WSGIRestrictEmbedded On

<VirtualHost *:8443>
  ServerName https://edx.example.com

  SSLEngine On
  SSLCertificateFile ???.crt
  SSLCertificateKeyFile ???.key
  SSLCertificateChainFile ???.crt

  SetEnv SERVICE_VARIANT lms
  WSGIScriptAlias / /edx/app/edxapp/edx-platform/lms/wsgi_apache_lms.py

  <Directory /edx/app/edxapp/edx-platform/lms>
    <Files wsgi_apache_lms.py>
      Order deny,allow
      Allow from all
    </Files>
  </Directory>

  # Shibboleth SP handler endpoints (/Shibboleth.sso/Session, /Shibboleth.sso/Logout, ...)
  # Note: Order/Allow/Satisfy are Apache 2.2 access control, "Require all granted" is 2.4 syntax
  <Location /Shibboleth.sso>
    SetHandler shib
    Satisfy Any
    Allow from all
    AuthType None
    Require all granted
  </Location>

  # only this path forces a Shibboleth session; REMOTE_USER is populated here
  <Location /shib-login>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
  </Location>

  WSGIDaemonProcess lms user=www-data group=adm processes=1 python-path=/edx/app/edxapp/edx-platform:/edx/app/edxapp/venvs/edxapp/lib/python2.7/site-packages display-name=%{GROUP}
  WSGIProcessGroup lms
  WSGIApplicationGroup %{GLOBAL}

  ErrorLog /var/log/apache2/apache-edx-error.log
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" apache-edx
  CustomLog /var/log/apache2/apache-edx-access.log apache-edx
</VirtualHost>


Hope it helps.

Nedyalko Dyakov

Mar 24, 2015, 5:09:57 AM
to edx-...@googlegroups.com
Thank you, Roger! We will try this today.



> On my edx i implement https://pypi.python.org/pypi/djangosaml2
> i will publish soon if edx want

Claudy, I think the Open edX license would require you to publish those changes. I would be interested to see what the outcome was. We were thinking about using djangosaml2, but we decided to give Shibboleth a shot first. If you publish the code, please provide a link to the repo here, thank you!

Thanks to all of you, this is helping a lot!