Hi John, this is really great! I'm thinking about (actually working on) authenticating my users with a PowerSchool system as an Identity Provider via the SAML2 standard. Are the Google and LinkedIn providers using SAML2?
Yes, I'm working on it right now. My work is based on the pysaml2 (https://github.com/rohe/pysaml2) and https://bitbucket.org/lgs/djangosaml2.
John, this is great stuff. I have a clarifying question. Like Stanford, Berkeley (and others) use Shibboleth for SSO. I understand Stanford had gotten Shibboleth auth working with edX, since they used it to restrict access to some internal-only courses to Stanford folks. Is Stanford's Shibboleth implementation a provider that talks to your module? Or is it a separate effort?
Either way, assuming we can make it so that Shibboleth becomes one of the supported auth providers using your module, and assuming many universities rely on Shibboleth (as I believe is the case), and assuming we could get edX to deploy both your module and the Shib provider as part of the edx.org and edge.edx.org hosted deployments: ...how could we allow multiple institutions to take advantage of this without each institution's secrets and server names having to be added to the deployed edx code base?

(That is: institutions X, Y, Z all use auth providers that are rolled into edx.org, but each institution has its own server names and secrets for the auth providers; how can we decouple the process of "adding another university" to the provider dictionary from having to make source changes that affect the deployed code?)

This might be a conversation to have with edX, but having working 3rd party auth in the core production deployment would be huge.
I set up a wiki page for configuring the other external authentication methods (CAS and SSL client certificates) at https://github.com/edx/configuration/wiki/Setting-Up-External-Authentication. We use Shibboleth through CAS so I don't have it documented there, but it would be nice to have it.
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://domain.edu
An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.
This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again.
Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.
Error Message: No peer endpoint available to which to send SAML response

Our Apache stanza looks like this:

    <VirtualHost *:8080>
    ServerName https://class.stanford.edu
    ServerAlias *.class.stanford.edu
    UseCanonicalName On

which seems to match what you have as well. So I don't think that needs to change.
Because you said that https://domain.edu:5253/secure/test.php is working for you, I suspect that your IdP thinks that the SP is at https://domain.edu:5253 rather than https://domain.edu, probably because of previously submitted Metadata when you were first setting things up. If your apache conf explicitly set ServerName like in the stanza above, Shib will default to reporting that it's on the apache port that's listening (so 5253 in your case) and generate Metadata that way--and I suspect this version is what your IdP has. It would make sense that it raises Error Message: No peer endpoint available to which to send SAML response , because now your SP asks the IdP to return the auth assertions on port 443, which isn't what the IdP "agreed to" during setup.
The way to fix this is to resubmit your Metadata. You can check your Metadata at https://domain.edu/Shibboleth.sso/Metadata with your current settings, and you want to make sure that it's https and has no explicit port specification. Then you want to submit this Metadata to your IdP through whatever process they have.
Note this setup just means that all shib requests are proxied from nginx to apache instead of reaching apache directly, which I think is fine and doesn't limit what you want to do with Shib.
Finally, I want to set the user's browser URL to be https://domain.edu rather than https://domain.edu:5253 when authentication succeeds (which is why ServerName has no port), because the browser will then be asked to set a logged-in session cookie. The server domain is used to scope this cookie, and I think it's good hygiene to have the server port at this point be what the rest of the edX application is on as well (which is implicit 443). (It seems that cookie scopes may not actually include the port, so using 5253 might work, but I like keeping hygiene.)
Jason
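The port mismatch Jason describes above is easy to catch before the metadata ever reaches the IdP: every endpoint `Location` in the SP's generated metadata should be https, carry no explicit port, and sit on the public host. The following Python script is an added example (not code from this thread or from the Shibboleth project) that parses a SAML2 SP metadata document and reports endpoints that break those rules. The metadata document embedded in it is constructed for the example, showing an SP that generated its endpoints on the Apache listener port 5253; the `expected_host` parameter and `check_sp_metadata` name are this example's own.

```python
"""Sanity-check a Shibboleth SP's generated metadata before submitting it to an IdP.

Added example, not part of the original thread. Every SP endpoint must be https,
must not carry an explicit port, and must be on the public host; otherwise the IdP
registers the wrong endpoint and later refuses to return assertions
("No peer endpoint available to which to send SAML response").
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata: Apache is listening on 5253 behind nginx and has
# generated two endpoints on the listener port / plain http instead of the public
# https host. Only the SingleLogoutService entry is correct.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://domain.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://domain.edu:5253/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://domain.edu/Shibboleth.sso/SAML2/Artifact" index="2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://domain.edu/Shibboleth.sso/SLO/Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Endpoint element types whose Location attribute the IdP will call back to.
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService", "ArtifactResolutionService")


def check_sp_metadata(xml_text, expected_host=None):
    """Return a list of (element, location, problem) tuples; an empty list means OK.

    expected_host (assumed parameter for this example): the hostname the public
    URLs should use; defaults to the host part of the entityID.
    """
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    host = expected_host or urlsplit(entity_id).hostname
    problems = []
    for tag in ENDPOINT_TAGS:
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            loc = el.get("Location", "")
            parts = urlsplit(loc)
            if parts.scheme != "https":
                problems.append((tag, loc, "scheme is not https"))
            # urlsplit reports a port only when it is written explicitly, so
            # even ":443" is flagged: the IdP must see the implicit-port form.
            if parts.port is not None:
                problems.append((tag, loc, f"explicit port {parts.port} in Location"))
            if host and parts.hostname != host:
                problems.append((tag, loc, f"host {parts.hostname!r} != expected {host!r}"))
    return problems


if __name__ == "__main__":
    # Against a live SP you would feed in the body of https://<host>/Shibboleth.sso/Metadata.
    for tag, loc, problem in check_sp_metadata(SAMPLE_METADATA):
        print(f"{tag}: {loc}: {problem}")
```

Run it against the text of your SP's /Shibboleth.sso/Metadata page; anything it prints is an endpoint the IdP would register with the wrong scheme, port or host, and resubmitting metadata before fixing those just re-registers the mismatch.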
...Definitely agreed on the value of third_party_auth on edx.org
Jason
...I wasn't sure if I needed to install the Service Provider (SP) https://shibboleth.net/products/service-provider.html or work with FastCGI (https://wiki.shibboleth.net/confluence/display/SHIB2/Integrating+Nginx+and+a+Shibboleth+SP+with+FastCGI)

...I've put up some preliminary docs here: https://github.com/edx/configuration/wiki/Setting-Up-Extern...
Yes, please: pull request!
That's a good way for the community to code review / comment at this point also.
With google you have to enter the redirect page on the developer console. Did you do that?
https://github.com/edx/edx-platform/blob/master/common/djangoapps/third_party_auth/pipeline.py
http://johnmcox.blogspot.de/2014/05/understanding-edx-third-party.html?m=1
Did you change the first file to change all the oauth entry points?
I don't know enough about Django or OAuth, but I would say your answer probably lies somewhere in a hard-coded variable in the third_party_auth folder.
Install steps:

    sudo apt-get update -y
    sudo apt-get upgrade -y
    sudo reboot
    sudo su -
    OPENEDX_RELEASE=aspen.1 wget https://raw.githubusercontent.com/edx/configuration/master/util/install/vagrant.sh -O - | bash

Server vars:

    # Settings for enabling and configuring third party authorization
    EDXAPP_ENABLE_THIRD_PARTY_AUTH: true
    EDXAPP_THIRD_PARTY_AUTH: {
      "Google": {
        "SOCIAL_AUTH_GOOGLE_OAUTH2_KEY": "15435345345-1usdffdv57hn979n3js90v7n1b.apps.googleusercontent.com",
        "SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET": "SDF34L7Ulinksndf-q5"
      }
    }

Then:

    sudo /edx/bin/update edx-platform release
On Wednesday, May 7, 2014 5:34:35 PM UTC-7, Trinh Nguyen wrote:

> Hi John, this is really great! I'm thinking about (actually working on) authenticating my users with a PowerSchool system as an Identity Provider via the SAML2 standard. Are the Google and LinkedIn providers using SAML2?

Google and LinkedIn are both Oauth 2.0. The underlying library we use, python-social-auth, supports a host of OpenID, Oauth 1.0/2.0, and BrowserID providers out of the box, and there are extension points for other protocols.

We'd love for people to add additional protocols to the third_party_auth module -- please reach out to me if you're interested in writing a SAML extension.
--
You received this message because you are subscribed to the Google Groups "General Open edX discussion" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/edx-code/0b872414-4263-4ba4-a0ec-270ef3f27c47%40googlegroups.com.
Hi all. Google and edX are pleased to announce the addition of a third-party authentication module to Open edX.

With this module, you can let your users sign in to your Open edX deployment with their accounts on external services. This is both more convenient and more secure for end users than creating a new password on your Open edX deployment. The module is deactivated by default, and using it is entirely optional.

It comes with full implementations for Google and LinkedIn, and was designed from the ground up to be extensible and testable. If you are interested in adding new external authentication providers (for example, if you want to use your University's SSO system), please reach out to us.

If you want to use the module, we've written a getting started guide that covers turning the feature on and configuring it.

Enjoy,
John (for the edX Identity Working Group)