We want students to log in via SAML 2.0 (Shibboleth) using the accounts they already have at their university.
1. Enabled third-party authentication in lms.env.json
2. Configured the service provider in the Django admin console
3. Configured the identity provider in the Django admin console
1. Click on "Sign in"
2. Click on "Use my institution/campus credentials"
3. Click on the institution in the list
4. The browser redirects to the institution's SSO page
5. Enter the credentials and click on "Login"
6. The browser redirects to the Open edX welcome page, not logged in.
An error occurred when signing you in to Your Platform Name Here.
Having a look at the lms/edx.log file, it seems that the authentication at the identity provider worked fine.
Feb 9 09:45:38 kcs-openedx [service_variant=lms][third_party_auth.saml][env:sandbox] INFO [kcs-openedx 2549] [saml.py:87] - SAML login response for IdP sso-tugraz. XML is:
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_8228eebbf770ce8dc74c43c14b7f9d6b" IssueInstant="2018-02-09T08:45:38.571Z" Version="2.0">
<ds:SignedInfo>
<ds:Reference URI="#_8228eebbf770ce8dc74c43c14b7f9d6b">
<ds:Transforms>
</ds:Transform>
</ds:Transforms>
<ds:DigestValue>nz0zuRG4dLfKfhyMmkS7gGnd9WE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>aIsa/SgzX4klTajW4J1a4lzf3mC1TxFSxWJDKN0K1upwLNOl6zdMqM6LTgJwbJPAhhta+ohCvD4C7NxNi8YdYsq+cB+10jJUAiFEq9cfK0L3NFhbqg4Qc3Pz7x8L05UFmqiOlPeCixZ6UsWLxR7oNYCgAgMvKwbdCbb5X2L2UMOBnTng1T7OtDjbqSqYDDRPAS7gX1//JVaMdJ8lXGFPSj2kU5MPeiYGdC4DT62TDJd1yed6L7D/jNqE38rg81JVBdMcE1CQUUb6eUEsgCqWNzc+dNI1YE5YirW/4a5vENCvX44qAcDH3x4UnIPwi1q63m029AEgX75LKaHvyHDWZQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDHzCCAgegAwIBAgIUG6ra0BvXswfyErcCDmzw3AV+uI0wDQYJKoZIhvcNAQEFBQAwGDEWMBQG...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2018-02-09T08:45:38.571Z" NotOnOrAfter="2018-02-09T08:50:38.571Z">
<saml2:AudienceRestriction>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2018-02-09T08:45:38.494Z" SessionIndex="_aba22f73a6816727097b70a270b6981a" SessionNotOnOrAfter="2018-02-09T18:45:38.571Z">
<saml2:SubjectLocality Address="129.27.219.242" />
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="userid" Name="urn.oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
</saml2:Attribute>
<saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
</saml2:Attribute>
<saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
</saml2:Attribute>
<saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
</saml2:Attribute>
<saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
</saml2:Attribute>
<saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
Feb 9 09:45:38 kcs-openedx [service_variant=lms][social][env:sandbox] ERROR [kcs-openedx 2549] [middleware.py:41] - auth_entry missing or invalid
The error is logged in the parse_query_params method in edxapp\edx-platform\common\djangoapps\third_party_auth\pipeline.py.
Can you explain to me how to add debug statements that are logged to edx.log? I added some in the Python file, but the changes are not reflected in the logs.
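An added example, not code from the original post and not from edx-platform: the checks a service provider has to apply to a SAML 2.0 Response of the shape logged above (Status, signed Assertion, bearer SubjectConfirmation, NotBefore/NotOnOrAfter window, AudienceRestriction, OID-named attributes) before any attribute from it may be trusted, plus the module-level logger pattern (`log = logging.getLogger(__name__)`) that produces the `[third_party_auth.saml]` style records seen in the log. The response it parses is constructed for this example: it copies the element layout of the excerpt above, but every value in it is made up, the SP entityID `https://lms.example.org/saml/sp` is an assumption, and the ds:Signature is a placeholder. It does not verify the XML signature; in production that is the first check and needs an xmlsec-backed library. One detail from the excerpt is reproduced on purpose: the userid attribute there is named `urn.oid:0.9.2342.19200300.100.1.1` (dot after `urn`) while the other attributes use the standard `urn:oid:` form, and the attribute-name check below flags exactly that.

```python
"""Added example (not from the original post or edx-platform): the SP-side checks a
SAML 2.0 Response must pass before its attributes are trusted, standard library only.
SAMPLE_RESPONSE is constructed: same element layout as the log excerpt above, made-up
values, placeholder ds:Signature. Signature verification is deliberately NOT done
here; in production it comes first (xmlsec-backed library such as python3-saml)."""
import logging
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree for untrusted input
from datetime import datetime, timedelta, timezone

# Module-level logger, the pattern edx-platform modules use; records go to whichever
# handlers the process's logging config attaches (edx.log in the LMS).
log = logging.getLogger(__name__)
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Attribute names (standard urn:oid form) this SP maps, as in the excerpt above.
EXPECTED_ATTRS = {"urn:oid:0.9.2342.19200300.100.1.1": "userid",
                  "urn:oid:0.9.2342.19200300.100.1.3": "mail",
                  "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName"}

# Constructed sample; userid deliberately carries the malformed "urn.oid:" name from the log.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" IssueInstant="2018-02-09T08:45:38.571Z">
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2018-02-09T08:45:38.571Z">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></saml2:Subject>
  <saml2:Conditions NotBefore="2018-02-09T08:45:38.571Z" NotOnOrAfter="2018-02-09T08:50:38.571Z">
   <saml2:AudienceRestriction><saml2:Audience>https://lms.example.org/saml/sp</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
   <saml2:Attribute FriendlyName="userid" Name="urn.oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>"""

def parse_instant(value):
    """SAML dateTime (UTC 'Z', optional fractional seconds) -> aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad SAML instant: %r" % (value,))

def check_response(xml_text, expected_audience, now, skew=timedelta(seconds=60)):
    """Return (problems, attributes): an empty problems list means the response
    passed every check implemented here; attributes holds the mapped values."""
    problems, attrs = [], {}
    root = ET.fromstring(xml_text)
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"], attrs
    if assertion.find("ds:Signature", NS) is None:      # presence only, see docstring
        problems.append("assertion is unsigned")
    conf = assertion.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        problems.append("no bearer SubjectConfirmation")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:   # validity window with a small clock-skew allowance, then audience
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_instant(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_instant(noa):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience mismatch: %r" % (audiences,))
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        if not name.startswith("urn:oid:"):   # e.g. "urn.oid:" from a misconfigured IdP
            problems.append("attribute name not in urn:oid form: %r (FriendlyName=%r)"
                            % (name, attr.get("FriendlyName")))
        elif name in EXPECTED_ATTRS:          # unmapped but well-formed names are ignored
            attrs[EXPECTED_ATTRS[name]] = values[0] if len(values) == 1 else values
    log.debug("SAML checks: problems=%s mapped=%s", problems, sorted(attrs))
    return problems, attrs

def demo():
    """The constructed response under four conditions -> {name: (problems, attrs)}."""
    audience = "https://lms.example.org/saml/sp"                # assumed SP entityID
    now = datetime(2018, 2, 9, 8, 46, 0, tzinfo=timezone.utc)  # inside the window
    fixed = SAMPLE_RESPONSE.replace("urn.oid:", "urn:oid:")     # IdP sending the standard name
    return {"as_logged": check_response(SAMPLE_RESPONSE, audience, now),
            "fixed_name": check_response(fixed, audience, now),
            "expired": check_response(fixed, audience, now + timedelta(minutes=6)),
            "wrong_audience": check_response(fixed, "https://other.example.org/sp", now)}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)   # stand-alone run: show the debug records
    for name, (problems, attrs) in demo().items():
        print(name, "->", problems or "OK", attrs)
```

Run stand-alone, the "as_logged" case reports the malformed userid name and maps only mail and eduPersonPrincipalName, the "fixed_name" case passes, and the "expired" and "wrong_audience" cases fail on exactly that one condition. The `log.debug` calls reach a file only if the process's logging configuration has a handler for that logger name at DEBUG level; `basicConfig` here just stands in for that configuration. Two things follow from how Python loads code, independently of the example: a module is imported once per process, so an edited file is only picked up by a worker that has been restarted, and the edit must be in the copy of the file the worker actually imports, not another checkout.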