Sure sorry for the delay.

Basically I spoke with the Identity Provider support people. In the SAML 
sent by Okta (the identity provider), there were no SAML attributes and I 
think edx is expected to find the user id inside the attributes, but Okta 
was sending them inside another tag.

So we changed the Identity Provider configuration, so now it's sending the 
user id, mail and name in the SAML attributes.

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:Attribute........

Then in the edx Django admin SAML configuration I added in the Attributes 
fields (email, user id, name) the corresponding "Attribute Name" tag value 
from the SAML.

SAML sample

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="givenName"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">Lucas</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="userid"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">lrit...@dalet.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

So in edx I then added givenName for the First Name attribute, userid for 
the user id attribute, etc.

Don't hesitate to ask me, I feel I'm not very clear ^^

Best,
Lucas
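As an added example (my own code, not from Open edX or from anyone in this thread), this reproduces the attribute lookup edx performs on that AttributeStatement and shows the failure mode from earlier in the thread, an assertion with no AttributeStatement at all, being reported as 'invalid_response'. The edx admin field names in EDX_ATTRIBUTE_MAP are assumed, and both SAML samples are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SAML attribute name configured for each edx admin field (assumed field
# names; the mapping mirrors the thread: givenName -> first name, userid -> id).
EDX_ATTRIBUTE_MAP = {
    "attr_first_name": "givenName",
    "attr_email": "userid",
    "attr_user_permanent_id": "userid",
}

def extract_attributes(response_xml):
    """Collect Name -> [values] from the first AttributeStatement, or report
    the error edx raises when the IdP sends none."""
    root = ET.fromstring(response_xml)
    statement = root.find(".//saml2:AttributeStatement", NS)
    if statement is None:
        return {"ok": False, "error": "invalid_response: There is no AttributeStatement on the Response"}
    attrs = {}
    for attr in statement.findall("saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {"ok": True, "attributes": attrs}

def map_to_edx_fields(attrs, mapping=EDX_ATTRIBUTE_MAP):
    """Resolve each configured edx field to the first value of its SAML
    attribute; list the configured names the IdP did not send."""
    resolved, missing = {}, []
    for field, saml_name in mapping.items():
        values = attrs.get(saml_name)
        if values:
            resolved[field] = values[0]
        else:
            missing.append(saml_name)
    return {"fields": resolved, "missing": missing}

# Constructed sample modelled on the assertion quoted above (values made up).
SAMPLE_WITH_ATTRIBUTES = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="givenName"><saml2:AttributeValue>Lucas</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="userid"><saml2:AttributeValue>lucas@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample of what the IdP sent before the fix: no AttributeStatement.
SAMPLE_WITHOUT_ATTRIBUTES = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>lucas@example.com</saml2:NameID></saml2:Subject>
</saml2:Assertion>"""
```

Running map_to_edx_fields over the first sample fills all three edx fields; the second sample is rejected before any mapping happens, which is exactly the error message the thread reports.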
On Wednesday, April 10, 2019 19:49:51 UTC+2, Ernesto Sanchez wrote:
>
> Hi Lucas, can you share with us how you did the config?
>
>
> On Wednesday, April 10, 2019, 7:48:18 (UTC-5), Lucas Rittié wrote:
>>
>> End of investigation!
>>
>> Finally we managed to make the third party auth feature work.
>>
>> All it took was to read the SAML sent by the Identity Provider, check the 
>> user id tag and add it in the SAML (IdPs) configuration in Django 
>> admin.
>>
>> So edx can parse and read the values from the SAML response.
>>
>>
>> Thanks!
>> Lucas
>>
>> On Wednesday, March 27, 2019 16:52:49 UTC+1, Lucas Rittié wrote:
>>>
>>> Part 3 of the investigation.
>>>
>>> We have now configured the IdP provider Okta properly with the right 
>>> entityId & location URL found in the edx metadata.xml (in 
>>> {LMS_ROOT}/auth/saml/metadata.xml).
>>>
>>> The 403 error is now gone since we redirect the POST request to the 
>>> right & expected URL.
>>>
>>> Yet when we try to log in we get a new error: "Authentication failed: 
>>> SAML login failed: ['invalid_response'] (There is no AttributeStatement on 
>>> the Response)".
>>>
>>> There is already a post (
>>> https://groups.google.com/forum/#!topic/openedx-ops/d-rmACND180) for 
>>> this with a solution that unfortunately did not work.
>>>
>>> Again, if anyone has faced this error message it would be great to have 
>>> some help. I guess I need to edit the attributes to make them correspond 
>>> with the IdP format?
>>>
>>> In parallel we opened an issue on the IdP provider side.
>>>
>>> Thanks in advance for your help.
>>> Stay tuned for more!
>>> On Tuesday, March 26, 2019 14:19:41 UTC+1, Lucas Rittié wrote:
>>>>
>>>> Hello again,
>>>>
>>>> After further investigation it looks like the issue is with the SAML 
>>>> endpoint. When I click on the IdP login button, I'm correctly redirected 
>>>> to the IdP login portal. I enter my login and the identity provider logs 
>>>> show that the user is logged in, but when I get redirected to edx I get 
>>>> the 403 error.
>>>>
>>>> It looks like I'm not redirecting to the right edx URL once logged in. 
>>>> Right now the IdP is configured to redirect to the LMS dashboard.
>>>>
>>>> My question is this: to what end URL should the IdP redirect the 
>>>> user? I tried the LMS BASE and LMS/dashboard.
>>>>
>>>> I can't really find this information in edx.readthedocs unfortunately.
>>>>
>>>> Has someone encountered the same issue? Or can someone share what URL 
>>>> they redirect the IdP requests to, maybe?
>>>>
>>>> Thanks in advance for your help.
>>>>
>>>> Best Regards,
>>>> Lucas
>>>>
>>>> On Tuesday, March 12, 2019 12:01:02 UTC+1, Lucas Rittié wrote:
>>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I'm trying to follow the docs to integrate edx with Okta as a SAML 
>>>>> service provider (edx.readthedocs 
>>>>> <https://edx.readthedocs.io/projects/edx-installing-configuring-and-running/en/latest/configuration/tpa/tpa_integrate_open/tpa_SAML_IdP.html>
>>>>> ).
>>>>>
>>>>> I'm working with edx latest release Hawthorn in the devstack 
>>>>> environment.
>>>>>
>>>>> The site is configured with HTTPS & SSL Let's encrypt using a traefik 
>>>>> container.
>>>>>
>>>>> The issue is when I try to connect via Okta with my third party auth, I 
>>>>> get an HTTP 403 error as below when redirected to edx.
>>>>>
>>>>> Forbidden (403) 
>>>>>
>>>>> CSRF verification failed. Request aborted.
>>>>>
>>>>> You are seeing this message because this HTTPS site requires a 
>>>>> 'Referer header' to be sent by your Web browser, but none was sent. This 
>>>>> header is required for security reasons, to ensure that your browser is 
>>>>> not 
>>>>> being hijacked by third parties.
>>>>>
>>>>> If you have configured your browser to disable 'Referer' headers, 
>>>>> please re-enable them, at least for this site, or for HTTPS connections, 
>>>>> or 
>>>>> for 'same-origin' requests.
>>>>> Help 
>>>>>
>>>>> Reason given for failure:
>>>>>
>>>>>     Referer checking failed - no Referer.
>>>>>
>>>>> I've looked for similar issues but couldn't quite understand how people 
>>>>> solve this issue. My question is how to work around this issue? I'm not 
>>>>> sure if I have to modify the edx default forms with CSRF tags, and which 
>>>>> one to modify so the form includes the right parameters in the POST, or 
>>>>> else is there another way to solve this.
>>>>>
>>>>>
>>>>> Thanks in advance for your help,
>>>>> Lucas
>>>>>
>>>>
