The first step in configuring your Open edX installation to act as a SAML SP (service provider) is to create a credential key pair to ensure secure data transfers with identity providers. To complete the configuration procedure, you configure your Open edX installation as a SAML service provider which creates your metadata XML file.
After you complete this configuration, you can share your metadata file with SAML identity providers, and configure them to assert identity and access rights for users to your installation. For more information, see Integrating with a SAML Identity Provider.
To generate the keys for your Open edX installation, follow these steps.
On your local computer or on the server, open Terminal or a Command Prompt and run the following command.
openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.key
Provide information at each prompt.
Two files, saml.crt
and saml.key
, are created in the directory where
you ran the command.
To configure your Open edX installation as a SAML service provider, follow these steps.
http://{your_URL}/admin
.
Private key: Use a text editor to open the
saml.key
file, and then copy the RSA private key into this field.Public key: Use a text editor to open the
saml.crt
file, and then copy the certificate into this field.Entity ID: Enter a URI for the server. To ensure that this value uniquely identifies your site, the naming convention that edX recommends is to include the server’s domain name. For example,
http://saml.mydomain.com/
.Organization Info: Use the format in the example that follows to specify a language and locale code and identifying information for your installation.
{ "en-US": { "url": "http://www.mydomain.com", "displayname": "{Complete Name}", "name": "{Short Name}" } }Other config str: Define the security settings for the IdP metadata files. For more information about the security settings, see the Python SAML Toolkit. An example follows.
{ "SECURITY_CONFIG": { "signMetadata": false, "metadataCacheDuration": "" } }
{your LMS URL}/auth/saml/metadata.xml
for your metadata file.By default, SAML is included as an approved data format for identity providers.
The default configuration of the /edx/app/edxapp/lms.env.json
file does not
explicitly include the THIRD_PARTY_AUTH_BACKENDS
setting.
If you have customized this file and added the THIRD_PARTY_AUTH_BACKENDS
setting to it, you might need to verify that the
third_party_auth.saml.SAMLAuthBackend
python-social-auth backend class is
specified for it. That backend is required before you can add SAML IdPs.
To verify that the SAML authentication backend is loaded on a devstack or
fullstack installation, review the /edx/app/edxapp/lms.env.json
file.