4.23.2. SSO Behavior
The following behavior applies to all three types of provider (OAuth, SAML, and LTI).
4.23.2.1. New Learner Registration
- When a user signs in by using single sign on (SSO) for the first time, their
account is not normally created automatically. Instead, the user information
sent by the provider is used to pre-fill the registration form. The user can
then edit any of the information before finalizing the creation of their
account. The user could also cancel the registration process at this point,
and no account would be created for them.
- The user information that is passed from the external authentication provider
to Open edX varies depending on the provider. For example, Google, Facebook,
a university’s SAML provider, and a corporate SAML provider may all provide
different user information. Some providers may pass the user’s full name,
first name, last name, username, email address, external user ID, and more.
Other providers may pass only an opaque “user token” that can be used to
permanently and consistently identify that user, but which is not considered
personal information and does not correspond to any other public identifier.
- After a user submits the registration form, their user account is created and
is automatically “linked” to the external provider. For more information, see
Linking Accounts.
- When a user creates an account by using SSO, the password field on the
registration form is hidden. User accounts created by using SSO will have a
random and highly secure password assigned to their account. The user will
not know (or need to know) this password. However, the user can always use
the “reset password” feature to change their password, if they would also
like to be able to use a traditional password-based sign in method.
Important
No matter which type of sign in method is used, a full and independent Open
edX user account is always created for the new user, with a copy of the
user’s information. As a result, if the external provider updates the user’s
information (such as name or email address), that information will not be
automatically updated in the user’s Open edX account. In other words, the use
of the external account as a reference that provides user details is a one-
time event, not an ongoing connection.
4.23.2.2. Linking Accounts
To be able to sign in by using an external provider such as Google, the
user’s Open edX account must be “linked” to that provider. For example, if a
user’s account is linked to Google, the user can click the Login with
Google button, and will be automatically signed in to their Open edX
account.
User accounts can be linked to zero, one, or many external providers.
Any provider can be linked or unlinked from an account at any time.
If an external provider is used to register a new account, the newly created
account will automatically be linked to that provider.
If a user tries to sign in by using an external provider that is not yet
linked to any Open edX account, the user will be given the following options.
- Sign in to an existing account (using a password), which will then link
the new provider to that existing account.
- Create a new account.