Open edX, SSO, and the Skip Registration Form login scenarios for Tahoe Sites

This article is specifically for Tahoe account Administrators and anyone charged with managing Single Sign-On for their organization.
If your organization has an Appsembler Tahoe subscription and currently uses Single Sign-On (SSO), you may want to make it easy for your users to log into Open edX using their existing SSO credentials. 
These accounts can belong to the same or different Identity Providers (IdP) including:
  • OneLogin
  • Okta
  • Ping Identity
  • Google GSuite
  • Auth0
  • and others
Note: The following scenarios explain how Open edX works with SSO by default. 

There are many, many options and every instance may be different. This document provides some basic scenarios and workflows for illustrative purposes. If you don’t see your scenario below, please let us know via support@appsembler.com.


The Open edX login process will behave differently, depending on the following:
  1. If the user has an SSO account or not
  2. If the user has an Open edX account or not
  3. If the "Disable login fields and Register button" option is enabled or not in the Tahoe Management Console

Disabling registration

The first step before enabling SSO is to disable the registration form to ensure that all users are registered using your authentication system, not Open edX's. 
First, log into your Tahoe account at https://amc-app.appsembler.com and navigate to General Settings.
Select General Settings, then the Site settings tab, and look at the Registration settings. By default, "Enable the registration form", "Enable registration button in site navigation", and "Enable link to registration form on the login page" are selected (enabled). "Disable login fields and Register button" is not selected (disabled).

For SSO to work properly, you need to disable "Enable registration button in site navigation" and "Enable link to registration form on the login page". You need to select "Disable login fields and Register button". Disabling the login fields and Register button causes the standard login form on '/login' to only display IdPs (identity providers), meaning users cannot log in using their email and password.

Lastly, you want to prevent users from accidentally removing their linked SSO accounts, so it's important to hide that option from them. To do this, select "Hide access to Linked accounts".


Configuring SSO

In the Management Console, select Single Sign-on (SAML) in the left-hand navigation:

Make certain that the Enabled option is selected and follow the on-page directions for completing the Service Provider Configuration.

Remember to save your work!

Then select the Identity Providers Management tab and select Add new:

After clicking Add new, you'll see the following page:

Make certain to click "Enabled". Then follow the very clear on-page directions and explanations for completing the Identity Provider information. Please note that the Name, Identity Provider EntityID, and Metadata source are required fields.

Remember to save your work!


SSO is now enabled on the LMS for all of the following scenarios. Please review them carefully to identify the scenario that aligns with your use case. As always, if you have questions, please email us at support@appsembler.com.

Scenario 1
  • "Disable login fields and Register button" status: Enabled
  • User Open edX account status: Does NOT have an Open edX account
  • User SSO account status: User HAS an SSO account
  • Resulting workflow: A new Open edX account will be automatically created using the IdP data consisting of User Name, Full Name, and email address. The user arrives at the Open edX dashboard.

Scenario 2
  • "Disable login fields and Register button" status: Enabled
  • User Open edX account status: Does NOT have an Open edX account
  • User SSO account status: User HAS an SSO account
  • Resulting workflow: If the IdP only returns the email address for the account, Open edX won’t be able to successfully create an account, as it requires email, user name, and full name. The user will arrive at the Open edX registration page with user name and Full name highlighted in red as required fields.

Scenario 3
  • "Disable login fields and Register button" status: Enabled
  • User Open edX account status: Does NOT have an Open edX account
  • User SSO account status: User DOES NOT HAVE an SSO account
  • Resulting workflow: The user must get an SSO account. Then Scenario One and Two apply.

Scenario 4
  • "Disable login fields and Register button" status: Enabled
  • User Open edX account status: Does NOT have an Open edX account
  • User SSO account status: User HAS an SSO account
  • Resulting workflow: If multiple IdPs are connected to Open edX, user names may be duplicated in both IdPs but for different people. Open edX won’t be able to successfully create an account and will return the registration page with the user name highlighted in red and a message that the user name is already in use. The user will enter a new user name and be able to register.

Scenario 5
  • "Disable login fields and Register button" status: Not Enabled
  • User Open edX account status: Does NOT have an Open edX account
  • User SSO account status: User HAS an SSO account
  • Resulting workflow: If the user is on the Open edX login page, clicks the IdP button, and logs in, they are returned to Open edX and see the following message:

“You've successfully logged into your {idp_name} account, but this account isn't linked with an {tahoe_site_name} account yet. Use your {tahoe_site_name} username and password to log into Open edX or click ”

The user needs to click “Create Account”, and the Open edX registration form will be displayed with some or all of the user information from the IdP pre-filled on the form (depending on the settings on the IdP).

The user can complete or change the Open edX registration information and then click “Create Account”.

The Open edX account will be created and linked to the SSO account.

Scenario 6
  • "Disable login fields and Register button" status: Not Enabled
  • User Open edX account status: HAS an Open edX account, but it is not connected to an IdP
  • User SSO account status: User HAS an SSO account
  • Resulting workflow: If the user is on the Open edX login page, clicks the IdP button, and logs in, they are returned to Open edX and see the following message:

“You've successfully logged into your {idp_name} account, but this account isn't linked with an {idp_name} account yet. Use your {tahoe_site_name} username and password to log into {tahoe_site_name} below, and then link your {platform_name} account with {idp_name} from your dashboard. If you don't have an {tahoe_site_name} account yet, click Register at the top of the page.”

The user will then need to enter their Open edX credentials and log in. After login, the Open edX and SSO accounts will be linked.
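
Scenarios 1, 2 and 4 differ only in what the IdP releases and whether the user name is already taken, so it helps to check a test assertion before going live. The following pre-flight check is an added example, not Appsembler or Open edX code. It assumes the IdP sends the three fields under the LDAP OID names shown; the function names and the sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# ASSUMPTION (not from the article): the IdP releases the three fields under
# these LDAP OID names; replace them with the names your IdP actually sends.
REQUIRED = {
    "username": "urn:oid:0.9.2342.19200300.100.1.1",
    "full_name": "urn:oid:2.5.4.3",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
}

def released_attributes(assertion_xml):
    """Return {attribute name: value} for attributes whose first value is non-empty."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and (value.text or "").strip():
            found[attr.get("Name")] = value.text.strip()
    return found

def predict_workflow(assertion_xml, existing_usernames):
    """Predict what a first-time SSO user sees when login fields are disabled."""
    attrs = released_attributes(assertion_xml)
    missing = [field for field, name in REQUIRED.items() if name not in attrs]
    if missing:  # scenario 2: IdP did not release everything Open edX requires
        return "registration page, missing: " + ", ".join(missing)
    if attrs[REQUIRED["username"]] in existing_usernames:  # scenario 4
        return "registration page, user name already in use"
    return "account auto-created"  # scenario 1

def sample_assertion(**fields):
    """Build a constructed (unsigned, test-only) assertion carrying `fields`."""
    attrs = "".join(
        f'<saml:Attribute Name="{REQUIRED[key]}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for key, value in fields.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f"{attrs}</saml:AttributeStatement></saml:Assertion>")

FULL = sample_assertion(username="jdoe", full_name="Jane Doe", email="jdoe@example.com")
EMAIL_ONLY = sample_assertion(email="jdoe@example.com")

if __name__ == "__main__":
    for xml, taken in ((FULL, set()), (EMAIL_ONLY, set()), (FULL, {"jdoe"})):
        print(predict_workflow(xml, taken))
```

Run it against a decoded assertion captured from a test login with each connected IdP. It inspects attribute release only and does not validate signatures.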