Third Party Authentication using SAML Protocol


Summary

Over the past several months, edX partners and Open edX community members designed and implemented new sign-in capabilities that allow learners to use their campus credentials to access edX courses. Similar to the way that edX currently supports sign-in with Google or Facebook, learners at participating institutions can authenticate to edX using their school's identity provider. Additionally, institutions can choose to share data with edX to provide a more personalized experience: for example, first and last name to auto-populate learners' edX profiles, or unique student identifiers as a basis for later roster or grade synchronization.

The Feature

When learners visit the edX Edge environment, they will be presented with the option to sign in using their institution or campus credentials. Learners will also be able to access this alternative login method when starting from their online campus systems or visiting the site through a special invitation link that course teams can email out.

Screenshot of the edX Edge Login Screen

When learners browse directly to edge.edx.org, first they choose “use my institution/campus credentials.”

Edge login page showing sample list of institutional providers

Then, they are linked to their institution’s sign in page.

Login page that confirms if users wish to sign in using their institutional account

When learners are invited to enroll in a course, they are directed straight to this sign in page. If learners follow a link from a campus system, they may be immediately signed in, be prompted to sign in with credentials from that campus, or be shown the regular sign in page. The behavior depends on how the link was constructed, whether the learner has signed in before, whether or not the learner is signed in to the campus system, and how the integration is configured.

In all cases, however, upon supplying appropriate credentials (depending on the requirements of their particular institution), learners are automatically redirected to the edX resource they requested. When learners first log in, they are asked to fill in some additional account details (for example, name and email address). This information is used to associate the learner's institutional identity with his or her edX identity. The learner does not need to take this action again unless the accounts are unlinked.

The Technology

This feature uses SAML 2.0 (Security Assertion Markup Language, version 2.0), which provides a standardized means of exchanging authentication and authorization data between parties. In a SAML exchange, the identity provider securely asserts the identity and access rights of an end user to a service provider, which then allows the user to access the resources specified. In this case, the identity provider is any of the currently implemented institutional sign-in services and the service provider is edX. Once authentication is complete, the learner gains access to any resource available on edge.edx.org, provided he or she is enrolled in the course associated with that resource.

Because it is built with SAML, the new sign in service is fully compatible with Shibboleth, an open source implementation of the SAML protocol that is widely used by higher education institutions. In a survey of our working group members, we quickly found that everyone had at least some portion of their learner base on Shibboleth and some institutions have all their users in single Shibboleth-based identity stores. In our initial release, we are configuring edX Edge to support Shibboleth logins; in subsequent releases, we plan to expand support to other SAML2-compliant identity providers, based on demand.

This feature builds upon our existing third party authentication implementation, contributed in 2014 by John Cox of Google. It also takes advantage of the ConfigurationModel functionality, implemented by Cale Pennington of edX, which provides a “configuration-via-database” solution for Django.

We also relied heavily upon the work of two other open source projects: Python Social Auth and Python-saml. Both project teams were very responsive, and this collaboration between three open source projects is worthy of note. Braden MacDonald, the principal developer, contributed changes that added support for SAML to Python Social Auth and added the features we needed to Python-saml. The upstream reviewers made an effort to review and incorporate the contributions in a timely way, ensuring an on-time release of the feature in late June. Instead of forking the code and making these changes only for edX, the whole Python community can now benefit from this work.

These projects allowed us to take advantage of the large body of existing work and focus on the unique integration features we needed for the Open edX platform, thus reducing overall development time substantially.

The Process

The third party authentication project arose out of needs identified in the edX Campus Applications Working Group, which convenes to address campus integration challenges. The group was founded with the principle that all members would contribute one of the following to the process:

  1. Thought capital in the form of participation in discussions and review of documents, especially surfacing different use cases to address a wide array of needs.
  2. Application development in the form of contributions to the Open edX code base.
  3. Validation in the form of testing the solutions developed by its members.

To support the working group and any resultant projects (which currently include this authentication project as well as a project to support edX as an LTI tool provider), edX provides ongoing product development support, creating a structure for engagement, guiding architecture decisions, and ultimately evaluating solutions for inclusion in the Open edX platform.

What's Next?

Today, this feature is deployed on edge.edx.org and is in use by one partner, the University of British Columbia. We are working with other partners to test and deploy the solution for their learners. In the future, we hope to extend the capabilities in the following interesting ways:

  • Create a mechanism for partner schools with strong privacy restrictions to pass in their opaque student ID and get back the edX user ID, for analytics and integration purposes.
  • Integrate with Shibboleth federations like InCommon, so that students at virtually any US university can use SSO.
  • Customize the sign-in experience with partner branding.

If anyone in the Open edX community is interested in working on these features, please contact the edX Open Source team.

Thanks!

Special thanks go to our SSO project team:

Xavier Antoviaque, OpenCraft
Braden MacDonald, OpenCraft (lead developer)
Derek White, UBC
Pan Luo, UBC
William Ono, UBC
Brian Talbot, edX
Frances Botsford, edX

Please don’t hesitate to reach out to me for additional information about the project, or inspect the source on GitHub (https://github.com/edx/edx-platform/tree/master/common/djangoapps/third_party_auth).