openedx
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎common/djangoapps/third_party_auth/docs/how_tos/testing_saml_locally.rst‎
Lines changed: 334 additions & 0 deletions b/‎common/djangoapps/third_party_auth/docs/how_tos/testing_saml_locally.rst‎
Lines changed: 334 additions & 0 deletions
diff --git a/‎common/djangoapps/third_party_auth/migrations/0014_samlproviderconfig_optional_email_checkboxes.py‎
Lines changed: 26 additions & 0 deletions b/‎common/djangoapps/third_party_auth/migrations/0014_samlproviderconfig_optional_email_checkboxes.py‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎common/djangoapps/third_party_auth/models.py‎
Lines changed: 8 additions & 0 deletions b/‎common/djangoapps/third_party_auth/models.py‎
Lines changed: 8 additions & 0 deletions
@@ -13,6 +13,7 @@ lms/envs/private.py
 cms/envs/private.py
 .venv/
 CLAUDE.md
+.claude/
 AGENTS.md
 # end-noclean
 
 
@@ -0,0 +1,334 @@
+Testing SAML Authentication Locally with MockSAML
+==================================================
+
+This guide walks through setting up and testing SAML authentication in a local Open edX devstack environment using MockSAML.com as a test Identity Provider (IdP).
+
+Overview
+--------
+
+SAML (Security Assertion Markup Language) authentication in Open edX requires three configuration objects to work together:
+
+1. **SAMLConfiguration**: Configures the Service Provider (SP) metadata - entity ID, keys, and organization info
+2. **SAMLProviderConfig**: Configures a specific Identity Provider (IdP) connection with metadata URL and attribute mappings
+3. **SAMLProviderData**: Stores the IdP's metadata (SSO URL, public key) fetched from the IdP's metadata endpoint
+
+**Critical Requirement**: The SAMLConfiguration object MUST have the slug "default" because this value is hardcoded in the authentication execution path at ``common/djangoapps/third_party_auth/models.py:906``.
+
+Prerequisites
+-------------
+
+* Local Open edX devstack running
+* Access to Django admin at http://localhost:18000/admin/
+* MockSAML.com account (free service for SAML testing)
+
+Step 1: Configure SAMLConfiguration
+------------------------------------
+
+The SAMLConfiguration defines your Open edX instance as a SAML Service Provider (SP).
+
+1. Navigate to Django Admin → Third Party Auth → SAML Configurations
+2. Click "Add SAML Configuration"
+3. Configure with these **required** values:
+
+   ============  ===================================================
+   Field         Value
+   ============  ===================================================
+   Site          localhost:18000
+   **Slug**      **default** (MUST be "default" - hardcoded in code)
+   Entity ID     https://saml.example.com/entityid
+   Enabled       ✓ (checked)
+   ============  ===================================================
+
+4. Generate a key pair for signing/encryption (optional for testing):
+
+   .. code-block:: bash
+
+      openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.key
+
+   Then paste the contents of ``saml.key`` into "Private Key" and ``saml.crt`` into "Public Key" (the headers/footers will be stripped automatically).
+
+   **Note**: For local testing with MockSAML, you can leave the keys blank.
+
+5. Configure Organization Info (use default or customize):
+
+   .. code-block:: json
+
+      {
+        "en-US": {
+          "url": "http://localhost:18000",
+          "displayname": "Local Open edX",
+          "name": "localhost"
+        }
+      }
+
+6. Click "Save"
+
+Step 2: Configure SAMLProviderConfig
+-------------------------------------
+
+The SAMLProviderConfig connects to a specific SAML Identity Provider (MockSAML in this case).
+
+1. Navigate to Django Admin → Third Party Auth → Provider Configuration (SAML IdPs)
+2. Click "Add Provider Configuration (SAML IdP)"
+3. Configure with these values:
+
+   =========================  ===================================================
+   Field                      Value
+   =========================  ===================================================
+   Name                       Test Localhost (or any descriptive name)
+   Slug                       default (to match test URLs)
+   Backend Name               tpa-saml
+   Entity ID                  https://saml.example.com/entityid
+   Metadata Source            https://mocksaml.com/api/saml/metadata
+   Site                       localhost:18000
+   SAML Configuration         Select the SAMLConfiguration created in Step 1
+   Enabled                    ✓ (checked)
+   Visible                    ☐ (unchecked for testing)
+   Skip hinted login dialog   ✓ (checked - recommended)
+   Skip registration form     ✓ (checked - recommended)
+   Skip email verification    ✓ (checked - recommended)
+   Send to registration first ✓ (checked - recommended)
+   =========================  ===================================================
+
+4. Leave all attribute mappings (User ID, Email, Full Name, etc.) blank to use defaults
+5. Click "Save"
+
+**Important**: The Entity ID in SAMLProviderConfig MUST match the Entity ID in SAMLConfiguration.
+
+Step 3: Fetch IdP Metadata
+---------------------------
+
+The SAMLProviderData stores metadata from the Identity Provider (MockSAML).
+
+Run the SAML pull command to fetch IdP metadata:
+
+.. code-block:: bash
+
+   docker exec edx.devstack.lms bash -c "python manage.py lms saml pull"
+
+This command will:
+
+* Fetch metadata from https://mocksaml.com/api/saml/metadata
+* Extract the SSO URL and public key certificate
+* Create a SAMLProviderData record with:
+
+  - **Entity ID**: https://saml.example.com/entityid
+  - **SSO URL**: https://mocksaml.com/api/saml/sso
+  - **Public Key**: The IdP's signing certificate
+  - **Expires At**: Set to 1 year from fetch time
+
+Verify the data was fetched successfully:
+
+.. code-block:: bash
+
+   docker exec edx.devstack.lms bash -c "python manage.py lms shell -c \\\"
+   from common.djangoapps.third_party_auth.models import SAMLProviderData
+   data = SAMLProviderData.objects.filter(entity_id='https://saml.example.com/entityid').first()
+   print(f'SSO URL: {data.sso_url}')
+   print(f'Is Valid: {data.is_valid()}')
+   \\\""
+
+Expected output:
+
+.. code-block:: text
+
+   SSO URL: https://mocksaml.com/api/saml/sso
+   Is Valid: True
+
+Step 4: Configure MockSAML.com
+-------------------------------
+
+1. Go to https://mocksaml.com/
+2. Log in or create a free account
+3. Configure the SP (Service Provider) settings:
+
+   ===================  ===================================================
+   Field                Value
+   ===================  ===================================================
+   SP Entity ID         https://saml.example.com/entityid
+   ACS URL              http://localhost:18000/auth/complete/tpa-saml/
+   Single Logout URL    http://localhost:18000/auth/complete/tpa-saml/
+   ===================  ===================================================
+
+4. Configure test user attributes in MockSAML:
+
+   * **Email**: Use any valid email format (e.g., [email protected])
+   * **First Name**: Test
+   * **Last Name**: User
+   * **UID**: testuser123 (unique identifier)
+
+Step 5: Test SAML Authentication
+---------------------------------
+
+Method 1: Direct Login URL
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Navigate to the SAML login URL with the IdP hint:
+
+.. code-block:: text
+
+   http://localhost:18000/login?tpa_hint=saml-default
+
+This will redirect to MockSAML for authentication.
+
+Method 2: TPA Test Page
+^^^^^^^^^^^^^^^^^^^^^^^
+
+1. Navigate to: http://localhost:18000/auth/login/tpa-saml/?auth_entry=login&idp=default
+2. You should be redirected to MockSAML.com
+3. Complete the authentication on MockSAML
+4. You should be redirected back to Open edX
+5. If this is a new user, you'll see the registration form
+6. After registration, you should be logged in
+
+Expected Behavior
+^^^^^^^^^^^^^^^^^
+
+1. Initial redirect to MockSAML (https://mocksaml.com/api/saml/sso)
+2. MockSAML displays the login page
+3. After authentication, MockSAML POSTs the SAML assertion back to Open edX
+4. Open edX validates the assertion and creates/logs in the user
+5. User is redirected to the dashboard or registration form (if new user)
+
+Troubleshooting
+---------------
+
+Common Issues
+^^^^^^^^^^^^^
+
+**SAMLConfiguration slug is not "default"**
+   The slug MUST be "default" for the code to find it. See line 906 in ``models.py``:
+
+   .. code-block:: python
+
+      conf['saml_sp_configuration'] = (
+          self.saml_configuration or
+          SAMLConfiguration.current(self.site.id, 'default')  # Hardcoded!
+      )
+
+**Entity IDs don't match**
+   Ensure all three configurations use the same Entity ID:
+
+   * SAMLConfiguration.entity_id
+   * SAMLProviderConfig.entity_id
+   * SAMLProviderData.entity_id
+   * MockSAML SP Entity ID
+
+**SAMLProviderData not found**
+   Run the pull command again:
+
+   .. code-block:: bash
+
+      docker exec edx.devstack.lms bash -c "python manage.py lms saml pull"
+
+**ACS URL mismatch**
+   Verify the Assertion Consumer Service (ACS) URL in MockSAML matches:
+
+   .. code-block:: text
+
+      http://localhost:18000/auth/complete/tpa-saml/
+
+**Debug Mode**
+   Enable debug mode in SAMLProviderConfig to see all SAML XML requests/responses in logs:
+
+   1. Edit your SAMLProviderConfig in Django admin
+   2. Check "Debug Mode"
+   3. Save and test again
+   4. Check logs: ``docker logs edx.devstack.lms``
+
+   **Warning**: Disable debug mode before production use!
+
+Verifying Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Check that all three objects are configured correctly:
+
+.. code-block:: bash
+
+   docker exec edx.devstack.lms bash -c "python manage.py lms shell -c \\\"
+   from common.djangoapps.third_party_auth.models import SAMLProviderConfig, SAMLConfiguration, SAMLProviderData
+
+   # Check SAMLConfiguration
+   config = SAMLConfiguration.objects.filter(site__domain='localhost:18000', slug='default').first()
+   print(f'SAMLConfiguration: {config}')
+   print(f'  Entity ID: {config.entity_id if config else None}')
+   print(f'  Enabled: {config.enabled if config else None}')
+   print()
+
+   # Check SAMLProviderConfig
+   provider = SAMLProviderConfig.objects.filter(slug='default', site__domain='localhost:18000').first()
+   print(f'SAMLProviderConfig: {provider}')
+   print(f'  Entity ID: {provider.entity_id if provider else None}')
+   print(f'  Metadata: {provider.metadata_source if provider else None}')
+   print(f'  Enabled: {provider.enabled if provider else None}')
+   print()
+
+   # Check SAMLProviderData
+   data = SAMLProviderData.objects.filter(entity_id='https://saml.example.com/entityid').first()
+   print(f'SAMLProviderData: {data.id if data else None}')
+   print(f'  SSO URL: {data.sso_url if data else None}')
+   print(f'  Valid: {data.is_valid() if data else None}')
+   \\\""
+
+Expected output should show all three objects with matching entity IDs and enabled status.
+
+Testing with Different Entity IDs
+----------------------------------
+
+If you need to test with a different entity ID (not ``https://saml.example.com/entityid``):
+
+1. Update **all three** configurations to use the same new entity ID:
+
+   * SAMLConfiguration → Entity ID
+   * SAMLProviderConfig → Entity ID
+   * Re-run ``manage.py lms saml pull`` to fetch new SAMLProviderData
+
+2. Update MockSAML SP Entity ID to match
+
+3. Ensure all URLs and slugs remain consistent
+
+Related Documentation
+---------------------
+
+* SAML Architecture: ``docs/decisions/`` (search for SAML-related ADRs)
+* Model Definitions: ``common/djangoapps/third_party_auth/models.py``
+* SAML Backend: ``common/djangoapps/third_party_auth/saml.py``
+* Management Command: ``common/djangoapps/third_party_auth/management/commands/saml.py``
+
+Reference Configuration
+-----------------------
+
+Here's a summary of a working test configuration:
+
+**SAMLConfiguration** (id=6):
+
+* Site: localhost:18000
+* Slug: **default**
+* Entity ID: https://saml.example.com/entityid
+* Enabled: True
+
+**SAMLProviderConfig** (id=11):
+
+* Name: Test Localhost
+* Slug: default
+* Entity ID: https://saml.example.com/entityid
+* Metadata Source: https://mocksaml.com/api/saml/metadata
+* Backend Name: tpa-saml
+* Site: localhost:18000
+* SAML Configuration: → SAMLConfiguration (id=6)
+* Enabled: True
+
+**SAMLProviderData** (id=3):
+
+* Entity ID: https://saml.example.com/entityid
+* SSO URL: https://mocksaml.com/api/saml/sso
+* Public Key: (certificate from MockSAML metadata)
+* Fetched At: 2026-02-27 18:05:40+00:00
+* Expires At: 2027-02-27 18:05:41+00:00
+* Valid: True
+
+**MockSAML Configuration**:
+
+* SP Entity ID: https://saml.example.com/entityid
+* ACS URL: http://localhost:18000/auth/complete/tpa-saml/
+* Test User Attributes: email, firstName, lastName, uid
@@ -0,0 +1,26 @@
+# Generated migration for adding optional checkbox skip configuration field
+
+from django.db import migrations, models
+import django.utils.translation
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('third_party_auth', '0013_default_site_id_wrapper_function'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='samlproviderconfig',
+            name='skip_registration_optional_checkboxes',
+            field=models.BooleanField(
+                default=False,
+                help_text=django.utils.translation.gettext_lazy(
+                    "If enabled, optional checkboxes (marketing emails opt-in, etc.) will not be rendered "
+                    "on the registration form for users registering via this provider. When these checkboxes "
+                    "are skipped, their values are inferred as False (opted out)."
+                ),
+            ),
+        ),
+    ]
@@ -745,6 +745,14 @@ class SAMLProviderConfig(ProviderConfig):
             "immediately after authenticating with the third party instead of the login page."
         ),
     )
+    skip_registration_optional_checkboxes = models.BooleanField(
+        default=False,
+        help_text=_(
+            "If enabled, optional checkboxes (marketing emails opt-in, etc.) will not be rendered "
+            "on the registration form for users registering via this provider. When these checkboxes "
+            "are skipped, their values are inferred as False (opted out)."
+        ),
+    )
     other_settings = models.TextField(
         verbose_name="Advanced settings", blank=True,
         help_text=(