SSO with LMS not working

[angonz]

As per instructions, it should be possible to log in using an existing LMS user. However this is not working. This screenshot was taken using the admin user of the Sumac sandbox. I have noticed the same in Quince.

Looks like the user is created, but the staff and superuser status is not set.

[DawoudSheraz]

@angonz Hi, what steps did you take? I was checking discovery locally. I hit courses endpoint, it redirected to auth page, and when I logged in using admin, I was able to access discovery API because admin user was logged in there. As for staff/superuser setting, the auth_backend does not seem to set this, it only creates the user https://github.com/openedx/auth-backends/blob/master/auth_backends/strategies.py#L29. However, anyone else with more context on this can better comment. This does not seem to be an issue with tutor-discovery.

[DawoudSheraz]

@angonz Hi, following up on this issue. Thanks

[angonz]

Hi @DawoudSheraz,
When you install from scratch and try to log into Discovery admin, the user is created by SSO. However, the user is not granted superuser permissions, so it will not be able to access the admin site of discovery. The workaround is to create the user with --staff --superuser options using Tutor command into the discovery plugin before attempting to login. I don't know if there will be a better solution for this.

[DawoudSheraz]

Hi @DawoudSheraz, When you install from scratch and try to log into Discovery admin, the user is created by SSO. However, the user is not granted superuser permissions, so it will not be able to access the admin site of discovery. The workaround is to create the user with --staff --superuser options using Tutor command into the discovery plugin before attempting to login. I don't know if there will be a better solution for this.

Currently, I am not sure if we can plugin tutor in Open edX SSO flow. SSO flow is independent of Tutor workflow. We can use tutor-discovery to create a new user with default email and it can have staff/superuser permissions that one can use to login. I don't think the plugin can add anything to SSO as it lies outside the domain of Tutor and is much in-grained in Open edX flow.

[mlabeeb03]

Hi @DawoudSheraz, When you install from scratch and try to log into Discovery admin, the user is created by SSO. However, the user is not granted superuser permissions, so it will not be able to access the admin site of discovery. The workaround is to create the user with --staff --superuser options using Tutor command into the discovery plugin before attempting to login. I don't know if there will be a better solution for this.

Hi @angonz
I think this is the only way, a superuser has to give admin access to the existing LMS users. Any workaround for this will be specific to tutor-discovery and would have to be done separately for other services as well. As mentioned above, the course-discovery does not set the superuser & is_staff. We can update the instructions to mention this scenario to avoid confusion in the future.

[angonz]

Fully agree. A note in the README for me would be good to close this case.