Saml redirect mfe

[leoaulasneo98]

Description
This pull request fixes a bug in the authentication microfrontend (MFE) redirection logic. It ensures that enterprise users who are authenticating via a SAML identity provider are not incorrectly redirected to the MFE.
The change involves modifying the should_redirect_to_authn_microfrontend() function to add an additional check for the presence of an enterprise customer and a SAML-based third-party authentication provider. If both conditions are met, the user will not be redirected to the MFE, and the authentication flow will be handled within the LMS.
This change impacts "Developer" and "Operator" roles, as it affects the authentication and authorization logic within the Open edX platform.
Supporting information
The issue was discovered during internal testing and is not currently reported in any public issue trackers. The change is based on the analysis and solution proposed in the following commits:

Commit 1: Redirect non-enterprise SAML to authn MFE
Commit 2: Add test for enterprise SAML authentication MFE redirection logic

Testing instructions
To test this change:

Ensure the authentication MFE is enabled in your Open edX environment.
Create a test enterprise customer in the platform.
Configure a SAML identity provider for the enterprise customer.
Authenticate as a user who belongs to the enterprise customer and is using the SAML provider.
Verify that the user is not redirected to the authentication MFE, but instead the authentication flow is handled within the LMS.
Repeat the test with a non-enterprise user who is authenticating via SAML. Ensure they are redirected to the authentication MFE.

Deadline
There is no urgent deadline for this change. It can be included in the next scheduled release of the Open edX platform.
Other information
This change does not depend on any other changes elsewhere in the codebase. There are no special concerns or limitations, and the change does not involve any database migrations. CopyRetryClaude does not have internet access. Links provided may not be accurate or up to date.

[openedx-webhooks]

Thanks for the pull request, @leoaulasneo98!

This repository is currently maintained by @openedx/wg-maintenance-edx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[deborahgu]

Hi, @leoaulasneo98. While we do a code review of this change, could you look into getting a signed Contributor Agreement? That's necessarily a blocker before we can merge. Thank you, and welcome!

[leoaulasneo98]

Hi, @leoaulasneo98. While we do a code review of this change, could you look into getting a signed Contributor Agreement? That's necessarily a blocker before we can merge. Thank you, and welcome!

Hello, thank you very much, I will then follow the indicated steps

[mphilbrick211]

Hi, @leoaulasneo98. While we do a code review of this change, could you look into getting a signed Contributor Agreement? That's necessarily a blocker before we can merge. Thank you, and welcome!

Hello, thank you very much, I will then follow the indicated steps

@leoaulasneo98 you can be added to the existing entity CLA (agreement) we have with Aulasneo. Please ask your manager to send the request to oscm@axim.org. Thanks!

[leoaulasneo98]

getting a signed Contributor Agreement: Hello Michelle, greetings, I understand that I can handle it. Thank you very much for the guidance.

[mphilbrick211]

@leoaulasneo98 hi there! You can try running the checks again on this, as your CLA has been processed.

[leoaulasneo98]

@leoaulasneo98 hi there! You can try running the checks again on this, as your CLA has been processed.

Hi Michelle, yes sure. Sorry for not answering, I'm already processing it.

[Copilot]

PR Overview

This pull request fixes a bug in the authentication microfrontend redirection logic for enterprise users authenticating via SAML. The changes include adding parameterized tests in test_logistration.py to cover enterprise SAML redirection scenarios and updating the redirection condition in login_form.py to prevent redirecting enterprise SAML users to the authentication MFE.

Reviewed Changes

File	Description
openedx/core/djangoapps/user_authn/views/tests/test_logistration.py	Added tests to verify redirection behavior for enterprise customers using SAML authentication
openedx/core/djangoapps/user_authn/views/login_form.py	Modified redirection logic to bypass MFE redirection for enterprise SAML users

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

openedx/core/djangoapps/user_authn/views/login_form.py:200

• [nitpick] The combined condition may be hard to read and could risk misinterpretation of the intended logic. Consider refactoring or breaking up the condition into clearer, separately named sub-conditions to improve maintainability.

if should_redirect_to_authn_microfrontend() and not (enterprise_customer and tpa_hint_provider and saml_provider):

openedx/core/djangoapps/user_authn/views/login_form.py:190

• [nitpick] The inline comment above the redirection condition could be more explicit by stating that redirection is skipped only if all three conditions (enterprise customer, tpa_hint_provider, and SAML provider) are met. Clarifying this would help maintainers understand the updated logic.

# except if user is an enterprise user with tpa_hint_provider coming from a SAML IDP.

[edx-pipeline-bot]

2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production.

[edx-pipeline-bot]

2U Release Notice: This PR has been deployed to the edX production environment.