feat: add single sign on by saml

[RawanMatar89]

Describtion:

as in iOS, we added a new button in sign in view named "Sign in with SSO" to be use for opening single sign on web view

TODO:

• Revert previous Android SAML implementation to unify with iOS PR feat: Support for login and registration via a browser custom tab #371
• Initial SAML support, tested and verified
• YAML configuration documentation
• Fixed conflicts with the develop branch
• Initial review by RG team
• Final review by RG team
• Fix lint issues after the final review

Screenshots:

Before	After (both)	After (SSO only)

[openedx-webhooks]

Thanks for the pull request, @RawanMatar89!

This repository is currently maintained by @openedx/openedx-mobile-maintainers.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[github-advanced-security]

detekt found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[e0d]

@RawanMatar89 it looks like there are some failing tests and checks, can you have a look. We can review this when the checks are passing.

I also want to make sure we ensure this work meshes will with this:

#371

@xitij2000 can you chime in here?

[xitij2000]

@RawanMatar89 it looks like there are some failing tests and checks, can you have a look. We can review this when the checks are passing.

I also want to make sure we ensure this work meshes will with this:

#371

@xitij2000 can you chime in here?

I am currently unable to test the code or have a deeper look; however, I do see some overlap. #371 adds a web-browser based flow that will initiate an OAuth flow with the LMS, delegating the actual login mechanism to whatever IdPs are set up at the LMS including any SAML-based ones. So from what I understand, what this PR is doing is already possible using the existing code.

[OmarIthawi]

I am currently unable to test the code or have a deeper look; however, I do see some overlap. #371 adds a web-browser based flow that will initiate an OAuth flow with the LMS, delegating the actual login mechanism to whatever IdPs are set up at the LMS including any SAML-based ones. So from what I understand, what this PR is doing is already possible using the existing code.

@xitij2000 good note that what I was thinking of when I looked at your WebView code. For a background, the original work has been done in the iOS app and is already merged since July 2024:

• feat: add single sign on feature using SAML openedx-app-ios#447

This PR has gone stale a bit due to the review process and our internal prioritizations.

My recommendation is to keep the iOS and the Android in a very similar flow in regards to backend integration and YAML configurations.

@e0d @volodymyr-chekyrta How do you recommend going on with this?

[volodymyr-chekyrta]

I am currently unable to test the code or have a deeper look; however, I do see some overlap. #371 adds a web-browser based flow that will initiate an OAuth flow with the LMS, delegating the actual login mechanism to whatever IdPs are set up at the LMS including any SAML-based ones. So from what I understand, what this PR is doing is already possible using the existing code.

@xitij2000 good note that what I was thinking of when I looked at your WebView code. For a background, the original work has been done in the iOS app and is already merged since July 2024:

• feat: add single sign on feature using SAML openedx-app-ios#447

This PR has gone stale a bit due to the review process and our internal prioritizations.

My recommendation is to keep the iOS and the Android in a very similar flow in regards to backend integration and YAML configurations.

@e0d @volodymyr-chekyrta How do you recommend going on with this?

Good question. I would like to see a similar approach and feature flags for both platforms.
It may be a good discussion for the Mobile: Product SubGroup Meeting.

[RawanMatar89]

Plan for this PR:

• Resolve Conflicts: First, I will address the existing conflicts in this PR to ensure everything is aligned correctly.
• Revert Web base LMS Auth PR: To maintain consistency between Android and iOS code, I will re the changes from Web base LMS Auth PR for now.
• Cover Missing Cases: After the rollback, I will review the changes from Web base LMS Auth PR and ensure that any cases not already covered in our PR are addressed.

This approach will help keep both the Android and iOS code versions in sync while maintaining any necessary improvements from Web base LMS Auth PR work.

cc: @xijit and @valimir

[RawanMatar89]

dears, This PR is now ready for review.
Just to highlight, the approach used here is more advanced than the one in the reverted PR. With our implementation, both default and browser-based login options can coexist and be supported simultaneously. In contrast, the previous approach only allowed one login method to be available at a time.
Looking forward to your feedback!

@volodymyr-chekyrta , @xitij2000 , @valimir

[mphilbrick211]

Hi @openedx/openedx-mobile-maintainers! Would someone be able to please take a look at this?

[mphilbrick211]

Hi @openedx/openedx-mobile-maintainers! Would someone be able to please take a look at this?

Friendly ping on this @openedx/openedx-mobile-maintainers

[volodymyr-chekyrta]

@RawanMatar89, could you please resolve conflicts on this PR? We will take it to review.
@IvanStepanok @PavloNetrebchuk fyi

[OmarIthawi]

@RawanMatar89 another ping for the rebase and conflict fixing.

This is still on our plate and we'll push for it to get merged.

Thanks @mphilbrick211 and @volodymyr-chekyrta for reviving it.

[RawanMatar89]

@volodymyr-chekyrta, @OmarIthawi
Thanks for the reminder! I’ve resolved all conflicts, and the PR is now ready for review.

[IvanStepanok]

I’m worried about the SSO login flow here. In SSOWebContentScreen we read cookies without null checks and immediately split them,

openedx-app-android/core/src/main/java/org/openedx/core/ui/SSOWebContentScreen.kt

Lines 171 to 176 in 2207571

	fun getCookie(siteName: String?, cookieName: String?): String? {
	var cookieValue: String? = ""
	val cookieManager = CookieManager.getInstance()
	val cookies = cookieManager.getCookie(siteName)
	val temp = cookies.split(";".toRegex()).dropLastWhile { it.isEmpty() }

so the very first onPageFinished can throw an NPE, and even when it doesn’t we concatenate header/payload/signature without the separating dot.

openedx-app-android/core/src/main/java/org/openedx/core/ui/SSOWebContentScreen.kt

Lines 125 to 126 in 2207571

	val jwtToken = getCookie(url, "edx-jwt-cookie-header-payload") + getCookie(url, "edx-jwt-cookie-signature")
	onWebPageUpdated(jwtToken)

SSOWebContentFragment treats any non-empty result as success and pops the stack,

openedx-app-android/core/src/main/java/org/openedx/core/presentation/global/webview/SSOWebContentFragment.kt

Lines 43 to 45 in 2207571

	if (token.isNotEmpty()){
	setFragmentResult("requestKey", bundleOf("bundleKey" to token))
	requireActivity().supportFragmentManager.popBackStack()

and SignInFragment then hands ssoLogin the requestKey instead of the token from the bundle.

openedx-app-android/auth/src/main/java/org/openedx/auth/presentation/signin/SignInFragment.kt

Lines 47 to 48 in 2207571

	setFragmentResultListener("requestKey") { requestKey, bundle ->
	viewModel.ssoLogin(token = requestKey)

Combined, this means ssoLogin ends up with garbage and the SSO attempt can never finish successfully.

[IvanStepanok]

if (!state.isLoginRegistrationFormEnabled) {

According to iOS implementation we need to hide this title in case when isLoginRegistrationFormEnabled = true

[IvanStepanok]

We are ignoring SSO_BUTTON_TITLE parameter on config file here

[IvanStepanok]

lang is lowercased here but in
SSO_BUTTON_TITLE:
AR: "الدخول عبر SSO"
EN: "Sign in with SSO"

parameters are uppercased. Can’t check this because in current implementation we are ignoring SSO_BUTTON_TITLE

[IvanStepanok]

We need to add the same logic as on default Login where we have a clean calendar and synchronize FCM if users are changed.

[IvanStepanok]

I cant check this, but looks like we will return here duplicates of "JWT". Like "JWTJWT token1323231232".

[IvanStepanok]

Do we need to update accessTokenExpiresAt here?