User Management & SSO
Overview
User Management & SSO covers platform-level user account administration — creating and managing accounts, assigning platform roles, configuring SSO providers (SAML/OAuth2), managing staff permissions, and handling user data compliance (GDPR/FERPA data deletion).
This area differs from the Learner Identity & Accounts feature area: that area covers learner self-service (registration, account settings); this area covers administrator control over the user system.
Current State (2026)
- Django admin: Primary user management UI; administrators can view/edit users, assign roles, reset passwords, retire accounts
- SSO configuration: SAML and OAuth2 providers configured via Django admin (`ThirdPartyAuthConfiguration`); managed per-site
- RBAC: `edx-rbac` provides role-based access control framework; `CourseRole`, `OrganizationRole`, system-wide roles
- User retirement: GDPR/FERPA-compliant retirement workflow in `edx-platform`; anonymizes PII on request
- Enterprise admin portal: `frontend-app-admin-portal` provides B2B admins a more user-friendly interface for their learner populations
Architecture
- User model: Custom `auth_user` + `UserProfile` in `edx-platform`; user data spread across multiple tables
- SSO: `python-social-auth` in `edx-platform` with `auth-backends` for institutional SAML/OAuth2; `ThirdPartyAuthConfiguration` model
- RBAC: `edx-rbac` JWT-based role system; roles encoded in JWT tokens at login
- Data retirement: `UserRetirementStatus` workflow in `edx-platform`; staged process for PII removal
- Org-scoped permissions: Organization administrators can manage users within their org scope via enterprise features
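The "roles encoded in JWT tokens at login" point above is the one a security reviewer most wants to see concretely: a role claim is only as trustworthy as the signature and expiry check that precedes it, and an org-scoped role must be matched on both role name and context. The block below is an added example, not code from `edx-rbac` or `edx-platform`; the `role:context` claim shape and the `*` all-contexts wildcard are assumed conventions, the HS256 secret is constructed for the example, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only; not an Open edX value.
SECRET = b"example-jwt-signing-secret"
ALL_CONTEXTS = "*"  # assumed wildcard meaning "this role in every context"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: str, roles: list, secret: bytes = SECRET, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying a 'roles' claim of 'role:context' strings
    (hypothetical issuer standing in for the login step)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "roles": roles, "exp": int(time.time()) + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now: float = None) -> dict:
    """Return the payload only after the signature and expiry check out.
    Roles are read exclusively from a verified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    current = time.time() if now is None else now
    if payload.get("exp", 0) <= current:
        raise ValueError("token expired")
    return payload


def has_role(payload: dict, role: str, context: str) -> bool:
    """Context-scoped check: the role name must match AND the context must
    match, unless the claim carries the all-contexts wildcard."""
    for claim in payload.get("roles", []):
        claim_role, _, claim_ctx = claim.partition(":")
        if claim_role == role and claim_ctx in (ALL_CONTEXTS, context):
            return True
    return False


def tamper_roles(token: str, extra_role: str) -> str:
    """Rebuild the payload with an added role but keep the old signature.
    Used only to show that verify_jwt rejects an unsigned claim change."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload.setdefault("roles", []).append(extra_role)
    return f"{h}.{_b64url(json.dumps(payload).encode())}.{s}"


if __name__ == "__main__":
    tok = issue_jwt("user-1", ["org_admin:OrgX", "course_staff:*"])
    claims = verify_jwt(tok)
    print("org_admin on OrgX:", has_role(claims, "org_admin", "OrgX"))   # True
    print("org_admin on OrgY:", has_role(claims, "org_admin", "OrgY"))   # False
    try:
        verify_jwt(tamper_roles(tok, "org_admin:OrgY"))
    except ValueError as err:
        print("tampered token rejected:", err)
```

The order of operations is the point: `verify_jwt` runs first and raises on a bad signature, an unexpected `alg`, or an expired token, so `has_role` never sees claims the server did not sign. The context comparison is exact, so an `org_admin` role on one organization grants nothing on another unless the claim explicitly carries the wildcard.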
Relevant Repositories
| Repository | Role in This Feature | Activity Level | Notes |
|---|---|---|---|
| openedx/openedx-platform | User model, SSO config, retirement workflow | High | Core user management |
| openedx/auth-backends | SAML and OAuth2 backend implementations | Medium | SSO backends |
| openedx/edx-rbac | Role-based access control framework | Medium | Permission system |
| openedx/frontend-app-admin-portal | B2B admin portal for enterprise user management | High | Enterprise admin UI |
| openedx/openedx-authz | Authorization service (early development) | Low | Future auth system |
Recent Changes
- Enterprise user management improvements in `frontend-app-admin-portal`
- Ongoing work on `openedx-authz` as future authorization layer
History
Origin
- Year introduced: 2012 (user accounts from initial edX launch)
- Initial implementation: Standard Django auth with custom `UserProfile`; SSO added later
- Context: edX.org initially used simple email/password accounts; enterprise customers drove SSO requirements
Key Milestones
| Year | Milestone | Teams / People Involved |
|---|---|---|
| 2012 | Basic Django user accounts | Unknown |
| ~2014–2015 | SAML SSO support added for enterprise | Unknown |
| ~2018 | GDPR user retirement workflow introduced | Unknown |
| ~2019 | edx-rbac JWT roles | Unknown |
People Who Shaped This Area
- Engineering: Unknown — open question for interview
- Product: Unknown — open question for interview
- Design: Unknown — open question for interview
Open Questions
- [ ] When was SAML SSO first added and what enterprise customer drove it?
- [ ] How does the user retirement workflow handle edge cases (active enrollments, certificates)?
- [ ] How does the JWT role encoding work with `edx-rbac`?
- [ ] What are the most complex SSO configurations seen in production?
- [ ] What drove the decision to build `openedx-authz` as a separate service?