diff --git a/openedx/core/djangoapps/user_authn/views/login_form.py b/openedx/core/djangoapps/user_authn/views/login_form.py
index 4f43efb9c5..bc45dd955f 100644
--- a/openedx/core/djangoapps/user_authn/views/login_form.py
+++ b/openedx/core/djangoapps/user_authn/views/login_form.py
@@ -164,6 +164,7 @@ def login_and_registration_form(request, initial_mode="login"):
 # Our ?next= URL may itself contain a parameter 'tpa_hint=x' that we need to check.
 # If present, we display a login page focused on third-party auth with that provider.
 third_party_auth_hint = None
+ tpa_hint_provider = None
 if '?' in redirect_to: # lint-amnesty, pylint: disable=too-many-nested-blocks
 try:
 next_args = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_to).query)
@@ -186,16 +187,26 @@ def login_and_registration_form(request, initial_mode="login"):
 except (KeyError, ValueError, IndexError) as ex:
 log.exception("Unknown tpa_hint provider: %s", ex)
- # Redirect to authn MFE if it is enabled or user is not an enterprise user or not coming from a SAML IDP.
+ # Redirect to authn MFE if it is enabled
+ # AND
+ # user is not an enterprise user
+ # AND
+ # tpa_hint_provider is not available
+ # AND
+ # user is not coming from a SAML IDP.
 saml_provider = False
 running_pipeline = pipeline.get(request)
- enterprise_customer = enterprise_customer_for_request(request)
 if running_pipeline:
 saml_provider, __ = third_party_auth.utils.is_saml_provider(
 running_pipeline.get('backend'), running_pipeline.get('kwargs')
 )
- if should_redirect_to_authn_microfrontend() and not enterprise_customer and not saml_provider:
+ enterprise_customer = enterprise_customer_for_request(request)
+
+ if should_redirect_to_authn_microfrontend() and \
+ not enterprise_customer and \
+ not tpa_hint_provider and \
+ not saml_provider:
 # This is to handle a case where a logged-in cookie is not present but the user is authenticated.
 # Note: If we don't handle this learner is redirected to authn MFE and then back to dashboard
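Review bot: The added `not tpa_hint_provider` term in the second hunk makes the choice between the legacy form and the authn MFE depend on a `tpa_hint` value parsed out of the requester-supplied `next` URL, and nothing in the new comment says which providers are allowed to have that effect. The assignment to `tpa_hint_provider` sits between the two hunks and is not visible here, so it should be confirmed that it is only set for a provider that resolves and is enabled for this site, and that a failure in the `except (KeyError, ValueError, IndexError)` path cannot leave a half-validated value behind. I would say so above the condition, for example `# tpa_hint comes from the caller-supplied ?next= URL; only a resolved, enabled provider keeps the request on the legacy form`, in place of the bare "tpa_hint_provider is not available" line. A test that passes an unknown and a disabled hint and still expects the MFE redirect would pin the behaviour. The body of `login_and_registration_form` starts before and continues past both hunks.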