As a developer of Django3 applications I need to integrate a SAML2 based
Single-Sign-On (SSO) User authentication system, for example with
Okta. I know there are a number of existing packages
out there, but I want something super-simple that does not require a lot of
configuration in my settings.py
file. I also need this integration to work
with exsitng Django solutions that do not allow me to modify settings.py
directly, as is the case with
Netbox.
This django3_auth_saml2
package was inspired by the existing
django-saml2-auth.
Notable Changes:
- Django3 / Python3 code base
- Provides two Views: one for the login redirect to the SSO and the other for the SSO signin
- Uses Django RemoteUserBackend (or subclass) to handle User creation and configuration process
- Provide the SAML2 authenticate response payload in
response.META['SAML2_AUTH_RESPONSE']
- Any errors result in
PermissionDenied
exceptions to allow for app specific handling - Configuration can be store in
django3_auth_saml2.config.SAML2_AUTH_CONFIG
as an alternative to using the Djangosettings.py
file
This package requires the xmlsec
library to be installed.
This package provides two views:
login
- The URL View should be called when the User attempts to login directly to the applogout
- The URL View should be called when the User attempts to logout directly to the appacs
- This URL View should be called by the SSO system (Okta)
When the User attempts to use login
, the View will redirect the User's web
browser to the SSO system for authentication. Once the User authenticates at
the SSO system, the SSO system will then call the acs
URL view to sign into
the Django app.
In your ROOT_URLCONF.urlpatterns you will need to define two URLs. The first is for the SSO system, and the second is your login URL that will force the User to authenticate via the SSO first. You can change these to suit your specific app API.
Keep in mind that the 'django3_auth_saml2.urls' provides the 'acs' view, so that the example below would result in the app API "/sso/acs/" and "/sso/login/".
urlpatterns = [
path('sso/', include('django3_auth_saml2.urls')),
path('login/', RedirectView.as_view(url='/sso/login/')),
path('logout/', RedirectView.as_view(url='/sso/logout/')),
]
The options have been streamlined from the original django-sam2-auth package, only the following are supported:
AUTHENTICATION_BACKEND
(NEW) the dotted string name of the backend, for example:
"django.contrib.auth.backends.RemoteUserBackend"
One of:
A) METADATA_AUTO_CONF_URL
The URL to the SSO system where the metadata document can be retrieved, for example:
"https://mycorp.oktapreview.com/app/sadjfalkdsflkads/sso/saml/metadata"
B) METADATA_LOCAL_FILE_PATH
As an alternative to using the URL, you can store the metadata contents to a local file, for example:
"/etc/oktapreview-netbox-metadata.xml"
DEFAULT_NEXT_URL
The next URL used to redirect the User after login is successful. Defaults to /
.
DEFAULT_SSO_ACS_URL
The URL to be used for SSO sign-in purposes. Defaults to /sso/acs/
.
ENTITY_ID
This is generally the URL to your application, for example:
"https://okta-devtest.ngrok.io"
ASSERTION_URL - same
This is generally the URL to your application, for example:
"https://okta-devtest.ngrok.io"
NAME_ID_FORMAT
Identifies the format of the User name, see docs for options.
This value defaults to using email.
By default the User name value will be taken from the SAML response
name_id.text
value. For example, if the NAME_ID_FORMAT is set to use email,
then the User name value will be the User's email address.
For more information on these terms, refer to docs.
You should create the SAML2_AUTH_CONFIG
dictionary in the Django settings.py
file,
for example:
SAML2_AUTH_CONFIG = {
# Using default remote backend
'AUTHENTICATION_BACKEND': 'django.contrib.auth.backends.RemoteUserBackend',
# Metadata is required, choose either remote url or local file path
'METADATA_AUTO_CONF_URL': "https://mycorp.oktapreview.com/app/sadjfalkdsflkads/sso/saml/metadata"
}
By default acs
will define the remote_user
parameter from the
saml2_auth_resp.name_id.text
value when it calls the backend authenticate()
method. For example, if the SSO system (Okta) has configured the name ID
format as email (as shown in the example above), then the User name will be the
Users email address.
The acs
View will set the response.META['SAML2_AUTH_RESPONSE']
to the
saml2.response.AuthnResponse
instance so that you can access this
information.
When acs
calls the backend authenticate()
, the User will be created if it
does not exist by defaul; see class property create_unknown_user
. In this
case the RemoteUserBackend.configure_user()
method is called.
You can subclass RemoteUserBackend, implemeting your own authenticate()
and
configure_user()
methods to use the response.META['SAML2_AUTH_RESPONSE']
data. You can to access the SAML2 user identiy attributes. See samples in
backends.py.
If you are using Netbox and you do
not want to fork/modify the system settings.py
file, please refer to
netbox-plugin-auth-saml2