ckanext-saml2auth
An extension to enable Single Sign-On (SSO) for CKAN data portals via SAML2 authentication.
Requirements
This extension works with CKAN 2.9+.
Installation
To install ckanext-saml2auth:
Install the required packages:
sudo apt install xmlsec1
Activate your CKAN virtual environment, for example:
. /usr/lib/ckan/default/bin/activate
Install the ckanext-saml2auth Python package into your virtual environment:
pip install ckanext-saml2auth
Install the python modules required by the extension (adjusting the path according to where ckanext-saml2auth was installed in the previous step):
    # rustc and cargo are needed to build cryptography if no binary wheel exists
    sudo apt install rustc cargo
    pip install -r requirements.txt
Add saml2auth to the ckan.plugins setting in your CKAN config file (by default the config file is located at /etc/ckan/default/ckan.ini).
Restart CKAN. For example if you’ve deployed CKAN with Apache on Ubuntu:
sudo service apache2 reload
Config settings
Required:
    # Specifies the metadata location type
    # Options: local or remote
    ckanext.saml2auth.idp_metadata.location = remote
    # Path to a local file accessible on the server the service runs on
    # Ignore this config if the idp metadata location is set to: remote
    ckanext.saml2auth.idp_metadata.local_path = /opt/metadata/idp.xml
    # A remote URL serving aggregate metadata
    # Ignore this config if the idp metadata location is set to: local
    ckanext.saml2auth.idp_metadata.remote_url = https://kalmar2.org/simplesaml/module.php/aggregator/?id=kalmarcentral2&set=saml2
    # Path to a local file accessible on the server the service runs on
    # Ignore this config if the idp metadata location is set to: local
    ckanext.saml2auth.idp_metadata.remote_cert = /opt/metadata/kalmar2.cert
    # Corresponding SAML user field for firstname
    ckanext.saml2auth.user_firstname = firstname
    # Corresponding SAML user field for lastname
    ckanext.saml2auth.user_lastname = lastname
    # Corresponding SAML user field for fullname
    # (Optional: Can be used as an alternative to firstname + lastname)
    ckanext.saml2auth.user_fullname = fullname
    # Corresponding SAML user field for email
    ckanext.saml2auth.user_email = email
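The user_* settings above tell the extension which SAML attributes carry the name and email of the person who logged in. The following is an added illustrative model of that mapping, not code from ckanext-saml2auth or pysaml2: it takes the configured attribute names, a pysaml2-style attribute statement (attribute name to list of values) and shows the fullname fallback to firstname + lastname, the handling of multi-valued attributes, what happens when the email attribute is missing, and how allow_unknown_attributes (from the optional settings) is modelled. The attribute names givenName, sn, mail and displayName and the sample values are constructed.

```python
from typing import Dict, List, Optional

# Constructed mapping settings, mirroring the README's required user_* keys
# (the attribute names on the right are assumptions, not the extension's defaults).
FIELD_CONFIG = {
    "ckanext.saml2auth.user_firstname": "givenName",
    "ckanext.saml2auth.user_lastname": "sn",
    "ckanext.saml2auth.user_fullname": "displayName",
    "ckanext.saml2auth.user_email": "mail",
}

# Constructed attribute statement in the shape pysaml2 hands back after
# attribute mapping: attribute name -> list of values.
SAMPLE_ATTRIBUTES = {
    "givenName": ["Ada"],
    "sn": ["Lovelace"],
    "mail": ["ada@example.org"],
    "eduPersonAffiliation": ["staff", "member"],
}


class MissingAttribute(Exception):
    """Raised when the assertion lacks an attribute CKAN cannot do without."""


def first_value(attributes: Dict[str, List[str]], name: Optional[str]) -> Optional[str]:
    """Return the first non-blank value of a (possibly multi-valued) attribute, or None."""
    if not name:
        return None
    for value in attributes.get(name, []):
        if value and value.strip():
            return value.strip()
    return None


def resolve_user(config: Dict[str, str], attributes: Dict[str, List[str]],
                 allow_unknown_attributes: bool = True) -> Dict[str, object]:
    """Map a SAML attribute statement onto the CKAN user fields the extension needs.

    Illustrative model only: fullname wins when configured and present, otherwise
    firstname and lastname are joined; a missing email is a hard failure because
    CKAN accounts are keyed on it.
    """
    def setting(key: str) -> Optional[str]:
        return config.get("ckanext.saml2auth." + key)

    email = first_value(attributes, setting("user_email"))
    if email is None:
        raise MissingAttribute("email attribute %r missing from assertion" % setting("user_email"))

    fullname = first_value(attributes, setting("user_fullname"))
    if fullname is None:
        parts = [first_value(attributes, setting("user_firstname")),
                 first_value(attributes, setting("user_lastname"))]
        fullname = " ".join(p for p in parts if p) or None
    if fullname is None:
        raise MissingAttribute("neither fullname nor firstname/lastname present in assertion")

    # Attributes that are not mapped to any user field: kept only when the
    # allow_unknown_attributes setting says they should not be discarded.
    known = {setting("user_firstname"), setting("user_lastname"),
             setting("user_fullname"), setting("user_email")}
    extra = {k: v for k, v in attributes.items() if k not in known}
    if not allow_unknown_attributes:
        extra = {}

    return {"email": email.lower(), "fullname": fullname, "extra_attributes": extra}


if __name__ == "__main__":
    print(resolve_user(FIELD_CONFIG, SAMPLE_ATTRIBUTES))
```

With the constructed input the fullname is built from givenName and sn because displayName is absent from the assertion; adding a displayName value makes it take precedence, and dropping mail raises MissingAttribute rather than creating an account without an email.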
Optional:
    # URL route of the endpoint where the SAML assertion is sent, also known as Assertion Consumer Service (ACS).
    # Default: /acs
    ckanext.saml2auth.acs_endpoint = /sso/post
    # Configuration setting that enables CKAN's internal register/login functionality as well
    # Default: False
    ckanext.saml2auth.enable_ckan_internal_login = True
    # List of email addresses from users that should be created as sysadmins (system administrators)
    # Note that this means that CKAN sysadmins will _only_ be managed based on this config option and will override existing user permissions in the CKAN database
    # If not set then it is ignored and CKAN sysadmins are managed through normal means
    # Default: <Not set>
    ckanext.saml2auth.sysadmins_list = mail@domain.com mail2@domain.com mail3@domain.com
    # Indicates that attributes that are not recognized (they are not configured in attribute-mapping),
    # will not be discarded.
    # Default: True
    ckanext.saml2auth.allow_unknown_attributes = False
    # A list of string values that will be used to set the <NameIDFormat> element of the metadata of an entity.
    # Default: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    ckanext.saml2auth.sp.name_id_format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    # A string value that will be used to set the Format attribute of the <NameIDPolicy> element of the metadata of an entity.
    # Default: <Not set>
    ckanext.saml2auth.sp.name_id_policy_format = urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    # Entity ID (also known as Issuer)
    # Define the entity ID. Default is urn:mace:umu.se:saml:ckan:sp
    ckanext.saml2auth.entity_id = urn:gov:gsa:SAML:2.0.profiles:sp:sso:gsa:catalog-dev
    # Signed responses and assertions
    ckanext.saml2auth.want_response_signed = False
    ckanext.saml2auth.want_assertions_signed = False
    ckanext.saml2auth.want_assertions_or_response_signed = True
    # Cert & key files
    ckanext.saml2auth.key_file_path = /path/to/mykey.pem
    ckanext.saml2auth.cert_file_path = /path/to/mycert.pem
    # Attribute map directory
    ckanext.saml2auth.attribute_map_dir = /path/to/dir/attributemaps
    # Authentication context request before redirect to login
    # e.g. to ask for a PIV card with login.gov provider (https://developers.login.gov/oidc/#aal-values) use:
    ckanext.saml2auth.requested_authn_context = http://idmanagement.gov/ns/assurance/aal/3?hspd12=true
    # You can use multiple contexts separated by spaces
    ckanext.saml2auth.requested_authn_context = req1 req2
    # Define the comparison value for RequestedAuthnContext
    # Comparison could be one of these: exact, minimum, maximum or better
    ckanext.saml2auth.requested_authn_context_comparison = exact
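Several of the settings above interact in ways that are easy to get wrong in a deployment review: remote metadata needs a certificate to verify it, the three want_*_signed switches decide whether unsigned responses and assertions are accepted, sysadmins_list silently takes over sysadmin management from the database, enable_ckan_internal_login keeps CKAN's own login reachable next to SSO, and key_file_path and cert_file_path only make sense together. The following is an added configuration checker, not part of ckanext-saml2auth: it reads the [app:main] section of a CKAN ini with the standard library and reports those conditions. The ini fragment is constructed and deliberately contains weak values; the checker only flags signing as disabled when all three want_*_signed keys are explicitly False, because it does not assume what the extension's defaults are when a key is absent.

```python
import configparser
from typing import Dict, List, Optional

PREFIX = "ckanext.saml2auth."

# Constructed CKAN ini fragment (not a real deployment) that exercises the
# settings documented above; several values are deliberately weak.
SAMPLE_INI = """\
[app:main]
ckan.plugins = stats saml2auth
ckanext.saml2auth.idp_metadata.location = remote
ckanext.saml2auth.idp_metadata.remote_url = https://idp.example.org/metadata.xml
ckanext.saml2auth.want_response_signed = False
ckanext.saml2auth.want_assertions_signed = False
ckanext.saml2auth.want_assertions_or_response_signed = False
ckanext.saml2auth.enable_ckan_internal_login = True
ckanext.saml2auth.sysadmins_list = admin@example.org ops@example.org not-an-email
ckanext.saml2auth.user_firstname = firstname
ckanext.saml2auth.user_lastname = lastname
ckanext.saml2auth.user_email = email
ckanext.saml2auth.key_file_path = /etc/ckan/default/sp-key.pem
"""


def load_app_settings(ini_text: str) -> Dict[str, str]:
    """Return the [app:main] section of a CKAN ini as a plain dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return {key: value.strip() for key, value in parser["app:main"].items()}


def as_bool(value: Optional[str], default: Optional[bool] = None) -> Optional[bool]:
    """Parse CKAN's True/False style booleans; None means the key is not set."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "1", "yes", "on")


def parse_sysadmins_list(settings: Dict[str, str]) -> List[str]:
    """sysadmins_list is space separated; keep only entries that look like emails."""
    raw = settings.get(PREFIX + "sysadmins_list", "")
    return [entry for entry in raw.split() if "@" in entry]


def lint_saml2auth(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings about risky or inconsistent settings."""
    findings: List[str] = []

    def get(name: str) -> Optional[str]:
        return settings.get(PREFIX + name)

    if "saml2auth" not in settings.get("ckan.plugins", "").split():
        findings.append("saml2auth is not listed in ckan.plugins; the extension is inactive")

    location = get("idp_metadata.location")
    if location == "local":
        if not get("idp_metadata.local_path"):
            findings.append("idp_metadata.location is local but local_path is not set")
    elif location == "remote":
        if not get("idp_metadata.remote_url"):
            findings.append("idp_metadata.location is remote but remote_url is not set")
        if not get("idp_metadata.remote_cert"):
            findings.append("remote IdP metadata is fetched without remote_cert to verify it")
    else:
        findings.append("idp_metadata.location must be 'local' or 'remote'")

    signing = [as_bool(get(name)) for name in (
        "want_response_signed", "want_assertions_signed", "want_assertions_or_response_signed")]
    # Only an explicit opt-out is flagged: absent keys fall back to the extension's
    # defaults, which this checker does not assume.
    if all(flag is False for flag in signing):
        findings.append("all want_*_signed settings are False; unsigned responses and assertions would be accepted")

    if not get("user_email"):
        findings.append("user_email mapping is required but not set")
    if not get("user_fullname") and not (get("user_firstname") and get("user_lastname")):
        findings.append("set user_fullname or both user_firstname and user_lastname")

    raw_admins = (get("sysadmins_list") or "").split()
    if raw_admins:
        findings.append("sysadmins_list is set (%d entries): sysadmin rights are now managed only from "
                        "the ini and override the database" % len(raw_admins))
        bad = [entry for entry in raw_admins if "@" not in entry]
        if bad:
            findings.append("sysadmins_list entries are not email addresses: " + ", ".join(bad))

    if as_bool(get("enable_ckan_internal_login"), False):
        findings.append("enable_ckan_internal_login is True: CKAN's own register/login remains reachable alongside SSO")

    if bool(get("key_file_path")) != bool(get("cert_file_path")):
        findings.append("key_file_path and cert_file_path must be set together")

    return findings


if __name__ == "__main__":
    for line in lint_saml2auth(load_app_settings(SAMPLE_INI)):
        print("-", line)
```

Run against a real deployment by replacing SAMPLE_INI with the contents of ckan.ini; the checker reads nothing but the ini text, so it is safe to run on a copy of the file during review.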
Developer installation
To install ckanext-saml2auth for development, activate your CKAN virtualenv and do:
    sudo apt install xmlsec1
    git clone https://github.com/duskobogdanovski/ckanext-saml2auth.git
    cd ckanext-saml2auth
    python setup.py develop
    pip install -r dev-requirements.txt
Tests
To run the tests, do:
pytest --ckan-ini=test.ini
To run the tests and produce a coverage report, first make sure you have pytest-cov installed in your virtualenv (pip install pytest-cov) then run:
pytest --ckan-ini=test.ini --cov=ckanext.saml2auth
Releasing a new version of ckanext-saml2auth
ckanext-saml2auth should be available on PyPI as https://pypi.org/project/ckanext-saml2auth. To publish a new version to PyPI follow these steps:
Update the version number in the setup.py file. See PEP 440 for how to choose version numbers.
Make sure you have the latest version of necessary packages:
pip install --upgrade setuptools wheel twine
Create source and binary distributions of the new version:
python setup.py sdist bdist_wheel && twine check dist/*
Fix any errors you get.
Upload the source distribution to PyPI:
twine upload dist/*
Commit any outstanding changes:
    git commit -a
    git push
Tag the new release of the project on GitHub with the version number from the setup.py file. For example if the version number in setup.py is 0.0.1 then do:
    git tag 0.0.1
    git push --tags
Hashes for ckanext_saml2auth-1.0.2-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | a464ad71359d42d73575ab4313e77a20820454ace21e5dc53aa3763f74ba65e9
MD5 | a3a06fe47c81ee8b03c61e143d6e100a
BLAKE2b-256 | efa370499a8223f870f9f36c6b975732328843e2b6753c009c61b7e54495675a