A Django App that adds SAML 2.0 endpoints to dj-rest-auth

Project description

dj-rest-auth-saml

Overview

dj-rest-auth-saml is a Django app that plugs into dj-rest-auth and lets it use django-allauth's SAML 2.0 provider, so a REST client can log in through a SAML identity provider.

Requirements:

Make sure that django-allauth is installed with the SAML 2.0 extension:

pip install django-allauth[SAML]

Installation

To install dj-rest-auth-saml run:

pip install dj-rest-auth-saml

In the settings.py you should have the following:

INSTALLED_APPS = [
    # ...
    "django.contrib.sites",
    "corsheaders",
    "rest_framework",
    "rest_framework.authtoken",
    "allauth",  # this is django-allauth
    "allauth.account",
    "allauth.socialaccount",
    "allauth.socialaccount.providers.saml",  # saml support from django-allauth
    "dj_rest_auth", # this is dj-rest-auth
    "dj_rest_auth_saml"  # this package
]

SITE_ID = 1

MIDDLEWARE = [
    "corsheaders.middleware.CorsMiddleware",
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "allauth.account.middleware.AccountMiddleware", # this is important for allauth
]

SOCIAL_LOGIN_SAML_ENABLED = True

SOCIALACCOUNT_PROVIDERS = {
    "saml": {
        "Apps": [
            # your SAML app entries go here (see Configurations below)
        ]
    }
}

Configurations:

Follow the detailed instructions at the following link to add your SAML provider(s) to the SOCIALACCOUNT_PROVIDERS["saml"]["Apps"] list:

https://docs.allauth.org/en/latest/socialaccount/providers/saml.html

Alternatively, you can add a migration that writes your SAML provider to the database using the utility function dj_rest_auth_saml.utils.add_default_saml_application, which requires the following settings to be present in settings.py:

SOCIAL_LOGIN_SAML_IDP_PROVIDER_ID = "IDP_PROVIDER_ID"  # For Google as a provider "https://accounts.google.com/o/saml2?idpid=XXXXXXXXX"
SOCIAL_LOGIN_SAML_SP_ID = "example"  # The SP ID used at the IDP
SOCIAL_LOGIN_SAML_IDP_SSO_URL = "https://idp_sso_url"  # The url for the IDP SSO, for google: "https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX"
SOCIAL_LOGIN_SAML_IDP_X509CERT = "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----"  # the X509 IDP CERT
SOCIAL_LOGIN_SAML_ATTRIBUTE_MAPPING = {
  "uid": "uid",
  "email": "email",
  "email_verified": "email_verified",
  "first_name": "first_name",
  "last_name": "last_name"
}
SOCIAL_LOGIN_SAML_AUTHN_REQUEST_SIGNED = False  # authn_request_signed
SOCIAL_LOGIN_SAML_DIGEST_ALGORITHM = 'http://www.w3.org/2001/04/xmlenc#sha256'  # digest_algorithm, OneLogin_Saml2_Constants.SHA256
SOCIAL_LOGIN_SAML_LOGOUT_REQUEST_SINGED = False # logout_request_signed
SOCIAL_LOGIN_SAML_LOGOUT_RESPONSE_SIGNED = False # logout_response_signed
SOCIAL_LOGIN_SAML_SIGNATURE_ALGORITHM = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' # signature_algorithm OneLogin_Saml2_Constants.RSA_SHA256
SOCIAL_LOGIN_SAML_METADATA_SIGNED = False # metadata_signed
SOCIAL_LOGIN_SAML_WANT_ASSERTION_ENCRYPTED = False # want_assertion_encrypted
SOCIAL_LOGIN_SAML_WANT_ASSERTION_SIGNED = False # want_assertion_signed
SOCIAL_LOGIN_SAML_WANT_MESSAGE_SIGNED = False # want_message_signed
SOCIAL_LOGIN_SAML_NAME_ID_ENCRYPTED = False # name_id_encrypted
SOCIAL_LOGIN_SAML_WANT_NAME_ID_ENCRYPTED = False # want_name_id_encrypted
SOCIAL_LOGIN_SAML_ALLOW_SINGLE_LABEL_DOMAINS = False  # important for Unit testing
SOCIAL_LOGIN_SAML_REJECT_DEPRECATED_ALGORITHM = True # reject_deprecated_algorithm
SOCIAL_LOGIN_SAML_WANT_NAME_ID = False # want_name_id
SOCIAL_LOGIN_SAML_WANT_ATTRIBUTE_STATEMENT = True # want_attribute_statement
SOCIAL_LOGIN_SAML_ALLOW_REPEAT_ATTRIBUTE_NAME = True # allow_repeat_attribute_name

APP_HOST = "example.com"  # the hostname of this backend
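The flags above mirror the python3-saml "advanced" security options (the comments name the matching OneLogin_Saml2_Constants values), and several of them default to the permissive choice in this listing. The following audit helper is an added example, not part of dj-rest-auth-saml or django-allauth: it reads only the SOCIAL_LOGIN_SAML_* names shown above from a plain dict and reports which settings leave the service provider weaker than it should be. The sample configurations in it are constructed for the demonstration (the first one transcribes the README's example values, placeholders included); the finding codes are this example's own.

```python
"""Audit the SOCIAL_LOGIN_SAML_* settings for weak choices before they reach production."""
from typing import List, Mapping

# XML-DSig / XML-Enc algorithm identifiers (URIs from the W3C specifications).
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DEPRECATED_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}


def audit_saml_settings(settings: Mapping[str, object]) -> List[str]:
    """Return finding codes for weak settings; an empty list means nothing was flagged.

    Only the SOCIAL_LOGIN_SAML_* names from the README are consulted. A key that
    is absent is treated as False / empty, i.e. as the permissive choice.
    """
    findings: List[str] = []

    # The assertion carries the identity claims. If the SP does not insist on a
    # signature over it, a modified or replayed assertion is harder to reject.
    if not settings.get("SOCIAL_LOGIN_SAML_WANT_ASSERTION_SIGNED", False):
        findings.append("assertion-signature-not-required")

    # Without this flag, SHA-1 based signatures from the IdP are still accepted.
    if not settings.get("SOCIAL_LOGIN_SAML_REJECT_DEPRECATED_ALGORITHM", False):
        findings.append("deprecated-algorithms-accepted")

    if settings.get("SOCIAL_LOGIN_SAML_DIGEST_ALGORITHM") in DEPRECATED_ALGORITHMS:
        findings.append("weak-digest-algorithm")
    if settings.get("SOCIAL_LOGIN_SAML_SIGNATURE_ALGORITHM") in DEPRECATED_ALGORITHMS:
        findings.append("weak-signature-algorithm")

    # The README enables this only for unit tests: it loosens URL validation so
    # single-label hostnames (such as "localhost") are accepted in the SAML settings.
    if settings.get("SOCIAL_LOGIN_SAML_ALLOW_SINGLE_LABEL_DOMAINS", False):
        findings.append("single-label-domains-allowed")

    # The SSO endpoint receives the AuthnRequest and returns the user; keep it on TLS.
    sso_url = str(settings.get("SOCIAL_LOGIN_SAML_IDP_SSO_URL", ""))
    if not sso_url.startswith("https://"):
        findings.append("idp-sso-url-not-https")

    # Every signature check is anchored to the IdP certificate, so it must be present.
    cert = str(settings.get("SOCIAL_LOGIN_SAML_IDP_X509CERT", ""))
    if "-----BEGIN CERTIFICATE-----" not in cert or "-----END CERTIFICATE-----" not in cert:
        findings.append("idp-certificate-missing")

    # email / email_verified / names come from the attribute statement; if it is
    # optional, the attribute mapping above can silently yield empty fields.
    if not settings.get("SOCIAL_LOGIN_SAML_WANT_ATTRIBUTE_STATEMENT", False):
        findings.append("attribute-statement-not-required")

    return findings


# Transcribed from the README's example values (placeholders kept as written).
README_EXAMPLE = {
    "SOCIAL_LOGIN_SAML_IDP_SSO_URL": "https://idp_sso_url",
    "SOCIAL_LOGIN_SAML_IDP_X509CERT": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----",
    "SOCIAL_LOGIN_SAML_DIGEST_ALGORITHM": SHA256_DIGEST,
    "SOCIAL_LOGIN_SAML_SIGNATURE_ALGORITHM": RSA_SHA256,
    "SOCIAL_LOGIN_SAML_WANT_ASSERTION_SIGNED": False,
    "SOCIAL_LOGIN_SAML_ALLOW_SINGLE_LABEL_DOMAINS": False,
    "SOCIAL_LOGIN_SAML_REJECT_DEPRECATED_ALGORITHM": True,
    "SOCIAL_LOGIN_SAML_WANT_ATTRIBUTE_STATEMENT": True,
}

# The same settings with the single flagged item corrected.
HARDENED = {**README_EXAMPLE, "SOCIAL_LOGIN_SAML_WANT_ASSERTION_SIGNED": True}

# A deliberately weak, constructed configuration that triggers the other checks.
WEAK = {
    **README_EXAMPLE,
    "SOCIAL_LOGIN_SAML_IDP_SSO_URL": "http://idp.example.test/sso",
    "SOCIAL_LOGIN_SAML_DIGEST_ALGORITHM": "http://www.w3.org/2000/09/xmldsig#sha1",
    "SOCIAL_LOGIN_SAML_SIGNATURE_ALGORITHM": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "SOCIAL_LOGIN_SAML_REJECT_DEPRECATED_ALGORITHM": False,
    "SOCIAL_LOGIN_SAML_ALLOW_SINGLE_LABEL_DOMAINS": True,
}

if __name__ == "__main__":
    for label, cfg in [("README example", README_EXAMPLE), ("hardened", HARDENED), ("weak", WEAK)]:
        print(f"{label}: {audit_saml_settings(cfg) or 'no findings'}")
```

In a real project the natural place for this is a Django system check (register a function with `django.core.checks.register` that passes `django.conf.settings.__dict__` or the individual attributes to `audit_saml_settings` and returns a `Warning` per finding), so `manage.py check` refuses to deploy a configuration that drifted back to the permissive values.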

Also make sure to take a hard look at the django-allauth settings as well as at the dj-rest-auth settings.

For instance, you may want to add the following to your application:

SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True
SOCIALACCOUNT_EMAIL_AUTHENTICATION = True
ACCOUNT_UNIQUE_EMAIL = True
ACCOUNT_EMAIL_VERIFICATION = "mandatory"

SAML flow:

[SAML flow diagram; image not reproduced here]

Contributing

Contributions to this project are welcome! The Contributing Guide is still under construction.

When creating a pull request make sure to use the following template:

Change Summary
 - item one
 - item two
Related issue number
 - issue a
 - issue b
Checklist
  [ ] code is ready
  [ ] add tests
  [ ] all tests passing
  [ ] test coverage did not drop
  [ ] PR is ready for review

License

dj-rest-auth-saml is licensed under the MIT License - see the LICENSE file for details.

Download files

Source Distribution

dj-rest-auth-saml-0.0.5.tar.gz (69.4 kB)

Uploaded Source

Built Distribution

dj_rest_auth_saml-0.0.5-py3-none-any.whl (9.4 kB)

Uploaded Python 3

File details

Details for the file dj-rest-auth-saml-0.0.5.tar.gz.

File metadata

  • Download URL: dj-rest-auth-saml-0.0.5.tar.gz
  • Upload date:
  • Size: 69.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.7

File hashes

Hashes for dj-rest-auth-saml-0.0.5.tar.gz
Algorithm Hash digest
SHA256 e63639706b034c5d8e1ae7842cb853a5d28174be6e0e582f9338646bef24c539
MD5 0019313b6b00b74553771a8d1cba4e57
BLAKE2b-256 0dbf8f031573c81d84f8e6eb201b3d1a7efbb03340c8fc2bc410478d0e685be1

File details

Details for the file dj_rest_auth_saml-0.0.5-py3-none-any.whl.

File metadata

File hashes

Hashes for dj_rest_auth_saml-0.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 db029a10ee4fe19c6f50898b0d5ffe860307b83953646066366716a9f8c87561
MD5 0bd04bc3dbed84cacef308b56927df0b
BLAKE2b-256 870489b1c898331635e72baa50eef2048a862083127b9977b67e0bc544f5cffe
