Skip to main content

A Django authentication backend for Microsoft ADFS and AzureAD

Project description

ADFS Authentication for Django

Documentation Status https://img.shields.io/pypi/v/django-auth-adfs.svg https://img.shields.io/pypi/pyversions/django-auth-adfs.svg https://img.shields.io/pypi/djversions/django-auth-adfs.svg https://travis-ci.org/jobec/django-auth-adfs.svg?branch=master https://codecov.io/github/jobec/django-auth-adfs/coverage.svg?branch=master

A Django authentication backend for Microsoft ADFS and Azure AD

Features

  • Integrates Django with Active Directory on Windows 2012 R2, 2016 or Azure AD in the cloud.

  • Provides seamless single sign on (SSO) for your Django project on intranet environments.

  • Auto creates users and adds them to Django groups based on info received from ADFS.

Installation

Python package:

pip install django-auth-adfs

In your project’s settings.py add these settings.

AUTHENTICATION_BACKENDS = (
    ...
    'django_auth_adfs.backend.AdfsBackend',
    ...
)

INSTALLED_APPS = (
    ...
    'django_auth_adfs',
    ...

# checkout the documentation for more settings
AUTH_ADFS = {
    "SERVER": "adfs.yourcompany.com",
    "CLIENT_ID": "your-configured-client-id",
    "RELYING_PARTY_ID": "your-adfs-RPT-name",
    # Make sure to read the documentation about the AUDIENCE setting
    # when you configured the identifier as a URL!
    "AUDIENCE": "microsoft:identityserver:your-RelyingPartyTrust-identifier",
    "CA_BUNDLE": "/path/to/ca-bundle.pem",
    "CLAIM_MAPPING": {"first_name": "given_name",
                      "last_name": "family_name",
                      "email": "email"},
}

# Configure django to redirect users to the right URL for login
LOGIN_URL = "django_auth_adfs:login"
LOGIN_REDIRECT_URL = "/"

########################
# OPTIONAL SETTINGS
########################

MIDDLEWARE = (
    ...
    # With this you can force a user to login without using
    # the LoginRequiredMixin on every view class
    #
    # You can specify URLs for which login is not enforced by
    # specifying them in LOGIN_EXEMPT_URLS in setting.
    'django_auth_adfs.middleware.LoginRequiredMiddleware',
)

In your project’s urls.py add these paths:

urlpatterns = [
    ...
    path('oauth2/', include('django_auth_adfs.urls')),
]

This will add 3 paths to Django:

  • /oauth2/login where users are redirected to, to initiate the login with ADFS.

  • /oauth2/callback where ADFS redirects back to after login. So make sure you set the redirect URI on ADFS to this.

  • /oauth2/logout which logs out the user from both Django and ADFS.

Contributing

Contributions to the code are more then welcome. For more details have a look at the CONTRIBUTING.rst file.

Changelog

1.0.0 - Not yet released

This version contains backwards incompatible changes. Make sure to read the entire release notes

  • Windows 2016 (a.k.a. ADFS 4.0) Support

  • AzureAD support (check the setting TENANT_ID)

  • Django 2.1 support

  • All settings that can be determined automatically are now set automatically

  • Users are now redirected back to the page that triggered the login instead of the main page.

  • Groups a user belongs to can now be automatically created in Django (check the MIRROR_GROUPS setting)

  • When a claim mapped to a non-required field in the user model is missing, a warning is logged instead of an exception raised

  • Add a RETRIES and TIMEOUT setting for requests towards the ADFS server.

Incompatible changes

  • these settings are now loaded from ADFS metadata automatically and have been deprecated:

    • AUTHORIZE_PATH

    • LOGIN_REDIRECT_URL

    • ISSUER

    • REDIR_URI

    • SIGNING_CERT

    • TOKEN_PATH

  • Because of the login and logout views that were added, the redirect URI back from ADFS should now point to /oauth2/callback. Keeping it at /oauth2/login would have caused a potential redirect loop.

0.2.1 - 2017-10-20

  • Django 2.0 support and tests.

0.2.0 - 2017-09-14

  • Fixed a bug were authentication failed when the last ADFS signing key was not the one that signed the JWT token.

  • Django 1.11 support and tests.

  • Proper handling the absence of ‘code’ query parameter after ADFS redirect.

  • Added ADFS configuration guide to docs.

  • Allow boolean user model fields to be set based on claims.

  • The namespace argument for include() is not needed anymore on Django >=1.9.

  • Fixed some Django 2.0 deprecation warnings, improving future django support.

0.1.2 - 2017-03-11

  • Support for django 1.10 new style middleware using the MIDDLEWARE setting.

0.1.1 - 2016-12-13

  • Numerous typos fixed in code and documentation.

  • Proper handling of class variables to allow inheriting from the class AdfsBackend.

0.1.0 - 2016-12-11

  • By default, the ADFS signing certificate is loaded from the FederationMetadata.xml file every 24 hours. Allowing to automatically follow certificate updates when the ADFS settings for AutoCertificateRollover is set to True (the default).

  • Group assignment optimisation. Users are not removed and added to all groups anymore. Instead only the groups that need to be removed or added are handled.

Backwards incompatible changes

  • The redundant ADFS_ prefix was removed from the configuration variables.

  • The REQUIRE_LOGIN_EXEMPT_URLS variable was renamed to LOGIN_EXEMPT_URLS

0.0.5 - 2016-12-10

  • User update code in authentication backend split into separate functions.

0.0.4 - 2016-03-14

  • Made the absence of the group claim non-fatal to allow users without a group.

0.0.3 - 2016-02-21

  • ADFS_REDIR_URI is now a required setting

  • Now supports Python 2.7, 3.4 and 3.5

  • Now supports Django 1.7, 1.8 and 1.9

  • Added debug logging to aid in troubleshooting

  • Added unit tests

  • Lot’s of code cleanup

0.0.2 - 2016-02-11

  • Fixed a possible issue with the cryptography package when used with apache + mod_wsgi.

  • Added a optional context processor to make the ADFS authentication URL available as a template variable (ADFS_AUTH_URL).

  • Added a optional middleware class to be able force an anonymous user to authenticate.

0.0.1 - 2016-02-09

  • Initial release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-auth-adfs-1.0.0rc3.tar.gz (1.1 MB view details)

Uploaded Source

Built Distribution

django_auth_adfs-1.0.0rc3-py2.py3-none-any.whl (23.3 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file django-auth-adfs-1.0.0rc3.tar.gz.

File metadata

  • Download URL: django-auth-adfs-1.0.0rc3.tar.gz
  • Upload date:
  • Size: 1.1 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/35.0.2 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/3.5.3

File hashes

Hashes for django-auth-adfs-1.0.0rc3.tar.gz
Algorithm Hash digest
SHA256 29d7ed1b48b5a6afb8e66abe855c4ddb382a645249f7cc93906fba754597bcd3
MD5 af1e52353857625c139cf6517c1e4c2e
BLAKE2b-256 9fe5fc1999410e479cc4deb73b704f7d1c6d26eff041cd68da96424b4b1c324e

See more details on using hashes here.

File details

Details for the file django_auth_adfs-1.0.0rc3-py2.py3-none-any.whl.

File metadata

  • Download URL: django_auth_adfs-1.0.0rc3-py2.py3-none-any.whl
  • Upload date:
  • Size: 23.3 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.18.4 setuptools/35.0.2 requests-toolbelt/0.8.0 tqdm/4.26.0 CPython/3.5.3

File hashes

Hashes for django_auth_adfs-1.0.0rc3-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 e5c857ae1b6a29e5c3bc8018e22cf61fc10b722529caf214cf141f57c4ac5ddc
MD5 0b96240972597476fb78c77510cb735f
BLAKE2b-256 560b5ee3169b47a972d7a3f6d43809f375fb0c3c131985a97bf48cd01508627c

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page