
Django app for managing multiple SAML Identity Providers.

Project description

Django Simple SAML

Django app to manage SAML Identity Providers

Version support

This app supports Python 3.12+ and Django 5.2-6.0.

Background

This library builds on top of social-auth-app-django and python3-saml, which together handle the heavy lifting of a SAML authentication flow. It assumes that you are building a service that will act as the Service Provider (SP) in the flow, and that you will be integrating with a number of external Identity Providers (IdP) for user authentication.

The core addition this package makes on top of those libraries is a new SAMLAuth backend, SimpleSAMLAuth, that reads IdP data from a model (i.e. the database) rather than from the SOCIAL_AUTH_SAML_ENABLED_IDPS settings dict.

The reason for this is to make it easy to add or test new IdPs on a live environment without a deployment. If you are running a platform that offers SSO to clients as a feature, having to embed each client's IdP details in the settings (which also requires a redeployment) isn't a practical option.

The IdP data is input via the Django admin site.

Settings

This package relies on the existing python-social-auth settings. See their documentation for details, or refer to the demo.settings.base module for an example.

Configuration

Click this button to deploy to Heroku:

Deploy

You must supply three SAML settings, which should be available from your test IdP. If you have a Google Workspace account, it can be used as the test IdP; see https://admin.google.com/ac/security/ssocert for details.

IdentityProvider model

django-simple-saml stores each SAML Identity Provider in simple_saml.models.IdentityProvider.

The existing IdP metadata and attribute mapping fields still populate the social-auth-app-django / python-social-auth IdP configuration.

Requested authentication context is configured separately per IdP via these fields:

  • requested_authn_context_mode
  • requested_authn_context_values
  • requested_authn_context_comparison

This configuration is merged into the generated python3-saml security settings when the AuthnRequest is built.

RequestedAuthnContext configuration

By default, django-simple-saml now disables RequestedAuthnContext for every IdentityProvider.

That means new and existing IdentityProvider rows behave like:

  • security["requestedAuthnContext"] = False

This overrides the upstream python3-saml default, which would otherwise send the password-based context implicitly.

Modes

DISABLED

Do not send RequestedAuthnContext.

Equivalent python3-saml security config:

  • requestedAuthnContext = False

PASSWORD

Send the upstream password-based context:

  • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Equivalent python3-saml security config:

  • requestedAuthnContext = True
  • requestedAuthnContextComparison = <configured comparison>

This preserves the previous package behavior for IdPs that still require it, but it must now be enabled explicitly per IdentityProvider.

CUSTOM

Send one or more explicit AuthnContext class refs.

Equivalent python3-saml security config:

  • requestedAuthnContext = <list of configured values>
  • requestedAuthnContextComparison = <configured comparison>

CUSTOM requires at least one value in requested_authn_context_values.

Supported comparison values

requested_authn_context_comparison is stored in the database as one of:

  • EXACT
  • MINIMUM
  • MAXIMUM
  • BETTER

Those values are mapped to the lowercase python3-saml equivalents (for example MINIMUM becomes minimum).

Example

from simple_saml.models import IdentityProvider

# One IdP row created outside the admin, e.g. from a management command or a
# data migration. Metadata fields are illustrative placeholders.
IdentityProvider.objects.create(
    label="acme",
    provider="Acme Okta",
    entity_id="https://acme.okta.example/app/sso/saml/metadata",
    sso_url="https://acme.okta.example/app/sso/saml",
    x509_cert="MIIC...",
    user_permanent_id_attr="email",
    # CUSTOM: send the listed AuthnContext class refs in the AuthnRequest
    requested_authn_context_mode=IdentityProvider.RequestedAuthnContextMode.CUSTOM,
    requested_authn_context_values=[
        "urn:example:loa:2",
        "urn:example:loa:3",
    ],
    # Stored as MINIMUM; mapped to python3-saml's "minimum" when the request is built
    requested_authn_context_comparison=(
        IdentityProvider.RequestedAuthnContextComparison.MINIMUM
    ),
)

Admin support

The Django admin exposes the RequestedAuthnContext fields directly on the IdentityProvider form.

Validation rules:

  • CUSTOM requires at least one authn context value.
  • DISABLED and PASSWORD ignore stored custom values.
  • requested_authn_context_comparison is restricted to the supported python3-saml values.
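The following is an added example written for this page, not django-simple-saml's own implementation. It shows, in plain Python with no Django dependency, how the three RequestedAuthnContext modes and the four comparison values described in the Modes section translate into the python3-saml security keys, and it applies the three admin validation rules listed above. The function names (authn_context_errors, build_security_settings) and the enum classes are assumptions made for the example; only the key names requestedAuthnContext, requestedAuthnContextComparison and authnRequestsSigned are real python3-saml settings.

```python
# Added example, not the package's own code: map per-IdP RequestedAuthnContext
# fields to python3-saml security settings and enforce the admin validation rules.
from enum import Enum


class RequestedAuthnContextMode(str, Enum):
    DISABLED = "DISABLED"  # do not send RequestedAuthnContext at all
    PASSWORD = "PASSWORD"  # python3-saml's implicit PasswordProtectedTransport
    CUSTOM = "CUSTOM"      # explicit list of AuthnContext class refs


class RequestedAuthnContextComparison(str, Enum):
    # Stored upper-case in the database; python3-saml expects lowercase.
    EXACT = "EXACT"
    MINIMUM = "MINIMUM"
    MAXIMUM = "MAXIMUM"
    BETTER = "BETTER"


def _parse(enum_cls, raw):
    """Return the enum member for raw (a string or member), or None if unsupported."""
    try:
        return enum_cls(raw)
    except ValueError:
        return None


def authn_context_errors(mode, values, comparison):
    """Mirror the admin form rules; return a list of error messages (empty = valid)."""
    errors = []
    parsed_mode = _parse(RequestedAuthnContextMode, mode)
    if parsed_mode is None:
        errors.append(f"unsupported mode: {mode!r}")
    # Comparison is restricted to the supported python3-saml values in every mode.
    if _parse(RequestedAuthnContextComparison, comparison) is None:
        errors.append(f"unsupported comparison: {comparison!r}")
    # CUSTOM needs at least one non-empty class ref; other modes ignore values.
    non_empty = [v for v in (values or []) if v]
    if parsed_mode is RequestedAuthnContextMode.CUSTOM and not non_empty:
        errors.append("CUSTOM mode requires at least one AuthnContext class ref")
    return errors


def build_security_settings(mode, values, comparison, base_security=None):
    """Return a copy of base_security with the requestedAuthnContext* keys merged in.

    Arguments mirror the IdentityProvider fields requested_authn_context_mode,
    requested_authn_context_values and requested_authn_context_comparison.
    """
    errors = authn_context_errors(mode, values, comparison)
    if errors:
        raise ValueError("; ".join(errors))
    security = dict(base_security or {})
    mode = RequestedAuthnContextMode(mode)
    comparison = RequestedAuthnContextComparison(comparison).value.lower()
    if mode is RequestedAuthnContextMode.DISABLED:
        # Overrides python3-saml's default of True (implicit password context).
        security["requestedAuthnContext"] = False
    elif mode is RequestedAuthnContextMode.PASSWORD:
        # True makes python3-saml send PasswordProtectedTransport itself.
        security["requestedAuthnContext"] = True
        security["requestedAuthnContextComparison"] = comparison
    else:
        security["requestedAuthnContext"] = [v for v in (values or []) if v]
        security["requestedAuthnContextComparison"] = comparison
    return security


def main():
    # The "Acme Okta" row from the Example section, expressed as plain values
    # (constructed sample input), merged into a minimal base security dict.
    base = {"authnRequestsSigned": True}
    print(build_security_settings(
        RequestedAuthnContextMode.CUSTOM,
        ["urn:example:loa:2", "urn:example:loa:3"],
        RequestedAuthnContextComparison.MINIMUM,
        base,
    ))
    print(build_security_settings("DISABLED", ["ignored"], "EXACT"))
    print(authn_context_errors("CUSTOM", [], "EXACT"))


if __name__ == "__main__":
    main()
```

The merged dict is what would be placed under the "security" key of the python3-saml settings before the AuthnRequest is built; running the module prints the CUSTOM, DISABLED and invalid-CUSTOM cases in turn.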

File details

Details for the file django_simple_saml-2.0.0.tar.gz.

File metadata

  • Download URL: django_simple_saml-2.0.0.tar.gz
  • Size: 11.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.0.0 CPython/3.12.7 Darwin/24.6.0

File hashes

Hashes for django_simple_saml-2.0.0.tar.gz

  • SHA256: fae975ff638c5a20b7e56dec7b31d2f994207e4fda55786356d24e70457f6b94
  • MD5: f807d457f1fe8557f559bb29f14eee70
  • BLAKE2b-256: da8411d725eaf9ddf81e2a47c26d6195897280b2d6b25c0595b9b0f757c3fae1

File details

Details for the file django_simple_saml-2.0.0-py3-none-any.whl.

File metadata

  • Download URL: django_simple_saml-2.0.0-py3-none-any.whl
  • Size: 13.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.0.0 CPython/3.12.7 Darwin/24.6.0

File hashes

Hashes for django_simple_saml-2.0.0-py3-none-any.whl

  • SHA256: 22a5020a006072e2c3a9942d3d0745a9298bb1e02d55189c85cfb102f1aaf343
  • MD5: 9606bb5bd5ce30a344135fa3fb183894
  • BLAKE2b-256: c9dfbbe5eba4be4c456be51ee5a7fc31087d52797a915636271f99d76b7424e2