misc: remove documentation files (#53764)
3
README
|
@ -17,7 +17,8 @@ specifications of SAML2.
|
|||
|
||||
Authentic 2 requires Python 2.7 and Django 1.7.
|
||||
|
||||
Full documentation available on http://authentic2.readthedocs.org/en/stable/.
|
||||
Full documentation available on http://authentic2.readthedocs.org/en/stable/,
|
||||
maintained in a distinct repository https://git.entrouvert.org/authentic2-doc.git/.
|
||||
|
||||
Features
|
||||
--------
|
||||
|
|
153
doc/Makefile
|
@ -1,153 +0,0 @@
|
|||
# Makefile for Sphinx documentation
|
||||
#
|
||||
|
||||
# You can set these variables from the command line.
|
||||
SPHINXOPTS =
|
||||
SPHINXBUILD = sphinx-build
|
||||
PAPER =
|
||||
BUILDDIR = _build
|
||||
|
||||
# Internal variables.
|
||||
PAPEROPT_a4 = -D latex_paper_size=a4
|
||||
PAPEROPT_letter = -D latex_paper_size=letter
|
||||
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
|
||||
# the i18n builder cannot share the environment and doctrees with the others
|
||||
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
|
||||
|
||||
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
|
||||
|
||||
help:
|
||||
@echo "Please use \`make <target>' where <target> is one of"
|
||||
@echo " html to make standalone HTML files"
|
||||
@echo " dirhtml to make HTML files named index.html in directories"
|
||||
@echo " singlehtml to make a single large HTML file"
|
||||
@echo " pickle to make pickle files"
|
||||
@echo " json to make JSON files"
|
||||
@echo " htmlhelp to make HTML files and a HTML help project"
|
||||
@echo " qthelp to make HTML files and a qthelp project"
|
||||
@echo " devhelp to make HTML files and a Devhelp project"
|
||||
@echo " epub to make an epub"
|
||||
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
|
||||
@echo " latexpdf to make LaTeX files and run them through pdflatex"
|
||||
@echo " text to make text files"
|
||||
@echo " man to make manual pages"
|
||||
@echo " texinfo to make Texinfo files"
|
||||
@echo " info to make Texinfo files and run them through makeinfo"
|
||||
@echo " gettext to make PO message catalogs"
|
||||
@echo " changes to make an overview of all changed/added/deprecated items"
|
||||
@echo " linkcheck to check all external links for integrity"
|
||||
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
|
||||
|
||||
clean:
|
||||
-rm -rf $(BUILDDIR)/*
|
||||
|
||||
html:
|
||||
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
|
||||
@echo
|
||||
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
|
||||
|
||||
dirhtml:
|
||||
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
|
||||
@echo
|
||||
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
|
||||
|
||||
singlehtml:
|
||||
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
|
||||
@echo
|
||||
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
|
||||
|
||||
pickle:
|
||||
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
|
||||
@echo
|
||||
@echo "Build finished; now you can process the pickle files."
|
||||
|
||||
json:
|
||||
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
|
||||
@echo
|
||||
@echo "Build finished; now you can process the JSON files."
|
||||
|
||||
htmlhelp:
|
||||
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
|
||||
@echo
|
||||
@echo "Build finished; now you can run HTML Help Workshop with the" \
|
||||
".hhp project file in $(BUILDDIR)/htmlhelp."
|
||||
|
||||
qthelp:
|
||||
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
|
||||
@echo
|
||||
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
|
||||
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
|
||||
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Authentic2.qhcp"
|
||||
@echo "To view the help file:"
|
||||
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Authentic2.qhc"
|
||||
|
||||
devhelp:
|
||||
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
|
||||
@echo
|
||||
@echo "Build finished."
|
||||
@echo "To view the help file:"
|
||||
@echo "# mkdir -p $$HOME/.local/share/devhelp/Authentic2"
|
||||
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Authentic2"
|
||||
@echo "# devhelp"
|
||||
|
||||
epub:
|
||||
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
|
||||
@echo
|
||||
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
|
||||
|
||||
latex:
|
||||
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||
@echo
|
||||
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
|
||||
@echo "Run \`make' in that directory to run these through (pdf)latex" \
|
||||
"(use \`make latexpdf' here to do that automatically)."
|
||||
|
||||
latexpdf:
|
||||
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||
@echo "Running LaTeX files through pdflatex..."
|
||||
$(MAKE) -C $(BUILDDIR)/latex all-pdf
|
||||
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
|
||||
|
||||
text:
|
||||
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
|
||||
@echo
|
||||
@echo "Build finished. The text files are in $(BUILDDIR)/text."
|
||||
|
||||
man:
|
||||
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
|
||||
@echo
|
||||
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
|
||||
|
||||
texinfo:
|
||||
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||
@echo
|
||||
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
|
||||
@echo "Run \`make' in that directory to run these through makeinfo" \
|
||||
"(use \`make info' here to do that automatically)."
|
||||
|
||||
info:
|
||||
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||
@echo "Running Texinfo files through makeinfo..."
|
||||
make -C $(BUILDDIR)/texinfo info
|
||||
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
|
||||
|
||||
gettext:
|
||||
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
|
||||
@echo
|
||||
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
|
||||
|
||||
changes:
|
||||
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
|
||||
@echo
|
||||
@echo "The overview file is in $(BUILDDIR)/changes."
|
||||
|
||||
linkcheck:
|
||||
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
|
||||
@echo
|
||||
@echo "Link check complete; look for any errors in the above output " \
|
||||
"or in $(BUILDDIR)/linkcheck/output.txt."
|
||||
|
||||
doctest:
|
||||
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
|
||||
@echo "Testing of doctests in the sources finished, look at the " \
|
||||
"results in $(BUILDDIR)/doctest/output.txt."
|
|
@ -1,16 +0,0 @@
|
|||
.. _admin_access:
|
||||
|
||||
============================================
|
||||
Access the grapical administration interface
|
||||
============================================
|
||||
|
||||
The grapical administration interface is the 'Django admin' part of a Django
|
||||
project. See for more information.
|
||||
|
||||
Just acces the admin url at http[s]://your.domain.com/admin.
|
||||
|
||||
At first you log with the superuser you created at the very first database
|
||||
initialization.
|
||||
|
||||
Then you can configure other accesses to the admin checking the is_staff
|
||||
option displayed on a user in the admin.
|
|
@ -1,37 +0,0 @@
|
|||
.. _administration_with_policies:
|
||||
|
||||
==================
|
||||
Work with policies
|
||||
==================
|
||||
|
||||
The policy management with global policies is nearly used for any kind of
|
||||
policy in Authentic 2.
|
||||
|
||||
For each kind of these policies, the system takes in account two special
|
||||
global policies named 'Default' and 'All':
|
||||
|
||||
* There is always a system default that does not correspond to the 'Default'
|
||||
policy. This is used to make Authentic 2 boot without initial
|
||||
configuration. When you add a 'Default' policy, the system default are not
|
||||
used anymore.
|
||||
* A policy has always a name, 'Default' and 'All' are the names of two special
|
||||
policies with their name hardcoded. But you can create or delete them.
|
||||
* If no other policy applies, the policy 'Default' applies.
|
||||
* A policy can be created and attached to any related object. This policy is
|
||||
authoritative on the policy 'Default'.
|
||||
* If the policy 'All' exists, it is authoritative on any other policy.
|
||||
* The global policies 'All' and 'Default' are created by the administrator if
|
||||
necessary.
|
||||
* A policy is taken in account only if it is enabled.
|
||||
* When a regular policy is associated with an object, it is taken in account
|
||||
only if the option 'enable the following policy' is checked on the oject.
|
||||
|
||||
It is advised to add a 'Default' global policy when it is expected to apply a
|
||||
policy to all related objects. A 'Default' global policy should be defined to
|
||||
avoid misonfiguration.
|
||||
|
||||
Add a regular policy to some objects are used to handle particular
|
||||
configurations for a subset of related objects.
|
||||
|
||||
An 'All' global policy should be used to enforce a global configuration for
|
||||
all related objects or for testing purposes.
|
125
doc/advanced.rst
|
@ -1,125 +0,0 @@
|
|||
.. _advanced:
|
||||
|
||||
===============
|
||||
Advanced topics
|
||||
===============
|
||||
|
||||
|
||||
- :ref:`attributes_in_session`
|
||||
- :ref:`writing_migrations`
|
||||
- :ref:`write_new_kind_policy`
|
||||
|
||||
.. _attributes_in_session:
|
||||
|
||||
Attributes in session pushed by third SAML2 identity providers
|
||||
==============================================================
|
||||
|
||||
When an assertion is received, assertion data, including attributes, are
|
||||
pushed in the Django session dictionnary.
|
||||
|
||||
It leads to the creation of the following dictionnary::
|
||||
|
||||
request.session['multisource_attributes']
|
||||
|
||||
The keys of the dictionnary are the source names, i.e. the entity Id for
|
||||
SAML2 identity providers.
|
||||
|
||||
The values are list of data extracted from assertions. Indeed, this is done
|
||||
to store multiple assertion received from a same source in a same Django
|
||||
session::
|
||||
|
||||
request.session['multisource_attributes'] \
|
||||
[source_name] = list()
|
||||
|
||||
The items of this list are dictionnaries with the keys 'certificate_type' and
|
||||
'attributes'.
|
||||
|
||||
For a saml2 assertion, all the keys are::
|
||||
|
||||
a8n['certificate_type'] = 'SAML2_assertion'
|
||||
a8n['nameid'] = ...
|
||||
a8n['subject_confirmation_method'] = ...
|
||||
a8n['not_before'] = ...
|
||||
a8n['not_on_or_after'] = ...
|
||||
a8n['authn_context'] = ...
|
||||
a8n['authn_instant'] = ...
|
||||
a8n['attributes'] = attrs
|
||||
|
||||
a8n['attributes'] has the following structure::
|
||||
|
||||
attributes = {}
|
||||
attributes[name] = (value1, value2, )
|
||||
attributes[(name, format)] = (value1, value2, )
|
||||
attributes[(name, format, nickname)] = (value1, value2, )
|
||||
a8n['attributes'] = attributes
|
||||
|
||||
.. _writing_migrations:
|
||||
|
||||
Writing migrations
|
||||
==================
|
||||
|
||||
Migration containing reference to the user model must be rewritten manually to
|
||||
refer to the user model name indirectly. The followind modifications must be applied.
|
||||
|
||||
1. First import the `user_model_label` from the `authentic2.compat` module:
|
||||
|
||||
::
|
||||
|
||||
from authentic2.compat import user_model_label
|
||||
|
||||
Any reference to `orm['auth.User']` or `orm['authentic2.User']` must be
|
||||
rewritten into `orm[user_model_label]`. For example this line:::
|
||||
|
||||
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['authentic2.User'])),
|
||||
|
||||
must be changed to:::
|
||||
|
||||
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm[user_model_label])),
|
||||
|
||||
2. The user model when appearing in the `models` field like this:
|
||||
|
||||
::
|
||||
|
||||
'auth.user': {
|
||||
'meta': {'object_name': 'User',
|
||||
|
||||
must be rewritten like that:::
|
||||
|
||||
user_model_label: {
|
||||
'Meta': {'object_name': user_model_label.split('.')[-1]},
|
||||
|
||||
3. If the user model is referred inside the `to` field of a foreign key
|
||||
declaration like this:
|
||||
|
||||
::
|
||||
|
||||
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['auth.User']"})
|
||||
|
||||
must be rewritten like that:::
|
||||
|
||||
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['%s']" user_model_label})
|
||||
|
||||
.. _write_new_kind_policy:
|
||||
|
||||
Add a new kind of administration policy
|
||||
=======================================
|
||||
|
||||
See how policies works :ref:`administration_with_policies`. Then, the bahavior
|
||||
should look like::
|
||||
|
||||
def get_sample_policy(any_object):
|
||||
# Look for a global policy 'All'
|
||||
try:
|
||||
return SamplePolicy.objects.get(name='All', enabled=True)
|
||||
except SamplePolicy.DoesNotExist:
|
||||
pass
|
||||
# Look for a regular policy
|
||||
if any_object.enable_following_sample_policy:
|
||||
if any_object.sample_policy:
|
||||
return any_object.sample_policy
|
||||
# Look for a global policy 'Default'
|
||||
try:
|
||||
return SamplePolicy.objects.get(name='Default', enabled=True)
|
||||
except SamplePolicy.DoesNotExist:
|
||||
pass
|
||||
return None
|
|
@ -1,443 +0,0 @@
|
|||
.. _attribute_management:
|
||||
|
||||
===================================
|
||||
Attribute Management in Authentic 2
|
||||
===================================
|
||||
|
||||
Summary
|
||||
=======
|
||||
|
||||
Attribute management currently allows to configure attribute policies
|
||||
associated with SAML2 service providers to define attributes that are
|
||||
pushed in SAML2 successful authentication response delivered by Authentic 2.
|
||||
|
||||
User attributes can be taken from LDAP directories, the user Django
|
||||
profile or taken from the user Django session if Authentic 2 is also configured
|
||||
as a SAML2 service provider.
|
||||
|
||||
Indeed, when Authentic 2 acts also as a SAML2 service provider,
|
||||
attributes contained in the SAML2 assertion received from third IdP are put in
|
||||
the user session.
|
||||
|
||||
Attributes can thus be proxyfied during SSO with Authentic 2
|
||||
configured as a SAML2 proxy.
|
||||
|
||||
*If there is no attribute policy associate with a service provider, no
|
||||
attribute is forwarded to it.*
|
||||
|
||||
The namespace of attributes received from another SAML2 IdP and of attributes
|
||||
pushed in the assertion given to service providers can be configured per
|
||||
attribute or per service provider.
|
||||
|
||||
By default, the namespace and format of attributes in assertion is conformant
|
||||
to the SAMLV2.0 X500/LDAP Attribute profile::
|
||||
|
||||
<saml:Attribute
|
||||
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
Name="urn:oid:2.5.4.42" FriendlyName="givenName">
|
||||
<saml:AttributeValue xsi:type="xs:string"
|
||||
x500:Encoding="LDAP">Mikaël</saml:AttributeValue>
|
||||
</saml:Attribute>
|
||||
|
||||
But the http://schemas.xmlsoap.org/ws/2005/05/identity/claims from the ISI
|
||||
profile can also be used, for instance::
|
||||
|
||||
<saml:Attribute
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
|
||||
FriendlyName="First Name">
|
||||
<saml:AttributeValue>Mikaël</saml:AttributeValue>
|
||||
</saml:Attribute>
|
||||
|
||||
Configuration
|
||||
=============
|
||||
|
||||
Configure local sources of attributes
|
||||
-------------------------------------
|
||||
|
||||
The source of attributes for authentic2 are of two kinds. The LDAP sources and
|
||||
the user django profile.
|
||||
|
||||
Declare the Django profile source
|
||||
_________________________________
|
||||
|
||||
Add an attribute source named USER_PROFILE with namespace 'Default'.
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/
|
||||
|
||||
2. Write 'USER_PROFILE' in name field
|
||||
|
||||
.. image:: pictures/user_profile_source.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/user_profile_source_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Add an LDAP Source
|
||||
__________________
|
||||
|
||||
For LDAP sources, objects of type 'LDAPSource' must be created.
|
||||
|
||||
**Even if the authentication is based on LDAP authentification, thus that a
|
||||
server is configured in settings.py, it is
|
||||
necessary to create a corresponding 'LDAPSource' to use it as a source of
|
||||
attribute.**
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/ldapsource/add/
|
||||
|
||||
2. Fill form fields
|
||||
|
||||
Only the field Name, Server, User, Password, Base and Port are used for now.
|
||||
**The namespace of LDAP source must be kept to 'Default', since the system
|
||||
namespace is based on LDAP.**
|
||||
|
||||
.. image:: pictures/ldapsource.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/ldapsource_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Manage user distinguished names in LDAP directories
|
||||
___________________________________________________
|
||||
|
||||
To find the user in a LDAP directory, authentic2 must know its distinguished
|
||||
name (DN). If this LDAP has been used when the user has authenticated,
|
||||
Authentic 2 learn the user DN. Nothing has to be done from this point of view.
|
||||
|
||||
However, if it is expected that user attributes be taken in a directory that
|
||||
is not used by the user for authentication, it is necessary to manually
|
||||
indicate to Authentic 2 what is the user DN in the directory. For this, a
|
||||
user alias in source is created for the user:
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/useraliasinsource/add/
|
||||
|
||||
2. Fill form fields
|
||||
|
||||
.. image:: pictures/alias_in_source.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/alias_in_source_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Configure attributes from local sources pushed to SAML2 service providers in SSO response
|
||||
-----------------------------------------------------------------------------------------
|
||||
|
||||
Reminder:
|
||||
|
||||
- The default name format in SAML2 assertions is URI
|
||||
- The default namespace called 'Default' is LDAP
|
||||
|
||||
In summary:
|
||||
|
||||
1. Create attribute items indicating an attribute name, a source, the name format expected and the namespace expected for the attribute name and friendly name if any.
|
||||
|
||||
2. Create a named list of attribute items.
|
||||
|
||||
3. Create an attribute policy and associate the previous list or associate the previous list to a existing attribute policy.
|
||||
|
||||
4. Associate the policy to a service provider.
|
||||
|
||||
Create attribute items
|
||||
______________________
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/idp/attributeitem/add/
|
||||
|
||||
2. Fill form fields
|
||||
|
||||
.. image:: pictures/attribute_item.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/attribute_item_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Create a named list of attribute items
|
||||
______________________________________
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/idp/attributelist/add/
|
||||
|
||||
2. Name the list and add items to list
|
||||
|
||||
.. image:: pictures/attribute_list.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/attribute_list_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Create or modify an attribute policy
|
||||
____________________________________
|
||||
|
||||
You can create a global policy 'All' or 'Default'. For details, see :ref:`administration_with_policies`.
|
||||
Or you can create a regular policy and associate it to a service provider.
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/idp/attributepolicy/add/
|
||||
|
||||
2. Add list to the policy
|
||||
|
||||
.. image:: pictures/policy_pull.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/policy_pull_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Associate the policy to a service provider
|
||||
__________________________________________
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/saml/libertyprovider/1/
|
||||
|
||||
2. Associate the policy to the service provider and **enable it**
|
||||
|
||||
.. image:: pictures/sp_policy_pull.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/sp_policy_pull_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
4. The display name of the policy has changed
|
||||
|
||||
.. image:: pictures/policy_pull_renamed.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Handle attributes provided by other Identity providers and pushed to SAML2 service providers in SSO response (proxy attributes)
|
||||
-------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
To have these kind of attributes to forward, authentic must be configured as a
|
||||
SAML2 service provider, see the corresponding administration page
|
||||
:ref:`config_saml2_idp`.
|
||||
|
||||
Forward all attributes in session without any modification
|
||||
__________________________________________________________
|
||||
|
||||
Create or modify an attribute policy activating the option 'Forward attributes from push sources' and save.
|
||||
|
||||
**No other option below must be used.**
|
||||
|
||||
.. image:: pictures/attr_policy_forward.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
**Attach policy to the service provider if it is not yet the case.**
|
||||
|
||||
**No need to deal with namespace here.**
|
||||
|
||||
Filter attributes from source only
|
||||
__________________________________
|
||||
|
||||
Here, you want to forward **all** attributes of selected source of attributes.
|
||||
|
||||
First of all you need to create objects corresponding to the sources of
|
||||
attributes.
|
||||
|
||||
**The name of the source object must be the entity ID of the SAML2
|
||||
identity provider.**
|
||||
|
||||
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/
|
||||
|
||||
2. Set the name (No need to change the namespace)
|
||||
|
||||
.. image:: pictures/attr_source_idp.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/attr_source_idp_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**.
|
||||
You then select the source you want to forward attributes through the selection box and you save.
|
||||
|
||||
.. image:: pictures/attr_policy_filter_source.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
**Attach policy to the service provider if it is not yet the case.**
|
||||
|
||||
**No need to deal with namespace here.**
|
||||
|
||||
|
||||
Modify namespace of attributes forwarded when attributes forwarded are not filtered or when filtered according to the source
|
||||
____________________________________________________________________________________________________________________________
|
||||
|
||||
The system needs to 'recognise the attributes' to perform the mapping.
|
||||
For this, you need to indicate the namespace of attributes received per source
|
||||
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu*
|
||||
and supann).
|
||||
|
||||
In other words if the source provides attributes in a different namespace, you
|
||||
need to create objects corresponding to the sources of attributes and indicate
|
||||
there the right namespace. By default, the only other supported namespace is
|
||||
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
|
||||
|
||||
.. image:: pictures/attr_source_idp_claims.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Then create or modify an attribute policy activating the options 'Forward attributes from push sources',
|
||||
**'Map attributes from push sources'**. You also choose the output namespace expected with the
|
||||
parameters **'Output name format'** and **'Output namespace'**.
|
||||
|
||||
.. image:: pictures/attr_policy_map_ns.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Remind that the default namespace is X500/LDAP + edu* + supann and the only other supported namespace is
|
||||
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
|
||||
|
||||
**Attach policy to the service provider if it is not yet the case.**
|
||||
|
||||
Filter attributes with a list of attributes, with or without choosing the source
|
||||
________________________________________________________________________________
|
||||
|
||||
The system needs to 'recognise the attributes' to filter the attributes
|
||||
according to a list of attributes.
|
||||
For this, you need to indicate the namespace of attributes received per source
|
||||
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu*
|
||||
and supann).
|
||||
|
||||
In other words if the source provides attributes in a different namespace, you
|
||||
need to create objects corresponding to the sources of attributes and indicate
|
||||
there the right namespace. By default, the only other supported namespace is
|
||||
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
|
||||
|
||||
.. image:: pictures/attr_source_idp_claims.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
You then create an attribute list as described in section *'Create a named list of attribute items'*.
|
||||
|
||||
Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**.
|
||||
You then associate the list of attributes.
|
||||
|
||||
.. image:: pictures/attr_policy_filter_attributes.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
If you want to also filter according to the source you can configure it as defined in section *'Filter attributes from source only'*. You can also choose to filter
|
||||
with the source indicate per attribute item of the list. For this select the option **'Filter source of filtered attributes'**.
|
||||
|
||||
.. image:: pictures/attr_policy_filter_attributes_source.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/attribute_item.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
The default name format is URI. You can however change the name format and namespace with the option **'Map attributes from push sources'** and the parameters **'Output name format'** and **'Output namespace'**.
|
||||
|
||||
Using the option **'Map attributes of filtered attributes'** the output name format and namespace are the ones indicated per attribute item of the list.
|
||||
|
||||
.. image:: pictures/attr_policy_filter_attributes_map.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/attribute_item.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
|
||||
Push manually (writing bits of code) attributes to SAML2 service providers in SSO response
|
||||
------------------------------------------------------------------------------------------
|
||||
|
||||
In idp/signals.py connect to the add_attributes_to_response signal::
|
||||
|
||||
add_attributes_to_response.connect(your_function)
|
||||
|
||||
Your function must return an attribute dictionnary as follows::
|
||||
|
||||
dic = {}
|
||||
attributes = {}
|
||||
attributes[name] = (value1, value2, )
|
||||
attributes[(name, format)] = (value1, value2, )
|
||||
attributes[(name, format, nickname)] = (value1, value2, )
|
||||
dic['attributes'] = attributes
|
||||
return dic
|
||||
|
||||
*format* must be in (lasso.SAML2_ATTRIBUTE_NAME_FORMAT_URI,
|
||||
lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC)
|
||||
|
||||
You can use the attributes form the local source and the attributes in the
|
||||
session that are pushed by other identity providers.
|
||||
|
||||
Attributes in the session are in::
|
||||
|
||||
request.session['multisource_attributes']
|
||||
|
||||
See the page :ref:`attributes_in_session`.
|
||||
|
||||
If you want to use local source of attributes and use mapping capabilities
|
||||
of the UserAttributeProfile see the page :ref:`attribute_management_explained`.
|
||||
Use the file idp/attributes.py as an exemple.
|
||||
|
||||
Modifying supported namespaces and attribute name mappings
|
||||
==========================================================
|
||||
|
||||
The mapping is defined in the file attribute_aggregator/mapping.py
|
||||
|
||||
The mapping can be modified with the variables ATTRIBUTE_NAMESPACES and
|
||||
ATTRIBUTE_MAPPING that can be redefined using settings.
|
||||
|
||||
Add new namespaces in ATTRIBUTE_NAMESPACES.
|
||||
|
||||
To extend the default schema add key/value in ATTRIBUTE_MAPPING, for instance::
|
||||
|
||||
"displayName": {
|
||||
"oid": "2.16.840.1.113730.3.1.241",
|
||||
"display_name": _("displayName"),
|
||||
"type": "http://www.w3.org/2001/XMLSchema#string",
|
||||
"syntax": "1.3.6.1.4.1.1466.115.121.1.15",
|
||||
},
|
||||
|
||||
Add mapping of attribute name extending attribute entries in ATTRIBUTE_MAPPING,
|
||||
for instance::
|
||||
|
||||
"sn": {
|
||||
"oid": "2.5.4.4",
|
||||
"display_name": _("sn surname"),
|
||||
"alias": ['surname'],
|
||||
"profile_field_name": 'last_name',
|
||||
"type": "http://www.w3.org/2001/XMLSchema#string",
|
||||
"namespaces": {
|
||||
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
|
||||
"identifiers":
|
||||
[
|
||||
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
|
||||
],
|
||||
"friendly_names":
|
||||
[
|
||||
"Last Name",
|
||||
],
|
||||
}
|
||||
}
|
||||
},
|
|
@ -1,61 +0,0 @@
|
|||
.. _auth_ldap:
|
||||
|
||||
==============================================
|
||||
Authentication with an existing LDAP directory
|
||||
==============================================
|
||||
|
||||
Authentic use the module django_auth_ldap to synchronize the Django user tables
|
||||
with an LDAP. For complex use case, we will refer you to the django_auth_ldap
|
||||
documentation, see http://packages.python.org/django-auth-ldap/.
|
||||
|
||||
How to authenticate users against an LDAP server with anonymous binding ?
|
||||
-------------------------------------------------------------------------
|
||||
|
||||
1. Install the django_auth_ldap module for Django::
|
||||
|
||||
pip install django_auth_ldap
|
||||
|
||||
|
||||
2. Configure your local_settings.py file for authenticating against LDAP.
|
||||
|
||||
The next lines must be added::
|
||||
|
||||
AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', )
|
||||
|
||||
import ldap
|
||||
from django_auth_ldap.config import LDAPSearch
|
||||
|
||||
# Here put the LDAP URL of your server
|
||||
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com'
|
||||
# Let the bind DN and bind password blank for anonymous binding
|
||||
AUTH_LDAP_BIND_DN = ""
|
||||
AUTH_LDAP_BIND_PASSWORD = ""
|
||||
# Lookup user under the branch o=base and by mathcing their uid against the
|
||||
# received login name
|
||||
AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base",
|
||||
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
|
||||
|
||||
How to allow members of an LDAP group to manage Authentic ?
|
||||
-----------------------------------------------------------
|
||||
|
||||
1. First you must know the objectClass of groups in your LDAP schema, this FAQ
|
||||
will show you the configuration for two usual classes: groupOfNames and
|
||||
groupOfUniqueNames.
|
||||
|
||||
2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany
|
||||
|
||||
3. Add the following lines::
|
||||
|
||||
from django_auth_ldap.config import GroupOfNamesType
|
||||
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
|
||||
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany",
|
||||
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
|
||||
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
|
||||
"is_staff": "cn=admin,o=mycompany"
|
||||
}
|
||||
|
||||
For an objectClass of groupOfUniqueNames you would change the string
|
||||
GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to
|
||||
groupOfUniqueNames. For more complex cases see the django_auth_ldap
|
||||
documentation.
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
.. _change_db:
|
||||
|
||||
===============================
|
||||
Specifying a different database
|
||||
===============================
|
||||
|
||||
This is done by modifying the DATABASES dictionary in your local_settings.py
|
||||
file (create it in Authentic project directory); for example::
|
||||
|
||||
DATABASES['default'] = {
|
||||
'ENGINE': 'django.db.backends.postgresql',
|
||||
'NAME': 'authentic',
|
||||
'USER': 'admindb',
|
||||
'PASSWORD': 'foobar',
|
||||
'HOST': 'db.example.com',
|
||||
'PORT': '', # empty string means default value
|
||||
}
|
||||
|
||||
You should refer to the Django documentation on databases settings at
|
||||
http://docs.djangoproject.com/en/dev/ref/settings/#databases for all
|
||||
the details.
|
254
doc/conf.py
|
@ -1,254 +0,0 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Authentic2 documentation build configuration file, created by
|
||||
# sphinx-quickstart on Thu Oct 13 14:38:32 2011.
|
||||
#
|
||||
# This file is exec()d with the current directory set to its containing dir.
|
||||
#
|
||||
# Note that not all possible configuration values are present in this
|
||||
# autogenerated file.
|
||||
#
|
||||
# All configuration values have a default; values that are commented out
|
||||
# serve to show the default.
|
||||
|
||||
|
||||
# If extensions (or modules to document with autodoc) are in another directory,
|
||||
# add these directories to sys.path here. If the directory is relative to the
|
||||
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||
# sys.path.insert(0, os.path.abspath('.'))
|
||||
|
||||
# -- General configuration -----------------------------------------------------
|
||||
|
||||
# If your documentation needs a minimal Sphinx version, state it here.
|
||||
# needs_sphinx = '1.0'
|
||||
|
||||
# Add any Sphinx extension module names here, as strings. They can be extensions
|
||||
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
|
||||
extensions = [
|
||||
'sphinx.ext.autodoc',
|
||||
'sphinx.ext.doctest',
|
||||
'sphinx.ext.intersphinx',
|
||||
'sphinx.ext.todo',
|
||||
'sphinx.ext.coverage',
|
||||
'sphinx.ext.imgmath',
|
||||
'sphinx.ext.ifconfig',
|
||||
'sphinx.ext.viewcode',
|
||||
]
|
||||
|
||||
# Add any paths that contain templates here, relative to this directory.
|
||||
templates_path = ['_templates']
|
||||
|
||||
# The suffix of source filenames.
|
||||
source_suffix = '.rst'
|
||||
|
||||
# The encoding of source files.
|
||||
# source_encoding = 'utf-8-sig'
|
||||
|
||||
# The master toctree document.
|
||||
master_doc = 'index'
|
||||
|
||||
# General information about the project.
|
||||
project = 'Authentic 2'
|
||||
copyright = '2012, 2011, 2010, Entr\'ouvert'
|
||||
|
||||
# The version info for the project you're documenting, acts as replacement for
|
||||
# |version| and |release|, also used in various other places throughout the
|
||||
# built documents.
|
||||
#
|
||||
# The short X.Y version.
|
||||
version = '2'
|
||||
# The full version, including alpha/beta/rc tags.
|
||||
release = '2.0.2'
|
||||
|
||||
# The language for content autogenerated by Sphinx. Refer to documentation
|
||||
# for a list of supported languages.
|
||||
# language = None
|
||||
|
||||
# There are two options for replacing |today|: either, you set today to some
|
||||
# non-false value, then it is used:
|
||||
# today = ''
|
||||
# Else, today_fmt is used as the format for a strftime call.
|
||||
# today_fmt = '%B %d, %Y'
|
||||
|
||||
# List of patterns, relative to source directory, that match files and
|
||||
# directories to ignore when looking for source files.
|
||||
exclude_patterns = ['_build']
|
||||
|
||||
# The reST default role (used for this markup: `text`) to use for all documents.
|
||||
# default_role = None
|
||||
|
||||
# If true, '()' will be appended to :func: etc. cross-reference text.
|
||||
# add_function_parentheses = True
|
||||
|
||||
# If true, the current module name will be prepended to all description
|
||||
# unit titles (such as .. function::).
|
||||
# add_module_names = True
|
||||
|
||||
# If true, sectionauthor and moduleauthor directives will be shown in the
|
||||
# output. They are ignored by default.
|
||||
# show_authors = False
|
||||
|
||||
# The name of the Pygments (syntax highlighting) style to use.
|
||||
pygments_style = 'sphinx'
|
||||
|
||||
# A list of ignored prefixes for module index sorting.
|
||||
# modindex_common_prefix = []
|
||||
|
||||
|
||||
# -- Options for HTML output ---------------------------------------------------
|
||||
|
||||
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||
# a list of builtin themes.
|
||||
html_theme = 'default'
|
||||
|
||||
# Theme options are theme-specific and customize the look and feel of a theme
|
||||
# further. For a list of options available for each theme, see the
|
||||
# documentation.
|
||||
# html_theme_options = {}
|
||||
|
||||
# Add any paths that contain custom themes here, relative to this directory.
|
||||
# html_theme_path = []
|
||||
|
||||
# The name for this set of Sphinx documents. If None, it defaults to
|
||||
# "<project> v<release> documentation".
|
||||
# html_title = None
|
||||
|
||||
# A shorter title for the navigation bar. Default is the same as html_title.
|
||||
# html_short_title = None
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top
|
||||
# of the sidebar.
|
||||
html_logo = 'pictures/eo_logo_t.png'
|
||||
|
||||
# The name of an image file (within the static path) to use as favicon of the
|
||||
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
|
||||
# pixels large.
|
||||
# html_favicon = None
|
||||
|
||||
# Add any paths that contain custom static files (such as style sheets) here,
|
||||
# relative to this directory. They are copied after the builtin static files,
|
||||
# so a file named "default.css" will overwrite the builtin "default.css".
|
||||
html_static_path = ['_static']
|
||||
|
||||
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
|
||||
# using the given strftime format.
|
||||
# html_last_updated_fmt = '%b %d, %Y'
|
||||
|
||||
# If true, SmartyPants will be used to convert quotes and dashes to
|
||||
# typographically correct entities.
|
||||
# html_use_smartypants = True
|
||||
|
||||
# Custom sidebar templates, maps document names to template names.
|
||||
# html_sidebars = {}
|
||||
|
||||
# Additional templates that should be rendered to pages, maps page names to
|
||||
# template names.
|
||||
# html_additional_pages = {}
|
||||
|
||||
# If false, no module index is generated.
|
||||
# html_domain_indices = True
|
||||
|
||||
# If false, no index is generated.
|
||||
# html_use_index = True
|
||||
|
||||
# If true, the index is split into individual pages for each letter.
|
||||
# html_split_index = False
|
||||
|
||||
# If true, links to the reST sources are added to the pages.
|
||||
# html_show_sourcelink = True
|
||||
|
||||
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
|
||||
# html_show_sphinx = True
|
||||
|
||||
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
|
||||
# html_show_copyright = True
|
||||
|
||||
# If true, an OpenSearch description file will be output, and all pages will
|
||||
# contain a <link> tag referring to it. The value of this option must be the
|
||||
# base URL from which the finished HTML is served.
|
||||
# html_use_opensearch = ''
|
||||
|
||||
# This is the file name suffix for HTML files (e.g. ".xhtml").
|
||||
# html_file_suffix = None
|
||||
|
||||
# Output file base name for HTML help builder.
|
||||
htmlhelp_basename = 'Authentic2doc'
|
||||
|
||||
|
||||
# -- Options for LaTeX output --------------------------------------------------
|
||||
|
||||
latex_elements = {
|
||||
# The paper size ('letterpaper' or 'a4paper').
|
||||
#'papersize': 'letterpaper',
|
||||
# The font size ('10pt', '11pt' or '12pt').
|
||||
#'pointsize': '10pt',
|
||||
# Additional stuff for the LaTeX preamble.
|
||||
#'preamble': '',
|
||||
}
|
||||
|
||||
# Grouping the document tree into LaTeX files. List of tuples
|
||||
# (source start file, target name, title, author, documentclass [howto/manual]).
|
||||
latex_documents = [
|
||||
('index', 'Authentic2.tex', 'Authentic2 Documentation', 'Entr\'ouvert', 'manual'),
|
||||
]
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top of
|
||||
# the title page.
|
||||
latex_logo = 'pictures/eo_logo.png'
|
||||
|
||||
# For "manual" documents, if this is true, then toplevel headings are parts,
|
||||
# not chapters.
|
||||
# latex_use_parts = False
|
||||
|
||||
# If true, show page references after internal links.
|
||||
# latex_show_pagerefs = False
|
||||
|
||||
# If true, show URL addresses after external links.
|
||||
# latex_show_urls = False
|
||||
|
||||
# Documents to append as an appendix to all manuals.
|
||||
# latex_appendices = []
|
||||
|
||||
# If false, no module index is generated.
|
||||
# latex_domain_indices = True
|
||||
|
||||
|
||||
# -- Options for manual page output --------------------------------------------
|
||||
|
||||
# One entry per manual page. List of tuples
|
||||
# (source start file, name, description, authors, manual section).
|
||||
man_pages = [('index', 'authentic2', 'Authentic2 Documentation', [u'Mikaël Ates'], 1)]
|
||||
|
||||
# If true, show URL addresses after external links.
|
||||
# man_show_urls = False
|
||||
|
||||
|
||||
# -- Options for Texinfo output ------------------------------------------------
|
||||
|
||||
# Grouping the document tree into Texinfo files. List of tuples
|
||||
# (source start file, target name, title, author,
|
||||
# dir menu entry, description, category)
|
||||
texinfo_documents = [
|
||||
(
|
||||
'index',
|
||||
'Authentic2',
|
||||
'Authentic2 Documentation',
|
||||
'Mikaël Ates',
|
||||
'Authentic2',
|
||||
'One line description of project.',
|
||||
'Miscellaneous',
|
||||
),
|
||||
]
|
||||
|
||||
# Documents to append as an appendix to all manuals.
|
||||
# texinfo_appendices = []
|
||||
|
||||
# If false, no module index is generated.
|
||||
# texinfo_domain_indices = True
|
||||
|
||||
# How to display URL addresses: 'footnote', 'no', or 'inline'.
|
||||
# texinfo_show_urls = 'footnote'
|
||||
|
||||
|
||||
# Example configuration for intersphinx: refer to the Python standard library.
|
||||
intersphinx_mapping = {'http://docs.python.org/': None}
|
|
@ -1,28 +0,0 @@
|
|||
.. _config_cas_sp:
|
||||
|
||||
=====================================
|
||||
Configure Authentic 2 as a CAS server
|
||||
=====================================
|
||||
|
||||
How to use Authentic 2 as a CAS 1.0 or CAS 2.0 identity provider ?
|
||||
------------------------------------------------------------------
|
||||
|
||||
1. Activate CAS IdP support in settings.py::
|
||||
|
||||
IDP_CAS = True
|
||||
|
||||
2. Then create the database table to hold CAS service tickets::
|
||||
|
||||
python authentic2/manage.py syncdb --migrate
|
||||
|
||||
3. Also configure authentic2 to authenticate against your LDAP directory (see
|
||||
above) if your want your user attributes to be accessible from your service,
|
||||
if it is not necessary you can use the normal relational database storage
|
||||
for you users.
|
||||
|
||||
4. Finally configure your service to point to the CAS endpoint at:
|
||||
|
||||
http[s]://your.domain.com/idp/cas/
|
||||
|
||||
5. If needed configure your service to resolve authenticated user with your
|
||||
LDAP directory (if user attributes are needed for your service)
|
|
@ -1,167 +0,0 @@
|
|||
.. _config_saml2_idp:
|
||||
|
||||
==================================================================
|
||||
Configure Authentic 2 as a SAML2 service provider or a SAML2 proxy
|
||||
==================================================================
|
||||
|
||||
**The configuration to make Authentic 2 a SAML2 service provider or a SAML2
|
||||
proxy is the same. The difference comes from that Authentic 2 is may be
|
||||
configured or not as a SAML2 identity provider.**
|
||||
|
||||
How do I authenticate against a third SAML2 identity provider?
|
||||
==============================================================
|
||||
|
||||
1. Declare Authentic 2 as a SAML2 service provider on your SAML2 identity provider using the SAML2 service provider metadata of Authentic 2.
|
||||
|
||||
Go to http[s]://your.domain.com/authsaml2/metadata
|
||||
|
||||
2. Add and configure a SAML2 identity provider entry in Authentic 2 using the metadata of the identity provider.
|
||||
|
||||
How do I add and configure a SAML2 identity provider in Authentic 2?
|
||||
====================================================================
|
||||
|
||||
You first need to create a SAML2 identity provider entry with the SAML2
|
||||
metadata of the identity provider. Then, you configure it.
|
||||
|
||||
If your identity provider is Authentic 2, the metadata are available at:
|
||||
|
||||
http[s]://your.domain.com/idp/saml2/metadata
|
||||
|
||||
See :ref:`where_metadata` for more information.
|
||||
|
||||
Create a SAML2 identity provider entry
|
||||
--------------------------------------
|
||||
|
||||
You first need to create a new SAML2 identity provider entry. This requires
|
||||
the SAML2 metadata of the identity provider.
|
||||
|
||||
1. Go to
|
||||
|
||||
http[s]://your.domain.com/admin/saml/libertyprovider/add/
|
||||
|
||||
2. Fill the form fields
|
||||
|
||||
.. image:: pictures/new_saml2_idp_1.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/new_saml2_idp_2.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
**The identity provider must be enabled.**
|
||||
|
||||
See below about configuring the identity provider with policies:
|
||||
|
||||
* options of the identity provider
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/new_saml2_idp_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Apply a SAML2 identity provider options policy
|
||||
----------------------------------------------
|
||||
|
||||
The SAML2 options of the identity provider are configured using idp options
|
||||
policies. For the explanation of the options see the following section.
|
||||
|
||||
See the *administration with policy principle* page :ref:`administration_with_policies`.
|
||||
|
||||
You may create a regular policy and configure your service provider to use it.
|
||||
|
||||
Go to:
|
||||
|
||||
http[s]://your.domain.com/admin/saml/idpoptionssppolicy/add/
|
||||
|
||||
Configure your policy and save:
|
||||
|
||||
.. image:: pictures/idp_options_regular.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/idp_options_regular_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Apply the policy to the identity provider:
|
||||
|
||||
.. image:: pictures/idp_options_regular_modify_sp.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Example with a policy 'Default':
|
||||
|
||||
.. image:: pictures/idp_options_default.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Example with a policy 'All':
|
||||
|
||||
.. image:: pictures/idp_options_all.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
If no policy is found for the configuration of the SAML2 options of an identity
|
||||
provider, the following error is displayed to the users when a SSO request is
|
||||
initiated.
|
||||
|
||||
.. image:: pictures/error_no_idp_options.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
SAML2 identity provider options explained
|
||||
-----------------------------------------
|
||||
|
||||
Behavior with persistent nameID
|
||||
_______________________________
|
||||
|
||||
This option applies when an assertion with a persistent nameID is received and
|
||||
the nameID is not recognized as an existing federation.
|
||||
|
||||
Two values are possible: "Create new account" and "Account linking by authentication".
|
||||
|
||||
The value "Create new account" makes Authentic 2 create a user account associated
|
||||
to the nameID received.
|
||||
|
||||
The value "Account linking by authentication" makes Authentic 2 ask the user to
|
||||
authenticate with an existing account to associate the nameID to this account.
|
||||
|
||||
Behavior with transient nameID
|
||||
_______________________________
|
||||
|
||||
This option applies when an assertion with a transient nameID is received and
|
||||
there isn't a session opened for the user yet.
|
||||
|
||||
Two values are possible: "Open a session" and "Ask authentication".
|
||||
|
||||
The value "Open a session" makes Authentic 2 open a session.
|
||||
|
||||
The value "Ask authentication" makes Authentic 2 ask for a user authentication,
|
||||
even when a valid assertion is received. That may have sense for instance if
|
||||
the SSO login is used only to receive signed attributes for users with existing
|
||||
accounts.
|
||||
|
||||
|
||||
How to refresh the metadata of an identity provider hosted at a Well-Known Location?
|
||||
====================================================================================
|
||||
|
||||
The Well-Known Location (WKL) means that the entity Id of the provider is a
|
||||
URL at which the provider metadata are hosted.
|
||||
|
||||
To refresh them, select the provider on the list of provider, then select in
|
||||
the menu 'Update metadata', then click on 'Go'.
|
||||
|
||||
.. image:: pictures/update_metadata.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/update_metadata_done.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
How to create in bulk identity providers with the sync-metadata script?
|
||||
=======================================================================
|
||||
|
||||
See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`.
|
|
@ -1,142 +0,0 @@
|
|||
.. _config_saml2_sp:
|
||||
|
||||
====================================
|
||||
Configure SAML 2.0 service providers
|
||||
====================================
|
||||
|
||||
How do I authenticate against Authentic 2 with a SAML2 service provider?
|
||||
========================================================================
|
||||
|
||||
1. Declare Authentic 2 as a SAML2 identity provider on your SAML2 service provider using the SAML2 identity provider metadata of Authentic 2.
|
||||
|
||||
Go to http[s]://your.domain.com/idp/saml2/metadata
|
||||
|
||||
2. Add and configure a SAML2 service provider in Authentic 2 using the metadata of the service provider.
|
||||
|
||||
How do I add and configure a SAML2 service provider in Authentic 2?
|
||||
===================================================================
|
||||
|
||||
You first need to create a new SAML2 service provider entry. This requires the
|
||||
SAML2 metadata of the service provider.
|
||||
|
||||
If your service provider is Authentic 2, the metadata are available at:
|
||||
|
||||
http[s]://your.domain.com/authsaml2/metadata
|
||||
|
||||
See :ref:`where_metadata` for more information.
|
||||
|
||||
Create a SAML2 service provider entry
|
||||
-------------------------------------
|
||||
|
||||
1. Go to
|
||||
|
||||
http[s]://your.domain.com/admin/saml/libertyprovider/add/
|
||||
|
||||
2. Fill the form fields
|
||||
|
||||
.. image:: pictures/new_saml2_sp_1.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/new_saml2_sp_2.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
**Note:** The service provider must be enabled.
|
||||
|
||||
See below about configuring the service provider with policies:
|
||||
|
||||
* options of the service provider
|
||||
|
||||
* protocol policy
|
||||
|
||||
* attribute policy
|
||||
|
||||
|
||||
3. Save
|
||||
|
||||
.. image:: pictures/new_saml2_sp_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Apply a SAML2 service provider options policy
|
||||
---------------------------------------------
|
||||
|
||||
The SAML2 options of the service provider are configured using sp options
|
||||
policies.
|
||||
|
||||
See the *administration with policy principle* page :ref:`administration_with_policies`.
|
||||
|
||||
You may create a regular policy and configure your service provider to use it.
|
||||
|
||||
Go to:
|
||||
|
||||
http[s]://your.domain.com/admin/saml/spoptionsidppolicy/add/
|
||||
|
||||
Configure your policy and save:
|
||||
|
||||
.. image:: pictures/sp_options_regular.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/sp_options_regular_saved.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Apply the policy to the service provider:
|
||||
|
||||
.. image:: pictures/sp_options_regular_modify_sp.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Example with a policy 'Default':
|
||||
|
||||
.. image:: pictures/sp_options_default.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Example with a policy 'All':
|
||||
|
||||
.. image:: pictures/sp_options_all.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
If no policy is found for the configuration of the SAML2 options of a service
|
||||
provider, the following error is displayed to the users when a SSO request is
|
||||
received.
|
||||
|
||||
.. image:: pictures/error_no_sp_options.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Configure the SAML2 service provider protocol options
|
||||
-----------------------------------------------------
|
||||
|
||||
This kind of policy does not use the policy management using global policies.
|
||||
|
||||
You should use the default option except if your service provider is a
|
||||
Shibboleth service provider, then you should use the option "Shibboleth SP
|
||||
(AuthnRequest Signature: Does not check signatures)".
|
||||
|
||||
Configure the attribute policy of the service provider
|
||||
------------------------------------------------------
|
||||
|
||||
See the attribute management page :ref:`attribute_management`.
|
||||
|
||||
How to refresh the metadata of a service provider hosted at a Well-Known Location?
|
||||
==================================================================================
|
||||
|
||||
The Well-Known Location (WKL) means that the entity Id of the provider is a
|
||||
URL at which the provider metadata are hosted.
|
||||
|
||||
To refresh them, select the provider on the list of provider, then select in
|
||||
the menu 'Update metadata', then click on 'Go'.
|
||||
|
||||
.. image:: pictures/update_metadata.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
How to create in bulk service providers with the sync-metadata script?
|
||||
======================================================================
|
||||
|
||||
See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`.
|
|
@ -1,86 +0,0 @@
|
|||
.. _configuration:
|
||||
|
||||
=============
|
||||
Configuration
|
||||
=============
|
||||
|
||||
Configuration with settings
|
||||
===========================
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
settings
|
||||
|
||||
settings_listing
|
||||
|
||||
Configuration with the administration interface
|
||||
===============================================
|
||||
|
||||
Basics
|
||||
------
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
admin_access
|
||||
|
||||
administration_with_policies
|
||||
|
||||
Authentication backends
|
||||
-----------------------
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
auth_ldap
|
||||
|
||||
SAML2
|
||||
-----
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
where_metadata
|
||||
|
||||
config_saml2_sp
|
||||
|
||||
config_saml2_idp
|
||||
|
||||
saml2_slo
|
||||
|
||||
CAS
|
||||
---
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
config_cas_sp
|
||||
|
||||
Attributes
|
||||
----------
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
attribute_management
|
||||
|
||||
User interfaces and interactions
|
||||
--------------------------------
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
consent_management
|
||||
|
||||
Administration
|
||||
==============
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
translation
|
||||
|
||||
cronjobs
|
||||
|
||||
sync-metadata_script
|
|
@ -1,84 +0,0 @@
|
|||
.. _consent_management:
|
||||
|
||||
=================================
|
||||
Consent Management in Authentic 2
|
||||
=================================
|
||||
|
||||
What is the SAML2 federation consent aka account linking consent?
|
||||
=================================================================
|
||||
|
||||
At the first single sign on process on the identity provider side, the user
|
||||
may be asked if she agrees to federation its local account with the remote
|
||||
account on the service provider side.
|
||||
|
||||
The account linking also called a federation means that the nameID is
|
||||
persistent and will link the two accounts. This signed identifier allows to
|
||||
the service provider to login the user without reauthentication during the
|
||||
following single sign on process.
|
||||
|
||||
How the consent is collected is determined by the identity provider. The
|
||||
service provider receives in the authnRequest the consent attribute
|
||||
indicating how the user consent was managed.
|
||||
|
||||
|
||||
Account linking consent management on the identity provider side
|
||||
================================================================
|
||||
|
||||
The consent is managed per service provider according to the options policy
|
||||
that applies to the service provider.
|
||||
|
||||
The parameter 'Ask user for consent when creating a federation' determine
|
||||
if the user consent must be asked to the user.
|
||||
|
||||
.. image:: pictures/federation_consent_idp.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
*Take care that is the identity provider provides the service provider with
|
||||
a transient nameID, there is no account linking, so there is no need for a
|
||||
consent.*
|
||||
|
||||
*The user consent is only asked once. In other words, if the user already has
|
||||
a federation, the consent won't be asked anymore.*
|
||||
|
||||
If the policy requires the user consent, this can be bypassed using the signal
|
||||
'avoid_consent'.
|
||||
|
||||
Account linking consent management on the service provider side
|
||||
===============================================================
|
||||
|
||||
The service provider may refuse a valid single sign on if the user consent
|
||||
was not asked.
|
||||
|
||||
The parameter 'Require the user consent be given at account linking' of the
|
||||
identity provider options policy determine the service provider behavior.
|
||||
|
||||
.. image:: pictures/federation_consent_sp.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
How manage attribute forwarding consent?
|
||||
========================================
|
||||
|
||||
*If there is no attribute policy associate with a service provider, no
|
||||
attribute is forwarded.*
|
||||
|
||||
When an attribute policy applies you can configure the consent rules per
|
||||
service provider.
|
||||
|
||||
The choices are:
|
||||
|
||||
- Don't ask the user consent
|
||||
- Ask the consent in all-or-nothing mode
|
||||
- Allow attribute selection
|
||||
|
||||
To ask the user consent, tick the parameter 'Ask the user consent before
|
||||
forwarding attributes' of the attribute policy that applies to the service
|
||||
provider.
|
||||
|
||||
To allow the attribute selection on the attribute consent page, tick the
|
||||
parameter 'Allow the user to select the forwarding attributes'.
|
||||
|
||||
.. image:: pictures/attributes_consent.png
|
||||
:width: 800 px
|
||||
:align: center
|
|
@ -1,12 +0,0 @@
|
|||
.. _copyright:
|
||||
|
||||
=========
|
||||
Copyright
|
||||
=========
|
||||
|
||||
Authentic and Authentic 2 are copyrighted by Entr'ouvert and are licensed
|
||||
through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of
|
||||
the whole license text is available in the COPYING file.
|
||||
|
||||
The Documentation is under the licence Creative Commons
|
||||
`CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
|
|
@ -1,11 +0,0 @@
|
|||
.. _cronjobs:
|
||||
|
||||
|
||||
Cronjobs and cleaning
|
||||
=====================
|
||||
|
||||
The following cronjob must be run to clean deleted accounts and temporary objects::
|
||||
|
||||
5 0 * * * athentic2-ctl cleanup
|
||||
|
||||
It's made to run every day at 00:05.
|
|
@ -1,60 +0,0 @@
|
|||
.. _deployment:
|
||||
|
||||
==================================================
|
||||
Running Authentic 2 for real (Nginx, Apache, etc.)
|
||||
==================================================
|
||||
|
||||
|
||||
DEBUG Mode by default, static files and the Django debug toolbar dependency ?
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
By default, Authentic 2 is in the DEBUG mode. We made this default choice
|
||||
because most of the Authentic 2's users will begin with Authentic 2 using
|
||||
the Django development server (runserver command) and we want to avoid them
|
||||
a bad first impression because static files would not be served. As a matter
|
||||
of fact, static files are served by the Django development server only when
|
||||
the project is run in the DEBUG mode.
|
||||
|
||||
In the DEBUG mode, the Django debug toolbar is used what adds a dependency.
|
||||
|
||||
In production, the Django development server should not be used to serve
|
||||
Authentic 2 and a dedicated server should also be used to serve the static
|
||||
files.
|
||||
|
||||
Set Authentic into the no DEBUG Mode
|
||||
------------------------------------
|
||||
|
||||
It is enough to edit authentic2/settings.py and set::
|
||||
|
||||
DEBUG = False
|
||||
|
||||
From then on the django-debug-toolbar package is not necessary anymore.
|
||||
|
||||
Use dedicated HTTP servers and serve static files
|
||||
-------------------------------------------------
|
||||
|
||||
The best is to use a server dedicated to serve the Django applications and a
|
||||
different server to serve the static files.
|
||||
|
||||
You could for instance use apache with mod_wsgi to serve Authentic 2. You will
|
||||
find configuration file examples in the debian directory of the Authentic 2
|
||||
sources.
|
||||
|
||||
Then you may want to use nginx to serve the static files.
|
||||
|
||||
First you need to collect the Authentic 2 static files. The static files are
|
||||
collected using the collectstatic command that is configured in the
|
||||
settings.py.
|
||||
|
||||
By default, running collectstatic will create a static directory in the parent
|
||||
directory of the authentic2 directory::
|
||||
|
||||
$python authentic2/manage.py collectstatic
|
||||
|
||||
That static directory will contain all the static files of Authentic 2.
|
||||
|
||||
If you want to change the path of the static directory you can edit
|
||||
STATIC_ROOT of the settings file.
|
||||
|
||||
See https://docs.djangoproject.com/en/dev/ref/contrib/staticfiles/ for more
|
||||
information about collectstatic.
|
|
@ -1,86 +0,0 @@
|
|||
.. _development:
|
||||
|
||||
===========
|
||||
Development
|
||||
===========
|
||||
|
||||
Get the code and the dependencies
|
||||
=================================
|
||||
|
||||
1. Clone the repository::
|
||||
|
||||
$ git clone https://git.entrouvert.org/authentic.git
|
||||
|
||||
2. Install `lasso <http://lasso.entrouvert.org>`_ python packages::
|
||||
|
||||
$ curl https://deb.entrouvert.org/entrouvert.gpg | sudo apt-key add -
|
||||
$ echo deb http://deb.entrouvert.org/ buster main | \
|
||||
sudo tee /etc/apt/sources.list.d/entrouvert.list
|
||||
$ sudo apt-get update
|
||||
$ sudo apt-get install python-lasso python3-lasso
|
||||
|
||||
3. Install dependencies::
|
||||
|
||||
$ sudo apt-get install postgresql build-essential gettext sassc \
|
||||
libldap2-dev libsasl2-dev python3-dev
|
||||
|
||||
Run the tests
|
||||
=============
|
||||
|
||||
1. Setup a virtualenv::
|
||||
|
||||
$ sudo apt-get install direnv
|
||||
$ echo layout python3 > authentic/.envrc
|
||||
$ direnv allow authentic
|
||||
$ cd authentic
|
||||
$ pip install tox
|
||||
|
||||
2. Run::
|
||||
|
||||
$ JENKINS_URL=fakeurl pg_virtualenv tox
|
||||
|
||||
.. note::
|
||||
|
||||
`tests/test_ldap.py` will fail if `apparmor_status` reports that
|
||||
`/usr/sbin/slapd` is in enforce mode.
|
||||
|
||||
.. note::
|
||||
|
||||
Setting `JENKINS_URL` instructs tox to run `[tox:jenkins]` instead
|
||||
of the default `[tox]`.
|
||||
|
||||
2. Run with code coverage::
|
||||
|
||||
$ pg_virtualenv tox < /dev/null
|
||||
$ firefox htmlcov/index.html
|
||||
|
||||
.. note::
|
||||
|
||||
When running from an interactive shell `< /dev/null` unsets
|
||||
the `tty` tox sub-type and defines the `COVERAGE` variable.
|
||||
|
||||
Update translations
|
||||
===================
|
||||
|
||||
They are updated upstream before the releases to help keep the
|
||||
vocabulary consistent.
|
||||
|
||||
.. note::
|
||||
|
||||
The only exception would be a trivial fix such as a typo.
|
||||
|
||||
The `.po` files can be updated as follows::
|
||||
|
||||
$ ./update-locales.sh
|
||||
|
||||
Build the documentation
|
||||
=======================
|
||||
|
||||
1. Build::
|
||||
|
||||
$ pip install sphinx
|
||||
$ sphinx-build -b html doc build/html
|
||||
|
||||
2. Display::
|
||||
|
||||
$ firefox build/html/index.html
|
|
@ -1,50 +0,0 @@
|
|||
.. Authentic 2 documentation master file, created by
|
||||
sphinx-quickstart on Thu Oct 13 09:53:03 2011.
|
||||
You can adapt this file completely to your liking, but it should at least
|
||||
contain the root `toctree` directive.
|
||||
|
||||
===========================
|
||||
Authentic 2's documentation
|
||||
===========================
|
||||
|
||||
Authentic 2 is a versatile identity management server aiming to address a
|
||||
broad range of needs, from simple to complex setups; it has support for many
|
||||
protocols and can bridge between them.
|
||||
|
||||
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID,
|
||||
LDAP, X509 and OAUTH2.
|
||||
|
||||
Authentic 2 is under the GNU AGPL version 3 licence.
|
||||
|
||||
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
|
||||
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
|
||||
specifications of SAML2.
|
||||
|
||||
Consult current Authentic 2 activity on the `project site <http://dev.entrouvert.org/projects/authentic>`_
|
||||
|
||||
If you don't find an explanation, you don't understand it or one is missing,
|
||||
please report it on the list.
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
overview
|
||||
|
||||
installation
|
||||
|
||||
configuration
|
||||
|
||||
advanced
|
||||
|
||||
development
|
||||
|
||||
copyright
|
||||
|
||||
This documentation is under the licence Creative Commons `CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
|
||||
|
||||
.. Indices and tables
|
||||
.. ==================
|
||||
|
||||
.. * :ref:`genindex`
|
||||
.. * :ref:`modindex`
|
||||
.. * :ref:`search`
|
|
@ -1,58 +0,0 @@
|
|||
.. _installation:
|
||||
|
||||
=====================================
|
||||
Installation and quickstart tutorials
|
||||
=====================================
|
||||
|
||||
You'll find here how to start and configure very quickly Authentic 2 for its
|
||||
main features. You just need Python 2.7 and Django 1.5.
|
||||
|
||||
First of all, you can boot Authentic vwithout root
|
||||
privileges like this:
|
||||
|
||||
1. Initialize a virtualenv::
|
||||
|
||||
virtualenv authentic
|
||||
source ./authentic/bin/activate
|
||||
cd authentic
|
||||
|
||||
2. Install Authentic::
|
||||
|
||||
pip install authentic2
|
||||
|
||||
3. Initialize the database migrations::
|
||||
|
||||
authentic2-ctl syncdb --migrate
|
||||
|
||||
4. Run the HTTP test server::
|
||||
|
||||
authentic2-ctl runserver
|
||||
|
||||
Release cycle
|
||||
-------------
|
||||
|
||||
In addition to the installation from sources, Entr'ouvert maintains `Debian GNU/Linux packages <https://deb.entrouvert.org/>`__ for Authentic that `follow the release cycle of Publik <https://dev.entrouvert.org/projects/publik/wiki/Cycle_de_mises_%C3%A0_jour>`__.
|
||||
|
||||
Quickstart guides and installation guidelines
|
||||
---------------------------------------------
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
|
||||
installation_modes
|
||||
change_db
|
||||
upgrading
|
||||
deployment
|
||||
|
||||
Quickstarts
|
||||
___________
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
quick_oauth2_idp
|
||||
quick_saml2_idp
|
||||
quick_saml2_sp
|
||||
quick_cas_idp
|
||||
quick_ldap_backend
|
|
@ -1,201 +0,0 @@
|
|||
.. _installation_modes:
|
||||
|
||||
==================
|
||||
Installation modes
|
||||
==================
|
||||
|
||||
The current version of Authentic 2 works with Python 2.7 and Django 1.5.
|
||||
|
||||
Authentic 2 python installation script handles all the dependencies,
|
||||
except Lasso, relying on the Setuptools and the pypi repository.
|
||||
|
||||
To run Authentic 2 with SAML2 features, you need to install lasso >= 2.3.6,
|
||||
see :ref:`install-lasso-ref`.
|
||||
|
||||
The other Authentic 2 dependencies are:
|
||||
|
||||
- Django>=1.7.6,<1.9
|
||||
- requests>=2.
|
||||
- django-model-utils>=2
|
||||
- dnspython>=1.12
|
||||
- django-select2>=4.3.0
|
||||
- django-tables2>=1.0
|
||||
- gadjo>=0.6
|
||||
- django-import-export>=0.2.7,<=0.4.5
|
||||
- djangorestframework>=3.3
|
||||
- Markdown>=2.5
|
||||
- python-ldap
|
||||
|
||||
Install Authentic 2:
|
||||
|
||||
- :ref:`install-pypi-ref`
|
||||
- :ref:`obtain-pypi-ref`
|
||||
- :ref:`obtain-git-ref`
|
||||
|
||||
.. _install-lasso-ref:
|
||||
|
||||
Lasso installation
|
||||
------------------
|
||||
|
||||
Lasso is available in the linux debian destribution repositories. If you are
|
||||
installing Authentic 2 on debian, just execute ::
|
||||
|
||||
apt-get install python-lasso
|
||||
|
||||
You'll find more updated packages on http://deb.entrouvert.org/.
|
||||
|
||||
We also provide rpm packages for redhat, see https://dev.entrouvert.org/redhat/README.
|
||||
|
||||
You can also install lasso from sources http://lasso.entrouvert.org/download
|
||||
|
||||
See the `Lasso website <http://lasso.entrouvert.org>`_ for installation details.
|
||||
This is a quick installation example.
|
||||
|
||||
Install the following Lasso dependencies:
|
||||
|
||||
- autoconf
|
||||
- automake
|
||||
- autotools-dev
|
||||
- libtool
|
||||
- gtk-doc-tools
|
||||
- zlib1g-dev
|
||||
- libglib2.0-dev
|
||||
- openssl-dev
|
||||
- libxml2-dev
|
||||
- libxmlsec1-dev
|
||||
- python2.6-dev
|
||||
- python-setuptools
|
||||
|
||||
Obtain Lasso::
|
||||
|
||||
$wget https://dev.entrouvert.org/lasso/lasso-2.3.6.tar.gz
|
||||
$tar xzvf lasso-2.3.6.tar.gz
|
||||
$cd lasso-2.3.6
|
||||
$./autogen.sh
|
||||
|
||||
Be sure that the Python bindings is selected as follows::
|
||||
|
||||
=============
|
||||
Configuration
|
||||
=============
|
||||
|
||||
Main
|
||||
----
|
||||
|
||||
Compiler: gcc
|
||||
CFLAGS:
|
||||
Install prefix: /usr/local
|
||||
Debugging: no
|
||||
Experimental ID-WSF: no
|
||||
|
||||
Optionals builds
|
||||
----------------
|
||||
|
||||
Available languages: java(4.6.1) python(2.7) perl(5.12.4)
|
||||
|
||||
Java binding: yes
|
||||
Perl binding: yes
|
||||
PHP 5 binding: no
|
||||
Python binding: yes
|
||||
|
||||
C API references: yes
|
||||
Tests suite: no
|
||||
|
||||
|
||||
Now type 'make install' to install lasso.
|
||||
|
||||
As indicated, build and install::
|
||||
|
||||
$make install
|
||||
$ldconfig
|
||||
|
||||
Set the lasso python binding in you python path, e.g.::
|
||||
|
||||
$export PYTHONPATH="$PYTHONPATH:/usr/local/lib/python2.6/site-packages"
|
||||
|
||||
Test trying to import Lasso::
|
||||
|
||||
$python
|
||||
>>> import lasso
|
||||
|
||||
.. _install-pypi-ref:
|
||||
|
||||
Install Authentic directly from pypi
|
||||
------------------------------------
|
||||
|
||||
Using pip::
|
||||
|
||||
pip install authentic2
|
||||
|
||||
You can now run Authentic from the installation directory::
|
||||
|
||||
./authentic2-ctl syncdb --migrate
|
||||
./authentic2-ctl runserver
|
||||
|
||||
You should see the following output::
|
||||
|
||||
Validating models...
|
||||
0 errors found
|
||||
|
||||
Django version 1.5, using settings 'authentic.settings'
|
||||
Development server is running at http://127.0.0.1:8000/
|
||||
Quit the server with CONTROL-C.
|
||||
|
||||
You can access the running application on http://127.0.0.1:8000/
|
||||
|
||||
.. _obtain-pypi-ref:
|
||||
|
||||
Obtain the last package archive from pypi
|
||||
-----------------------------------------
|
||||
|
||||
Download the archive on http://pypi.python.org/pypi/authentic2/.
|
||||
|
||||
Then, you can install it directly from the archive using pip::
|
||||
|
||||
pip install authentic2-x.z.y.tar.gz
|
||||
|
||||
You can now run Authentic from the installation directory, e.g.::
|
||||
|
||||
./authentic2-ctl syncdb --migrate
|
||||
./authentic2-ctl runserver
|
||||
|
||||
You should see the following output::
|
||||
|
||||
Validating models...
|
||||
0 errors found
|
||||
|
||||
Django version 1.5, using settings 'authentic.settings'
|
||||
Development server is running at http://127.0.0.1:8000/
|
||||
Quit the server with CONTROL-C.
|
||||
|
||||
You can access the running application on http://127.0.0.1:8000/
|
||||
|
||||
.. _obtain-git-ref:
|
||||
|
||||
Obtain the last sources from the Git repository
|
||||
-----------------------------------------------
|
||||
|
||||
Clone the repository::
|
||||
|
||||
git clone http://repos.entrouvert.org/authentic.git
|
||||
|
||||
Then, you can install it directly using pip::
|
||||
|
||||
cd authentic
|
||||
pip install -e .
|
||||
|
||||
You can now run Authentic from the installation directory, e.g.::
|
||||
|
||||
./authentic2-ctl syncdb --migrate
|
||||
./authentic2-ctl runserver
|
||||
|
||||
You should see the following output::
|
||||
|
||||
Validating models...
|
||||
0 errors found
|
||||
|
||||
Django version 1.5, using settings 'authentic.settings'
|
||||
Development server is running at http://127.0.0.1:8000/
|
||||
Quit the server with CONTROL-C.
|
||||
|
||||
You can access the running application on http://127.0.0.1:8000/
|
|
@ -1,58 +0,0 @@
|
|||
.. _overview:
|
||||
|
||||
========
|
||||
Overview
|
||||
========
|
||||
|
||||
Authentic 2 is a versatile identity management server aiming to address a
|
||||
broad range of needs, from simple to complex setups; it has support for many
|
||||
protocols and can bridge between them.
|
||||
|
||||
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID,
|
||||
LDAP, X509 and OAUTH2.
|
||||
|
||||
Authentic 2 is under the GNU AGPL version 3 licence.
|
||||
|
||||
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
|
||||
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
|
||||
specifications of SAML2.
|
||||
|
||||
Authentic 2 requires Python 2.7 et Django 1.5.
|
||||
|
||||
Features
|
||||
--------
|
||||
|
||||
* SAML 2.0 Identity and service provider
|
||||
* OpenID 1.0 and 2.0 identity provider
|
||||
* Server CAS 1.0 and 2.0 using a plugin
|
||||
* Standards authentication mechanisms:
|
||||
|
||||
* Login/password through internal directory or LDAP
|
||||
* X509 certificate over SSL/TLS
|
||||
|
||||
* Protocol proxying, for instance between OpenID and SAML
|
||||
* Support of LDAP v2 and v3 directories
|
||||
* Support of the PAM backend
|
||||
* One-time password (OATH and Google-Authenticator) using a plugin
|
||||
* Identity attribute management
|
||||
* Plugin system
|
||||
|
||||
|
||||
Source and issue tracker
|
||||
------------------------
|
||||
|
||||
You can find on the project site authentic.entrouvert.org mainly the issue
|
||||
tracker.
|
||||
|
||||
You can find there a viewer of the git repository or clone it::
|
||||
|
||||
git clone http://repos.entrouvert.org/authentic.git
|
||||
|
||||
Support
|
||||
-------
|
||||
Authentic's developpers and users hangs on the mailing list authentic@listes.entrouvert.com.
|
||||
See archives or register at http://listes.entrouvert.com/info/authentic.
|
||||
|
||||
You can open reports or feature request on http://authentic.entrouvert.org.
|
||||
|
||||
Entr'ouvert also provides a commercial support. For information, visit http://www.entrouvert.com.
|
Before Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 32 KiB |
Before Width: | Height: | Size: 87 KiB |
Before Width: | Height: | Size: 88 KiB |
Before Width: | Height: | Size: 87 KiB |
Before Width: | Height: | Size: 84 KiB |
Before Width: | Height: | Size: 78 KiB |
Before Width: | Height: | Size: 87 KiB |
Before Width: | Height: | Size: 24 KiB |
Before Width: | Height: | Size: 30 KiB |
Before Width: | Height: | Size: 33 KiB |
Before Width: | Height: | Size: 36 KiB |
Before Width: | Height: | Size: 46 KiB |
Before Width: | Height: | Size: 43 KiB |
Before Width: | Height: | Size: 33 KiB |
Before Width: | Height: | Size: 94 KiB |
Before Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 15 KiB |
Before Width: | Height: | Size: 98 KiB |
Before Width: | Height: | Size: 103 KiB |
Before Width: | Height: | Size: 69 KiB |
Before Width: | Height: | Size: 94 KiB |
Before Width: | Height: | Size: 83 KiB |
Before Width: | Height: | Size: 81 KiB |
Before Width: | Height: | Size: 82 KiB |
Before Width: | Height: | Size: 22 KiB |
Before Width: | Height: | Size: 30 KiB |
Before Width: | Height: | Size: 39 KiB |
Before Width: | Height: | Size: 28 KiB |
Before Width: | Height: | Size: 33 KiB |
Before Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 44 KiB |
Before Width: | Height: | Size: 33 KiB |
Before Width: | Height: | Size: 49 KiB |
Before Width: | Height: | Size: 37 KiB |
Before Width: | Height: | Size: 82 KiB |
Before Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 33 KiB |
Before Width: | Height: | Size: 94 KiB |
Before Width: | Height: | Size: 90 KiB |
Before Width: | Height: | Size: 70 KiB |
Before Width: | Height: | Size: 68 KiB |
Before Width: | Height: | Size: 65 KiB |
Before Width: | Height: | Size: 63 KiB |
Before Width: | Height: | Size: 30 KiB |
Before Width: | Height: | Size: 66 KiB |
Before Width: | Height: | Size: 30 KiB |
Before Width: | Height: | Size: 31 KiB |
Before Width: | Height: | Size: 32 KiB |
Before Width: | Height: | Size: 41 KiB |
Before Width: | Height: | Size: 50 KiB |
Before Width: | Height: | Size: 44 KiB |
Before Width: | Height: | Size: 23 KiB |
Before Width: | Height: | Size: 29 KiB |
|
@ -1,23 +0,0 @@
|
|||
.. _quick_cas_idp:
|
||||
|
||||
==================================
|
||||
Quickstart a CAS Identity Provider
|
||||
==================================
|
||||
|
||||
1. Activate CAS IdP support in your local_settings.py::
|
||||
|
||||
A2_IDP_CAS_ENABLE = True
|
||||
|
||||
2. Then create the database table to hold CAS service tickets::
|
||||
|
||||
authentic2-ctl syncdb --all
|
||||
authentic2-ctl migrate --fake
|
||||
|
||||
2. Also configure authentic2 to authenticate against your LDAP directory (see
|
||||
above) if your want your user attributes to be accessible from your service,
|
||||
if it is not necessary you can use the normal relational database storage
|
||||
for you users.
|
||||
|
||||
3. Finally configure your service to point to the CAS endpoint at::
|
||||
|
||||
http[s]://your.domain.com/idp/cas/
|
|
@ -1,61 +0,0 @@
|
|||
.. _quick_ldap_backend:
|
||||
|
||||
======================================
|
||||
Quickstart to connect a LDAP Directory
|
||||
======================================
|
||||
|
||||
Authentic use the module django_auth_ldap to synchronize the Django user tables
|
||||
with an LDAP. For complex use case, we will refer you to the django_auth_ldap
|
||||
documentation, see http://packages.python.org/django-auth-ldap/.
|
||||
|
||||
How to authenticate users against an LDAP server with anonymous binding ?
|
||||
-------------------------------------------------------------------------
|
||||
|
||||
1. Install the django_auth_ldap module for Django, for this you need
|
||||
python-ldap, python-ldap needs python developement headers to be installed
|
||||
but is usually packaged by most distributions::
|
||||
|
||||
pip install django_auth_ldap
|
||||
|
||||
|
||||
2. Configure your local_settings.py file for authenticating against LDAP.
|
||||
The next lines must be added::
|
||||
|
||||
AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', )
|
||||
|
||||
import ldap
|
||||
from django_auth_ldap.config import LDAPSearch
|
||||
|
||||
# Here put the LDAP URL of your server
|
||||
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com'
|
||||
# Let the bind DN and bind password blank for anonymous binding
|
||||
AUTH_LDAP_BIND_DN = ""
|
||||
AUTH_LDAP_BIND_PASSWORD = ""
|
||||
# Lookup user under the branch o=base and by mathcing their uid against the
|
||||
# received login name
|
||||
AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base",
|
||||
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
|
||||
|
||||
How to allow members of an LDAP group to manage Authentic ?
|
||||
-----------------------------------------------------------
|
||||
|
||||
1. First you must know the objectClass of groups in your LDAP schema, this FAQ
|
||||
will show you the configuration for two usual classes: groupOfNames and
|
||||
groupOfUniqueNames.
|
||||
|
||||
2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany
|
||||
|
||||
3. Add the following lines::
|
||||
|
||||
from django_auth_ldap.config import GroupOfNamesType
|
||||
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
|
||||
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany",
|
||||
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
|
||||
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
|
||||
"is_staff": "cn=admin,o=mycompany"
|
||||
}
|
||||
|
||||
For an objectClass of groupOfUniqueNames you would change the string
|
||||
GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to
|
||||
groupOfUniqueNames. For more complex cases see the django_auth_ldap
|
||||
documentation.
|
|
@ -1,9 +0,0 @@
|
|||
.. _quick_oauth2_idp:
|
||||
|
||||
======================================
|
||||
Quickstart an OAuth2 Identity Provider
|
||||
======================================
|
||||
|
||||
This section has to be done. If you need it now, say it on the issue tracker :
|
||||
|
||||
https://dev.entrouvert.org/issues/6053
|
|
@ -1,9 +0,0 @@
|
|||
.. _quick_saml2_idp:
|
||||
|
||||
=====================================
|
||||
Quickstart an SAML2 Identity Provider
|
||||
=====================================
|
||||
|
||||
This section has to be done. If you need it now, say it on the issue tracker :
|
||||
|
||||
https://dev.entrouvert.org/issues/6057
|
|
@ -1,22 +0,0 @@
|
|||
.. _quick_saml2_sp:
|
||||
|
||||
=====================================================
|
||||
Quickstart a connection with a SAML2 Service Provider
|
||||
=====================================================
|
||||
|
||||
1. Get the Identity Provider SAML2 metadata file
|
||||
|
||||
::
|
||||
|
||||
http[s]://your.domain.com/idp/saml2/metadata
|
||||
|
||||
2. Configure your service provider with it.
|
||||
|
||||
3. Go to the providers admin panel on
|
||||
|
||||
::
|
||||
|
||||
http[s]://admin/saml/libertyprovider/add/
|
||||
|
||||
There create a new provider using the service provider metadata and enable it
|
||||
as a service provider.
|
|
@ -1,168 +0,0 @@
|
|||
.. _saml2_slo:
|
||||
|
||||
=======================================
|
||||
Single Logout Management in Authentic 2
|
||||
=======================================
|
||||
|
||||
Explanation
|
||||
===========
|
||||
|
||||
Authentic 2 implements the single logout profile of SAML2 (SLO). Single Logout is
|
||||
used to realise to close user session on distributed applications. The Single
|
||||
Logout is managed by the IdP. However, its exists many profiles all supported
|
||||
by Authentic 2:
|
||||
|
||||
- SLO IdP initiated by SOAP
|
||||
- SLO IdP initiated by Redirect
|
||||
- SLO SP initiated by SOAP
|
||||
- SLO SP initiated by Redirect
|
||||
|
||||
Then, Authentic 2 acting as an IdP but also as a SP (for proxying), a
|
||||
logout request can be received from:
|
||||
|
||||
- the logout button on the user interface;
|
||||
- a service provider;
|
||||
- a third identity provider.
|
||||
|
||||
The configuration by policy allows to refuse SLO request coming from a SP or
|
||||
an IdP.
|
||||
|
||||
**The the SLO request is accepted or comes from the user interface, at the end
|
||||
of the process the local session on Authentic 2 will always be closed.**
|
||||
|
||||
During the process of treatment of the logout request, when the logout request
|
||||
comes from a SP, if the local session was established through a third SAML2 IdP,
|
||||
Authentic 2 sends it a logout request (SLO proxying). Then, Authentic 2
|
||||
sends logout resuests to all service providers with an active session but the
|
||||
requesting service provider.
|
||||
|
||||
During the process of treatment of the logout request, when the logout request
|
||||
comes from an IdP, Authentic 2 sends logout resuests to all service providers
|
||||
with an active session.
|
||||
|
||||
The configuration by policy allows to select which IdP and SP to logout
|
||||
forwarding is done.
|
||||
|
||||
**Note:** When a logout request comes from an IdP, the logout request is always
|
||||
forwarded by soap to the service providers.
|
||||
|
||||
**Note:** When a logout request comes from an SP:
|
||||
- if done by SOAP, the logout request is always forwarded by soap to the
|
||||
identity provider and service providers.
|
||||
- if done by Redirect, the logout request is forwarded to the
|
||||
identity provider according to the idp options policy and to the service
|
||||
providers according to their metadata.
|
||||
|
||||
**Note:** When a logout request comes from the user interface, the logout
|
||||
request is forwarded to the identity provider according to the idp options
|
||||
policy and to the service providers according to their metadata.
|
||||
|
||||
|
||||
**Note:** To make the SLO works, a policy must be found for the
|
||||
source or the desitnation of the logout request. By default, when creating a
|
||||
sp options policy or an IdP options policy the SLO is accepted and forwarded.
|
||||
|
||||
See the *administration with policy principle* page :ref:`administration_with_policies`.
|
||||
|
||||
How to know if a service provider supports the logout request?
|
||||
==============================================================
|
||||
|
||||
Look for the following elements in the service provider metadata:
|
||||
|
||||
- Redirect binding::
|
||||
|
||||
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sp.mik.lan:8000/authsaml2/singleLogout" ResponseLocation="http://sp.mik.lan:8000/authsaml2/singleLogoutReturn"/>
|
||||
|
||||
- SOAP binding::
|
||||
|
||||
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://sp.mik.lan:8000/authsaml2/singleLogoutSOAP"/>
|
||||
|
||||
How to know if an identity provider supports the logout request?
|
||||
================================================================
|
||||
|
||||
Look for the following elements in the identity provider metadata:
|
||||
|
||||
- Redirect binding::
|
||||
|
||||
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.mik.lan:8001/idp/saml2/slo" ResponseLocation="http://idp.mik.lan:8001/idp/saml2/slo_return" />
|
||||
|
||||
- SOAP binding::
|
||||
|
||||
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.mik.lan:8001/idp/saml2/slo/soap" />
|
||||
|
||||
|
||||
How activate the SLO?
|
||||
=====================
|
||||
|
||||
No activation is required. However it is required a policy be found for the
|
||||
source or the desitnation of the logout request.
|
||||
|
||||
The sp options policy or idp options policy that applies has parameters to
|
||||
indicate if the sp or idp which the policy applies is allowed to send and
|
||||
receive logout requests.
|
||||
|
||||
Then, create the 'default' options policy and check the both options
|
||||
*Accept to receive Single Logout requests* and *Forward Single Logout requests* as follows:
|
||||
|
||||
.. image:: pictures/slo_sp_options_activated.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/slo_idp_options_activated.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
|
||||
How deactivate the SLO?
|
||||
=======================
|
||||
|
||||
There is no real deactivation process. When it is possible and authorized,
|
||||
Authentic 2 send logout requests when a logout request is received.
|
||||
|
||||
If an options policy is not found for the source or the destination of the
|
||||
logout request, the logout requests are not accepted nor forwarded.
|
||||
|
||||
However it is not the right way. The best is to create the 'all' options
|
||||
policies with the options *Accept to receive Single Logout requests* and *Forward Single Logout requests* unchecked as follows:
|
||||
|
||||
.. image:: pictures/slo_sp_options_deactivated.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
.. image:: pictures/slo_idp_options_deactivated.png
|
||||
:width: 800 px
|
||||
:align: center
|
||||
|
||||
Take care that the 'all' policies are authoritative. To desactivate the SLO
|
||||
but for particular providers, the best is to unchecked these options on the
|
||||
'default' options policies and apply regular policies to those particular
|
||||
providers.
|
||||
|
||||
How refuse SLO from an identity provider?
|
||||
=========================================
|
||||
|
||||
Uncheck the option *Accept to receive Single Logout requests* of the policy that applies to that identity
|
||||
provider.
|
||||
|
||||
How refuse SLO from a service provider?
|
||||
=======================================
|
||||
|
||||
Uncheck the option *Accept to receive Single Logout requests* of the policy that applies to that service
|
||||
provider.
|
||||
|
||||
How indicate identity providers to not forward logout request?
|
||||
==============================================================
|
||||
|
||||
Uncheck the option *Forward Single Logout requests* of the policies that applies to the identity
|
||||
providers logout requests must not be forwarded.
|
||||
|
||||
How indicate service providers to not forward logout request?
|
||||
=============================================================
|
||||
|
||||
Uncheck the option *Forward Single Logout requests* of the policies that applies to the service
|
||||
providers logout requests must not be forwarded.
|
||||
|
||||
How do manage the SLO without closing the local session?
|
||||
========================================================
|
||||
|
||||
Not implemented.
|
|
@ -1,9 +0,0 @@
|
|||
.. _settings:
|
||||
|
||||
===============================
|
||||
Works with authentic 2 settings
|
||||
===============================
|
||||
|
||||
This section has to be done. If you need it now, say it on the issue tracker :
|
||||
|
||||
https://dev.entrouvert.org/issues/6047
|
|
@ -1,97 +0,0 @@
|
|||
.. _settings_listing:
|
||||
|
||||
============
|
||||
All settings
|
||||
============
|
||||
|
||||
Activate or deactivate debug mode
|
||||
=================================
|
||||
|
||||
Variable: DEBUG
|
||||
|
||||
Values:
|
||||
|
||||
* False: deactivate debug mode
|
||||
* True: activate debug mode
|
||||
|
||||
Manage session cookie duration
|
||||
==============================
|
||||
|
||||
Variable: SESSION_EXPIRE_AT_BROWSER_CLOSE
|
||||
|
||||
Values:
|
||||
|
||||
* False: Cookies are not removed when browser is closed.
|
||||
* True: Cookies are removed when browser is closed.
|
||||
|
||||
Variable: SESSION_COOKIE_AGE
|
||||
|
||||
Value:
|
||||
|
||||
* Seconds (36000 equal 10 hours)
|
||||
|
||||
Time zone selection
|
||||
===================
|
||||
|
||||
Variable: TIME_ZONE
|
||||
|
||||
Values:
|
||||
|
||||
* See http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
|
||||
|
||||
Activate or deactivate SSL authentication
|
||||
=========================================
|
||||
|
||||
Variable: AUTH_SSL
|
||||
|
||||
Values:
|
||||
|
||||
* False: deactivate SSL authentication
|
||||
* True: activate SSL authentication
|
||||
|
||||
Activate or deactivate OpenID authentication, Authentic 2 is an OpenID relying party
|
||||
====================================================================================
|
||||
|
||||
Variable: AUTH_OPENID
|
||||
|
||||
Values:
|
||||
|
||||
* False: deactivate OpenID authentication
|
||||
* True: activate OpenID authentication
|
||||
|
||||
Activate or deactivate Authentic 2 as a SAML2 identity provider
|
||||
===============================================================
|
||||
|
||||
Variable: IDP_SAML2
|
||||
|
||||
Values:
|
||||
|
||||
* False: deactivate SAML2 identity provider
|
||||
* True: activate SAML2 identity provider
|
||||
|
||||
Configure SAML2 keys
|
||||
====================
|
||||
|
||||
* SAML_SIGNATURE_PUBLIC_KEY: Certtificate or public key for signature
|
||||
* SAML_SIGNATURE_PRIVATE_KEY: Private key for signature
|
||||
* SAML_ENCRYPTION_PUBLIC_KEY: Certtificate or public key for encryption
|
||||
* SAML_ENCRYPTION_PRIVATE_KEY: Private key for encryption
|
||||
|
||||
Values are pem files of X509 certificate or key, e.g.:
|
||||
SAML_SIGNATURE_PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
|
||||
MII...WA==
|
||||
-----END RSA PRIVATE KEY-----'''
|
||||
|
||||
If SAML_ENCRYPTION_PUBLIC_KEY or SAML_ENCRYPTION_PRIVATE_KEY are not given,
|
||||
the signature keys are used for encryption.
|
||||
|
||||
|
||||
Activate or deactivate Authentic 2 as a CAS server
|
||||
==================================================
|
||||
|
||||
Variable: IDP_CAS
|
||||
|
||||
Values:
|
||||
|
||||
* False: deactivate CAS server
|
||||
* True: activate CAS server
|
|
@ -1,192 +0,0 @@
|
|||
.. _sync-metadata_script:
|
||||
|
||||
===========================================================================================================
|
||||
How to create/import and delete in bulk SAML2 identity and service providers with the sync-metadata script?
|
||||
===========================================================================================================
|
||||
|
||||
This section explains hot to use the script sync-metadata.
|
||||
|
||||
Presentation
|
||||
============
|
||||
|
||||
This script allows to create/import and deleted in bulk SAML2 identity and
|
||||
service providers using standard SAML2 metadata files containing entity
|
||||
descriptors.
|
||||
|
||||
An example of such a file used in production is the global metadata file of
|
||||
the identity federation of French universities that can be found at http://...
|
||||
|
||||
Use the following command::
|
||||
|
||||
path_to_project/authentic2$ python manage.py sync-metadata file_name [options]
|
||||
|
||||
Configuration of attributes
|
||||
===========================
|
||||
|
||||
If a service provider has AttributeConsumingService nodes in its
|
||||
SPSSODescriptor then we create an attribute declaration for each declared
|
||||
attribute. If the attribute is optional, the attribute declaration is created
|
||||
disabled.
|
||||
|
||||
Currently it only supports the LDAP and the LDAP attribute profile of SAML,
|
||||
i.e. SAML attribute names must be LDAP attributes oid, the NameFormat must be
|
||||
URI, and an LDAP server must declared so that LDAP attributes can be resolved.
|
||||
Authentic2 contains a databases of the more common LDAP schemas to help the
|
||||
resolution of attributes OIDs.
|
||||
|
||||
Example of an AttributeConsumingService node::
|
||||
|
||||
<md:AttributeConsumingService index="0">
|
||||
<md:ServiceName
|
||||
xml:lang="fr">Université Paris 1 - cours en ligne</md:ServiceName>
|
||||
|
||||
<md:ServiceDescription xml:lang="fr">Cours en ligne de l'université
|
||||
Paris 1 Panthéon - Sorbonne (LMS Moodle)
|
||||
</md:ServiceDescription>
|
||||
|
||||
|
||||
<md:RequestedAttribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
isRequired="true">
|
||||
|
||||
</md:RequestedAttribute>
|
||||
|
||||
<md:RequestedAttribute FriendlyName="mail"
|
||||
Name="urn:oid:0.9.2342.19200300.100.1.3"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
isRequired="true">
|
||||
|
||||
</md:RequestedAttribute>
|
||||
|
||||
<md:RequestedAttribute FriendlyName="displayName"
|
||||
Name="urn:oid:2.16.840.1.113730.3.1.241"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
isRequired="true">
|
||||
|
||||
</md:RequestedAttribute>
|
||||
|
||||
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
|
||||
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
isRequired="true">
|
||||
|
||||
</md:RequestedAttribute>
|
||||
|
||||
<md:RequestedAttribute FriendlyName="eduPersonAffiliation"
|
||||
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
isRequired="true">
|
||||
|
||||
</md:RequestedAttribute>
|
||||
|
||||
<md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
isRequired="true">
|
||||
|
||||
</md:RequestedAttribute>
|
||||
|
||||
<md:RequestedAttribute FriendlyName="cn" Name="urn:oid:2.5.4.3"
|
||||
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
|
||||
isRequired="true">
|
||||
|
||||
</md:RequestedAttribute>
|
||||
|
||||
</md:AttributeConsumingService>
|
||||
|
||||
If you do not want the attribute declarations to be automatically created pass
|
||||
the option `--dont-load-attribute-consuming-service` to the `sync-metadata` command.
|
||||
|
||||
Options
|
||||
=======
|
||||
|
||||
* idp
|
||||
|
||||
Load only identity providers of the metadata file.
|
||||
|
||||
* sp
|
||||
|
||||
Load only service providers of the metadata file.
|
||||
|
||||
* source
|
||||
|
||||
Used to tag all imported providers with a label. This option is used to
|
||||
metadata reloading and deletion in bulk.
|
||||
|
||||
Reloading a metadata file, when a provider with same entity is found, it is
|
||||
updated. If a provider in the metadata file does not exist it is created.
|
||||
If a provider exists in the system but not in the metadata file, it is
|
||||
removed.
|
||||
|
||||
**For reloading, a source can only be associated with a unique metadata
|
||||
file. This is due to the fact that all providers of a source not found in
|
||||
the metadata file are removed.** ::
|
||||
|
||||
path_to_project/authentic2$ python manage.py sync-metadata file_name --source=french_federation
|
||||
|
||||
* sp-policy
|
||||
|
||||
To configure the SAML2 parameters of service providers imported with the
|
||||
script, a policy of type SPOptionsIdPPolicy must be created in the
|
||||
the administration interface.
|
||||
Either it is a global policy 'Default' or 'All' or it is a regular policy.
|
||||
If it is a regular policy, the policy name can be specified in parameter
|
||||
of the script with this option.
|
||||
The policy is then associated to all service providers created.
|
||||
|
||||
::
|
||||
|
||||
path_to_project/authentic2$ python manage.py sync-metadata file_name --sp-policy=sp_policy_name
|
||||
|
||||
* idp-policy
|
||||
|
||||
To configure the SAML2 parameters of identity providers imported with the
|
||||
script, a policy of type IdPOptionsSPPolicy must be created in the
|
||||
the administration interface.
|
||||
Either it is a global policy 'Default' or 'All' or it is a regular policy.
|
||||
If it is a regular policy, the policy name can be specified in parameter
|
||||
of the script with this option.
|
||||
The policy is then associated to all service providers created.
|
||||
|
||||
::
|
||||
|
||||
path_to_project/authentic2$ python manage.py sync-metadata file_name --idp-policy=idp_policy_name
|
||||
|
||||
* delete
|
||||
|
||||
With no options, all providers are deleted.
|
||||
|
||||
With the source option, only providers with the source name given are deleted.
|
||||
|
||||
**This option can not be combined with options idp and sp.**
|
||||
|
||||
* ignore-errors
|
||||
|
||||
If loading of one EntityDescriptor fails, continue loading
|
||||
|
||||
* reset-atributes
|
||||
|
||||
When loading shibboleth attribute filter policies, start by removing all
|
||||
existing SAML attributes for each provider, beware that it will delete any
|
||||
customization of the attribute policy for each service provider.
|
||||
|
||||
* dont-load-attribute-consuming-service
|
||||
|
||||
Prevent loading of the attribute policy from AttributeConsumingService nodes
|
||||
in the metadata file.
|
||||
|
||||
* shibboleth-attribute-filter-policy
|
||||
|
||||
Path to a file containing an Attribute Filter Policy for the
|
||||
Shibboleth IdP, that will be used to configure SAML attributes for
|
||||
each provider. The following schema is supported::
|
||||
|
||||
<AttributeFilterPolicy id="<whatever>">
|
||||
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="<entityID>" >
|
||||
[
|
||||
<AttributeRule attributeID="<attribute-name>">
|
||||
<PermitValueRule xsi:type="basic:ANY"/>
|
||||
</AttributeRule>
|
||||
]*
|
||||
</AttributeFilterPolicy>
|
||||
|
||||
Any other kind of attribute filter policy is unsupported.
|
|
@ -1,9 +0,0 @@
|
|||
.. _translation:
|
||||
|
||||
|
||||
Compiling translations
|
||||
======================
|
||||
|
||||
Translations must compiled to be useful, to do that run the following command::
|
||||
|
||||
./setup.py compile_translations
|
|
@ -1,17 +0,0 @@
|
|||
.. _upgrading:
|
||||
|
||||
=========
|
||||
Upgrading
|
||||
=========
|
||||
|
||||
Update using pip::
|
||||
|
||||
pip install -U authentic2
|
||||
|
||||
Authentic store all its data in a relational database as specified in its
|
||||
settings.py or local_settings.py file. So in order to upgrade to a new version
|
||||
of authentic you have to update your database schema using the
|
||||
migration command — you will need to have installed the dependency django-south,
|
||||
see the beginning of this README file.::
|
||||
|
||||
authentic2-ctl syncdb --migrate
|
|
@ -1,18 +0,0 @@
|
|||
.. _where_metadata:
|
||||
|
||||
===============================================
|
||||
Where do I find the Authentic 2 SAML2 metadata?
|
||||
===============================================
|
||||
|
||||
The SAML2 metadata are automatically generated.
|
||||
|
||||
**Authentic 2 will infer from environment variables the host and port to
|
||||
generate the URLs contained in the medatada.**
|
||||
|
||||
The metadata of Authentic 2 SAML2 identity provider are available at:
|
||||
|
||||
http[s]://your.domain.com/idp/saml2/metadata
|
||||
|
||||
The metadata of Authentic 2 SAML2 service provider are available at:
|
||||
|
||||
http[s]://your.domain.com/authsaml2/metadata
|