entrouvert
/
authentic
16
0
Fork 0
Code Issues Pull Requests 32 Releases Activity

misc: remove documentation files (#53764)

This commit is contained in:
Valentin Deniaud 2021-05-05 14:12:51 +02:00
parent 7d0303d5df
commit df7fa5df7e
88 changed files with 2 additions and 2788 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README
View File

@ -17,7 +17,8 @@ specifications of SAML2.
Authentic 2 requires Python 2.7 and Django 1.7.
Full documentation available on http://authentic2.readthedocs.org/en/stable/.
Full documentation available on http://authentic2.readthedocs.org/en/stable/,
maintained in a distinct repository https://git.entrouvert.org/authentic2-doc.git/.
Features
--------

153
doc/Makefile
View File

@ -1,153 +0,0 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER =
BUILDDIR = _build
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
clean:
-rm -rf $(BUILDDIR)/*
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Authentic2.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Authentic2.qhc"
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/Authentic2"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Authentic2"
@echo "# devhelp"
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
man:
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."

16
doc/admin_access.rst
View File

@ -1,16 +0,0 @@
.. _admin_access:
============================================
Access the grapical administration interface
============================================
The grapical administration interface is the 'Django admin' part of a Django
project. See for more information.
Just acces the admin url at http[s]://your.domain.com/admin.
At first you log with the superuser you created at the very first database
initialization.
Then you can configure other accesses to the admin checking the is_staff
option displayed on a user in the admin.

37
doc/administration_with_policies.rst
View File

@ -1,37 +0,0 @@
.. _administration_with_policies:
==================
Work with policies
==================
The policy management with global policies is nearly used for any kind of
policy in Authentic 2.
For each kind of these policies, the system takes in account two special
global policies named 'Default' and 'All':
* There is always a system default that does not correspond to the 'Default'
policy. This is used to make Authentic 2 boot without initial
configuration. When you add a 'Default' policy, the system default are not
used anymore.
* A policy has always a name, 'Default' and 'All' are the names of two special
policies with their name hardcoded. But you can create or delete them.
* If no other policy applies, the policy 'Default' applies.
* A policy can be created and attached to any related object. This policy is
authoritative on the policy 'Default'.
* If the policy 'All' exists, it is authoritative on any other policy.
* The global policies 'All' and 'Default' are created by the administrator if
necessary.
* A policy is taken in account only if it is enabled.
* When a regular policy is associated with an object, it is taken in account
only if the option 'enable the following policy' is checked on the oject.
It is advised to add a 'Default' global policy when it is expected to apply a
policy to all related objects. A 'Default' global policy should be defined to
avoid misonfiguration.
Add a regular policy to some objects are used to handle particular
configurations for a subset of related objects.
An 'All' global policy should be used to enforce a global configuration for
all related objects or for testing purposes.

125
doc/advanced.rst
View File

@ -1,125 +0,0 @@
.. _advanced:
===============
Advanced topics
===============
- :ref:`attributes_in_session`
- :ref:`writing_migrations`
- :ref:`write_new_kind_policy`
.. _attributes_in_session:
Attributes in session pushed by third SAML2 identity providers
==============================================================
When an assertion is received, assertion data, including attributes, are
pushed in the Django session dictionnary.
It leads to the creation of the following dictionnary::
request.session['multisource_attributes']
The keys of the dictionnary are the source names, i.e. the entity Id for
SAML2 identity providers.
The values are list of data extracted from assertions. Indeed, this is done
to store multiple assertion received from a same source in a same Django
session::
request.session['multisource_attributes'] \
[source_name] = list()
The items of this list are dictionnaries with the keys 'certificate_type' and
'attributes'.
For a saml2 assertion, all the keys are::
a8n['certificate_type'] = 'SAML2_assertion'
a8n['nameid'] = ...
a8n['subject_confirmation_method'] = ...
a8n['not_before'] = ...
a8n['not_on_or_after'] = ...
a8n['authn_context'] = ...
a8n['authn_instant'] = ...
a8n['attributes'] = attrs
a8n['attributes'] has the following structure::
attributes = {}
attributes[name] = (value1, value2, )
attributes[(name, format)] = (value1, value2, )
attributes[(name, format, nickname)] = (value1, value2, )
a8n['attributes'] = attributes
.. _writing_migrations:
Writing migrations
==================
Migration containing reference to the user model must be rewritten manually to
refer to the user model name indirectly. The followind modifications must be applied.
1. First import the `user_model_label` from the `authentic2.compat` module:
::
from authentic2.compat import user_model_label
Any reference to `orm['auth.User']` or `orm['authentic2.User']` must be
rewritten into `orm[user_model_label]`. For example this line:::
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['authentic2.User'])),
must be changed to:::
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm[user_model_label])),
2. The user model when appearing in the `models` field like this:
::
'auth.user': {
'meta': {'object_name': 'User',
must be rewritten like that:::
user_model_label: {
'Meta': {'object_name': user_model_label.split('.')[-1]},
3. If the user model is referred inside the `to` field of a foreign key
declaration like this:
::
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['auth.User']"})
must be rewritten like that:::
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['%s']" user_model_label})
.. _write_new_kind_policy:
Add a new kind of administration policy
=======================================
See how policies works :ref:`administration_with_policies`. Then, the bahavior
should look like::
def get_sample_policy(any_object):
# Look for a global policy 'All'
try:
return SamplePolicy.objects.get(name='All', enabled=True)
except SamplePolicy.DoesNotExist:
pass
# Look for a regular policy
if any_object.enable_following_sample_policy:
if any_object.sample_policy:
return any_object.sample_policy
# Look for a global policy 'Default'
try:
return SamplePolicy.objects.get(name='Default', enabled=True)
except SamplePolicy.DoesNotExist:
pass
return None

443
doc/attribute_management.rst
View File

@ -1,443 +0,0 @@
.. _attribute_management:
===================================
Attribute Management in Authentic 2
===================================
Summary
=======
Attribute management currently allows to configure attribute policies
associated with SAML2 service providers to define attributes that are
pushed in SAML2 successful authentication response delivered by Authentic 2.
User attributes can be taken from LDAP directories, the user Django
profile or taken from the user Django session if Authentic 2 is also configured
as a SAML2 service provider.
Indeed, when Authentic 2 acts also as a SAML2 service provider,
attributes contained in the SAML2 assertion received from third IdP are put in
the user session.
Attributes can thus be proxyfied during SSO with Authentic 2
configured as a SAML2 proxy.
*If there is no attribute policy associate with a service provider, no
attribute is forwarded to it.*
The namespace of attributes received from another SAML2 IdP and of attributes
pushed in the assertion given to service providers can be configured per
attribute or per service provider.
By default, the namespace and format of attributes in assertion is conformant
to the SAMLV2.0 X500/LDAP Attribute profile::
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:2.5.4.42" FriendlyName="givenName">
<saml:AttributeValue xsi:type="xs:string"
x500:Encoding="LDAP">Mikaël</saml:AttributeValue>
</saml:Attribute>
But the http://schemas.xmlsoap.org/ws/2005/05/identity/claims from the ISI
profile can also be used, for instance::
<saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
FriendlyName="First Name">
<saml:AttributeValue>Mikaël</saml:AttributeValue>
</saml:Attribute>
Configuration
=============
Configure local sources of attributes
-------------------------------------
The source of attributes for authentic2 are of two kinds. The LDAP sources and
the user django profile.
Declare the Django profile source
_________________________________
Add an attribute source named USER_PROFILE with namespace 'Default'.
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/
2. Write 'USER_PROFILE' in name field
.. image:: pictures/user_profile_source.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/user_profile_source_saved.png
:width: 800 px
:align: center
Add an LDAP Source
__________________
For LDAP sources, objects of type 'LDAPSource' must be created.
**Even if the authentication is based on LDAP authentification, thus that a
server is configured in settings.py, it is
necessary to create a corresponding 'LDAPSource' to use it as a source of
attribute.**
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/ldapsource/add/
2. Fill form fields
Only the field Name, Server, User, Password, Base and Port are used for now.
**The namespace of LDAP source must be kept to 'Default', since the system
namespace is based on LDAP.**
.. image:: pictures/ldapsource.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/ldapsource_saved.png
:width: 800 px
:align: center
Manage user distinguished names in LDAP directories
___________________________________________________
To find the user in a LDAP directory, authentic2 must know its distinguished
name (DN). If this LDAP has been used when the user has authenticated,
Authentic 2 learn the user DN. Nothing has to be done from this point of view.
However, if it is expected that user attributes be taken in a directory that
is not used by the user for authentication, it is necessary to manually
indicate to Authentic 2 what is the user DN in the directory. For this, a
user alias in source is created for the user:
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/useraliasinsource/add/
2. Fill form fields
.. image:: pictures/alias_in_source.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/alias_in_source_saved.png
:width: 800 px
:align: center
Configure attributes from local sources pushed to SAML2 service providers in SSO response
-----------------------------------------------------------------------------------------
Reminder:
- The default name format in SAML2 assertions is URI
- The default namespace called 'Default' is LDAP
In summary:
1. Create attribute items indicating an attribute name, a source, the name format expected and the namespace expected for the attribute name and friendly name if any.
2. Create a named list of attribute items.
3. Create an attribute policy and associate the previous list or associate the previous list to a existing attribute policy.
4. Associate the policy to a service provider.
Create attribute items
______________________
1. Go to http[s]://your.domain.com/admin/idp/attributeitem/add/
2. Fill form fields
.. image:: pictures/attribute_item.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/attribute_item_saved.png
:width: 800 px
:align: center
Create a named list of attribute items
______________________________________
1. Go to http[s]://your.domain.com/admin/idp/attributelist/add/
2. Name the list and add items to list
.. image:: pictures/attribute_list.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/attribute_list_saved.png
:width: 800 px
:align: center
Create or modify an attribute policy
____________________________________
You can create a global policy 'All' or 'Default'. For details, see :ref:`administration_with_policies`.
Or you can create a regular policy and associate it to a service provider.
1. Go to http[s]://your.domain.com/admin/idp/attributepolicy/add/
2. Add list to the policy
.. image:: pictures/policy_pull.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/policy_pull_saved.png
:width: 800 px
:align: center
Associate the policy to a service provider
__________________________________________
1. Go to http[s]://your.domain.com/admin/saml/libertyprovider/1/
2. Associate the policy to the service provider and **enable it**
.. image:: pictures/sp_policy_pull.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/sp_policy_pull_saved.png
:width: 800 px
:align: center
4. The display name of the policy has changed
.. image:: pictures/policy_pull_renamed.png
:width: 800 px
:align: center
Handle attributes provided by other Identity providers and pushed to SAML2 service providers in SSO response (proxy attributes)
-------------------------------------------------------------------------------------------------------------------------------
To have these kind of attributes to forward, authentic must be configured as a
SAML2 service provider, see the corresponding administration page
:ref:`config_saml2_idp`.
Forward all attributes in session without any modification
__________________________________________________________
Create or modify an attribute policy activating the option 'Forward attributes from push sources' and save.
**No other option below must be used.**
.. image:: pictures/attr_policy_forward.png
:width: 800 px
:align: center
**Attach policy to the service provider if it is not yet the case.**
**No need to deal with namespace here.**
Filter attributes from source only
__________________________________
Here, you want to forward **all** attributes of selected source of attributes.
First of all you need to create objects corresponding to the sources of
attributes.
**The name of the source object must be the entity ID of the SAML2
identity provider.**
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/
2. Set the name (No need to change the namespace)
.. image:: pictures/attr_source_idp.png
:width: 800 px
:align: center
3. Save
.. image:: pictures/attr_source_idp_saved.png
:width: 800 px
:align: center
Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**.
You then select the source you want to forward attributes through the selection box and you save.
.. image:: pictures/attr_policy_filter_source.png
:width: 800 px
:align: center
**Attach policy to the service provider if it is not yet the case.**
**No need to deal with namespace here.**
Modify namespace of attributes forwarded when attributes forwarded are not filtered or when filtered according to the source
____________________________________________________________________________________________________________________________
The system needs to 'recognise the attributes' to perform the mapping.
For this, you need to indicate the namespace of attributes received per source
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu*
and supann).
In other words if the source provides attributes in a different namespace, you
need to create objects corresponding to the sources of attributes and indicate
there the right namespace. By default, the only other supported namespace is
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
.. image:: pictures/attr_source_idp_claims.png
:width: 800 px
:align: center
Then create or modify an attribute policy activating the options 'Forward attributes from push sources',
**'Map attributes from push sources'**. You also choose the output namespace expected with the
parameters **'Output name format'** and **'Output namespace'**.
.. image:: pictures/attr_policy_map_ns.png
:width: 800 px
:align: center
Remind that the default namespace is X500/LDAP + edu* + supann and the only other supported namespace is
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
**Attach policy to the service provider if it is not yet the case.**
Filter attributes with a list of attributes, with or without choosing the source
________________________________________________________________________________
The system needs to 'recognise the attributes' to filter the attributes
according to a list of attributes.
For this, you need to indicate the namespace of attributes received per source
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu*
and supann).
In other words if the source provides attributes in a different namespace, you
need to create objects corresponding to the sources of attributes and indicate
there the right namespace. By default, the only other supported namespace is
http://schemas.xmlsoap.org/ws/2005/05/identity/claims.
.. image:: pictures/attr_source_idp_claims.png
:width: 800 px
:align: center
You then create an attribute list as described in section *'Create a named list of attribute items'*.
Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**.
You then associate the list of attributes.
.. image:: pictures/attr_policy_filter_attributes.png
:width: 800 px
:align: center
If you want to also filter according to the source you can configure it as defined in section *'Filter attributes from source only'*. You can also choose to filter
with the source indicate per attribute item of the list. For this select the option **'Filter source of filtered attributes'**.
.. image:: pictures/attr_policy_filter_attributes_source.png
:width: 800 px
:align: center
.. image:: pictures/attribute_item.png
:width: 800 px
:align: center
The default name format is URI. You can however change the name format and namespace with the option **'Map attributes from push sources'** and the parameters **'Output name format'** and **'Output namespace'**.
Using the option **'Map attributes of filtered attributes'** the output name format and namespace are the ones indicated per attribute item of the list.
.. image:: pictures/attr_policy_filter_attributes_map.png
:width: 800 px
:align: center
.. image:: pictures/attribute_item.png
:width: 800 px
:align: center
Push manually (writing bits of code) attributes to SAML2 service providers in SSO response
------------------------------------------------------------------------------------------
In idp/signals.py connect to the add_attributes_to_response signal::
add_attributes_to_response.connect(your_function)
Your function must return an attribute dictionnary as follows::
dic = {}
attributes = {}
attributes[name] = (value1, value2, )
attributes[(name, format)] = (value1, value2, )
attributes[(name, format, nickname)] = (value1, value2, )
dic['attributes'] = attributes
return dic
*format* must be in (lasso.SAML2_ATTRIBUTE_NAME_FORMAT_URI,
lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC)
You can use the attributes form the local source and the attributes in the
session that are pushed by other identity providers.
Attributes in the session are in::
request.session['multisource_attributes']
See the page :ref:`attributes_in_session`.
If you want to use local source of attributes and use mapping capabilities
of the UserAttributeProfile see the page :ref:`attribute_management_explained`.
Use the file idp/attributes.py as an exemple.
Modifying supported namespaces and attribute name mappings
==========================================================
The mapping is defined in the file attribute_aggregator/mapping.py
The mapping can be modified with the variables ATTRIBUTE_NAMESPACES and
ATTRIBUTE_MAPPING that can be redefined using settings.
Add new namespaces in ATTRIBUTE_NAMESPACES.
To extend the default schema add key/value in ATTRIBUTE_MAPPING, for instance::
"displayName": {
"oid": "2.16.840.1.113730.3.1.241",
"display_name": _("displayName"),
"type": "http://www.w3.org/2001/XMLSchema#string",
"syntax": "1.3.6.1.4.1.1466.115.121.1.15",
},
Add mapping of attribute name extending attribute entries in ATTRIBUTE_MAPPING,
for instance::
"sn": {
"oid": "2.5.4.4",
"display_name": _("sn surname"),
"alias": ['surname'],
"profile_field_name": 'last_name',
"type": "http://www.w3.org/2001/XMLSchema#string",
"namespaces": {
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims": {
"identifiers":
[
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
],
"friendly_names":
[
"Last Name",
],
}
}
},

61
doc/auth_ldap.rst
View File

@ -1,61 +0,0 @@
.. _auth_ldap:
==============================================
Authentication with an existing LDAP directory
==============================================
Authentic use the module django_auth_ldap to synchronize the Django user tables
with an LDAP. For complex use case, we will refer you to the django_auth_ldap
documentation, see http://packages.python.org/django-auth-ldap/.
How to authenticate users against an LDAP server with anonymous binding ?
-------------------------------------------------------------------------
1. Install the django_auth_ldap module for Django::
pip install django_auth_ldap
2. Configure your local_settings.py file for authenticating against LDAP.
The next lines must be added::
AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', )
import ldap
from django_auth_ldap.config import LDAPSearch
# Here put the LDAP URL of your server
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com'
# Let the bind DN and bind password blank for anonymous binding
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""
# Lookup user under the branch o=base and by mathcing their uid against the
# received login name
AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
How to allow members of an LDAP group to manage Authentic ?
-----------------------------------------------------------
1. First you must know the objectClass of groups in your LDAP schema, this FAQ
will show you the configuration for two usual classes: groupOfNames and
groupOfUniqueNames.
2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany
3. Add the following lines::
from django_auth_ldap.config import GroupOfNamesType
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_staff": "cn=admin,o=mycompany"
}
For an objectClass of groupOfUniqueNames you would change the string
GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to
groupOfUniqueNames. For more complex cases see the django_auth_ldap
documentation.

21
doc/change_db.rst
View File

@ -1,21 +0,0 @@
.. _change_db:
===============================
Specifying a different database
===============================
This is done by modifying the DATABASES dictionary in your local_settings.py
file (create it in Authentic project directory); for example::
DATABASES['default'] = {
'ENGINE': 'django.db.backends.postgresql',
'NAME': 'authentic',
'USER': 'admindb',
'PASSWORD': 'foobar',
'HOST': 'db.example.com',
'PORT': '', # empty string means default value
}
You should refer to the Django documentation on databases settings at
http://docs.djangoproject.com/en/dev/ref/settings/#databases for all
the details.

254
doc/conf.py
View File

@ -1,254 +0,0 @@
# -*- coding: utf-8 -*-
#
# Authentic2 documentation build configuration file, created by
# sphinx-quickstart on Thu Oct 13 14:38:32 2011.
#
# This file is exec()d with the current directory set to its containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
# sys.path.insert(0, os.path.abspath('.'))
# -- General configuration -----------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = [
'sphinx.ext.autodoc',
'sphinx.ext.doctest',
'sphinx.ext.intersphinx',
'sphinx.ext.todo',
'sphinx.ext.coverage',
'sphinx.ext.imgmath',
'sphinx.ext.ifconfig',
'sphinx.ext.viewcode',
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix of source filenames.
source_suffix = '.rst'
# The encoding of source files.
# source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = 'Authentic 2'
copyright = '2012, 2011, 2010, Entr\'ouvert'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '2'
# The full version, including alpha/beta/rc tags.
release = '2.0.2'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
# language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
# today = ''
# Else, today_fmt is used as the format for a strftime call.
# today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ['_build']
# The reST default role (used for this markup: `text`) to use for all documents.
# default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
# add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
# add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
# show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []
# -- Options for HTML output ---------------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'default'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
# html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
# html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
# html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
# html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
html_logo = 'pictures/eo_logo_t.png'
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
# html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
# html_last_updated_fmt = '%b %d, %Y'
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
# html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
# html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
# html_additional_pages = {}
# If false, no module index is generated.
# html_domain_indices = True
# If false, no index is generated.
# html_use_index = True
# If true, the index is split into individual pages for each letter.
# html_split_index = False
# If true, links to the reST sources are added to the pages.
# html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
# html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
# html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
# html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
# html_file_suffix = None
# Output file base name for HTML help builder.
htmlhelp_basename = 'Authentic2doc'
# -- Options for LaTeX output --------------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
#'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
#'preamble': '',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
('index', 'Authentic2.tex', 'Authentic2 Documentation', 'Entr\'ouvert', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
latex_logo = 'pictures/eo_logo.png'
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
# latex_use_parts = False
# If true, show page references after internal links.
# latex_show_pagerefs = False
# If true, show URL addresses after external links.
# latex_show_urls = False
# Documents to append as an appendix to all manuals.
# latex_appendices = []
# If false, no module index is generated.
# latex_domain_indices = True
# -- Options for manual page output --------------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [('index', 'authentic2', 'Authentic2 Documentation', [u'Mikaël Ates'], 1)]
# If true, show URL addresses after external links.
# man_show_urls = False
# -- Options for Texinfo output ------------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(
'index',
'Authentic2',
'Authentic2 Documentation',
'Mikaël Ates',
'Authentic2',
'One line description of project.',
'Miscellaneous',
),
]
# Documents to append as an appendix to all manuals.
# texinfo_appendices = []
# If false, no module index is generated.
# texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
# texinfo_show_urls = 'footnote'
# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {'http://docs.python.org/': None}

28
doc/config_cas_sp.rst
View File

@ -1,28 +0,0 @@
.. _config_cas_sp:
=====================================
Configure Authentic 2 as a CAS server
=====================================
How to use Authentic 2 as a CAS 1.0 or CAS 2.0 identity provider ?
------------------------------------------------------------------
1. Activate CAS IdP support in settings.py::
IDP_CAS = True
2. Then create the database table to hold CAS service tickets::
python authentic2/manage.py syncdb --migrate
3. Also configure authentic2 to authenticate against your LDAP directory (see
above) if your want your user attributes to be accessible from your service,
if it is not necessary you can use the normal relational database storage
for you users.
4. Finally configure your service to point to the CAS endpoint at:
http[s]://your.domain.com/idp/cas/
5. If needed configure your service to resolve authenticated user with your
LDAP directory (if user attributes are needed for your service)

167
doc/config_saml2_idp.rst
View File

@ -1,167 +0,0 @@
.. _config_saml2_idp:
==================================================================
Configure Authentic 2 as a SAML2 service provider or a SAML2 proxy
==================================================================
**The configuration to make Authentic 2 a SAML2 service provider or a SAML2
proxy is the same. The difference comes from that Authentic 2 is may be
configured or not as a SAML2 identity provider.**
How do I authenticate against a third SAML2 identity provider?
==============================================================
1. Declare Authentic 2 as a SAML2 service provider on your SAML2 identity provider using the SAML2 service provider metadata of Authentic 2.
Go to http[s]://your.domain.com/authsaml2/metadata
2. Add and configure a SAML2 identity provider entry in Authentic 2 using the metadata of the identity provider.
How do I add and configure a SAML2 identity provider in Authentic 2?
====================================================================
You first need to create a SAML2 identity provider entry with the SAML2
metadata of the identity provider. Then, you configure it.
If your identity provider is Authentic 2, the metadata are available at:
http[s]://your.domain.com/idp/saml2/metadata
See :ref:`where_metadata` for more information.
Create a SAML2 identity provider entry
--------------------------------------
You first need to create a new SAML2 identity provider entry. This requires
the SAML2 metadata of the identity provider.
1. Go to
http[s]://your.domain.com/admin/saml/libertyprovider/add/
2. Fill the form fields
.. image:: pictures/new_saml2_idp_1.png
:width: 800 px
:align: center
.. image:: pictures/new_saml2_idp_2.png
:width: 800 px
:align: center
**The identity provider must be enabled.**
See below about configuring the identity provider with policies:
* options of the identity provider
3. Save
.. image:: pictures/new_saml2_idp_saved.png
:width: 800 px
:align: center
Apply a SAML2 identity provider options policy
----------------------------------------------
The SAML2 options of the identity provider are configured using idp options
policies. For the explanation of the options see the following section.
See the *administration with policy principle* page :ref:`administration_with_policies`.
You may create a regular policy and configure your service provider to use it.
Go to:
http[s]://your.domain.com/admin/saml/idpoptionssppolicy/add/
Configure your policy and save:
.. image:: pictures/idp_options_regular.png
:width: 800 px
:align: center
.. image:: pictures/idp_options_regular_saved.png
:width: 800 px
:align: center
Apply the policy to the identity provider:
.. image:: pictures/idp_options_regular_modify_sp.png
:width: 800 px
:align: center
Example with a policy 'Default':
.. image:: pictures/idp_options_default.png
:width: 800 px
:align: center
Example with a policy 'All':
.. image:: pictures/idp_options_all.png
:width: 800 px
:align: center
If no policy is found for the configuration of the SAML2 options of an identity
provider, the following error is displayed to the users when a SSO request is
initiated.
.. image:: pictures/error_no_idp_options.png
:width: 800 px
:align: center
SAML2 identity provider options explained
-----------------------------------------
Behavior with persistent nameID
_______________________________
This option applies when an assertion with a persistent nameID is received and
the nameID is not recognized as an existing federation.
Two values are possible: "Create new account" and "Account linking by authentication".
The value "Create new account" makes Authentic 2 create a user account associated
to the nameID received.
The value "Account linking by authentication" makes Authentic 2 ask the user to
authenticate with an existing account to associate the nameID to this account.
Behavior with transient nameID
_______________________________
This option applies when an assertion with a transient nameID is received and
there isn't a session opened for the user yet.
Two values are possible: "Open a session" and "Ask authentication".
The value "Open a session" makes Authentic 2 open a session.
The value "Ask authentication" makes Authentic 2 ask for a user authentication,
even when a valid assertion is received. That may have sense for instance if
the SSO login is used only to receive signed attributes for users with existing
accounts.
How to refresh the metadata of an identity provider hosted at a Well-Known Location?
====================================================================================
The Well-Known Location (WKL) means that the entity Id of the provider is a
URL at which the provider metadata are hosted.
To refresh them, select the provider on the list of provider, then select in
the menu 'Update metadata', then click on 'Go'.
.. image:: pictures/update_metadata.png
:width: 800 px
:align: center
.. image:: pictures/update_metadata_done.png
:width: 800 px
:align: center
How to create in bulk identity providers with the sync-metadata script?
=======================================================================
See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`.

142
doc/config_saml2_sp.rst
View File

@ -1,142 +0,0 @@
.. _config_saml2_sp:
====================================
Configure SAML 2.0 service providers
====================================
How do I authenticate against Authentic 2 with a SAML2 service provider?
========================================================================
1. Declare Authentic 2 as a SAML2 identity provider on your SAML2 service provider using the SAML2 identity provider metadata of Authentic 2.
Go to http[s]://your.domain.com/idp/saml2/metadata
2. Add and configure a SAML2 service provider in Authentic 2 using the metadata of the service provider.
How do I add and configure a SAML2 service provider in Authentic 2?
===================================================================
You first need to create a new SAML2 service provider entry. This requires the
SAML2 metadata of the service provider.
If your service provider is Authentic 2, the metadata are available at:
http[s]://your.domain.com/authsaml2/metadata
See :ref:`where_metadata` for more information.
Create a SAML2 service provider entry
-------------------------------------
1. Go to
http[s]://your.domain.com/admin/saml/libertyprovider/add/
2. Fill the form fields
.. image:: pictures/new_saml2_sp_1.png
:width: 800 px
:align: center
.. image:: pictures/new_saml2_sp_2.png
:width: 800 px
:align: center
**Note:** The service provider must be enabled.
See below about configuring the service provider with policies:
* options of the service provider
* protocol policy
* attribute policy
3. Save
.. image:: pictures/new_saml2_sp_saved.png
:width: 800 px
:align: center
Apply a SAML2 service provider options policy
---------------------------------------------
The SAML2 options of the service provider are configured using sp options
policies.
See the *administration with policy principle* page :ref:`administration_with_policies`.
You may create a regular policy and configure your service provider to use it.
Go to:
http[s]://your.domain.com/admin/saml/spoptionsidppolicy/add/
Configure your policy and save:
.. image:: pictures/sp_options_regular.png
:width: 800 px
:align: center
.. image:: pictures/sp_options_regular_saved.png
:width: 800 px
:align: center
Apply the policy to the service provider:
.. image:: pictures/sp_options_regular_modify_sp.png
:width: 800 px
:align: center
Example with a policy 'Default':
.. image:: pictures/sp_options_default.png
:width: 800 px
:align: center
Example with a policy 'All':
.. image:: pictures/sp_options_all.png
:width: 800 px
:align: center
If no policy is found for the configuration of the SAML2 options of a service
provider, the following error is displayed to the users when a SSO request is
received.
.. image:: pictures/error_no_sp_options.png
:width: 800 px
:align: center
Configure the SAML2 service provider protocol options
-----------------------------------------------------
This kind of policy does not use the policy management using global policies.
You should use the default option except if your service provider is a
Shibboleth service provider, then you should use the option "Shibboleth SP
(AuthnRequest Signature: Does not check signatures)".
Configure the attribute policy of the service provider
------------------------------------------------------
See the attribute management page :ref:`attribute_management`.
How to refresh the metadata of a service provider hosted at a Well-Known Location?
==================================================================================
The Well-Known Location (WKL) means that the entity Id of the provider is a
URL at which the provider metadata are hosted.
To refresh them, select the provider on the list of provider, then select in
the menu 'Update metadata', then click on 'Go'.
.. image:: pictures/update_metadata.png
:width: 800 px
:align: center
How to create in bulk service providers with the sync-metadata script?
======================================================================
See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`.

86
doc/configuration.rst
View File

@ -1,86 +0,0 @@
.. _configuration:
=============
Configuration
=============
Configuration with settings
===========================
.. toctree::
:maxdepth: 1
settings
settings_listing
Configuration with the administration interface
===============================================
Basics
------
.. toctree::
:maxdepth: 1
admin_access
administration_with_policies
Authentication backends
-----------------------
.. toctree::
:maxdepth: 1
auth_ldap
SAML2
-----
.. toctree::
:maxdepth: 1
where_metadata
config_saml2_sp
config_saml2_idp
saml2_slo
CAS
---
.. toctree::
:maxdepth: 1
config_cas_sp
Attributes
----------
.. toctree::
:maxdepth: 1
attribute_management
User interfaces and interactions
--------------------------------
.. toctree::
:maxdepth: 1
consent_management
Administration
==============
.. toctree::
:maxdepth: 1
translation
cronjobs
sync-metadata_script

84
doc/consent_management.rst
View File

@ -1,84 +0,0 @@
.. _consent_management:
=================================
Consent Management in Authentic 2
=================================
What is the SAML2 federation consent aka account linking consent?
=================================================================
At the first single sign on process on the identity provider side, the user
may be asked if she agrees to federation its local account with the remote
account on the service provider side.
The account linking also called a federation means that the nameID is
persistent and will link the two accounts. This signed identifier allows to
the service provider to login the user without reauthentication during the
following single sign on process.
How the consent is collected is determined by the identity provider. The
service provider receives in the authnRequest the consent attribute
indicating how the user consent was managed.
Account linking consent management on the identity provider side
================================================================
The consent is managed per service provider according to the options policy
that applies to the service provider.
The parameter 'Ask user for consent when creating a federation' determine
if the user consent must be asked to the user.
.. image:: pictures/federation_consent_idp.png
:width: 800 px
:align: center
*Take care that is the identity provider provides the service provider with
a transient nameID, there is no account linking, so there is no need for a
consent.*
*The user consent is only asked once. In other words, if the user already has
a federation, the consent won't be asked anymore.*
If the policy requires the user consent, this can be bypassed using the signal
'avoid_consent'.
Account linking consent management on the service provider side
===============================================================
The service provider may refuse a valid single sign on if the user consent
was not asked.
The parameter 'Require the user consent be given at account linking' of the
identity provider options policy determine the service provider behavior.
.. image:: pictures/federation_consent_sp.png
:width: 800 px
:align: center
How manage attribute forwarding consent?
========================================
*If there is no attribute policy associate with a service provider, no
attribute is forwarded.*
When an attribute policy applies you can configure the consent rules per
service provider.
The choices are:
- Don't ask the user consent
- Ask the consent in all-or-nothing mode
- Allow attribute selection
To ask the user consent, tick the parameter 'Ask the user consent before
forwarding attributes' of the attribute policy that applies to the service
provider.
To allow the attribute selection on the attribute consent page, tick the
parameter 'Allow the user to select the forwarding attributes'.
.. image:: pictures/attributes_consent.png
:width: 800 px
:align: center

12
doc/copyright.rst
View File

@ -1,12 +0,0 @@
.. _copyright:
=========
Copyright
=========
Authentic and Authentic 2 are copyrighted by Entr'ouvert and are licensed
through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of
the whole license text is available in the COPYING file.
The Documentation is under the licence Creative Commons
`CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.

11
doc/cronjobs.rst
View File

@ -1,11 +0,0 @@
.. _cronjobs:
Cronjobs and cleaning
=====================
The following cronjob must be run to clean deleted accounts and temporary objects::
5 0 * * * athentic2-ctl cleanup
It's made to run every day at 00:05.

60
doc/deployment.rst
View File

@ -1,60 +0,0 @@
.. _deployment:
==================================================
Running Authentic 2 for real (Nginx, Apache, etc.)
==================================================
DEBUG Mode by default, static files and the Django debug toolbar dependency ?
-----------------------------------------------------------------------------
By default, Authentic 2 is in the DEBUG mode. We made this default choice
because most of the Authentic 2's users will begin with Authentic 2 using
the Django development server (runserver command) and we want to avoid them
a bad first impression because static files would not be served. As a matter
of fact, static files are served by the Django development server only when
the project is run in the DEBUG mode.
In the DEBUG mode, the Django debug toolbar is used what adds a dependency.
In production, the Django development server should not be used to serve
Authentic 2 and a dedicated server should also be used to serve the static
files.
Set Authentic into the no DEBUG Mode
------------------------------------
It is enough to edit authentic2/settings.py and set::
DEBUG = False
From then on the django-debug-toolbar package is not necessary anymore.
Use dedicated HTTP servers and serve static files
-------------------------------------------------
The best is to use a server dedicated to serve the Django applications and a
different server to serve the static files.
You could for instance use apache with mod_wsgi to serve Authentic 2. You will
find configuration file examples in the debian directory of the Authentic 2
sources.
Then you may want to use nginx to serve the static files.
First you need to collect the Authentic 2 static files. The static files are
collected using the collectstatic command that is configured in the
settings.py.
By default, running collectstatic will create a static directory in the parent
directory of the authentic2 directory::
$python authentic2/manage.py collectstatic
That static directory will contain all the static files of Authentic 2.
If you want to change the path of the static directory you can edit
STATIC_ROOT of the settings file.
See https://docs.djangoproject.com/en/dev/ref/contrib/staticfiles/ for more
information about collectstatic.

86
doc/development.rst
View File

@ -1,86 +0,0 @@
.. _development:
===========
Development
===========
Get the code and the dependencies
=================================
1. Clone the repository::
$ git clone https://git.entrouvert.org/authentic.git
2. Install `lasso <http://lasso.entrouvert.org>`_ python packages::
$ curl https://deb.entrouvert.org/entrouvert.gpg | sudo apt-key add -
$ echo deb http://deb.entrouvert.org/ buster main | \
sudo tee /etc/apt/sources.list.d/entrouvert.list
$ sudo apt-get update
$ sudo apt-get install python-lasso python3-lasso
3. Install dependencies::
$ sudo apt-get install postgresql build-essential gettext sassc \
libldap2-dev libsasl2-dev python3-dev
Run the tests
=============
1. Setup a virtualenv::
$ sudo apt-get install direnv
$ echo layout python3 > authentic/.envrc
$ direnv allow authentic
$ cd authentic
$ pip install tox
2. Run::
$ JENKINS_URL=fakeurl pg_virtualenv tox
.. note::
`tests/test_ldap.py` will fail if `apparmor_status` reports that
`/usr/sbin/slapd` is in enforce mode.
.. note::
Setting `JENKINS_URL` instructs tox to run `[tox:jenkins]` instead
of the default `[tox]`.
2. Run with code coverage::
$ pg_virtualenv tox < /dev/null
$ firefox htmlcov/index.html
.. note::
When running from an interactive shell `< /dev/null` unsets
the `tty` tox sub-type and defines the `COVERAGE` variable.
Update translations
===================
They are updated upstream before the releases to help keep the
vocabulary consistent.
.. note::
The only exception would be a trivial fix such as a typo.
The `.po` files can be updated as follows::
$ ./update-locales.sh
Build the documentation
=======================
1. Build::
$ pip install sphinx
$ sphinx-build -b html doc build/html
2. Display::
$ firefox build/html/index.html

50
doc/index.rst
View File

@ -1,50 +0,0 @@
.. Authentic 2 documentation master file, created by
sphinx-quickstart on Thu Oct 13 09:53:03 2011.
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
===========================
Authentic 2's documentation
===========================
Authentic 2 is a versatile identity management server aiming to address a
broad range of needs, from simple to complex setups; it has support for many
protocols and can bridge between them.
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID,
LDAP, X509 and OAUTH2.
Authentic 2 is under the GNU AGPL version 3 licence.
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
specifications of SAML2.
Consult current Authentic 2 activity on the `project site <http://dev.entrouvert.org/projects/authentic>`_
If you don't find an explanation, you don't understand it or one is missing,
please report it on the list.
.. toctree::
:maxdepth: 1
overview
installation
configuration
advanced
development
copyright
This documentation is under the licence Creative Commons `CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
.. Indices and tables
.. ==================
.. * :ref:`genindex`
.. * :ref:`modindex`
.. * :ref:`search`

58
doc/installation.rst
View File

@ -1,58 +0,0 @@
.. _installation:
=====================================
Installation and quickstart tutorials
=====================================
You'll find here how to start and configure very quickly Authentic 2 for its
main features. You just need Python 2.7 and Django 1.5.
First of all, you can boot Authentic vwithout root
privileges like this:
1. Initialize a virtualenv::
virtualenv authentic
source ./authentic/bin/activate
cd authentic
2. Install Authentic::
pip install authentic2
3. Initialize the database migrations::
authentic2-ctl syncdb --migrate
4. Run the HTTP test server::
authentic2-ctl runserver
Release cycle
-------------
In addition to the installation from sources, Entr'ouvert maintains `Debian GNU/Linux packages <https://deb.entrouvert.org/>`__ for Authentic that `follow the release cycle of Publik <https://dev.entrouvert.org/projects/publik/wiki/Cycle_de_mises_%C3%A0_jour>`__.
Quickstart guides and installation guidelines
---------------------------------------------
.. toctree::
:maxdepth: 1
installation_modes
change_db
upgrading
deployment
Quickstarts
___________
.. toctree::
:maxdepth: 1
quick_oauth2_idp
quick_saml2_idp
quick_saml2_sp
quick_cas_idp
quick_ldap_backend

201
doc/installation_modes.rst
View File

@ -1,201 +0,0 @@
.. _installation_modes:
==================
Installation modes
==================
The current version of Authentic 2 works with Python 2.7 and Django 1.5.
Authentic 2 python installation script handles all the dependencies,
except Lasso, relying on the Setuptools and the pypi repository.
To run Authentic 2 with SAML2 features, you need to install lasso >= 2.3.6,
see :ref:`install-lasso-ref`.
The other Authentic 2 dependencies are:
- Django>=1.7.6,<1.9
- requests>=2.
- django-model-utils>=2
- dnspython>=1.12
- django-select2>=4.3.0
- django-tables2>=1.0
- gadjo>=0.6
- django-import-export>=0.2.7,<=0.4.5
- djangorestframework>=3.3
- Markdown>=2.5
- python-ldap
Install Authentic 2:
- :ref:`install-pypi-ref`
- :ref:`obtain-pypi-ref`
- :ref:`obtain-git-ref`
.. _install-lasso-ref:
Lasso installation
------------------
Lasso is available in the linux debian destribution repositories. If you are
installing Authentic 2 on debian, just execute ::
apt-get install python-lasso
You'll find more updated packages on http://deb.entrouvert.org/.
We also provide rpm packages for redhat, see https://dev.entrouvert.org/redhat/README.
You can also install lasso from sources http://lasso.entrouvert.org/download
See the `Lasso website <http://lasso.entrouvert.org>`_ for installation details.
This is a quick installation example.
Install the following Lasso dependencies:
- autoconf
- automake
- autotools-dev
- libtool
- gtk-doc-tools
- zlib1g-dev
- libglib2.0-dev
- openssl-dev
- libxml2-dev
- libxmlsec1-dev
- python2.6-dev
- python-setuptools
Obtain Lasso::
$wget https://dev.entrouvert.org/lasso/lasso-2.3.6.tar.gz
$tar xzvf lasso-2.3.6.tar.gz
$cd lasso-2.3.6
$./autogen.sh
Be sure that the Python bindings is selected as follows::
=============
Configuration
=============
Main
----
Compiler: gcc
CFLAGS:
Install prefix: /usr/local
Debugging: no
Experimental ID-WSF: no
Optionals builds
----------------
Available languages: java(4.6.1) python(2.7) perl(5.12.4)
Java binding: yes
Perl binding: yes
PHP 5 binding: no
Python binding: yes
C API references: yes
Tests suite: no
Now type 'make install' to install lasso.
As indicated, build and install::
$make install
$ldconfig
Set the lasso python binding in you python path, e.g.::
$export PYTHONPATH="$PYTHONPATH:/usr/local/lib/python2.6/site-packages"
Test trying to import Lasso::
$python
>>> import lasso
.. _install-pypi-ref:
Install Authentic directly from pypi
------------------------------------
Using pip::
pip install authentic2
You can now run Authentic from the installation directory::
./authentic2-ctl syncdb --migrate
./authentic2-ctl runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.5, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
.. _obtain-pypi-ref:
Obtain the last package archive from pypi
-----------------------------------------
Download the archive on http://pypi.python.org/pypi/authentic2/.
Then, you can install it directly from the archive using pip::
pip install authentic2-x.z.y.tar.gz
You can now run Authentic from the installation directory, e.g.::
./authentic2-ctl syncdb --migrate
./authentic2-ctl runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.5, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
.. _obtain-git-ref:
Obtain the last sources from the Git repository
-----------------------------------------------
Clone the repository::
git clone http://repos.entrouvert.org/authentic.git
Then, you can install it directly using pip::
cd authentic
pip install -e .
You can now run Authentic from the installation directory, e.g.::
./authentic2-ctl syncdb --migrate
./authentic2-ctl runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.5, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/

58
doc/overview.rst
View File

@ -1,58 +0,0 @@
.. _overview:
========
Overview
========
Authentic 2 is a versatile identity management server aiming to address a
broad range of needs, from simple to complex setups; it has support for many
protocols and can bridge between them.
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID,
LDAP, X509 and OAUTH2.
Authentic 2 is under the GNU AGPL version 3 licence.
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
specifications of SAML2.
Authentic 2 requires Python 2.7 et Django 1.5.
Features
--------
* SAML 2.0 Identity and service provider
* OpenID 1.0 and 2.0 identity provider
* Server CAS 1.0 and 2.0 using a plugin
* Standards authentication mechanisms:
* Login/password through internal directory or LDAP
* X509 certificate over SSL/TLS
* Protocol proxying, for instance between OpenID and SAML
* Support of LDAP v2 and v3 directories
* Support of the PAM backend
* One-time password (OATH and Google-Authenticator) using a plugin
* Identity attribute management
* Plugin system
Source and issue tracker
------------------------
You can find on the project site authentic.entrouvert.org mainly the issue
tracker.
You can find there a viewer of the git repository or clone it::
git clone http://repos.entrouvert.org/authentic.git
Support
-------
Authentic's developpers and users hangs on the mailing list authentic@listes.entrouvert.com.
See archives or register at http://listes.entrouvert.com/info/authentic.
You can open reports or feature request on http://authentic.entrouvert.org.
Entr'ouvert also provides a commercial support. For information, visit http://www.entrouvert.com.

BIN
doc/pictures/alias_in_source.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 27 KiB

BIN
doc/pictures/alias_in_source_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 32 KiB

BIN
doc/pictures/attr_policy_filter_attributes.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 87 KiB

BIN
doc/pictures/attr_policy_filter_attributes_map.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 88 KiB

BIN
doc/pictures/attr_policy_filter_attributes_source.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 87 KiB

BIN
doc/pictures/attr_policy_filter_source.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 84 KiB

BIN
doc/pictures/attr_policy_forward.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 78 KiB

BIN
doc/pictures/attr_policy_map_ns.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 87 KiB

BIN
doc/pictures/attr_source_idp.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
doc/pictures/attr_source_idp_claims.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
doc/pictures/attr_source_idp_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
doc/pictures/attribute_item.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
doc/pictures/attribute_item_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 46 KiB

BIN
doc/pictures/attribute_list.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 43 KiB

BIN
doc/pictures/attribute_list_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
doc/pictures/attributes_consent.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 94 KiB

BIN
doc/pictures/eo_logo.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 12 KiB

BIN
doc/pictures/eo_logo_t.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 15 KiB

BIN
doc/pictures/error_no_idp_options.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 98 KiB

BIN
doc/pictures/error_no_sp_options.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 103 KiB

BIN
doc/pictures/federation_consent_idp.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 69 KiB

BIN
doc/pictures/federation_consent_sp.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 94 KiB

BIN
doc/pictures/idp_options_all.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 83 KiB

BIN
doc/pictures/idp_options_default.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 81 KiB

BIN
doc/pictures/idp_options_regular.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 82 KiB

BIN
doc/pictures/idp_options_regular_modify_sp.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 22 KiB

BIN
doc/pictures/idp_options_regular_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
doc/pictures/ldapsource.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 39 KiB

BIN
doc/pictures/ldapsource_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB

BIN
doc/pictures/new_saml2_idp_1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
doc/pictures/new_saml2_idp_2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 19 KiB

BIN
doc/pictures/new_saml2_idp_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
doc/pictures/new_saml2_sp_1.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
doc/pictures/new_saml2_sp_2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 49 KiB

BIN
doc/pictures/new_saml2_sp_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 37 KiB

BIN
doc/pictures/policy_pull.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 82 KiB

BIN
doc/pictures/policy_pull_renamed.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 27 KiB

BIN
doc/pictures/policy_pull_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 33 KiB

BIN
doc/pictures/slo_idp_options_activated.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 94 KiB

BIN
doc/pictures/slo_idp_options_deactivated.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 90 KiB

BIN
doc/pictures/slo_sp_options_activated.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 70 KiB

BIN
doc/pictures/slo_sp_options_deactivated.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 68 KiB

BIN
doc/pictures/sp_options_all.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 65 KiB

BIN
doc/pictures/sp_options_default.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 63 KiB

BIN
doc/pictures/sp_options_default_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
doc/pictures/sp_options_regular.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 66 KiB

BIN
doc/pictures/sp_options_regular_modify_sp.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
doc/pictures/sp_options_regular_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 31 KiB

BIN
doc/pictures/sp_policy_pull.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 32 KiB

BIN
doc/pictures/sp_policy_pull_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 41 KiB

BIN
doc/pictures/update_metadata.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 50 KiB

BIN
doc/pictures/update_metadata_done.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
doc/pictures/user_profile_source.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

BIN
doc/pictures/user_profile_source_saved.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 29 KiB

23
doc/quick_cas_idp.rst
View File

@ -1,23 +0,0 @@
.. _quick_cas_idp:
==================================
Quickstart a CAS Identity Provider
==================================
1. Activate CAS IdP support in your local_settings.py::
A2_IDP_CAS_ENABLE = True
2. Then create the database table to hold CAS service tickets::
authentic2-ctl syncdb --all
authentic2-ctl migrate --fake
2. Also configure authentic2 to authenticate against your LDAP directory (see
above) if your want your user attributes to be accessible from your service,
if it is not necessary you can use the normal relational database storage
for you users.
3. Finally configure your service to point to the CAS endpoint at::
http[s]://your.domain.com/idp/cas/

61
doc/quick_ldap_backend.rst
View File

@ -1,61 +0,0 @@
.. _quick_ldap_backend:
======================================
Quickstart to connect a LDAP Directory
======================================
Authentic use the module django_auth_ldap to synchronize the Django user tables
with an LDAP. For complex use case, we will refer you to the django_auth_ldap
documentation, see http://packages.python.org/django-auth-ldap/.
How to authenticate users against an LDAP server with anonymous binding ?
-------------------------------------------------------------------------
1. Install the django_auth_ldap module for Django, for this you need
python-ldap, python-ldap needs python developement headers to be installed
but is usually packaged by most distributions::
pip install django_auth_ldap
2. Configure your local_settings.py file for authenticating against LDAP.
The next lines must be added::
AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', )
import ldap
from django_auth_ldap.config import LDAPSearch
# Here put the LDAP URL of your server
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com'
# Let the bind DN and bind password blank for anonymous binding
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""
# Lookup user under the branch o=base and by mathcing their uid against the
# received login name
AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
How to allow members of an LDAP group to manage Authentic ?
-----------------------------------------------------------
1. First you must know the objectClass of groups in your LDAP schema, this FAQ
will show you the configuration for two usual classes: groupOfNames and
groupOfUniqueNames.
2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany
3. Add the following lines::
from django_auth_ldap.config import GroupOfNamesType
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_staff": "cn=admin,o=mycompany"
}
For an objectClass of groupOfUniqueNames you would change the string
GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to
groupOfUniqueNames. For more complex cases see the django_auth_ldap
documentation.

9
doc/quick_oauth2_idp.rst
View File

@ -1,9 +0,0 @@
.. _quick_oauth2_idp:
======================================
Quickstart an OAuth2 Identity Provider
======================================
This section has to be done. If you need it now, say it on the issue tracker :
https://dev.entrouvert.org/issues/6053

9
doc/quick_saml2_idp.rst
View File

@ -1,9 +0,0 @@
.. _quick_saml2_idp:
=====================================
Quickstart an SAML2 Identity Provider
=====================================
This section has to be done. If you need it now, say it on the issue tracker :
https://dev.entrouvert.org/issues/6057

22
doc/quick_saml2_sp.rst
View File

@ -1,22 +0,0 @@
.. _quick_saml2_sp:
=====================================================
Quickstart a connection with a SAML2 Service Provider
=====================================================
1. Get the Identity Provider SAML2 metadata file
::
http[s]://your.domain.com/idp/saml2/metadata
2. Configure your service provider with it.
3. Go to the providers admin panel on
::
http[s]://admin/saml/libertyprovider/add/
There create a new provider using the service provider metadata and enable it
as a service provider.

168
doc/saml2_slo.rst
View File

@ -1,168 +0,0 @@
.. _saml2_slo:
=======================================
Single Logout Management in Authentic 2
=======================================
Explanation
===========
Authentic 2 implements the single logout profile of SAML2 (SLO). Single Logout is
used to realise to close user session on distributed applications. The Single
Logout is managed by the IdP. However, its exists many profiles all supported
by Authentic 2:
- SLO IdP initiated by SOAP
- SLO IdP initiated by Redirect
- SLO SP initiated by SOAP
- SLO SP initiated by Redirect
Then, Authentic 2 acting as an IdP but also as a SP (for proxying), a
logout request can be received from:
- the logout button on the user interface;
- a service provider;
- a third identity provider.
The configuration by policy allows to refuse SLO request coming from a SP or
an IdP.
**The the SLO request is accepted or comes from the user interface, at the end
of the process the local session on Authentic 2 will always be closed.**
During the process of treatment of the logout request, when the logout request
comes from a SP, if the local session was established through a third SAML2 IdP,
Authentic 2 sends it a logout request (SLO proxying). Then, Authentic 2
sends logout resuests to all service providers with an active session but the
requesting service provider.
During the process of treatment of the logout request, when the logout request
comes from an IdP, Authentic 2 sends logout resuests to all service providers
with an active session.
The configuration by policy allows to select which IdP and SP to logout
forwarding is done.
**Note:** When a logout request comes from an IdP, the logout request is always
forwarded by soap to the service providers.
**Note:** When a logout request comes from an SP:
- if done by SOAP, the logout request is always forwarded by soap to the
identity provider and service providers.
- if done by Redirect, the logout request is forwarded to the
identity provider according to the idp options policy and to the service
providers according to their metadata.
**Note:** When a logout request comes from the user interface, the logout
request is forwarded to the identity provider according to the idp options
policy and to the service providers according to their metadata.
**Note:** To make the SLO works, a policy must be found for the
source or the desitnation of the logout request. By default, when creating a
sp options policy or an IdP options policy the SLO is accepted and forwarded.
See the *administration with policy principle* page :ref:`administration_with_policies`.
How to know if a service provider supports the logout request?
==============================================================
Look for the following elements in the service provider metadata:
- Redirect binding::
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sp.mik.lan:8000/authsaml2/singleLogout" ResponseLocation="http://sp.mik.lan:8000/authsaml2/singleLogoutReturn"/>
- SOAP binding::
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://sp.mik.lan:8000/authsaml2/singleLogoutSOAP"/>
How to know if an identity provider supports the logout request?
================================================================
Look for the following elements in the identity provider metadata:
- Redirect binding::
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.mik.lan:8001/idp/saml2/slo" ResponseLocation="http://idp.mik.lan:8001/idp/saml2/slo_return" />
- SOAP binding::
<ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.mik.lan:8001/idp/saml2/slo/soap" />
How activate the SLO?
=====================
No activation is required. However it is required a policy be found for the
source or the desitnation of the logout request.
The sp options policy or idp options policy that applies has parameters to
indicate if the sp or idp which the policy applies is allowed to send and
receive logout requests.
Then, create the 'default' options policy and check the both options
*Accept to receive Single Logout requests* and *Forward Single Logout requests* as follows:
.. image:: pictures/slo_sp_options_activated.png
:width: 800 px
:align: center
.. image:: pictures/slo_idp_options_activated.png
:width: 800 px
:align: center
How deactivate the SLO?
=======================
There is no real deactivation process. When it is possible and authorized,
Authentic 2 send logout requests when a logout request is received.
If an options policy is not found for the source or the destination of the
logout request, the logout requests are not accepted nor forwarded.
However it is not the right way. The best is to create the 'all' options
policies with the options *Accept to receive Single Logout requests* and *Forward Single Logout requests* unchecked as follows:
.. image:: pictures/slo_sp_options_deactivated.png
:width: 800 px
:align: center
.. image:: pictures/slo_idp_options_deactivated.png
:width: 800 px
:align: center
Take care that the 'all' policies are authoritative. To desactivate the SLO
but for particular providers, the best is to unchecked these options on the
'default' options policies and apply regular policies to those particular
providers.
How refuse SLO from an identity provider?
=========================================
Uncheck the option *Accept to receive Single Logout requests* of the policy that applies to that identity
provider.
How refuse SLO from a service provider?
=======================================
Uncheck the option *Accept to receive Single Logout requests* of the policy that applies to that service
provider.
How indicate identity providers to not forward logout request?
==============================================================
Uncheck the option *Forward Single Logout requests* of the policies that applies to the identity
providers logout requests must not be forwarded.
How indicate service providers to not forward logout request?
=============================================================
Uncheck the option *Forward Single Logout requests* of the policies that applies to the service
providers logout requests must not be forwarded.
How do manage the SLO without closing the local session?
========================================================
Not implemented.

9
doc/settings.rst
View File

@ -1,9 +0,0 @@
.. _settings:
===============================
Works with authentic 2 settings
===============================
This section has to be done. If you need it now, say it on the issue tracker :
https://dev.entrouvert.org/issues/6047

97
doc/settings_listing.rst
View File

@ -1,97 +0,0 @@
.. _settings_listing:
============
All settings
============
Activate or deactivate debug mode
=================================
Variable: DEBUG
Values:
* False: deactivate debug mode
* True: activate debug mode
Manage session cookie duration
==============================
Variable: SESSION_EXPIRE_AT_BROWSER_CLOSE
Values:
* False: Cookies are not removed when browser is closed.
* True: Cookies are removed when browser is closed.
Variable: SESSION_COOKIE_AGE
Value:
* Seconds (36000 equal 10 hours)
Time zone selection
===================
Variable: TIME_ZONE
Values:
* See http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
Activate or deactivate SSL authentication
=========================================
Variable: AUTH_SSL
Values:
* False: deactivate SSL authentication
* True: activate SSL authentication
Activate or deactivate OpenID authentication, Authentic 2 is an OpenID relying party
====================================================================================
Variable: AUTH_OPENID
Values:
* False: deactivate OpenID authentication
* True: activate OpenID authentication
Activate or deactivate Authentic 2 as a SAML2 identity provider
===============================================================
Variable: IDP_SAML2
Values:
* False: deactivate SAML2 identity provider
* True: activate SAML2 identity provider
Configure SAML2 keys
====================
* SAML_SIGNATURE_PUBLIC_KEY: Certtificate or public key for signature
* SAML_SIGNATURE_PRIVATE_KEY: Private key for signature
* SAML_ENCRYPTION_PUBLIC_KEY: Certtificate or public key for encryption
* SAML_ENCRYPTION_PRIVATE_KEY: Private key for encryption
Values are pem files of X509 certificate or key, e.g.:
SAML_SIGNATURE_PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MII...WA==
-----END RSA PRIVATE KEY-----'''
If SAML_ENCRYPTION_PUBLIC_KEY or SAML_ENCRYPTION_PRIVATE_KEY are not given,
the signature keys are used for encryption.
Activate or deactivate Authentic 2 as a CAS server
==================================================
Variable: IDP_CAS
Values:
* False: deactivate CAS server
* True: activate CAS server

192
doc/sync-metadata_script.rst
View File

@ -1,192 +0,0 @@
.. _sync-metadata_script:
===========================================================================================================
How to create/import and delete in bulk SAML2 identity and service providers with the sync-metadata script?
===========================================================================================================
This section explains hot to use the script sync-metadata.
Presentation
============
This script allows to create/import and deleted in bulk SAML2 identity and
service providers using standard SAML2 metadata files containing entity
descriptors.
An example of such a file used in production is the global metadata file of
the identity federation of French universities that can be found at http://...
Use the following command::
path_to_project/authentic2$ python manage.py sync-metadata file_name [options]
Configuration of attributes
===========================
If a service provider has AttributeConsumingService nodes in its
SPSSODescriptor then we create an attribute declaration for each declared
attribute. If the attribute is optional, the attribute declaration is created
disabled.
Currently it only supports the LDAP and the LDAP attribute profile of SAML,
i.e. SAML attribute names must be LDAP attributes oid, the NameFormat must be
URI, and an LDAP server must declared so that LDAP attributes can be resolved.
Authentic2 contains a databases of the more common LDAP schemas to help the
resolution of attributes OIDs.
Example of an AttributeConsumingService node::
<md:AttributeConsumingService index="0">
<md:ServiceName
xml:lang="fr">Université Paris 1 - cours en ligne</md:ServiceName>
<md:ServiceDescription xml:lang="fr">Cours en ligne de l'université
Paris 1 Panthéon - Sorbonne (LMS Moodle)
</md:ServiceDescription>
<md:RequestedAttribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="mail"
Name="urn:oid:0.9.2342.19200300.100.1.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="displayName"
Name="urn:oid:2.16.840.1.113730.3.1.241"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="eduPersonAffiliation"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="cn" Name="urn:oid:2.5.4.3"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
isRequired="true">
</md:RequestedAttribute>
</md:AttributeConsumingService>
If you do not want the attribute declarations to be automatically created pass
the option `--dont-load-attribute-consuming-service` to the `sync-metadata` command.
Options
=======
* idp
Load only identity providers of the metadata file.
* sp
Load only service providers of the metadata file.
* source
Used to tag all imported providers with a label. This option is used to
metadata reloading and deletion in bulk.
Reloading a metadata file, when a provider with same entity is found, it is
updated. If a provider in the metadata file does not exist it is created.
If a provider exists in the system but not in the metadata file, it is
removed.
**For reloading, a source can only be associated with a unique metadata
file. This is due to the fact that all providers of a source not found in
the metadata file are removed.** ::
path_to_project/authentic2$ python manage.py sync-metadata file_name --source=french_federation
* sp-policy
To configure the SAML2 parameters of service providers imported with the
script, a policy of type SPOptionsIdPPolicy must be created in the
the administration interface.
Either it is a global policy 'Default' or 'All' or it is a regular policy.
If it is a regular policy, the policy name can be specified in parameter
of the script with this option.
The policy is then associated to all service providers created.
::
path_to_project/authentic2$ python manage.py sync-metadata file_name --sp-policy=sp_policy_name
* idp-policy
To configure the SAML2 parameters of identity providers imported with the
script, a policy of type IdPOptionsSPPolicy must be created in the
the administration interface.
Either it is a global policy 'Default' or 'All' or it is a regular policy.
If it is a regular policy, the policy name can be specified in parameter
of the script with this option.
The policy is then associated to all service providers created.
::
path_to_project/authentic2$ python manage.py sync-metadata file_name --idp-policy=idp_policy_name
* delete
With no options, all providers are deleted.
With the source option, only providers with the source name given are deleted.
**This option can not be combined with options idp and sp.**
* ignore-errors
If loading of one EntityDescriptor fails, continue loading
* reset-atributes
When loading shibboleth attribute filter policies, start by removing all
existing SAML attributes for each provider, beware that it will delete any
customization of the attribute policy for each service provider.
* dont-load-attribute-consuming-service
Prevent loading of the attribute policy from AttributeConsumingService nodes
in the metadata file.
* shibboleth-attribute-filter-policy
Path to a file containing an Attribute Filter Policy for the
Shibboleth IdP, that will be used to configure SAML attributes for
each provider. The following schema is supported::
<AttributeFilterPolicy id="<whatever>">
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="<entityID>" >
[
<AttributeRule attributeID="<attribute-name>">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
]*
</AttributeFilterPolicy>
Any other kind of attribute filter policy is unsupported.

9
doc/translation.rst
View File

@ -1,9 +0,0 @@
.. _translation:
Compiling translations
======================
Translations must compiled to be useful, to do that run the following command::
./setup.py compile_translations

17
doc/upgrading.rst
View File

@ -1,17 +0,0 @@
.. _upgrading:
=========
Upgrading
=========
Update using pip::
pip install -U authentic2
Authentic store all its data in a relational database as specified in its
settings.py or local_settings.py file. So in order to upgrade to a new version
of authentic you have to update your database schema using the
migration command — you will need to have installed the dependency django-south,
see the beginning of this README file.::
authentic2-ctl syncdb --migrate

18
doc/where_metadata.rst
View File

@ -1,18 +0,0 @@
.. _where_metadata:
===============================================
Where do I find the Authentic 2 SAML2 metadata?
===============================================
The SAML2 metadata are automatically generated.
**Authentic 2 will infer from environment variables the host and port to
generate the URLs contained in the medatada.**
The metadata of Authentic 2 SAML2 identity provider are available at:
http[s]://your.domain.com/idp/saml2/metadata
The metadata of Authentic 2 SAML2 service provider are available at:
http[s]://your.domain.com/authsaml2/metadata