entrouvert
/
authentic
16
0
Fork 0
Code Issues Pull Requests 32 Releases Activity

documentation: refactor documentation (refs #5455).

This commit is contained in:
Mikaël Ates 2014-12-03 17:10:45 +01:00
parent 19d8120b92
commit e5ebc66215
22 changed files with 937 additions and 468 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
doc/admin_access.rst Normal file
View File

@ -0,0 +1,16 @@
.. _admin_access:
============================================
Access the grapical administration interface
============================================
The grapical administration interface is the 'Django admin' part of a Django
project. See for more information.
Just acces the admin url at http[s]://your.domain.com/admin.
At first you log with the superuser you created at the very first database
initialization.
Then you can configure other accesses to the admin checking the is_staff
option displayed on a user in the admin.

65
doc/administration_with_policies.rst
View File

@ -1,8 +1,8 @@
.. _administration_with_policies:
==========================================================
How global policies are used in Authentic 2 administration
==========================================================
==================
Work with policies
==================
The policy management with global policies is nearly used for any kind of
policy in Authentic 2.
@ -10,43 +10,28 @@ policy in Authentic 2.
For each kind of these policies, the system takes in account two special
global policies named 'Default' and 'All':
* If no other policy applies, the policy 'Default' will apply.
* There is always a system default that does not correspond to the 'Default'
policy. This is used to make Authentic 2 boot without initial
configuration. When you add a 'Default' policy, the system default are not
used anymore.
* A policy has always a name, 'Default' and 'All' are the names of two special
policies with their name hardcoded. But you can create or delete them.
* If no other policy applies, the policy 'Default' applies.
* A policy can be created and attached to any related object. This policy is
authoritative on the policy 'Default'.
* If the policy 'All' exists, it is authoritative on any other policy.
* The global policies 'All' and 'Default' are created by the administrator if
necessary.
* A policy is taken in account only if it is enabled.
* When a regular policy is associated with an object, it is taken in account
only if the option 'enable the following policy' is checked on the oject.
* A policy can be created and attached to any related object. This policy is authoritative on policy 'Default'.
It is advised to add a 'Default' global policy when it is expected to apply a
policy to all related objects. A 'Default' global policy should be defined to
avoid misonfiguration.
* If the policy 'All' exists, it is authoritative on any other policy.
Add a regular policy to some objects are used to handle particular
configurations for a subset of related objects.
* The global policies must be created by the administrator if necessary.
**A policy is taken in account only if it is enabled.**
**When a regular policy is associated with an object, it is taken in account
only if the option 'enable the following policy' is checked.**
::
def get_sample_policy(any_object):
# Look for a global policy 'All'
try:
return SamplePolicy.objects.get(name='All', enabled=True)
except SamplePolicy.DoesNotExist:
pass
# Look for a regular policy
if any_object.enable_following_sample_policy:
if any_object.sample_policy:
return any_object.sample_policy
# Look for a global policy 'Default'
try:
return SamplePolicy.objects.get(name='Default', enabled=True)
except SamplePolicy.DoesNotExist:
pass
return None
*It is advised to add a 'Default' global policy when it is expected to apply a
policy to all related objects. Add e regular policy to some objects are then
used to handle particular configurations.*
*A 'Default' global policy should be defined to avoid misonfiguration.*
*A 'All' global policy should be used to enforce a global configuration for
all related objects or for testing purposes.*
An 'All' global policy should be used to enforce a global configuration for
all related objects or for testing purposes.

125
doc/advanced.rst Normal file
View File

@ -0,0 +1,125 @@
.. _advanced:
===============
Advanced topics
===============
- :ref:`attributes_in_session`
- :ref:`writing_migrations`
- :ref:`write_new_kind_policy`
.. _attributes_in_session:
Attributes in session pushed by third SAML2 identity providers
==============================================================
When an assertion is received, assertion data, including attributes, are
pushed in the Django session dictionnary.
It leads to the creation of the following dictionnary::
request.session['multisource_attributes']
The keys of the dictionnary are the source names, i.e. the entity Id for
SAML2 identity providers.
The values are list of data extracted from assertions. Indeed, this is done
to store multiple assertion received from a same source in a same Django
session::
request.session['multisource_attributes'] \
[source_name] = list()
The items of this list are dictionnaries with the keys 'certificate_type' and
'attributes'.
For a saml2 assertion, all the keys are::
a8n['certificate_type'] = 'SAML2_assertion'
a8n['nameid'] = ...
a8n['subject_confirmation_method'] = ...
a8n['not_before'] = ...
a8n['not_on_or_after'] = ...
a8n['authn_context'] = ...
a8n['authn_instant'] = ...
a8n['attributes'] = attrs
a8n['attributes'] has the following structure::
attributes = {}
attributes[name] = (value1, value2, )
attributes[(name, format)] = (value1, value2, )
attributes[(name, format, nickname)] = (value1, value2, )
a8n['attributes'] = attributes
.. _writing_migrations:
Writing migrations
==================
Migration containing reference to the user model must be rewritten manually to
refer to the user model name indirectly. The followind modifications must be applied.
1. First import the `user_model_label` from the `authentic2.compat` module:
::
from authentic2.compat import user_model_label
Any reference to `orm['auth.User']` or `orm['authentic2.User']` must be
rewritten into `orm[user_model_label]`. For example this line:::
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['authentic2.User'])),
must be changed to:::
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm[user_model_label])),
2. The user model when appearing in the `models` field like this:
::
u'auth.user': {
'meta': {'object_name': 'User',
must be rewritten like that:::
user_model_label: {
'Meta': {'object_name': user_model_label.split('.')[-1]},
3. If the user model is referred inside the `to` field of a foreign key
declaration like this:
::
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['auth.User']"})
must be rewritten like that:::
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['%s']" user_model_label})
.. _write_new_kind_policy:
Add a new kind of administration policy
=======================================
See how policies works :ref:`administration_with_policies`. Then, the bahavior
should look like::
def get_sample_policy(any_object):
# Look for a global policy 'All'
try:
return SamplePolicy.objects.get(name='All', enabled=True)
except SamplePolicy.DoesNotExist:
pass
# Look for a regular policy
if any_object.enable_following_sample_policy:
if any_object.sample_policy:
return any_object.sample_policy
# Look for a global policy 'Default'
try:
return SamplePolicy.objects.get(name='Default', enabled=True)
except SamplePolicy.DoesNotExist:
pass
return None

4
doc/config_saml2_sp.rst
View File

@ -36,11 +36,13 @@ Create a SAML2 service provider entry
.. image:: pictures/new_saml2_sp_1.png
:width: 800 px
:align: center
.. image:: pictures/new_saml2_sp_2.png
:width: 800 px
:align: center
**The service provider must be enabled.**
**Note:** The service provider must be enabled.
See below about configuring the service provider with policies:

88
doc/configuration.rst Normal file
View File

@ -0,0 +1,88 @@
.. _configuration:
=============
Configuration
=============
Configuration with settings
===========================
.. toctree::
:maxdepth: 1
settings
settings_listing
Configuration with the administration interface
===============================================
Basics
------
.. toctree::
:maxdepth: 1
admin_access
administration_with_policies
Authentication backends
-----------------------
.. toctree::
:maxdepth: 1
auth_ldap
auth_pam
SAML2
-----
.. toctree::
:maxdepth: 1
where_metadata
config_saml2_sp
config_saml2_idp
saml2_slo
CAS
---
.. toctree::
:maxdepth: 1
config_cas_sp
Attributes
----------
.. toctree::
:maxdepth: 1
attribute_management
User interfaces and interactions
--------------------------------
.. toctree::
:maxdepth: 1
consent_management
Administration
==============
.. toctree::
:maxdepth: 1
translation
cronjobs
sync-metadata_script

18
doc/copyright.rst Normal file
View File

@ -0,0 +1,18 @@
.. _copyright:
=========
Copyright
=========
Authentic and Authentic 2 are copyrighted by Entr'ouvert and are licensed
through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of
the whole license text is available in the COPYING file.
The OpenID IdP originates in the project django_openid_provider by Roman
Barczyski, which is under the Apache 2.0 licence. This imply that you must
distribute authentic2 under the AGPL3 licence when distributing this part of the
project which is the only AGPL licence version compatible with the Apache 2.0
licence.
The Documentation is under the licence Creative Commons
`CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.

11
doc/cronjobs.rst Normal file
View File

@ -0,0 +1,11 @@
.. _cronjobs:
Cronjobs and cleaning
=====================
The following cronjob must be run to clean deleted accounts and temporary objects::
5 0 * * * athentic2-ctl cleanup
It's made to run every day at 00:05.

60
doc/deployment.rst Normal file
View File

@ -0,0 +1,60 @@
.. _deployment:
==================================================
Running Authentic 2 for real (Nginx, Apache, etc.)
==================================================
DEBUG Mode by default, static files and the Django debug toolbar dependency ?
-----------------------------------------------------------------------------
By default, Authentic 2 is in the DEBUG mode. We made this default choice
because most of the Authentic 2's users will begin with Authentic 2 using
the Django development server (runserver command) and we want to avoid them
a bad first impression because static files would not be served. As a matter
of fact, static files are served by the Django development server only when
the project is run in the DEBUG mode.
In the DEBUG mode, the Django debug toolbar is used what adds a dependency.
In production, the Django development server should not be used to serve
Authentic 2 and a dedicated server should also be used to serve the static
files.
Set Authentic into the no DEBUG Mode
------------------------------------
It is enough to edit authentic2/settings.py and set::
DEBUG = False
From then on the django-debug-toolbar package is not necessary anymore.
Use dedicated HTTP servers and serve static files
-------------------------------------------------
The best is to use a server dedicated to serve the Django applications and a
different server to serve the static files.
You could for instance use apache with mod_wsgi to serve Authentic 2. You will
find configuration file examples in the debian directory of the Authentic 2
sources.
Then you may want to use nginx to serve the static files.
First you need to collect the Authentic 2 static files. The static files are
collected using the collectstatic command that is configured in the
settings.py.
By default, running collectstatic will create a static directory in the parent
directory of the authentic2 directory::
$python authentic2/manage.py collectstatic
That static directory will contain all the static files of Authentic 2.
If you want to change the path of the static directory you can edit
STATIC_ROOT of the settings file.
See https://docs.djangoproject.com/en/dev/ref/contrib/staticfiles/ for more
information about collectstatic.

75
doc/index.rst
View File

@ -7,83 +7,38 @@
Authentic 2's documentation
===========================
Authentic 2 is a versatile identity provider addressing a broad
range of needs, from simple to advanced setups, around web authentication,
attribute sharing and namespace mapping.
Authentic 2 is a versatile identity management server aiming to address a
broad range of needs, from simple to complex setups; it has support for many
protocols and can bridge between them.
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID,
LDAP, X509, OATH, and can bridge between them.
LDAP, X509 and OAUTH2.
Authentic 2 is under the GNU AGPL version 3 licence.
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
specifications of SAML2, ID-FF1.2 and ID-WSF2.
specifications of SAML2.
The Documentation is under the licence Creative Commons `CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
Consult current Authentic 2 activity on the `project site <http://dev.entrouvert.org/projects/authentic>`_
- `Authentic 2 project site <http://dev.entrouvert.org/projects/authentic>`_
- `Authentic 2 roadmap <http://dev.entrouvert.org/projects/authentic/roadmap>`_
Documentation content
=====================
If you don't find an explanation, you don't understand it or one is missing,
please report it on the list.
.. toctree::
:maxdepth: 2
:maxdepth: 1
features
overview
installation
installation
production
configuration
upgrading
advanced
change_db
copyright
settings
auth_ldap
auth_pam
administration_with_policies
where_metadata
config_saml2_sp
config_saml2_idp
saml2_slo
sync-metadata_script
config_cas_sp
attribute_management
attribute_management_explained
attributes_in_session
consent_management
Copyright
=========
Authentic and Authentic 2 are copyrighted by Entr'ouvert and are licensed
through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of
the whole license text is available in the COPYING file.
The OpenID IdP originates in the project django_openid_provider by Roman
Barczyski, which is under the Apache 2.0 licence. This imply that you must
distribute authentic2 under the AGPL3 licence when distributing this part of the
project which is the only AGPL licence version compatible with the Apache 2.0
licence.
The Documentation is under the licence Creative Commons
`CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
This documentation is under the licence Creative Commons `CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
.. Indices and tables
.. ==================

277
doc/installation.rst
View File

@ -1,261 +1,54 @@
.. _installation:
============
Installation
============
=====================================
Installation and quickstart tutorials
=====================================
Authentic 2 installation script handles all the dependencies, except Lasso,
relying on the Setuptools and the pypi repository.
You'll find here how to start and configure very quickly Authentic 2 for its
main features. You just need Python 2.7 and Django 1.5.
To run Authentic 2 you need to install Lasso >=2.3.6. You can obtain Lasso
from:
First of all, you can boot Authentic vwithout root
privileges like this:
- From sources: http://lasso.entrouvert.org/download
- Debian based distribution: http://deb.entrouvert.org/
1. Initialize a virtualenv::
The other Authentic 2 dependencies are:
virtualenv authentic
source ./authentic/bin/activate
cd authentic
- django >= 1.3
- django-profiles >= 0.2
- south >= 0.7.3
- django-authopenid >= 0.9.6
- django-debug-toolbar >= 0.9.0
2. Install Authentic::
Their management depends on how you install Authentic 2:
pip install authentic2
- You can :ref:`install-pypi-ref`
- You can :ref:`obtain-pypi-ref`
- You can :ref:`obtain-git-ref`
3. Initialize the database migrations::
Lasso installation mock-up
--------------------------
authentic2-ctl syncdb --migrate
Please see the Lasso website for installation details. This is a quick
installation example.
4. Run the HTTP test server::
Install the following Lasso dependencies:
authentic2-ctl runserver
- autoconf
- automake
- autotools-dev
- libtool
- gtk-doc-tools
- zlib1g-dev
- libglib2.0-dev
- openssl-dev
- libxml2-dev
- libxmlsec1-dev
- python2.6-dev
- python-setuptools
Quickstart guides and installation guidelines
---------------------------------------------
Obtain Lasso::
.. toctree::
:maxdepth: 1
$wget https://dev.entrouvert.org/lasso/lasso-2.3.6.tar.gz
$tar xzvf lasso-2.3.6.tar.gz
$cd lasso-2.3.6
$./autogen.sh
Be sure that the Python bindings is selected as follows::
installation_modes
change_db
upgrading
deployment
=============
Configuration
=============
Quickstarts
___________
Main
----
.. toctree::
:maxdepth: 1
Compiler: gcc
CFLAGS:
Install prefix: /usr/local
Debugging: no
Experimental ID-WSF: no
Optionals builds
----------------
Available languages: java(4.6.1) python(2.7) perl(5.12.4)
Java binding: yes
Perl binding: yes
PHP 5 binding: no
Python binding: yes
C API references: yes
Tests suite: no
Now type 'make install' to install lasso.
As indicated, build and install::
$make install
$ldconfig
Set the lasso python binding in you python path, e.g.::
$export PYTHONPATH="$PYTHONPATH:/usr/local/lib/python2.6/site-packages"
Test trying to import Lasso::
$python
>>> import lasso
.. _install-pypi-ref:
Install Authentic directly from pypi
------------------------------------
Using pip::
pip install authentic2
or easy_install::
easy_install authentic2
You can now run Authentic from the installation directory, e.g.::
python /usr/local/lib/python2.6/site-packages/authentic2-x.y.z-py2.6.egg/authentic2/manage.py syncdb --migrate
python /usr/local/lib/python2.6/site-packages/authentic2-x.y.z-py2.6.egg/authentic2/manage.py runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.4, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
.. _obtain-pypi-ref:
Obtain the last package archive from pypi
-----------------------------------------
Download the archive on http://pypi.python.org/pypi/authentic2/.
Then, you can install it directly from the archive using pip::
pip install authentic2-x.z.y.tar.gz
or easy_install::
easy_install authentic2-x.z.y.tar.gz
You can now run Authentic from the installation directory, e.g.::
python /usr/local/lib/python2.6/site-packages/authentic2-x.y.z-py2.6.egg/authentic2/manage.py syncdb --migrate
python /usr/local/lib/python2.6/site-packages/authentic2-x.y.z-py2.6.egg/authentic2/manage.py runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.4, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
You may not want to install the authentic2 package or you may want to manage the dependencies
_____________________________________________________________________________________________
Then, extract the archive::
tar xzvf authentic2-x.z.y.tar.gz
cd authentic2-x.z.y
You can now install the dependencies by hands or use pypi to install them as
follows, either::
pip install django django-profiles south django-authopenid django-debug-toolbar
or using the dependencies version requirements::
python setup.py egg_info
pip install -r authentic2.egg-info/requires.txt
Then run Authentic from the extracted directory::
python authentic2/manage.py syncdb --migrate
python authentic2/manage.py runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.4, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
.. _obtain-git-ref:
Obtain the last sources from the Git repository
-----------------------------------------------
Clone the repository::
git clone http://repos.entrouvert.org/authentic.git
Then, you can install it directly using pip::
pip install ./authentic
or easy_install::
easy_install ./authentic
You can now run Authentic from the installation directory, e.g.::
python /usr/local/lib/python2.6/site-packages/authentic2-x.y.z-py2.6.egg/authentic2/manage.py syncdb --migrate
python /usr/local/lib/python2.6/site-packages/authentic2-x.y.z-py2.6.egg/authentic2/manage.py runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.4, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
You may not want to install the authentic2 package or you may want to manage the dependencies
_____________________________________________________________________________________________
Then, extract the archive::
cd authentic
You can now install the dependencies by hands or use pypi to install them as
follows, either::
pip install django django-profiles south django-authopenid django-debug-toolbar
or using the dependencies version requirements::
python setup.py egg_info
pip install -r authentic2.egg-info/requires.txt
Then run Authentic::
python authentic2/manage.py syncdb --migrate
python authentic2/manage.py runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.4, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
quick_oauth2_idp
quick_saml2_idp
quick_saml2_sp
quick_cas_idp
quick_ldap_backend
quick_pam

205
doc/installation_modes.rst Normal file
View File

@ -0,0 +1,205 @@
.. _installation_modes:
==================
Installation modes
==================
The current version of Authentic 2 works with Python 2.7 and Django 1.5.
Authentic 2 python installation script handles all the dependencies,
except Lasso, relying on the Setuptools and the pypi repository.
To run Authentic 2 with SAML2 features, you need to install lasso >= 2.3.6,
see :ref:`install-lasso-ref`.
The other Authentic 2 dependencies are:
- Django<1.6
- south>=0.8.4
- requests
- django-model-utils
- django-registration>=1
- django-debug-toolbar>=1.2,<1.3
- --allow-external django-admin-tools
- --allow-unverified django-admin-tools
- django-admin-tools>=0.5.1
- dnspython
- django-select2
- django-tables2
- gadjo
- django-import-export
- django-sekizai
Install Authentic 2:
- :ref:`install-pypi-ref`
- :ref:`obtain-pypi-ref`
- :ref:`obtain-git-ref`
.. _install-lasso-ref:
Lasso installation
------------------
Lasso is available in the linux debian destribution repositories. If you are
installing Authentic 2 on debian, just execute ::
apt-get install python-lasso
You'll find more updated packages on http://deb.entrouvert.org/.
We also provide rpm packages for redhat, see https://dev.entrouvert.org/redhat/README.
You can also install lasso from sources http://lasso.entrouvert.org/download
See the `Lasso website <http://lasso.entrouvert.org>`_ for installation details.
This is a quick installation example.
Install the following Lasso dependencies:
- autoconf
- automake
- autotools-dev
- libtool
- gtk-doc-tools
- zlib1g-dev
- libglib2.0-dev
- openssl-dev
- libxml2-dev
- libxmlsec1-dev
- python2.6-dev
- python-setuptools
Obtain Lasso::
$wget https://dev.entrouvert.org/lasso/lasso-2.3.6.tar.gz
$tar xzvf lasso-2.3.6.tar.gz
$cd lasso-2.3.6
$./autogen.sh
Be sure that the Python bindings is selected as follows::
=============
Configuration
=============
Main
----
Compiler: gcc
CFLAGS:
Install prefix: /usr/local
Debugging: no
Experimental ID-WSF: no
Optionals builds
----------------
Available languages: java(4.6.1) python(2.7) perl(5.12.4)
Java binding: yes
Perl binding: yes
PHP 5 binding: no
Python binding: yes
C API references: yes
Tests suite: no
Now type 'make install' to install lasso.
As indicated, build and install::
$make install
$ldconfig
Set the lasso python binding in you python path, e.g.::
$export PYTHONPATH="$PYTHONPATH:/usr/local/lib/python2.6/site-packages"
Test trying to import Lasso::
$python
>>> import lasso
.. _install-pypi-ref:
Install Authentic directly from pypi
------------------------------------
Using pip::
pip install authentic2
You can now run Authentic from the installation directory::
./authentic2-ctl syncdb --migrate
./authentic2-ctl runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.5, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
.. _obtain-pypi-ref:
Obtain the last package archive from pypi
-----------------------------------------
Download the archive on http://pypi.python.org/pypi/authentic2/.
Then, you can install it directly from the archive using pip::
pip install authentic2-x.z.y.tar.gz
You can now run Authentic from the installation directory, e.g.::
./authentic2-ctl syncdb --migrate
./authentic2-ctl runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.5, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
.. _obtain-git-ref:
Obtain the last sources from the Git repository
-----------------------------------------------
Clone the repository::
git clone http://repos.entrouvert.org/authentic.git
Then, you can install it directly using pip::
cd authentic
pip install -e .
You can now run Authentic from the installation directory, e.g.::
./authentic2-ctl syncdb --migrate
./authentic2-ctl runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.5, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/

58
doc/overview.rst Normal file
View File

@ -0,0 +1,58 @@
.. _overview:
========
Overview
========
Authentic 2 is a versatile identity management server aiming to address a
broad range of needs, from simple to complex setups; it has support for many
protocols and can bridge between them.
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID,
LDAP, X509 and OAUTH2.
Authentic 2 is under the GNU AGPL version 3 licence.
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
specifications of SAML2.
Authentic 2 requires Python 2.7 et Django 1.5.
Features
--------
* SAML 2.0 Identity and service provider
* OpenID 1.0 and 2.0 identity provider
* Server CAS 1.0 and 2.0 using a plugin
* Standards authentication mechanisms:
* Login/password through internal directory or LDAP
* X509 certificate over SSL/TLS
* Protocol proxying, for instance between OpenID and SAML
* Support of LDAP v2 and v3 directories
* Support of the PAM backend
* One-time password (OATH and Google-Authenticator) using a plugin
* Identity attribute management
* Plugin system
Source and issue tracker
------------------------
You can find on the project site authentic.entrouvert.org mainly the issue
tracker.
You can find there a viewer of the git repository or clone it::
git clone http://repos.entrouvert.org/authentic.git
Support
-------
Authentic's developpers and users hangs on the mailing list authentic@listes.entrouvert.com.
See archives or register at http://listes.entrouvert.com/info/authentic.
You can open reports or feature request on http://authentic.entrouvert.org.
Entr'ouvert also provides a commercial support. For information, visit http://www.entrouvert.com.

23
doc/quick_cas_idp.rst Normal file
View File

@ -0,0 +1,23 @@
.. _quick_cas_idp:
==================================
Quickstart a CAS Identity Provider
==================================
1. Activate CAS IdP support in your local_settings.py::
IDP_CAS = True
2. Then create the database table to hold CAS service tickets::
authentic2-ctl syncdb --all
authentic2-ctl migrate --fake
2. Also configure authentic2 to authenticate against your LDAP directory (see
above) if your want your user attributes to be accessible from your service,
if it is not necessary you can use the normal relational database storage
for you users.
3. Finally configure your service to point to the CAS endpoint at::
http[s]://your.domain.com/idp/cas/

61
doc/quick_ldap_backend.rst Normal file
View File

@ -0,0 +1,61 @@
.. _quick_ldap_backend:
======================================
Quickstart to connect a LDAP Directory
======================================
Authentic use the module django_auth_ldap to synchronize the Django user tables
with an LDAP. For complex use case, we will refer you to the django_auth_ldap
documentation, see http://packages.python.org/django-auth-ldap/.
How to authenticate users against an LDAP server with anonymous binding ?
-------------------------------------------------------------------------
1. Install the django_auth_ldap module for Django, for this you need
python-ldap, python-ldap needs python developement headers to be installed
but is usually packaged by most distributions::
pip install django_auth_ldap
2. Configure your local_settings.py file for authenticating against LDAP.
The next lines must be added::
AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', )
import ldap
from django_auth_ldap.config import LDAPSearch
# Here put the LDAP URL of your server
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com'
# Let the bind DN and bind password blank for anonymous binding
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""
# Lookup user under the branch o=base and by mathcing their uid against the
# received login name
AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
How to allow members of an LDAP group to manage Authentic ?
-----------------------------------------------------------
1. First you must know the objectClass of groups in your LDAP schema, this FAQ
will show you the configuration for two usual classes: groupOfNames and
groupOfUniqueNames.
2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany
3. Add the following lines::
from django_auth_ldap.config import GroupOfNamesType
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_staff": "cn=admin,o=mycompany"
}
For an objectClass of groupOfUniqueNames you would change the string
GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to
groupOfUniqueNames. For more complex cases see the django_auth_ldap
documentation.

9
doc/quick_oauth2_idp.rst Normal file
View File

@ -0,0 +1,9 @@
.. _quick_oauth2_idp:
======================================
Quickstart an OAuth2 Identity Provider
======================================
This section has to be done. If you need it now, say it on the issue tracker :
https://dev.entrouvert.org/issues/6053

26
doc/quick_pam.rst Normal file
View File

@ -0,0 +1,26 @@
.. _quick_pam:
=================================
Quickstart for PAM Authentication
=================================
This module is copied from https://bitbucket.org/wnielson/django-pam/ by Weston
Nielson and the pam ctype module by Chris Atlee http://atlee.ca/software/pam/.
Add 'authentic2.vendor.dpam.backends.PAMBackend' to your
``settings.py``::
AUTHENTICATION_BACKENDS = (
...
'authentic2.vendor.dpam.backends.PAMBackend',
...
)
Now you can login via the system-login credentials. If the user is
successfully authenticated but has never logged-in before, a new ``User``
object is created. By default this new ``User`` has both ``is_staff`` and
``is_superuser`` set to ``False``. You can change this behavior by adding
``PAM_IS_STAFF=True`` and ``PAM_IS_SUPERUSER`` in your ``settings.py`` file.
The default PAM service used is ``login`` but you can change it by setting the
``PAM_SERVICE`` variable in your ``settings.py`` file.

9
doc/quick_saml2_idp.rst Normal file
View File

@ -0,0 +1,9 @@
.. _quick_saml2_idp:
=====================================
Quickstart an SAML2 Identity Provider
=====================================
This section has to be done. If you need it now, say it on the issue tracker :
https://dev.entrouvert.org/issues/6057

22
doc/quick_saml2_sp.rst Normal file
View File

@ -0,0 +1,22 @@
.. _quick_saml2_sp:
=====================================================
Quickstart a connection with a SAML2 Service Provider
=====================================================
1. Get the Identity Provider SAML2 metadata file
::
http[s]://your.domain.com/idp/saml2/metadata
2. Configure your service provider with it.
3. Go to the providers admin panel on
::
http[s]://admin/saml/libertyprovider/add/
There create a new provider using the service provider metadata and enable it
as a service provider.

120
doc/settings.rst
View File

@ -1,119 +1,9 @@
.. _settings:
================
General settings
================
===============================
Works with authentic 2 settings
===============================
How do I configure the general settings ?
=========================================
This section has to be done. If you need it now, say it on the issue tracker :
Edit the file settings.py in the project directory authentic2.
A settings file is a Python module with module-level variables. So configure
general settings is done by modifying those variables and reloading your
application server.
See the django documentation for more details about the settings files
management.
Activate or deactivate debug mode
=================================
Variable: DEBUG
Values:
* False: deactivate debug mode
* True: activate debug mode
Manage session cookie duration
==============================
Variable: SESSION_EXPIRE_AT_BROWSER_CLOSE
Values:
* False: Cookies are not removed when browser is closed.
* True: Cookies are removed when browser is closed.
Variable: SESSION_COOKIE_AGE
Value:
* Seconds (36000 equal 10 hours)
Time zone selection
===================
Variable: TIME_ZONE
Values:
* See http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
Activate or deactivate SSL authentication
=========================================
Variable: AUTH_SSL
Values:
* False: deactivate SSL authentication
* True: activate SSL authentication
Activate or deactivate OpenID authentication, Authentic 2 is an OpenID relying party
====================================================================================
Variable: AUTH_OPENID
Values:
* False: deactivate OpenID authentication
* True: activate OpenID authentication
Activate or deactivate Authentic 2 as a SAML2 identity provider
===============================================================
Variable: IDP_SAML2
Values:
* False: deactivate SAML2 identity provider
* True: activate SAML2 identity provider
Configure SAML2 keys
====================
* SAML_SIGNATURE_PUBLIC_KEY: Certtificate or public key for signature
* SAML_SIGNATURE_PRIVATE_KEY: Private key for signature
* SAML_ENCRYPTION_PUBLIC_KEY: Certtificate or public key for encryption
* SAML_ENCRYPTION_PRIVATE_KEY: Private key for encryption
Values are pem files of X509 certificate or key, e.g.:
SAML_SIGNATURE_PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MII...WA==
-----END RSA PRIVATE KEY-----'''
If SAML_ENCRYPTION_PUBLIC_KEY or SAML_ENCRYPTION_PRIVATE_KEY are not given,
the signature keys are used for encryption.
Activate or deactivate Authentic 2 as an OpenID provider
========================================================
Variable: IDP_OPENID
Values:
* False: deactivate OpenID provider
* True: activate OpenID provider
Activate or deactivate Authentic 2 as a CAS server
==================================================
Variable: IDP_CAS
Values:
* False: deactivate CAS server
* True: activate CAS server
https://dev.entrouvert.org/issues/6047

107
doc/settings_listing.rst Normal file
View File

@ -0,0 +1,107 @@
.. _settings_listing:
============
All settings
============
Activate or deactivate debug mode
=================================
Variable: DEBUG
Values:
* False: deactivate debug mode
* True: activate debug mode
Manage session cookie duration
==============================
Variable: SESSION_EXPIRE_AT_BROWSER_CLOSE
Values:
* False: Cookies are not removed when browser is closed.
* True: Cookies are removed when browser is closed.
Variable: SESSION_COOKIE_AGE
Value:
* Seconds (36000 equal 10 hours)
Time zone selection
===================
Variable: TIME_ZONE
Values:
* See http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
Activate or deactivate SSL authentication
=========================================
Variable: AUTH_SSL
Values:
* False: deactivate SSL authentication
* True: activate SSL authentication
Activate or deactivate OpenID authentication, Authentic 2 is an OpenID relying party
====================================================================================
Variable: AUTH_OPENID
Values:
* False: deactivate OpenID authentication
* True: activate OpenID authentication
Activate or deactivate Authentic 2 as a SAML2 identity provider
===============================================================
Variable: IDP_SAML2
Values:
* False: deactivate SAML2 identity provider
* True: activate SAML2 identity provider
Configure SAML2 keys
====================
* SAML_SIGNATURE_PUBLIC_KEY: Certtificate or public key for signature
* SAML_SIGNATURE_PRIVATE_KEY: Private key for signature
* SAML_ENCRYPTION_PUBLIC_KEY: Certtificate or public key for encryption
* SAML_ENCRYPTION_PRIVATE_KEY: Private key for encryption
Values are pem files of X509 certificate or key, e.g.:
SAML_SIGNATURE_PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MII...WA==
-----END RSA PRIVATE KEY-----'''
If SAML_ENCRYPTION_PUBLIC_KEY or SAML_ENCRYPTION_PRIVATE_KEY are not given,
the signature keys are used for encryption.
Activate or deactivate Authentic 2 as an OpenID provider
========================================================
Variable: IDP_OPENID
Values:
* False: deactivate OpenID provider
* True: activate OpenID provider
Activate or deactivate Authentic 2 as a CAS server
==================================================
Variable: IDP_CAS
Values:
* False: deactivate CAS server
* True: activate CAS server

9
doc/translation.rst Normal file
View File

@ -0,0 +1,9 @@
.. _translation:
Compiling translations
======================
Translations must compiled to be useful, to do that run the following command::
./setup.py compile_translations

17
doc/upgrading.rst
View File

@ -4,17 +4,14 @@
Upgrading
=========
How to upgrade to a new version of authentic ?
----------------------------------------------
Update using pip::
Authentic stores all its data in a relational database as specified in its
pip install -U authentic2
Authentic store all its data in a relational database as specified in its
settings.py or local_settings.py file. So in order to upgrade to a new version
of authentic you have to update your database schema using the
migration command — you will need to have installed the dependency
django-south, see the beginning of this README file.::
migration command — you will need to have installed the dependency django-south,
see the beginning of this README file.::
python ./manage.py migrate
Then you will need to create new tables if there are.::
python ./manage.py syncdb
authentic2-ctl syncdb --migrate