summaryrefslogtreecommitdiffstats
path: root/README
blob: a06e1e97937a71f480e682cbb3c212acb71d0997 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
django-mellon
=============

SAML 2.0 authentication for Django

Usage
=====

You need to have the Python binding for the Lasso library installed, you can
find source and package for Debian on http://lasso.entrouvert.org/download/.

Add mellon to your installed apps::

    INSTALLED_APPS = (
       ...
       'mellon',
    )

Add the SAMLBacked to your authentication backends::

    AUTHENTICATION_BACKENDS = (
        ...
        'mellon.backends.SAMLBackend',
    )

Add mellon urls to your urls::

    urlpatterns = patterns('',
        ...
        url(r'^/accounts/mellon/', include('mellon.urls')),
    )

If SAML 2.0 should be your only authentication method you can define `mellon_login` as you main `LOGIN_URL`::

    LOGIN_URL = 'mellon_login'
    LOGOUT_URL = 'mellon_logout'

Your metadata will be downloadable through HTTP on 

    http://whatever.example.net/accounts/mellon/metadata

If your identity provider ask for your assertion consumer URL it's on

    http://whatever.example.net/accounts/mellon/login

If your identity provider ask for your logout URL it's on

    http://whatever.example.net/accounts/mellon/logout

Session
=======

After an authentication attributes are stored in the session using a
dictionary, the key is `mellon_session`. The dictionary contains:

 - issuer: the EntityID of the identity provider
 - name_id_content: the value of the NameID
 - name_id_format: the format of the NameID
 - authn_instant: the ISO8601 date of the authentication on the identity provider, optional.
 - session_not_on_or_after: the ISO8691 date after which the local
   session should be closed. Note that we automatically set the
   expiration of the Django session to this value if it's available.
 - authn_context_class_ref: the authentication method of the current
   authentication on the identity provider. You can restrict
   authorized authentication methods using the setting
   `MELLON_AUTHN_CLASSREF`.
 - all attributes extracted from the assertion.

Settings
========

All generic setting apart from `MELLON_IDENTITY_PROVIDERS` can be
overridden in the identity provider settings by removing the
`MELLON_` prefix.

MELLON_IDENTITY_PROVIDERS
-------------------------

A list of dictionaries, only one key is mandatory in those
dictionaries `METADATA` it should contain the UTF-8 content of the
metadata file of the identity provider or if it starts with a slash
the absolute path toward a metadata file. All other keys are override
of generic settings.

MELLON_PUBLIC_KEYS
------------------

List of public keys of this service provider, add multiple keys for
doing key roll-over

MELLON_PRIVATE_KEY
------------------

The PKCS#8 PEM encoded private key. If neither MELLON_PRIVATE_KEYS and
MELLON_PRIVATE_KEY are set, request will not be signed.

MELLON_PRIVATE_KEY_PASSWORD
---------------------------

Password for the private key if needed, default is None

MELLON_PRIVATE_KEYS
-------------------

A list of private keys contained in strings (same format ass
MELLON_PRIVATE_KEY) or of tuple paris (private_key, private_key_password). If
MELLON_PRIVATE_KEY is None, the first key in MELLON_PRIVATE_KEYS will be used
to sign messages. Other keys are only for decrypting encrypted assertions.  If
the same key appear in MELLON_PRIVATE_KEY and MELLON_PRIVATE_KEYS it will be
ignored the second time. If neither MELLON_PRIVATE_KEYS and MELLON_PRIVATE_KEY
are set, request will not be signed.

MELLON_NAME_ID_FORMATS
----------------------

NameID formats to advertise in the metadata file, default is ().

MELLON_NAME_ID_POLICY_FORMAT
----------------------------

The NameID format to request, default is None.

MELLON_FORCE_AUTHN
------------------

Whether to force authentication on each authencation request,
default is False.

MELLON_ADAPTER
--------------

A list of class providings methods handling SAML authorization, user
lookup and provisioning. Optional methods on theses classes are

 - authorize(idp, saml_attributes) -> boolean

   If any adapter returns False, the authentication is refused. It's
   possible to raise PermissionDenied to show a specific message on
   the login interface.

 - lookup_user(idp, saml_attributes) -> User / None

   Each adapter is called in the order of the settings, the first
   return value which is not None is kept as the authenticated user.

 - provision(user, idp, saml_attributes -> None

   This method is there to fill an existing user fields with data
   from the SAML attributes or to provision any kind of object in the
   application.

Settings of the default adapter
===============================

The following settings are used by the default adapter
`mellon.adapters.DefaulAdapter` if you use your own adapter you can
ignore them. If your adapter inherit from the default adapter those
settings can still be applicable.

MELLON_REALM
------------

The default realm to associate to user created with the default
adapter, default is 'saml'.

MELLON_PROVISION
----------------

Whether to create user if their username does not already exists,
default is True.

MELLON_USERNAME_TEMPLATE
------------------------

The template to build and/or retrieve a user from its username based
on received attributes, the syntax is the one from the str.format()
method of Python. Available variables are:

 - realm
 - idp (current setting for the idp issuing the assertion)
 - attributes

The default value is `{attributes{name_id_content]}@realm`.

Another example could be `{atttributes[uid][0]}` to set the passed
username as the username of the newly created user.

MELLON_ATTRIBUTE_MAPPING
------------------------

Maps templates based on SAML attributes to field of the user model.
Default is {}. To copy standard LDAP attributes into your Django user
model could for example do that::

    MELLON_ATTRIBUTE_MAPPING = {
        'email': '{attributes[mail][0]',
        'first_name': '{attributes[gn][0]}',
        'last_name': '{attributes[sn][0]}',
    }

MELLON_SUPERUSER_MAPPING
------------------------

Attributes superuser flags to user if a SAML attribute contains a given value,
default is {}. Ex.::

    MELLON_SUPERUSER_MAPPING = {
        'roles': 'Admin',
    }

MELLON_AUTHN_CLASSREF
---------------------

Authorized authentication class references, default is (). Empty
value means everything is authorized. Authentication class reference
must be obtained from your identity provider but SHOULD come from the
SAML 2.0 specification.

MELLON_GROUP_ATTRIBUTE
----------------------

Name of the SAML attribute to map to Django group names, default is None. Ex.:

   MELLON_GROUP_ATTRIBUTE = 'role'

MELLON_CREATE_GROUP
-------------------

Whether to create group or only assign existing groups, default is True.

MELLON_ERROR_URL
----------------

URL for the continue link when authentication fails, default is
None. If not ERROR_URL is None, the RelayState is used. If there is
no RelayState, the LOGIN_REDIRECT_URL, which defaults to /, is used.

MELLON_ERROR_REDIRECT_AFTER_TIMEOUT
-----------------------------------

Timeout in seconds before automatically redirecting the user to the
continue URL when authentication has failed. Default is 120 seconds.

MELLON_VERIFY_SSL_CERTIFICATE
-----------------------------

Verify SSL certificate when doing HTTP requests, used when resolving artifacts.
Default is True.

MELLON_TRANSIENT_FEDERATION_ATTRIBUTE
-------------------------------------

Name of an attribute to use in replacement of the NameID content when the NameID
format is transient. Without it no login using a transient NameID can occur with
the default adapter.
Default is None.

MELLON_DEFAULT_ASSERTION_CONSUMER_BINDING
-----------------------------------------

Should be post or artifact. Default is post. You can refer to the SAML 2.0
specification to learn the difference.

Tests
=====

Unit tests are written using pytest and launched using tox, and can be run with:

   tox

Remarks
=======

To honor the SessionNotOnOrAfter attribute sent by an IdP you must use a specific SessionEngine,
only db and cached_db are supported currently, the equivalent session engines are:

    mellon.sessions_backends.db

and

    mellon.sessions_backends.cached_db

Changes
=======

1.2.26
------
- allow federation with IdP using transient NameID and stable identifier
  attribute
- add support for artifact POST
- replace dateutil by isodate
- do not wrap login view in a transaction (using the non_atomic_request
  decorator), to allow finer use of transaction in the login workflow