diff --git a/README b/README index 7376ae355..abed8869e 100644 --- a/README +++ b/README @@ -17,7 +17,8 @@ specifications of SAML2. Authentic 2 requires Python 2.7 and Django 1.7. -Full documentation available on http://authentic2.readthedocs.org/en/stable/. +Full documentation available on http://authentic2.readthedocs.org/en/stable/, +maintained in a distinct repository https://git.entrouvert.org/authentic2-doc.git/. Features -------- diff --git a/doc/Makefile b/doc/Makefile deleted file mode 100644 index 0cfde7f6f..000000000 --- a/doc/Makefile +++ /dev/null @@ -1,153 +0,0 @@ -# Makefile for Sphinx documentation -# - -# You can set these variables from the command line. -SPHINXOPTS = -SPHINXBUILD = sphinx-build -PAPER = -BUILDDIR = _build - -# Internal variables. -PAPEROPT_a4 = -D latex_paper_size=a4 -PAPEROPT_letter = -D latex_paper_size=letter -ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . -# the i18n builder cannot share the environment and doctrees with the others -I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . - -.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext - -help: - @echo "Please use \`make ' where is one of" - @echo " html to make standalone HTML files" - @echo " dirhtml to make HTML files named index.html in directories" - @echo " singlehtml to make a single large HTML file" - @echo " pickle to make pickle files" - @echo " json to make JSON files" - @echo " htmlhelp to make HTML files and a HTML help project" - @echo " qthelp to make HTML files and a qthelp project" - @echo " devhelp to make HTML files and a Devhelp project" - @echo " epub to make an epub" - @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" - @echo " latexpdf to make LaTeX files and run them through pdflatex" - @echo " text to make text files" - @echo " man to make manual pages" - @echo " texinfo to make Texinfo files" - @echo " info to make Texinfo files and run them through makeinfo" - @echo " gettext to make PO message catalogs" - @echo " changes to make an overview of all changed/added/deprecated items" - @echo " linkcheck to check all external links for integrity" - @echo " doctest to run all doctests embedded in the documentation (if enabled)" - -clean: - -rm -rf $(BUILDDIR)/* - -html: - $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html - @echo - @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." - -dirhtml: - $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml - @echo - @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." - -singlehtml: - $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml - @echo - @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." - -pickle: - $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle - @echo - @echo "Build finished; now you can process the pickle files." - -json: - $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json - @echo - @echo "Build finished; now you can process the JSON files." - -htmlhelp: - $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp - @echo - @echo "Build finished; now you can run HTML Help Workshop with the" \ - ".hhp project file in $(BUILDDIR)/htmlhelp." - -qthelp: - $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp - @echo - @echo "Build finished; now you can run "qcollectiongenerator" with the" \ - ".qhcp project file in $(BUILDDIR)/qthelp, like this:" - @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Authentic2.qhcp" - @echo "To view the help file:" - @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Authentic2.qhc" - -devhelp: - $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp - @echo - @echo "Build finished." - @echo "To view the help file:" - @echo "# mkdir -p $$HOME/.local/share/devhelp/Authentic2" - @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Authentic2" - @echo "# devhelp" - -epub: - $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub - @echo - @echo "Build finished. The epub file is in $(BUILDDIR)/epub." - -latex: - $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex - @echo - @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." - @echo "Run \`make' in that directory to run these through (pdf)latex" \ - "(use \`make latexpdf' here to do that automatically)." - -latexpdf: - $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex - @echo "Running LaTeX files through pdflatex..." - $(MAKE) -C $(BUILDDIR)/latex all-pdf - @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." - -text: - $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text - @echo - @echo "Build finished. The text files are in $(BUILDDIR)/text." - -man: - $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man - @echo - @echo "Build finished. The manual pages are in $(BUILDDIR)/man." - -texinfo: - $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo - @echo - @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." - @echo "Run \`make' in that directory to run these through makeinfo" \ - "(use \`make info' here to do that automatically)." - -info: - $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo - @echo "Running Texinfo files through makeinfo..." - make -C $(BUILDDIR)/texinfo info - @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." - -gettext: - $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale - @echo - @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." - -changes: - $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes - @echo - @echo "The overview file is in $(BUILDDIR)/changes." - -linkcheck: - $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck - @echo - @echo "Link check complete; look for any errors in the above output " \ - "or in $(BUILDDIR)/linkcheck/output.txt." - -doctest: - $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest - @echo "Testing of doctests in the sources finished, look at the " \ - "results in $(BUILDDIR)/doctest/output.txt." diff --git a/doc/admin_access.rst b/doc/admin_access.rst deleted file mode 100644 index 8fcdb1ff6..000000000 --- a/doc/admin_access.rst +++ /dev/null @@ -1,16 +0,0 @@ -.. _admin_access: - -============================================ -Access the grapical administration interface -============================================ - -The grapical administration interface is the 'Django admin' part of a Django -project. See for more information. - -Just acces the admin url at http[s]://your.domain.com/admin. - -At first you log with the superuser you created at the very first database -initialization. - -Then you can configure other accesses to the admin checking the is_staff -option displayed on a user in the admin. diff --git a/doc/administration_with_policies.rst b/doc/administration_with_policies.rst deleted file mode 100644 index e0080324e..000000000 --- a/doc/administration_with_policies.rst +++ /dev/null @@ -1,37 +0,0 @@ -.. _administration_with_policies: - -================== -Work with policies -================== - -The policy management with global policies is nearly used for any kind of -policy in Authentic 2. - -For each kind of these policies, the system takes in account two special -global policies named 'Default' and 'All': - -* There is always a system default that does not correspond to the 'Default' - policy. This is used to make Authentic 2 boot without initial - configuration. When you add a 'Default' policy, the system default are not - used anymore. -* A policy has always a name, 'Default' and 'All' are the names of two special - policies with their name hardcoded. But you can create or delete them. -* If no other policy applies, the policy 'Default' applies. -* A policy can be created and attached to any related object. This policy is - authoritative on the policy 'Default'. -* If the policy 'All' exists, it is authoritative on any other policy. -* The global policies 'All' and 'Default' are created by the administrator if - necessary. -* A policy is taken in account only if it is enabled. -* When a regular policy is associated with an object, it is taken in account - only if the option 'enable the following policy' is checked on the oject. - -It is advised to add a 'Default' global policy when it is expected to apply a -policy to all related objects. A 'Default' global policy should be defined to -avoid misonfiguration. - -Add a regular policy to some objects are used to handle particular -configurations for a subset of related objects. - -An 'All' global policy should be used to enforce a global configuration for -all related objects or for testing purposes. diff --git a/doc/advanced.rst b/doc/advanced.rst deleted file mode 100644 index aa4acf875..000000000 --- a/doc/advanced.rst +++ /dev/null @@ -1,125 +0,0 @@ -.. _advanced: - -=============== -Advanced topics -=============== - - -- :ref:`attributes_in_session` -- :ref:`writing_migrations` -- :ref:`write_new_kind_policy` - -.. _attributes_in_session: - -Attributes in session pushed by third SAML2 identity providers -============================================================== - -When an assertion is received, assertion data, including attributes, are -pushed in the Django session dictionnary. - -It leads to the creation of the following dictionnary:: - - request.session['multisource_attributes'] - -The keys of the dictionnary are the source names, i.e. the entity Id for -SAML2 identity providers. - -The values are list of data extracted from assertions. Indeed, this is done -to store multiple assertion received from a same source in a same Django -session:: - - request.session['multisource_attributes'] \ - [source_name] = list() - -The items of this list are dictionnaries with the keys 'certificate_type' and -'attributes'. - -For a saml2 assertion, all the keys are:: - - a8n['certificate_type'] = 'SAML2_assertion' - a8n['nameid'] = ... - a8n['subject_confirmation_method'] = ... - a8n['not_before'] = ... - a8n['not_on_or_after'] = ... - a8n['authn_context'] = ... - a8n['authn_instant'] = ... - a8n['attributes'] = attrs - -a8n['attributes'] has the following structure:: - - attributes = {} - attributes[name] = (value1, value2, ) - attributes[(name, format)] = (value1, value2, ) - attributes[(name, format, nickname)] = (value1, value2, ) - a8n['attributes'] = attributes - -.. _writing_migrations: - -Writing migrations -================== - -Migration containing reference to the user model must be rewritten manually to -refer to the user model name indirectly. The followind modifications must be applied. - -1. First import the `user_model_label` from the `authentic2.compat` module: - -:: - - from authentic2.compat import user_model_label - -Any reference to `orm['auth.User']` or `orm['authentic2.User']` must be -rewritten into `orm[user_model_label]`. For example this line::: - - ('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['authentic2.User'])), - -must be changed to::: - - ('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm[user_model_label])), - -2. The user model when appearing in the `models` field like this: - -:: - - 'auth.user': { - 'meta': {'object_name': 'User', - -must be rewritten like that::: - - user_model_label: { - 'Meta': {'object_name': user_model_label.split('.')[-1]}, - -3. If the user model is referred inside the `to` field of a foreign key - declaration like this: - -:: - - 'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['auth.User']"}) - - must be rewritten like that::: - - 'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['%s']" user_model_label}) - -.. _write_new_kind_policy: - -Add a new kind of administration policy -======================================= - -See how policies works :ref:`administration_with_policies`. Then, the bahavior -should look like:: - - def get_sample_policy(any_object): - # Look for a global policy 'All' - try: - return SamplePolicy.objects.get(name='All', enabled=True) - except SamplePolicy.DoesNotExist: - pass - # Look for a regular policy - if any_object.enable_following_sample_policy: - if any_object.sample_policy: - return any_object.sample_policy - # Look for a global policy 'Default' - try: - return SamplePolicy.objects.get(name='Default', enabled=True) - except SamplePolicy.DoesNotExist: - pass - return None diff --git a/doc/attribute_management.rst b/doc/attribute_management.rst deleted file mode 100644 index ffef95007..000000000 --- a/doc/attribute_management.rst +++ /dev/null @@ -1,443 +0,0 @@ -.. _attribute_management: - -=================================== -Attribute Management in Authentic 2 -=================================== - -Summary -======= - -Attribute management currently allows to configure attribute policies -associated with SAML2 service providers to define attributes that are -pushed in SAML2 successful authentication response delivered by Authentic 2. - -User attributes can be taken from LDAP directories, the user Django -profile or taken from the user Django session if Authentic 2 is also configured -as a SAML2 service provider. - -Indeed, when Authentic 2 acts also as a SAML2 service provider, -attributes contained in the SAML2 assertion received from third IdP are put in -the user session. - -Attributes can thus be proxyfied during SSO with Authentic 2 -configured as a SAML2 proxy. - -*If there is no attribute policy associate with a service provider, no -attribute is forwarded to it.* - -The namespace of attributes received from another SAML2 IdP and of attributes -pushed in the assertion given to service providers can be configured per -attribute or per service provider. - -By default, the namespace and format of attributes in assertion is conformant -to the SAMLV2.0 X500/LDAP Attribute profile:: - - - Mikaël - - -But the http://schemas.xmlsoap.org/ws/2005/05/identity/claims from the ISI -profile can also be used, for instance:: - - - Mikaël - - -Configuration -============= - -Configure local sources of attributes -------------------------------------- - -The source of attributes for authentic2 are of two kinds. The LDAP sources and -the user django profile. - -Declare the Django profile source -_________________________________ - -Add an attribute source named USER_PROFILE with namespace 'Default'. - -1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/ - -2. Write 'USER_PROFILE' in name field - -.. image:: pictures/user_profile_source.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/user_profile_source_saved.png - :width: 800 px - :align: center - -Add an LDAP Source -__________________ - -For LDAP sources, objects of type 'LDAPSource' must be created. - -**Even if the authentication is based on LDAP authentification, thus that a -server is configured in settings.py, it is -necessary to create a corresponding 'LDAPSource' to use it as a source of -attribute.** - -1. Go to http[s]://your.domain.com/admin/attribute_aggregator/ldapsource/add/ - -2. Fill form fields - -Only the field Name, Server, User, Password, Base and Port are used for now. -**The namespace of LDAP source must be kept to 'Default', since the system -namespace is based on LDAP.** - -.. image:: pictures/ldapsource.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/ldapsource_saved.png - :width: 800 px - :align: center - -Manage user distinguished names in LDAP directories -___________________________________________________ - -To find the user in a LDAP directory, authentic2 must know its distinguished -name (DN). If this LDAP has been used when the user has authenticated, -Authentic 2 learn the user DN. Nothing has to be done from this point of view. - -However, if it is expected that user attributes be taken in a directory that -is not used by the user for authentication, it is necessary to manually -indicate to Authentic 2 what is the user DN in the directory. For this, a -user alias in source is created for the user: - -1. Go to http[s]://your.domain.com/admin/attribute_aggregator/useraliasinsource/add/ - -2. Fill form fields - -.. image:: pictures/alias_in_source.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/alias_in_source_saved.png - :width: 800 px - :align: center - -Configure attributes from local sources pushed to SAML2 service providers in SSO response ------------------------------------------------------------------------------------------ - -Reminder: - -- The default name format in SAML2 assertions is URI -- The default namespace called 'Default' is LDAP - -In summary: - -1. Create attribute items indicating an attribute name, a source, the name format expected and the namespace expected for the attribute name and friendly name if any. - -2. Create a named list of attribute items. - -3. Create an attribute policy and associate the previous list or associate the previous list to a existing attribute policy. - -4. Associate the policy to a service provider. - -Create attribute items -______________________ - -1. Go to http[s]://your.domain.com/admin/idp/attributeitem/add/ - -2. Fill form fields - -.. image:: pictures/attribute_item.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/attribute_item_saved.png - :width: 800 px - :align: center - -Create a named list of attribute items -______________________________________ - -1. Go to http[s]://your.domain.com/admin/idp/attributelist/add/ - -2. Name the list and add items to list - -.. image:: pictures/attribute_list.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/attribute_list_saved.png - :width: 800 px - :align: center - -Create or modify an attribute policy -____________________________________ - -You can create a global policy 'All' or 'Default'. For details, see :ref:`administration_with_policies`. -Or you can create a regular policy and associate it to a service provider. - -1. Go to http[s]://your.domain.com/admin/idp/attributepolicy/add/ - -2. Add list to the policy - -.. image:: pictures/policy_pull.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/policy_pull_saved.png - :width: 800 px - :align: center - -Associate the policy to a service provider -__________________________________________ - -1. Go to http[s]://your.domain.com/admin/saml/libertyprovider/1/ - -2. Associate the policy to the service provider and **enable it** - -.. image:: pictures/sp_policy_pull.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/sp_policy_pull_saved.png - :width: 800 px - :align: center - -4. The display name of the policy has changed - -.. image:: pictures/policy_pull_renamed.png - :width: 800 px - :align: center - -Handle attributes provided by other Identity providers and pushed to SAML2 service providers in SSO response (proxy attributes) -------------------------------------------------------------------------------------------------------------------------------- - -To have these kind of attributes to forward, authentic must be configured as a -SAML2 service provider, see the corresponding administration page -:ref:`config_saml2_idp`. - -Forward all attributes in session without any modification -__________________________________________________________ - -Create or modify an attribute policy activating the option 'Forward attributes from push sources' and save. - -**No other option below must be used.** - -.. image:: pictures/attr_policy_forward.png - :width: 800 px - :align: center - -**Attach policy to the service provider if it is not yet the case.** - -**No need to deal with namespace here.** - -Filter attributes from source only -__________________________________ - -Here, you want to forward **all** attributes of selected source of attributes. - -First of all you need to create objects corresponding to the sources of -attributes. - -**The name of the source object must be the entity ID of the SAML2 -identity provider.** - -1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/ - -2. Set the name (No need to change the namespace) - -.. image:: pictures/attr_source_idp.png - :width: 800 px - :align: center - -3. Save - -.. image:: pictures/attr_source_idp_saved.png - :width: 800 px - :align: center - -Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**. -You then select the source you want to forward attributes through the selection box and you save. - -.. image:: pictures/attr_policy_filter_source.png - :width: 800 px - :align: center - -**Attach policy to the service provider if it is not yet the case.** - -**No need to deal with namespace here.** - - -Modify namespace of attributes forwarded when attributes forwarded are not filtered or when filtered according to the source -____________________________________________________________________________________________________________________________ - -The system needs to 'recognise the attributes' to perform the mapping. -For this, you need to indicate the namespace of attributes received per source -if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu* -and supann). - -In other words if the source provides attributes in a different namespace, you -need to create objects corresponding to the sources of attributes and indicate -there the right namespace. By default, the only other supported namespace is -http://schemas.xmlsoap.org/ws/2005/05/identity/claims. - -.. image:: pictures/attr_source_idp_claims.png - :width: 800 px - :align: center - -Then create or modify an attribute policy activating the options 'Forward attributes from push sources', -**'Map attributes from push sources'**. You also choose the output namespace expected with the -parameters **'Output name format'** and **'Output namespace'**. - -.. image:: pictures/attr_policy_map_ns.png - :width: 800 px - :align: center - -Remind that the default namespace is X500/LDAP + edu* + supann and the only other supported namespace is -http://schemas.xmlsoap.org/ws/2005/05/identity/claims. - -**Attach policy to the service provider if it is not yet the case.** - -Filter attributes with a list of attributes, with or without choosing the source -________________________________________________________________________________ - -The system needs to 'recognise the attributes' to filter the attributes -according to a list of attributes. -For this, you need to indicate the namespace of attributes received per source -if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu* -and supann). - -In other words if the source provides attributes in a different namespace, you -need to create objects corresponding to the sources of attributes and indicate -there the right namespace. By default, the only other supported namespace is -http://schemas.xmlsoap.org/ws/2005/05/identity/claims. - -.. image:: pictures/attr_source_idp_claims.png - :width: 800 px - :align: center - -You then create an attribute list as described in section *'Create a named list of attribute items'*. - -Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**. -You then associate the list of attributes. - -.. image:: pictures/attr_policy_filter_attributes.png - :width: 800 px - :align: center - -If you want to also filter according to the source you can configure it as defined in section *'Filter attributes from source only'*. You can also choose to filter -with the source indicate per attribute item of the list. For this select the option **'Filter source of filtered attributes'**. - -.. image:: pictures/attr_policy_filter_attributes_source.png - :width: 800 px - :align: center - -.. image:: pictures/attribute_item.png - :width: 800 px - :align: center - -The default name format is URI. You can however change the name format and namespace with the option **'Map attributes from push sources'** and the parameters **'Output name format'** and **'Output namespace'**. - -Using the option **'Map attributes of filtered attributes'** the output name format and namespace are the ones indicated per attribute item of the list. - -.. image:: pictures/attr_policy_filter_attributes_map.png - :width: 800 px - :align: center - -.. image:: pictures/attribute_item.png - :width: 800 px - :align: center - - -Push manually (writing bits of code) attributes to SAML2 service providers in SSO response ------------------------------------------------------------------------------------------- - -In idp/signals.py connect to the add_attributes_to_response signal:: - - add_attributes_to_response.connect(your_function) - -Your function must return an attribute dictionnary as follows:: - - dic = {} - attributes = {} - attributes[name] = (value1, value2, ) - attributes[(name, format)] = (value1, value2, ) - attributes[(name, format, nickname)] = (value1, value2, ) - dic['attributes'] = attributes - return dic - -*format* must be in (lasso.SAML2_ATTRIBUTE_NAME_FORMAT_URI, -lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC) - -You can use the attributes form the local source and the attributes in the -session that are pushed by other identity providers. - -Attributes in the session are in:: - - request.session['multisource_attributes'] - -See the page :ref:`attributes_in_session`. - -If you want to use local source of attributes and use mapping capabilities -of the UserAttributeProfile see the page :ref:`attribute_management_explained`. -Use the file idp/attributes.py as an exemple. - -Modifying supported namespaces and attribute name mappings -========================================================== - -The mapping is defined in the file attribute_aggregator/mapping.py - -The mapping can be modified with the variables ATTRIBUTE_NAMESPACES and -ATTRIBUTE_MAPPING that can be redefined using settings. - -Add new namespaces in ATTRIBUTE_NAMESPACES. - -To extend the default schema add key/value in ATTRIBUTE_MAPPING, for instance:: - - "displayName": { - "oid": "2.16.840.1.113730.3.1.241", - "display_name": _("displayName"), - "type": "http://www.w3.org/2001/XMLSchema#string", - "syntax": "1.3.6.1.4.1.1466.115.121.1.15", - }, - -Add mapping of attribute name extending attribute entries in ATTRIBUTE_MAPPING, -for instance:: - - "sn": { - "oid": "2.5.4.4", - "display_name": _("sn surname"), - "alias": ['surname'], - "profile_field_name": 'last_name', - "type": "http://www.w3.org/2001/XMLSchema#string", - "namespaces": { - "http://schemas.xmlsoap.org/ws/2005/05/identity/claims": { - "identifiers": - [ - "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", - ], - "friendly_names": - [ - "Last Name", - ], - } - } - }, diff --git a/doc/auth_ldap.rst b/doc/auth_ldap.rst deleted file mode 100644 index edf6decc2..000000000 --- a/doc/auth_ldap.rst +++ /dev/null @@ -1,61 +0,0 @@ -.. _auth_ldap: - -============================================== -Authentication with an existing LDAP directory -============================================== - -Authentic use the module django_auth_ldap to synchronize the Django user tables -with an LDAP. For complex use case, we will refer you to the django_auth_ldap -documentation, see http://packages.python.org/django-auth-ldap/. - -How to authenticate users against an LDAP server with anonymous binding ? -------------------------------------------------------------------------- - -1. Install the django_auth_ldap module for Django:: - - pip install django_auth_ldap - - -2. Configure your local_settings.py file for authenticating against LDAP. - -The next lines must be added:: - - AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', ) - - import ldap - from django_auth_ldap.config import LDAPSearch - - # Here put the LDAP URL of your server - AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com' - # Let the bind DN and bind password blank for anonymous binding - AUTH_LDAP_BIND_DN = "" - AUTH_LDAP_BIND_PASSWORD = "" - # Lookup user under the branch o=base and by mathcing their uid against the - # received login name - AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base", - ldap.SCOPE_SUBTREE, "(uid=%(user)s)") - -How to allow members of an LDAP group to manage Authentic ? ------------------------------------------------------------ - -1. First you must know the objectClass of groups in your LDAP schema, this FAQ - will show you the configuration for two usual classes: groupOfNames and - groupOfUniqueNames. - -2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany - -3. Add the following lines:: - - from django_auth_ldap.config import GroupOfNamesType - AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() - AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany", - ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)") - AUTH_LDAP_USER_FLAGS_BY_GROUP = { - "is_staff": "cn=admin,o=mycompany" - } - -For an objectClass of groupOfUniqueNames you would change the string -GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to -groupOfUniqueNames. For more complex cases see the django_auth_ldap -documentation. - diff --git a/doc/change_db.rst b/doc/change_db.rst deleted file mode 100644 index bfbaa928d..000000000 --- a/doc/change_db.rst +++ /dev/null @@ -1,21 +0,0 @@ -.. _change_db: - -=============================== -Specifying a different database -=============================== - -This is done by modifying the DATABASES dictionary in your local_settings.py -file (create it in Authentic project directory); for example:: - - DATABASES['default'] = { - 'ENGINE': 'django.db.backends.postgresql', - 'NAME': 'authentic', - 'USER': 'admindb', - 'PASSWORD': 'foobar', - 'HOST': 'db.example.com', - 'PORT': '', # empty string means default value - } - -You should refer to the Django documentation on databases settings at -http://docs.djangoproject.com/en/dev/ref/settings/#databases for all -the details. diff --git a/doc/conf.py b/doc/conf.py deleted file mode 100644 index aa0f846e4..000000000 --- a/doc/conf.py +++ /dev/null @@ -1,254 +0,0 @@ -# -*- coding: utf-8 -*- -# -# Authentic2 documentation build configuration file, created by -# sphinx-quickstart on Thu Oct 13 14:38:32 2011. -# -# This file is exec()d with the current directory set to its containing dir. -# -# Note that not all possible configuration values are present in this -# autogenerated file. -# -# All configuration values have a default; values that are commented out -# serve to show the default. - - -# If extensions (or modules to document with autodoc) are in another directory, -# add these directories to sys.path here. If the directory is relative to the -# documentation root, use os.path.abspath to make it absolute, like shown here. -# sys.path.insert(0, os.path.abspath('.')) - -# -- General configuration ----------------------------------------------------- - -# If your documentation needs a minimal Sphinx version, state it here. -# needs_sphinx = '1.0' - -# Add any Sphinx extension module names here, as strings. They can be extensions -# coming with Sphinx (named 'sphinx.ext.*') or your custom ones. -extensions = [ - 'sphinx.ext.autodoc', - 'sphinx.ext.doctest', - 'sphinx.ext.intersphinx', - 'sphinx.ext.todo', - 'sphinx.ext.coverage', - 'sphinx.ext.imgmath', - 'sphinx.ext.ifconfig', - 'sphinx.ext.viewcode', -] - -# Add any paths that contain templates here, relative to this directory. -templates_path = ['_templates'] - -# The suffix of source filenames. -source_suffix = '.rst' - -# The encoding of source files. -# source_encoding = 'utf-8-sig' - -# The master toctree document. -master_doc = 'index' - -# General information about the project. -project = 'Authentic 2' -copyright = '2012, 2011, 2010, Entr\'ouvert' - -# The version info for the project you're documenting, acts as replacement for -# |version| and |release|, also used in various other places throughout the -# built documents. -# -# The short X.Y version. -version = '2' -# The full version, including alpha/beta/rc tags. -release = '2.0.2' - -# The language for content autogenerated by Sphinx. Refer to documentation -# for a list of supported languages. -# language = None - -# There are two options for replacing |today|: either, you set today to some -# non-false value, then it is used: -# today = '' -# Else, today_fmt is used as the format for a strftime call. -# today_fmt = '%B %d, %Y' - -# List of patterns, relative to source directory, that match files and -# directories to ignore when looking for source files. -exclude_patterns = ['_build'] - -# The reST default role (used for this markup: `text`) to use for all documents. -# default_role = None - -# If true, '()' will be appended to :func: etc. cross-reference text. -# add_function_parentheses = True - -# If true, the current module name will be prepended to all description -# unit titles (such as .. function::). -# add_module_names = True - -# If true, sectionauthor and moduleauthor directives will be shown in the -# output. They are ignored by default. -# show_authors = False - -# The name of the Pygments (syntax highlighting) style to use. -pygments_style = 'sphinx' - -# A list of ignored prefixes for module index sorting. -# modindex_common_prefix = [] - - -# -- Options for HTML output --------------------------------------------------- - -# The theme to use for HTML and HTML Help pages. See the documentation for -# a list of builtin themes. -html_theme = 'default' - -# Theme options are theme-specific and customize the look and feel of a theme -# further. For a list of options available for each theme, see the -# documentation. -# html_theme_options = {} - -# Add any paths that contain custom themes here, relative to this directory. -# html_theme_path = [] - -# The name for this set of Sphinx documents. If None, it defaults to -# " v documentation". -# html_title = None - -# A shorter title for the navigation bar. Default is the same as html_title. -# html_short_title = None - -# The name of an image file (relative to this directory) to place at the top -# of the sidebar. -html_logo = 'pictures/eo_logo_t.png' - -# The name of an image file (within the static path) to use as favicon of the -# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 -# pixels large. -# html_favicon = None - -# Add any paths that contain custom static files (such as style sheets) here, -# relative to this directory. They are copied after the builtin static files, -# so a file named "default.css" will overwrite the builtin "default.css". -html_static_path = ['_static'] - -# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, -# using the given strftime format. -# html_last_updated_fmt = '%b %d, %Y' - -# If true, SmartyPants will be used to convert quotes and dashes to -# typographically correct entities. -# html_use_smartypants = True - -# Custom sidebar templates, maps document names to template names. -# html_sidebars = {} - -# Additional templates that should be rendered to pages, maps page names to -# template names. -# html_additional_pages = {} - -# If false, no module index is generated. -# html_domain_indices = True - -# If false, no index is generated. -# html_use_index = True - -# If true, the index is split into individual pages for each letter. -# html_split_index = False - -# If true, links to the reST sources are added to the pages. -# html_show_sourcelink = True - -# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. -# html_show_sphinx = True - -# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. -# html_show_copyright = True - -# If true, an OpenSearch description file will be output, and all pages will -# contain a tag referring to it. The value of this option must be the -# base URL from which the finished HTML is served. -# html_use_opensearch = '' - -# This is the file name suffix for HTML files (e.g. ".xhtml"). -# html_file_suffix = None - -# Output file base name for HTML help builder. -htmlhelp_basename = 'Authentic2doc' - - -# -- Options for LaTeX output -------------------------------------------------- - -latex_elements = { - # The paper size ('letterpaper' or 'a4paper'). - #'papersize': 'letterpaper', - # The font size ('10pt', '11pt' or '12pt'). - #'pointsize': '10pt', - # Additional stuff for the LaTeX preamble. - #'preamble': '', -} - -# Grouping the document tree into LaTeX files. List of tuples -# (source start file, target name, title, author, documentclass [howto/manual]). -latex_documents = [ - ('index', 'Authentic2.tex', 'Authentic2 Documentation', 'Entr\'ouvert', 'manual'), -] - -# The name of an image file (relative to this directory) to place at the top of -# the title page. -latex_logo = 'pictures/eo_logo.png' - -# For "manual" documents, if this is true, then toplevel headings are parts, -# not chapters. -# latex_use_parts = False - -# If true, show page references after internal links. -# latex_show_pagerefs = False - -# If true, show URL addresses after external links. -# latex_show_urls = False - -# Documents to append as an appendix to all manuals. -# latex_appendices = [] - -# If false, no module index is generated. -# latex_domain_indices = True - - -# -- Options for manual page output -------------------------------------------- - -# One entry per manual page. List of tuples -# (source start file, name, description, authors, manual section). -man_pages = [('index', 'authentic2', 'Authentic2 Documentation', [u'Mikaël Ates'], 1)] - -# If true, show URL addresses after external links. -# man_show_urls = False - - -# -- Options for Texinfo output ------------------------------------------------ - -# Grouping the document tree into Texinfo files. List of tuples -# (source start file, target name, title, author, -# dir menu entry, description, category) -texinfo_documents = [ - ( - 'index', - 'Authentic2', - 'Authentic2 Documentation', - 'Mikaël Ates', - 'Authentic2', - 'One line description of project.', - 'Miscellaneous', - ), -] - -# Documents to append as an appendix to all manuals. -# texinfo_appendices = [] - -# If false, no module index is generated. -# texinfo_domain_indices = True - -# How to display URL addresses: 'footnote', 'no', or 'inline'. -# texinfo_show_urls = 'footnote' - - -# Example configuration for intersphinx: refer to the Python standard library. -intersphinx_mapping = {'http://docs.python.org/': None} diff --git a/doc/config_cas_sp.rst b/doc/config_cas_sp.rst deleted file mode 100644 index 1e22f859e..000000000 --- a/doc/config_cas_sp.rst +++ /dev/null @@ -1,28 +0,0 @@ -.. _config_cas_sp: - -===================================== -Configure Authentic 2 as a CAS server -===================================== - -How to use Authentic 2 as a CAS 1.0 or CAS 2.0 identity provider ? ------------------------------------------------------------------- - -1. Activate CAS IdP support in settings.py:: - - IDP_CAS = True - -2. Then create the database table to hold CAS service tickets:: - - python authentic2/manage.py syncdb --migrate - -3. Also configure authentic2 to authenticate against your LDAP directory (see - above) if your want your user attributes to be accessible from your service, - if it is not necessary you can use the normal relational database storage - for you users. - -4. Finally configure your service to point to the CAS endpoint at: - - http[s]://your.domain.com/idp/cas/ - -5. If needed configure your service to resolve authenticated user with your - LDAP directory (if user attributes are needed for your service) diff --git a/doc/config_saml2_idp.rst b/doc/config_saml2_idp.rst deleted file mode 100644 index 0d8a6d601..000000000 --- a/doc/config_saml2_idp.rst +++ /dev/null @@ -1,167 +0,0 @@ -.. _config_saml2_idp: - -================================================================== -Configure Authentic 2 as a SAML2 service provider or a SAML2 proxy -================================================================== - -**The configuration to make Authentic 2 a SAML2 service provider or a SAML2 -proxy is the same. The difference comes from that Authentic 2 is may be -configured or not as a SAML2 identity provider.** - -How do I authenticate against a third SAML2 identity provider? -============================================================== - -1. Declare Authentic 2 as a SAML2 service provider on your SAML2 identity provider using the SAML2 service provider metadata of Authentic 2. - -Go to http[s]://your.domain.com/authsaml2/metadata - -2. Add and configure a SAML2 identity provider entry in Authentic 2 using the metadata of the identity provider. - -How do I add and configure a SAML2 identity provider in Authentic 2? -==================================================================== - -You first need to create a SAML2 identity provider entry with the SAML2 -metadata of the identity provider. Then, you configure it. - -If your identity provider is Authentic 2, the metadata are available at: - - http[s]://your.domain.com/idp/saml2/metadata - -See :ref:`where_metadata` for more information. - -Create a SAML2 identity provider entry --------------------------------------- - -You first need to create a new SAML2 identity provider entry. This requires -the SAML2 metadata of the identity provider. - -1. Go to - - http[s]://your.domain.com/admin/saml/libertyprovider/add/ - -2. Fill the form fields - -.. image:: pictures/new_saml2_idp_1.png - :width: 800 px - :align: center - -.. image:: pictures/new_saml2_idp_2.png - :width: 800 px - :align: center - -**The identity provider must be enabled.** - -See below about configuring the identity provider with policies: - -* options of the identity provider - -3. Save - -.. image:: pictures/new_saml2_idp_saved.png - :width: 800 px - :align: center - -Apply a SAML2 identity provider options policy ----------------------------------------------- - -The SAML2 options of the identity provider are configured using idp options -policies. For the explanation of the options see the following section. - -See the *administration with policy principle* page :ref:`administration_with_policies`. - -You may create a regular policy and configure your service provider to use it. - -Go to: - - http[s]://your.domain.com/admin/saml/idpoptionssppolicy/add/ - -Configure your policy and save: - -.. image:: pictures/idp_options_regular.png - :width: 800 px - :align: center - -.. image:: pictures/idp_options_regular_saved.png - :width: 800 px - :align: center - -Apply the policy to the identity provider: - -.. image:: pictures/idp_options_regular_modify_sp.png - :width: 800 px - :align: center - -Example with a policy 'Default': - -.. image:: pictures/idp_options_default.png - :width: 800 px - :align: center - -Example with a policy 'All': - -.. image:: pictures/idp_options_all.png - :width: 800 px - :align: center - -If no policy is found for the configuration of the SAML2 options of an identity -provider, the following error is displayed to the users when a SSO request is -initiated. - -.. image:: pictures/error_no_idp_options.png - :width: 800 px - :align: center - -SAML2 identity provider options explained ------------------------------------------ - -Behavior with persistent nameID -_______________________________ - -This option applies when an assertion with a persistent nameID is received and -the nameID is not recognized as an existing federation. - -Two values are possible: "Create new account" and "Account linking by authentication". - -The value "Create new account" makes Authentic 2 create a user account associated -to the nameID received. - -The value "Account linking by authentication" makes Authentic 2 ask the user to -authenticate with an existing account to associate the nameID to this account. - -Behavior with transient nameID -_______________________________ - -This option applies when an assertion with a transient nameID is received and -there isn't a session opened for the user yet. - -Two values are possible: "Open a session" and "Ask authentication". - -The value "Open a session" makes Authentic 2 open a session. - -The value "Ask authentication" makes Authentic 2 ask for a user authentication, -even when a valid assertion is received. That may have sense for instance if -the SSO login is used only to receive signed attributes for users with existing -accounts. - - -How to refresh the metadata of an identity provider hosted at a Well-Known Location? -==================================================================================== - -The Well-Known Location (WKL) means that the entity Id of the provider is a -URL at which the provider metadata are hosted. - -To refresh them, select the provider on the list of provider, then select in -the menu 'Update metadata', then click on 'Go'. - -.. image:: pictures/update_metadata.png - :width: 800 px - :align: center - -.. image:: pictures/update_metadata_done.png - :width: 800 px - :align: center - -How to create in bulk identity providers with the sync-metadata script? -======================================================================= - -See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`. diff --git a/doc/config_saml2_sp.rst b/doc/config_saml2_sp.rst deleted file mode 100644 index ee8729d3a..000000000 --- a/doc/config_saml2_sp.rst +++ /dev/null @@ -1,142 +0,0 @@ -.. _config_saml2_sp: - -==================================== -Configure SAML 2.0 service providers -==================================== - -How do I authenticate against Authentic 2 with a SAML2 service provider? -======================================================================== - -1. Declare Authentic 2 as a SAML2 identity provider on your SAML2 service provider using the SAML2 identity provider metadata of Authentic 2. - -Go to http[s]://your.domain.com/idp/saml2/metadata - -2. Add and configure a SAML2 service provider in Authentic 2 using the metadata of the service provider. - -How do I add and configure a SAML2 service provider in Authentic 2? -=================================================================== - -You first need to create a new SAML2 service provider entry. This requires the -SAML2 metadata of the service provider. - -If your service provider is Authentic 2, the metadata are available at: - - http[s]://your.domain.com/authsaml2/metadata - -See :ref:`where_metadata` for more information. - -Create a SAML2 service provider entry -------------------------------------- - -1. Go to - - http[s]://your.domain.com/admin/saml/libertyprovider/add/ - -2. Fill the form fields - -.. image:: pictures/new_saml2_sp_1.png - :width: 800 px - :align: center - -.. image:: pictures/new_saml2_sp_2.png - :width: 800 px - :align: center - -**Note:** The service provider must be enabled. - -See below about configuring the service provider with policies: - -* options of the service provider - -* protocol policy - -* attribute policy - - -3. Save - -.. image:: pictures/new_saml2_sp_saved.png - :width: 800 px - :align: center - -Apply a SAML2 service provider options policy ---------------------------------------------- - -The SAML2 options of the service provider are configured using sp options -policies. - -See the *administration with policy principle* page :ref:`administration_with_policies`. - -You may create a regular policy and configure your service provider to use it. - -Go to: - - http[s]://your.domain.com/admin/saml/spoptionsidppolicy/add/ - -Configure your policy and save: - -.. image:: pictures/sp_options_regular.png - :width: 800 px - :align: center - -.. image:: pictures/sp_options_regular_saved.png - :width: 800 px - :align: center - -Apply the policy to the service provider: - -.. image:: pictures/sp_options_regular_modify_sp.png - :width: 800 px - :align: center - -Example with a policy 'Default': - -.. image:: pictures/sp_options_default.png - :width: 800 px - :align: center - -Example with a policy 'All': - -.. image:: pictures/sp_options_all.png - :width: 800 px - :align: center - -If no policy is found for the configuration of the SAML2 options of a service -provider, the following error is displayed to the users when a SSO request is -received. - -.. image:: pictures/error_no_sp_options.png - :width: 800 px - :align: center - -Configure the SAML2 service provider protocol options ------------------------------------------------------ - -This kind of policy does not use the policy management using global policies. - -You should use the default option except if your service provider is a -Shibboleth service provider, then you should use the option "Shibboleth SP -(AuthnRequest Signature: Does not check signatures)". - -Configure the attribute policy of the service provider ------------------------------------------------------- - -See the attribute management page :ref:`attribute_management`. - -How to refresh the metadata of a service provider hosted at a Well-Known Location? -================================================================================== - -The Well-Known Location (WKL) means that the entity Id of the provider is a -URL at which the provider metadata are hosted. - -To refresh them, select the provider on the list of provider, then select in -the menu 'Update metadata', then click on 'Go'. - -.. image:: pictures/update_metadata.png - :width: 800 px - :align: center - -How to create in bulk service providers with the sync-metadata script? -====================================================================== - -See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`. diff --git a/doc/configuration.rst b/doc/configuration.rst deleted file mode 100644 index d3ae832ce..000000000 --- a/doc/configuration.rst +++ /dev/null @@ -1,86 +0,0 @@ -.. _configuration: - -============= -Configuration -============= - -Configuration with settings -=========================== - -.. toctree:: - :maxdepth: 1 - - settings - - settings_listing - -Configuration with the administration interface -=============================================== - -Basics ------- - -.. toctree:: - :maxdepth: 1 - - admin_access - - administration_with_policies - -Authentication backends ------------------------ - -.. toctree:: - :maxdepth: 1 - - auth_ldap - -SAML2 ------ - -.. toctree:: - :maxdepth: 1 - - where_metadata - - config_saml2_sp - - config_saml2_idp - - saml2_slo - -CAS ---- - -.. toctree:: - :maxdepth: 1 - - config_cas_sp - -Attributes ----------- - -.. toctree:: - :maxdepth: 1 - - attribute_management - -User interfaces and interactions --------------------------------- - -.. toctree:: - :maxdepth: 1 - - consent_management - -Administration -============== - -.. toctree:: - :maxdepth: 1 - - translation - - cronjobs - - sync-metadata_script diff --git a/doc/consent_management.rst b/doc/consent_management.rst deleted file mode 100644 index b468ffd68..000000000 --- a/doc/consent_management.rst +++ /dev/null @@ -1,84 +0,0 @@ -.. _consent_management: - -================================= -Consent Management in Authentic 2 -================================= - -What is the SAML2 federation consent aka account linking consent? -================================================================= - -At the first single sign on process on the identity provider side, the user -may be asked if she agrees to federation its local account with the remote -account on the service provider side. - -The account linking also called a federation means that the nameID is -persistent and will link the two accounts. This signed identifier allows to -the service provider to login the user without reauthentication during the -following single sign on process. - -How the consent is collected is determined by the identity provider. The -service provider receives in the authnRequest the consent attribute -indicating how the user consent was managed. - - -Account linking consent management on the identity provider side -================================================================ - -The consent is managed per service provider according to the options policy -that applies to the service provider. - -The parameter 'Ask user for consent when creating a federation' determine -if the user consent must be asked to the user. - -.. image:: pictures/federation_consent_idp.png - :width: 800 px - :align: center - -*Take care that is the identity provider provides the service provider with -a transient nameID, there is no account linking, so there is no need for a -consent.* - -*The user consent is only asked once. In other words, if the user already has -a federation, the consent won't be asked anymore.* - -If the policy requires the user consent, this can be bypassed using the signal -'avoid_consent'. - -Account linking consent management on the service provider side -=============================================================== - -The service provider may refuse a valid single sign on if the user consent -was not asked. - -The parameter 'Require the user consent be given at account linking' of the -identity provider options policy determine the service provider behavior. - -.. image:: pictures/federation_consent_sp.png - :width: 800 px - :align: center - -How manage attribute forwarding consent? -======================================== - -*If there is no attribute policy associate with a service provider, no -attribute is forwarded.* - -When an attribute policy applies you can configure the consent rules per -service provider. - -The choices are: - -- Don't ask the user consent -- Ask the consent in all-or-nothing mode -- Allow attribute selection - -To ask the user consent, tick the parameter 'Ask the user consent before -forwarding attributes' of the attribute policy that applies to the service -provider. - -To allow the attribute selection on the attribute consent page, tick the -parameter 'Allow the user to select the forwarding attributes'. - -.. image:: pictures/attributes_consent.png - :width: 800 px - :align: center diff --git a/doc/copyright.rst b/doc/copyright.rst deleted file mode 100644 index 107d664ce..000000000 --- a/doc/copyright.rst +++ /dev/null @@ -1,12 +0,0 @@ -.. _copyright: - -========= -Copyright -========= - -Authentic and Authentic 2 are copyrighted by Entr'ouvert and are licensed -through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of -the whole license text is available in the COPYING file. - -The Documentation is under the licence Creative Commons -`CC BY-SA 2.0 `_. diff --git a/doc/cronjobs.rst b/doc/cronjobs.rst deleted file mode 100644 index 534ce15b4..000000000 --- a/doc/cronjobs.rst +++ /dev/null @@ -1,11 +0,0 @@ -.. _cronjobs: - - -Cronjobs and cleaning -===================== - -The following cronjob must be run to clean deleted accounts and temporary objects:: - - 5 0 * * * athentic2-ctl cleanup - -It's made to run every day at 00:05. diff --git a/doc/deployment.rst b/doc/deployment.rst deleted file mode 100644 index ffcfe12af..000000000 --- a/doc/deployment.rst +++ /dev/null @@ -1,60 +0,0 @@ -.. _deployment: - -================================================== -Running Authentic 2 for real (Nginx, Apache, etc.) -================================================== - - -DEBUG Mode by default, static files and the Django debug toolbar dependency ? ------------------------------------------------------------------------------ - -By default, Authentic 2 is in the DEBUG mode. We made this default choice -because most of the Authentic 2's users will begin with Authentic 2 using -the Django development server (runserver command) and we want to avoid them -a bad first impression because static files would not be served. As a matter -of fact, static files are served by the Django development server only when -the project is run in the DEBUG mode. - -In the DEBUG mode, the Django debug toolbar is used what adds a dependency. - -In production, the Django development server should not be used to serve -Authentic 2 and a dedicated server should also be used to serve the static -files. - -Set Authentic into the no DEBUG Mode ------------------------------------- - -It is enough to edit authentic2/settings.py and set:: - - DEBUG = False - -From then on the django-debug-toolbar package is not necessary anymore. - -Use dedicated HTTP servers and serve static files -------------------------------------------------- - -The best is to use a server dedicated to serve the Django applications and a -different server to serve the static files. - -You could for instance use apache with mod_wsgi to serve Authentic 2. You will -find configuration file examples in the debian directory of the Authentic 2 -sources. - -Then you may want to use nginx to serve the static files. - -First you need to collect the Authentic 2 static files. The static files are -collected using the collectstatic command that is configured in the -settings.py. - -By default, running collectstatic will create a static directory in the parent -directory of the authentic2 directory:: - - $python authentic2/manage.py collectstatic - -That static directory will contain all the static files of Authentic 2. - -If you want to change the path of the static directory you can edit -STATIC_ROOT of the settings file. - -See https://docs.djangoproject.com/en/dev/ref/contrib/staticfiles/ for more -information about collectstatic. diff --git a/doc/development.rst b/doc/development.rst deleted file mode 100644 index 86ff8630c..000000000 --- a/doc/development.rst +++ /dev/null @@ -1,86 +0,0 @@ -.. _development: - -=========== -Development -=========== - -Get the code and the dependencies -================================= - -1. Clone the repository:: - - $ git clone https://git.entrouvert.org/authentic.git - -2. Install `lasso `_ python packages:: - - $ curl https://deb.entrouvert.org/entrouvert.gpg | sudo apt-key add - - $ echo deb http://deb.entrouvert.org/ buster main | \ - sudo tee /etc/apt/sources.list.d/entrouvert.list - $ sudo apt-get update - $ sudo apt-get install python-lasso python3-lasso - -3. Install dependencies:: - - $ sudo apt-get install postgresql build-essential gettext sassc \ - libldap2-dev libsasl2-dev python3-dev - -Run the tests -============= - -1. Setup a virtualenv:: - - $ sudo apt-get install direnv - $ echo layout python3 > authentic/.envrc - $ direnv allow authentic - $ cd authentic - $ pip install tox - -2. Run:: - - $ JENKINS_URL=fakeurl pg_virtualenv tox - -.. note:: - - `tests/test_ldap.py` will fail if `apparmor_status` reports that - `/usr/sbin/slapd` is in enforce mode. - -.. note:: - - Setting `JENKINS_URL` instructs tox to run `[tox:jenkins]` instead - of the default `[tox]`. - -2. Run with code coverage:: - - $ pg_virtualenv tox < /dev/null - $ firefox htmlcov/index.html - -.. note:: - - When running from an interactive shell `< /dev/null` unsets - the `tty` tox sub-type and defines the `COVERAGE` variable. - -Update translations -=================== - -They are updated upstream before the releases to help keep the -vocabulary consistent. - -.. note:: - - The only exception would be a trivial fix such as a typo. - -The `.po` files can be updated as follows:: - - $ ./update-locales.sh - -Build the documentation -======================= - -1. Build:: - - $ pip install sphinx - $ sphinx-build -b html doc build/html - -2. Display:: - - $ firefox build/html/index.html diff --git a/doc/index.rst b/doc/index.rst deleted file mode 100644 index a2331f3f0..000000000 --- a/doc/index.rst +++ /dev/null @@ -1,50 +0,0 @@ -.. Authentic 2 documentation master file, created by - sphinx-quickstart on Thu Oct 13 09:53:03 2011. - You can adapt this file completely to your liking, but it should at least - contain the root `toctree` directive. - -=========================== -Authentic 2's documentation -=========================== - -Authentic 2 is a versatile identity management server aiming to address a -broad range of needs, from simple to complex setups; it has support for many -protocols and can bridge between them. - -Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID, -LDAP, X509 and OAUTH2. - -Authentic 2 is under the GNU AGPL version 3 licence. - -It has support for SAMLv2 thanks to `Lasso `_, -a free (GNU GPL) implementation of the Liberty Alliance and OASIS -specifications of SAML2. - -Consult current Authentic 2 activity on the `project site `_ - -If you don't find an explanation, you don't understand it or one is missing, -please report it on the list. - -.. toctree:: - :maxdepth: 1 - - overview - - installation - - configuration - - advanced - - development - - copyright - -This documentation is under the licence Creative Commons `CC BY-SA 2.0 `_. - -.. Indices and tables -.. ================== - -.. * :ref:`genindex` -.. * :ref:`modindex` -.. * :ref:`search` diff --git a/doc/installation.rst b/doc/installation.rst deleted file mode 100644 index 24e356fed..000000000 --- a/doc/installation.rst +++ /dev/null @@ -1,58 +0,0 @@ -.. _installation: - -===================================== -Installation and quickstart tutorials -===================================== - -You'll find here how to start and configure very quickly Authentic 2 for its -main features. You just need Python 2.7 and Django 1.5. - -First of all, you can boot Authentic vwithout root -privileges like this: - -1. Initialize a virtualenv:: - - virtualenv authentic - source ./authentic/bin/activate - cd authentic - -2. Install Authentic:: - - pip install authentic2 - -3. Initialize the database migrations:: - - authentic2-ctl syncdb --migrate - -4. Run the HTTP test server:: - - authentic2-ctl runserver - -Release cycle -------------- - -In addition to the installation from sources, Entr'ouvert maintains `Debian GNU/Linux packages `__ for Authentic that `follow the release cycle of Publik `__. - -Quickstart guides and installation guidelines ---------------------------------------------- - -.. toctree:: - :maxdepth: 1 - - - installation_modes - change_db - upgrading - deployment - -Quickstarts -___________ - -.. toctree:: - :maxdepth: 1 - - quick_oauth2_idp - quick_saml2_idp - quick_saml2_sp - quick_cas_idp - quick_ldap_backend diff --git a/doc/installation_modes.rst b/doc/installation_modes.rst deleted file mode 100644 index 0a5ddcb7b..000000000 --- a/doc/installation_modes.rst +++ /dev/null @@ -1,201 +0,0 @@ -.. _installation_modes: - -================== -Installation modes -================== - -The current version of Authentic 2 works with Python 2.7 and Django 1.5. - -Authentic 2 python installation script handles all the dependencies, -except Lasso, relying on the Setuptools and the pypi repository. - -To run Authentic 2 with SAML2 features, you need to install lasso >= 2.3.6, -see :ref:`install-lasso-ref`. - -The other Authentic 2 dependencies are: - -- Django>=1.7.6,<1.9 -- requests>=2. -- django-model-utils>=2 -- dnspython>=1.12 -- django-select2>=4.3.0 -- django-tables2>=1.0 -- gadjo>=0.6 -- django-import-export>=0.2.7,<=0.4.5 -- djangorestframework>=3.3 -- Markdown>=2.5 -- python-ldap - -Install Authentic 2: - -- :ref:`install-pypi-ref` -- :ref:`obtain-pypi-ref` -- :ref:`obtain-git-ref` - -.. _install-lasso-ref: - -Lasso installation ------------------- - -Lasso is available in the linux debian destribution repositories. If you are -installing Authentic 2 on debian, just execute :: - - apt-get install python-lasso - -You'll find more updated packages on http://deb.entrouvert.org/. - -We also provide rpm packages for redhat, see https://dev.entrouvert.org/redhat/README. - -You can also install lasso from sources http://lasso.entrouvert.org/download - -See the `Lasso website `_ for installation details. -This is a quick installation example. - -Install the following Lasso dependencies: - -- autoconf -- automake -- autotools-dev -- libtool -- gtk-doc-tools -- zlib1g-dev -- libglib2.0-dev -- openssl-dev -- libxml2-dev -- libxmlsec1-dev -- python2.6-dev -- python-setuptools - -Obtain Lasso:: - - $wget https://dev.entrouvert.org/lasso/lasso-2.3.6.tar.gz - $tar xzvf lasso-2.3.6.tar.gz - $cd lasso-2.3.6 - $./autogen.sh - -Be sure that the Python bindings is selected as follows:: - - ============= - Configuration - ============= - - Main - ---- - - Compiler: gcc - CFLAGS: - Install prefix: /usr/local - Debugging: no - Experimental ID-WSF: no - - Optionals builds - ---------------- - - Available languages: java(4.6.1) python(2.7) perl(5.12.4) - - Java binding: yes - Perl binding: yes - PHP 5 binding: no - Python binding: yes - - C API references: yes - Tests suite: no - - - Now type 'make install' to install lasso. - -As indicated, build and install:: - - $make install - $ldconfig - -Set the lasso python binding in you python path, e.g.:: - - $export PYTHONPATH="$PYTHONPATH:/usr/local/lib/python2.6/site-packages" - -Test trying to import Lasso:: - - $python - >>> import lasso - -.. _install-pypi-ref: - -Install Authentic directly from pypi ------------------------------------- - -Using pip:: - - pip install authentic2 - -You can now run Authentic from the installation directory:: - - ./authentic2-ctl syncdb --migrate - ./authentic2-ctl runserver - -You should see the following output:: - - Validating models... - 0 errors found - - Django version 1.5, using settings 'authentic.settings' - Development server is running at http://127.0.0.1:8000/ - Quit the server with CONTROL-C. - - You can access the running application on http://127.0.0.1:8000/ - -.. _obtain-pypi-ref: - -Obtain the last package archive from pypi ------------------------------------------ - -Download the archive on http://pypi.python.org/pypi/authentic2/. - -Then, you can install it directly from the archive using pip:: - - pip install authentic2-x.z.y.tar.gz - -You can now run Authentic from the installation directory, e.g.:: - - ./authentic2-ctl syncdb --migrate - ./authentic2-ctl runserver - -You should see the following output:: - - Validating models... - 0 errors found - - Django version 1.5, using settings 'authentic.settings' - Development server is running at http://127.0.0.1:8000/ - Quit the server with CONTROL-C. - - You can access the running application on http://127.0.0.1:8000/ - -.. _obtain-git-ref: - -Obtain the last sources from the Git repository ------------------------------------------------ - -Clone the repository:: - - git clone http://repos.entrouvert.org/authentic.git - -Then, you can install it directly using pip:: - - cd authentic - pip install -e . - -You can now run Authentic from the installation directory, e.g.:: - - ./authentic2-ctl syncdb --migrate - ./authentic2-ctl runserver - -You should see the following output:: - - Validating models... - 0 errors found - - Django version 1.5, using settings 'authentic.settings' - Development server is running at http://127.0.0.1:8000/ - Quit the server with CONTROL-C. - - You can access the running application on http://127.0.0.1:8000/ diff --git a/doc/overview.rst b/doc/overview.rst deleted file mode 100644 index e95e89402..000000000 --- a/doc/overview.rst +++ /dev/null @@ -1,58 +0,0 @@ -.. _overview: - -======== -Overview -======== - -Authentic 2 is a versatile identity management server aiming to address a -broad range of needs, from simple to complex setups; it has support for many -protocols and can bridge between them. - -Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID, -LDAP, X509 and OAUTH2. - -Authentic 2 is under the GNU AGPL version 3 licence. - -It has support for SAMLv2 thanks to `Lasso `_, -a free (GNU GPL) implementation of the Liberty Alliance and OASIS -specifications of SAML2. - -Authentic 2 requires Python 2.7 et Django 1.5. - -Features --------- - -* SAML 2.0 Identity and service provider -* OpenID 1.0 and 2.0 identity provider -* Server CAS 1.0 and 2.0 using a plugin -* Standards authentication mechanisms: - - * Login/password through internal directory or LDAP - * X509 certificate over SSL/TLS - -* Protocol proxying, for instance between OpenID and SAML -* Support of LDAP v2 and v3 directories -* Support of the PAM backend -* One-time password (OATH and Google-Authenticator) using a plugin -* Identity attribute management -* Plugin system - - -Source and issue tracker ------------------------- - -You can find on the project site authentic.entrouvert.org mainly the issue -tracker. - -You can find there a viewer of the git repository or clone it:: - - git clone http://repos.entrouvert.org/authentic.git - -Support -------- -Authentic's developpers and users hangs on the mailing list authentic@listes.entrouvert.com. -See archives or register at http://listes.entrouvert.com/info/authentic. - -You can open reports or feature request on http://authentic.entrouvert.org. - -Entr'ouvert also provides a commercial support. For information, visit http://www.entrouvert.com. diff --git a/doc/pictures/alias_in_source.png b/doc/pictures/alias_in_source.png deleted file mode 100644 index 448b718b1..000000000 Binary files a/doc/pictures/alias_in_source.png and /dev/null differ diff --git a/doc/pictures/alias_in_source_saved.png b/doc/pictures/alias_in_source_saved.png deleted file mode 100644 index 7fbff27fc..000000000 Binary files a/doc/pictures/alias_in_source_saved.png and /dev/null differ diff --git a/doc/pictures/attr_policy_filter_attributes.png b/doc/pictures/attr_policy_filter_attributes.png deleted file mode 100644 index a8cd24f79..000000000 Binary files a/doc/pictures/attr_policy_filter_attributes.png and /dev/null differ diff --git a/doc/pictures/attr_policy_filter_attributes_map.png b/doc/pictures/attr_policy_filter_attributes_map.png deleted file mode 100644 index 192dbe8d4..000000000 Binary files a/doc/pictures/attr_policy_filter_attributes_map.png and /dev/null differ diff --git a/doc/pictures/attr_policy_filter_attributes_source.png b/doc/pictures/attr_policy_filter_attributes_source.png deleted file mode 100644 index bb098c35d..000000000 Binary files a/doc/pictures/attr_policy_filter_attributes_source.png and /dev/null differ diff --git a/doc/pictures/attr_policy_filter_source.png b/doc/pictures/attr_policy_filter_source.png deleted file mode 100644 index d0637d73e..000000000 Binary files a/doc/pictures/attr_policy_filter_source.png and /dev/null differ diff --git a/doc/pictures/attr_policy_forward.png b/doc/pictures/attr_policy_forward.png deleted file mode 100644 index dcf16cd23..000000000 Binary files a/doc/pictures/attr_policy_forward.png and /dev/null differ diff --git a/doc/pictures/attr_policy_map_ns.png b/doc/pictures/attr_policy_map_ns.png deleted file mode 100644 index cf769746e..000000000 Binary files a/doc/pictures/attr_policy_map_ns.png and /dev/null differ diff --git a/doc/pictures/attr_source_idp.png b/doc/pictures/attr_source_idp.png deleted file mode 100644 index 869e8a166..000000000 Binary files a/doc/pictures/attr_source_idp.png and /dev/null differ diff --git a/doc/pictures/attr_source_idp_claims.png b/doc/pictures/attr_source_idp_claims.png deleted file mode 100644 index 3600793af..000000000 Binary files a/doc/pictures/attr_source_idp_claims.png and /dev/null differ diff --git a/doc/pictures/attr_source_idp_saved.png b/doc/pictures/attr_source_idp_saved.png deleted file mode 100644 index 8f46ab60a..000000000 Binary files a/doc/pictures/attr_source_idp_saved.png and /dev/null differ diff --git a/doc/pictures/attribute_item.png b/doc/pictures/attribute_item.png deleted file mode 100644 index 2061a6fba..000000000 Binary files a/doc/pictures/attribute_item.png and /dev/null differ diff --git a/doc/pictures/attribute_item_saved.png b/doc/pictures/attribute_item_saved.png deleted file mode 100644 index 059e95b04..000000000 Binary files a/doc/pictures/attribute_item_saved.png and /dev/null differ diff --git a/doc/pictures/attribute_list.png b/doc/pictures/attribute_list.png deleted file mode 100644 index 426321538..000000000 Binary files a/doc/pictures/attribute_list.png and /dev/null differ diff --git a/doc/pictures/attribute_list_saved.png b/doc/pictures/attribute_list_saved.png deleted file mode 100644 index e1f533ffa..000000000 Binary files a/doc/pictures/attribute_list_saved.png and /dev/null differ diff --git a/doc/pictures/attributes_consent.png b/doc/pictures/attributes_consent.png deleted file mode 100644 index 608335e2b..000000000 Binary files a/doc/pictures/attributes_consent.png and /dev/null differ diff --git a/doc/pictures/eo_logo.png b/doc/pictures/eo_logo.png deleted file mode 100644 index 2568e2342..000000000 Binary files a/doc/pictures/eo_logo.png and /dev/null differ diff --git a/doc/pictures/eo_logo_t.png b/doc/pictures/eo_logo_t.png deleted file mode 100644 index 54e966372..000000000 Binary files a/doc/pictures/eo_logo_t.png and /dev/null differ diff --git a/doc/pictures/error_no_idp_options.png b/doc/pictures/error_no_idp_options.png deleted file mode 100644 index 3e0b18d9d..000000000 Binary files a/doc/pictures/error_no_idp_options.png and /dev/null differ diff --git a/doc/pictures/error_no_sp_options.png b/doc/pictures/error_no_sp_options.png deleted file mode 100644 index 31ac5139e..000000000 Binary files a/doc/pictures/error_no_sp_options.png and /dev/null differ diff --git a/doc/pictures/federation_consent_idp.png b/doc/pictures/federation_consent_idp.png deleted file mode 100644 index e409540ea..000000000 Binary files a/doc/pictures/federation_consent_idp.png and /dev/null differ diff --git a/doc/pictures/federation_consent_sp.png b/doc/pictures/federation_consent_sp.png deleted file mode 100644 index 3e106169d..000000000 Binary files a/doc/pictures/federation_consent_sp.png and /dev/null differ diff --git a/doc/pictures/idp_options_all.png b/doc/pictures/idp_options_all.png deleted file mode 100644 index bb2b69c79..000000000 Binary files a/doc/pictures/idp_options_all.png and /dev/null differ diff --git a/doc/pictures/idp_options_default.png b/doc/pictures/idp_options_default.png deleted file mode 100644 index a0eb5122e..000000000 Binary files a/doc/pictures/idp_options_default.png and /dev/null differ diff --git a/doc/pictures/idp_options_regular.png b/doc/pictures/idp_options_regular.png deleted file mode 100644 index e78b9e163..000000000 Binary files a/doc/pictures/idp_options_regular.png and /dev/null differ diff --git a/doc/pictures/idp_options_regular_modify_sp.png b/doc/pictures/idp_options_regular_modify_sp.png deleted file mode 100644 index d00a1d82c..000000000 Binary files a/doc/pictures/idp_options_regular_modify_sp.png and /dev/null differ diff --git a/doc/pictures/idp_options_regular_saved.png b/doc/pictures/idp_options_regular_saved.png deleted file mode 100644 index f177a93c6..000000000 Binary files a/doc/pictures/idp_options_regular_saved.png and /dev/null differ diff --git a/doc/pictures/ldapsource.png b/doc/pictures/ldapsource.png deleted file mode 100644 index e0726eab0..000000000 Binary files a/doc/pictures/ldapsource.png and /dev/null differ diff --git a/doc/pictures/ldapsource_saved.png b/doc/pictures/ldapsource_saved.png deleted file mode 100644 index 5a84f29b8..000000000 Binary files a/doc/pictures/ldapsource_saved.png and /dev/null differ diff --git a/doc/pictures/new_saml2_idp_1.png b/doc/pictures/new_saml2_idp_1.png deleted file mode 100644 index 541c07875..000000000 Binary files a/doc/pictures/new_saml2_idp_1.png and /dev/null differ diff --git a/doc/pictures/new_saml2_idp_2.png b/doc/pictures/new_saml2_idp_2.png deleted file mode 100644 index 92448f98c..000000000 Binary files a/doc/pictures/new_saml2_idp_2.png and /dev/null differ diff --git a/doc/pictures/new_saml2_idp_saved.png b/doc/pictures/new_saml2_idp_saved.png deleted file mode 100644 index 47a9f2f7c..000000000 Binary files a/doc/pictures/new_saml2_idp_saved.png and /dev/null differ diff --git a/doc/pictures/new_saml2_sp_1.png b/doc/pictures/new_saml2_sp_1.png deleted file mode 100644 index d85d56b3a..000000000 Binary files a/doc/pictures/new_saml2_sp_1.png and /dev/null differ diff --git a/doc/pictures/new_saml2_sp_2.png b/doc/pictures/new_saml2_sp_2.png deleted file mode 100644 index 2013c5e52..000000000 Binary files a/doc/pictures/new_saml2_sp_2.png and /dev/null differ diff --git a/doc/pictures/new_saml2_sp_saved.png b/doc/pictures/new_saml2_sp_saved.png deleted file mode 100644 index d95a2f3c4..000000000 Binary files a/doc/pictures/new_saml2_sp_saved.png and /dev/null differ diff --git a/doc/pictures/policy_pull.png b/doc/pictures/policy_pull.png deleted file mode 100644 index e3059e681..000000000 Binary files a/doc/pictures/policy_pull.png and /dev/null differ diff --git a/doc/pictures/policy_pull_renamed.png b/doc/pictures/policy_pull_renamed.png deleted file mode 100644 index 61c78950f..000000000 Binary files a/doc/pictures/policy_pull_renamed.png and /dev/null differ diff --git a/doc/pictures/policy_pull_saved.png b/doc/pictures/policy_pull_saved.png deleted file mode 100644 index d970d3c9e..000000000 Binary files a/doc/pictures/policy_pull_saved.png and /dev/null differ diff --git a/doc/pictures/slo_idp_options_activated.png b/doc/pictures/slo_idp_options_activated.png deleted file mode 100644 index 730fb5344..000000000 Binary files a/doc/pictures/slo_idp_options_activated.png and /dev/null differ diff --git a/doc/pictures/slo_idp_options_deactivated.png b/doc/pictures/slo_idp_options_deactivated.png deleted file mode 100644 index 6d96f5c6a..000000000 Binary files a/doc/pictures/slo_idp_options_deactivated.png and /dev/null differ diff --git a/doc/pictures/slo_sp_options_activated.png b/doc/pictures/slo_sp_options_activated.png deleted file mode 100644 index cb0ecd15e..000000000 Binary files a/doc/pictures/slo_sp_options_activated.png and /dev/null differ diff --git a/doc/pictures/slo_sp_options_deactivated.png b/doc/pictures/slo_sp_options_deactivated.png deleted file mode 100644 index 3c232d16d..000000000 Binary files a/doc/pictures/slo_sp_options_deactivated.png and /dev/null differ diff --git a/doc/pictures/sp_options_all.png b/doc/pictures/sp_options_all.png deleted file mode 100644 index 85748be32..000000000 Binary files a/doc/pictures/sp_options_all.png and /dev/null differ diff --git a/doc/pictures/sp_options_default.png b/doc/pictures/sp_options_default.png deleted file mode 100644 index b748a4896..000000000 Binary files a/doc/pictures/sp_options_default.png and /dev/null differ diff --git a/doc/pictures/sp_options_default_saved.png b/doc/pictures/sp_options_default_saved.png deleted file mode 100644 index de69c1e46..000000000 Binary files a/doc/pictures/sp_options_default_saved.png and /dev/null differ diff --git a/doc/pictures/sp_options_regular.png b/doc/pictures/sp_options_regular.png deleted file mode 100644 index 2e13ad159..000000000 Binary files a/doc/pictures/sp_options_regular.png and /dev/null differ diff --git a/doc/pictures/sp_options_regular_modify_sp.png b/doc/pictures/sp_options_regular_modify_sp.png deleted file mode 100644 index 47010a4c8..000000000 Binary files a/doc/pictures/sp_options_regular_modify_sp.png and /dev/null differ diff --git a/doc/pictures/sp_options_regular_saved.png b/doc/pictures/sp_options_regular_saved.png deleted file mode 100644 index 6c38fe71c..000000000 Binary files a/doc/pictures/sp_options_regular_saved.png and /dev/null differ diff --git a/doc/pictures/sp_policy_pull.png b/doc/pictures/sp_policy_pull.png deleted file mode 100644 index 43881a5eb..000000000 Binary files a/doc/pictures/sp_policy_pull.png and /dev/null differ diff --git a/doc/pictures/sp_policy_pull_saved.png b/doc/pictures/sp_policy_pull_saved.png deleted file mode 100644 index cf933b937..000000000 Binary files a/doc/pictures/sp_policy_pull_saved.png and /dev/null differ diff --git a/doc/pictures/update_metadata.png b/doc/pictures/update_metadata.png deleted file mode 100644 index a53b35eec..000000000 Binary files a/doc/pictures/update_metadata.png and /dev/null differ diff --git a/doc/pictures/update_metadata_done.png b/doc/pictures/update_metadata_done.png deleted file mode 100644 index a94cc296f..000000000 Binary files a/doc/pictures/update_metadata_done.png and /dev/null differ diff --git a/doc/pictures/user_profile_source.png b/doc/pictures/user_profile_source.png deleted file mode 100644 index f1ba1626f..000000000 Binary files a/doc/pictures/user_profile_source.png and /dev/null differ diff --git a/doc/pictures/user_profile_source_saved.png b/doc/pictures/user_profile_source_saved.png deleted file mode 100644 index 3cc93a736..000000000 Binary files a/doc/pictures/user_profile_source_saved.png and /dev/null differ diff --git a/doc/quick_cas_idp.rst b/doc/quick_cas_idp.rst deleted file mode 100644 index ba15dca10..000000000 --- a/doc/quick_cas_idp.rst +++ /dev/null @@ -1,23 +0,0 @@ -.. _quick_cas_idp: - -================================== -Quickstart a CAS Identity Provider -================================== - -1. Activate CAS IdP support in your local_settings.py:: - - A2_IDP_CAS_ENABLE = True - -2. Then create the database table to hold CAS service tickets:: - - authentic2-ctl syncdb --all - authentic2-ctl migrate --fake - -2. Also configure authentic2 to authenticate against your LDAP directory (see - above) if your want your user attributes to be accessible from your service, - if it is not necessary you can use the normal relational database storage - for you users. - -3. Finally configure your service to point to the CAS endpoint at:: - - http[s]://your.domain.com/idp/cas/ diff --git a/doc/quick_ldap_backend.rst b/doc/quick_ldap_backend.rst deleted file mode 100644 index 118560857..000000000 --- a/doc/quick_ldap_backend.rst +++ /dev/null @@ -1,61 +0,0 @@ -.. _quick_ldap_backend: - -====================================== -Quickstart to connect a LDAP Directory -====================================== - -Authentic use the module django_auth_ldap to synchronize the Django user tables -with an LDAP. For complex use case, we will refer you to the django_auth_ldap -documentation, see http://packages.python.org/django-auth-ldap/. - -How to authenticate users against an LDAP server with anonymous binding ? -------------------------------------------------------------------------- - -1. Install the django_auth_ldap module for Django, for this you need - python-ldap, python-ldap needs python developement headers to be installed - but is usually packaged by most distributions:: - - pip install django_auth_ldap - - -2. Configure your local_settings.py file for authenticating against LDAP. - The next lines must be added:: - - AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', ) - - import ldap - from django_auth_ldap.config import LDAPSearch - - # Here put the LDAP URL of your server - AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com' - # Let the bind DN and bind password blank for anonymous binding - AUTH_LDAP_BIND_DN = "" - AUTH_LDAP_BIND_PASSWORD = "" - # Lookup user under the branch o=base and by mathcing their uid against the - # received login name - AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base", - ldap.SCOPE_SUBTREE, "(uid=%(user)s)") - -How to allow members of an LDAP group to manage Authentic ? ------------------------------------------------------------ - -1. First you must know the objectClass of groups in your LDAP schema, this FAQ - will show you the configuration for two usual classes: groupOfNames and - groupOfUniqueNames. - -2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany - -3. Add the following lines:: - - from django_auth_ldap.config import GroupOfNamesType - AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() - AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany", - ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)") - AUTH_LDAP_USER_FLAGS_BY_GROUP = { - "is_staff": "cn=admin,o=mycompany" - } - -For an objectClass of groupOfUniqueNames you would change the string -GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to -groupOfUniqueNames. For more complex cases see the django_auth_ldap -documentation. diff --git a/doc/quick_oauth2_idp.rst b/doc/quick_oauth2_idp.rst deleted file mode 100644 index c93c41f19..000000000 --- a/doc/quick_oauth2_idp.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. _quick_oauth2_idp: - -====================================== -Quickstart an OAuth2 Identity Provider -====================================== - -This section has to be done. If you need it now, say it on the issue tracker : - -https://dev.entrouvert.org/issues/6053 diff --git a/doc/quick_saml2_idp.rst b/doc/quick_saml2_idp.rst deleted file mode 100644 index 63c709416..000000000 --- a/doc/quick_saml2_idp.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. _quick_saml2_idp: - -===================================== -Quickstart an SAML2 Identity Provider -===================================== - -This section has to be done. If you need it now, say it on the issue tracker : - -https://dev.entrouvert.org/issues/6057 diff --git a/doc/quick_saml2_sp.rst b/doc/quick_saml2_sp.rst deleted file mode 100644 index fbe47495f..000000000 --- a/doc/quick_saml2_sp.rst +++ /dev/null @@ -1,22 +0,0 @@ -.. _quick_saml2_sp: - -===================================================== -Quickstart a connection with a SAML2 Service Provider -===================================================== - -1. Get the Identity Provider SAML2 metadata file - -:: - - http[s]://your.domain.com/idp/saml2/metadata - -2. Configure your service provider with it. - -3. Go to the providers admin panel on - -:: - - http[s]://admin/saml/libertyprovider/add/ - -There create a new provider using the service provider metadata and enable it -as a service provider. diff --git a/doc/saml2_slo.rst b/doc/saml2_slo.rst deleted file mode 100644 index d7bb10767..000000000 --- a/doc/saml2_slo.rst +++ /dev/null @@ -1,168 +0,0 @@ -.. _saml2_slo: - -======================================= -Single Logout Management in Authentic 2 -======================================= - -Explanation -=========== - -Authentic 2 implements the single logout profile of SAML2 (SLO). Single Logout is -used to realise to close user session on distributed applications. The Single -Logout is managed by the IdP. However, its exists many profiles all supported -by Authentic 2: - -- SLO IdP initiated by SOAP -- SLO IdP initiated by Redirect -- SLO SP initiated by SOAP -- SLO SP initiated by Redirect - -Then, Authentic 2 acting as an IdP but also as a SP (for proxying), a -logout request can be received from: - -- the logout button on the user interface; -- a service provider; -- a third identity provider. - -The configuration by policy allows to refuse SLO request coming from a SP or -an IdP. - -**The the SLO request is accepted or comes from the user interface, at the end -of the process the local session on Authentic 2 will always be closed.** - -During the process of treatment of the logout request, when the logout request -comes from a SP, if the local session was established through a third SAML2 IdP, -Authentic 2 sends it a logout request (SLO proxying). Then, Authentic 2 -sends logout resuests to all service providers with an active session but the -requesting service provider. - -During the process of treatment of the logout request, when the logout request -comes from an IdP, Authentic 2 sends logout resuests to all service providers -with an active session. - -The configuration by policy allows to select which IdP and SP to logout -forwarding is done. - -**Note:** When a logout request comes from an IdP, the logout request is always -forwarded by soap to the service providers. - -**Note:** When a logout request comes from an SP: -- if done by SOAP, the logout request is always forwarded by soap to the -identity provider and service providers. -- if done by Redirect, the logout request is forwarded to the -identity provider according to the idp options policy and to the service -providers according to their metadata. - -**Note:** When a logout request comes from the user interface, the logout -request is forwarded to the identity provider according to the idp options -policy and to the service providers according to their metadata. - - -**Note:** To make the SLO works, a policy must be found for the -source or the desitnation of the logout request. By default, when creating a -sp options policy or an IdP options policy the SLO is accepted and forwarded. - -See the *administration with policy principle* page :ref:`administration_with_policies`. - -How to know if a service provider supports the logout request? -============================================================== - -Look for the following elements in the service provider metadata: - -- Redirect binding:: - - - -- SOAP binding:: - - - -How to know if an identity provider supports the logout request? -================================================================ - -Look for the following elements in the identity provider metadata: - -- Redirect binding:: - - - -- SOAP binding:: - - - - -How activate the SLO? -===================== - -No activation is required. However it is required a policy be found for the -source or the desitnation of the logout request. - -The sp options policy or idp options policy that applies has parameters to -indicate if the sp or idp which the policy applies is allowed to send and -receive logout requests. - -Then, create the 'default' options policy and check the both options -*Accept to receive Single Logout requests* and *Forward Single Logout requests* as follows: - -.. image:: pictures/slo_sp_options_activated.png - :width: 800 px - :align: center - -.. image:: pictures/slo_idp_options_activated.png - :width: 800 px - :align: center - - -How deactivate the SLO? -======================= - -There is no real deactivation process. When it is possible and authorized, -Authentic 2 send logout requests when a logout request is received. - -If an options policy is not found for the source or the destination of the -logout request, the logout requests are not accepted nor forwarded. - -However it is not the right way. The best is to create the 'all' options -policies with the options *Accept to receive Single Logout requests* and *Forward Single Logout requests* unchecked as follows: - -.. image:: pictures/slo_sp_options_deactivated.png - :width: 800 px - :align: center - -.. image:: pictures/slo_idp_options_deactivated.png - :width: 800 px - :align: center - -Take care that the 'all' policies are authoritative. To desactivate the SLO -but for particular providers, the best is to unchecked these options on the -'default' options policies and apply regular policies to those particular -providers. - -How refuse SLO from an identity provider? -========================================= - -Uncheck the option *Accept to receive Single Logout requests* of the policy that applies to that identity -provider. - -How refuse SLO from a service provider? -======================================= - -Uncheck the option *Accept to receive Single Logout requests* of the policy that applies to that service -provider. - -How indicate identity providers to not forward logout request? -============================================================== - -Uncheck the option *Forward Single Logout requests* of the policies that applies to the identity -providers logout requests must not be forwarded. - -How indicate service providers to not forward logout request? -============================================================= - -Uncheck the option *Forward Single Logout requests* of the policies that applies to the service -providers logout requests must not be forwarded. - -How do manage the SLO without closing the local session? -======================================================== - -Not implemented. diff --git a/doc/settings.rst b/doc/settings.rst deleted file mode 100644 index 7a17d3a64..000000000 --- a/doc/settings.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. _settings: - -=============================== -Works with authentic 2 settings -=============================== - -This section has to be done. If you need it now, say it on the issue tracker : - -https://dev.entrouvert.org/issues/6047 diff --git a/doc/settings_listing.rst b/doc/settings_listing.rst deleted file mode 100644 index 030060c4b..000000000 --- a/doc/settings_listing.rst +++ /dev/null @@ -1,97 +0,0 @@ -.. _settings_listing: - -============ -All settings -============ - -Activate or deactivate debug mode -================================= - -Variable: DEBUG - -Values: - -* False: deactivate debug mode -* True: activate debug mode - -Manage session cookie duration -============================== - -Variable: SESSION_EXPIRE_AT_BROWSER_CLOSE - -Values: - -* False: Cookies are not removed when browser is closed. -* True: Cookies are removed when browser is closed. - -Variable: SESSION_COOKIE_AGE - -Value: - -* Seconds (36000 equal 10 hours) - -Time zone selection -=================== - -Variable: TIME_ZONE - -Values: - -* See http://en.wikipedia.org/wiki/List_of_tz_zones_by_name - -Activate or deactivate SSL authentication -========================================= - -Variable: AUTH_SSL - -Values: - -* False: deactivate SSL authentication -* True: activate SSL authentication - -Activate or deactivate OpenID authentication, Authentic 2 is an OpenID relying party -==================================================================================== - -Variable: AUTH_OPENID - -Values: - -* False: deactivate OpenID authentication -* True: activate OpenID authentication - -Activate or deactivate Authentic 2 as a SAML2 identity provider -=============================================================== - -Variable: IDP_SAML2 - -Values: - -* False: deactivate SAML2 identity provider -* True: activate SAML2 identity provider - -Configure SAML2 keys -==================== - -* SAML_SIGNATURE_PUBLIC_KEY: Certtificate or public key for signature -* SAML_SIGNATURE_PRIVATE_KEY: Private key for signature -* SAML_ENCRYPTION_PUBLIC_KEY: Certtificate or public key for encryption -* SAML_ENCRYPTION_PRIVATE_KEY: Private key for encryption - -Values are pem files of X509 certificate or key, e.g.: -SAML_SIGNATURE_PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY----- -MII...WA== ------END RSA PRIVATE KEY-----''' - -If SAML_ENCRYPTION_PUBLIC_KEY or SAML_ENCRYPTION_PRIVATE_KEY are not given, -the signature keys are used for encryption. - - -Activate or deactivate Authentic 2 as a CAS server -================================================== - -Variable: IDP_CAS - -Values: - -* False: deactivate CAS server -* True: activate CAS server diff --git a/doc/sync-metadata_script.rst b/doc/sync-metadata_script.rst deleted file mode 100644 index 4a1188760..000000000 --- a/doc/sync-metadata_script.rst +++ /dev/null @@ -1,192 +0,0 @@ -.. _sync-metadata_script: - -=========================================================================================================== -How to create/import and delete in bulk SAML2 identity and service providers with the sync-metadata script? -=========================================================================================================== - -This section explains hot to use the script sync-metadata. - -Presentation -============ - -This script allows to create/import and deleted in bulk SAML2 identity and -service providers using standard SAML2 metadata files containing entity -descriptors. - -An example of such a file used in production is the global metadata file of -the identity federation of French universities that can be found at http://... - -Use the following command:: - - path_to_project/authentic2$ python manage.py sync-metadata file_name [options] - -Configuration of attributes -=========================== - -If a service provider has AttributeConsumingService nodes in its -SPSSODescriptor then we create an attribute declaration for each declared -attribute. If the attribute is optional, the attribute declaration is created -disabled. - -Currently it only supports the LDAP and the LDAP attribute profile of SAML, -i.e. SAML attribute names must be LDAP attributes oid, the NameFormat must be -URI, and an LDAP server must declared so that LDAP attributes can be resolved. -Authentic2 contains a databases of the more common LDAP schemas to help the -resolution of attributes OIDs. - -Example of an AttributeConsumingService node:: - - - Université Paris 1 - cours en ligne - - Cours en ligne de l'université - Paris 1 Panthéon - Sorbonne (LMS Moodle) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -If you do not want the attribute declarations to be automatically created pass -the option `--dont-load-attribute-consuming-service` to the `sync-metadata` command. - -Options -======= - -* idp - - Load only identity providers of the metadata file. - -* sp - - Load only service providers of the metadata file. - -* source - - Used to tag all imported providers with a label. This option is used to - metadata reloading and deletion in bulk. - - Reloading a metadata file, when a provider with same entity is found, it is - updated. If a provider in the metadata file does not exist it is created. - If a provider exists in the system but not in the metadata file, it is - removed. - - **For reloading, a source can only be associated with a unique metadata - file. This is due to the fact that all providers of a source not found in - the metadata file are removed.** :: - - path_to_project/authentic2$ python manage.py sync-metadata file_name --source=french_federation - -* sp-policy - - To configure the SAML2 parameters of service providers imported with the - script, a policy of type SPOptionsIdPPolicy must be created in the - the administration interface. - Either it is a global policy 'Default' or 'All' or it is a regular policy. - If it is a regular policy, the policy name can be specified in parameter - of the script with this option. - The policy is then associated to all service providers created. - -:: - - path_to_project/authentic2$ python manage.py sync-metadata file_name --sp-policy=sp_policy_name - -* idp-policy - - To configure the SAML2 parameters of identity providers imported with the - script, a policy of type IdPOptionsSPPolicy must be created in the - the administration interface. - Either it is a global policy 'Default' or 'All' or it is a regular policy. - If it is a regular policy, the policy name can be specified in parameter - of the script with this option. - The policy is then associated to all service providers created. - - :: - - path_to_project/authentic2$ python manage.py sync-metadata file_name --idp-policy=idp_policy_name - -* delete - - With no options, all providers are deleted. - - With the source option, only providers with the source name given are deleted. - - **This option can not be combined with options idp and sp.** - -* ignore-errors - - If loading of one EntityDescriptor fails, continue loading - -* reset-atributes - - When loading shibboleth attribute filter policies, start by removing all - existing SAML attributes for each provider, beware that it will delete any - customization of the attribute policy for each service provider. - -* dont-load-attribute-consuming-service - - Prevent loading of the attribute policy from AttributeConsumingService nodes - in the metadata file. - -* shibboleth-attribute-filter-policy - - Path to a file containing an Attribute Filter Policy for the - Shibboleth IdP, that will be used to configure SAML attributes for - each provider. The following schema is supported:: - - - - [ - - - - ]* - - - Any other kind of attribute filter policy is unsupported. diff --git a/doc/translation.rst b/doc/translation.rst deleted file mode 100644 index eae86578c..000000000 --- a/doc/translation.rst +++ /dev/null @@ -1,9 +0,0 @@ -.. _translation: - - -Compiling translations -====================== - -Translations must compiled to be useful, to do that run the following command:: - - ./setup.py compile_translations diff --git a/doc/upgrading.rst b/doc/upgrading.rst deleted file mode 100644 index 301553777..000000000 --- a/doc/upgrading.rst +++ /dev/null @@ -1,17 +0,0 @@ -.. _upgrading: - -========= -Upgrading -========= - -Update using pip:: - - pip install -U authentic2 - -Authentic store all its data in a relational database as specified in its -settings.py or local_settings.py file. So in order to upgrade to a new version -of authentic you have to update your database schema using the -migration command — you will need to have installed the dependency django-south, -see the beginning of this README file.:: - - authentic2-ctl syncdb --migrate diff --git a/doc/where_metadata.rst b/doc/where_metadata.rst deleted file mode 100644 index 626a5be04..000000000 --- a/doc/where_metadata.rst +++ /dev/null @@ -1,18 +0,0 @@ -.. _where_metadata: - -=============================================== -Where do I find the Authentic 2 SAML2 metadata? -=============================================== - -The SAML2 metadata are automatically generated. - -**Authentic 2 will infer from environment variables the host and port to -generate the URLs contained in the medatada.** - -The metadata of Authentic 2 SAML2 identity provider are available at: - - http[s]://your.domain.com/idp/saml2/metadata - -The metadata of Authentic 2 SAML2 service provider are available at: - - http[s]://your.domain.com/authsaml2/metadata