rug-website/rugwebsite/management/commands/settings_template.py



AUTHENTICATION_BACKENDS = [
    'django_saml2_pro_auth.auth.Backend'
]

# identifier for SAML to the service provider.
ENTITY_ID = '{entity_id}'

# Important to make sure redirects and such work properly
BASE_URL = '{base_url}'

# This support information is used for the SAML2 service provider contact information
TECHNICAL_NAME = '{technical_name}'
TECHNICAL_EMAIL = '{technical_email}'
SUPPORT_NAME = '{support_name}'
SUPPORT_EMAIL = '{support_email}'

ORGANISATION = '{organisation}'
ORGANISATION_UNIT = '{organisation_unit}'


SAML_ROUTE = BASE_URL + 'sso/saml/'
# redirection after successful SAML2 login
SAML_REDIRECT = BASE_URL + '/'

# Mapping used to move the SAML2 attributes to the django-auth user database
SAML_USERS_MAP = [{{
  "RuG": {{
    "email": dict(key="urn:mace:dir:attribute-def:mail", index=0),
    "username": dict(key="urn:mace:dir:attribute-def:uid", index=0),
    "first_name": dict(key="urn:mace:dir:attribute-def:gn", index=0),
    "last_name": dict(key="urn:mace:dir:attribute-def:sn", index=0),
  }}
}}]

#Private key stripped from the ---BEGIN ... and ---END ... part
PRIVATE_KEY = """{private_key}"""

# Idem for the certificate
X509 = """{x509}"""

# RuG metadata url, should not change unless you want another service  provider.
SAML_PROVIDER_METADATA_URL = 'https://tst-idp.id.rug.nl/nidp/saml2/metadata'

#Code to get the RuG identity provider certificate
import sys
from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
if sys.version_info[0] == 2:
    import urllib  # python 2
else:
    assert sys.version_info[0] == 3
    import urllib.request as urllib  # python 3

with urllib.urlopen(SAML_PROVIDER_METADATA_URL) as u:
    RUG_PROVIDER_METADATA = u.read()
    RUG_PROVIDER_X509CERT = OneLogin_Saml2_XML.query(
        OneLogin_Saml2_XML.to_etree(RUG_PROVIDER_METADATA),
        '/md:EntityDescriptor/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    )

    assert len(RUG_PROVIDER_X509CERT) > 0, "Excepted a X509 RUG Provider Certificate"
    assert len(RUG_PROVIDER_X509CERT) == 1, "Excepted no more than 1 X509 RUG Provider Certificate"
    RUG_PROVIDER_X509CERT = RUG_PROVIDER_X509CERT[0].text.strip()


# Construction of the service provider metadata.
SAML_PROVIDERS = [{{
    "RuG": {{
        "strict": True,
        "debug": True,
        "custom_base_path": "",
        "sp": {{
            "entityId": ENTITY_ID,
            "assertionConsumerService": {{
                "url": BASE_URL + "/sso/saml/?provider=RuG&amp;acs",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            }},
            "singleLogoutService": {{
                "url": BASE_URL + "/sso/saml/?provider=RuG",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            }},
            "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            "x509cert": X509,
            "privateKey": PRIVATE_KEY,
        }},
        "idp": {{
            "entityId": "https://tst-idp.id.rug.nl/nidp/saml2/metadata",
            "singleSignOnService": {{
                "url": "https://tst-idp.id.rug.nl/nidp/saml2/sso",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            }},
            "singleLogoutService": {{
                "url": "https://tst-idp.id.rug.nl/nidp/saml2/spslo",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            }},
            "x509cert": RUG_PROVIDER_X509CERT,
        }},
        "organization": {{
            "en-US": {{
                "name": ORGANISATION,
                "displayname": ORGANISATION + " / " + ORGANISATION_UNIT,
                "url": BASE_URL
            }}
        }},
        "contact_person": {{
            "technical": {{
                "given_name": TECHNICAL_NAME,
                "email_address": TECHNICAL_EMAIL
            }},
            "support": {{
                "given_name": SUPPORT_NAME,
                "email_address": SUPPORT_EMAIL
            }}
        }},
        "security": {{
            "requestedAuthnContext": False,
            "name_id_encrypted": False,
            "authn_requests_signed": True,
            "logout_requests_signed": False,
            "logout_response_signed": False,
            "sign_metadata": False,
            "want_messages_signed": False,
            "want_assertions_signed": True,
            "want_name_id": True,
            "want_name_id_encrypted": False,
            "want_assertions_encrypted": True,
            "signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
            "digest_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        }}
    }}
}}]
create settings 2017-11-28 10:55:28 +01:00

			`AUTHENTICATION_BACKENDS = [`
			`'django_saml2_pro_auth.auth.Backend'`
			`]`

			`# identifier for SAML to the service provider.`
			`ENTITY_ID = '{entity_id}'`

			`# Important to make sure redirects and such work properly`
			`BASE_URL = '{base_url}'`

			`# This support information is used for the SAML2 service provider contact information`
			`TECHNICAL_NAME = '{technical_name}'`
			`TECHNICAL_EMAIL = '{technical_email}'`
			`SUPPORT_NAME = '{support_name}'`
			`SUPPORT_EMAIL = '{support_email}'`

			`ORGANISATION = '{organisation}'`
create settings 2017-11-28 15:02:59 +01:00			`ORGANISATION_UNIT = '{organisation_unit}'`
create settings 2017-11-28 10:55:28 +01:00

			`SAML_ROUTE = BASE_URL + 'sso/saml/'`
			`# redirection after successful SAML2 login`
			`SAML_REDIRECT = BASE_URL + '/'`

			`# Mapping used to move the SAML2 attributes to the django-auth user database`
			`SAML_USERS_MAP = [{{`
			`"RuG": {{`
			`"email": dict(key="urn:mace:dir:attribute-def:mail", index=0),`
			`"username": dict(key="urn:mace:dir:attribute-def:uid", index=0),`
			`"first_name": dict(key="urn:mace:dir:attribute-def:gn", index=0),`
			`"last_name": dict(key="urn:mace:dir:attribute-def:sn", index=0),`
			`}}`
			`}}]`

			`#Private key stripped from the ---BEGIN ... and ---END ... part`
			`PRIVATE_KEY = """{private_key}"""`

			`# Idem for the certificate`
			`X509 = """{x509}"""`

			`# RuG metadata url, should not change unless you want another service provider.`
			`SAML_PROVIDER_METADATA_URL = 'https://tst-idp.id.rug.nl/nidp/saml2/metadata'`

			`#Code to get the RuG identity provider certificate`
			`import sys`
			`from onelogin.saml2.xml_utils import OneLogin_Saml2_XML`
			`if sys.version_info[0] == 2:`
			`import urllib # python 2`
			`else:`
			`assert sys.version_info[0] == 3`
			`import urllib.request as urllib # python 3`

			`with urllib.urlopen(SAML_PROVIDER_METADATA_URL) as u:`
			`RUG_PROVIDER_METADATA = u.read()`
			`RUG_PROVIDER_X509CERT = OneLogin_Saml2_XML.query(`
			`OneLogin_Saml2_XML.to_etree(RUG_PROVIDER_METADATA),`
			`'/md:EntityDescriptor/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate'`
			`)`

			`assert len(RUG_PROVIDER_X509CERT) > 0, "Excepted a X509 RUG Provider Certificate"`
			`assert len(RUG_PROVIDER_X509CERT) == 1, "Excepted no more than 1 X509 RUG Provider Certificate"`
			`RUG_PROVIDER_X509CERT = RUG_PROVIDER_X509CERT[0].text.strip()`


			`# Construction of the service provider metadata.`
			`SAML_PROVIDERS = [{{`
			`"RuG": {{`
			`"strict": True,`
			`"debug": True,`
			`"custom_base_path": "",`
			`"sp": {{`
			`"entityId": ENTITY_ID,`
			`"assertionConsumerService": {{`
			`"url": BASE_URL + "/sso/saml/?provider=RuG&acs",`
			`"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"`
			`}},`
			`"singleLogoutService": {{`
			`"url": BASE_URL + "/sso/saml/?provider=RuG",`
			`"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"`
			`}},`
			`"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",`
			`"x509cert": X509,`
			`"privateKey": PRIVATE_KEY,`
			`}},`
			`"idp": {{`
			`"entityId": "https://tst-idp.id.rug.nl/nidp/saml2/metadata",`
			`"singleSignOnService": {{`
			`"url": "https://tst-idp.id.rug.nl/nidp/saml2/sso",`
			`"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"`
			`}},`
			`"singleLogoutService": {{`
			`"url": "https://tst-idp.id.rug.nl/nidp/saml2/spslo",`
			`"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"`
			`}},`
			`"x509cert": RUG_PROVIDER_X509CERT,`
			`}},`
			`"organization": {{`
			`"en-US": {{`
			`"name": ORGANISATION,`
readme 2017-11-28 15:39:28 +01:00			`"displayname": ORGANISATION + " / " + ORGANISATION_UNIT,`
create settings 2017-11-28 10:55:28 +01:00			`"url": BASE_URL`
			`}}`
			`}},`
			`"contact_person": {{`
			`"technical": {{`
			`"given_name": TECHNICAL_NAME,`
			`"email_address": TECHNICAL_EMAIL`
			`}},`
			`"support": {{`
			`"given_name": SUPPORT_NAME,`
			`"email_address": SUPPORT_EMAIL`
			`}}`
			`}},`
			`"security": {{`
			`"requestedAuthnContext": False,`
			`"name_id_encrypted": False,`
			`"authn_requests_signed": True,`
			`"logout_requests_signed": False,`
			`"logout_response_signed": False,`
			`"sign_metadata": False,`
			`"want_messages_signed": False,`
			`"want_assertions_signed": True,`
			`"want_name_id": True,`
			`"want_name_id_encrypted": False,`
			`"want_assertions_encrypted": True,`
			`"signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",`
			`"digest_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",`
			`}}`
			`}}`
			`}}]`