AUTHENTICATION_BACKENDS = [ 'django_saml2_pro_auth.auth.Backend' ] # identifier for SAML to the service provider. ENTITY_ID = '{entity_id}' # Important to make sure redirects and such work properly BASE_URL = '{base_url}' # This support information is used for the SAML2 service provider contact information TECHNICAL_NAME = '{technical_name}' TECHNICAL_EMAIL = '{technical_email}' SUPPORT_NAME = '{support_name}' SUPPORT_EMAIL = '{support_email}' ORGANISATION = '{organisation}' SAML_ROUTE = BASE_URL + 'sso/saml/' # redirection after successful SAML2 login SAML_REDIRECT = BASE_URL + '/' # Mapping used to move the SAML2 attributes to the django-auth user database SAML_USERS_MAP = [{{ "RuG": {{ "email": dict(key="urn:mace:dir:attribute-def:mail", index=0), "username": dict(key="urn:mace:dir:attribute-def:uid", index=0), "first_name": dict(key="urn:mace:dir:attribute-def:gn", index=0), "last_name": dict(key="urn:mace:dir:attribute-def:sn", index=0), }} }}] #Private key stripped from the ---BEGIN ... and ---END ... part PRIVATE_KEY = """{private_key}""" # Idem for the certificate X509 = """{x509}""" # RuG metadata url, should not change unless you want another service provider. 
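SAML_PROVIDER_METADATA_URL = 'https://tst-idp.id.rug.nl/nidp/saml2/metadata'

# Code to get the RuG identity provider certificate.
#
# The IdP signing certificate is taken from the metadata document fetched
# here at import time, so this download is the trust anchor for every SAML
# assertion this SP will accept. It must go over HTTPS (TLS server
# authentication is the only thing vouching for the metadata) and any failure
# must abort settings loading rather than leave a missing or wrong
# certificate behind. Plain `assert` was used for that before, but asserts
# are stripped under `python -O`, so explicit exceptions are raised instead.
import sys
from contextlib import closing
from onelogin.saml2.xml_utils import OneLogin_Saml2_XML

try:
    from urllib.request import urlopen  # python 3
except ImportError:
    from urllib2 import urlopen  # python 2 (urllib.urlopen has no timeout)

if not SAML_PROVIDER_METADATA_URL.startswith('https://'):
    raise RuntimeError(
        "SAML_PROVIDER_METADATA_URL must be an https URL, got %r"
        % (SAML_PROVIDER_METADATA_URL,))

# Bounded timeout: without one an unreachable IdP hangs process start-up.
# NOTE(review): this relies on urlopen verifying the server certificate
# (default on current Python 3); confirm no SSL context elsewhere disables it.
with closing(urlopen(SAML_PROVIDER_METADATA_URL, timeout=30)) as u:
    RUG_PROVIDER_METADATA = u.read()

RUG_PROVIDER_X509CERT = OneLogin_Saml2_XML.query(
    OneLogin_Saml2_XML.to_etree(RUG_PROVIDER_METADATA),
    '/md:EntityDescriptor/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
)
# NOTE(review): this XPath reads the certificate from the metadata's own
# signature block, not from md:IDPSSODescriptor/md:KeyDescriptor[@use='signing'].
# If the IdP ever signs its metadata with a different key than its
# assertions, every login will fail signature validation; confirm with the
# IdP operator which key this is before relying on it.
if not RUG_PROVIDER_X509CERT:
    raise RuntimeError(
        "Expected an X509 RuG provider certificate in the IdP metadata")
if len(RUG_PROVIDER_X509CERT) != 1:
    raise RuntimeError(
        "Expected exactly one X509 RuG provider certificate in the IdP metadata, found %d"
        % len(RUG_PROVIDER_X509CERT))
RUG_PROVIDER_X509CERT = RUG_PROVIDER_X509CERT[0].text.strip()

# All IdP endpoints live under one base; the entityId is the metadata URL.
_RUG_IDP_BASE = 'https://tst-idp.id.rug.nl/nidp/saml2'

# Construction of the service provider metadata.
# BASE_URL is normalised here because it is used with a leading '/sso/...'
# below; a base URL ending in '/' would otherwise produce a '//' in the ACS
# URL, which then no longer matches what is registered at the IdP.
_SP_BASE_URL = BASE_URL.rstrip('/')

SAML_PROVIDERS = [{{
    "RuG": {{
        "strict": True,
        # NOTE(review): debug=True makes the SAML library report detailed
        # error information; set it to False for production deployments.
        "debug": True,
        "custom_base_path": "",
        "sp": {{
            "entityId": ENTITY_ID,
            "assertionConsumerService": {{
                "url": _SP_BASE_URL + "/sso/saml/?provider=RuG&acs",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            }},
            "singleLogoutService": {{
                "url": _SP_BASE_URL + "/sso/saml/?provider=RuG",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            }},
            "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            "x509cert": X509,
            "privateKey": PRIVATE_KEY,
        }},
        "idp": {{
            "entityId": SAML_PROVIDER_METADATA_URL,
            "singleSignOnService": {{
                "url": _RUG_IDP_BASE + "/sso",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            }},
            "singleLogoutService": {{
                "url": _RUG_IDP_BASE + "/spslo",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            }},
            "x509cert": RUG_PROVIDER_X509CERT,
        }},
        "organization": {{
            "en-US": {{
                "name": ORGANISATION,
                "displayname": ORGANISATION,
                "url": BASE_URL
            }}
        }},
        "contact_person": {{
            "technical": {{
                "given_name": TECHNICAL_NAME,
                "email_address": TECHNICAL_EMAIL
            }},
            "support": {{
                "given_name": SUPPORT_NAME,
                "email_address": SUPPORT_EMAIL
            }}
        }},
        "security": {{
            "requestedAuthnContext": False,
            "name_id_encrypted": False,
            # Our AuthnRequests are signed; the IdP must have our X509 on file.
            "authn_requests_signed": True,
            # NOTE(review): single logout is unsigned in both directions, so a
            # LogoutRequest forged by anyone who learns a user's NameID and
            # session index is accepted. Consider enabling both once the IdP
            # side is confirmed to sign/verify SLO messages.
            "logout_requests_signed": False,
            "logout_response_signed": False,
            "sign_metadata": False,
            # Message-level signatures are not required; the assertion itself
            # must be signed and encrypted, which is what carries the identity.
            "want_messages_signed": False,
            "want_assertions_signed": True,
            "want_name_id": True,
            "want_name_id_encrypted": False,
            "want_assertions_encrypted": True,
            # Previously both algorithms were set to the rsa-sha1 *signature*
            # URI; that value is not a valid digest-method URI at all, and
            # SHA-1 is deprecated for XML signatures. Use SHA-256 for both.
            # If the IdP rejects our signed AuthnRequests after this change,
            # have the IdP operator enable RSA-SHA256 rather than reverting.
            "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
            "digest_algorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
        }}
    }}
}}]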