132 lines
4.5 KiB
Python
132 lines
4.5 KiB
Python
|
|
|
|
AUTHENTICATION_BACKENDS = [
|
|
'django_saml2_pro_auth.auth.Backend'
|
|
]
|
|
|
|
# identifier for SAML to the service provider.
|
|
ENTITY_ID = '{entity_id}'
|
|
|
|
# Important to make sure redirects and such work properly
|
|
BASE_URL = '{base_url}'
|
|
|
|
# This support information is used for the SAML2 service provider contact information
|
|
TECHNICAL_NAME = '{technical_name}'
|
|
TECHNICAL_EMAIL = '{technical_email}'
|
|
SUPPORT_NAME = '{support_name}'
|
|
SUPPORT_EMAIL = '{support_email}'
|
|
|
|
ORGANISATION = '{organisation}'
|
|
|
|
|
|
SAML_ROUTE = BASE_URL + 'sso/saml/'
|
|
# redirection after successful SAML2 login
|
|
SAML_REDIRECT = BASE_URL + '/'
|
|
|
|
# Mapping used to move the SAML2 attributes to the django-auth user database
|
|
SAML_USERS_MAP = [{{
|
|
"RuG": {{
|
|
"email": dict(key="urn:mace:dir:attribute-def:mail", index=0),
|
|
"username": dict(key="urn:mace:dir:attribute-def:uid", index=0),
|
|
"first_name": dict(key="urn:mace:dir:attribute-def:gn", index=0),
|
|
"last_name": dict(key="urn:mace:dir:attribute-def:sn", index=0),
|
|
}}
|
|
}}]
|
|
|
|
#Private key stripped from the ---BEGIN ... and ---END ... part
|
|
PRIVATE_KEY = """{private_key}"""
|
|
|
|
# Idem for the certificate
|
|
X509 = """{x509}"""
|
|
|
|
# RuG metadata url, should not change unless you want another service provider.
|
|
SAML_PROVIDER_METADATA_URL = 'https://tst-idp.id.rug.nl/nidp/saml2/metadata'
|
|
|
|
#Code to get the RuG identity provider certificate
|
|
import sys
|
|
from onelogin.saml2.xml_utils import OneLogin_Saml2_XML
|
|
if sys.version_info[0] == 2:
|
|
import urllib # python 2
|
|
else:
|
|
assert sys.version_info[0] == 3
|
|
import urllib.request as urllib # python 3
|
|
|
|
with urllib.urlopen(SAML_PROVIDER_METADATA_URL) as u:
|
|
RUG_PROVIDER_METADATA = u.read()
|
|
RUG_PROVIDER_X509CERT = OneLogin_Saml2_XML.query(
|
|
OneLogin_Saml2_XML.to_etree(RUG_PROVIDER_METADATA),
|
|
'/md:EntityDescriptor/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
|
|
)
|
|
|
|
assert len(RUG_PROVIDER_X509CERT) > 0, "Excepted a X509 RUG Provider Certificate"
|
|
assert len(RUG_PROVIDER_X509CERT) == 1, "Excepted no more than 1 X509 RUG Provider Certificate"
|
|
RUG_PROVIDER_X509CERT = RUG_PROVIDER_X509CERT[0].text.strip()
|
|
|
|
|
|
# Construction of the service provider metadata.
|
|
SAML_PROVIDERS = [{{
|
|
"RuG": {{
|
|
"strict": True,
|
|
"debug": True,
|
|
"custom_base_path": "",
|
|
"sp": {{
|
|
"entityId": ENTITY_ID,
|
|
"assertionConsumerService": {{
|
|
"url": BASE_URL + "/sso/saml/?provider=RuG&acs",
|
|
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
}},
|
|
"singleLogoutService": {{
|
|
"url": BASE_URL + "/sso/saml/?provider=RuG",
|
|
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
}},
|
|
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
|
|
"x509cert": X509,
|
|
"privateKey": PRIVATE_KEY,
|
|
}},
|
|
"idp": {{
|
|
"entityId": "https://tst-idp.id.rug.nl/nidp/saml2/metadata",
|
|
"singleSignOnService": {{
|
|
"url": "https://tst-idp.id.rug.nl/nidp/saml2/sso",
|
|
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
}},
|
|
"singleLogoutService": {{
|
|
"url": "https://tst-idp.id.rug.nl/nidp/saml2/spslo",
|
|
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
}},
|
|
"x509cert": RUG_PROVIDER_X509CERT,
|
|
}},
|
|
"organization": {{
|
|
"en-US": {{
|
|
"name": ORGANISATION,
|
|
"displayname": ORGANISATION,
|
|
"url": BASE_URL
|
|
}}
|
|
}},
|
|
"contact_person": {{
|
|
"technical": {{
|
|
"given_name": TECHNICAL_NAME,
|
|
"email_address": TECHNICAL_EMAIL
|
|
}},
|
|
"support": {{
|
|
"given_name": SUPPORT_NAME,
|
|
"email_address": SUPPORT_EMAIL
|
|
}}
|
|
}},
|
|
"security": {{
|
|
"requestedAuthnContext": False,
|
|
"name_id_encrypted": False,
|
|
"authn_requests_signed": True,
|
|
"logout_requests_signed": False,
|
|
"logout_response_signed": False,
|
|
"sign_metadata": False,
|
|
"want_messages_signed": False,
|
|
"want_assertions_signed": True,
|
|
"want_name_id": True,
|
|
"want_name_id_encrypted": False,
|
|
"want_assertions_encrypted": True,
|
|
"signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
|
|
"digest_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
|
|
}}
|
|
}}
|
|
}}]
|