Commit ce7d9bbf, authored 7 years ago by Art
Update README.md
parent 77d88fdf
Changes: 1 changed file
README.md: 61 additions, 42 deletions
...
@@ -8,49 +8,67 @@
...
@@ -8,49 +8,67 @@
-
SAML/SAML2: It's just another XML-based enterprise-grade standard that will make you cry blood
-
SAML/SAML2: It's just another XML-based enterprise-grade standard that will make you cry blood
####
Integrating the app into your Django project.
####
Necessary stuff
-
Binary dependencies:
`sudo apt install libxml2-dev libxslt1-dev xmlsec1 libxmlsec1-dev pkg-config`
-
Binary dependencies:
`sudo apt install libxml2-dev libxslt1-dev xmlsec1 libxmlsec1-dev pkg-config`
-
Python dependencies: see
`requirements.txt`
or
`setup.py`
-
Python dependencies: see
`requirements.txt`
or
`setup.py`
-
Add the app into
`INSTALLED_APPS`
-
Add the app into
`INSTALLED_APPS`
-
Include the app's
`urls.py`
into the project
`urls.py`
`urlpatterns`
-
Include the app's
`urls.py`
into the project
`urls.py`
`urlpatterns`
, preferably without a prefix
-
Add to the project settings
-
Development
#### Development setup
This is what you normally want during the development.
```
python
```
python
# imports
"""
settings/dev.py
"""
import
socket
import
socket
import
os
import
os
# SP
SP_HOST
=
"
141.71.foo.bar
"
# your SP host or IP address
DO_YOU_WANT_SSO
=
False
if
DO_YOU_WANT_SSO
:
SP_HOST
=
"
localhost
"
SP_PORT
=
8000
SP_PORT
=
8000
SP_SSL
=
False
SP_SSL
=
False
SP_FORCE_ENTITY_ID
=
"
auto-{0}-{1}
"
.
format
(
socket
.
gethostname
(),
os
.
path
.
dirname
(
os
.
path
.
dirname
(
__file__
)))
SP_FORCE_ENTITY_ID
=
"
dev-auto-id-{0}-{1}
"
.
format
(
socket
.
gethostname
(),
os
.
path
.
dirname
(
os
.
path
.
dirname
(
__file__
)))
# IDP
IDP_META_URL
=
"
https://idp-test.it.hs-hannover.de/idp/shibboleth
"
# development
IDP_META_URL
=
"
https://idp-test.it.hs-hannover.de/idp/shibboleth
"
# development
# IDP_IGNORE = True # set to True if you experience problems with the IDP (SSO will NOT work)
else
:
SSO_DISABLED
=
True
```
```
-
Production
Use
`localhost:8000/dev/`
to acces the development view.
The code snippet above disables the actual SSO. If you need it:
-
change
`DO_YOU_WANT_SSO`
to True
-
see the SSO configuration section
#### Production setup
```
python
```
python
# SP
"""
settings/prod.py
"""
SP_HOST
=
"
141.71.foo.bar
"
# your SP host or IP address
SP_HOST
=
"
141.71.foo.bar
"
# your SP host or IP address
# IDP
IDP_META_URL
=
"
https://idp.hs-hannover.de/idp/shibboleth
"
# production
IDP_META_URL
=
"
https://idp.hs-hannover.de/idp/shibboleth
"
# production
```
```
-
generate a new key pair:
You will also need to configure the SSO
#### SSO configuration
-
create a key pair:
-
if you don't need your cert to be signed you can use
`openssl req -new -x509 -days 3650 -nodes -out sp.pem -keyout sp.key`
-
create
`cert`
directory:
-
create
`cert`
directory:
-
inside of project
`settings`
directory if it's a package
-
inside of project
`settings`
directory if it's a package
-
next to project
`settings.py`
file if it's a module
-
next to project
`settings.py`
file if it's a module
-
`openssl req -new -x509 -days 3650 -nodes -out sp.pem -keyout sp.key`
-
`./cert/sp.key`
put the private key here
-
`./cert/sp.key`
put the private key here
-
`./cert/sp.pem`
put the certificate here, signing is optional
-
`./cert/sp.pem`
put the certificate here, signing is optional
-
configure the IdP:
#### Integrating your project into the existing SSO infrastructure
-
**Do this only if you want to use SSO. For development it's usually enough to use the dev view instead.**
-
Ask somebody who knows more. Seriously.
-
Ask somebody who knows more. Seriously.
-
Try on the test IdP before you brick the production!
-
Try on the test IdP before you brick the production!
-
Grab your meta
-
Grab your meta
-
Run your project.
-
Run your project.
-
Find meta of your SP (relative path
`/saml2/meta`
or view name
`sso-saml2-meta`
)
-
Find meta of your SP (relative path
`/saml2/meta`
or view name
`sso-saml2-meta`
)
-
**if using Firefox:**
use "show source code" option or you will get invalid XML
-
Use Ctrl+U ("view source") to get the actual XML, otherwise your browser could mess it up
-
configure the IdP:
-
configure the IdP:
-
`SSH`
to the IdP and locate the Shibboleth directory, most likely
`/opt/shibboleth-idp/`
-
`SSH`
to the IdP and locate the Shibboleth directory, most likely
`/opt/shibboleth-idp/`
-
put your meta into a new file in
`./metadata/`
and give it a nice verbose name
-
put your meta into a new file in
`./metadata/`
and give it a nice verbose name
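Review bot: the new `settings/prod.py` snippet only sets `SP_HOST` and `IDP_META_URL`, while the `if DO_YOU_WANT_SSO:` branch of `settings/dev.py` explicitly sets `SP_PORT = 8000`, `SP_SSL = False` and `SP_FORCE_ENTITY_ID`; the production section should state what those take in production (in particular that the SP is served over TLS, since the IdP posts the signed assertion carrying the user's identity to an endpoint on that host) or say plainly that the app's defaults apply, otherwise a reader copying the dev block into prod keeps `SP_SSL = False`. Two smaller points in the same hunk: the key-pair step has the reader write the unencrypted private key (`openssl ... -nodes ... -keyout sp.key`) into `./cert/` next to the project settings, so it should tell them to keep `./cert/sp.key` out of version control; and `SP_FORCE_ENTITY_ID` in the dev branch is built from `socket.gethostname()` and the settings directory path, so the entityID changes whenever the checkout moves or is copied to another machine, which deserves a comment because the IdP-side rule in the following section is keyed on exactly that entityID. Also, "acces" in "Use `localhost:8000/dev/` to acces the development view" is a typo.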
...
@@ -61,5 +79,6 @@
...
@@ -61,5 +79,6 @@
-
edit
`./conf/attribute-filter.xml`
-
edit
`./conf/attribute-filter.xml`
-
add a new
`<Rule .../>`
element inside of
`<AttributeFilterPolicy id="releaseToDjango">`
-
add a new
`<Rule .../>`
element inside of
`<AttributeFilterPolicy id="releaseToDjango">`
-
`value`
(looks like URI) should be the
`entityID`
of your SP (you find it in your meta)
-
`value`
(looks like URI) should be the
`entityID`
of your SP (you find it in your meta)
-
`systemctl restart tomcat8 & tail -fn0 /opt/shibboleth-idp/logs/idp-warn.log`
(you now have some time to grab you a coffee)
-
`systemctl restart tomcat8`
(you now have some time to grab you a coffee)
-
ensure the IdP works after restarting!
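Review bot: the restart step loses its verification. The old line `systemctl restart tomcat8 & tail -fn0 /opt/shibboleth-idp/logs/idp-warn.log` becomes `systemctl restart tomcat8` plus "ensure the IdP works after restarting!" with no indication of how; the log tail was the concrete check, so either keep it as its own line after the restart (a plain `tail -f /opt/shibboleth-idp/logs/idp-warn.log`, rather than backgrounding the restart with `&`) or spell out what to verify, e.g. that the new file in `./metadata/` and the edited `./conf/attribute-filter.xml` loaded without warnings and that a login through an SP that already worked still succeeds. The rule step should also say that `value` must match the `entityID` from the SP metadata character for character, since a mismatch silently releases no attributes rather than failing loudly, and the `<Rule .../>` placeholder hides the rule's type attribute, so a reader cannot copy it as written.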