README.md

@@ -8,7 +8,7 @@
 
 
 #### Minimal SSO Intro:
-- [SSO](https://lmddgtfy.net/?q=SSO): Single Sign On
+- [SSO](https://duckduckgo.com/?q=sso): Single Sign On
 - SLO: Single Log Out
 - SP: Service Provider (your web app)
 - IDP: Identity Provider (e.g. Shibboleth)
@@ -17,13 +17,14 @@
 
 
 #### Necessary Stuff
-- Binary dependencies: `sudo apt install libxml2-dev libxslt1-dev xmlsec1 libxmlsec1-dev pkg-config`
+- Binary dependencies: `sudo apt install libxml2-dev libxslt1-dev xmlsec1 libxmlsec1-dev pkg-config` (debian example)
 - Python dependencies: see `requirements.txt` or `setup.py`
 - Add the app into `INSTALLED_APPS`
-- Include the `ssoauth` `urls.py` into the project `urls.py` `urlpatterns`:
+- `urlpatterns`:
+   - In `urls.py` of your project add `path("", include("ssoauth.urls"))` to `urlpatterns`
    - Without a path/prefix: youre done.
    - With a path/prefix:
-     - Reconsider it. It's highly recommended to include `ssoauth` **without** a prefix/path to avoid issues with apps like `contrib.admin` and `wagtail` that provide their own log in pages.
+     - Reconsider it. It better to include `ssoauth` **without** a prefix/path to avoid issues with apps like `django.contrib.admin` and `wagtail` that provide their own login pages at the default path.
      - If you really need to use a path/prefix, make sure to set a setting `LOGIN_URL = urls.reverse_lazy("sso-login")`
 
 
@@ -40,11 +41,11 @@ Use this only if you want an actual SSO with SAML2. For extra details see the de
 import os, socket
 from django import urls
 
-IDP_META_URL = "https://idp-test.it.hs-hannover.de/idp/shibboleth"
-IDP_LOGOUT_URL = "https://idp-test.it.hs-hannover.de/idp/profile/Logout"
+IDP_META_URL = "https://idp.hs-hannover.de/simplesaml/saml2/idp/metadata.php"
+IDP_LOGOUT_URL = "https://idp.hs-hannover.de/simplesaml/module.php/saml/idp/singleLogout"
 
-SP_KEY = "{project_settings}/cert/sp.key"
-SP_CERT = "{project_settings}/cert/sp.pem"
+SP_KEY = "{project_settings}/sso_cert/sp.key"
+SP_CERT = "{project_settings}/sso_cert/sp.pem"
 
 SP_HOST = "localhost"
 SP_PORT = 8000

ssoauth/app_settings/__init__.py

@@ -40,7 +40,7 @@ ONELOGIN_SETTINGS_TEMPLATE = {
         "NameIDFormat": onelogin_constants.NAMEID_TRANSIENT,
     },
     "idp": {
-        "entityId": IDP_META_URL,
+        "entityId": IDP_ENTITY_ID or IDP_META_URL,
         "x509certMulti": {
             "signing": _SET_ON_RUNTIME or dict(),
             "encryption": _SET_ON_RUNTIME or dict(),

ssoauth/app_settings/defaults.py

 import os
+import pathlib
 from django.conf import settings as django_settings
 from datetime import timedelta
 
@@ -20,10 +21,13 @@ SP_PORT = 443
 SP_SSL = True
 
 IDP_META_URL = None  # e.g. "https://idp-test.hs-hannover.de/idp/shibboleth"
+IDP_ENTITY_ID = IDP_META_URL  # these must normally be the same, but a workaround is required as of 18.03.2024
 IDP_LOGOUT_URL = None  # e.g. "https://idp-test.it.hs-hannover.de/idp/profile/Logout"
 
-SP_KEY = "{project_settings}/cert/sp.key"
-SP_CERT = "{project_settings}/cert/sp.pem"
+# paths to the public/private keys for SAML2, either put them into `settings/sso_cert/` or change the settings
+__settings_directory = str(pathlib.Path(os.environ.get("DJANGO_SETTINGS_MODULE").replace(".", "/")).absolute())
+SP_KEY = f"{__settings_directory}/sso_cert/sp.key"
+SP_CERT = f"{__settings_directory}/sso_cert/sp.pem"
 
 SSO_REQUIRED_IN_DEBUG = False
 SSO_REQUIRED_IN_PRODUCTION = False  # disabled because of e.g. collectstatic on the static server

ssoauth/extras/hsh_compat.py

@@ -28,6 +28,6 @@ def get_group_names_for_user(user):
     except (Account.DoesNotExist, Account.MultipleObjectsReturned,) as e:
         logger.error("hsh.Account not found for {user}. {e.__class__.__name__}: {e}".format(user=user, e=e))
         return set()
-    hsh_groups = hsh_account.auth_groups.filter(GROUP_NAME_LOOKUP)
+    hsh_groups = hsh_account.groups.filter(GROUP_NAME_LOOKUP)
     return {g.name for g in hsh_groups}