Instead of:

default_shib_attributes = {
   "Shibboleth-eppn": (True, "username"),
}

how about:

default_shib_attributes = {
   "REMOTE_USER": (True, "username"),
}

The Apache mod_shib will of course set REMOTE_USER as that is the standard environment variable. In my case I did not see Shibboleth-eppn in my environment.

Trevor http://www.appazur.com

I had trouble getting things working, but I fixed it by using the Django base class, django.contrib.auth.backends.RemoteUserBackend, instead of ShibbolethRemoteUserBackend.

ShibbolethRemoteUserBackend will not match existing users based only on the username. Instead, ALL attributes must match (e.g. First Name, Last Name... whatever you've configured):

user = User.objects.get(**shib_user_params)

I would have expected that you could provide attributes for populating new user records, but that you would use a primary key field only (e.g. username) for matching with existing users. For example, what if the application changed a name field after the user was created (or in my case, the account was created without using Shibboleth).

Trevor http://www.appazur.com

Django's RemoteUserBackend (as of 1.11) does not allow login from users with is_active=False This seems like a good thing to have in ShibbolethRemoteUserBackend too. Would you accept a PR for this?

I'm attempting to use django-shibboleth-remoteuser with the permission mixins from Django braces. However, it seems that the session is being lost after the first click. We had a similar issue with CoSign authentication using remote user, which was solved by using the new PersistentRemoteUserMiddleware:

https://docs.djangoproject.com/en/1.9/ref/middleware/#django.contrib.auth.middleware.PersistentRemoteUserMiddleware

We are trying to use the LoginRequiredMixin to protect the site to keep it controlled by Django (so that we could fall back on Django's auth, for example, if Shib isn't available for any reason), and only protect the LOGIN_URL ('/Shibboleth.sso/Login') with Shibboleth's gatekeeper.

I'm not sure the problem is the same, as this is my first time using Shibboleth. We have shibboleth with Apache successfully redirecting to our IdP for login, and when it returns, it creates the user and we've dumped {{ request.username }} successfully into a template. However, on ensuing clicks, it is no longer populated. I'm wondering if anyone has run into this problem. I'm including various settings and code snippets below.

Apache config:

LoadModule wsgi_module modules/mod_wsgi.so

WSGISocketPrefix /var/run/wsgi

Listen 443
<VirtualHost *:443>
  ServerName vagrant.ourserver.com
  ErrorLog /home/vagrant/apache_errors.log

  SSLENGINE on

  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLProtocol all -SSLv2

  WSGIDaemonProcess shibdemo-https python-home=/home/vagrant/.virtualenvs/shibdemo
  WSGIProcessGroup shibdemo-https
  WSGIScriptAlias / /vagrant/html/shibdemo/shibdemo/wsgi.py process-group=shibdemo-https application-group=shibdemo-https
  <Directory /vagrant/html/shibdemo/shibdemo>
    Require all granted
  </Directory>
  Alias /static/ /vagrant/html/shibdemo/static/
  <Directory /vagrant/html/shibdemo/static>
    Require all granted
  </Directory>


  <Location /pennkey>
    AuthType shibboleth
    Require valid-user
    ShibRequireSession on
  </Location>

  <Location /Shibboleth.sso>
    SetHandler shib
  </Location>
</VirtualHost>

Relevant Django settings:

SHIBBOLETH_ATTRIBUTE_MAP = {
    "eppn": (True, "username"),
    "givenName": (True, "first_name"),
    "sn": (True, "last_name"),
    "mail": (False, "email"),
}

MIDDLEWARE_CLASSES = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'shibboleth.middleware.ShibbolethRemoteUserMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'shibboleth',
    'pennkey',
    'about',
)

AUTHENTICATION_BACKENDS = [
    'shibboleth.backends.ShibbolethRemoteUserBackend',
    'django.contrib.auth.backends.ModelBackend',
]

LOGIN_URL = '/Shibboleth.sso/Login'

urlpatterns:

urlpatterns = [
    url(r'^$', TemplateView.as_view(template_name='shibdemo/home.html'), name='home'),
    url(r'^other/$', login_required(TemplateView.as_view(template_name='shibdemo/other.html'), login_url='/admin/'), name='home'),
    url(r'^about/$', AboutView.as_view(), name='about'),
    url(r'^admin/', include(admin.site.urls)),
    url(r'^pennkey/', include('pennkey.urls', namespace='pennkey')),
    url(r'^shib/', include('shibboleth.urls', namespace='shibboleth')),
]

Example views for the 'about' Django app:

from django.views.generic import TemplateView
from braces.views import LoginRequiredMixin


class AboutView(LoginRequiredMixin, TemplateView):
    template_name = 'about/about.html'

Our Shibboleth XML files would seem to be okay since we can hit https://vagrant.ourserver.com/Shibboleth.sso/Login and successfully auth with our IdP, and see the returned user created. We're on CentOS 7.2 with Apache 2.4. Apologies if this isn't the right place to ask, and let me know if I should include more details. Thanks in advance.

Hello

I tried to use the template tags
but i have this error :u'shibboleth' is not a registered namespace
in the settings.py file the modified parameter is TEMPLATE_CONTEXT_PROCESSORS

django 1.6

Thanks

I got the following error by running your module to login.

'Options' object has no attribute 'get_fields'

Request Method: 	GET
Request URL: 	https://develop.klewel.com/watch/webcasts/
Django Version: 	1.6.5
Exception Type: 	AttributeError
Exception Value: 	

'Options' object has no attribute 'get_fields'

Exception Location: 	/usr/local/lib/python2.7/dist-packages/shibboleth/backends.py in authenticate, line 35
Python Executable: 	/usr/local/bin/uwsgi
Python Version: 	2.7.6
Python Path: 	

Apparently Django 1.6.5 doesn't support get_fileds() method but get_all_field_names() exists. Should I propose to you a pull request ?

django.test.simple was removed in Django 1.8

Hello,

I'm trying to create a local development environment to update our Shibboleth application. We want to be able to run it locally without the need for a real SAML IdP.

In the app settings file: https://github.com/Brown-University-Library/django-shibboleth-remoteuser/blob/master/shibboleth/app_settings.py#L11-L12 there's a SHIB_MOCK_HEADERS variable that is documented to do exactly what we want. The only issue is that it doesn't seem to do anything (and isn't referenced anywhere else through the code base).

Is there something I'm missing?

Thanks

During logout via the logout-view, the LOGOUT_SESSION_KEY is set, preventing the user from logging in.

As far as I can see, the user cannot log in again unless the login-view is used because only there the key is removed:

https://github.com/Brown-University-Library/django-shibboleth-remoteuser/blob/master/shibboleth/views.py#L55

I might be wrong though because this line does something I don't understand
https://github.com/Brown-University-Library/django-shibboleth-remoteuser/blob/master/shibboleth/middleware.py#L28

There are two possible ways to fix this:

The first one would be to make the login-view mandatory. This would also solve the other issue I have opened, but the settings would require a distinction between
LOGIN_URL and
SHIBBOLETH_LOGIN_URL

as it already exists for the logout process. This also solves my first issue.

The second fix would be to remove the whole LOGOUT_SESSION_KEY mechanism.
This also solves my my third issue.

I will suggest a fix within the next days if the issue is confirmed.

I had configured everything, but getting an unknown url error after a successful login, while being redirected back to my protected page: 'Unknown AssertionConsumerServiceURL '

samlp:Status<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>samlp:StatusMessageUnknown AssertionConsumerServiceURL https://mywebsite/Shibboleth.sso/SAML2/POST</samlp:StatusMessage></samlp:Status>

I found references to SAML2/POST in the C:\opt\shibboleth-sp\etc\shibboleth\protocols.xml, is this not supposed to be implemented by Shibboleth.sso intrinsically?

Not sure if I need to implement that or not... somehow. Any thoughts appreciated.

-thanks a lot!

Hey all. We're running into a strange issue where shibboleth login works a charm when no redirect URL is given via the target querystring parameter, but when that target value is provided, we don't get any of the expected headers in the first request back from shibboleth (REMOTE_USER, SHIB_* variables, AUTH_TYPE: shibboleth, attributes we've requested via the SHIBBOLETH_ATTRIBUTE_MAP setting, etc.) and it results in an infinite redirect loop.

We use Django's login_required decorator to protect resources, and our LOGIN_URL setting is set to /Shibboleth.sso/Login. If we don't explicitly set the REDIRECT_FIELD_NAME to target, Django uses the default next, which shibboleth doesn't understand and is therefore ignored (#8 discusses this too). When we do set the REDIRECT_FIELD_NAME to target, the first request coming back from shibboleth is indeed at the correct redirect URL, but that request does not include any of the headers mentioned above. Don't know if it's relevant, but we do see a _shibsession_* cookie set.

Any ideas about what might be causing this? I can provide config settings if needed. Thanks in advance!

Shibboleth with httpd sso setup integrated with Apex is returning to login page after providing the credentials.

Could you please help on this

When I add a "login_required" decoration to my view, Shibboleth tells me that my request is stale. Anyone ever dealt with this?

Right now it looks like you have to subclass the backend class to have the backend not create Users automatically. Why not add a setting for this, to make it easier to change the functionality?

installed the setup.py and then I checked the shibboleth folder , whre is settings.py file? there is one file with name app_settings.

We would like to use django-shibboleth-remoteuser, but because it is not distributed under any licence, we can't. Is this by design or is it an oversight?

I had to revert back to Django 2.0.8, otherwise, the login never succeeds (even though there is a valid session). I haven't found any error/warning in the logs. Seems to be silently failing and going back to the anonymous user. Reverting back to 2.0.8, reloading apache and refreshing the page reloads the authenticated page.

I have set the LOGIN_URL to mydomain/Shibboleth.sso/Login

If I enter

mydomain/Shibboleth.sso/Login?target=redirectUrl 

I am being redirected corretly. Juding from my browser history, the automatic link created by this package is

mydomain/Shibboleth.sso/Login?next=redirectUrl

Strangely enough, I can't find the bug in the code, so it might as well have another cause.

See documentation here https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionCreationParameters

This might be different for older versions of shibboleth.

Hello,
in my current Django application I have the problem that every user gets authenticated through our IdP. In my particular scenario the application must have special permission for our normal staff. Students should handled different. (I work for a university).

I came up with a solution to map existing shibboleth attributes to permission groups. To illustrate this see following example. I also used the attributes from the testcase at test_shib.py.

I would add following to my settings.py
SHIBBOLETH_GROUP_ATTRIBUTES = ['Shibboleth-affiliation', 'Shibboleth-isMemberOf']

When the user get logged in, it will be added to the Groups ['[email protected]', '[email protected]', 'SCHOOL:COMMUNITY:EMPLOYEE:ADMINISTRATIVE:BASE', 'SCHOOL:COMMUNITY:EMPLOYEE:STAFF:SAC:P', 'COMMUNITY:ALL', 'SCHOOL:COMMUNITY:EMPLOYEE:STAFF:SAC:M']

If the group does not exists, django-shibboleth-remoteuser will create the groups and add the user to this group. The user also will get removed from every other group not defined in the list above. Now you can add any permission from the application to this groups.
If SHIBBOLETH_GROUP_ATTRIBUTES = [] (which I would use for default) there will be no changes to the groups of the user, to ensure backward compatibility.

This is a similar approach like django-auth-ldap, where LDAP group attributes may map to Django permission groups (Which I like a lot.).

I definitely will implement this feature. I have the choice to do the generic approach (like described above) or implement my own ShibbolethRemoteUserBackend. If you would merge this approach (of course with documentation and tests) I would start next week. What do you think?

Hi,

Some of our shibboleth attributes contain accentuated characters (sn). They are incorrectly encoded when the corresponding user is created in the database.

Frédéric => Frédéric

What could be wrong in our configuration ?

Thank you for your help.

Fred

Passing the request variable to the authentication backend would make it easier to extend it.

It would be helpful to add a new release tag that includes the Django 2.0 compatibility commit.

I've put the following in my settings.py file:
SHIBBOLETH_LOGOUT_URL = "https://school.edu/Shibboleth.sso/Logout?return=https://sso.school.edu/idp/logout.jsp"

But on logout I'm getting a type error: "not all arguments converted during string formatting" from line 77 of shibboleth/views.py

Have I set it up incorrectly?

Thanks

First of all, thank you for your work on this project. Much appreciated.

Is this project compatible with Shibboleth Service Provider version 3 (SP3)? Also, does the project make use of server variables as outlined in the SP3 Attribute Access documentation?

The useage of
ShibUseHeaders On
poses a security risk and is not recommended:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-RequestHeaders

It is also not necessary since the shibboleth variables are populated via WSGI into the request.META dictionary. For example, without using ShibUseHeaders On, the META key of my application contains the following attributes:

persistent-id
unscoped-affiliation
orgunit-dn

and more.

This is a neat library - I use it in a couple of projects. It would be great to see it on PyPI and be able to pip install it.

Hi,

0.11 is incompatible with Django 3.0+ due to the removal of django.utils.six, but the most recent fixes merged into master seem to address this. Any idea when we can expect an official 0.12 release available via PyPi? It's much easier to bundle into a requirements.txt file that way.

Thanks!

Thanks for a great module. Is there a default way to call the shibboleth logout page or do I need to write my own template tag, similar to the login tag included in the module?

Thanks

When running the shib tests using the shibboleth app, the urllib throws an error indicating the quote library is not being imported correctly

Hello, I try to create a profile in same time of user registration. I found a make_profile class in your middleware with the purpose to be rewritten in case of needs. So, I wrote something like this:

from shibboleth.middleware import ShibbolethRemoteUserMiddleware
from app.models.UserProfile import UserProfile

class ShibbolethRemoteUserMiddlewareWithProfile(ShibbolethRemoteUserMiddleware):
    def make_profile(self, user, shib_meta):
        UserProfile.objects.create(user=user)

And call this middleware object instead of the original one in my settings.py. But when new user is comming, the profile isn't created and if I put a logger, he will never be triggered.

Perhaps choose I the wrong approach to rewrite this method ?

The way I understood it is that this mechanism allows the user to be logged out of the application while still having an active shibboleth session.

In my eyes this is a security issue because it suggests to the user that he is logged out even though anyone with access to the computer can log back in by removing the LOGOUT_SESSION_KEY.

In my eyes, if a user is logged in to shibboleth he should be logged in to any application that bases on it. After all, Shibboleth is a software to support Single sign-on , and that's exactly what single sign on means.

A fix would be to remove this mechanism.

Hi
I attempted to pip git+shibrepo install while my virtual environment for django project was activated and it still installs to the global python site-packages. Thus, a shibboleth module not found error occurs when running the app. (Testing the app with urls.py pointing to shibboleth.urls and the middleware class added)
Please advise

First: Thanks for this nice application!

May I ask: What are the reasons for checking the value of LOGOUT_SESSION_KEY in the session of the current user in the middleware?
The comment states, that this is needed for logout to work. But in my tests simply deleting the user session in the ShibbolethLogoutView seems to work as well and is cleaner in my opinion:

--- views.py.orig	2017-10-04 21:10:54.571524640 +0000
+++ views.py	2017-10-04 21:10:45.759517570 +0000
@@ -8,6 +8,7 @@
 from django.shortcuts import redirect
 from django.utils.decorators import method_decorator
 from django.views.generic import TemplateView
+from django.contrib.sessions.models import Session
 
 from urllib import quote
 
@@ -69,7 +70,8 @@
         auth.logout(self.request)
         #Set session key that middleware will use to force 
         #Shibboleth reauthentication.
-        self.request.session[LOGOUT_SESSION_KEY] = True
+        #self.request.session[LOGOUT_SESSION_KEY] = True
+        Session.objects.filter(session_key=self.request.session.session_key).delete()
         #Get target url in order of preference.
         target = LOGOUT_REDIRECT_URL or\
                  quote(request.build_absolute_uri())

Am I missing something?
Would you accept a pull request for the change (of course a complete PR, this is only a proof of concept)

We have also hit the issue detailed at:
rdmorganiser/rdmo#77
in a self-developed Django application. I could not find a better approach than the one outlined there, which requires an additional feature in this module (optionally urldecoding the fields).

@jochenklar has implemented this in:
rdmorganiser@e2f6cab

I'm not sure whether the code can be upstreamed, but I believe it would be of general use :-).

We've been looking into installing django-shibboleth-remoteuser, but our sys-admin discovered it doesn't support python build dist. Is this something you all plan on adding or are you satisfied with things as they are. Note: our sys admins won't use pip so that may have been part of the issue. I had no issue installing via pip on my desktop.

Thanks,

Dean

Django 4.x has removed the url() method from django.conf.urls. The preferred replacement is django.urls.path()

https://docs.djangoproject.com/en/4.0/releases/4.0/#features-removed-in-4-0

what is the command to install an older version?
I have an error with this command: sudo pip install django-shibboleth-remoteuser-kennydude == 0.4

Could not find a version that satisfies the requirement django-shibboleth-remoteuser-kennydude == 0.4 (from versions: 0.5.macosx-10.11-intel, 0.6, 0.6.1, 0.6.2)

I connect to a server in ssh.