brown-university-library / django-shibboleth-remoteuser
Middleware for using Shibboleth with Django
License: MIT License
When running the shib tests using the shibboleth app, the urllib throws an error indicating the quote library is not being imported correctly
We would like to use django-shibboleth-remoteuser, but because it is not distributed under any licence, we can't. Is this by design or is it an oversight?
It would be helpful to add a new release tag that includes the Django 2.0 compatibility commit.
During logout via the logout-view, the LOGOUT_SESSION_KEY is set, preventing the user from logging in.
As far as I can see, the user cannot log in again unless the login-view is used because only there the key is removed:
I might be wrong though because this line does something I don't understand
https://github.com/Brown-University-Library/django-shibboleth-remoteuser/blob/master/shibboleth/middleware.py#L28
There are two possible ways to fix this:
The first one would be to make the login-view mandatory. This would also solve the other issue I have opened, but the settings would require a distinction between LOGIN_URL and SHIBBOLETH_LOGIN_URL, as already exists for the logout process. This also solves my first issue.
The second fix would be to remove the whole LOGOUT_SESSION_KEY mechanism.
This also solves my third issue.
I will suggest a fix within the next days if the issue is confirmed.
Hello
I tried to use the template tags, but I have this error: u'shibboleth' is not a registered namespace
in the settings.py file the modified parameter is TEMPLATE_CONTEXT_PROCESSORS
django 1.6
Thanks
Passing the request variable to the authentication backend would make it easier to extend it.
Hi
I attempted to pip git+shibrepo install while my virtual environment for django project was activated and it still installs to the global python site-packages. Thus, a shibboleth module not found error occurs when running the app. (Testing the app with urls.py pointing to shibboleth.urls and the middleware class added)
Please advise
Hello,
in my current Django application I have the problem that every user gets authenticated through our IdP. In my particular scenario the application must have special permission for our normal staff. Students should be handled differently. (I work for a university.)
I came up with a solution to map existing Shibboleth attributes to permission groups. To illustrate this, see the following example. I also used the attributes from the test case in test_shib.py.
I would add the following to my settings.py:
SHIBBOLETH_GROUP_ATTRIBUTES = ['Shibboleth-affiliation', 'Shibboleth-isMemberOf']
When the user gets logged in, they will be added to the groups ['[email protected]', '[email protected]', 'SCHOOL:COMMUNITY:EMPLOYEE:ADMINISTRATIVE:BASE', 'SCHOOL:COMMUNITY:EMPLOYEE:STAFF:SAC:P', 'COMMUNITY:ALL', 'SCHOOL:COMMUNITY:EMPLOYEE:STAFF:SAC:M']
If a group does not exist, django-shibboleth-remoteuser will create it and add the user to it. The user will also be removed from every other group not defined in the list above. Now you can add any permission from the application to these groups.
If SHIBBOLETH_GROUP_ATTRIBUTES = [] (which I would use as the default), there will be no changes to the groups of the user, to ensure backward compatibility.
This is a similar approach to django-auth-ldap, where LDAP group attributes may map to Django permission groups (which I like a lot).
I will definitely implement this feature. I have the choice to do the generic approach (as described above) or implement my own ShibbolethRemoteUserBackend. If you would merge this approach (of course with documentation and tests), I would start next week. What do you think?
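An added example (not the project's code and not the poster's) that models the proposal above in plain Python: the configured attributes are parsed into group names, missing groups are created, and the user's membership is replaced so they drop out of groups no longer asserted. The attribute and setting names come from the post; the in-memory GroupStore standing in for Django's Group model and user.groups is a constructed assumption.

```python
SHIBBOLETH_GROUP_ATTRIBUTES = ["Shibboleth-affiliation", "Shibboleth-isMemberOf"]


def parse_group_attributes(shib_meta, group_attributes=SHIBBOLETH_GROUP_ATTRIBUTES, sep=";"):
    """Return the set of group names carried by the configured attributes.

    The Shibboleth SP joins multi-valued attributes into one string separated
    by ';', so each configured attribute is split on that separator. Attributes
    that are absent or empty simply contribute nothing.
    """
    groups = set()
    for attr in group_attributes:
        for value in shib_meta.get(attr, "").split(sep):
            value = value.strip()
            if value:
                groups.add(value)
    return groups


class GroupStore:
    """Constructed in-memory stand-in for Group rows and user.groups."""

    def __init__(self, existing=()):
        self.groups = set(existing)  # group names that exist "in the database"
        self.membership = {}         # username -> set of group names

    def sync_user(self, username, shib_meta, group_attributes=SHIBBOLETH_GROUP_ATTRIBUTES):
        """Apply the proposal for one login and return the user's final groups.

        An empty attribute list leaves the user's groups untouched (the
        backward-compatible default). Otherwise missing groups are created and
        the membership is replaced wholesale, so the user is removed from every
        group the IdP no longer asserts. Groups themselves are never deleted.
        """
        if not group_attributes:
            return set(self.membership.get(username, set()))
        wanted = parse_group_attributes(shib_meta, group_attributes)
        self.groups |= wanted                    # get_or_create for each name
        self.membership[username] = set(wanted)  # user.groups.set(wanted)
        return set(wanted)
```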
Django's RemoteUserBackend (as of 1.11) does not allow login from users with is_active=False. This seems like a good thing to have in ShibbolethRemoteUserBackend too. Would you accept a PR for this?
Hello, I am trying to create a profile at the same time as user registration. I found a make_profile class in your middleware with the purpose of being overridden in case of need. So, I wrote something like this:
from shibboleth.middleware import ShibbolethRemoteUserMiddleware
from app.models.UserProfile import UserProfile


class ShibbolethRemoteUserMiddlewareWithProfile(ShibbolethRemoteUserMiddleware):
    def make_profile(self, user, shib_meta):
        UserProfile.objects.create(user=user)
And I call this middleware class instead of the original one in my settings.py. But when a new user comes in, the profile isn't created, and if I put in a logger, it is never triggered.
Perhaps I chose the wrong approach to override this method?
The usage of ShibUseHeaders On poses a security risk and is not recommended:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-RequestHeaders
It is also not necessary, since the Shibboleth variables are populated via WSGI into the request.META dictionary. For example, without ShibUseHeaders On, the META of my application contains the following attributes:
persistent-id
unscoped-affiliation
orgunit-dn
and more.
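An added example (not the project's code) of the point above: attributes that mod_shib passes through the WSGI environment appear in request.META under their plain names, while anything a client sends as a request header lands under an HTTP_ prefixed key. The reader below trusts only the plain keys and reports header keys that collide with a mapped attribute; the attribute map values and the META dictionary are constructed for the example.

```python
import re

# Attribute map in the shape of this project's SHIBBOLETH_ATTRIBUTE_MAP
# setting: attribute name -> (required, user field). Values are constructed.
SHIBBOLETH_ATTRIBUTE_MAP = {
    "persistent-id": (True, "username"),
    "unscoped-affiliation": (False, "affiliation"),
    "mail": (False, "email"),
}


def header_key(name):
    """WSGI environ key that a client-sent request header ends up under.

    CGI/WSGI servers upper-case the header name, turn every character that is
    not A-Z or 0-9 into '_' and prefix 'HTTP_', so a request header 'mail'
    becomes 'HTTP_MAIL'.
    """
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def extract_shib_attributes(meta, attribute_map=SHIBBOLETH_ATTRIBUTE_MAP):
    """Read Shibboleth attributes from request.META / the WSGI environ.

    Only the unprefixed keys that mod_shib writes into the server environment
    are consulted (the 'persistent-id', 'unscoped-affiliation', ... keys seen
    without ShibUseHeaders). HTTP_* keys are request headers, which is exactly
    what ShibUseHeaders On would make the application rely on; they are never
    used here, but a header whose name collides with a mapped attribute is
    reported so the caller can log it.

    Returns (attributes, missing_required, colliding_header_keys).
    """
    attributes, missing, collisions = {}, [], []
    for attr, (required, field) in attribute_map.items():
        value = meta.get(attr, "")
        if value:
            attributes[field] = value
        elif required:
            missing.append(attr)
        hk = header_key(attr)
        if hk in meta:
            collisions.append(hk)
    return attributes, missing, collisions
```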
I got the following error by running your module to login.
'Options' object has no attribute 'get_fields'
Request Method: GET
Request URL: https://develop.klewel.com/watch/webcasts/
Django Version: 1.6.5
Exception Type: AttributeError
Exception Value:
'Options' object has no attribute 'get_fields'
Exception Location: /usr/local/lib/python2.7/dist-packages/shibboleth/backends.py in authenticate, line 35
Python Executable: /usr/local/bin/uwsgi
Python Version: 2.7.6
Python Path:
Apparently Django 1.6.5 doesn't support the get_fields() method, but get_all_field_names() exists. Should I propose a pull request?
Hey all. We're running into a strange issue where Shibboleth login works a charm when no redirect URL is given via the target querystring parameter, but when that target value is provided, we don't get any of the expected headers in the first request back from Shibboleth (REMOTE_USER, SHIB_* variables, AUTH_TYPE: shibboleth, attributes we've requested via the SHIBBOLETH_ATTRIBUTE_MAP setting, etc.) and it results in an infinite redirect loop.
We use Django's login_required decorator to protect resources, and our LOGIN_URL setting is set to /Shibboleth.sso/Login. If we don't explicitly set the REDIRECT_FIELD_NAME to target, Django uses the default next, which Shibboleth doesn't understand and is therefore ignored (#8 discusses this too). When we do set the REDIRECT_FIELD_NAME to target, the first request coming back from Shibboleth is indeed at the correct redirect URL, but that request does not include any of the headers mentioned above. Don't know if it's relevant, but we do see a _shibsession_* cookie set.
Any ideas about what might be causing this? I can provide config settings if needed. Thanks in advance!
what is the command to install an older version?
I have an error with this command: sudo pip install django-shibboleth-remoteuser-kennydude == 0.4
Could not find a version that satisfies the requirement django-shibboleth-remoteuser-kennydude == 0.4 (from versions: 0.5.macosx-10.11-intel, 0.6, 0.6.1, 0.6.2)
I connect to a server in ssh.
We've been looking into installing django-shibboleth-remoteuser, but our sys-admin discovered it doesn't support python build dist. Is this something you all plan on adding, or are you satisfied with things as they are? Note: our sys admins won't use pip, so that may have been part of the issue. I had no issue installing via pip on my desktop.
Thanks,
Dean
The way I understood it is that this mechanism allows the user to be logged out of the application while still having an active shibboleth session.
In my eyes this is a security issue because it suggests to the user that he is logged out even though anyone with access to the computer can log back in by removing the LOGOUT_SESSION_KEY.
In my eyes, if a user is logged in to Shibboleth he should be logged in to any application that is based on it. After all, Shibboleth is software to support single sign-on, and that's exactly what single sign-on means.
A fix would be to remove this mechanism.
This is a neat library - I use it in a couple of projects. It would be great to see it on PyPI and be able to pip install it.
I'm attempting to use django-shibboleth-remoteuser with the permission mixins from Django braces. However, it seems that the session is being lost after the first click. We had a similar issue with CoSign authentication using remote user, which was solved by using the new PersistentRemoteUserMiddleware:
We are trying to use the LoginRequiredMixin to protect the site to keep it controlled by Django (so that we could fall back on Django's auth, for example, if Shib isn't available for any reason), and only protect the LOGIN_URL ('/Shibboleth.sso/Login') with Shibboleth's gatekeeper.
I'm not sure the problem is the same, as this is my first time using Shibboleth. We have shibboleth with Apache successfully redirecting to our IdP for login, and when it returns, it creates the user and we've dumped {{ request.username }} successfully into a template. However, on ensuing clicks, it is no longer populated. I'm wondering if anyone has run into this problem. I'm including various settings and code snippets below.
Apache config:
LoadModule wsgi_module modules/mod_wsgi.so
WSGISocketPrefix /var/run/wsgi
Listen 443
<VirtualHost *:443>
    ServerName vagrant.ourserver.com
    ErrorLog /home/vagrant/apache_errors.log
    SSLENGINE on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLProtocol all -SSLv2
    WSGIDaemonProcess shibdemo-https python-home=/home/vagrant/.virtualenvs/shibdemo
    WSGIProcessGroup shibdemo-https
    WSGIScriptAlias / /vagrant/html/shibdemo/shibdemo/wsgi.py process-group=shibdemo-https application-group=shibdemo-https
    <Directory /vagrant/html/shibdemo/shibdemo>
        Require all granted
    </Directory>
    Alias /static/ /vagrant/html/shibdemo/static/
    <Directory /vagrant/html/shibdemo/static>
        Require all granted
    </Directory>
    <Location /pennkey>
        AuthType shibboleth
        Require valid-user
        ShibRequireSession on
    </Location>
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
</VirtualHost>
Relevant Django settings:
SHIBBOLETH_ATTRIBUTE_MAP = {
    "eppn": (True, "username"),
    "givenName": (True, "first_name"),
    "sn": (True, "last_name"),
    "mail": (False, "email"),
}

MIDDLEWARE_CLASSES = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'shibboleth.middleware.ShibbolethRemoteUserMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'shibboleth',
    'pennkey',
    'about',
)

AUTHENTICATION_BACKENDS = [
    'shibboleth.backends.ShibbolethRemoteUserBackend',
    'django.contrib.auth.backends.ModelBackend',
]

LOGIN_URL = '/Shibboleth.sso/Login'
urlpatterns:
from django.conf.urls import include, url
from django.contrib import admin
from django.contrib.auth.decorators import login_required
from django.views.generic import TemplateView

from about.views import AboutView  # assumed location of the AboutView shown below

urlpatterns = [
    url(r'^$', TemplateView.as_view(template_name='shibdemo/home.html'), name='home'),
    # second pattern previously reused the name 'home'; each pattern needs its own name
    url(r'^other/$', login_required(TemplateView.as_view(template_name='shibdemo/other.html'), login_url='/admin/'), name='other'),
    url(r'^about/$', AboutView.as_view(), name='about'),
    url(r'^admin/', include(admin.site.urls)),
    url(r'^pennkey/', include('pennkey.urls', namespace='pennkey')),
    url(r'^shib/', include('shibboleth.urls', namespace='shibboleth')),
]
Example views for the 'about' Django app:
from django.views.generic import TemplateView
from braces.views import LoginRequiredMixin


class AboutView(LoginRequiredMixin, TemplateView):
    template_name = 'about/about.html'
Our Shibboleth XML files would seem to be okay since we can hit https://vagrant.ourserver.com/Shibboleth.sso/Login and successfully auth with our IdP, and see the returned user created. We're on CentOS 7.2 with Apache 2.4. Apologies if this isn't the right place to ask, and let me know if I should include more details. Thanks in advance.
I installed via setup.py and then checked the shibboleth folder; where is the settings.py file? There is one file named app_settings.
Hi,
0.11 is incompatible with Django 3.0+ due to the removal of django.utils.six, but the most recent fixes merged into master seem to address this. Any idea when we can expect an official 0.12 release available via PyPI? It's much easier to bundle into a requirements.txt file that way.
Thanks!
Shibboleth with httpd SSO setup integrated with Apex is returning to the login page after providing the credentials.
Could you please help with this?
Thanks for a great module. Is there a default way to call the shibboleth logout page or do I need to write my own template tag, similar to the login tag included in the module?
Thanks
Right now it looks like you have to subclass the backend class to have the backend not create Users automatically. Why not add a setting for this, to make it easier to change the functionality?
I've put the following in my settings.py file:
SHIBBOLETH_LOGOUT_URL = "https://school.edu/Shibboleth.sso/Logout?return=https://sso.school.edu/idp/logout.jsp"
But on logout I'm getting a type error: "not all arguments converted during string formatting" from line 77 of shibboleth/views.py
Have I set it up incorrectly?
Thanks
First: Thanks for this nice application!
May I ask: What are the reasons for checking the value of LOGOUT_SESSION_KEY in the session of the current user in the middleware?
The comment states that this is needed for logout to work. But in my tests, simply deleting the user session in the ShibbolethLogoutView seems to work as well and is cleaner in my opinion:
--- views.py.orig 2017-10-04 21:10:54.571524640 +0000
+++ views.py 2017-10-04 21:10:45.759517570 +0000
@@ -8,6 +8,7 @@
from django.shortcuts import redirect
from django.utils.decorators import method_decorator
from django.views.generic import TemplateView
+from django.contrib.sessions.models import Session
from urllib import quote
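Review bot: the added `from django.contrib.sessions.models import Session` import ties the view to the database session backend; with the cache, file or signed-cookie backends there is no Session row, so a delete through this model does nothing. `self.request.session.flush()` is backend-independent and would avoid the model import entirely.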
@@ -69,7 +70,8 @@
auth.logout(self.request)
#Set session key that middleware will use to force
#Shibboleth reauthentication.
- self.request.session[LOGOUT_SESSION_KEY] = True
+ #self.request.session[LOGOUT_SESSION_KEY] = True
+ Session.objects.filter(session_key=self.request.session.session_key).delete()
#Get target url in order of preference.
target = LOGOUT_REDIRECT_URL or\
quote(request.build_absolute_uri())
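Review bot: `auth.logout(self.request)`, two lines above the change, already calls `request.session.flush()`, which deletes the stored session and resets `session_key` to None, so `Session.objects.filter(session_key=self.request.session.session_key).delete()` matches nothing and the effective change is only that `LOGOUT_SESSION_KEY` is no longer set. Remove the line rather than leaving it commented out, and either rely on `auth.logout()` alone or call `self.request.session.flush()` explicitly so the intent is visible and survives a session-backend change.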
Am I missing something?
Would you accept a pull request for the change (of course a complete PR; this is only a proof of concept)?
Instead of:
default_shib_attributes = {
    "Shibboleth-eppn": (True, "username"),
}
how about:
default_shib_attributes = {
    "REMOTE_USER": (True, "username"),
}
The Apache mod_shib will of course set REMOTE_USER as that is the standard environment variable. In my case I did not see Shibboleth-eppn in my environment.
Trevor http://www.appazur.com
django.test.simple was removed in Django 1.8
Hello,
I'm trying to create a local development environment to update our Shibboleth application. We want to be able to run it locally without the need for a real SAML IdP.
In the app settings file, https://github.com/Brown-University-Library/django-shibboleth-remoteuser/blob/master/shibboleth/app_settings.py#L11-L12, there's a SHIB_MOCK_HEADERS variable that is documented to do exactly what we want. The only issue is that it doesn't seem to do anything (and isn't referenced anywhere else through the code base).
Is there something I'm missing?
Thanks
First of all, thank you for your work on this project. Much appreciated.
Is this project compatible with Shibboleth Service Provider version 3 (SP3)? Also, does the project make use of server variables as outlined in the SP3 Attribute Access documentation?
I had to revert back to Django 2.0.8, otherwise, the login never succeeds (even though there is a valid session). I haven't found any error/warning in the logs. Seems to be silently failing and going back to the anonymous user. Reverting back to 2.0.8, reloading apache and refreshing the page reloads the authenticated page.
I had configured everything, but getting an unknown url error after a successful login, while being redirected back to my protected page: 'Unknown AssertionConsumerServiceURL '
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/><samlp:StatusMessage>Unknown AssertionConsumerServiceURL https://mywebsite/Shibboleth.sso/SAML2/POST</samlp:StatusMessage></samlp:Status>
I found references to SAML2/POST in the C:\opt\shibboleth-sp\etc\shibboleth\protocols.xml, is this not supposed to be implemented by Shibboleth.sso intrinsically?
Not sure if I need to implement that or not... somehow. Any thoughts appreciated.
-thanks a lot!
I had trouble getting things working, but I fixed it by using the Django base class, django.contrib.auth.backends.RemoteUserBackend, instead of ShibbolethRemoteUserBackend.
ShibbolethRemoteUserBackend will not match existing users based only on the username. Instead, ALL attributes must match (e.g. First Name, Last Name... whatever you've configured):
user = User.objects.get(**shib_user_params)
I would have expected that you could provide attributes for populating new user records, but that you would use a primary key field only (e.g. username) for matching with existing users. For example, what if the application changed a name field after the user was created (or in my case, the account was created without using Shibboleth).
Trevor http://www.appazur.com
When I add a "login_required" decoration to my view, Shibboleth tells me that my request is stale. Anyone ever dealt with this?
Hi,
Some of our Shibboleth attributes contain accented characters (sn). They are incorrectly encoded when the corresponding user is created in the database.
Frédéric => Frédéric
What could be wrong in our configuration?
Thank you for your help.
Fred
We have also hit the issue detailed at:
rdmorganiser/rdmo#77
in a self-developed Django application. I could not find a better approach than the one outlined there, which requires an additional feature in this module (optionally urldecoding the fields).
@jochenklar has implemented this in:
rdmorganiser@e2f6cab
I'm not sure whether the code can be upstreamed, but I believe it would be of general use :-).
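An added example (not the module's code and not the rdmo change linked above) covering both the accented-character report and the URL-decoding workaround. It assumes the usual cause: PEP 3333 WSGI servers decode environ values as ISO-8859-1, so UTF-8 attribute values reach Django as mojibake; the helper re-encodes and decodes them, and the optional percent-decoding path reflects the rdmo approach for an SP configured to URL-encode attributes. All sample values are constructed.

```python
from urllib.parse import unquote


def repair_wsgi_latin1(value):
    """Recover text that was UTF-8 on the wire but decoded as ISO-8859-1.

    PEP 3333 requires WSGI servers to expose environ values as str decoded
    with ISO-8859-1, so the UTF-8 bytes of 'Frédéric' arrive as 'FrÃ©dÃ©ric'.
    Re-encoding with latin-1 yields the original bytes and decoding them as
    UTF-8 restores the text. Pure ASCII passes through both steps unaltered;
    a value that fails either step (for instance text that is already correct)
    is returned unchanged. Apply it only to values taken straight from the
    environ, since text that legitimately contains sequences such as 'Ã©'
    would be transformed too.
    """
    try:
        return value.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def decode_attribute(value, url_encoded=False):
    """Normalise one Shibboleth attribute value before it reaches the User model.

    url_encoded=True is the other workaround: when the SP percent-encodes
    attribute values, the environ value is pure ASCII and survives the latin-1
    step intact, so a single unquote() (which decodes %XX sequences as UTF-8)
    yields the correct text and the repair step leaves it alone.
    """
    if url_encoded:
        value = unquote(value)
    return repair_wsgi_latin1(value)
```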
Django 4.x has removed the url() method from django.conf.urls. The preferred replacement is django.urls.path():
https://docs.djangoproject.com/en/4.0/releases/4.0/#features-removed-in-4-0
I have set the LOGIN_URL to mydomain/Shibboleth.sso/Login
If I enter
mydomain/Shibboleth.sso/Login?target=redirectUrl
I am being redirected correctly. Judging from my browser history, the automatic link created by this package is
mydomain/Shibboleth.sso/Login?next=redirectUrl
Strangely enough, I can't find the bug in the code, so it might as well have another cause.
See documentation here https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionCreationParameters
This might be different for older versions of shibboleth.