I was wondering if there was a reason this package hasn't been made available on pypi. This is definitely the most convenient way to be able to download and install python packages. I would also imagine this would increase the discoverability of the package itself too.

The current DEBUG parameter doesn't work as expected, and won't create a log file if enabled.

Hi, I'm facing this error when login http://localhost/accounts/login/

This is my uls.py
from django.contrib import admin
from django.urls import path, include
import django_saml2_auth.views

urlpatterns = [
path('admin/', admin.site.urls),
path(r'saml2_auth/', include('django_saml2_auth.urls')),
path(r'accounts/login/', django_saml2_auth.views.signin),
path(r'admin/login/', django_saml2_auth.views.signin),
]

I have added keycloak url in my settings.py

'METADATA_AUTO_CONF_URL': 'https://localhost:8443/auth/realms/NOC/protocol/saml/descriptor',
Please help to fix this

Sorry, you are not allowed to access this app
To report a problem with your access please contact your system administrator
Error code: 1108
Reason: There was an error processing your request. There was no response from SAML client.

My SAML_AUTH configuration as below:
SAML2_AUTH = {
# Metadata is required, choose either remote url or local file path
'METADATA_AUTO_CONF_URL': 'https://dev-60303895.okta.com/app/exkdgtxgklmzYzqKq5d7/sso/saml/metadata',

# Optional settings below
'DEFAULT_NEXT_URL': '/admin',  # Custom target redirect URL after the user get logged in. Default to /admin if not set. This setting will be overwritten if you have parameter ?next= specificed in the login URL.
'CREATE_USER': True, # Create a new Django user when a new user logs in. Defaults to True.
'NEW_USER_PROFILE': {
    'USER_GROUPS': [],  # The default group name when a new user logs in
    'ACTIVE_STATUS': True,  # The default active status for new users
    'STAFF_STATUS': False,  # The staff status for new users
    'SUPERUSER_STATUS': False,  # The superuser status for new users
},
'ATTRIBUTES_MAP': {  # Change Email/UserName/FirstName/LastName to corresponding SAML2 userprofile attributes.
    'email': 'user.email',
    'username': 'user.username',
    'first_name': 'user.first_name',
    'last_name': 'user.last_name',
    'token': 'Token',  # Mandatory, can be unrequired if TOKEN_REQUIRED is False
},
'TRIGGER': {
    'CREATE_USER': 'path.to.your.new.user.hook.method',
    'BEFORE_LOGIN': 'path.to.your.login.hook.method',
},
'ASSERTION_URL': 'http://localhost', # Custom URL to validate incoming SAML requests against
'ENTITY_ID': 'http://localhost/saml2_auth/acs/', # Populates the Issuer element in authn request
'USE_JWT': True, # Set this to True if you are running a Single Page Application (SPA) with Django Rest Framework (DRF), and are using JWT authentication to authorize client users
'FRONTEND_URL': 'https://myfrontendclient.com', # Redirect URL for the client if you are using JWT auth with DRF. See explanation below
'LOGIN_CASE_SENSITIVE': True,  # whether of not to get the user in case_sentive mode
'AUTHN_REQUESTS_SIGNED': True, # Require each authentication request to be signed
'LOGOUT_REQUESTS_SIGNED': True,  # Require each logout request to be signed
'WANT_ASSERTIONS_SIGNED': True,  # Require each assertion to be signed
'WANT_RESPONSE_SIGNED': True,  # Require response to be signed
'ACCEPTED_TIME_DIFF': None,  # Accepted time difference between your server and the Identity Provider
'ALLOWED_REDIRECT_HOSTS': ["https://myfrontendclient.com"], # Allowed hosts to redirect to using the ?next parameter
'TOKEN_REQUIRED': True,  # Whether or not to require the token parameter in the SAML assertion

}

I have a Python-Django project and I'm trying to integrate with a C#/.NET existing website SAML authentication, using their idp.
I absolutely need to generate a metadata file to give to whoever manages the IdP (C#/.NET website) to implement SSO.
How can I implement it?

Currently if a group from the user_identity and a Group.DoesNotExist is thrown, then the group is skipped.

        groups = []

        for group_name in user["user_identity"][group_attribute]:
            # Group names can optionally be mapped to different names in Django
            if group_map and group_name in group_map:
                group_name_django = group_map[group_name]
            else:
                group_name_django = group_name

            try:
                groups.append(Group.objects.get(name=group_name_django))
            except Group.DoesNotExist:
                pass

It would be nice to have a setting 'CREATE_GROUPS': True, (similar to CREATE_USER) that instead would let us create the group and add it to the list:

        groups = []

        for group_name in user["user_identity"][group_attribute]:
            # Group names can optionally be mapped to different names in Django
            if group_map and group_name in group_map:
                group_name_django = group_map[group_name]
            else:
                group_name_django = group_name

            try:
                groups.append(Group.objects.get(name=group_name_django))
            except Group.DoesNotExist:
                should_create_new_groups = dictor(saml2_auth_settings, "CREATE_GROUPS", False)
                if should_create_new_groups:
                    groups.append(Group.objects.create(name=group_name_django))

I started using this library in local without any problem, everything work perfectly fine, but in my production env I use docker and ECS (AWS). And all my problem started here.. So I decided to used Docker in my local env and i get the same problem, did everyone get this bug ?

The only log i get from this: Internal Server Error: /saml2_auth/acs/

Here my SAML2 Config, which worked perfectly without docker

SAML2_AUTH = {
    # Metadata is required, choose either remote url or local file path
    "METADATA_AUTO_CONF_URL": "https://dev-123123123.okta.com/app/<app-id>/sso/saml/metadata",
    "DEBUG": True,
    # "METADATA_LOCAL_FILE_PATH": os.path.join(BASE_DIR + '/settings/', 'metadata.xml'),
    # Optional settings below
    "DEFAULT_NEXT_URL": "/",
    # Custom target redirect URL after the user get logged in. Default to /admin if not set. This setting will be overwritten if you have parameter ?next= specificed in the login URL.
    "CREATE_USER": "True",  # Create a new Django user when a new user logs in. Defaults to True.
    "NEW_USER_PROFILE": {
        "USER_GROUPS": [],  # The default group name when a new user logs in
        "ACTIVE_STATUS": True,  # The default active status for new users
        "STAFF_STATUS": False,  # The staff status for new users
        "SUPERUSER_STATUS": False,  # The superuser status for new users
    },
    "ATTRIBUTES_MAP": {  # Change Email/UserName/FirstName/LastName to corresponding SAML2 userprofile attributes.
        "email": "Email",
        "username": "UserName",
        "first_name": "FirstName",
        "last_name": "LastName",
    },
    "TOKEN_REQUIRED": False,
    # "TRIGGER": {
    #     # "CREATE_USER": "path.to.your.new.user.hook.method",
    #     "BEFORE_LOGIN": "path.to.your.login.hook.method",
    # },
    "ASSERTION_URL": "http://localhost:8000/saml2_auth/acs/",  # Custom URL to validate incoming SAML requests against
    "ENTITY_ID": "http://localhost:8000",  # Populates the Issuer element in authn request
    "NAME_ID_FORMAT": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",  # # Sets the Format property of authn
    # NameIDPolicy element
    "USE_JWT": False,  # Set this to True if you are running a Single Page Application (SPA) with Django Rest
}

Hope someone already get this problem, thanks in advance !

Hi, Im tryng to create a POC to try to use SAML to authenticate users in a Django project, but I'm blocked after receiving a SAML Response.

This is my current SAML2_AUTH:

SAML2_AUTH = {
    'DEBUG': True,
    'METADATA_AUTO_CONF_URL': 'https://redacted.com/Gsuite/GoogleIDPMetadata.xml',
    'ASSERTION_URL': 'https://127.0.0.1:8000',
    'ENTITY_ID': 'https://127.0.0.1:8000/saml2_auth/acs/',
    'DEFAULT_NEXT_URL': '/',
    'USE_JWT': True,
    'FRONTEND_URL': 'http://127.0.0.1:5173/',
    'AUTHN_REQUESTS_SIGNED': False,  # Require each authentication request to be signed
    'LOGOUT_REQUESTS_SIGNED': False,  # Require each logout request to be signed
    'WANT_ASSERTIONS_SIGNED': False,  # Require each assertion to be signed
    'WANT_RESPONSE_SIGNED': False,  # Require response to be signed
    'TOKEN_REQUIRED': False,
    'NAME_ID_FORMAT': '<urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress>'
}

And this is the response I'm getting:

<?xml 
version="1.0" 
encoding="UTF-8" 
standalone="no"?>
<saml2p:Response 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
    Destination="https://127.0.0.1:8000/saml2_auth/acs/" 
    ID="_2392de0148b141c290591d8e9e279eeb" 
    InResponseTo="id-6E7o8vsnlmwqeuJtd" 
    IssueInstant="2023-07-03T18:40:35.226Z" 
    Version="2.0">
    <saml2:Issuer 
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?
        idpid=C00xoo4uv
    </saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode 
            Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion 
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
        ID="_509f9b945285e09236ad9555ab4d8fd1" 
        IssueInstant="2023-07-03T18:40:35.226Z" 
        Version="2.0">
        <saml2:Issuer>https://accounts.google.com/o/saml2?
            idpid=C00xoo4uv
        </saml2:Issuer>
        <ds:Signature 
            xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod 
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod 
                    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference 
                    URI="#_509f9b945285e09236ad9555ab4d8fd1">
                    <ds:Transforms>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <ds:Transform 
                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transforms>
                    <ds:DigestMethod 
                        Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>ncYSkItwHYfojUZrTOhKovFq9XWdyeELoLexeQkE6/
                        Y=
                    </ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>dDPiJ+fMd/cZVQ47MBcKwvmxfpvpCtXg4r/bkk796HJ129aQKZ+
jMJlDlC/h4isX3jK1KSaqFusSiTG16z4aX9aiuRjsnP2Uw1sseoxljLwuA59NpXI7LZStnSdvWt1
2Xk9+YFQRi/
                mk0aA0CuwAbqBWHv8kMbg3jEzlQ==
            </ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509SubjectName>
                        ST=California,
                        C=US,
                        OU=Google For Work,
                        CN=Google,
                        L=Mountain View,
                        O=Google Inc.
                    </ds:X509SubjectName>
                    <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAWqx7+csMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEBIoEaOuX5YZVj0T8l8sSwlmDfY3NMKwK5PtpimHlklVAoy249d
tJE9gy6snxCvrRcJ7IQS0VhBM7X3aC6ZCAxibs7I9XRVUcZsbgqGpzR/NTSwTVCxLrBWjHvTH5
7ZBte+rQdbnJWBiZLaV+fVphyjOo7GPuPwmsMGzvNoYs</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID 
                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]
            </saml2:NameID>
            <saml2:SubjectConfirmation 
                Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData 
                    InResponseTo="id-6E7o8vsnlmwqeuJtd" 
                    NotOnOrAfter="2023-07-03T18:45:35.226Z" 
                    Recipient="https://127.0.0.1:8000/saml2_auth/acs/"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions 
            NotBefore="2023-07-03T18:35:35.226Z" 
            NotOnOrAfter="2023-07-03T18:45:35.226Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>https://127.0.0.1:8000/saml2_auth/acs/</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute 
                Name="Groups">
                <saml2:AttributeValue 
                    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                    xsi:type="xs:anyType">app_stats_access_full_test
                </saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AuthnStatement 
            AuthnInstant="2023-07-03T14:02:48.000Z" 
            SessionIndex="_509f9b945285e09236ad9555ab4d8fd1">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

My problem is that when I get redirected back to my app, the screen says:

Sorry, you are not allowed to access this app
To report a problem with your access please contact your system administrator

Error code: 1114

Reason: Username or email must be configured on the SAML app before logging in.

And the Django logs say:

 No username or email provided.

What am I doing wrong? I'm following this article (https://medium.com/cogito-engineering/enabling-sso-for-your-react-and-django-app-with-saml-2-0-754ef752acc1). The only difference in my case is that I'm using Google instead of Okta.

I'm noticing the token attribute in ATTRIBUTES_MAP is mandatory and an error is raised if it's not specified, why is that? What is it used for? I can't find it in django-saml2-auth, pysaml2 or Django...

Hi, thanks a lot for this library! I was wondering if there is any way of creating a user with my own function. I've seen that the function create_new_user creates the User with the code:

user = user_model.objects.create_user(email, first_name=firstname, last_name=lastname)

But my User model has attributes name and surname instead of first_name and last_name.

It'd be interesting to be able to provide our own function to create it. Is there a way rn? Thanks a lot!

Thank you so much for maintaining this project.
I'm not sure about if its the similar issue (#145)

I am using MS-AAD, for admin urls such as https://dns/admin/django_celery_beat/periodictask/, I enforce login first.
After login, next url is always assigned to default url as code over here.

next_url = request.session.get("login_next_url") or get_default_next_url()

After login, its POST request to acs where new session gets created so request.session.get("login_next_url") is always None.
However I observed that in such cases next_url is passed as relay_state.

So to keep existing behaviour and fix the problem, assigning next_url to relay_state if it's None

Please find PR, #164

When validating a metadata url here it's done by performing a GET request against the URL. This adds quite a bit of delay in the authentication process since if I have several metadata urls in my GET_METADATA_AUTO_CONF_URLS each of them will first be fetched by django-saml2-auth and then actually fetched by saml2.

Can this library work with multiple identity providers? If so, can it be more dynamic than hard coding the settings.py file which requires a restart of the django site to take effect? I'm trying to find something that would allow multiple organizations optionally use their IDP with my site by putting their required configs in the web ui.

By the way, thanks for the work on this fork. Very glad to see that there's an updated version supporting modern versions of django.

Are there some instructions on how to migrate from https://github.com/fangli/django-saml2-auth to this fork?

I'm trying to replace the fangli library with this one, but cannot see anything but a generic "Sorry, you are not allowed to access this app" error - no error code is specified. I'm using Duo as my SAML IdP.

I cannot get a log file to generate, despite enabling the DEBUG setting.

A stack trace shows this line as the last path before handling the exception.

How can I get more info to continue troubleshooting this problem?

I need the token from the CUSTOM_CREATE_JWT trigger and the CUSTOM_TOKEN_QUERY trigger to be the same. However, in the first trigger, I have the token with JTI "123", and in the CUSTOM_TOKEN_QUERY trigger, the token is "124".

Hi,

I just did an implementation using this repo and had a little confusion with the instructions to use /saml2_auth/acs that stuck around in the README from the fangli version. PR to update those references: #269

I would need to add path("acs/<int:customer_id>/", views.acs, name="acs") and then in acs view get configuration based on customer (company) ID.

@csrf_exempt
@exception_handler
def acs(request: HttpRequest, customer_id: int):
    company = Company.objects.get(pk=customer_id)
    saml2_auth_settings = {
        'METADATA_AUTO_CONF_URL': company.sso_metadata_url,
        'ASSERTION_URL': company.sso_assertion_url,
        'ENTITY_ID': company.sso_entity_id
        ...
    }

but in other methods, for example, in saml.py file, configuration is get from settings.SAML2_AUTH and I do not know how to adjust it. Any recommendations?

Hello,
I was wondering if the JWT used in the library is only the one created specifying the JWT properties in settings.SAML2_AUTH or there would be the possibility to use another manager for the JWT?

For instance, I am using DRF Simple JWT library linked to Django Rest Framework.

Whether this would be a new feature, how would you suggest to plug it in?

Thanks in advance.

There is no proper documentation that says multiple IDP's are supported. For ex: if we want to support google as IDP and amazon as another IDP, how do we configure both the metadata xml in django with this library?

Hello!
Is it there a way to specify certificate and key file or information?
Something like it is done within pysaml2:
https://pysaml2.readthedocs.io/en/latest/howto/config.html#cert-file

At the moment when the code execute saml_client = Saml2Client(config=sp_config):

then runs here:
https://github.com/IdentityPython/pysaml2/blob/155910dabffa0f60a2075be862f2cf8c31fad685/src/saml2/sigver.py#L1044

doesn't find the file and return sec_backend = None

Then, here gives error because of the above:
https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/pack.py#L194

Any advice?
Thank you very much.

Having spent many hours on this, I am asking for your help.
IDP is a wordpress site using a mini-Orange plugin for SSO SAML. User logs into this wordpress site, clicks a button, and is transferred via SSO to my django site where user is auto-logged in using django-saml2-auth.

This works fine with a signed Assertion/Request (with SAML2_AUTH.CERT_FILE pointed to the mini-Orange public key file and Encrypted Assertion not enabled.

However, when I enable Encrypted Assertion and provide mini-Orange my openSSL public key and point SAML2_AUTH.KEY_FILE to my private_key.pem, it seems that the decryption (and login) fails with Error Code 1110.

I have separately confirmed the private and public keys match by checking the modulus of each:
openssl rsa -noout -modulus -in private_key.pem | openssl sha256

final debug output is:
[2023-11-22 19:50:36,103] [DEBUG] [saml2.response.parse_assertion] Encrypted assertion/-s
[2023-11-22 19:50:36,104] [DEBUG] [saml2.response.parse_assertion] --- AVA: {}
[2023-11-22 19:50:36,104] [DEBUG] [django_saml2_auth.utils.handle_exception] No name_id in SAML response.

At this point, I am at a loss about what to do next to get Encrypted Assertion working. Any suggestions / help will be greatly appreciated.

'KEY_FILE': os.path.join(CERT_DIR, 'private_key.pem'),
'CERT_FILE': os.path.join(CERT_DIR, 'idp-signing.crt'),

# Require each authentication request to be signed
'AUTHN_REQUESTS_SIGNED': False,
# Require each assertion to be signed
'WANT_ASSERTIONS_SIGNED': True,
# Require response to be signed
'WANT_RESPONSE_SIGNED': False,
# Require each logout request to be signed
'LOGOUT_REQUESTS_SIGNED': False,
'TOKEN_REQUIRED': False,

I am currently running into limitations with the existing triggers in a scenario where a new user attempts to authentication via an IDP-initiated flow with multiple tenants/IDPs on the backend.

Details of my scenario:

• Account administrator sets up an SSO configuration for their app. We save the metadata for this configuration.
• A user on that team attempts to sign in via the IDP app. The user has not yet signed in and therefore has no account.
• The GET_USER_ID_FROM_SAML_RESPONSE cannot find a user since they do not exist.
• We're unable to pass a user_id to GET_METADATA_AUTO_CONF_URLS to pull the organization's specific metadata file.

One option would be to return a different ID (the team ID instead of the user ID) from the GET_USER_ID_FROM_SAML_RESPONSE call, then use that downstream, but it seems like this could have unintended side effects.

Is there a recommended approach for how to handle this situation? Should we consider adding another trigger type or even passing the SAML response into GET_METADATA_AUTO_CONF_URLS so it can pull the proper configuration file?

Let's say we have 3 different environments, dev, staging and production.

Each has a different URL:

dev.company.com
staging.company.com
company.com

Currently we have 3 different apps for each env. The goal is to only have one, and have the user select which one to use.

With AWS, its one app, and we select which account/role to auth to. For example: LINK

Is it possible to achieve the same result? The only difference would be the URL. Maybe the BEFORE_LOGIN hook is what would help here? It's like we need some sort of splash page beforehand.

In my workflow I need to pull some user info from the request and then use that in the GET_METADATA_AUTO_CONF_URLS trigger.

So when I call the acs or signin views I either need to pass in the user_id that I pulled previously, or change the trigger to allow me to pass in a request. Right now these flows pass in no user_id nor the ability to pull the user_id from the trigger.

I'm new to SAML though so perhaps I'm just missing something? My project needs to support multiple organizations using the same provider, which means storing different metadata urls for different users. I'm not seeing any way of doing that with the existing signin and acs views. I don't think my use case is particularly unique though, so I'm wondering how other people are provisioning the metadata currently.

More of a general question than an issue.

We have the implementation working, but this gives everyone superuser status by default:

'NEW_USER_PROFILE': {
    'ACTIVE_STATUS': True,
    'STAFF_STATUS': True,
    'SUPERUSER_STATUS': True,
}

If we wanted a second group of folks who would be staff, but not superusers, what's the best way to achieve this? I was thinking just creating two groups, but am not sure if cherry-picking permissions to assign to that group gives the same abilities as setting a user to staff/superuser.

Hi @mostafa,

I am having the same issue. I am having problem in configuring SAML2_AUTH. Can you please help me. Below are my SAML2_AUTH configuration. I am trying with FusionAuth IDP.

`SAML2_AUTH = {
# Metadata is required, choose either remote url or local file path
'METADATA_AUTO_CONF_URL': 'http://localhost:9011/samlv2/metadata/d7d09513-a3f5-401c-9685-34ab6c552453',
# 'METADATA_LOCAL_FILE_PATH': '[The metadata configuration file path]',
'KEY_FILE': '[The key file path]',
'CERT_FILE': '[The certificate file path]',

# If both `KEY_FILE` and `CERT_FILE` are provided, `ENCRYPTION_KEYPAIRS` will be added automatically. There is no need to provide it unless you wish to override the default value.
'ENCRYPTION_KEYPAIRS': [
    {
        "key_file": '[The key file path]',
        "cert_file": '[The certificate file path]',
    }
],

'DEBUG': False,  # Send debug information to a log file
# Optional logging configuration.
# By default, it won't log anything.
# The following configuration is an example of how to configure the logger,
# which can be used together with the DEBUG option above. Please note that
# the logger configuration follows the Python's logging configuration schema:
# https://docs.python.org/3/library/logging.config.html#logging-config-dictschema
'LOGGING': {
    'version': 1,
    'formatters': {
        'simple': {
            'format': '[%(asctime)s] [%(levelname)s] [%(name)s.%(funcName)s] %(message)s',
        },
    },
    'handlers': {
        'stdout': {
            'class': 'logging.StreamHandler',
            'stream': 'ext://sys.stdout',
            'level': 'DEBUG',
            'formatter': 'simple',
        },
    },
    'loggers': {
        'saml2': {
            'level': 'DEBUG'
        },
    },
    'root': {
        'level': 'DEBUG',
        'handlers': [
            'stdout',
        ],
    },
},

# Optional settings below
'DEFAULT_NEXT_URL': '/admin',
# Custom target redirect URL after the user get logged in. Default to /admin if not set. This setting will be overwritten if you have parameter ?next= specificed in the login URL.
'CREATE_USER': True,  # Create a new Django user when a new user logs in. Defaults to True.
'NEW_USER_PROFILE': {
    'USER_GROUPS': [],  # The default group name when a new user logs in
    'ACTIVE_STATUS': True,  # The default active status for new users
    'STAFF_STATUS': False,  # The staff status for new users
    'SUPERUSER_STATUS': False,  # The superuser status for new users
},
'ATTRIBUTES_MAP': {  # Change Email/UserName/FirstName/LastName to corresponding SAML2 userprofile attributes.
    'email': '[email protected]',
    'username': 'user.username',
    'first_name': 'user.first_name',
    'last_name': 'user.last_name',
    'token': 'Token',  # Mandatory, can be unrequired if TOKEN_REQUIRED is False
    'groups': 'Groups',  # Optional
},
'GROUPS_MAP': {  # Optionally allow mapping SAML2 Groups to Django Groups
    'SAML Group Name': 'Django Group Name',
},
'TRIGGER': {
    # Optional: needs to return a User Model instance or None
    'GET_USER': 'path.to.your.get.user.hook.method',
    'CREATE_USER': 'path.to.your.new.user.hook.method',
    'BEFORE_LOGIN': 'path.to.your.login.hook.method',
    'AFTER_LOGIN': 'path.to.your.after.login.hook.method',
    # Optional. This is executed right before METADATA_AUTO_CONF_URL.
    # For systems with many metadata files registered allows to narrow the search scope.
    'GET_USER_ID_FROM_SAML_RESPONSE': 'path.to.your.get.user.from.saml.hook.method',
    # This can override the METADATA_AUTO_CONF_URL to enumerate all existing metadata autoconf URLs
    'GET_METADATA_AUTO_CONF_URLS': 'path.to.your.get.metadata.conf.hook.method',
},
'ASSERTION_URL': 'http://localhost:9011/',  # Custom URL to validate incoming SAML requests against
'ENTITY_ID': 'http://localhost:9011/saml2_auth/acs/',  # Populates the Issuer element in authn request
# 'NAME_ID_FORMAT': user.email,  # Sets the Format property of authn NameIDPolicy element, e.g. 'user.email'
'USE_JWT': True,
# Set this to True if you are running a Single Page Application (SPA) with Django Rest Framework (DRF), and are using JWT authentication to authorize client users
'JWT_ALGORITHM': 'HS256',  # JWT algorithm to sign the message with
'JWT_SECRET': 'your.jwt.secret',  # JWT secret to sign the message with
'JWT_PRIVATE_KEY': '--- YOUR PRIVATE KEY ---',
# Private key to sign the message with. The algorithm should be set to RSA256 or a more secure alternative.
'JWT_PRIVATE_KEY_PASSPHRASE': 'your.passphrase',
# If your private key is encrypted, you might need to provide a passphrase for decryption
'JWT_PUBLIC_KEY': '--- YOUR PUBLIC KEY ---',  # Public key to decode the signed JWT token
'JWT_EXP': 60,  # JWT expiry time in seconds
'FRONTEND_URL': 'http://localhost:8000/',
# Redirect URL for the client if you are using JWT auth with DRF. See explanation below
'LOGIN_CASE_SENSITIVE': True,  # whether of not to get the user in case_sentive mode
'AUTHN_REQUESTS_SIGNED': True,  # Require each authentication request to be signed
'LOGOUT_REQUESTS_SIGNED': True,  # Require each logout request to be signed
'WANT_ASSERTIONS_SIGNED': True,  # Require each assertion to be signed
'WANT_RESPONSE_SIGNED': True,  # Require response to be signed
'ACCEPTED_TIME_DIFF': None,  # Accepted time difference between your server and the Identity Provider
'ALLOWED_REDIRECT_HOSTS': ["http://localhost:8000/"],
# Allowed hosts to redirect to using the ?next parameter
'TOKEN_REQUIRED': False,  # Whether or not to require the token parameter in the SAML assertion

}`

Originally posted by @PrabhuBose in #205 (comment)

Hi @mostafa,
thanks for support this library!

When i use SPA i want to generate token, but when i use web i want to navigate to the web home page.

In summary i want to switch ON if i login with Single Page Application (need Token redirect), switch OFF when i login from web (need login into django).

How can i do that?
Thanks!

Opening a new issue around the reports at the bottom of #25. The issues reported by all of those users is different than the issue the OP reported.

To summarize, with everything configured on the Okta/IdP side (signing turned on, etc.) and the METADATA_AUTO_CONF_URL set, the login process breaks when Pysaml tries to sign the request using xmlsec without a private key. The com_list in my case looks like

['/usr/local/bin/xmlsec1', '--sign', '--privkey-pem', None, '--id-attr:ID', 'urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest', '--node-id', 'id-DfHiSpJb952UZTS0G']

The last call is below -_runxmlsec in the Pysaml module. The exception generated by this mis-configuration is not an XmlsecError so it's uncaught.

https://github.com/IdentityPython/pysaml2/blob/4fa20a92a9d7fccc2ca34f1f6ad777cc0fd36ef7/src/saml2/sigver.py#L783

The actual error is
TypeError: sequence item 3: expected str instance, NoneType found error

And all I see in the log is

Internal Server Error: /accounts/login/
Internal Server Error: /accounts/login/

I have spent some tracking the code path and context at each step and don't see where the private key could possibly be populated from. That, along with the reports from other users on the same error leads me to believe that the package is broken at the moment. I don't have experience with the package however and would be happy to be proven wrong.

Hi, I have used your package to login sso with Okta IdP.
When call login from browser, it will direct to login page of Okta. After login, it will call to acs/ path. And raise an error [django_saml2_auth.utils.handle_exception] No username or email provided.
I have no idea for this problem. Please help me with that. Thank you so much!
This is my setting:
SAML2_AUTH = {
'DEFAULT_NEXT_URL': '/admin/', # after login, it will redirect to this URL.
'ENTITY_ID': "https://090e-14-176-231-159.ngrok-free.app/sso/acs/",
'NAME_ID_FORMAT': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'USE_JWT': False, # use JWT for info storage, can be True or False
'KEY_FILE': './private_key.pem',
'CERT_FILE': './public_certificate.pem',
'ENCODING': 'UTF-8',
'LOGIN_URL': [http:url/to/okta/login/],
'METADATA_AUTO_CONF_URL': [http:url/to/okta/metadata],
'ASSERTION_URL': 'https://090e-14-176-231-159.ngrok-free.app',
'ATTRIBUTES_MAP': {
# Change Email/UserName/FirstName/LastName to corresponding SAML2 userprofile attributes.
'email': 'user.email',
'username': 'user.username',
'first_name': 'user.first_name',
'last_name': 'user.last_name',
},
'CREATE_USER': True, # Create a new Django user when a new user logs in. Defaults to True.
'NEW_USER_PROFILE': {
'USER_GROUPS': [], # The default group name when a new user logs in
'ACTIVE_STATUS': True, # The default active status for new users
'STAFF_STATUS': False, # The staff status for new users
'SUPERUSER_STATUS': False, # The superuser status for new users
},
'LOGIN_CASE_SENSITIVE': True, # whether of not to get the user in case_sentive mode
'AUTHN_REQUESTS_SIGNED': True, # Require each authentication request to be signed
'WANT_ASSERTIONS_SIGNED': True, # Require each assertion to be signed
'WANT_RESPONSE_SIGNED': True, # Require response to be signed
'LOGGING': {
'version': 1,
'formatters': {
'simple': {
'format': '[%(asctime)s] [%(levelname)s] [%(name)s.%(funcName)s] %(message)s',
},
},
'handlers': {
'stdout': {
'class': 'logging.StreamHandler',
'stream': 'ext://sys.stdout',
'level': 'DEBUG',
'formatter': 'simple',
},
},
'loggers': {
'saml2': {
'level': 'DEBUG'
},
},
'root': {
'level': 'DEBUG',
'handlers': [
'stdout',
],
},
},
}

Hoping you can help - wondering if this is a config problem.

Request is formed:

<ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-3ZwAhtkpJ7Z6z7SBp" Version="2.0" IssueInstant="2023-01-19T13:45:36Z" Destination="https://wgbh.okta.com/app/wgbh_gbhannualreportsaml2_1/exk1qzsalqiXXNp7c0h8/sso/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://cms.local.wgbhdigital.org/sso/acs/"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://cms.local.wgbhdigital.org/saml2_auth/acs/</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><ns2:Reference URI="#id-3ZwAhtkpJ7Z6z7SBp"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><ns2:DigestValue /></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue /></ns2:Signature></ns0:AuthnRequest>

But then I get this error:
2023-01-19 08:45:36,205 django_saml2_auth.utils:158 DEBUG sequence item 3: expected str instance, NoneType found

I've tried a number of SAML configs, but thing seems to change this. Most recent is:

    SAML2_AUTH = {
        # Metadata is required, choose either remote url or local file path
        'METADATA_AUTO_CONF_URL': os.environ['SAML_METADATA_URL'],
        'METADATA_LOCAL_FILE_PATH': False,   

        'DEBUG': True,

        # Optional settings below
        'DEFAULT_NEXT_URL': '/admin',  # Custom target redirect URL after the user get logged in. Default to /admin if not set. This setting will be overwritten if you have parameter ?next= specificed in the login URL.
        'CREATE_USER': False,   # Create a new Django user when a new user logs in. Defaults to True.
        'NEW_USER_PROFILE': {
            'USER_GROUPS': [],  # The default group name when a new user logs in
            'ACTIVE_STATUS': True,  # The default active status for new users
            'STAFF_STATUS': True,  # The staff status for new users
            'SUPERUSER_STATUS': False,  # The superuser status for new users
        },
        'ATTRIBUTES_MAP': {  # Change Email/UserName/FirstName/LastName to corresponding SAML2 userprofile attributes.
            'email': MAP_SAML_EMAIL,
            'username': MAP_SAML_USERNAME,
            'first_name': MAP_SAML_FIRSTNAME,
            'last_name': MAP_SAML_LASTNAME,
        },
        'TRIGGER': {
            'CREATE_USER': None,
            'BEFORE_LOGIN': None,
            'GET_METADATA_AUTO_CONF_URLS': None
        },
        'ASSERTION_URL': None, # Custom URL to validate incoming SAML requests against
        'ENTITY_ID': f'https://{HOST_DOMAIN}/saml2_auth/acs/', # Populates the Issuer element in authn request
        'NAME_ID_FORMAT': None, # Sets the Format property of authn NameIDPolicy element
        'USE_JWT': False, # Set this to True if you are running a Single Page Application (SPA) with Django Rest Framework (DRF), and are using JWT authentication to authorize client users
        'FRONTEND_URL': None, # Redirect URL for the client if you are using JWT auth with DRF. See explanation below
        'LOGIN_CASE_SENSITIVE': True,  # whether of not to get the user in case_sentive mode
        'AUTHN_REQUESTS_SIGNED': True, # Require each authentication request to be signed
        'LOGOUT_REQUESTS_SIGNED': True,  # Require each logout request to be signed
        'WANT_ASSERTIONS_SIGNED': True,  # Require each assertion to be signed
        'WANT_RESPONSE_SIGNED': True,  # Require response to be signed
        'ACCEPTED_TIME_DIFF': None,  # Accepted time difference between your server and the Identity Provider
        'ALLOWED_REDIRECT_HOSTS': None, # Allowed hosts to redirect to using the ?next parameter
        'TOKEN_REQUIRED': False,  # Whether or not to require the token parameter in the SAML assertion
    }

Thanks for looking.

I've an app working just fine with IdP-initiated login. However, the app is behind a proxy and doesn't replay the POST request from the IdP. It simply issues a GET request for the same URL (domain.com/sso/acs) after authentication. This causes us to have to refresh twice, in order to authenticate with the proxy, and then go through the IdP process again.

To work around this, I figure if I can get the app to redirect to our IdP with a GET request, I'd be good. If I navigate to domain.com/sso/sp/, I seem to get denied. I've played around with the USE_JWT setting, but we don't use JWT for user authentication so I don't think this is the right path. The code for sp_initiated_login seems to require a token, so maybe JWT has to be used? Is there a way to check if you're logged in, and if not, redirect you to your IdP? I'm passing in a RelayState from our IdP in hopes of it redirecting me, but don't think that is right either.

We have forked this library with a few tweaks, wanted to run this by you on adding these to the main branch:

user.py

-def create_new_user(email: str, firstname: str, lastname: str) -> Type[Model]:
+def create_new_user(username: str, email: str, firstname: str, lastname: str) -> Type[Model]:

-        user = user_model.objects.create_user(email, first_name=firstname, last_name=lastname)
+        user = user_model.objects.create_user(username=username, email=email, first_name=firstname, last_name=lastname)

-            target_user = create_new_user(get_user_id(user), user["first_name"], user["last_name"])
+            target_user = create_new_user(user["username"], user["email"], user["first_name"], user["last_name"])

We were originally passing all 4 attributes, and the user was being created, but with a blank email field. Now we are only passing three (email, first, last) and inferring the username below:

saml.py

+    # Infer username from email
+    user["username"] = user["email"].split("@")[0]

To add the username attribute is a non-trivial task with our idP provider. Only one line in Python. Could make a INFER_USERNAME_FROM_EMAIL flag for use in the SAML2_AUTH map.

This is my first time working on a SAML integration and I'm a bit confused. We need to provide an sp metadata URL to our Idp and we can't figure it out. I'm running my django application locally.

In my urls.py, I have
import django_saml2_auth.views

and

urlpatterns = [
 re_path(r'^sso/', include('django_saml2_auth.urls')),
...
]

In settings, I have

INSTALLED_APPS = [
    '...',
    'django_saml2_auth',
]

And

SAML2_AUTH = {
    # Metadata is required, choose either remote url or local file path
    'METADATA_AUTO_CONF_URL': <Our URL>,
    'ENTITY_ID': 'http://django:8000/sso/sp',
}

When I go to any of the URLs (ex. /sso/sp), I get the permission denied page. We haven't set up the SAML integration with our provider yet because they need the sp metadata URL before they can set up things on their end. Can someone let me know where to find this URL? All the views in the app seem to require the SAML integration to already be set up.

Hello there,

I ran into a problem using the package with the following configuration:

• Custom user model
• USERNAME_FIELD set as 'email'

When a user does not exist, he is correctly created but after logout and logging back in, he is not found anymore. The packages tries to create it but as he already exists with the same username, it crashes.

The mail is never set in the create_new_user method even if USERNAME_FIELD is set as email. Check here

I have been able to patch this behaviour using the following TRIGGER.CREATE_USER :

def post_create_user(user_dict, *args, **kwargs):
    user_model = get_user_model()
    user_id = user_dict.get(user_model.USERNAME_FIELD)
    user = user_model.objects.get(username=user_id)
    user.email = user_id
    user.save()

Version 3.8.0 doesn't seem to be downloadable on my end. Error message below:

ERROR: Could not find a version that satisfies the requirement grafana-django-saml2-auth==3.8.0 (from -r /var/folders/mm/n8kv1v8d36n8hmhk82rtvvj40000gn/T/pipenv-7108zoit-requirements/pipenv-ezvkw52z-requirement.txt (line 1)) (from versions: 3.6.0, 3.7.0) ERROR: No matching distribution found for grafana-django-saml2-auth==3.8.0 (from -r /var/folders/mm/n8kv1v8d36n8hmhk82rtvvj40000gn/T/pipenv-7108zoit-requirements/pipenv-ezvkw52z-requirement.txt (line 1))

Pip still has 3.7.0 as latest: https://pypi.org/project/grafana-django-saml2-auth/

Specifically, I'd like to use the new TRIGGER.GET_USER_ID_FROM_SAML_RESPONSE feature!

Any ideas?

If an attribute name contains slashes (like they often do if they follow the claim uri format like e.g. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress") then this code fails since the slashes in the url are interpreted as dictor path separators.

Currently, the authentication backend passed to the django.contrib.auth.login method is hard-coded to "django.contrib.auth.backends.ModelBackend". This makes it impossible to use this library if you use any other authentication backend, e.g. a custom one. Since the django settings dict is already imported in views.py, one implementation method could be to replace the hard-coded line with

model_backend = dictor(
    settings,
    "AUTHENTICATION_BACKENDS.0",
    default="django.contrib.auth.backends.ModelBackend"
)

This will look at the current list of authentication backends defined in settings.py and return the first one from the list.

All my configuration works fine, except ?next=/path/ is not redirecting me to anywhere else rather than what I have configured as default next url /admin.

Any suggestions on this?

Thank you.

Based on this #25 (comment), it'd be better to have a mock SAML identity provider, so we can integration-test this library.

CC: @sgabb

Resources

• https://sso.tools/
• https://mocksaml.com/
• https://samltest.id/
• https://sptest.iamshowcase.com/
• https://github.com/kristophjunge/docker-test-saml-idp

Hi. I installed 3.11 and I'm still having the same problem as discussed in issue #25 (Certificate and Key File) that was fixed in 3.11. Here is the relevant part of the log file:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/django_saml2_auth/utils.py", line 185, in wrapper
    result = function(request)
  File "/usr/local/lib/python3.9/dist-packages/django_saml2_auth/views.py", line 276, in signin
    _, info = saml_client.prepare_for_authenticate(relay_state=next_url)  # type: ignore
  File "/usr/local/lib/python3.9/dist-packages/saml2/client.py", line 72, in prepare_for_authenticate
    reqid, negotiated_binding, info = self.prepare_for_negotiated_authenticate(
  File "/usr/local/lib/python3.9/dist-packages/saml2/client.py", line 150, in prepare_for_negotiated_authenticate
    reqid, request = self.create_authn_request(
  File "/usr/local/lib/python3.9/dist-packages/saml2/client_base.py", line 446, in create_authn_request
    msg = self._message(
  File "/usr/local/lib/python3.9/dist-packages/saml2/entity.py", line 588, in _message
    signed_req = self.sign(
  File "/usr/local/lib/python3.9/dist-packages/saml2/entity.py", line 524, in sign
    return signed_instance_factory(msg, self.sec, to_sign)
  File "/usr/local/lib/python3.9/dist-packages/saml2/sigver.py", line 331, in signed_instance_factory
    signed_xml = seccont.sign_statement(signed_xml, node_name=node_name, node_id=nodeid)
  File "/usr/local/lib/python3.9/dist-packages/saml2/sigver.py", line 1673, in sign_statement
    return self.crypto.sign_statement(
  File "/usr/local/lib/python3.9/dist-packages/saml2/sigver.py", line 779, in sign_statement
    (stdout, stderr, output) = self._run_xmlsec(com_list, [tmp.name])
  File "/usr/local/lib/python3.9/dist-packages/saml2/sigver.py", line 841, in _run_xmlsec
    logger.debug("xmlsec command: %s", " ".join(com_list))
TypeError: sequence item 3: expected str instance, NoneType found

Internal Server Error: /mailman3/accounts/login/

Hello,

I am using the django-saml2-auth with JWT to integrating to django-restframework. In my project I am using too djangorestframework-simplejwt. However, the jwt token generated after saml authentication in Azure AD is not validated in my API.

When I try to access some endpoint of my API:

{
  "status": "error",
  "code": 401,
  "data": null,
  "message": "Given token not valid for any token type"
}

Some points of my settings:

SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(days=1),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=2),
    'AUTH_HEADER_TYPES': ('Token',),
    'UPDATE_LAST_LOGIN': True,
    "TOKEN_OBTAIN_SERIALIZER": "myapi.token.serializer.CustomTokenObtainPairSerializer",
    "ALGORITHM": "HS256",
}

SAML2_AUTH = {
    'METADATA_LOCAL_FILE_PATH': '/app/static/PSAT-Core-Saml2.xml',

    'KEY_FILE': '/app/static/chave_privada.key',
    'CERT_FILE': '/app/static/certificado.crt',

    'DEBUG': True,
    'DEFAULT_NEXT_URL': '/api',

    'CREATE_USER': 'TRUE',
    'NEW_USER_PROFILE': {
        'USER_GROUPS': [],
        'ACTIVE_STATUS': True,
        'STAFF_STATUS': False,
        'SUPERUSER_STATUS': False,
    },
    'ATTRIBUTES_MAP': {
        'email': 'name',
        'username': 'name',
        'first_name': 'givenname',
        'last_name': 'surname',
    },

    'ASSERTION_URL': 'http://localhost:8000', # Custom URL to validate incoming SAML requests against
    'ENTITY_ID': 'http://localhost:8000/saml2_auth/acs/', # Populates the Issuer element in authn request
    'NAME_ID_FORMAT': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', # Sets the Format property of authn NameIDPolicy element
    'USE_JWT': True,
    'JWT_ALGORITHM': 'HS256',  # JWT algorithm to sign the message with
    'JWT_SECRET': 'your.jwt.secret',  # JWT secret to sign the message with
    'FRONTEND_URL': 'http://localhost:3000/login',
    'WANT_ASSERTIONS_SIGNED': True,
    'AUTHN_REQUESTS_SIGNED': True,
    'WANT_RESPONSE_SIGNED': True,
    'TOKEN_REQUIRED': False
}

I'm glad for any help.

When a user logs into my application from the Okta homepage, they are automatically taken to the default next url instead of their intended destination because the POST request to acs contains their redirect url as a RelayState instead of the "login_next_url" parameter. In the source code, I see that RelayState is sometimes used to pass a JWT, but if RelayState is a redirect url, acs ignores it. Can django-saml2-auth please support redirect urls by way of RelayStates?

(Solving this problem via customizing Okta's signin widget is unfortunately not an option for me.)
Thank you for continuing to maintain django-saml2-auth!

Hi, i'm trying to integrate SAML authentication in my Django 3.2 Project but i'm having a permission denied on /accounts/login/ Sorry, you are not allowed to access this app Error code: 1107 Reason: There was an error processing your request.

I've tried the package djangosaml2 from IdentityPython and it't worked great, I can login and logout with SAML authentication but with your plugin I can't even acces the login page.

Thanks in advanced.

urlpatterns = [
    # django saml auth grafana
    path(r'saml/', include('django_saml2_auth.urls')),
    path(r'accounts/login/', django_saml2_auth.views.signin),
]

SAML2_AUTH = {
    # Metadata is required, choose either remote url or local file path
    'METADATA_LOCAL_FILE_PATH': [os.path.join(BASE_DIR, 'mylocalfile.xml')],

    'DEBUG': True,  # Send debug information to a log file

    # Optional settings below
    'DEFAULT_NEXT_URL': '/admin',  # Custom target redirect URL after the user get logged in. Default to /admin if not set. This setting will be overwritten if you have parameter ?next= specificed in the login URL.
    'CREATE_USER': True,  # Create a new Django user when a new user logs in. Defaults to True.
    'ATTRIBUTES_MAP': {  # Change Email/UserName/FirstName/LastName to corresponding SAML2 userprofile attributes.
        'Email': 'email',
        'UserName': 'username',
        'FirstName': 'first_name',
        'LastName': 'last_name',
    },
    'ASSERTION_URL': 'https://company-name.com/saml/acs',  # Custom URL to validate incoming SAML requests against
    'ENTITY_ID': 'https://company-name.com/',  # Populates the Issuer element in authn request
    'AUTHN_REQUESTS_SIGNED': False, # Require each authentication request to be signed
    'LOGOUT_REQUESTS_SIGNED': False,  # Require each logout request to be signed
    'WANT_ASSERTIONS_SIGNED': False,  # Require each assertion to be signed
    'WANT_RESPONSE_SIGNED': False,  # Require response to be signed
}

I recently started working on SAML, through the previous answers I was able to successfully implement SAML auth, login via Active Directory IDP. But when I ran my code on a development server, I am getting error 1106.

Upon some debugging i have figured out that the reverse generation of acs url is the issue.
acs_url = domain + get_reverse([acs, "acs", "django_saml2_auth:acs"]) # type: ignore

But I am unable to understand why the behaviour changes between a local system and on a server.

My django project urls:
SAML URLs
path('sso/signin/', saml_views.signin),
path('sso/acs/', saml_views.acs),
path('api/v1/redirect/auth', saml_triggers.saml_auth_redirect, name='saml_auth_redirect')

Settings
These are my saml_settings and respective urls:

default_next_url = 'http://127.0.0.1:8003/api/v1/redirect/auth'
assertion_url = 'http://127.0.0.1:8003'
entity_id = 'http://127.0.0.1:8003/'
frontend_url = 'http://localhost:3000/auth/saml'

SAML2_AUTH = {
# Metadata is required, choose either remote url or local file path
'KEY_FILE': os.path.join(BASE_DIR, 'appraisal/views/'),
'CERT_FILE': os.path.join(BASE_DIR, 'appraisal/views/'),

'DEBUG': False,  # Send debug information to a log file

# Optional settings below
'DEFAULT_NEXT_URL': default_next_url,
'ATTRIBUTES_MAP': {  # Change Email/UserName/FirstName/LastName to corresponding SAML2 userprofile attributes.
    'email': 'emailAddress',   # currently fetching user from email
},
'GROUPS_MAP': {  # Optionally allow mapping SAML2 Groups to Django Groups
    'SAML Group Name': 'Django Group Name',
},
'TRIGGER': {
    # Optional: needs to return a User Model instance or None
    # Trigger paths removed they are working
    'GET_USER': 'trigger_path',
    'CUSTOM_CREATE_JWT': 'trigger_path',
    'CUSTOM_TOKEN_QUERY': 'trigger_path',
    'GET_METADATA_AUTO_CONF_URLS': 'trigger_path',
},
'ASSERTION_URL': assertion_url,  # Custom URL to validate incoming SAML requests against
'ENTITY_ID': entity_id,  # Populates the Issuer element in authn request
'NAME_ID_FORMAT': 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',  # Sets the Format property of authn NameIDPolicy element, e.g. 'user.email'
'USE_JWT': True,
# Set this to True if you are running a Single Page Application (SPA) with Django Rest Framework (DRF), and are using JWT authentication to authorize client users
'JWT_ALGORITHM': 'HS256',  # JWT algorithm to sign the message with
'FRONTEND_URL': frontend_url,  # Redirect URL for the client if you are using JWT auth with DRF. See explanation below
'LOGIN_CASE_SENSITIVE': True,  # whether of not to get the user in case_sensitive mode
'AUTHN_REQUESTS_SIGNED': True,  # Require each authentication request to be signed
'LOGOUT_REQUESTS_SIGNED': True,  # Require each logout request to be signed
'WANT_ASSERTIONS_SIGNED': True,  # Require each assertion to be signed
'WANT_RESPONSE_SIGNED': True,  # Require response to be signed
'ACCEPTED_TIME_DIFF': None,  # Accepted time difference between your server and the Identity Provider
'ALLOWED_REDIRECT_HOSTS': ['127.0.0.1:8003'],
'TOKEN_REQUIRED': False,

}

Summary

I apologize if this is a configuration issues, but after attempting to fix this for over a week and reading all the documentation I feel like there is an issue with 'WANT_RESPONSE_SIGNED': True, not actually taking affect. I have also tried removing 'WANT_RESPONSE_SIGNED': True, from the config as this library should default to wanting the SAML Response to be signed.

Background

To give a little bit of background, I have a Django app acting as the SP. Everything works with the SAML login, I browse to my Django app, get redirected to the IdP, enter in the SAML creds, get redirected to the Django app, and now have they attributes from the SAML account in Django. The IdP is sending an XML response properly signed via the metadata file, however I can "strip" that signiture from the SAML Request and the Django app happily grants me with a session ID.

Issue

This can allow an actor to "spoof" their SAML attributes causing the app to grant privileged escalation depending on the Django app.

Screenshots of SAML Raider

This request gets a valid sessionid with the Response being Signed from the IdP. This is expected behavior.

This request has the signature remove by pressing "Remove Signatures". As we can see we still get a valid sessionid. This is bad.

Framework

Python version : 3.9.16
Django version : 3.2.18
django-saml2-auth version : 3.9.0

SAML Config

SAML2_AUTH = {
    'METADATA_LOCAL_FILE_PATH': 'metadatadev.xml',
    'DEFAULT_NEXT_URL': '/',
    'CREATE_USER': True,
    "NEW_USER_PROFILE": {
        "USER_GROUPS": [],
        "ACTIVE_STATUS": True,
        "STAFF_STATUS": False,
        "SUPERUSER_STATUS": False
    },
    'ATTRIBUTES_MAP': {
        'email': 'email',
	'username': 'UserName',
	'first_name': 'FirstName',
        'last_name': 'LastName',
        #'token': 'Token',
    },

    'ENTITY_ID': 'example.net',

    'USE_JWT': False,
    'FRONTEND_URL': 'https://example.net',
    'LOGIN_CASE_SENSITIVE': False,
    'AUTHN_REQUESTS_SIGNED': True,
    'LOGOUT_REQUESTS_SIGNED': True,
    'WANT_ASSERTIONS_SIGNED': True,
    'WANT_RESPONSE_SIGNED': True,
    "ALLOWED_REDIRECT_HOSTS": ["https://app.example.com",
                               "https://api.example.com",
                               "https://example.com"],
    "TOKEN_REQUIRED": True
}

If anyone can help me with some guidance on how to fix this that would be awesome. I am thinking of trying to use the "raw" pysaml library but don't want to run into the same issue if this is something wrong with my app. Thanks for the help!

'ATTRIBUTES_MAP': { 
    'email': 'mail',
    'username': 'eduPersonPrincipalName',
    'first_name': 'givenName',
    'last_name': 'sn',
    'token': False,  # Mandatory, can be unrequired if TOKEN_REQUIRED is False
    'groups': 'Groups',  # Optional

In the settings.py file, it does not get the assignment of the email and username attributes correctly. We have tried to change and put our "mail" attribute in the first_name section that works and it correctly assigns the mail but in the "email" saml attribute you put the "mail" and it does not assign anything. The same goes for the "username" attribute.

Hi !

Out of the box, the package is very silent whenever issues happen.

It's not trivial to set logging correctly (it's not with native Django, and it's even less with possible not clearly defined interference between the native django settings.LOGGING and settings.DEBUG and their counterparts in settings.SAML2_AUTH).

In my case, after trying for over one hour to get output, I got rid of the exception handler and then only got a nice and clear trace indicating the exact issue (which was Cannot find ['xmlsec1']). From the issue tracker, it seem many people struggle in a similar way with uninformative error messages (Sorry, you are not allowed to access this app).

What about completely removing the exception handler when Django's settings.DEBUG=True, so that we get regular debug information ? Arguably even so when DEBUG=False, as I don't see a good reason for this package to provide some custom exception handling ?

Thanks !

For reference, here's a dirty monkey-patch to disable the exception handler (in your settings.py):

# monkey-patch out django_saml2_auth's exception handler to get proper traces
# https://github.com/grafana/django-saml2-auth/issues/275
if DEBUG:
    import django_saml2_auth.utils
    django_saml2_auth.utils.exception_handler = lambda func: func

The python environment on the server is 3.6 and django2.2. Is there a supported version?