I'm trying to get a Django (python web framework) module put together
for authenticating Django users via SAML.
Since a) this list is the best source for SAML knowledge I know of,
and b) I'm building the SP side and the IDP is going to more than
likely be a simplesamlphp instance, I figured I'd ask my questions
here.
My first request would be for a very good piece of documentation on
what an SP needs to do to be able to communicate with SSP.
My second request is more or less a subset of the first: what
attributes need to be in authnrequest for simplesaml to accept it and
be able to respond?
~Justin
Implement the necessary parts of the SAML2 specs?
Preferably using an existing Service Provider (SP) implementation,
for Django that could be the Shibboleth SP or possibly simpleSAMLphp
plus mod_auth_memcookie[1].
There are also SAML toolkits in Python but I haven't used any of those
myself, e.g.:
https://launchpad.net/pysaml2
http://code.google.com/p/python-saml2/
Also http://zxid.org/ includes Python bindings (via SWIG), IIRC.
> My second request is more or less a subset of the first: what
> attributes need to be in authnrequest for simplesaml to accept it and
> be able to respond?
Maybe look at
http://en.wikipedia.org/wiki/SAML_2.0#Authentication_Request_Protocol
or the SAML2 specs. Or register an account at e.g. openidp.feide.no
and use one of the publicly available SPs (e.g. foodle.feide.no) and
see what simpleSAMLphp itself generates.
cheers,
-peter
[1] http://rnd.feide.no/content/simplesamlphp-advanced-features
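As an added example (not code from the original thread, and not pysaml2 or python-saml2), this is the minimal AuthnRequest the question above asks about, built with the standard library and packed for the HTTP-Redirect binding the way simpleSAMLphp's own SP sends it. The entity IDs and URLs are hypothetical placeholders; a real IdP additionally needs the SP's metadata (entityID and AssertionConsumerService URL) registered on its side, since it matches the request's Issuer against that.

```python
import base64
import datetime
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Hypothetical endpoints, standing in for values taken from real SP and IdP metadata.
SP_ENTITY_ID = "https://sp.example.org/saml2/metadata"
SP_ACS_URL = "https://sp.example.org/saml2/acs"
IDP_SSO_URL = "https://idp.example.org/simplesaml/saml2/idp/SSOService.php"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now=None):
    """Return (request_id, xml) for a minimal unsigned AuthnRequest.

    The SP must remember request_id (e.g. in the Django session) so the
    Response's InResponseTo can be checked later; that is what stops a
    captured Response from being replayed into a fresh session.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    request_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,          # the IdP compares this with its own URL
        "ProtocolBinding": HTTP_POST,        # how we want the Response delivered
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": TRANSIENT, "AllowCreate": "true"})
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_sso_url, xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + sep + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """Inverse of redirect_binding_url, handy for checking what actually went on the wire."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode("utf-8")


if __name__ == "__main__":
    rid, xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    print(xml)
    print(redirect_binding_url(IDP_SSO_URL, xml, relay_state="/after-login/"))
```

If the IdP metadata says requests must be signed, the HTTP-Redirect signature goes over the query string (SigAlg and Signature parameters) rather than inside the XML, which is why it is not shown here; decode_redirect_request is only a debugging aid for comparing your output with what simpleSAMLphp's SP emits.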
I've heard through the grapevine that Roland Hedberg has implemented
a python/SAML package....
> There are also SAML toolkits in Python but I haven't used any of those
> myself, e.g.:
> https://launchpad.net/pysaml2
> http://code.google.com/p/python-saml2/
> Also http://zxid.org/ includes Python bindings (via SWIG), IIRC.
Yeah, Python-saml2 seems the most complete of the first two, and I had
planned to use that to generate the XML for me (I abhor XML).
>
>> My second request is more or less a subset of the first: what
>> attributes need to be in authnrequest for simplesaml to accept it and
>> be able to respond?
>
> Maybe look at
> http://en.wikipedia.org/wiki/SAML_2.0#Authentication_Request_Protocol
> or the SAML2 specs. Or register an account at e.g. openidp.feide.no
> and use one of the publicly available SPs (e.g. foodle.feide.no) and
> see what simpleSAMLphp itself generates.
>
How did I miss that wikipedia entry.... Thanks. =)
~Justin
Yeah, I have a python/SAML package that I'll be using (Not sure if
it's his) but they only generate the XML for you. I have to do the
rest of the process myself.
I think I'll be cannibalising SimpleSamlPHP to work out the actual process.
~Justin
If your goal is to duplicate the simpleSAMLphp SP processing, I think
you should look at «modules/saml2/lib/Message.php», which implements
most of the logic for sending authentication requests and parsing
responses. I.e.:
- buildAuthnRequest
- processResponse
Also, you shouldn't forget logout:
- buildLogoutRequest (+ setting the NameID in the logout request,
handled by the caller of buildLogoutRequest.)
- buildLogoutResponse
Processing of received messages is done by
«modules/saml/www/sp/saml2-logout.php».
These functions do more processing than required if you only target
supporting simpleSAMLphp IdP. E.g. you are unlikely to receive
encrypted NameID from simpleSAMLphp. Same for encrypted assertions.
Signing of logout messages is another example. (Though both encrypted
assertions and signed logout messages can be enabled on the IdP.)
--
Olav Morken
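The processResponse side of what Olav describes, as an added example that is not code from the thread and not simpleSAMLphp's Message.php: the checks an SP has to make on a Response before it believes the NameID and attributes. The sample Response, the entity IDs, the ACS URL and the clock value are constructed for the example. Signature verification is deliberately left to the caller (it needs an XML-DSig library such as xmlsec), and, matching Olav's remark, encrypted assertions and encrypted NameIDs are rejected rather than handled.

```python
import datetime
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
UTC = datetime.timezone.utc


def parse_instant(value):
    """Parse a SAML xs:dateTime given in UTC ("...Z"), with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.datetime.strptime(value, fmt).replace(tzinfo=UTC)


def process_response(xml_text, *, expected_request_id, idp_entity_id, sp_entity_id,
                     acs_url, now, skew=datetime.timedelta(seconds=60)):
    """Check a plain (unsigned, unencrypted) samlp:Response; return NameID and attributes.
    Raises ValueError on the first failed check. The XML signature is NOT verified here:
    do that first, against the certificate in the IdP's metadata (e.g. with xmlsec)."""
    root = ET.fromstring(xml_text)  # use defusedxml.ElementTree on untrusted input
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("Destination is not our AssertionConsumerService URL")
    code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find(SAML + "Assertion")
    if assertion is None:
        if root.find(SAML + "EncryptedAssertion") is not None:
            raise ValueError("EncryptedAssertion is not handled by this example")
        raise ValueError("Response carries no Assertion")
    if assertion.findtext(SAML + "Issuer") != idp_entity_id:
        raise ValueError("Assertion was not issued by the expected IdP")
    cond = assertion.find(SAML + "Conditions")
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if "NotBefore" in cond.attrib and now + skew < parse_instant(cond.get("NotBefore")):
        raise ValueError("Assertion is not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion has expired")
    if sp_entity_id not in [a.text for a in cond.iter(SAML + "Audience")]:
        raise ValueError("our entityID is not in the AudienceRestriction")
    subject = assertion.find(SAML + "Subject")
    name_id = subject.find(SAML + "NameID") if subject is not None else None
    if name_id is None:
        raise ValueError("no plain NameID in Subject (EncryptedID is not handled here)")
    sc = subject.find(SAML + "SubjectConfirmation")
    scd = sc.find(SAML + "SubjectConfirmationData") if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        raise ValueError("no bearer SubjectConfirmation with SubjectConfirmationData")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData is not for this SP and request")
    if scd.get("NotOnOrAfter") is None or now - skew >= parse_instant(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation has expired")
    attrs = {}
    for attr in assertion.iter(SAML + "Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(SAML + "AttributeValue")]
    return {"name_id": name_id.text, "attributes": attrs}


# Constructed sample, not a capture from a real IdP: a successful Response to
# AuthnRequest "_abc123", shown after its ds:Signature has been verified and removed.
SAMPLE_NOW = datetime.datetime(2009, 12, 18, 12, 0, 30, tzinfo=UTC)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2009-12-18T12:00:00Z" InResponseTo="_abc123"
    Destination="https://sp.example.org/saml2/acs">
  <saml:Issuer>https://idp.example.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-12-18T12:00:00Z">
    <saml:Issuer>https://idp.example.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a9c</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2009-12-18T12:05:00Z"
            Recipient="https://sp.example.org/saml2/acs" InResponseTo="_abc123"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-12-18T11:59:00Z" NotOnOrAfter="2009-12-18T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml2/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>justin</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_ARGS = dict(expected_request_id="_abc123",
                   idp_entity_id="https://idp.example.org/simplesaml/saml2/idp/metadata.php",
                   sp_entity_id="https://sp.example.org/saml2/metadata",
                   acs_url="https://sp.example.org/saml2/acs", now=SAMPLE_NOW)

if __name__ == "__main__":
    print(process_response(SAMPLE_RESPONSE, **SAMPLE_ARGS))
```

The order matters less than the completeness: InResponseTo ties the Response to a request this SP actually sent, Audience and Recipient tie it to this SP, and the NotOnOrAfter checks bound how long a stolen Response stays useful. The expected_request_id should be popped from the session on use so the same Response cannot be presented twice.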
Thanks for the reference. Now I know where to start! =)
The goal isn't exactly to duplicate simpleSAMLphp, however it's a
pretty good place to start, given that the IdP i'll be authenticating
against (initially, at least) is a simpleSAMLphp IdP.
>
> Also, you shouldn't forget logout:
> - buildLogoutRequest (+ setting the NameID in the logout request,
> handled by the caller of buildLogoutRequest.)
> - buildLogoutResponse
> Processing of received messages is done by
> «modules/saml/www/sp/saml2-logout.php».
>
> These functions do more processing than required if you only target
> supporting simpleSAMLphp IdP. E.g. you are unlikely to receive
> encrypted NameID from simpleSAMLphp. Same for encrypted assertions.
> Signing of logout messages is another example. (Though both encrypted
> assertions and signed logout messages can be enabled on the IdP.)
Initially just simple stuff, but I will probably want to implement the
more advanced bits and pieces later on.
Thanks heaps =)
~Justin
Justin Steward wrote:
|> These functions do more processing than required if you only target
|> supporting simpleSAMLphp IdP. E.g. you are unlikely to receive
|> encrypted NameID from simpleSAMLphp. Same for encrypted assertions.
|> Signing of logout messages is another example. (Though both encrypted
|> assertions and signed logout messages can be enabled on the IdP.)
|
| Initially just simple stuff, but I will probably want to implement the
| more advanced bits and pieces later on.
Hold on! I think you can be reinventing some wheels.
Roland has implemented a full SP and IdP in Python based on the work
published in google code. The author of that code is no longer maintaining
it as he has newer interests (like a newborn child ;) ).
As far as I know, Roland's SP is fully working and the people from Yaco in
Spain, who are contributors to the Django core, are working on integrating
Roland's code into Django, so there will be a native SAML2 authenticator
middleware in Django.
You might like to join pys...@uma.es mailing list and join forces with the
team. I should be contributing myself but I'm trying to stay away from
computers till the start of the new year (let's call it a vacational cure ;) )
The people in the list have even produced a toy Django project (fedjango),
that acts as an SP connected to a SimpleSAMLphp IdP. You can find it here:
http://bazaar.launchpad.net/~lgs/pysaml2/main/files/head%3A/src/djangosaml2/
--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN
> You might like to join pys...@uma.es mailing list and join forces with the
> team. I should be contributing myself but I'm trying to stay away from
> computers till the start of the new year (let's call it a vacational cure ;) )
>
Instructions on joining that list?
> The people in the list have even produced a toy Django project (fedjango),
> that acts as an SP connected to a SimpleSAMLphp IdP. You can find it here:
> http://bazaar.launchpad.net/~lgs/pysaml2/main/files/head%3A/src/djangosaml2/
Thanks for the link! =)
~Justin
Justin Steward wrote:
| Instructions on joining that list?
Go to http://delfos.sci.uma.es/mailman/listinfo/pysaml2
and fill in the form
| Thanks for the link! =)
Just proselytising ;) :)
--
Victoriano Giralt
Systems Manager
Central ICT Services
University of Malaga
SPAIN