Web2Py with LDAP and SAML : Is it worth it for Windows ?


Davidiam

Jul 24, 2019, 8:00:42 AM
to web2py-users
We have been trying to implement a web2py project on a Windows IIS server for the last few weeks and we are currently considering abandoning the project due to the absence of LDAP and SAML modules for Windows.

We are running python 3.7 with IIS 8.  We managed to get that configuration running pretty easily.  We then tried to integrate ldap.
python-ldap seems to depend on Openldap and from what we can see, doesn't work on Windows for Python 3.7.
Pyldap3 seems to work better, but would need to be integrated into the auth framework of Web2Py but the project decided to prefer SAML so the pyldap3 option was put on hold.

We started trying to implement SAML. Python-saml also seems to have been made for Linux but doesn't seem to work in Windows with Python 3.7.

We then tried Pysaml2, which installed without a problem, but we saw that we also needed xmlsec and then we started running into other errors and still have not managed to install the other modules needed like xmlsec (maybe due to our secure environment and firewall settings).

Question : Is it even possible to use SAML with Python 3.7 on Windows ??  We have lost already weeks on this and we don't want to lose more time if in the end it isn't possible.
Has anyone done this ?  How did you do it ?  If it is a lost cause I prefer knowing that now.

It basically looks like most modules needed were built for Linux and not for Windows, and for Python 2.7 and not for Python 3.X.

Your help or input will be greatly appreciated !!  Would especially appreciate any feedback from Massimo if he reads this.

Nico Zanferrari

Jul 24, 2019, 8:28:43 AM
to web...@googlegroups.com
Well,

for the binary build I also had these kinds of problems. I was finally able to install it by using the wheel (but I've not tested it):
"download the file python_ldap-3.1.0-cp37-cp37m-win_amd64.whl from https://www.lfd.uci.edu/~gohlke/pythonlibs/ and install it from that folder with the command 'pip install python_ldap-3.1.0-cp37-cp37m-win_amd64.whl'". 

I hope it helps somehow ;-)

Nico


Pbop

Jul 24, 2019, 6:42:05 PM
to web2py-users
Suggest you research Shibboleth as a SAML layer for your web2py app or if you choose to use another framework. You can use Shibboleth to protect a virtual folder to any SAML IDP. If the protected folder is your web2py app, SHIB does the authentication and your web2py app can use any of the identity attributes returned in the header to complete an SSO or registration workflow. We have successfully used Shib to connect to ADFS, Azure, Google, Shibboleth and custom IDPs. There is a lot to learn about SAML and Shib is extremely well documented.

Davidiam

Aug 1, 2019, 10:08:10 AM
to web2py-users
We are working on a Shibboleth implementation now. So far it is working better than the other tests we did on Windows.

We wanted to test it using a localhost Shibboleth sp and idp but it wasn't clear to us how we needed to configure it.

Thanks for the tip!

Massimo Di Pierro

Aug 18, 2019, 1:35:32 AM
to web2py-users
web2py or py4web? I could use some help getting it to work for py4web.

Pbop

Aug 19, 2019, 9:58:37 AM
to web2py-users
I am not familiar enough with how AUTH works but can offer a perspective that might help to the level you want AUTH to support AD or SAML2 SSOs. 

In both AD and SAML using the Shibboleth IIS Plug-in, you are in essence designating a protected folder on the IIS web-server to require authentication. In other words, if you land in that protected folder and are NOT authenticated, IIS presents to the user an IIS generated Challenge/Response screen to enter credentials for AD or sends you to the IDP server (which can be any SAML2 IDP such as Shibboleth, ADFS, Azure, Google, Okta... ) for authentication. In both cases once IIS determines you are authenticated (not the web-app), you ultimately are redirected back to the protected folder as an authenticated user. As an authenticated user, your browser header now has your login id in the header for AD and whatever identity attributes are released from the IDP server such as login id, email, employee number, full name, shoe size... The catch to SAML2 is the identity attributes can be whatever you agree to in the initial configuration.

My point is authentication is managed at the web-server and does not need to be in the web application. What does need to be in the web application, if AUTH is to be used, is some sort of mapping of the browser header variables to appropriate columns and extending the data model if additional identity attributes are needed once the user is authenticated. 

Perhaps I am oversimplifying! Hope this helps!
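The header-to-column mapping described in the post above, sketched as an added example that is not part of the original thread or of web2py. The header names, column names and the `map_identity` helper are assumptions (the real names depend on what the SP and IDP agree to release), and it assumes the app is reachable only through the protected folder, so the headers come from the web server and not from the client.

```python
# Added example. Header and column names are assumptions, not web2py or
# Shibboleth defaults; adjust them to the attributes your IDP releases.
ATTRIBUTE_MAP = {          # WSGI environ key -> auth table column
    "HTTP_EPPN": "username",
    "HTTP_MAIL": "email",
    "HTTP_GIVENNAME": "first_name",
    "HTTP_SN": "last_name",
}
REQUIRED = ("username", "email")

def split_values(raw):
    """Split a multi-valued attribute on ';', honouring the '\\;' escape."""
    values, current, i = [], "", 0
    while i < len(raw):
        if raw[i] == "\\" and raw[i + 1:i + 2] == ";":
            current += ";"
            i += 2
        elif raw[i] == ";":
            values.append(current)
            current = ""
            i += 1
        else:
            current += raw[i]
            i += 1
    values.append(current)
    return [v.strip() for v in values if v.strip()]

def map_identity(environ, attribute_map=ATTRIBUTE_MAP, required=REQUIRED):
    """Build an auth record from server-supplied headers.

    Empty headers count as absent; the first value of a multi-valued
    attribute is used. Raises ValueError if a required column is missing,
    so a request without a full identity is never logged in."""
    record = {}
    for key, column in attribute_map.items():
        values = split_values(environ.get(key, ""))
        if values:
            record[column] = values[0]
    missing = [c for c in required if c not in record]
    if missing:
        raise ValueError("missing identity attributes: " + ", ".join(missing))
    for column in ("username", "email"):   # normalise lookup keys
        if column in record:
            record[column] = record[column].lower()
    return record

# Constructed sample request environment (not captured from a real server).
SAMPLE_ENVIRON = {
    "HTTP_EPPN": "JDoe@Example.org",
    "HTTP_MAIL": "jdoe@example.org;j.doe@example.org",
    "HTTP_GIVENNAME": "",
    "HTTP_SN": "Doe",
}
```

The returned dictionary is what the application would use to look up or create the user row before treating the request as logged in.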

Davidiam

Oct 22, 2019, 7:34:53 AM
to web2py-users
Thank you.  In the meantime we have gotten Shibboleth working correctly and we have just added an auth login to the user method in the default controller for the app.
This way, users are automatically logged in as soon as any routine has they call a method requiring login or a group membership.

So far seems to be working well.  We are still ironing out some finer points of the implementation.

Kind Regards,
David

Mamisoa Andriantafika

Oct 27, 2019, 3:07:57 PM
to web...@googlegroups.com
Hi,

I'm working on it at the moment, i.e. Web2py <-> Shibboleth with Apache <-> 3rd party id provider.

Could you give me a hint on how you managed this to work between Web2Py and Shibboleth?

Mamisoa

Massimo Di Pierro

Oct 28, 2019, 12:24:07 AM
to web2py-users
I too could use more info about how to use web2py SAML with Shibboleth. In particular I would like some help testing py4web with Shibboleth to make sure it is compliant.