18

I'm investigating the options for using Shibboleth in a Django deployment. From what I've found, things look somewhat sparse. Can anyone comment on the following?

  • Is anyone using the django_shibboleth module (see http://code.arcs.org.au/gitorious/django/django-shibboleth/trees/1.1)? If so, what experiences have you had with this module?

  • SAML 2 implementations for Django (e.g., django-saml2-sp) and Python in general (e.g., pysaml2) appear to be somewhat experimental and include little documentation. Does anyone know of stable SAML 2 solutions for Django/Python?

Thanks in advance for any help!

user1007116
  • What features do you need? Will you only ever authenticate against a single IdP, or do you need DS, WAYF, federation, artifact resolution, logout, and so on? – JimB Oct 21 '11 at 16:05
  • Excellent questions! This particular project will need DS, WAYF, etc. – user1007116 Oct 21 '11 at 22:13
  • Especially if you're going to be using more than the basic SAML features, I would stick with the first part of my answer, and agree with @hrnt. Incorporating the shibboleth native SP will be the most reliable route. – JimB Oct 24 '11 at 15:20
  • @JimB: Can I use this django module for multiple IdPs? I need to use Shibboleth for my django web site. What do you suggest, apache module or django module? My requirement is to use multiple IdPs. – Lahiruzz Aug 05 '13 at 04:55
  • @Lahiruzz: as I said in my answer, the django module requires apache mod_shib. You need to use both. – JimB Aug 05 '13 at 15:20
  • @JimB: Does this support multiple IdPs, and I need to know where I should store the different databases – Lahiruzz Aug 06 '13 at 04:30
  • @Lahiruzz: mod_shib has been the standard shib SP for years, and is really the canonical implementation of everything supported by shibboleth; meaning yes, you can use multiple IdPs, directly or via federation. I don't know what you mean by "different databases", but these comments aren't really the place for this conversation. – JimB Aug 06 '13 at 17:23
  • @JimB: this link http://code.arcs.org.au/gitorious/django/django-shibboleth/trees/1.1 does not work now, don't you have any useful tutorial link for django/shibboleth integration – Lahiruzz Aug 12 '13 at 04:17
  • @Lahiruzz: I think they moved the code. The link in my answer points to the current repo. – JimB Aug 12 '13 at 13:23

3 Answers

9

I would recommend using the Shibboleth Native SP (apache mod_shib). It's well tested, has a large user base, and is very stable.

I took a quick look at the django_shibboleth module, and it seems that it depends on mod_shib, and doesn't do any SAML on its own. In this respect, that module is very simple, and probably works well.

I haven't seen any complete (or mostly complete) python SAML2 implementations, and none that are an active project. The xml security and crypto requirements are a pain in python, and this likely contributes to the lack of libraries.

[EDIT - I'll recant part of that] The pysaml2 library has some development activity, and looks fairly complete from a cursory glance. It uses the xmlsec1 binary directly for signatures and encryption, and therefore doesn't rely on any outdated bindings. This is likely your best bet for using SAML2 directly in python at the moment.

tcmb
JimB
3

While I don't have experience with Django+Shibboleth, I have some with "plain" Shibboleth.

If your Apache has mod_shibboleth configured properly, then integrating it with a web app is relatively trivial. Check out the django_shibboleth module and you can see it does not contain that much code.

In particular, if you have mod_shibboleth already running, don't use a third-party SAML 2 library. Those bring a lot of unnecessary complexity.

hrnt
2

A django-shibboleth module is available which can be used to obtain attributes from an IdP and map them to users in the Django auth system. Most of the work is done by Shibboleth itself, with only a small amount of code required for the mapping.

The package is available from here.

linuxsoft.cern.ch/internal/repos/ai6-stable/x86_64/os/Packages/django-shibsso-0.1-1.noarch.rpm

or the source from here.

linuxsoft.cern.ch/internal/repos/ai6-stable/source/SRPMS/django-shibsso-0.1-1.src.rpm

Follow the Shibboleth instructions for setting up your local Shibboleth Service Provider (SP) for use with an IdP.

In the http.conf file or your own app configuration in conf.d, create the following entry.

<Location /shibboleth>
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
    require valid-user
</Location>

This should result in the URLs to /shibboleth being directed to the IdP login page. After successfully logging on, a 404 page will be returned.

Add the configuration, replacing app with the name of your app.

<Location "/">
    SetHandler mod_python
    PythonHandler django.core.handlers.modpython
    SetEnv DJANGO_SETTINGS_MODULE app.settings
    PythonDebug Off
</Location>

This should result in the following error after logging in via the /shibboleth URL: "The current URL, Shibboleth.sso/ADFS, didn't match any of these."

To solve this problem you need to add the following to the configuration.

<Location /Shibboleth.sso>
    SetHandler None
</Location>

/var/log/shibboleth/transaction.log should tell you what attributes are released.

user5122
  • Instead of setting `SetHandler None` on "/Shibboleth.sso", reordering how Apache loads modules can help as well. I bumped into a similar situation with mod_passenger + mod_shib2. For example, if mod_shib2 is loaded *after* mod_passenger then the "/Shibboleth.sso" location is handled by the Passenger app (which is not the desired behaviour). If mod_shib2 is loaded *before* mod_passenger, everything works as expected. – Tadas Sasnauskas Jan 05 '16 at 17:58
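Added example, not code from django_shibboleth, django-shibsso or any of the posters: the small attribute-to-user mapping that JimB's answer says these modules do on top of mod_shib, fed by the headers the `ShibUseHeaders On` configuration in the third answer exports. It is written as a plain WSGI-style function so it runs without Django or Apache; the header names (HTTP_EPPN, HTTP_MAIL, HTTP_AFFILIATION), the session-header name and the sample environ are assumptions, and the guards show why the headers are only trustworthy on a Location mod_shib actually protects.

```python
# Added example (not the django_shibboleth or django-shibsso code): mapping the
# attributes mod_shib exports as headers to a local user, without Django.
from dataclasses import dataclass, field
from typing import Dict, List


class AuthError(Exception):
    pass


@dataclass
class ShibUser:
    username: str
    email: str = ""
    affiliations: List[str] = field(default_factory=list)


def user_from_environ(environ: Dict[str, str]) -> ShibUser:
    """Build a user from mod_shib headers, refusing requests mod_shib did not handle.

    With "ShibUseHeaders On" the attributes arrive as ordinary request headers
    (HTTP_* keys). mod_shib clears those headers only on requests it handles,
    so on a path it does not protect a client could send them itself; hence
    the two guards before any header is trusted. Header names are assumptions
    (they come from attribute-map.xml on the SP).
    """
    if environ.get("AUTH_TYPE", "").lower() != "shibboleth":
        raise AuthError("request did not pass through mod_shib")
    if not environ.get("HTTP_SHIB_SESSION_ID"):
        raise AuthError("no Shibboleth session; is ShibRequireSession On?")
    username = environ.get("HTTP_EPPN", "")
    if not username:
        raise AuthError("IdP released no eppn; check transaction.log")
    # Shibboleth joins multi-valued attributes with ';' in a single header.
    affiliations = [a for a in environ.get("HTTP_AFFILIATION", "").split(";") if a]
    return ShibUser(username, environ.get("HTTP_MAIL", ""), affiliations)


# Stand-in for Django's user table: get-or-create keyed on the IdP identifier.
USERS: Dict[str, ShibUser] = {}


def get_or_create(environ: Dict[str, str]) -> ShibUser:
    user = user_from_environ(environ)
    return USERS.setdefault(user.username, user)


# Constructed sample of what Apache hands the app behind a protected Location.
SAMPLE_ENVIRON = {"AUTH_TYPE": "shibboleth", "HTTP_SHIB_SESSION_ID": "_f1e2d3",
                  "HTTP_EPPN": "jdoe@example.edu", "HTTP_MAIL": "jdoe@example.edu",
                  "HTTP_AFFILIATION": "member;staff"}

if __name__ == "__main__":
    print(get_or_create(SAMPLE_ENVIRON))
```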