fangli / django-saml2-auth Goto Github PK

Thank you for the awesome lib , I can using the lib to do the authentication for saml2 .

But is there any ways to do the slo server to single logout ?

We discovered recently while experimenting that a site using django-saml2-auth to authenticate against Okta is vulnerable to an open redirect vulnerability. For example, a maliciously crafted URL like https://safe.site/accounts/login_okta?next=//evil.site will redirect the user to Okta for authentication, which will then redirect them to evil.site after they successfully authenticate. The evil site operator can then engage in a phishing attack, or even take advantage of the user's safe.site credentials to compromise the original site.

PR #17 was filed to address this issue.

getting this error:

Whats wrong with the url definitions?
Followed instructions:

from django.conf.urls import include, url
from django.contrib import admin
import django_saml2_auth.views

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^saml2_auth/', include('django_saml2_auth.urls')),
    url(r'^accounts/login/$', django_saml2_auth.views.signin),
    url(r'^admin/login/$', django_saml2_auth.views.signin),
]

Am i missing something obvious?

I am using django 1.11 and getting import error,

importError: cannot import name patterns

Can someone please help me with this.

I'm currently in a situation where I'd rather not create a new Django user if one can't be found. To me, this mimics the idea that the user is authenticated, but not authorized to use the application.

I would be glad to add this setting if others thought it was useful as well. It's a pretty small code change.

Not sure if this is an issue with the app, but maybe you might have insight to my issue.
I posted a question in Stack Overflow.

Is it possible to implement this functionality as an authentication backend, instead of being built directly into views? I would like to use this in conjunction with other authentication packages, such as django-rest-auth, but the current structure of this project makes that very difficult.

Also, I would like to utilize django-rest-framework-jwt as an alternative authentication method, but again, that's difficult with this.

is there any more comprehensive guides?
I am having a lot of issues with this.

setup exactly how the README says.
When testing on my local runserver I get the redirect to ookta login then on the redirect it goes in an infinite loop on firefox with:

clicking continue just reloads and pops up again

Looking at the django log it is constantly looping:

Starting development server at http://0.0.0.0:8006/
Quit the server with CONTROL-C.
[10/Jan/2019 14:02:29] "GET / HTTP/1.1" 302 0
[10/Jan/2019 14:02:30] "GET /accounts/login/?next=/ HTTP/1.1" 302 0
[10/Jan/2019 14:02:32] "POST /saml2_auth/acs/ HTTP/1.1" 302 0
[10/Jan/2019 14:02:33] "GET /accounts/login/?next=/saml2_auth/acs/ HTTP/1.1" 302 0
[10/Jan/2019 14:02:34] "POST /saml2_auth/acs/ HTTP/1.1" 302 0
[10/Jan/2019 14:02:34] "GET /accounts/login/?next=/saml2_auth/acs/ HTTP/1.1" 302 0
[10/Jan/2019 14:02:36] "POST /saml2_auth/acs/ HTTP/1.1" 302 0
[10/Jan/2019 14:02:36] "GET /accounts/login/?next=/saml2_auth/acs/ HTTP/1.1" 302 0

On ookta side:

Had to dig through issues to see that i should configure allow request to other SSos.
And it still doesn't work.

Also authentication backend is default:

AUTHENTICATION_BACKENDS = (                                                                                             
'django.contrib.auth.backends.ModelBackend',
)

I followed all the instruction but their is error with following AttributeError: module 'django_saml2_auth' has no attribute 'urls'.

code !!

from django.contrib import admin
from django.urls import path,include
from . import views
import django_saml2_auth.views

urlpatterns = [
path('', views.login , name='index'),
path('admin/', admin.site.urls),
path('accounts/login/', views.login ),
path('success', views.loggedin),
path('sso_auth/', include(django_saml2_auth.urls)),
]

I just want to know where to pass the .cert file or public key in your plugin.

File "/usr/local/lib/python3.6/site-packages/django_saml2_auth/views.py", line 49, in get_reverse
from django.core.urlresolvers import reverse
ModuleNotFoundError: No module named 'django.core.urlresolvers'

Looks like views.py line #49 should be updated
from:
from django.core.urlresolvers import reverse
to:
from django.urls import reverse

due to code deprecation

When using G-Suite as Identity provider, i get the following 400 error:

Error parsing the request, invalid_sp_id: The <Issuer> element MUST be present in <AuthnRequest> element.

Will this plugin support django 1.11.3?

I am using this plugin for my django application for Okta integration. However I am unable to use it as my metadata url is also authenticated by session which is present in browser but not in my app. Please provide a method so that I can download the contents of metadata url in a xml file and provide path for same in settings instead of url.

Hello i try to use this plugin with okta, when run my app i get the followin error
Internal Server Error: /saml2_auth/acs/
KeyError: 'Email'

I'm trying to setup G-Suite SAML authentication, during the setup process, G-Suite is asking for the ACS url and entity ID, both are required. From reading the README it says that identiy id would be "http://your-domain/saml2_auth/acs/" so what would the ACS url be?

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.7/site-packages/django/core/handlers/base.py", line 126, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.7/site-packages/django/core/handlers/base.py", line 124, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.7/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/registry_library/src/django-saml2-auth/django_saml2_auth/views.py", line 160, in acs
    resp, entity.BINDING_HTTP_POST)
  File "/usr/local/lib/python3.7/site-packages/saml2/client_base.py", line 679, in parse_authn_request_response
    if not getattr(self.config, 'entityid', None):
saml2.SAMLError: Missing entity_id specification

I've had to pin my requireemnts to install from master for this project.
But I've also had to pin my requirements for pysaml2 to 4.5.0 cause a release in pysaml2 checks for the existance of the entityid in the pysaml config. When we instantiate the saml client here I think we need to pass in a config object.

cause later in the pysaml2 lib here we are checking for the existance of an attribute config.

I am trying to figure out what's going on in this application and it's kind of impossible cause there's 0 logging.

It would be great if you could enable some logging so I can read the debug logs, and as such hopfully figure out why the CSRF token is failing.
#30

My concern is how we can handle these kind of errors while implementing Azure Active Directory as Identity Provider.

Line no 127, views.py:

authn_response = saml_client.parse_authn_request_response(
resp, entity.BINDING_HTTP_POST)
if authn_response is None:
return HttpResponseRedirect(get_reverse([denied, 'denied', 'django_saml2_auth:denied']))

I am getting None value for this authn_response variable, so my website redirecting to denied page.

I am helpless for this

Trying to access an Active Directory SAML IDP and they are unable to process my request. According to the IDP staff the problem is with the following line in the Request:

<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

They want it to be:
<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

or possibly removed from the request altogether as it is not an attribute they have ever used before. I am having to trust their word as this is my first SAML project and while it worked with Okta, it is erroring on their server.

It can be configured as Service Provider for ADFS 2.0, which operates as Identity Provider?

I received this error when trying to integrate with Okta. I looked at other issues opened, and I do have the url(r'^saml2_auth/', include('django_saml2_auth.urls')), line at the top of my URL patterns, but still have the issue.

Several deprecation warnings appear when running with Django 1.9, as shown below, which need to be handled in order to support Django 1.10.

/.../lib/python3.4/site-packages/django_saml2_auth/urls.py:8: RemovedInDjango110Warning: Support for string view arguments to url() is deprecated and will be removed in Django 1.10 (got acs). Pass the callable instead.
url(r'^acs/$', "acs", name="acs"),

/.../lib/python3.4/site-packages/django_saml2_auth/urls.py:9: RemovedInDjango110Warning: Support for string view arguments to url() is deprecated and will be removed in Django 1.10 (got welcome). Pass the callable instead.
url(r'^welcome/$', "welcome", name="welcome"),

/.../lib/python3.4/site-packages/django_saml2_auth/urls.py:10: RemovedInDjango110Warning: Support for string view arguments to url() is deprecated and will be removed in Django 1.10 (got denied). Pass the callable instead.
url(r'^denied/$', "denied", name="denied"),

/.../lib/python3.4/site-packages/django_saml2_auth/urls.py:10: RemovedInDjango110Warning: django.conf.urls.patterns() is deprecated and will be removed in Django 1.10. Update your urlpatterns to be a list of django.conf.urls.url() instances instead.
url(r'^denied/$', "denied", name="denied"),

Hello.

I'm trying to setup SAML Authentication using a KeyCloak server, I've setup the django app like this :

SAML2_AUTH = {
    # Required setting
    'METADATA_AUTO_CONF_URL': 'https://xxx.xxx.net/auth/realms/xxx/protocol/saml/descriptor',
}

But so far

All the pages related to SAML (/saml2_auth/..., /admin/login/) are returning :

SigverError at /admin/login/
Can't find ['xmlsec1']

And I don't see any incoming request fetching the SAML metadata

What could be the cause ?

Thanks

Hi Fang,
I was excited to find your github for Okta w/ django. I ran into an issue though.

NoReverseMatch at /accounts/login/
u'admin' is not a registered namespace
Request Method: GET
Request URL: http://127.0.0.1:8000/accounts/login/
Django Version: 1.9.5
Exception Type: NoReverseMatch
Exception Value:
u'admin' is not a registered namespace
Exception Location: /Users/mrose/Dropbox/dev/samlauth/venv/lib/python2.7/site-packages/django/core/urlresolvers.py in reverse, line 596
Python Executable: /Users/mrose/Dropbox/dev/samlauth/venv/bin/python
Python Version: 2.7.10

/Users/mrose/Dropbox/dev/samlauth/venv/lib/python2.7/site-packages/django_saml2_auth/views.py in signin
next_url = r.GET.get('next', reverse('admin:index'))

def signin(r):
import urlparse
from urllib import unquote
next_url = r.GET.get('next', reverse('admin:index')) ...
try:
if "next=" in unquote(next_url):
next_url = urlparse.parse_qs(urlparse.urlparse(unquote(next_url)).query)['next'][0]
except:
next_url = r.GET.get('next', reverse('admin:index'))

So i tried adding 'namespace="admin"' to the urlpatterns.

urlpatterns = [
url(r'^saml2_auth/', include('django_saml2_auth.urls', namespace="admin")),`

However, i then received the following error.

Django Version: 1.9.5
Exception Type: NoReverseMatch
Exception Value:
Reverse for 'index' with arguments '()' and keyword arguments '{}' not found. 0 pattern(s) tried: []
Exception Location: /Users/mrose/Dropbox/dev/samlauth/venv/lib/python2.7/site-packages/django/core/urlresolvers.py in _reverse_with_prefix, line 508

Do you know what I'm doing wrong? Thanks for your help!!

More than an issue, this is a question.
I need to implement SAML2 in my django app.

I want it to make it work with http://www.testshib.org

At http://www.testshib.org/register.html they are requesting a Metadata file I believe all Saml service providers must have. But in the documentation, unless I've missed it, I haven't seen anything. The METADATA_AUTO_CONF_URL doesn't seem to be an option in my case. I guess since it is required, there's nothing to do?.

My application required both of these features.

I was able to edit the code of this repo in order to make my use case work.

I will be making a pull request that adds my functionality in a general sense, which will use Django Settings file.

The repo in its current state will only get you a Django session and requires you to use the default Django User model.

If you are using a frontend that requires token auth (in my case JWT), you will need to write some custom code in the views.py.

I will add to the possible settings and to the readme to explain how to use this my newly added functionality.

Expect this pull request early next week.

😄

Although request signing is not required by the protocol, there are some IdPs that may require it.
Is there any option to support SP Metadata and request signing?

Hello
when i try to accede to this url "http://your-domain/saml2_auth/acs/" I am redirected to ... auth / denied /
"Sorry, you are not allowed to access this app"

SSO managed by Renater

Thanks

I am using the main / url to be my login page.

When I set that url to be handled by django-saml2-auth it causes an infinite redirect loop.

Any idea on how to solve this?

Hi,

I'm trying to make my application redirect to / instead of /admin after the login.
In #5, you mention adding the next parameter, but I'm not sure where I should add this.

I'm using this plugin to integrate with Okta.

Cheers,
Mario

Tried out django-saml2-auth with Okta and got this error message

We got a URL reverse issue: ['admin:index']. This is a known issue but please still submit a ticket at https://github.com/fangli/django-saml2-auth/issues/new

Please advise on what additional information you need to assist.

I am new to configuring django auth and saml2. At my work , I am building a single page django application that I want to authenticate access to via okta which has been connected to an identity provider by IT. Within my django app that I am running on my dev laptop:
In my urls.py I added the entry for django_saml2 to handle all urls and in the okta admin console I set all of the settings to django_saml2_auth/acs/

for eg. in urls.py
url(r'^saml2_auth/', include('django_saml2_auth.urls')),

On the console I have
Single Sign On URLhttp://localhost:8000/saml2_auth/acs/

Now when I navigate to my app or to http://localhost:8000/saml2_auth/acs/

I get the error from my django debug toolbar informing below. The error may be in my django app or in my okta-config. Please can you help me figure our where something is going wrong and how I can troubleshoot it.

I also created a dev-okta account so that I have full admin control and it gives me the same error.
Thanks

Request Method: | GET
-- | --
http://127.0.0.1:8000/saml2_auth/acs/
1.11
URLError
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)>
/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/urllib/request.py in do_open, line 1320
/Users/hari/.virtualenvs/ic50project/bin/python
3.6.0
['/Users/hari/ec50_django_project',  '/Applications/PyCharm.app/Contents/helpers/pydev',  '/Users/hari/ec50_django_project',  '/Applications/PyCharm.app/Contents/helpers/pydev',  '/Users/hari/.virtualenvs/ic50project/lib/python36.zip',  '/Users/hari/.virtualenvs/ic50project/lib/python3.6',  '/Users/hari/.virtualenvs/ic50project/lib/python3.6/lib-dynload',  '/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6',  '/Users/hari/.virtualenvs/ic50project/lib/python3.6/site-packages']
Fri, 14 Jul 2017 20:43:12 +0000

Hi all,

How do I enable debug logging for this scenario? Browsing to /saml2_auth/acs immediately redirects me to /saml2_auth/denied and there are no logs available. I have the following logging configuration:

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'console': {
            'class': 'logging.StreamHandler',
        },
    },
    'loggers': {
        'django': {
            'handlers': ['console'],
            'level': 'DEBUG',
        },
        'saml2': {
            'handlers': ['console'],
            'level': 'DEBUG',
        },
        'saml2.client_base': {
            'handlers': ['console'],
            'level': 'DEBUG',
        },
        'saml2.sigver': {
            'handlers': ['console'],
            'level': 'DEBUG',
        },
        'django.request':{
            'handlers': ['console'],
            'level': 'DEBUG',
        },
    },
}

is_safe_url is used in the signin view but Django 2.1 recently just made the allowed_hosts a mandatory parameter for this function.

You'll likely need to add a django.VERSION check and then push through settings.ALLOWED_HOSTS in kwargs if Django is >=2.1.

I'm using windows 10 but it give me missing [xmlsec,xmlsec1]
I tried couple of ways
- pip install`,
- downloaded zip file
but unable to install.

Is there any way to install that I'm not aware of?

Request Method: GET
Request URL: http://127.0.0.1:8000/saml_auth2/acs/acs/
Django Version: 1.9.5
Exception Type: NoReverseMatch
Exception Value:
Reverse for 'acs' with arguments '()' and keyword arguments '{}' not found. 0 pattern(s) tried: []

From this file:

.../venv/lib/python2.7/site-packages/django_saml2_auth-1.0.4-py2.7.egg/django_saml2_auth/views.py in _get_saml_client

    return '{scheme}://{host}'.format(
        scheme=r.scheme,
        host=r.get_host(),
    )
def _get_saml_client(domain):
    acs_url = domain + reverse('acs') ...
    import tempfile
    tmp = tempfile.NamedTemporaryFile()
    f = open(tmp.name, 'w')
    f.write(urllib2.urlopen(settings.SAML2_AUTH['METADATA_AUTO_CONF_URL']).read())
    f.close()
    saml_settings = {

my urls.py file:

urlpatterns = [

    # These are the SAML2 related URLs. You can change "^saml2_auth/" regex to
    # any path you want, like "^sso_auth/", "^sso_login/", etc. (required)
    url(r'^saml_auth2/acs/', include('django_saml2_auth.urls')),

    # The following line will replace the default user login with SAML2 (optional)
    url(r'^accounts/login/$', 'django_saml2_auth.views.signin'),

    # The following line will replace the admin login with SAML2 (optional)
    url(r'^admin/login/$', 'django_saml2_auth.views.signin'),

    # google chrome favicon fix
    url(r'^favicon.ico/$', lambda x: HttpResponseRedirect(settings.STATIC_URL + 'img/favicon.ico')),
    url(r'^$', RedirectView.as_view(url='outage')),
    url(r'^admin/', admin.site.urls),
    url(r'^manage/', admin.site.urls),
    url(r'^outage/', include('comapp.urls')),

I'm not entirely sure where the problem is, so I don't know what files I should post to help troubleshoot.

Hey,

would it be a good idea to make default login page configurable through some setting? we have the scenario that to protect all the views with okta. it does not make sense to redirect to admin:login for all the views.

thanks,

Would it be possible to split the responsibility of this SAML module to be an option for login, instead of "taking over" the login page completely? Seems like maybe this module is an "all or nothing" approach, and I'd like to build a service provider which allows me to use my existing authentication plus add a SAML login (perhaps from a different login landing page) for a third-party IDP.

tried to login with okta, and then it got csrf token error, i checked the request there's csrf token in it. I am running in django 1.11

See error message below.

Please let me know if you need any more info.

rfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware')

Traceback:

File "/Users/sohd001/IdeaProjects/qatools_venv/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
41. response = get_response(request)

File "/Users/sohd001/IdeaProjects/qatools_venv/lib/python3.6/site-packages/django/core/handlers/base.py" in _legacy_get_response
249. response = self._get_response(request)

File "/Users/sohd001/IdeaProjects/qatools_venv/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
187. response = self.process_exception_by_middleware(e, request)

File "/Users/sohd001/IdeaProjects/qatools_venv/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
185. response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/Users/sohd001/IdeaProjects/qatools_venv/lib/python3.6/site-packages/django_saml2_auth/views.py" in signin
180. next_url = r.GET.get('next', settings.SAML2_AUTH.get('DEFAULT_NEXT_URL', get_reverse('admin:index')))

File "/Users/sohd001/IdeaProjects/qatools_venv/lib/python3.6/site-packages/django_saml2_auth/views.py" in get_reverse
58. raise Exception('We got a URL reverse issue: %s. This is a known issue but please still submit a ticket at https://github.com/fangli/django-saml2-auth/issues/new' % str(objs))

Exception Type: Exception at /login/
Exception Value: We got a URL reverse issue: ['admin:index']. This is a known issue but please still submit a ticket at https://github.com/fangli/django-saml2-auth/issues/new

I am using PingOne SSO as IdP , they are not providing dynamic metadata configuration URL , instead of that, they are providing metadata file.

How to configure with that file?

Hello.

Some time ago I decided to use your package but I had to make a few changes. After forking and editing I realized the code isn't of a very high quality. Would you mind if I sent PR with some PEP8 changes and maybe other improvements?

I am following your setup to integrate my django web app with okta but when i try to login after submitting the credential it shows the "BAD SAML REQUEST". I am struggling to find the root cause of this. Please help me out.
This is my OKTA SEttings

This is my settings.py file

Please help me from this ASAP.

Not really sure what to do here. I have nginx running, listening on port 80 and passing to the gunicorn server. I think this may have something to do with it, but really, no clue at this point.

I go to http://mysite.com/admin -> Okta to Authenticate -> redirects to http://mysite.com/saml2_auth/acs/ with a 500.

Would appreciate any help. Thanks!

EDIT: Looks like every time I go to /admin, its successfully authenticates on the Okta side.

Hi-

The idp I have , that is okta, is encrypting the saml response with the public key of my server. I have the private key of the server.

I need to decrypt it to get the user identity.

My saml setting is

saml_settings = {
'metadata': {
"local": [
metadat_xml

        ],           
    },
    'service': {
        'sp': {
            'endpoints': {
                'assertion_consumer_service': [
                    (acs_url, BINDING_HTTP_REDIRECT),
                    (acs_url, BINDING_HTTP_POST),
                    (https_acs_url, BINDING_HTTP_REDIRECT),
                    (https_acs_url, BINDING_HTTP_POST)
                ],
            },
            'allow_unsolicited': True,
            'authn_requests_signed': False,
            'logout_requests_signed': True,
            'want_assertions_signed': True,
            'want_response_signed': False,
        },
    },

    'key_file': "mykey.key",  # private part
    'cert_file': "mykey.crt",  # public part
    'xmlsec_path': '/usr/bin/xmlsec1',
    'encryption_keypairs': [{
        'key_file': 'mykey.key',
        'cert_file': 'mykey.crt',
    }]
}

I am not abel to get the user identity and it says NoneType' object has no attribute 'subject'

I tried decrypting the token using the below url with my private key and I am able to decrypt it.
https://www.samltool.com/decrypt.php

Can you please let me know what I am missing?

We're currently looking into implementing authentication on top of our API, where ADFS/SAML would be the cleanest solution. How ever, only certain user groups in AD should have access.
Reading through the docs here, its not clear whether this package only support pure Django or also DRF?

Thank you for writing this!
I think the logout views references are quoted by accident in the readme.
I submitted a small PR #40