Django and Shibboleth

Asked 21/10, 2011 at 13:38 Answered 13/6, 2014 at 12:45

I'm investigating the options for using Shibboleth in a Django deployment. From what I've found, things look somewhat sparse. Can anyone comment on the following?

Is anyone using the django_shibboleth module (see http://code.arcs.org.au/gitorious/django/django-shibboleth/trees/1.1)? If so, what experiences have you had with this module?
SAML 2 implementations for Django (e.g., django-saml2-sp) and Python in general (e.g., pysaml2) appear to be somewhat experimental and include little documentation. Does anyone know of stable SAML 2 solutions for Django/Python?

Thanks in advance for any help!

Uphold answered 21/10, 2011 at 13:38 Comment(9)

What features do you need? Will you only ever authenticate against a single IdP, or do you need DS, WAYF, federation, artifact resolution, logout, and so on? – Naiad 21/10, 2011 at 16:5

Excellent questions! This particular project will need DS, WAYF, etc. – Uphold 21/10, 2011 at 22:13

Especially if you're going to be using more than the basic SAML features, I would stick with the first part of my answer, and agree with @hrnt. Incorporating the shibboleth native SP will be the most reliable route. – Naiad 24/10, 2011 at 15:20

@Naiad : Can I use this django module for multiple Idps ? i need to use Shibboleth for my django web site ? what do you sugest ? apache module or django module? my requirement is use multiple idps. – Naive 5/8, 2013 at 4:55

@Lahiruzz: as I said in my answer, the django module requires apache mod_shib. You need to use both. – Naiad 5/8, 2013 at 15:20

@JimB: Is this support multiple idps and I need to know where should i store the different databases – Naive 6/8, 2013 at 4:30

@Lahiruzz: mod_shib has been the standard shib SP for years, and is really the canonical implementation of everything supported by shibboleth; meaning yes, you can use multiple IdPs, directly or via federation. I don't know what you mean by "different databases", but these comments aren't really the place for this conversation. – Naiad 6/8, 2013 at 17:23

@JimB: this link code.arcs.org.au/gitorious/django/django-shibboleth/trees/1.1 does not work now, don't u have any useful tutorial link for django/shibboleth integration – Naive 12/8, 2013 at 4:17

@Lahiruzz: I think they moved the code. The link in my answer points to the current repo. – Naiad 12/8, 2013 at 13:23

I would recommend using the Shibboleth Native SP (apache mod_shib). It's well tested, has a large user base, and is very stable.

I took a quick look at the django_shibboleth module, and it seems that it depends on mod_shib, and doesn't do any SAML on it's own. In this respect, that module is very simple, and probably works well.

~~I haven't seen any complete (or mostly complete) python SAML2 implementations, and none that are an active project.~~ The xml security and crypto requirements are a pain in python, and this likely contributes to the lack of libraries.

[EDIT - I'll recant part of that] The pysaml2 library has some development activity, and looks fairly complete from a cursory glance. It uses the xmlsec1 binary directly for signatures and encryption, and therefore doesn't rely on any outdated bindings. This is likely your best bet for using SAML2 directly in python at the moment.

Naiad answered 21/10, 2011 at 16:2 Comment(0)

While I don't have experience with Django+Shibboleth, I have some with "plain" Shibboleth.

If your Apache has mod_shibboleth configured properly, then integrating it with a web app is relatively trivial. Check out the django_shibboleth module and you can see it does not contain that much code.

In particular, if you have mod_shibboleth already running, don't use a third-party SAML 2 library. Those bring a lot of unnecessary complexity.

Rudelson answered 21/10, 2011 at 13:46 Comment(0)

A django-shibboleth module is available which can be used to obtain attributes from an IdP and map them to users in the Django auth system. Most of the work is done by Shibboleth itself, with only a small amount of code required for the mapping.

Follow the Shibboleth instructions for setting up your local Shibboleth Service Provider (SP) for use with an IdP.

In the http.conf file or your own app configuration in conf.d, create the following entry.

<Location /shibboleth>
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
   require valid-user
</Location>

This should result in the URLs to /shibboleth being directed to the IdP login page. After successfully logging on, a 404 page will be returned.

Add the configuration, replacing app with the name of your app.

<Location "/">
    SetHandler mod_python
    PythonHandler django.core.handlers.modpython
    SetEnv DJANGO_SETTINGS_MODULE app.settings
    PythonDebug Off
</Location>

This should result in the following error after login in via the /shibboleth URL. The current URL, Shibboleth.sso/ADFS, didn't match any of these.

To solve this problem you need to add the following to the configuration.

<Location /Shibboleth.sso>
    SetHandler None
</Location>

/var/log/shibboleth/transaction.log should tell you what attributes are released.

Allethrin answered 13/6, 2014 at 12:45 Comment(1)

Instead of setting SetHandler None on "/Shibboleth.sso", reordering how Apache loads modules can help as well. I bumped into similar situation with mod_passenger + mod_shib2. For example if mod_shib2 is loaded after mod_passenger then "/Shibboleth.sso" location is handled by Passenger app (which is not desired behaviour). If mod_shib2 is loaded before mod_passenger - everything works as expected. – Dogwood 5/1, 2016 at 17:58

Recommended topics

Hot tags