Best way to Integrate ADFS 2.0 authentication in a Django application

I need to use Active Directory Federation Services (ADFS) authentication in a Django application. I will create an authentication backend, but which tool would someone recommend to make it as fast as possible, or would it be better to implement authentication from scratch?

I have read some articles from the Microsoft website, and have checked:

  • http://claimsid.codeplex.com/

  • http://msdn.microsoft.com/en-us/library/ff359102.aspx

But even though they explain some core concepts and ideas about ADFS and SSO, the examples are, in my opinion, more .NET-stack focused.

avenet asked Feb 14 '23 17:02

1 Answer

Writing a basic client in .NET and sniffing the traffic would give you all necessary clues to actually implement the flow in any technology.

Basically, your Django app has an endpoint ADFS uses to return to. You register the endpoint in ADFS (like https://myapp.com/authgateway).

Then, your application initializes the flow by redirecting to https://adfs.address/adfs/ls?wa=wsignin1.0&wtrealm=https://myapp.com/authgateway

ADFS picks up the request and validates credentials. Then it creates a SAML token and redirects back to your application with a POST request containing the token.

Then comes the difficult part: the SAML token is plain XML you can use to establish a local user session. One of the claims contains the user name provided by ADFS; other claims can contain roles, the email, whatever you configure on the ADFS side.

But, to prevent forging, you need to validate the token. The validation consists of checking the XMLDSig signature and verifying that the signing certificate thumbprint matches the thumbprint of the ADFS signing certificate. Depending on how much knowledge of X.509 certificates and XML validation you have, this can be easy or difficult. Try to find any support in the Django community.

Anyway, as you can see, the basic flow is simple: it is a matter of two redirects, a 302 from your application to ADFS and a POST back from ADFS to your application. Although we do this daily in .NET, our partners do it in PHP/Java under our guidance.

Wiktor Zychla answered Feb 17 '23 19:02
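The flow the answer describes, as an added example that is not part of the original post or of any Django/ADFS library: it builds the wsignin1.0 redirect with the answer's wtrealm, then applies the checks the relying party must perform on the posted wresult once an XML-signature library has verified the XMLDSig signature (signature verification itself is not implemented here). The ADFS host, the claim values and the certificate bytes are constructed; the "DER" bytes are a stand-in for a real certificate, and the thumbprint is computed over them exactly as ADFS does for a real one (SHA-1 over the DER encoding).

```python
"""WS-Federation sign-in redirect and relying-party checks on the returned SAML 1.1
token. Standard library only, so it runs offline. Assumes the XMLDSig signature over
the assertion has already been verified elsewhere; these are the checks that still
protect you after that (certificate pinning, validity window, audience)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ADFS_LOGIN = "https://adfs.example.test/adfs/ls"   # assumed ADFS host (placeholder)
REALM = "https://myapp.com/authgateway"            # the registered endpoint from the answer
CLOCK_SKEW = timedelta(minutes=5)                   # tolerance for IdP/RP clock drift

NS = {  # namespaces used by an ADFS 2.0 wresult carrying a SAML 1.1 assertion
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class TokenError(Exception):
    """Raised when the posted token must not be used to create a session."""


def signin_url(return_to=None):
    """Step 1: the 302 target. wctx is optional opaque state echoed back by ADFS."""
    params = {"wa": "wsignin1.0", "wtrealm": REALM}
    if return_to:
        params["wctx"] = return_to
    return ADFS_LOGIN + "?" + urlencode(params)


def _parse_utc(value):
    """SAML timestamps are UTC, with or without fractional seconds."""
    value = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise TokenError("unparseable timestamp: " + value)


def validate_wresult(wresult_xml, expected_thumbprint, now):
    """Step 2: checks on the signed assertion. Returns {claim type: [values]}."""
    root = ET.fromstring(wresult_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise TokenError("no SAML assertion in wresult")

    # Pin the signing certificate: ADFS's thumbprint is SHA-1 over the DER bytes.
    certs = assertion.findall(".//ds:X509Certificate", NS)
    if len(certs) != 1:
        raise TokenError("expected exactly one signing certificate")
    actual = hashlib.sha1(base64.b64decode(certs[0].text.strip())).hexdigest().upper()
    expected = expected_thumbprint.replace(":", "").replace(" ", "").upper()
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        raise TokenError("signing certificate thumbprint mismatch")

    # Validity window: NotBefore <= now < NotOnOrAfter, allowing small skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise TokenError("assertion has no Conditions element")
    not_before = _parse_utc(cond.get("NotBefore"))
    not_on_or_after = _parse_utc(cond.get("NotOnOrAfter"))
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        raise TokenError("token outside its validity window")

    # Audience: a token issued for another relying party must be rejected.
    audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", NS)]
    if REALM not in audiences:
        raise TokenError("audience does not match our realm")

    # Claims: ADFS claim types are AttributeNamespace + "/" + AttributeName.
    claims = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        key = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        claims[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims


def claims_from_post(form_body, expected_thumbprint, now):
    """Entry point for the registered endpoint: form_body is the urlencoded POST body."""
    form = parse_qs(form_body)
    if form.get("wa") != ["wsignin1.0"] or "wresult" not in form:
        raise TokenError("not a wsignin1.0 response")
    return validate_wresult(form["wresult"][0], expected_thumbprint, now)


def is_accepted(form_body, expected_thumbprint, now):
    """True if the posted token would be accepted (convenience wrapper)."""
    try:
        claims_from_post(form_body, expected_thumbprint, now)
        return True
    except TokenError:
        return False


# Constructed sample data (not a real certificate or token).
FAKE_DER = b"constructed-stand-in-for-certificate-der-bytes"
EXPECTED_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{NS['t']}">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="{NS['saml']}" AssertionID="_constructed-1">
   <saml:Conditions NotBefore="2023-02-17T19:00:00.000Z" NotOnOrAfter="2023-02-17T20:00:00.000Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{REALM}</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
   <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
SAMPLE_POST_BODY = urlencode({"wa": "wsignin1.0", "wresult": SAMPLE_WRESULT})
GOOD_TIME = datetime(2023, 2, 17, 19, 30, tzinfo=timezone.utc)
LATE_TIME = datetime(2023, 2, 17, 21, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(signin_url())
    print(claims_from_post(SAMPLE_POST_BODY, EXPECTED_THUMBPRINT, GOOD_TIME))
```

In a real deployment the thumbprint is taken from the ADFS federation metadata (or the ADFS console) and stored in settings, never read from the token itself; the token's embedded certificate is only what the pin is compared against. The thumbprint, window and audience checks are deliberately ordered after signature verification and before any session is created, and each failure is a hard reject rather than a fallback.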