Django and Shibboleth

Question

I'm investigating the options for using Shibboleth in a Django deployment. From what I've found, things look somewhat sparse. Can anyone comment on the following?

• Is anyone using the django_shibboleth module (see http://code.arcs.org.au/gitorious/django/django-shibboleth/trees/1.1)? If so, what experiences have you had with this module?

• SAML 2 implementations for Django (e.g., django-saml2-sp) and Python in general (e.g., pysaml2) appear to be somewhat experimental and include little documentation. Does anyone know of stable SAML 2 solutions for Django/Python?

Thanks in advance for any help!

Answer 1

I would recommend using the Shibboleth Native SP (apache mod_shib). It's well tested, has a large user base, and is very stable.

I took a quick look at the django_shibboleth module, and it seems that it depends on mod_shib, and doesn't do any SAML on it's own. In this respect, that module is very simple, and probably works well.

I haven't seen any complete (or mostly complete) python SAML2 implementations, and none that are an active project. The xml security and crypto requirements are a pain in python, and this likely contributes to the lack of libraries.

[EDIT - I'll recant part of that] The pysaml2 library has some development activity, and looks fairly complete from a cursory glance. It uses the xmlsec1 binary directly for signatures and encryption, and therefore doesn't rely on any outdated bindings. This is likely your best bet for using SAML2 directly in python at the moment.

Answer 2

While I don't have experience with Django+Shibboleth, I have some with "plain" Shibboleth.

If your Apache has mod_shibboleth configured properly, then integrating it with a web app is relatively trivial. Check out the django_shibboleth module and you can see it does not contain that much code.

In particular, if you have mod_shibboleth already running, don't use a third-party SAML 2 library. Those bring a lot of unnecessary complexity.

Answer 3

A django-shibboleth module is available which can be used to obtain attributes from an IdP and map them to users in the Django auth system. Most of the work is done by Shibboleth itself, with only a small amount of code required for the mapping.

The packing is available from here.

linuxsoft.cern.ch/internal/repos/ai6-stable/x86_64/os/Packages/django-shibsso-0.1-1.noarch.rpm

or the source from here.

linuxsoft.cern.ch/internal/repos/ai6-stable/source/SRPMS/django-shibsso-0.1-1.src.rpm

Follow the Shibboleth instructions for setting up your local Shibboleth Service Provider (SP) for use with an IdP.

In the http.conf file or your own app configuration in conf.d, create the following entry.

<Location /shibboleth>
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
   require valid-user
</Location>

This should result in the URLs to /shibboleth being directed to the IdP login page. After successfully logging on, a 404 page will be returned.

Add the configuration, replacing app with the name of your app.

<Location "/">
    SetHandler mod_python
    PythonHandler django.core.handlers.modpython
    SetEnv DJANGO_SETTINGS_MODULE app.settings
    PythonDebug Off
</Location>

This should result in the following error after login in via the /shibboleth URL. The current URL, Shibboleth.sso/ADFS, didn't match any of these.

To solve this problem you need to add the following to the configuration.

<Location /Shibboleth.sso>
    SetHandler None
</Location>

/var/log/shibboleth/transaction.log should tell you what attributes are released.