CentreForDigitalHumanities/Development-IdP

Django Identity Provider

A quick and dirty IdP for local development with applications using Federated Authentication.

Internally it follows SurfConext attribute/claim naming, but has built-in profiles to act like the UU IdP.

NOTE: Currently only SAML is implemented, with OpenID possibly being added in the future.

Instructions

Some concepts and terminology

identity provider (IdP) = The entity providing authentication/identification services, in this case the Development-IdP application running locally

service provider (SP) = The entity providing a service for which authentication is required, i.e. the application that is using the Dev-IdP to authenticate users.

SAML service provider = An application that uses SAML for authentication.

OpenID Connect service provider = An application that uses OpenID Connect for authentication.

Running with Docker

TODO: write this. TL;DR: docker-compose up and ./docker_initial_setup.sh the first time.

Running locally

  1. See Dockerfile for system dependencies (gettext, rust, cargo, xmlsec)
  2. Setup a virtualenv and activate it
  3. Install Python dependencies pip install -r requirements.txt
  4. Run migrations python manage.py migrate
  5. Load initial data python manage.py loaddata main/fixtures/initial.json
  6. (Optional) Load admin user python manage.py loaddata main/fixtures/admin-user.json
    • This will create an admin user with username/pass: admin/admin. Will override any existing user with pk 1
    • Otherwise, create an admin user using python manage.py createsuperuser
  7. (Optional) Load test users python manage.py loaddata main/fixtures/surfconext-test-users.json
    • These test users are identical to the test users in SurfConext's test environment.
    • These accounts will override any existing user using a PK between 2 and 40.
  8. Verify that BASE_URL in testidp/saml_settings.py is set to the correct host for your usage
    • By default this is localhost:7000, which is probably fine?
  9. Run the IDP python manage.py runserver <port>
    • If you kept using the default, this is python manage.py runserver 7000
  10. You're done!

Adding SAML Service Providers

  1. Make sure your app has SAML already setup and is using http(s)://localhost:7000/saml/idp/metadata as its IdP
    • Replacing localhost:7000 with the actual IP of the IdP
  2. Click 'New' next to Service Provider in the app
  3. Provide at least your SP's entity_id [1] and metadata [2] (preferably by URL import)
  4. Choose your starting attribute map*
  5. Done!
  6. Optionally: review your new SP by editing it. You might want to add missing attributes to the attribute map.

Note on attribute maps

In SAML (well, in PySAML), the term attribute map is used often, and not always for the same thing. This can be confusing, so to clear up:

In the context of this app you'll only have to worry about SP attribute maps. Such a map does two things: it maps the attribute name (as stored in the dev-IdP's database) to the name sent to the SP, and it restricts which attributes are sent at all. (Any attribute not in the dict will not be sent to the SP.)

For example, internally the Solis-ID is named username, but the UU IdP calls this attribute uuShortId. Thus, we need to map username to uuShortId.

Thus, you'll get this attribute map:

{
    "username": "uuShortId"
}

However, with this map the IdP will only supply the SP with the Solis-ID of the logged-in user. Thus, a more common attribute map would be:

{
    "username": "uuShortId",
    "mail": "mail",
    "givenName": "givenName",
    "sn": "uuPrefixedSn"
}

The app provides a couple preset attribute maps, which can be chosen when registering an SP in the app. These maps can also be consulted in the file main/attribute_map_presets.py.
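The following is an added example, not code from Development-IdP itself, showing the two effects described above: a map renames internal attribute names to the names the SP expects, and anything absent from the map is withheld. The internal user record is constructed for the example; the two maps are the ones shown above.

```python
# Added example (not part of Development-IdP): apply an SP attribute map the way the
# README describes it: rename internal names to SP names, withhold everything else.

# Constructed sample: internal attributes of a logged-in user, stored under the
# SurfConext-style names the dev-IdP uses internally.
INTERNAL_USER = {
    "username": "abc1234",
    "mail": "a.example@example.org",
    "givenName": "Alice",
    "sn": "Example",
    "uid": "abc1234",  # not in either map below, so never released
}

# The two attribute maps from the README.
MINIMAL_MAP = {"username": "uuShortId"}
COMMON_MAP = {
    "username": "uuShortId",
    "mail": "mail",
    "givenName": "givenName",
    "sn": "uuPrefixedSn",
}


def apply_attribute_map(user_attrs, attr_map):
    """Return the attributes released to the SP, keyed by the SP-side name.

    Internal attributes missing from the map are withheld. A mapped attribute the
    user does not have is simply omitted rather than being sent as an empty value.
    """
    released = {}
    for internal_name, sp_name in attr_map.items():
        if internal_name in user_attrs:
            released[sp_name] = user_attrs[internal_name]
    return released


def withheld_attributes(user_attrs, attr_map):
    """Internal attribute names that this map will never send to the SP.

    Useful when reviewing a map: it lists what the SP does not get to see.
    """
    return sorted(set(user_attrs) - set(attr_map))


def colliding_sp_names(attr_map):
    """SP-side names that two or more internal attributes would be mapped onto.

    Such a map is ambiguous (one value silently overwrites the other), so it
    should be rejected when the map is saved.
    """
    sp_names = list(attr_map.values())
    return sorted({name for name in sp_names if sp_names.count(name) > 1})
```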

Known Issues

Footnotes

  1. This isn't universal, but usually looks as follows: <ip_of_service_provider>/users/saml2/metadata/ or <ip_of_service_provider>/users/saml/metadata/

  2. Follow the link above in your browser, then right-click the page and select "view source" to see the underlying XML file, which needs to be pasted in full into the metadata text box.

About

A Django-based Identity Provider for use during development
