SAML2 bringup

Author: inducer

course/exam.py

@@ -550,13 +550,14 @@ def process_request(self, request):
         resolver_match = resolve(request.path)
 
         from course.exam import check_in_for_exam, issue_exam_ticket
-        from course.auth import (user_profile, sign_in_by_email,
+        from course.auth import (user_profile, sign_in_choice, sign_in_by_email,
                 sign_in_stage2_with_token, sign_in_by_user_pw)
         from course.flow import view_start_flow, view_flow_page
         from django.contrib.auth.views import logout
 
         ok = False
         if resolver_match.func in [
+                sign_in_choice,
                 sign_in_by_email,
                 sign_in_stage2_with_token,
                 sign_in_by_user_pw,
@@ -567,6 +568,9 @@ def process_request(self, request):
                 logout]:
             ok = True
 
+        elif path.startswith("/saml2"):
+            ok = True
+
         elif (
                 (request.user.is_staff
                     or

local_settings.py.example

@@ -132,14 +132,14 @@ RELATE_MAINTENANCE_MODE = False
 # May be set to a string to set a sitewide announcement visible on every page.
 RELATE_SITE_ANNOUNCEMENT = None
 
+# }}}
+
 # Uncomment this to enable i18n, change 'en-us' to locale name your language.
 # Make sure you have generated, translate and compile the message file of your
 # language. If commented, RELATE will use default language 'en-us'.
 
 #LANGUAGE_CODE='en-us'
 
-# }}}
-
 # {{{ exams and testing
 
 RELATE_FACILITIES = {
@@ -157,4 +157,118 @@ RELATE_TICKET_MINUTES_VALID_AFTER_USE = 12*60
 
 # }}}
 
+# {{{ saml2 (optional)
+
+if RELATE_SIGN_IN_BY_SAML2_ENABLED:
+    from os import path
+    import saml2.saml
+    _BASEDIR = path.dirname(path.abspath(__file__))
+
+    _BASE_URL = 'https://relate.cs.illinois.edu'
+
+    SAML_CONFIG = {
+        # full path to the xmlsec1 binary programm
+        'xmlsec_binary': '/usr/bin/xmlsec1',
+
+        # your entity id, usually your subdomain plus the url to the metadata view
+        # (usually no need to change)
+        'entityid': _BASE_URL + '/saml2/metadata/',
+
+        # directory with attribute mapping
+        # (already populated with samples from djangosaml2, usually no need to
+        # change)
+        'attribute_map_dir': path.join(_BASEDIR, 'saml-config', 'attribute-maps'),
+
+        # this block states what services we provide
+        'service': {
+            'sp': {
+                'name': 'RELATE SAML2 SP',
+                'name_id_format': saml2.saml.NAMEID_FORMAT_PERSISTENT,
+                'endpoints': {
+                    # url and binding to the assertion consumer service view
+                    # do not change the binding or service name
+                    'assertion_consumer_service': [
+                        (_BASE_URL + '/saml2/acs/',
+                         saml2.BINDING_HTTP_POST),
+                        ],
+                    # url and binding to the single logout service view
+                    # do not change the binding or service name
+                    'single_logout_service': [
+                        (_BASE_URL + '/saml2/ls/',
+                         saml2.BINDING_HTTP_REDIRECT),
+                        (_BASE_URL + '/saml2/ls/post',
+                         saml2.BINDING_HTTP_POST),
+                        ],
+                    },
+
+                # attributes that this project needs to identify a user
+                'required_attributes': ['uid'],
+
+                # attributes that may be useful to have but not required
+                'optional_attributes': ['eduPersonAffiliation'],
+
+                # in this section the list of IdPs we talk to are defined
+                'idp': {
+                    # Find the entity ID of your IdP and make this the key here:
+                    'urn:mace:incommon:uiuc.edu': {
+                        'single_sign_on_service': {
+                            # Add the POST and REDIRECT bindings for the sign on service here:
+                            saml2.BINDING_HTTP_POST:
+                                'https://shibboleth.illinois.edu/idp/profile/SAML2/POST/SSO',
+                            saml2.BINDING_HTTP_REDIRECT:
+                                'https://shibboleth.illinois.edu/idp/profile/SAML2/Redirect/SSO',
+                            },
+                        'single_logout_service': {
+                            # And the REDIRECT binding for the logout service here:
+                            saml2.BINDING_HTTP_REDIRECT:
+                            'https://shibboleth.illinois.edu/idp/logout.jsp',  # noqa
+                            },
+                        },
+                    },
+                },
+            },
+
+        # You will get this XML file from your institution. It has finite validity
+        # and will need to be re-downloaded periodically.
+        #
+        # "itrust" is an example name that's valid for the University of Illinois.
+        # This particular file is public and lives at
+        # https://discovery.itrust.illinois.edu/itrust-metadata/itrust-metadata.xml
+
+        'metadata': {
+            'local': [path.join(_BASEDIR, 'saml-config', 'itrust-metadata.xml')],
+            },
+
+        # set to 1 to output debugging information
+        'debug': 1,
+
+        # certificate
+        # see saml2-keygen.sh in this directory
+        'key_file': path.join(_BASEDIR, 'saml-config', 'sp-key.pem'),  # private part
+        'cert_file': path.join(_BASEDIR, 'saml-config', 'sp-cert.pem'),  # public part
+
+        # own metadata settings
+        'contact_person': [
+            {'given_name': 'Andreas',
+             'sur_name': 'Kloeckner',
+             'company': 'CS - University of Illinois',
+             'email_address': '[email protected]',
+             'contact_type': 'technical'},
+            {'given_name': 'Andreas',
+             'sur_name': 'Kloeckner',
+             'company': 'CS - University of Illinois',
+             'email_address': '[email protected]',
+             'contact_type': 'administrative'},
+            ],
+        # you can set multilanguage information here
+        'organization': {
+            'name': [('RELATE', 'en')],
+            'display_name': [('RELATE', 'en')],
+            'url': [(_BASE_URL, 'en')],
+            },
+        'valid_for': 24,  # how long is our metadata valid
+        }
+
+# }}}
+
 # vim: filetype=python:foldmethod=marker

relate/settings.py

@@ -275,8 +275,6 @@
     'sn': ('last_name', ),
 }
 
-SAML_CONFIG = join(BASE_DIR, "saml_config.py")
-
 # }}}
 
 # vim: foldmethod=marker

relate/templates/djangosaml2/wayf.html

@@ -0,0 +1,12 @@
+{% extends "base.html" %}
+
+{% load i18n %}
+{% block content %}
+  <h1>{% trans "Institutional Login (SAML2)" %}</h1>
+  <p>{% trans "Please select your Identity Provider from the following list:" %}</p>
+  <ul>
+    {% for url, name in available_idps %}
+    <li><a href="{% url 'djangosaml2.views.login' %}?idp={{ url }}{% if came_from %}&next={{ came_from }}{% endif %}">{{ name }}</a></li>
+    {% endfor %}
+  </ul>
+{% endblock %}

relate/templates/sign-in-choice.html

@@ -9,9 +9,10 @@ <h1>{% trans "Sign in to RELATE" %}</h1>
       <li>
         <a
           class="btn btn-primary"
-          href="#"
+          href="{% url "djangosaml2.views.login" %}"
           role="button"><i class="fa fa-institution"></i>
           {% trans "Sign in using your institution's login" %} &raquo;</a>
+          (not yet working, but getting there)
       </li>
     {% endif %}
     {% if relate_sign_in_by_email_enabled %}

relate/urls.py

@@ -447,12 +447,12 @@
 
 if settings.RELATE_SIGN_IN_BY_SAML2_ENABLED:
     urlpatterns.extend([
-        (r'^saml2/', include('djangosaml2.urls')),
+        url(r'^saml2/', include('djangosaml2.urls')),
         ])
     if settings.DEBUG:
         urlpatterns.extend([
             # Keep commented unless debugging SAML2.
-            (r'^saml2-test/', 'djangosaml2.views.echo_attributes'),
+            url(r'^saml2-test/', 'djangosaml2.views.echo_attributes'),
             ])
 
 # vim: fdm=marker

saml-config/.gitignore

@@ -0,0 +1,2 @@
+*.pem
+*meta*.xml