This is not a complete guide on how to implement Shibboleth with Django. If you simply want to get going and need a step-by-step setup process, check out
my open source implementation of a Shibboleth - Django adapter and follow the README. If you run into troubles, hit me up on GitHub.

Shibboleth is a free open source solution for single sign-on. It is used mainly among public institutions like universities, libraries and government agencies. Django is a python web framework "for people with deadlines". It is widely in use all over the web.

  1. Use an Apache server.
  2. Other servers might work, but Shibboleth is designed for Apache.

  3. The correct Apache configuration for Shibboleth is:
  4.  < Location /app-url >
      AuthType shibboleth
      Require shibboleth
    < /Location >
  5. Do not turn on request headers via the ShibUseHeaders configuration option. This is a security risk.
  6. You really do not need it. The Shibboleth attributes will be passed to the request.META dictionary in the Django Middleware via wsgi. Do not add the headers, even if many people do this.

  7. Login
  8. When installing Shibboleth you will have to configure the login urls. Default is:

    https://your_domain.edu/Shibboleth.sso/Login

    Create a custom login view. From there you send the user to the shibboleth login/logout location. When django redirects the user to the login view, it will pass the next parameter in the GET - request which defines where the user should be redirected after login. Shibboleth uses the target url parameter to specify the redirect. This means you will want to do something like this:

    class CustomLoginView(TemplateView):
        def get(self, *args, **kwargs):
            login=https://your_domain.edu/Shibboleth.sso/Login+'?target=%s'% quote(self.request.GET.get("next))
            return redirect(login)
  9. Use the Django RemoteUserMiddleware together with the RemoteUserBackend
  10. Documentation on these classes can be found here: https://docs.djangoproject.com/en/dev/howto/auth-remote-user/

  11. You will find the Shibboleth attributes in the HttpRequest.META dictionary.
  12. The RemoteUserMiddleware is passed a request object. You find your shibboleth attributes in:

    request.META
  13. You have to choose one shibboleth attribute for authentication. It has to be persistent and unique to the user.
  14. You then have to subclass the RemoteUserMiddleware class and set the header -member variable to the key in request.METAM that refers to this attribute.

  15. If you want to use more Shibboleth attributes to populate fields of the django user object, do it in the RemoteUserBackend.
  16. Subclass the RemoteUserBackend and write your own implementation of the configure_user() - method where you use the other shibboleth attributes in request.META to populate the django user object.
    For that you need to pass the META - dictionary from the middleware to the backend. I do this in my project via the autenticate() - method, which I re-implemented for this purpose. If you have a better idea please let me know.

  17. Logout
  18. Logout means logout from shibboleth AND your application. Do not try to log the user out from you application while keeping him logged in to shibboleth. It is confusing and the user might be mislead to think he has completely logged out.

    Apart from that, logout works pretty much like login. Create a custom view, redirect to

    https://your_domain.edu/Shibboleth.sso/Logout 

    and so on.
    But since you must log out the user from django as well, do not forget to call

    auth.logout(self.request)

    before issuing the redirect.