This is not a complete guide on how to implement Shibboleth with Django. If you simply want to get going and need a step-by-step setup process, check out
my open source implementation of a Shibboleth - Django adapter and follow the README. If you run into trouble, hit me up on GitHub.
Shibboleth is a free open source solution for single sign-on. It is used mainly among public institutions like universities, libraries and government agencies. Django is a Python web framework "for people with deadlines". It is widely used all over the web.
- Use an Apache server.
- The correct Apache configuration for Shibboleth is:
- Do not turn on request headers via the ShibUseHeaders configuration option. This is a security risk.
- Use the Django RemoteUserMiddleware together with the RemoteUserBackend.
- You will find the Shibboleth attributes in the HttpRequest.META dictionary.
- You have to choose one Shibboleth attribute for authentication. It has to be persistent and unique to the user.
- If you want to use more Shibboleth attributes to populate fields of the Django user object, do it in the RemoteUserBackend.
Other servers might work, but Shibboleth is designed for Apache.
```apache
<Location /app-url>
    AuthType shibboleth
    Require shibboleth
</Location>
```
You really do not need ShibUseHeaders. The Shibboleth attributes are passed to the request.META dictionary in the Django middleware via WSGI. Do not turn the headers on, even though many guides do.
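To make the risk behind that advice concrete, here is an added example (not code from the post or its adapter project) that builds the request.META dictionary the way a WSGI server does and compares what a middleware reads from an environment variable with what it would read from a header. The attribute name "eppn" and the sample values are assumptions constructed for the demonstration.

```python
# Added example, not code from the original post: shows why attributes read
# from HTTP headers (ShibUseHeaders On) can be supplied by the client, while
# attributes read from the environment variables mod_shib exports cannot.
# The attribute name "eppn" is an assumption; it depends on attribute-map.xml.
def wsgi_meta(client_headers, shib_env):
    """Build the request.META dict Django would see for one request.

    WSGI servers copy every request header into META as HTTP_<NAME>
    (upper-cased, '-' becoming '_'); attributes exported by mod_shib are
    process environment variables and keep their exact name, no prefix."""
    meta = {}
    for name, value in client_headers.items():
        meta["HTTP_" + name.upper().replace("-", "_")] = value
    meta.update(shib_env)  # only the server process can set these keys
    return meta


def remote_user_from_env(meta, attribute="eppn"):
    """What a RemoteUserMiddleware subclass with header = "eppn" would read."""
    return meta.get(attribute)


def remote_user_from_header(meta, attribute="eppn"):
    """What the same subclass would read with header = "HTTP_EPPN", i.e. when
    relying on ShibUseHeaders: a header, so a client can send one as well.
    Whether such a header is stripped depends on the SP and every proxy in
    front of it; an environment variable never passes through that path."""
    return meta.get("HTTP_" + attribute.upper().replace("-", "_"))


# Constructed request 1: an anonymous client sends a header named "eppn".
# The SP has authenticated nobody, so it exported no attributes at all.
SPOOF_ATTEMPT = wsgi_meta(
    {"Host": "your_domain.edu", "eppn": "admin@your_domain.edu"}, {}
)

# Constructed request 2: a genuine session; mod_shib exported the attributes.
GENUINE_LOGIN = wsgi_meta(
    {"Host": "your_domain.edu"},
    {"eppn": "alice@your_domain.edu", "sn": "Example"},
)

if __name__ == "__main__":
    print(remote_user_from_env(SPOOF_ATTEMPT))     # None: request stays anonymous
    print(remote_user_from_header(SPOOF_ATTEMPT))  # admin@your_domain.edu: taken from the client
    print(remote_user_from_env(GENUINE_LOGIN))     # alice@your_domain.edu
```

The point to take from the two constructed requests: with the environment variable as the key, a request the SP did not authenticate carries no attribute at all, so the middleware leaves it anonymous; with the header as the key, the same dictionary contains whatever the client put in the header.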
When installing Shibboleth you will have to configure the login URLs. The default is:
Create a custom login view. From there you send the user to the Shibboleth login/logout location. When Django redirects the user to the login view, it passes the `next` parameter in the GET request, which defines where the user should be sent after login. Shibboleth uses the `target` URL parameter for the same purpose. This means you will want to do something like this:
```python
from urllib.parse import quote
from django.shortcuts import redirect
from django.views.generic import TemplateView

class CustomLoginView(TemplateView):
    def get(self, *args, **kwargs):
        # Django's "next" becomes the SP's "target"; default to "/" when it is absent
        login = "https://your_domain.edu/Shibboleth.sso/Login" + "?target=%s" % quote(self.request.GET.get("next", "/"))
        return redirect(login)
```
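The view above hands whatever `next` contains straight to the SP as `target`. As an added example (not code from the post or the adapter project), here is the check a practitioner would put in front of that redirect so that only targets on the application's own host are accepted; the rule mirrors the one Django's own login view applies to `next`, written out in plain Python so the individual cases are visible. The host name, the login handler URL (taken from the snippet above) and the function names are assumptions.

```python
# Added example, not code from the original post: validate Django's "next"
# before turning it into the Shibboleth "target" parameter. Host and handler
# URL are assumptions copied from the post's snippet.
from urllib.parse import quote, urlsplit

SHIB_LOGIN = "https://your_domain.edu/Shibboleth.sso/Login"


def safe_next(next_url, host, default="/"):
    """Return next_url only if it stays on ``host``; otherwise ``default``.

    Same host and http(s) only, like Django's url_has_allowed_host_and_scheme;
    the checks are spelled out here so each rejected shape is visible."""
    if not next_url:
        return default
    url = next_url.strip()
    # Browsers treat "\" like "/" ("/\evil.example" is protocol-relative),
    # Chrome treats "///host" as absolute, and control characters are never valid.
    if "\\" in url or url.startswith("///") or not url.isprintable():
        return default
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 netloc
        return default
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, ...
    if parts.scheme and not parts.netloc:
        return default  # "http:///evil.example" or "https:evil.example"
    if parts.netloc and parts.netloc.lower() != host.lower():
        return default  # absolute or protocol-relative URL to another host
    if not parts.netloc and not parts.path.startswith("/"):
        return default  # bare relative path, not meaningful as a target
    return url


def shib_login_url(next_url, host):
    """Build the SP login URL the custom login view should redirect to."""
    return SHIB_LOGIN + "?target=" + quote(safe_next(next_url, host))


if __name__ == "__main__":
    # Constructed inputs: one legitimate "next", one pointing off-site.
    print(shib_login_url("/app/?id=7", "your_domain.edu"))
    print(shib_login_url("//evil.example/", "your_domain.edu"))
```

In the view, `safe_next(self.request.GET.get("next"), self.request.get_host())` replaces the raw `self.request.GET.get("next")`; everything else stays as in the snippet above.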
Documentation on these classes can be found here: https://docs.djangoproject.com/en/dev/howto/auth-remote-user/
The RemoteUserMiddleware is passed a request object. You find your Shibboleth attributes in request.META.
You then have to subclass the RemoteUserMiddleware class and set the `header` member variable to the key in request.META that refers to this attribute.
Subclass the RemoteUserBackend and write your own implementation of the configure_user() method, where you use the other Shibboleth attributes in request.META to populate the Django user object.
For that you need to pass the META dictionary from the middleware to the backend. I do this in my project via the authenticate() method, which I re-implemented for this purpose. If you have a better idea, please let me know.
Logout means logout from Shibboleth AND your application. Do not try to log the user out from your application while keeping him logged in to Shibboleth. It is confusing, and the user might be misled into thinking he has completely logged out.
Apart from that, logout works pretty much like login. Create a custom view, redirect to
and so on.
But since you must log out the user from Django as well, do not forget to call
before issuing the redirect.