How to (not) use Shibboleth with the Django web framework
This is not a complete guide on how to implement Shibboleth with Django. If you simply want to get going and need a step-by-step setup process, check out
my open source implementation of a Shibboleth-Django adapter and follow the README. If you run into trouble, hit me up on GitHub.
Shibboleth is a free open source solution for single sign-on. It is used mainly among public institutions like universities, libraries and government agencies. Django is a Python web framework "for people with deadlines". It is widely in use all over the web.
- Use an Apache server.
- The correct Apache configuration for Shibboleth is:
- Do not turn on request headers via the ShibUseHeaders configuration option. This is a security risk.
- Login
- Use the Django RemoteUserMiddleware together with the RemoteUserBackend
- You will find the Shibboleth attributes in the HttpRequest.META dictionary.
- You have to choose one Shibboleth attribute for authentication. It has to be persistent and unique to the user.
- If you want to use more Shibboleth attributes to populate fields of the Django user object, do it in the RemoteUserBackend.
- Logout
Other servers might work, but Shibboleth is designed for Apache.
<Location /app-url>
    AuthType shibboleth
    Require shibboleth
</Location>
You really do not need it. Shibboleth exports the attributes as environment variables, which reach the request.META dictionary in the Django middleware through WSGI without any HTTP headers. Headers are a security risk because a client can send its own; the environment variables set by the Shibboleth module cannot be supplied by the client. Do not add the headers, even if many people do this.
When installing Shibboleth you will have to configure the login URLs. The default is:
https://your_domain.edu/Shibboleth.sso/Login
Create a custom login view. From there you send the user to the Shibboleth login/logout location. When Django redirects the user to the login view, it passes the next
parameter in the GET request, which defines where the user should be redirected after login. Shibboleth uses the target
URL parameter to specify the redirect. This means you will want to do something like this:
from urllib.parse import quote
from django.shortcuts import redirect
from django.views.generic import TemplateView
class CustomLoginView(TemplateView):
    def get(self, request, *args, **kwargs):
        # Django passes the post-login destination as "next"; Shibboleth expects it as "target".
        login = "https://your_domain.edu/Shibboleth.sso/Login?target=%s" % quote(request.GET.get("next", "/"))
        return redirect(login)
Documentation on these classes can be found here: https://docs.djangoproject.com/en/dev/howto/auth-remote-user/
The RemoteUserMiddleware is passed a request object. You find your Shibboleth attributes in:
request.META
You then have to subclass the RemoteUserMiddleware class and set its header
class attribute to the key in request.META
that refers to this attribute.
Subclass the RemoteUserBackend and write your own implementation of the configure_user()
method, where you use the other Shibboleth attributes in request.META
to populate the Django user object.
For that you need to pass the META dictionary from the middleware to the backend. I do this in my project via the authenticate()
method, which I re-implemented for this purpose. If you have a better idea please let me know.
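The attribute handling the middleware and backend subclasses need, written here as plain functions over request.META so it runs without a Django installation (an added example, not code from this post, from the adapter linked above, or from Django): the middleware subclass would set header = SHIB_ID_KEY, and the backend's configure_user() would call apply_profile(user, request.META). The attribute names and the sample META values are assumptions.

```python
# Attribute names as exported by the SP's attribute-map.xml (assumption).
SHIB_ID_KEY = "eppn"          # persistent and unique: becomes the Django username
SHIB_FIELD_MAP = {            # other attributes -> fields on the Django user object
    "givenName": "first_name",
    "sn": "last_name",
    "mail": "email",
}


def first_value(raw):
    """mod_shib joins multi-valued attributes with ';'; keep the first one."""
    return raw.split(";")[0].strip()


def shib_username(meta):
    """Value the middleware hands to the backend, or None if nobody is logged in.

    mod_shib exports attributes as environment variables, which reach
    request.META under their bare name ("eppn"). A client cannot set those;
    anything it sends as an HTTP header lands under HTTP_<NAME> instead, so a
    forged "Eppn:" header (HTTP_EPPN) is never read. That is why the
    middleware's `header` attribute is "eppn", not "HTTP_EPPN".
    """
    return first_value(meta.get(SHIB_ID_KEY, "")) or None


def shib_profile(meta):
    """{user_field: value} for every mapped attribute present in META."""
    return {field: first_value(meta[key])
            for key, field in SHIB_FIELD_MAP.items() if meta.get(key)}


def apply_profile(user, meta):
    """What configure_user() does with META: copy the profile onto the user."""
    for field, value in shib_profile(meta).items():
        setattr(user, field, value)
    return user


# Constructed sample of request.META after a Shibboleth login, including two
# headers a client tried to inject (they are ignored).
SAMPLE_META = {
    "eppn": "alice@your_domain.edu",
    "givenName": "Alice",
    "sn": "Example",
    "mail": "alice@your_domain.edu;alice.example@your_domain.edu",
    "HTTP_EPPN": "admin@your_domain.edu",
    "HTTP_MAIL": "admin@your_domain.edu",
}
```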
Logout means logout from Shibboleth AND your application. Do not try to log the user out from your application while keeping him logged in to Shibboleth. It is confusing and the user might be misled to think he has completely logged out.
Apart from that, logout works pretty much like login. Create a custom view, redirect to
https://your_domain.edu/Shibboleth.sso/Logout
and so on.
But since you must log out the user from Django as well, do not forget to call
auth.logout(self.request)
before issuing the redirect.