{"id":19756644,"url":"https://github.com/esnet/shibboleth_session_auth","last_synced_at":"2025-04-30T12:30:23.687Z","repository":{"id":49702621,"uuid":"63889090","full_name":"esnet/shibboleth_session_auth","owner":"esnet","description":"Simplistic Shibboleth integration with Django sessions","archived":false,"fork":false,"pushed_at":"2021-06-10T19:21:56.000Z","size":20,"stargazers_count":3,"open_issues_count":2,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-09-15T07:40:28.478Z","etag":null,"topics":["django","python","shibboleth"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/esnet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-07-21T17:28:16.000Z","updated_at":"2021-05-16T04:32:38.000Z","dependencies_parsed_at":"2022-08-30T05:50:17.261Z","dependency_job_id":null,"html_url":"https://github.com/esnet/shibboleth_session_auth","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/esnet%2Fshibboleth_session_auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/esnet%2Fshibboleth_session_auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/esnet%2Fshibboleth_session_auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/esnet%2Fshibboleth_session_auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/esnet","download_url":"https://codeload.github.com/esnet/shibboleth_session_auth/tar
.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224207899,"owners_count":17273674,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["django","python","shibboleth"],"created_at":"2024-11-12T03:16:32.353Z","updated_at":"2024-11-12T03:16:32.902Z","avatar_url":"https://github.com/esnet.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/esnet/shibboleth_session_auth.svg?branch=master)](https://travis-ci.org/esnet/shibboleth_session_auth) [![Coverage Status](https://coveralls.io/repos/github/esnet/shibboleth_session_auth/badge.svg?branch=master)](https://coveralls.io/github/esnet/shibboleth_session_auth?branch=master)\n\n# shibboleth_session_auth \n## Simplistic Shibboleth integration for Django sessions\n\nThis is a very simple way of allowing users to be authenticated via Shibboleth \nbut to be a part of Django groups and users. This is accomplished by using\nApache `mod_shib` to protect the provided view. If the user is able to\nauthenticate then we extract certain details from the data provided by\nShibboleth. 
The view will create Django Users and Groups as necessary.\n\n### Apache Config\n\nThis code has only been tested with `mod_shib` for Apache.\n\nHere's the config we use:\n\n```\n\u003cLocation /shibboleth-sso/\u003e\n  AuthType shibboleth\n  ShibCompatWith24 On\n  ShibRequestSetting requireSession true\n  Require shib-attr member staff\n\u003c/Location\u003e\n```\n\nYou may want to tweak or remove the `Require` line depending on your needs.\nAs it is, it requires users to be a member of group `staff` in order to be\nable to authenticate.\n\n### Django Setup\n\nYou'll need to add an entry in your `urls.py`, similar to this:\n\n```python\nfrom shibboleth_session_auth.views import shibboleth_session_auth\n\nurlpatterns += [\n    url(r'^shibboleth-sso/', shibboleth_session_auth, name=\"esnet-sso\"),\n]\n```\n\nNote that we use `shibboleth-sso` both here and in the Apache config.\n\n### Django Settings\n\n```python\nSHIBBOLETH_SESSION_AUTH = {\n    'IDP_ATTRIBUTE': 'Shib-Identity-Provider',\n    'AUTHORIZED_IDPS': [\n        'https://${YOUR_IDP}/idp/shibboleth',\n    ],\n    #\n    # note that we use Apache environment variables directly rather than the\n    # HTTP_xxx variables which are derived from the HTTP request headers.\n    # The HTTP_xxx variety is vulnerable to potential spoofing\n    #\n    'USER_ATTRIBUTES': [\n        ('uid', 'username', True),\n        ('mail', 'email', True),\n        ('givenName', 'first_name', False),\n        ('sn', 'last_name', False),\n    ],\n    'GROUP_ATTRIBUTE': 'member',\n    'GROUPS_BY_IDP': {},\n    'DJANGO_STAFF_GROUP': 'webadmin',\n}\n```\n\n`IDP_ATTRIBUTE` defines which Apache environment variable carries the name of\nthe IdP.\n\n`AUTHORIZED_IDPS` is a list of IdPs that we trust. The full URL may vary for\nyour setup -- please check this with whomever runs your IdP.\n\n`USER_ATTRIBUTES` is a list of tuples which are used to map from the attribute\nnames provided by the IdP to fields to be used with the Django User model. 
The\nformat is (`idp_attribute`, `django_model_attribute`, `required`).\n\n`GROUP_ATTRIBUTE` is the name used by the IdP to provide group membership.\nThe user will be added to each group listed in the group attribute. If the\ngroup does not already exist it will be created.  Groups are assumed to be\nseparated by a semicolon (`;`) in the data provided by the IdP.\n\n`GROUPS_BY_IDP` is a dictionary mapping an IdP (from `AUTHORIZED_IDPS`)\nto a list of groups. If the user is authenticated to the named IdP then\nthe user will be added to each of the groups, creating the groups as necessary.\n\n`DJANGO_STAFF_GROUP` is the name of the group presented by the IdP that will\nbe used to determine if the user has the `is_staff` bit set or not.\n\nWe assume the IdP is the source of truth for groups and for whether or not\na user should have Django staff privileges. This means that the set of groups\nthe user will be a member of will be exactly the set of groups that the IdP\nsends. This also means that if the user is no longer a member of\n`DJANGO_STAFF_GROUP`, they will lose their staff privileges.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fesnet%2Fshibboleth_session_auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fesnet%2Fshibboleth_session_auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fesnet%2Fshibboleth_session_auth/lists"}