def add_outstanding_query(self, session_id, came_from):
settings.SESSION_ENGINE = 'django.contrib.sessions.backends.db'
engine = import_module(settings.SESSION_ENGINE)
self.saml_session = engine.SessionStore()
self.saml_session.save()
self.oq_cache = OutstandingQueriesCache(self.saml_session)
self.oq_cache.set(session_id
if isinstance(session_id, str) else session_id.decode(),
came_from)
self.saml_session.save()
self.client.cookies[settings.SESSION_COOKIE_NAME] = self.saml_session.session_key
def custom_validation(self, response):
conf = get_config(None, self.request)
# Spid and SAML2 additional tests
accepted_time_diff = conf.accepted_time_diff
recipient = conf._sp_endpoints["assertion_consumer_service"][0][0]
authn_context_classref = settings.SPID_AUTH_CONTEXT
oq_cache = OutstandingQueriesCache(self.request.saml_session)
in_response_to = oq_cache.outstanding_queries()
logger.debug("in_response_to=%r", in_response_to)
validator = Saml2ResponseValidator(
authn_response=response.xmlstr,
recipient=recipient,
accepted_time_diff=accepted_time_diff,
in_response_to=in_response_to,
authn_context_class_ref=authn_context_classref,
return_addrs=response.return_addrs,
)
validator.run()
def login(request,
config_loader_path=None,
wayf_template='djangosaml2/wayf.html',
authorization_error_template='djangosaml2/auth_error.html',
post_binding_form_template='djangosaml2/post_binding_form.html'):
"""SAML Authorization Request initiator
This view initiates the SAML2 Authorization handshake
using the pysaml2 library to create the AuthnRequest.
It uses the SAML 2.0 Http Redirect protocol binding.
* post_binding_form_template - path to a template containing HTML form with
hidden input elements, used to send the SAML message data when HTTP POST
binding is being used. You can customize this template to include custom
branding and/or text explaining the automatic redirection process. Please
see the example template in
templates/djangosaml2/example_post_binding_form.html
If set to None or nonexistent template, default form from the saml2 library
will be rendered.
"""
logger.debug('Login process started')
came_from = request.GET.get('next', settings.LOGIN_REDIRECT_URL)
if not came_from:
logger.warning('The next parameter exists but is empty')
came_from = settings.LOGIN_REDIRECT_URL
# Ensure the user-originating redirection url is safe.
if not is_safe_url(url=came_from, host=request.get_host()):
came_from = settings.LOGIN_REDIRECT_URL
# if the user is already authenticated that maybe because of two reasons:
# A) He has this URL in two browser windows and in the other one he
# has already initiated the authenticated session.
# B) He comes from a view that (incorrectly) send him here because
# he does not have enough permissions. That view should have shown
# an authorization error in the first place.
# We can only make one thing here and that is configurable with the
# SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN setting. If that setting
# is True (default value) we will redirect him to the came_from view.
# Otherwise, we will show an (configurable) authorization error.
if not request.user.is_anonymous():
try:
redirect_authenticated_user = settings.SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN
except AttributeError:
redirect_authenticated_user = True
if redirect_authenticated_user:
return HttpResponseRedirect(came_from)
else:
logger.debug('User is already logged in')
return render(request, authorization_error_template, {
'came_from': came_from,
})
selected_idp = request.GET.get('idp', None)
conf = get_config(config_loader_path, request)
# is a embedded wayf needed?
idps = available_idps(conf)
if selected_idp is None and len(idps) > 1:
logger.debug('A discovery process is needed')
return render(request, wayf_template, {
'available_idps': idps.items(),
'came_from': came_from,
})
# Choose binding (REDIRECT vs. POST).
# When authn_requests_signed is turned on, HTTP Redirect binding cannot be
# used the same way as without signatures; proper usage in this case involves
# stripping out the signature from SAML XML message and creating a new
# signature, following precise steps defined in the SAML2.0 standard.
#
# It is not feasible to implement this since we wouldn't be able to use an
# external (xmlsec1) library to handle the signatures - more (higher level)
# context is needed in order to create such signature (like the value of
# RelayState parameter).
#
# Therefore it is much easier to use the HTTP POST binding in this case, as
# it can relay the whole signed SAML message as is, without the need to
# manipulate the signature or the XML message itself.
#
# Read more in the official SAML2 specs (3.4.4.1):
# http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
binding = BINDING_HTTP_POST if getattr(conf, '_sp_authn_requests_signed',
False) else BINDING_HTTP_REDIRECT
client = Saml2Client(conf)
try:
(session_id, result) = client.prepare_for_authenticate(
entityid=selected_idp,
relay_state=came_from,
binding=binding,
)
except TypeError as e:
logger.error('Unable to know which IdP to use')
return HttpResponse(unicode(e))
logger.debug('Saving the session_id in the OutstandingQueries cache')
oq_cache = OutstandingQueriesCache(request.session)
oq_cache.set(session_id, came_from)
logger.debug('Redirecting user to the IdP via %s binding.',
binding.split(':')[-1])
if binding == BINDING_HTTP_REDIRECT:
return HttpResponseRedirect(get_location(result))
elif binding == BINDING_HTTP_POST:
if not post_binding_form_template:
return HttpResponse(result['data'])
try:
params = get_hidden_form_inputs(result['data'][3])
return render(request, post_binding_form_template, {
'target_url': result['url'],
'params': params,
})
except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden):
raise PermissionDenied
except TemplateDoesNotExist:
return HttpResponse(result['data'])
else:
raise NotImplementedError('Unsupported binding: %s', binding)
def assertion_consumer_service(request,
config_loader_path=None,
attribute_mapping=None,
create_unknown_user=None):
"""SAML Authorization Response endpoint
The IdP will send its response to this view, which
will process it with pysaml2 help and log the user
in using the custom Authorization backend
djangosaml2.backends.Saml2Backend that should be
enabled in the settings.py
"""
attribute_mapping = attribute_mapping or get_custom_setting(
'SAML_ATTRIBUTE_MAPPING', {'uid': ('username', )})
create_unknown_user = create_unknown_user or get_custom_setting(
'SAML_CREATE_UNKNOWN_USER', True)
logger.debug('Assertion Consumer Service started')
conf = get_config(config_loader_path, request)
if 'SAMLResponse' not in request.POST:
return HttpResponseBadRequest(
'Couldn\'t find "SAMLResponse" in POST data.')
xmlstr = request.POST['SAMLResponse']
client = Saml2Client(conf, identity_cache=IdentityCache(request.session))
oq_cache = OutstandingQueriesCache(request.session)
outstanding_queries = oq_cache.outstanding_queries()
try:
response = client.parse_authn_request_response(xmlstr,
BINDING_HTTP_POST,
outstanding_queries)
except StatusError:
return render(request, 'djangosaml2/login_error.html', status=403)
except MissingKey:
logger.error('MissingKey error in ACS')
return HttpResponseForbidden(
"The Identity Provider is not configured correctly: "
"the certificate key is missing")
if response is None:
logger.error('SAML response is None')
return HttpResponseBadRequest(
"SAML response has errors. Please check the logs")
session_id = response.session_id()
oq_cache.delete(session_id)
# authenticate the remote user
session_info = response.session_info()
if callable(attribute_mapping):
attribute_mapping = attribute_mapping()
if callable(create_unknown_user):
create_unknown_user = create_unknown_user()
logger.debug('Trying to authenticate the user')
user = auth.authenticate(session_info=session_info,
attribute_mapping=attribute_mapping,
create_unknown_user=create_unknown_user)
if user is None:
logger.error('The user is None')
return render(request,
'djangosaml2/permission_denied.html',
status=403)
auth.login(request, user)
_set_subject_id(request.session, session_info['name_id'])
logger.debug('Sending the post_authenticated signal')
post_authenticated.send_robust(sender=user, session_info=session_info)
# redirect the user to the view where he came from
default_relay_state = get_custom_setting('ACS_DEFAULT_REDIRECT_URL',
settings.LOGIN_REDIRECT_URL)
relay_state = request.POST.get('RelayState', default_relay_state)
if not relay_state:
logger.warning('The RelayState parameter exists but is empty')
relay_state = default_relay_state
if not is_safe_url(url=relay_state, host=request.get_host()):
came_from = settings.LOGIN_REDIRECT_URL
logger.debug('Redirecting to the RelayState: %s', relay_state)
return HttpResponseRedirect(relay_state)
def add_outstanding_query(self, session_id, came_from):
session = self.client.session
oq_cache = OutstandingQueriesCache(session)
oq_cache.set(session_id, came_from)
session.save()
self.client.cookies[settings.SESSION_COOKIE_NAME] = session.session_key
def spid_login(
request,
config_loader_path=None,
wayf_template="wayf.html",
authorization_error_template="djangosaml2/auth_error.html",
):
"""SAML Authorization Request initiator
This view initiates the SAML2 Authorization handshake
using the pysaml2 library to create the AuthnRequest.
It uses the SAML 2.0 Http POST protocol binding.
"""
logger.debug("SPID Login process started")
next_url = request.GET.get("next", settings.LOGIN_REDIRECT_URL)
if not next_url:
logger.warning("The next parameter exists but is empty")
next_url = settings.LOGIN_REDIRECT_URL
# Ensure the user-originating redirection url is safe.
if not validate_referral_url(request, next_url):
next_url = settings.LOGIN_REDIRECT_URL
if request.user.is_authenticated:
redirect_authenticated_user = getattr(
settings, "SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN", True)
if redirect_authenticated_user:
return HttpResponseRedirect(next_url)
else: # pragma: no cover
logger.debug("User is already logged in")
return render(request, authorization_error_template,
{"came_from": next_url})
# this works only if request came from wayf
selected_idp = request.GET.get("idp", None)
conf = get_config(config_loader_path, request)
# is a embedded wayf needed?
idps = available_idps(conf)
if selected_idp is None and len(idps) > 1:
logger.debug("A discovery process is needed")
return render(
request,
wayf_template,
{
"available_idps": idps.items(),
"next_url": next_url
},
)
else:
# otherwise is the first one
_msg = "Unable to know which IdP to use"
try:
selected_idp = selected_idp or list(idps.keys())[0]
except TypeError as e: # pragma: no cover
logger.error(f"{_msg}: {e}")
return HttpResponseNotFound(_msg)
except IndexError as e: # pragma: no cover
logger.error(f"{_msg}: {e}")
return HttpResponseNotFound(_msg)
# ensure our selected binding is supported by the IDP
logger.debug(
f"Trying binding {SAML2_DEFAULT_BINDING} for IDP {selected_idp}")
supported_bindings = get_idp_sso_supported_bindings(selected_idp,
config=conf)
if not supported_bindings:
_msg = "IdP Metadata not found or not valid"
return HttpResponseNotFound(_msg)
if SAML2_DEFAULT_BINDING not in supported_bindings:
_msg = (f"Requested: {SAML2_DEFAULT_BINDING} but the selected "
f"IDP [{selected_idp}] doesn't support "
f"{BINDING_HTTP_POST} or {BINDING_HTTP_REDIRECT}. "
f"Check if IdP Metadata is correctly loaded and updated.")
logger.error(_msg)
raise UnsupportedBinding(_msg)
# SPID things here
try:
login_response = spid_sp_authn_request(conf, selected_idp, next_url)
except UnknownSystemEntity as e: # pragma: no cover
_msg = f"Unknown IDP Entity ID: {selected_idp}"
logger.error(f"{_msg}: {e}")
return HttpResponseNotFound(_msg)
session_id = login_response["session_id"]
http_response = login_response["http_response"]
# success, so save the session ID and return our response
logger.debug(
f"Saving session-id {session_id} in the OutstandingQueries cache")
oq_cache = OutstandingQueriesCache(request.saml_session)
oq_cache.set(session_id, next_url)
if SAML2_DEFAULT_BINDING == saml2.BINDING_HTTP_POST:
return HttpResponse(http_response["data"])
elif SAML2_DEFAULT_BINDING == saml2.BINDING_HTTP_REDIRECT:
headers = dict(login_response["http_response"]["headers"])
return HttpResponseRedirect(headers["Location"])
},
context_instance=RequestContext(request))
client = Saml2Client(conf)
try:
(session_id, result) = client.prepare_for_authenticate(
entityid=selected_idp,
relay_state=came_from,
binding=BINDING_HTTP_REDIRECT,
)
except TypeError, e:
logger.error('Unable to know which IdP to use')
return HttpResponse(unicode(e))
logger.debug('Saving the session_id in the OutstandingQueries cache')
oq_cache = OutstandingQueriesCache(request.session)
oq_cache.set(session_id, came_from)
logger.debug('Redirecting the user to the IdP')
return HttpResponseRedirect(get_location(result))
@require_POST
@csrf_exempt
def assertion_consumer_service(request,
config_loader_path=None,
attribute_mapping=None,
create_unknown_user=None):
"""SAML Authorization Response endpoint
The IdP will send its response to this view, which
def spid_login(request,
config_loader_path=None,
wayf_template='djangosaml2/wayf.html',
authorization_error_template='djangosaml2/auth_error.html'):
"""SAML Authorization Request initiator
This view initiates the SAML2 Authorization handshake
using the pysaml2 library to create the AuthnRequest.
It uses the SAML 2.0 Http POST protocol binding.
"""
logger.debug('SPID Login process started')
came_from = request.GET.get('next', settings.LOGIN_REDIRECT_URL)
if not came_from:
logger.warning('The next parameter exists but is empty')
came_from = settings.LOGIN_REDIRECT_URL
# Ensure the user-originating redirection url is safe.
if not is_safe_url_compat(url=came_from, allowed_hosts={request.get_host()}):
came_from = settings.LOGIN_REDIRECT_URL
# if the user is already authenticated that maybe because of two reasons:
# A) He has this URL in two browser windows and in the other one he
# has already initiated the authenticated session.
# B) He comes from a view that (incorrectly) send him here because
# he does not have enough permissions. That view should have shown
# an authorization error in the first place.
# We can only make one thing here and that is configurable with the
# SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN setting. If that setting
# is True (default value) we will redirect him to the came_from view.
# Otherwise, we will show an (configurable) authorization error.
if callable(request.user.is_authenticated):
redirect_authenticated_user = getattr(settings,
'SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN',
True)
if redirect_authenticated_user:
return HttpResponseRedirect(came_from)
else:
logger.debug('User is already logged in')
return render(request, authorization_error_template, {
'came_from': came_from})
# this works only if request came from wayf
selected_idp = request.GET.get('idp', None)
conf = get_config(config_loader_path, request)
# is a embedded wayf needed?
idps = available_idps(conf)
if selected_idp is None and len(idps) > 1:
logger.debug('A discovery process is needed')
return render(request, wayf_template, {
'available_idps': idps.items(),
'came_from': came_from})
else:
# otherwise is the first one
try:
selected_idp = list(idps.keys())[0]
except TypeError as e:
logger.error('Unable to know which IdP to use')
return HttpResponse(text_type(e))
# choose a binding to try first
# sign_requests = getattr(conf, '_sp_authn_requests_signed', False)
binding = BINDING_HTTP_POST
logger.debug('Trying binding %s for IDP %s', binding, selected_idp)
# ensure our selected binding is supported by the IDP
supported_bindings = get_idp_sso_supported_bindings(selected_idp, config=conf)
if binding != BINDING_HTTP_POST:
raise UnsupportedBinding('IDP %s does not support %s or %s',
selected_idp, BINDING_HTTP_POST, BINDING_HTTP_REDIRECT)
client = Saml2Client(conf)
logger.debug('Redirecting user to the IdP via %s binding.', binding)
# use the html provided by pysaml2 if no template was specified or it didn't exist
# SPID want the fqdn of the IDP, not the SSO endpoint
location_fixed = selected_idp
location = client.sso_location(selected_idp, binding)
# ...hope to see the SSO endpoint soon in spid-testenv2
authn_req = saml2.samlp.AuthnRequest()
authn_req.destination = location_fixed
# spid-testenv2 preleva l'attribute consumer service dalla authnRequest (anche se questo sta già nei metadati...)
authn_req.attribute_consuming_service_index = "0"
# import pdb; pdb.set_trace()
issuer = saml2.saml.Issuer()
issuer.name_qualifier = client.config.entityid
issuer.text = client.config.entityid
issuer.format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
authn_req.issuer = issuer
# message id
authn_req.id = saml2.s_utils.sid()
authn_req.version = saml2.VERSION # "2.0"
authn_req.issue_instant = saml2.time_util.instant()
name_id_policy = saml2.samlp.NameIDPolicy()
# del(name_id_policy.allow_create)
name_id_policy.format = settings.SPID_NAMEID_FORMAT
authn_req.name_id_policy = name_id_policy
authn_context = requested_authn_context(class_ref=settings.SPID_AUTH_CONTEXT)
authn_req.requested_authn_context = authn_context
authn_req.protocol_binding = settings.SPID_DEFAULT_BINDING
assertion_consumer_service_url = client.config._sp_endpoints['assertion_consumer_service'][0][0]
authn_req.assertion_consumer_service_url = assertion_consumer_service_url #'http://sp1.testunical.it:8000/saml2/acs/'
authn_req_signed = client.sign(authn_req, sign_prepare=False,
sign_alg=settings.SPID_ENC_ALG,
digest_alg=settings.SPID_DIG_ALG)
session_id = authn_req.id
_req_str = authn_req_signed
logger.debug('AuthRequest to {}: {}'.format(selected_idp, (_req_str)))
http_info = client.apply_binding(binding,
_req_str, location,
sign=True,
sigalg=settings.SPID_ENC_ALG)
# success, so save the session ID and return our response
logger.debug('Saving the session_id in the OutstandingQueries cache')
oq_cache = OutstandingQueriesCache(request.session)
oq_cache.set(session_id, came_from)
return HttpResponse(http_info['data'])
def assertion_consumer_service(request,
config_loader_path=None,
attribute_mapping=None,
create_unknown_user=None):
"""SAML Authorization Response endpoint
The IdP will send its response to this view, which
will process it with pysaml2 help and log the user
in using the custom Authorization backend
djangosaml2.backends.Saml2Backend that should be
enabled in the settings.py
"""
attribute_mapping = attribute_mapping or get_custom_setting(
'SAML_ATTRIBUTE_MAPPING', {'uid': ('username', )})
create_unknown_user = create_unknown_user if create_unknown_user is not None else \
get_custom_setting('SAML_CREATE_UNKNOWN_USER', True)
conf = get_config(config_loader_path, request)
try:
xmlstr = request.POST['SAMLResponse']
except KeyError:
logger.warning('Missing "SAMLResponse" parameter in POST data.')
raise SuspiciousOperation
client = Saml2Client(conf, identity_cache=IdentityCache(request.session))
oq_cache = OutstandingQueriesCache(request.session)
outstanding_queries = oq_cache.outstanding_queries()
try:
response = client.parse_authn_request_response(xmlstr,
BINDING_HTTP_POST,
outstanding_queries)
except (StatusError, ToEarly):
logger.exception("Error processing SAML Assertion.")
return fail_acs_response(request)
except ResponseLifetimeExceed:
logger.info(
"SAML Assertion is no longer valid. Possibly caused by network delay or replay attack.",
exc_info=True)
return fail_acs_response(request)
except SignatureError:
logger.info("Invalid or malformed SAML Assertion.", exc_info=True)
return fail_acs_response(request)
except StatusAuthnFailed:
logger.info("Authentication denied for user by IdP.", exc_info=True)
return fail_acs_response(request)
except StatusRequestDenied:
logger.warning("Authentication interrupted at IdP.", exc_info=True)
return fail_acs_response(request)
except MissingKey:
logger.exception(
"SAML Identity Provider is not configured correctly: certificate key is missing!"
)
return fail_acs_response(request)
except UnsolicitedResponse:
logger.exception(
"Received SAMLResponse when no request has been made.")
return fail_acs_response(request)
if response is None:
logger.warning("Invalid SAML Assertion received (unknown error).")
return fail_acs_response(request,
status=400,
exc_class=SuspiciousOperation)
session_id = response.session_id()
oq_cache.delete(session_id)
# authenticate the remote user
session_info = response.session_info()
if callable(attribute_mapping):
attribute_mapping = attribute_mapping()
if callable(create_unknown_user):
create_unknown_user = create_unknown_user()
logger.debug('Trying to authenticate the user. Session info: %s',
session_info)
user = auth.authenticate(request=request,
session_info=session_info,
attribute_mapping=attribute_mapping,
create_unknown_user=create_unknown_user)
if user is None:
logger.warning(
"Could not authenticate user received in SAML Assertion. Session info: %s",
session_info)
raise PermissionDenied
auth.login(request, user)
_set_subject_id(request.session, session_info['name_id'])
logger.debug("User %s authenticated via SSO.", user)
logger.debug('Sending the post_authenticated signal')
post_authenticated.send_robust(sender=user, session_info=session_info)
# redirect the user to the view where he came from
default_relay_state = get_custom_setting('ACS_DEFAULT_REDIRECT_URL',
settings.LOGIN_REDIRECT_URL)
relay_state = request.POST.get('RelayState', default_relay_state)
if not relay_state:
logger.warning('The RelayState parameter exists but is empty')
relay_state = default_relay_state
if not is_safe_url_compat(url=relay_state,
allowed_hosts={request.get_host()}):
relay_state = settings.LOGIN_REDIRECT_URL
logger.debug('Redirecting to the RelayState: %s', relay_state)
return HttpResponseRedirect(relay_state)
def spid_login(request,
config_loader_path=None,
wayf_template='wayf.html',
authorization_error_template='djangosaml2/auth_error.html'):
"""SAML Authorization Request initiator
This view initiates the SAML2 Authorization handshake
using the pysaml2 library to create the AuthnRequest.
It uses the SAML 2.0 Http POST protocol binding.
"""
logger.debug('SPID Login process started')
next_url = request.GET.get('next', settings.LOGIN_REDIRECT_URL)
if not next_url:
logger.warning('The next parameter exists but is empty')
next_url = settings.LOGIN_REDIRECT_URL
# Ensure the user-originating redirection url is safe.
if not validate_referral_url(request, next_url):
next_url = settings.LOGIN_REDIRECT_URL
if callable(request.user.is_authenticated):
redirect_authenticated_user = getattr(
settings, 'SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN', True)
if redirect_authenticated_user:
return HttpResponseRedirect(next_url)
else:
logger.debug('User is already logged in')
return render(request, authorization_error_template,
{'came_from': next_url})
# this works only if request came from wayf
selected_idp = request.GET.get('idp', None)
conf = get_config(config_loader_path, request)
# is a embedded wayf needed?
idps = available_idps(conf)
if selected_idp is None and len(idps) > 1:
logger.debug('A discovery process is needed')
return render(request, wayf_template, {
'available_idps': idps.items(),
'next_url': next_url
})
else:
# otherwise is the first one
try:
selected_idp = selected_idp or list(idps.keys())[0]
except TypeError as e:
logger.error('Unable to know which IdP to use')
return HttpResponse(text_type(e))
binding = BINDING_HTTP_POST
logger.debug(f'Trying binding {binding} for IDP {selected_idp}')
# ensure our selected binding is supported by the IDP
supported_bindings = get_idp_sso_supported_bindings(selected_idp,
config=conf)
if binding != BINDING_HTTP_POST:
raise UnsupportedBinding('IDP %s does not support %s or %s',
selected_idp, BINDING_HTTP_POST,
BINDING_HTTP_REDIRECT)
# SPID things here
login_response = spid_sp_authn_request(conf, selected_idp, binding,
settings.SPID_NAMEID_FORMAT,
settings.SPID_AUTH_CONTEXT,
settings.SPID_SIG_ALG,
settings.SPID_DIG_ALG, next_url)
session_id = login_response['session_id']
http_response = login_response['http_response']
# success, so save the session ID and return our response
logger.debug(
f'Saving session-id {session_id} in the OutstandingQueries cache')
oq_cache = OutstandingQueriesCache(request.saml_session)
oq_cache.set(session_id, next_url)
return HttpResponse(http_response['data'])
def test_valid_form(self):
url, data, session_id = self._get_sp_authn_request()
response = self.client.post(url, data, follow=True)
# csrf_regexp = '<input type="hidden" name="csrfmiddlewaretoken" value="(?P<value>[a-zA-Z0-9+=]*)">'
# login_data['csrfmiddlewaretoken'] = re.findall(csrf_regexp, response.content.decode())[0]
self.login_data['password'] = '******'
login_response = self.client.post(login_url,
data=self.login_data,
follow=True)
# is there a SAML response?
saml_resp = re.findall(samlresponse_form_regexp,
login_response.content.decode())
assert saml_resp
# test agreement screens
self.sp.agreement_screen = 1
self.sp.save()
login_response = self.client.post(login_url,
data=self.login_data,
follow=True)
assert 'has requested the following informations' in login_response.content.decode(
)
# don't show again
agr_data = dict(dont_show_again=1, confirm=1)
agr_url = reverse('uniauth:saml_user_agreement')
agr_response = self.client.post(agr_url, data=agr_data, follow=True)
# login again, agreement screen should not be displayed anymore
# purge persistent_id from storage
self.user.persistentid_set.all().delete()
login_response = self.client.post(login_url,
data=self.login_data,
follow=True)
saml_resp = re.findall(samlresponse_form_regexp,
login_response.content.decode())
assert saml_resp
# transient name_id format, remove persistent_id
sp_conf = copy.deepcopy(SAML_SP_CONFIG)
del (sp_conf['service']['sp']['name_id_format'][0])
self.sp_conf.load(sp_conf)
url, data, session_id = self._get_sp_authn_request()
response = self.client.post(url, data, follow=True)
login_response = self.client.post(login_url,
data=self.login_data,
follow=True)
# test logout
session = self.client.session
state = StateCache(session)
identity_cache = IdentityCache(session)
oq_cache = OutstandingQueriesCache(session)
oq_cache.set(session_id, '/')
outstanding_queries = oq_cache.outstanding_queries()
client = Saml2Client(self.sp_conf,
state_cache=state,
identity_cache=IdentityCache(session))
response = client.parse_authn_request_response(saml_resp[0],
BINDING_HTTP_POST,
outstanding_queries)
# this should take name_id dict
# result = client.global_logout(session['SAML']['subject_id'])
logout_result = client.global_logout(response.name_id)
# is there a SAML response?
saml_req_logout = re.findall(samlrequest_form_regexp,
logout_result[idp_eid][1]['data'])
assert saml_req_logout
logout_response = self.client.post(
logout_url, data={'SAMLRequest': saml_req_logout}, follow=True)
def assertion_consumer_service(request,
config_loader_path=None,
attribute_mapping=None,
create_unknown_user=None):
"""SAML Authorization Response endpoint
The IdP will send its response to this view, which
will process it with pysaml2 help and log the user
in using the custom Authorization backend
djangosaml2.backends.Saml2Backend that should be
enabled in the settings.py
"""
attribute_mapping = attribute_mapping or get_custom_setting(
'SAML_ATTRIBUTE_MAPPING', {'uid': ('username', )})
create_unknown_user = create_unknown_user or get_custom_setting(
'SAML_CREATE_UNKNOWN_USER', True)
logger.debug('Assertion Consumer Service started')
conf = get_config(config_loader_path, request)
if 'SAMLResponse' not in request.POST:
return HttpResponseBadRequest(
'Couldn\'t find "SAMLResponse" in POST data.')
post = {'SAMLResponse': request.POST['SAMLResponse']}
client = Saml2Client(conf, identity_cache=IdentityCache(request.session),
logger=logger)
oq_cache = OutstandingQueriesCache(request.session)
outstanding_queries = oq_cache.outstanding_queries()
# process the authentication response
response = client.response(post, outstanding_queries)
if response is None:
logger.error('SAML response is None')
return HttpResponseBadRequest(
"SAML response has errors. Please check the logs")
session_id = response.session_id()
oq_cache.delete(session_id)
# authenticate the remote user
session_info = response.session_info()
if callable(attribute_mapping):
attribute_mapping = attribute_mapping()
if callable(create_unknown_user):
create_unknown_user = create_unknown_user()
logger.debug('Trying to authenticate the user')
user = auth.authenticate(session_info=session_info,
attribute_mapping=attribute_mapping,
create_unknown_user=create_unknown_user)
if user is None:
logger.error('The user is None')
return HttpResponseForbidden("Permission denied")
auth.login(request, user)
_set_subject_id(request.session, session_info['name_id'])
logger.debug('Sending the post_authenticated signal')
post_authenticated.send_robust(sender=user, session_info=session_info)
# redirect the user to the view where he came from
relay_state = request.POST.get('RelayState', '/')
if not relay_state:
logger.warning('The RelayState parameter exists but is empty')
relay_state = settings.LOGIN_REDIRECT_URL
logger.debug('Redirecting to the RelayState: ' + relay_state)
return HttpResponseRedirect(relay_state)
def spid_login(request,
config_loader_path=None,
wayf_template='wayf.html',
authorization_error_template='djangosaml2/auth_error.html'):
"""SAML Authorization Request initiator
This view initiates the SAML2 Authorization handshake
using the pysaml2 library to create the AuthnRequest.
It uses the SAML 2.0 Http POST protocol binding.
"""
logger.debug('SPID Login process started')
next_url = request.GET.get('next', settings.LOGIN_REDIRECT_URL)
if not next_url:
logger.warning('The next parameter exists but is empty')
next_url = settings.LOGIN_REDIRECT_URL
# Ensure the user-originating redirection url is safe.
if not validate_referral_url(request, next_url):
next_url = settings.LOGIN_REDIRECT_URL
if request.user.is_authenticated:
redirect_authenticated_user = getattr(settings,
'SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN',
True)
if redirect_authenticated_user:
return HttpResponseRedirect(next_url)
else: # pragma: no cover
logger.debug('User is already logged in')
return render(request, authorization_error_template, {
'came_from': next_url})
# this works only if request came from wayf
selected_idp = request.GET.get('idp', None)
conf = get_config(config_loader_path, request)
# is a embedded wayf needed?
idps = available_idps(conf)
if selected_idp is None and len(idps) > 1:
logger.debug('A discovery process is needed')
return render(request, wayf_template,
{
'available_idps': idps.items(),
'next_url': next_url
}
)
else:
# otherwise is the first one
_msg = 'Unable to know which IdP to use'
try:
selected_idp = selected_idp or list(idps.keys())[0]
except TypeError as e: # pragma: no cover
logger.error(f'{_msg}: {e}')
return HttpResponseError(_msg)
except IndexError as e: # pragma: no cover
logger.error(f'{_msg}: {e}')
return HttpResponseNotFound(_msg)
binding = settings.SPID_DEFAULT_BINDING
logger.debug(f'Trying binding {binding} for IDP {selected_idp}')
# ensure our selected binding is supported by the IDP
supported_bindings = get_idp_sso_supported_bindings(selected_idp, config=conf)
if binding not in supported_bindings:
_msg = (
f"Requested: {binding} but the selected "
f"IDP [{selected_idp}] doesn't support "
f"{BINDING_HTTP_POST} or {BINDING_HTTP_REDIRECT}. "
f"Check if IdP Metadata is correctly loaded and updated."
)
logger.error(_msg)
raise UnsupportedBinding(_msg)
# SPID things here
try:
login_response = spid_sp_authn_request(conf,
selected_idp,
binding,
settings.SPID_NAMEID_FORMAT,
settings.SPID_AUTH_CONTEXT,
settings.SPID_SIG_ALG,
settings.SPID_DIG_ALG,
next_url
)
except UnknownSystemEntity as e: # pragma: no cover
_msg = f'Unknown IDP Entity ID: {selected_idp}'
logger.error(f'{_msg}: {e}')
return HttpResponseNotFound(_msg)
session_id = login_response['session_id']
http_response = login_response['http_response']
# success, so save the session ID and return our response
logger.debug(f'Saving session-id {session_id} in the OutstandingQueries cache')
oq_cache = OutstandingQueriesCache(request.saml_session)
oq_cache.set(session_id, next_url)
if binding == saml2.BINDING_HTTP_POST:
return HttpResponse(http_response['data'])
elif binding == saml2.BINDING_HTTP_REDIRECT:
headers = dict(login_response['http_response']['headers'])
return HttpResponseRedirect(headers['Location'])
def post(self, request):
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
attribute_mapping = get_custom_setting(
'SAML_ATTRIBUTE_MAPPING', {'uid': ('username', )})
create_unknown_user = get_custom_setting(
'SAML_CREATE_UNKNOWN_USER', True)
conf = get_config(request=request)
client = Saml2Client(conf, identity_cache=IdentityCache(request.session))
oq_cache = OutstandingQueriesCache(request.session)
outstanding_queries = oq_cache.outstanding_queries()
xmlstr = serializer.validated_data['SAMLResponse']
# process the authentication response
try:
response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries)
except Exception as e:
if isinstance(e, StatusRequestDenied):
return login_failed(_('Authentication request has been denied by identity provider. '
'Please check your credentials.'))
logger.error('SAML response parsing failed %s' % e)
return login_failed(_('SAML2 response has errors.'))
if response is None:
logger.error('SAML response is None')
return login_failed(_('SAML response has errors. Please check the logs'))
if response.assertion is None:
logger.error('SAML response assertion is None')
return login_failed(_('SAML response has errors. Please check the logs'))
session_id = response.session_id()
oq_cache.delete(session_id)
# authenticate the remote user
session_info = response.session_info()
if callable(attribute_mapping):
attribute_mapping = attribute_mapping()
if callable(create_unknown_user):
create_unknown_user = create_unknown_user()
user = auth.authenticate(
session_info=session_info,
attribute_mapping=attribute_mapping,
create_unknown_user=create_unknown_user,
)
if user is None:
return login_failed(_('SAML2 authentication failed.'))
registration_method = settings.WALDUR_AUTH_SAML2.get('name', 'saml2')
if user.registration_method != registration_method:
user.registration_method = registration_method
user.save(update_fields=['registration_method'])
# required for validating SAML2 logout requests
auth.login(request, user)
_set_subject_id(request.session, session_info['name_id'])
logger.debug('User %s authenticated via SSO.', user)
logger.debug('Sending the post_authenticated signal')
post_authenticated.send_robust(sender=user, session_info=session_info)
token = self.refresh_token(user)
logger.info('Authenticated with SAML token. Returning token for successful login of user %s', user)
event_logger.saml2_auth.info(
'User {user_username} with full name {user_full_name} logged in successfully with SAML2.',
event_type='auth_logged_in_with_saml2', event_context={'user': user}
)
return login_completed(token.key, 'saml2')
def login(request,
config_loader_path=None,
wayf_template='djangosaml2/wayf.html',
authorization_error_template='djangosaml2/auth_error.html',
post_binding_form_template='djangosaml2/post_binding_form.html'):
"""SAML Authorization Request initiator
This view initiates the SAML2 Authorization handshake
using the pysaml2 library to create the AuthnRequest.
It uses the SAML 2.0 Http Redirect protocol binding.
* post_binding_form_template - path to a template containing HTML form with
hidden input elements, used to send the SAML message data when HTTP POST
binding is being used. You can customize this template to include custom
branding and/or text explaining the automatic redirection process. Please
see the example template in
templates/djangosaml2/example_post_binding_form.html
If set to None or nonexistent template, default form from the saml2 library
will be rendered.
"""
logger.debug('Login process started')
came_from = request.GET.get('next', settings.LOGIN_REDIRECT_URL)
if not came_from:
logger.warning('The next parameter exists but is empty')
came_from = settings.LOGIN_REDIRECT_URL
# Ensure the user-originating redirection url is safe.
if not is_safe_url(url=came_from, host=request.get_host()):
came_from = settings.LOGIN_REDIRECT_URL
# if the user is already authenticated that maybe because of two reasons:
# A) He has this URL in two browser windows and in the other one he
# has already initiated the authenticated session.
# B) He comes from a view that (incorrectly) send him here because
# he does not have enough permissions. That view should have shown
# an authorization error in the first place.
# We can only make one thing here and that is configurable with the
# SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN setting. If that setting
# is True (default value) we will redirect him to the came_from view.
# Otherwise, we will show an (configurable) authorization error.
if not request.user.is_anonymous():
try:
redirect_authenticated_user = settings.SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN
except AttributeError:
redirect_authenticated_user = True
if redirect_authenticated_user:
return HttpResponseRedirect(came_from)
else:
logger.debug('User is already logged in')
return render(request, authorization_error_template, {
'came_from': came_from,
})
selected_idp = request.GET.get('idp', None)
conf = get_config(config_loader_path, request)
# is a embedded wayf needed?
idps = available_idps(conf)
if selected_idp is None and len(idps) > 1:
logger.debug('A discovery process is needed')
return render(request, wayf_template, {
'available_idps': idps.items(),
'came_from': came_from,
})
# choose a binding to try first
sign_requests = getattr(conf, '_sp_authn_requests_signed', False)
binding = BINDING_HTTP_POST if sign_requests else BINDING_HTTP_REDIRECT
logger.debug('Trying binding %s for IDP %s', binding, selected_idp)
# ensure our selected binding is supported by the IDP
supported_bindings = get_idp_sso_supported_bindings(selected_idp,
config=conf)
if binding not in supported_bindings:
logger.debug('Binding %s not in IDP %s supported bindings: %s',
binding, selected_idp, supported_bindings)
if binding == BINDING_HTTP_POST:
logger.warning('IDP %s does not support %s, trying %s',
selected_idp, binding, BINDING_HTTP_REDIRECT)
binding = BINDING_HTTP_REDIRECT
else:
logger.warning('IDP %s does not support %s, trying %s',
selected_idp, binding, BINDING_HTTP_POST)
binding = BINDING_HTTP_POST
# if switched binding still not supported, give up
if binding not in supported_bindings:
raise UnsupportedBinding('IDP %s does not support %s or %s',
selected_idp, BINDING_HTTP_POST,
BINDING_HTTP_REDIRECT)
client = Saml2Client(conf)
http_response = None
logger.debug('Redirecting user to the IdP via %s binding.', binding)
if binding == BINDING_HTTP_REDIRECT:
try:
# do not sign the xml itself, instead us the sigalg to
# generate the signature as a URL param
sigalg = SIG_RSA_SHA1 if sign_requests else None
session_id, result = client.prepare_for_authenticate(
entityid=selected_idp,
relay_state=came_from,
binding=binding,
sign=False,
sigalg=sigalg)
except TypeError as e:
logger.error('Unable to know which IdP to use')
return HttpResponse(text_type(e))
else:
http_response = HttpResponseRedirect(get_location(result))
elif binding == BINDING_HTTP_POST:
# use the html provided by pysaml2 if no template specified
if not post_binding_form_template:
try:
session_id, result = client.prepare_for_authenticate(
entityid=selected_idp,
relay_state=came_from,
binding=binding)
except TypeError as e:
logger.error('Unable to know which IdP to use')
return HttpResponse(text_type(e))
else:
http_response = HttpResponse(result['data'])
# get request XML to build our own html based on the template
else:
try:
location = client.sso_location(selected_idp, binding)
except TypeError as e:
logger.error('Unable to know which IdP to use')
return HttpResponse(text_type(e))
session_id, request_xml = client.create_authn_request(
location, binding=binding)
http_response = render(
request, post_binding_form_template, {
'target_url': location,
'params': {
'SAMLRequest': base64.b64encode(
binary_type(request_xml)),
'RelayState': came_from,
},
})
else:
raise UnsupportedBinding('Unsupported binding: %s', binding)
# success, so save the session ID and return our response
logger.debug('Saving the session_id in the OutstandingQueries cache')
oq_cache = OutstandingQueriesCache(request.session)
oq_cache.set(session_id, came_from)
return http_response
def post(self, request):
if not self.request.user.is_anonymous:
error_message = _('This endpoint is for anonymous users only.')
return JsonResponse({'error_message': error_message}, status_code=400)
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
idp = serializer.validated_data.get('idp')
conf = get_config(request=request)
# ensure our selected binding is supported by the IDP
supported_bindings = utils.get_idp_sso_supported_bindings(idp, config=conf)
default_binding = settings.WALDUR_AUTH_SAML2.get('DEFAULT_BINDING')
if default_binding in supported_bindings:
binding = default_binding
elif BINDING_HTTP_POST in supported_bindings:
binding = BINDING_HTTP_POST
elif BINDING_HTTP_REDIRECT in supported_bindings:
binding = BINDING_HTTP_REDIRECT
else:
error_message = _('Identity provider does not support available bindings.')
return JsonResponse({'error_message': error_message}, status_code=400)
client = Saml2Client(conf)
kwargs = {}
sign_requests = getattr(conf, '_sp_authn_requests_signed', False)
if sign_requests:
signature_algorithm = settings.WALDUR_AUTH_SAML2.get('signature_algorithm') or SIG_RSA_SHA1
digest_algorithm = settings.WALDUR_AUTH_SAML2.get('digest_algorithm') or DIGEST_SHA1
kwargs['sign'] = True
kwargs['sigalg'] = signature_algorithm
kwargs['sign_alg'] = signature_algorithm
kwargs['digest_alg'] = digest_algorithm
nameid_format = settings.WALDUR_AUTH_SAML2.get('nameid_format')
if nameid_format or nameid_format == "": # "" is a valid setting in pysaml2
kwargs['nameid_format'] = nameid_format
if binding == BINDING_HTTP_REDIRECT:
session_id, result = client.prepare_for_authenticate(
entityid=idp, binding=binding, **kwargs)
data = {
'binding': 'redirect',
'url': get_location(result),
}
elif binding == BINDING_HTTP_POST:
try:
location = client.sso_location(idp, binding)
except TypeError:
error_message = _('Invalid identity provider specified.')
return JsonResponse({'error_message': error_message}, status_code=400)
session_id, request_xml = client.create_authn_request(location, binding=binding, **kwargs)
data = {
'binding': 'post',
'url': location,
'request': base64.b64encode(request_xml.encode('UTF-8')),
}
# save session_id
oq_cache = OutstandingQueriesCache(request.session)
oq_cache.set(session_id, '')
return JsonResponse(data)
def login(request,
config_loader_path=None,
wayf_template='djangosaml2/wayf.html',
authorization_error_template='djangosaml2/auth_error.html'):
"""SAML Authorization Request initiator
This view initiates the SAML2 Authorization handshake
using the pysaml2 library to create the AuthnRequest.
It uses the SAML 2.0 Http Redirect protocol binding.
"""
logger.debug('Login process started')
came_from = request.GET.get('next', settings.LOGIN_REDIRECT_URL)
if not came_from:
logger.warning('The next parameter exists but is empty')
came_from = settings.LOGIN_REDIRECT_URL
# if the user is already authenticated that maybe because of two reasons:
# A) He has this URL in two browser windows and in the other one he
# has already initiated the authenticated session.
# B) He comes from a view that (incorrectly) send him here because
# he does not have enough permissions. That view should have shown
# an authorization error in the first place.
# We can only make one thing here and that is configurable with the
# SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN setting. If that setting
# is True (default value) we will redirect him to the came_from view.
# Otherwise, we will show an (configurable) authorization error.
if not request.user.is_anonymous():
try:
redirect_authenticated_user = settings.SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN
except AttributeError:
redirect_authenticated_user = True
if redirect_authenticated_user:
return HttpResponseRedirect(came_from)
else:
logger.debug('User is already logged in')
return render_to_response(authorization_error_template, {
'came_from': came_from,
},
context_instance=RequestContext(request))
selected_idp = request.GET.get('idp', None)
conf = get_config(config_loader_path, request)
# is a embedded wayf needed?
idps = available_idps(conf)
if selected_idp is None and len(idps) > 1:
logger.debug('A discovery process is needed')
return render_to_response(wayf_template, {
'available_idps': idps.items(),
'came_from': came_from,
},
context_instance=RequestContext(request))
client = Saml2Client(conf)
try:
(session_id, result) = client.prepare_for_authenticate(
entityid=selected_idp,
relay_state=came_from,
binding=BINDING_HTTP_REDIRECT,
)
except TypeError as e:
logger.error('Unable to know which IdP to use')
return HttpResponse(str(e))
logger.debug('Saving the session_id in the OutstandingQueries cache')
oq_cache = OutstandingQueriesCache(request.session)
oq_cache.set(session_id, came_from)
logger.debug('Redirecting the user to the IdP')
return HttpResponseRedirect(get_location(result))
