***saml2int** - Implements the SAML 2.0 Web Browser SSO Profile.
56
56
***Session-less** - Forget those common conflicts between the SP and
57
57
the final app, the toolkit delegate session in the final app.
58
-
***Easy to use** - Programmer will be allowed to code high-level and
58
+
***Easy to use** - Programmer will be allowed to code high-level and
59
59
low-level programming, 2 easy to use APIs are available.
60
60
***Tested** - Thoroughly tested.
61
61
***Popular** - OneLogin's customers use it. Add easy support to your django/flask web projects.
62
62
63
-
64
63
Installation
65
64
------------
66
65
67
-
### Dependences ###
66
+
### Dependencies ###
68
67
69
68
* python 2.7 // python 3.3
70
69
*[xmlsec](https://pypi.python.org/pypi/xmlsec) Python bindings for the XML Security Library.
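Review bot: the 'Dependences' to 'Dependencies' fix is correct, but the 'Easy to use' `-`/`+` pair just above it is textually identical on both sides, so that part is a whitespace-only change; if the commit is also stripping trailing whitespace, say so in the commit message so reviewers do not hunt for a content change. The unchanged 'Session-less' bullet in the same context still reads 'the toolkit delegate session in the final app' and would read better as 'the toolkit delegates session handling to the final app'.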
@@ -89,25 +88,22 @@ The toolkit is hosted in pypi, you can find the python3-saml package at https://
89
88
90
89
You can install it executing:
91
90
```
92
-
pip install python3-saml
91
+
$ pip install python3-saml
93
92
```
94
93
95
94
If you want to know how a project can handle python packages review this [guide](https://packaging.python.org/en/latest/tutorial.html) and review this [sampleproject](https://github.com/pypa/sampleproject)
96
95
97
-
98
96
Security warning
99
97
----------------
100
98
101
-
In production, the **strict** parameter MUST be set as **"true"**. Otherwise
99
+
In production, the **strict** parameter MUST be set as **"true"**. Otherwise
102
100
your environment is not secure and will be exposed to attacks.
103
101
104
-
105
102
Security Guidelines
106
103
-------------------
107
104
108
105
If you believe you have discovered a security vulnerability in this toolkit, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
109
106
110
-
111
107
Getting started
112
108
---------------
113
109
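Review bot: prefixing the install command with `$ ` inside the fenced block means a copy-paste of the line fails with `$: command not found`; either drop the prompt or tag the fence so it is clearly a terminal transcript. The 'Security warning' paragraph in the same hunk says `strict` MUST be "true" but never says where that is set: one sentence pointing at the `strict` key in settings.json (shown later in this file), with the JSON value `true` rather than the quoted string "true", would make the warning actionable.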
@@ -187,7 +183,7 @@ This is the settings.json file:
187
183
188
184
```javascript
189
185
{
190
-
// If strict is True, then the Python Toolkit will reject unsigned
186
+
// If strict is True, then the Python Toolkit will reject unsigned
191
187
// or unencrypted messages if it expects them to be signed or encrypted.
192
188
// Also it will reject the messages if the SAML standard is not strictly
193
189
// followed. Destination, NameId, Conditions ... are validated too.
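Review bot: the `+` line is identical to the `-` line (whitespace only). Since settings.json is consumed as JSON and every other value in this block is lowercase `true`/`false`, the comment 'If strict is True' should say `true` so it matches the value the reader actually has to write.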
@@ -206,12 +202,12 @@ This is the settings.json file:
206
202
// URL Location where the <Response> from the IdP will be returned
207
203
"url":"https://<sp_domain>/?acs",
208
204
// SAML protocol binding to be used when returning the <Response>
209
-
// message. OneLogin Toolkit supports this endpoint for the
205
+
// message. OneLogin Toolkit supports this endpoint for the
// SAML protocol binding to be used when returning the <Response>
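Review bot: whitespace-only pair again; while touching this block, the `"url":"https://<sp_domain>/?acs"` placeholder deserves a comment that, with `strict` enabled, the toolkit validates the Destination of the incoming `<Response>` (as the comment block earlier in this file states), so the scheme, host and query string here must match exactly what is published in the SP metadata.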
@@ -272,13 +268,14 @@ This is the settings.json file:
272
268
// Public x509 certificate of the IdP
273
269
"x509cert":"<onelogin_connector_cert>"
274
270
/*
275
-
* Instead of use the whole x509cert you can use a fingerprint in
271
+
* Instead of using the whole x509cert you can use a fingerprint in
276
272
* order to validate a SAMLResponse.
277
273
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
278
274
* or add for example the -sha256 , -sha384 or -sha512 parameter)
279
275
*
280
276
* If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
281
-
* let the toolkit know which algorithm was used. Possible values: sha1, sha256, sha384 or sha512
277
+
* let the toolkit know which algorithm was used.
278
+
Possible values: sha1, sha256, sha384 or sha512
282
279
* 'sha1' is the default value.
283
280
*
284
281
* Notice that if you want to validate any SAML Message sent by the HTTP-Redirect binding, you
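Review bot: the new line `Possible values: sha1, sha256, sha384 or sha512` is inserted without the leading ` * ` that every other line of the `/* ... */` block uses, so it breaks the comment's column alignment; prefix it like the lines around it. Since the next context line says 'sha1' is the default, consider adding a recommendation to set `certFingerprintAlgorithm` to sha256 (or stronger) explicitly whenever a fingerprint is used instead of the full certificate, as sha1 is the weakest option listed.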
@@ -290,7 +287,7 @@ This is the settings.json file:
290
287
}
291
288
```
292
289
293
-
In addition to the required settings data (idp, sp), there is extra information that could be defined at advanced_settings.json
290
+
In addition to the required settings data (idp, sp), extra settings can be defined in `advanced_settings.json`:
294
291
295
292
```javascript
296
293
{
@@ -303,15 +300,15 @@ In addition to the required settings data (idp, sp), there is extra information
303
300
// will be encrypted.
304
301
"nameIdEncrypted":false,
305
302
306
-
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
303
+
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
307
304
// will be signed. [Metadata of the SP will offer this info]
308
305
"authnRequestsSigned":false,
309
306
310
-
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
307
+
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
311
308
// will be signed.
312
309
"logoutRequestSigned":false,
313
310
314
-
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
311
+
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
315
312
// will be signed.
316
313
"logoutResponseSigned":false,
317
314
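Review bot: the three `-`/`+` pairs are identical (whitespace only). The context lines show `authnRequestsSigned`, `logoutRequestSigned` and `logoutResponseSigned` all defaulting to `false`, while the 'Security warning' section only mentions `strict`; a short note here that production deployments are expected to turn message signing on as well (and that the SP metadata advertises it, as the comment says) would keep the two sections consistent.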
@@ -337,7 +334,7 @@ In addition to the required settings data (idp, sp), there is extra information
337
334
// elements received by this SP to be encrypted.
338
335
'wantAssertionsEncrypted'=>false,
339
336
340
-
// Indicates a requirement for the NameID element on the SAMLResponse
337
+
// Indicates a requirement for the NameID element on the SAMLResponse
341
338
// received by this SP to be present.
342
339
"wantNameId":true,
343
340
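Review bot: the context line `'wantAssertionsEncrypted'=>false,` is PHP array syntax left in a JSON example; inside this block it should be `"wantAssertionsEncrypted": false,` like the `wantNameId` key right below it. This hunk already touches the neighbouring comment, so it is the natural place to fix it.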
@@ -397,7 +394,7 @@ In addition to the required settings data (idp, sp), there is extra information
397
394
}
398
395
```
399
396
400
-
In the security section, you can set the way that the SP will handle the messages and assertions. Contact the admin of the IdP and ask him what the IdP expects, and decide what validations will handle the SP and what requirements the SP will have and communicate them to the IdP's admin too.
397
+
In the security section, you can set the way that the SP will handle the messages and assertions. Contact the admin of the IdP and ask them what the IdP expects, and decide what validations will handle the SP and what requirements the SP will have and communicate them to the IdP's admin too.
401
398
402
399
Once we know what kind of data could be configured, let's talk about the way settings are handled within the toolkit.
403
400
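Review bot: 'ask him' to 'ask them' is fine, but the rest of the sentence is still hard to parse ('decide what validations will handle the SP'). Suggest: 'decide which validations the SP will perform and which requirements it will impose, and communicate them to the IdP's admin as well.'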
@@ -520,7 +517,7 @@ The login method can recieve 3 more optional parameters:
520
517
521
518
#### The SP Endpoints ####
522
519
523
-
Related to the SP there are 3 important endpoints: The metadata view, the ACS view and the SLS view.
520
+
Related to the SP there are 3 important endpoints: The metadata view, the ACS view and the SLS view.
524
521
The toolkit provides examples of those views in the demos, but lets see an example.
525
522
526
523
***SP Metadata***
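Review bot: the `-`/`+` pair is whitespace-only, but the hunk header context carries a typo, 'The login method can recieve 3 more optional parameters' ('receive'), and the context line 'but lets see an example' needs 'let's see'; both are one-word fixes that belong in a typo commit like this one.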
@@ -543,7 +540,7 @@ The get_sp_metadata will return the metadata signed or not based on the security
543
540
544
541
Before the XML metadata is exposed, a check takes place to ensure that the info to be provided is valid.
545
542
546
-
Instead of use the Auth object, you can directly use
543
+
Instead of using the Auth object, you can directly use
@@ -599,7 +596,7 @@ If we execute print attributes we could get:
599
596
"mail": ["Doe"],
600
597
"groups": ["users", "members"]
601
598
}
602
-
```
599
+
```
603
600
604
601
Each attribute name can be used as a key to obtain the value. Every attribute is a list of values. A single-valued attribute is a listy of a single element.
605
602
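Review bot: the closing-fence change is whitespace-only; the context line 'A single-valued attribute is a listy of a single element' has a typo ('listy' should be 'list') that fits this commit.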
@@ -642,7 +639,7 @@ if not logout_response.is_valid(self.__request_data, request_id):
If the SLS endpoints receives an Logout Request, the request is validated, the session is closed and a Logout Response is sent to the SLS endpoint of the IdP.
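Review bot: the only visible context line, 'If the SLS endpoints receives an Logout Request', should read 'If the SLS endpoint receives a Logout Request'; since this commit already corrects grammar elsewhere, fix it here too.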
@@ -686,7 +683,7 @@ In order to send a Logout Request to the IdP:
686
683
687
684
The Logout Request will be sent signed or unsigned based on the security info of the advanced_settings.json ('logoutRequestSigned').
688
685
689
-
The IdP will return the Logout Response through the user's client to the Single Logout Service of the SP.
686
+
The IdP will return the Logout Response through the user's client to the Single Logout Service of the SP.
690
687
691
688
We can set a 'return_to' url parameter to the logout function and that will be converted as a 'RelayState' parameter:
if'sso'in request.args: # SSO action (SP-SSO initited). Will send an AuthNRequest to the IdP
717
714
return redirect(auth.login())
718
-
elif'sso2'in request.args: # Another SSO init action
715
+
elif'sso2'in request.args: # Another SSO init action
719
716
return_to ='%sattrs/'% request.host_url # but set a custom RelayState URL
720
717
return redirect(auth.login(return_to))
721
718
elif'slo'in request.args: # SLO action. Will sent a Logout Request to IdP
722
719
return redirect(auth.logout())
723
720
elif'acs'in request.args: # Assertion Consumer Service
724
721
auth.process_response() # Process the Response of the IdP
725
722
errors = auth.get_errors() # This method receives an array with the errors
726
-
iflen(errors) ==0: # that could took place during the process
723
+
iflen(errors) ==0: # that could took place during the process
727
724
ifnot auth.is_authenticated(): # This check if the response was ok and the user
728
725
msg ="Not authenticated"# data retrieved or not (user authenticated)
729
726
else:
730
727
request.session['samlUserdata'] = auth.get_attributes() # Retrieves user data
731
728
self_url = OneLogin_Saml2_Utils.get_self_url(req)
732
-
if'RelayState'in request.form and self_url != request.form['RelayState']:
729
+
if'RelayState'in request.form and self_url != request.form['RelayState']:
733
730
return redirect(auth.redirect_to(request.form['RelayState'])) # Redirect if there is a relayState
734
731
else: # If there is user data we save that to print it later.
735
732
msg =''
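Review bot: the RelayState handling in the ACS branch (`if 'RelayState' in request.form and self_url != request.form['RelayState']:` followed by `return redirect(auth.redirect_to(request.form['RelayState']))`) redirects to whatever RelayState value arrives in the POST, the only check being that it differs from the SP's own URL. RelayState is not covered by the SAML signature, so sample code copied into an application as-is becomes an open redirect; suggest a comment in the sample (or a check) that the target must be validated against an allow-list of the application's own URLs before redirecting. Minor: the comments 'that could took place' and 'This check if the response was ok' read better as 'that could have taken place' and 'This checks whether the response was ok'.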
@@ -831,7 +828,7 @@ SAML 2 Logout Response class
831
828
****get_status*** Gets the Status of the Logout Response.
832
829
****is_valid*** Determines if the SAML LogoutResponse is valid
833
830
****build*** Creates a Logout Response object.
834
-
****get_response*** Returns a Logout Response object.
831
+
****get_response*** Returns a Logout Response object.
835
832
****get_error*** After execute a validation process, if fails this method returns the cause.
836
833
837
834
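Review bot: whitespace-only pair; the context line 'After execute a validation process, if fails this method returns the cause.' should read 'After executing a validation process, if it fails this method returns the cause.'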
@@ -871,7 +868,7 @@ Configuration of the OneLogin Python Toolkit
871
868
872
869
A class that contains functionality related to the metadata of the SP
873
870
874
-
****builder*** Generates the metadata of the SP based on the settings.
871
+
****builder*** Generates the metadata of the SP based on the settings.
875
872
****sign_metadata*** Signs the metadata with the key/cert provided.
876
873
****add_x509_key_descriptors*** Adds the x509 descriptors (sign/encriptation) to the metadata
877
874
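Review bot: whitespace-only pair; the context line 'Adds the x509 descriptors (sign/encriptation) to the metadata' needs 'encryption'.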
@@ -977,7 +974,7 @@ virtualenv and execute:
977
974
pip install -r demo-flask/requirements.txt
978
975
```
979
976
980
-
This will install flask and its dependences. Once it has finished, you have to complete the configuration
977
+
This will install flask and its dependencies. Once it has finished, you have to complete the configuration
981
978
of the toolkit. You'll find it at `demo-flask/settings.json`
982
979
983
980
Now, with the virtualenv loaded, you can run the demo like this:
@@ -1002,7 +999,7 @@ The flask project contains:
1002
999
1003
1000
####SP setup####
1004
1001
1005
-
The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-flask it used the first method.
1002
+
The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-flask it used the first method.
1006
1003
1007
1004
In the index.py file we define the app.config['SAML_PATH'], that will target to the 'saml' folder. We require it in order to load the settings files.
1008
1005
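Review bot: the `+` line repeats the `-` line unchanged; the heading `####SP setup####` in the context has no space after the opening hashes, so GitHub-flavoured Markdown renders it as literal text rather than an h4 (the earlier `#### The SP Endpoints ####` heading has the space). Also 'In the demo-flask it used the first method' reads better as 'The demo-flask uses the first method'.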
@@ -1042,8 +1039,8 @@ To run the demo you need to install the requirements first. Load your
1042
1039
virtualenv and execute:
1043
1040
```
1044
1041
pip install -r demo-django/requirements.txt
1045
-
```
1046
-
This will install django and its dependences. Once it has finished, you have to complete the configuration of the toolkit.
1042
+
```
1043
+
This will install django and its dependencies. Once it has finished, you have to complete the configuration of the toolkit.
1047
1044
1048
1045
Later, with the virtualenv loaded, you can run the demo like this:
1049
1046
```
@@ -1075,9 +1072,9 @@ The django project contains:
1075
1072
1076
1073
####SP setup####
1077
1074
1078
-
The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-django it used the first method.
1075
+
The Onelogin's Python Toolkit allows you to provide the settings info in 2 ways: settings files or define a setting dict. In the demo-django it used the first method.
1079
1076
1080
-
After set the SAML_FOLDER in the demo/settings.py, the settings of the python toolkit will be loaded on the django web.
1077
+
After set the SAML_FOLDER in the demo/settings.py, the settings of the python toolkit will be loaded on the django web.
1081
1078
1082
1079
First we need to edit the saml/settings.json, configure the SP part and review the metadata of the IdP and complete the IdP info. Later edit the saml/advanced_settings.json files and configure the how the toolkit will work. Check the settings section of this document if you have any doubt.
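Review bot: 'After set the SAML_FOLDER in the demo/settings.py' should be 'After setting SAML_FOLDER in demo/settings.py'; the `####SP setup####` heading has the same missing-space problem as in the flask section; and 'configure the how the toolkit will work' in the last context line should be 'configure how the toolkit will work'.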