zibasec / django-saml2-pro-auth

SAML2 authentication backend for Django wrapping OneLogin's python-saml package https://github.com/onelogin/python3-saml

License: MIT License

Python 91.08% HTML 8.92%
django django-authentication python3 saml2

django-saml2-pro-auth's People

Contributors

1oglop1, apreche, big4smk, erichigdon, fservida, heavensleep, piotrbilski, santiagovassallo, shepdelacreme, sphinxs, tecknicaltom, vdzs

django-saml2-pro-auth's Issues

How does SAML_REDIRECT work ?

Hi,

From what I understand of the flow, the IDP is looking at my metadata endpoint and calling http://mydomain.com/sso/saml/?acs&provider=myprovider to authenticate the user.

What I want to do is redirect the user after authentication to a specific page.

I thought SAML_REDIRECT would do this but it looks like it does not work that way.

SAML_REDIRECT is only used if acs is not on the URL, since it's an elif instead of an if.

https://github.com/voxy/django-saml2-pro-auth/blob/master/src/django_saml2_pro_auth/views.py#L50

Can I have an example on how to use this setting?

Thanks a lot!

Update tested Python and Django versions

We should update the tested Python versions to include py 3.7, 3.8, and 3.9 and probably trim some of the older versions in the list. We can remove Python 2.x support altogether and clean up any remaining 2.x backwards-compatibility-isms left in the code.

Django versions should be trimmed as well: 1.8 and 1.10 should definitely be removed, and possibly 1.11 since it is now officially EOL.

ACS's URL changed to http and fired 301 http response after login

Greetings,

First, I want to say thank you for all your effort developing this package.

I implemented django-saml2-pro-auth and it worked in my local environment, but when I push to AWS Lambda, I see that the ACS URL changed to http and it raises a 301 HTTP response, which doesn't happen in my local environment. For example:

Local environment:
(screenshot)
By the way, I use an environment variable to store https://localhost:8000

AWS Lambda environment:
(screenshot)
In this case, you can see the EntityDescriptor and AssertionConsumerService tags have "http://" but only the SingleLogoutService tag keeps https://, and I repeat, I use an environment variable to set the server's URL.

This issue fires a 301 HTTP response and then redirects me to the same ACS URL but with the GET method, and the GET method isn't allowed on that URL, as you can see in the next image:
(screenshot)

I hope somebody could help with this issue.

Support for Django 3.2+

Right now ProviderConverter raises SynchronousOnlyOperation when you try it on Django 3.2

SAML URL encoding bugs (possibly Azure only)

There is a bug in URLs.
Because the OneLogin SP assertionConsumerService.url overrides the reply URL configured in the IdP (Azure AD), data is being POSTed to the wrong URL,
causing django_saml2_pro_auth.utils.SAMLError: No provider specified in request.

Example:

settings.py

SAML_PROVIDERS = [{
    "MyProvider": {
        "strict": False,
        "debug": True,
        "sp": {
            "entityId": "https://test.app.jan",
            "assertionConsumerService": {
                "url": "http://localhost:9876/sso/saml/?acs",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            },
            # remaining sp and idp settings omitted from the report
        },
    },
}]

SAML Request contains

AssertionConsumerServiceURL="http://localhost:9876/sso/saml/?acs"

But django-saml2-pro-auth is expecting /sso/saml/?acs&provider=MyProvider.

I tried this workaround:
I changed assertionConsumerService.url to "url": "http://localhost:9876/sso/saml/?acs&provider=MyProvider".

Hence this has been rejected at the Microsoft site as Bad Request:
AADSTS75005: The request is not a valid Saml2 protocol message.

My guess was that the problem was URL encoding and decoding, so I changed & to %26:
"url": "http://localhost:9876/sso/saml/?acs%26provider=MyProvider", which did the trick for sending the request.
But the plugin does not know how to decode the URL in the SAML response Destination="http://localhost:9876/sso/saml/?acs%26provider=MyProvider".
I guess this is partially a problem of OneLogin.

Errors in documentation, no migration path for pre v1.0 users

The documentation (the README in the project root) contains a few errors and omissions:

  • It doesn't mention that one needs to add saml2_pro_auth to the INSTALLED_APPS list
  • It refers to the function_urls, which no longer exist

This second item is causing an issue for people migrating from pre-1.0 to post-1.0: the class-based views have changed the SAML URLs, which means the SSO provider must update their settings to match the new URLs. In some organisations this can be a bit problematic due to slow formal ITIL procedures.

Not sure if this is a bug, or simply not or badly documented, but I would have guessed that setting the SAML_ROUTE setting, and including the URLs for ACS and SLS under the SAML_PROVIDERS dictionary, would result in the system using the same URLs as previously under the function-based views. This doesn't seem to work. I already had them in my settings, and they remain unchanged. What's worse: the new URLs don't seem to work either. They either result in a 404 or a 500. Before I file a separate bug for that, can someone from the team enlighten me as to whether these settings should in fact override the URLs for the class-based views as well?

prepare_django_request should use request.get_host()

Instead of using request.META['HTTP_HOST'], prepare_django_request should use request.get_host() so that it works properly for app servers behind a proxy. In this configuration, Django should be configured with USE_X_FORWARDED_HOST so that request.get_host() uses the value from the X-FORWARDED-HOST header instead of Host.
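The request dict handed to python3-saml is what decides the scheme and host that end up in the SP metadata, the AssertionConsumerServiceURL and the Destination check, so the two reports above (the ACS URL flipping to http behind AWS Lambda, and get_host() versus META['HTTP_HOST']) are the same problem. The following is an added example, not code from django-saml2-pro-auth or python3-saml: it builds that dict from WSGI-style headers without importing Django, re-implementing in simplified form the semantics of Django's get_host() with USE_X_FORWARDED_HOST, ALLOWED_HOSTS validation and SECURE_PROXY_SSL_HEADER. The header samples are constructed; the dict keys are the ones python3-saml's OneLogin_Saml2_Auth reads.

```python
"""Build the request dict python3-saml consumes, resolving host and scheme
through proxy headers.  Added example; Django-free re-implementation of
get_host()/is_secure() semantics, constructed headers."""


class DisallowedHost(Exception):
    """Host did not match the allowed-hosts list (Django raises the same)."""


def split_domain_port(host):
    """Split 'example.com:8000' or '[::1]:8000' into (domain, port)."""
    host = host.lower()
    if host.startswith("["):  # IPv6 literal
        end = host.find("]")
        return host[: end + 1], host[end + 2:]
    if host.count(":") == 1:
        return tuple(host.split(":", 1))
    return host, ""


def validate_host(host, allowed_hosts):
    """ALLOWED_HOSTS matching: exact name, '*', or '.example.com' (any subdomain)."""
    domain, _port = split_domain_port(host)
    domain = domain[:-1] if domain.endswith(".") else domain  # tolerate FQDN dot
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain.endswith(pattern) or domain == pattern[1:]):
            return True
    return False


def is_secure(meta, secure_proxy_ssl_header=None):
    """True when the client-side hop was HTTPS.  Behind a TLS-terminating proxy
    the WSGI scheme is plain http; trust the proxy header ONLY if the proxy is
    known to overwrite it on every request (otherwise a client can set it)."""
    if secure_proxy_ssl_header:
        header, value = secure_proxy_ssl_header
        if header in meta:
            return meta[header].split(",", 1)[0].strip() == value
    return meta.get("wsgi.url_scheme") == "https"


def get_host(meta, allowed_hosts, use_x_forwarded_host=False):
    """Public host name; X-Forwarded-Host is honoured only when enabled, and
    whatever wins is validated against allowed_hosts."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        host = meta["HTTP_X_FORWARDED_HOST"]
    elif "HTTP_HOST" in meta:
        host = meta["HTTP_HOST"]
    else:
        host = meta["SERVER_NAME"]
        port = meta.get("SERVER_PORT", "")
        if port and port != ("443" if is_secure(meta) else "80"):
            host = f"{host}:{port}"
    if not validate_host(host, allowed_hosts):
        raise DisallowedHost(f"Invalid host header: {host!r}")
    return host


def prepare_saml_request(meta, get_data, post_data, *, allowed_hosts,
                         use_x_forwarded_host=False, secure_proxy_ssl_header=None):
    """The dict python3-saml expects: https, http_host, script_name, get_data, post_data."""
    return {
        "https": "on" if is_secure(meta, secure_proxy_ssl_header) else "off",
        "http_host": get_host(meta, allowed_hosts, use_x_forwarded_host),
        "script_name": meta.get("PATH_INFO", "/"),
        "get_data": dict(get_data),
        "post_data": dict(post_data),
    }


def self_url(saml_request):
    """URL python3-saml derives for AssertionConsumerServiceURL / Destination."""
    scheme = "https" if saml_request["https"] == "on" else "http"
    return f"{scheme}://{saml_request['http_host']}{saml_request['script_name']}"


# Constructed headers as seen by an app server behind a TLS-terminating proxy.
PROXIED_META = {
    "wsgi.url_scheme": "http",            # proxy -> app hop is plain HTTP
    "HTTP_HOST": "10.0.0.5:8000",          # internal address the proxy dialled
    "HTTP_X_FORWARDED_HOST": "app.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
    "PATH_INFO": "/sso/saml/",
}


def demo():
    """Same headers, two configurations: the ACS URL flips from http to https."""
    naive = prepare_saml_request(PROXIED_META, {"acs": ""}, {}, allowed_hosts=["*"])
    proxied = prepare_saml_request(
        PROXIED_META, {"acs": ""}, {}, allowed_hosts=[".example.com"],
        use_x_forwarded_host=True,
        secure_proxy_ssl_header=("HTTP_X_FORWARDED_PROTO", "https"),
    )
    return self_url(naive), self_url(proxied)


if __name__ == "__main__":
    print(demo())
```

The naive configuration reproduces the Lambda symptom: the ACS URL is built from the internal host over http, so the IdP posts to a URL that the front end answers with a redirect, and the redirect arrives as a GET. The proxied configuration fixes it, but only together with a tight allowed-hosts list: with USE_X_FORWARDED_HOST on and a proxy that does not strip the header, a client-supplied X-Forwarded-Host would otherwise flow straight into the SAML Destination and metadata.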

Can't override default security values.

I'm trying to override security values using the settings.py config file within my Django project. All my security settings are ignored and default values are being used.
I'm mostly interested in "requestedAuthnContext" and I want to set it to False. I've also tried to modify other parameters like nameIdEncrypted or signatureAlgorithm. All of those get ignored.

saml_login does not use the 'next' parameter

Am I missing a way to redirect the user back to the page they were attempting to access? Django adds a ?next parameter when redirecting to the login page. Perhaps views.saml_login should check for that parameter in the GET data and use the value as return_to when calling auth.login? Pull request #22
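Passing ?next= as return_to (as this post and the SAML_REDIRECT question earlier on the page want) works because python3-saml carries return_to in RelayState, and the IdP echoes RelayState back alongside the SAMLResponse. That also means the value arriving at the ACS is attacker-influenced and must be validated before redirecting, or the login endpoint becomes an open redirect. The following is an added example, not the project's code: the check re-implements Django's url_has_allowed_host_and_scheme() in simplified form, and the host name, default target and sample inputs are constructed.

```python
"""Carry ?next= through the SAML round trip and validate it before redirecting.
Added example; simplified re-implementation of Django's
url_has_allowed_host_and_scheme(), constructed inputs."""
import unicodedata
from urllib.parse import urlparse


def _allowed(url, allowed_hosts, require_https):
    if url.startswith("///"):               # scheme-relative with empty netloc
        return False
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if not parts.netloc and parts.scheme:   # e.g. javascript:, data:
        return False
    if unicodedata.category(url[0])[0] == "C":  # leading control character
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid = ("https",) if require_https else ("http", "https")
    return (not parts.netloc or parts.netloc in allowed_hosts) and (not scheme or scheme in valid)


def url_is_safe(url, allowed_hosts, require_https=False):
    """True for relative paths and for absolute URLs on an allowed host.
    Checked twice, once with backslashes turned into slashes, because browsers
    treat '\\\\evil.example' like '//evil.example'."""
    url = (url or "").strip()
    if not url:
        return False
    hosts = set(allowed_hosts)
    return _allowed(url, hosts, require_https) and _allowed(url.replace("\\", "/"), hosts, require_https)


def return_to_for_login(get_data, request_host, default="/"):
    """Value to pass as return_to= (becomes RelayState) when login starts from ?next=."""
    candidate = get_data.get("next", "")
    return candidate if url_is_safe(candidate, {request_host}) else default


def redirect_after_acs(post_data, request_host, default="/"):
    """Where to send the browser after a valid SAMLResponse: RelayState, if safe."""
    relay_state = post_data.get("RelayState", "")
    return relay_state if url_is_safe(relay_state, {request_host}) else default


HOST = "app.example.com"  # constructed: what request.get_host() returned

if __name__ == "__main__":
    print(return_to_for_login({"next": "/reports/42/"}, HOST))
    print(redirect_after_acs({"RelayState": "https://evil.example/phish"}, HOST))
```

Checking RelayState on the way in as well as on the way out matters because the two values are not the same thing: the IdP may rewrite RelayState, and an IdP-initiated response carries one the SP never set. A stricter design stores the intended destination server-side keyed by the AuthnRequest ID and ignores RelayState for redirection entirely.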

SP public and private key

The python-saml plugin is already able to read the public and private key from a file, so the setting:

"x509cert": open(os.path.join(BASE_DIR, 'certs/sp.crt'), 'r').read(),
"privateKey": open(os.path.join(BASE_DIR, 'certs/sp.key'), 'r').read(),

is not really required.

Option to use nameid as the user lookup attribute

I can't see any way to use the name id from the SAMLResponse as the lookup value for users in Django, so if the IDP doesn't supply this as a separate attribute, there is no way to match the user in Django.

Is this something that I've missed, or something that could be added through the settings? If nameid was added to the lookup map then it would make this simple, and would still provide support for custom user models in Django.

Should the first provider be used as the default?

It seems a bit excessive to have to define which provider to use on every login attempt. Perhaps if 'provider' is not present in the GET data, it should fallback to the first provider in the settings. Any concerns with something like pull request #21?

SAML bad Request - The message of the response is not signed and the SP require it

Hello, I have a Django app that uses the package. We put wantMessagesSigned: True, we added this config in the admin interface as well, and we are still receiving this error. I'm pretty sure the IdP sends a signature for us. Any change that we make is reflected in the application; it is like the package does not get the values from settings.
"security": {
    "nameIdEncrypted": False,
    "authnRequestsSigned": True,
    "logoutRequestSigned": True,
    "logoutResponseSigned": True,
    "signMetadata": True,
    "wantMessagesSigned": True,
    "wantAssertionsSigned": True,
    "wantAssertionsEncrypted": True,
    "wantNameId": True,
    "wantNameIdEncrypted": False,
    "wantAttributeStatement": True,
    "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
},

Thank you.
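This report and "Can't override default security values" above both come down to how a project's security block is layered over the library defaults: if the project's dict is merged in under the defaults rather than over them, every override silently disappears. The following is an added example, not code from django-saml2-pro-auth or python3-saml. It applies project overrides so that they always win and then sanity-checks the result. DEFAULTS is a subset of the security defaults python3-saml documents (assumed from its README; confirm against the installed version), the consistency rules are a simplified version of the ones the library applies when validating settings, and the project override is constructed.

```python
"""Merge project SAML security overrides over library defaults and check them.
Added example; DEFAULTS assumed from python3-saml's documentation, rules simplified,
override constructed."""
import copy

DEFAULTS = {
    "strict": True,
    "security": {
        "nameIdEncrypted": False,
        "authnRequestsSigned": False,
        "logoutRequestSigned": False,
        "logoutResponseSigned": False,
        "signMetadata": False,
        "wantMessagesSigned": False,
        "wantAssertionsSigned": False,
        "wantAssertionsEncrypted": False,
        "wantNameId": True,
        "wantNameIdEncrypted": False,
        "wantAttributeStatement": True,
        "requestedAuthnContext": True,
        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
    },
}

# Flags that only make sense when the SP has its own certificate and key.
NEEDS_SP_KEY = ("authnRequestsSigned", "logoutRequestSigned", "logoutResponseSigned",
                "wantAssertionsEncrypted", "wantNameIdEncrypted", "signMetadata")


def deep_merge(base, override):
    """Copy of base with override applied; nested dicts merge, project values win."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def check_settings(settings):
    """Return (errors, warnings) for one merged provider settings dict."""
    errors, warnings = [], []
    sec = settings.get("security", {})
    sp = settings.get("sp", {})
    has_key = bool(sp.get("x509cert")) and bool(sp.get("privateKey"))
    for flag in NEEDS_SP_KEY:
        if sec.get(flag) and not has_key:
            errors.append(f"{flag} is True but sp.x509cert/sp.privateKey are not set")
    for alg_key in ("signatureAlgorithm", "digestAlgorithm"):
        if "sha1" in sec.get(alg_key, "").lower():
            warnings.append(f"{alg_key} uses SHA-1; prefer SHA-256")
    if not settings.get("strict", True):
        warnings.append("strict is False: Destination, audience, time-window and schema checks are relaxed")
    if not sec.get("wantAssertionsSigned") and not sec.get("wantMessagesSigned"):
        warnings.append("neither wantAssertionsSigned nor wantMessagesSigned is set; require at least one")
    return errors, warnings


# Constructed project override: requestedAuthnContext off, SHA-1 digest left over
# from an old template, strict mode switched off while debugging.
PROJECT_OVERRIDE = {
    "strict": False,
    "sp": {"entityId": "https://app.example.com/sso/saml/metadata/"},
    "security": {
        "requestedAuthnContext": False,
        "wantMessagesSigned": True,
        "wantAssertionsSigned": True,
        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
    },
}


def build_provider_settings(override=PROJECT_OVERRIDE):
    """Merged settings plus the (errors, warnings) a deploy check should surface."""
    merged = deep_merge(DEFAULTS, override)
    return merged, check_settings(merged)


if __name__ == "__main__":
    merged, (errors, warnings) = build_provider_settings()
    print(merged["security"]["requestedAuthnContext"], errors, warnings, sep="\n")
```

Running the check against the block posted above would flag the SHA-1 digestAlgorithm, and, if the SP certificate and key are absent, every signing and encryption flag that depends on them. When the IdP really does sign, "The message of the response is not signed and the SP require it" with wantMessagesSigned: True means the signature is on the Assertion rather than on the Response envelope; wantAssertionsSigned is the flag that matches that layout.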

Add example usage to repo and update docs

Hi,
first of all I'd like to thank you for the great work.

Do you have any simple example how to use this in app? I have really basic experience with Django and I'd like to use this.

Thank you

Make Users unique to IDP

Hi, I noticed that the user creation/lookup is solely based on the name id that the IDP provides. This could cause issues if multiple IDPs return the same NameId (be it malicious or just a bad way to generate the ids). Would it be possible to provide a way to generate the user id more dynamically? My suggestion would be to allow lookup_attr[1] in auth.py:90 to be function that takes saml_auth and final_map as arguments (and possibly the provider name?). Happy to provide a PR if you agree.

I do acknowledge that IDP providers should generally be trusted, and sometimes you even want to merge accounts that different IDPs provide, but in my case I am a bit paranoid about IDPs behaving badly.

Access allowed for users that have is_active=False

I found that users that have is_active set to False are still allowed to log in through SAML; the saml_login code in views.py doesn't check if it actually gets back a user from the authenticate call, so just creating a backend that checks for is_active=False and returns None if so doesn't really work.

I propose something like this in the saml_login view.

from django.contrib.auth import authenticate, login
from django.core.exceptions import PermissionDenied

user = authenticate(request=request)
if user is None:
    # backend returned no user (e.g. is_active=False): abort instead of calling login()
    raise PermissionDenied
login(request, user)

If you'd agree I can create a pull request, or would you propose a different solution to block is_active=False users from entering through SAML?

Authentication error

@django=1.11
We get:
TypeError: authenticate() takes 0 positional arguments but 1 was given

for:
django_saml2_pro_auth/views.py line 42
user = authenticate(request=request)

Any known reason?

KeyError at /sso/saml/

Hello! I'm having an issue with the user mapping process, because the SAML configuration where I work doesn't return the key if the user doesn't have the attribute. So when it reaches the point of mapping, it's possible that saml_data doesn't have one or more keys that have been specified in SAML_USERS_MAP.

Is it possible to consider this and maybe make this process less strict by checking if the user_key is in saml_data before assigning it?

Thank you a lot!
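Several of the reports above are about the same stretch of the authentication backend: mapping attributes when the IdP omits some (this KeyError), looking the user up by NameID when no separate attribute is sent, keeping accounts from different IdPs apart even when they assert the same identifier, and refusing is_active=False users. The following is an added example, not the project's code, showing one way to handle all four together. python3-saml returns attributes as {name: [values]} from get_attributes() and the NameID as a string from get_nameid(); the mapping shape used here (user field -> (attribute name, index)), the NAMEID sentinel, the in-memory store and the sample response are constructed for this example and are not django-saml2-pro-auth's SAML_USERS_MAP schema.

```python
"""Map python3-saml attributes to user fields, choose the lookup key, scope
accounts per IdP and reject inactive users.  Added example; mapping shape,
store and sample data are constructed."""
from dataclasses import dataclass, field

NAMEID = object()  # sentinel: look the user up by NameID instead of an attribute


class SAMLError(Exception):
    pass


@dataclass
class User:
    provider: str
    lookup_value: str
    fields: dict = field(default_factory=dict)
    is_active: bool = True


class UserStore:
    """Stand-in for the ORM.  Accounts are keyed by (provider, lookup value),
    so two IdPs asserting the same identifier get two accounts rather than
    one IdP being able to log in as the other's user."""

    def __init__(self):
        self._users = {}

    def get_or_create(self, provider, lookup_value, fields):
        key = (provider, lookup_value)
        user = self._users.get(key)
        if user is None:
            user = self._users[key] = User(provider, lookup_value, dict(fields))
        else:
            user.fields.update(fields)  # refresh only what the IdP sent this time
        return user


def attribute_value(attributes, name, index=0):
    """None when the IdP omitted the attribute or sent fewer values than index+1."""
    values = attributes.get(name) or []
    return values[index] if index < len(values) else None


def map_user_fields(attributes, users_map):
    """Return (fields, missing): absent attributes are skipped, not KeyErrors."""
    fields, missing = {}, []
    for user_field, (name, index) in users_map.items():
        value = attribute_value(attributes, name, index)
        if value is None:
            missing.append(name)
        else:
            fields[user_field] = value
    return fields, missing


def authenticate(store, provider, nameid, attributes, users_map, lookup, required=()):
    """lookup is (user field, attribute name or NAMEID).  Returns None for
    inactive users so the view can refuse the login instead of calling login()."""
    fields, missing = map_user_fields(attributes, users_map)
    absent = [name for name in required if name in missing]
    if absent:
        raise SAMLError(f"required attributes missing from assertion: {absent}")
    _user_field, source = lookup
    value = nameid if source is NAMEID else attribute_value(attributes, source)
    if not value:
        raise SAMLError("no usable lookup value in assertion")
    user = store.get_or_create(provider, value, fields)
    return user if user.is_active else None


# Constructed sample: what get_attributes() might return (no "Phone" sent).
SAMPLE_ATTRS = {"Email": ["alice@example.com"], "Groups": ["admins", "dev"]}
USERS_MAP = {"email": ("Email", 0), "group": ("Groups", 0), "phone": ("Phone", 0)}


def demo():
    """Same NameID from two IdPs yields two distinct accounts; Phone is skipped."""
    store = UserStore()
    a = authenticate(store, "corp-idp", "alice", SAMPLE_ATTRS, USERS_MAP, ("username", NAMEID))
    b = authenticate(store, "partner-idp", "alice", SAMPLE_ATTRS, USERS_MAP, ("username", NAMEID))
    return a, b, store


if __name__ == "__main__":
    a, b, _ = demo()
    print(a, b, sep="\n")
```

The required tuple is the knob that keeps "less strict" from becoming "anything goes": attributes that only populate profile fields may be absent, but the one the lookup depends on must be present, otherwise the backend would silently create or match an account on an empty value.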
