As a developer of Django3 applications I need to integrate a SAML2 based Single-Sign-On (SSO) User authentication system, for example with Okta. I know there are a number of existing packages out there, but I want something super-simple that does not require a lot of configuration in my settings.py file. I also need this integration to work with existing Django solutions that do not allow me to modify settings.py directly, as is the case with Netbox.
This django3_auth_saml2 package was inspired by the existing django-saml2-auth.
Notable Changes:
- Stores the parsed SAML2 AuthnResponse in request.META['SAML2_AUTH_RESPONSE'] (META is an attribute of the request object, which is what the authentication backend receives)
- Raises PermissionDenied exceptions to allow for app specific handling
- Provides django3_auth_saml2.config.SAML2_AUTH_CONFIG as an alternative to using the Django settings.py file
This package requires the xmlsec library to be installed.
This package provides two views:
- login - This URL View should be called when the User attempts to login directly to the app
- acs - This URL View should be called by the SSO system (Okta)
When the User attempts to use login, the View will redirect the User's web browser to the SSO system for authentication. Once the User authenticates at the SSO system, the SSO system will then call the acs URL view to sign into the Django app.
In your ROOT_URLCONF.urlpatterns you will need to define two URLs. The first is for the SSO system, and the second is your login URL that will force the User to authenticate via the SSO first. You can change these to suit your specific app API.
Keep in mind that the 'django3_auth_saml2.urls' provides the 'acs' view, so that the example below would result in the app API "/sso/acs/" and "/sso/login/".
from django.urls import include, path
from django.views.generic import RedirectView
urlpatterns = [
    # provides the 'acs' and 'login' views at /sso/acs/ and /sso/login/
    path('sso/', include('django3_auth_saml2.urls')),
    # the app's own login URL is forced through the SSO login view
    path('login/', RedirectView.as_view(url='/sso/login/')),
]
The options have been streamlined from the original django-saml2-auth package; only the following are supported:
- AUTHENTICATION_BACKEND - (NEW) the dotted string name of the backend, for example:
  "django.contrib.auth.backends.RemoteUserBackend"
- One of:
  A) METADATA_AUTO_CONF_URL - The URL to the SSO system where the metadata document can be retrieved, for example:
  "https://mycorp.oktapreview.com/app/sadjfalkdsflkads/sso/saml/metadata"
  B) METADATA_LOCAL_FILE_PATH - As an alternative to using the URL, you can store the metadata contents in a local file, for example:
  "/etc/oktapreview-netbox-metadata.xml"
  The metadata document carries the IdP signing certificate and is therefore the trust anchor for every assertion the acs view accepts: fetch it over HTTPS from the IdP itself, and if you use a local copy, keep it where only the application can write it.
- DEFAULT_NEXT_URL - The next URL used to redirect the User after login is successful. Defaults to "/".
- DEFAULT_SSO_ACS_URL - The URL to be used for SSO sign-in purposes. Defaults to "/sso/acs/".
- ENTITY_ID - This is generally the URL to your application, for example:
  "https://okta-devtest.ngrok.io"
- ASSERTION_URL - same as ENTITY_ID; generally the URL to your application, for example:
  "https://okta-devtest.ngrok.io"
- NAME_ID_FORMAT - Identifies the format of the User name; see the docs for options. This value defaults to using email.
By default the User name value will be taken from the SAML response name_id.text value. For example, if the NAME_ID_FORMAT is set to use email, then the User name value will be the User's email address.
For more information on these terms, refer to the docs.
You should create the SAML2_AUTH_CONFIG
dictionary in the Django settings.py
file,
for example:
SAML2_AUTH_CONFIG = {
# Using default remote backend
'AUTHENTICATION_BACKEND': 'django.contrib.auth.backends.RemoteUserBackend',
# Metadata is required, choose either remote url or local file path
'METADATA_AUTO_CONF_URL': "https://mycorp.oktapreview.com/app/sadjfalkdsflkads/sso/saml/metadata"
}
By default acs passes the saml2_auth_resp.name_id.text value as the remote_user parameter when it calls the backend authenticate() method. For example, if the SSO system (Okta) has configured the name ID format as email (as shown in the example above), then the User name will be the User's email address.
The acs View stores the saml2.response.AuthnResponse instance in request.META['SAML2_AUTH_RESPONSE'] so that you can access this information from the backend; META lives on the request object, which is what authenticate() and configure_user() receive.
When acs calls the backend authenticate(), the User will be created by default if it does not exist; see the class property create_unknown_user. In this case the RemoteUserBackend.configure_user() method is called.
You can subclass RemoteUserBackend, implementing your own authenticate() and configure_user() methods, to use the request.META['SAML2_AUTH_RESPONSE'] data and access the SAML2 user identity attributes. See the samples in backends.py.
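As an added example (not code from django3-auth-saml2 or its backends.py), here is one way such a subclass can look. It validates the assertion before a User is ever created: the NameID must be an email address in an allowed domain, and is_staff is derived from the IdP's group attribute on every login rather than set by hand. OktaEmailBackend, allowed_domains, staff_groups and the attribute names firstName, lastName and groups are assumptions, and FakeAuthnResponse with the SAMPLE_* objects are constructed stand-ins for pysaml2's saml2.response.AuthnResponse so the mapping logic runs without an IdP (or without Django installed).

```python
"""Added example, not code from django3-auth-saml2: a RemoteUserBackend
subclass consuming the AuthnResponse the acs view stores in
request.META['SAML2_AUTH_RESPONSE']. Names marked 'assumed' are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

try:
    from django.contrib.auth.backends import RemoteUserBackend
    from django.core.exceptions import PermissionDenied
except ImportError:  # lets the mapping logic run where Django is not installed
    class RemoteUserBackend:  # stand-in base class only, used when Django is absent
        pass

    class PermissionDenied(Exception):
        pass

# NameID format this package's NAME_ID_FORMAT defaults to (email).
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def saml_user_profile(resp, allowed_domains: Iterable[str],
                      staff_groups: Iterable[str]) -> Dict[str, object]:
    """Map an AuthnResponse to the fields stored on the Django User.

    Raises PermissionDenied (Django's authenticate() treats that as "stop,
    deny") when the NameID is not an email address in an allowed domain, so an
    assertion for bob@attacker.example can never create an account.
    """
    name_id = resp.name_id
    if name_id.format != EMAIL_NAMEID_FORMAT:
        raise PermissionDenied(f"unexpected NameID format {name_id.format!r}")
    email = name_id.text.strip().lower()          # Alice@X.com and alice@x.com are one user
    local, at, domain = email.rpartition("@")
    if not (local and at) or domain not in set(allowed_domains):
        raise PermissionDenied(f"NameID {email!r} is not in an allowed domain")

    identity = resp.get_identity()                # {attribute name: [values, ...]}

    def first(attr: str) -> str:
        values = identity.get(attr) or []
        return values[0] if values else ""

    groups = set(identity.get("groups") or [])    # assumed Okta attribute name
    return {
        "username": email,
        "email": email,
        "first_name": first("firstName"),         # assumed Okta attribute name
        "last_name": first("lastName"),           # assumed Okta attribute name
        "is_staff": bool(groups & set(staff_groups)),
    }


class OktaEmailBackend(RemoteUserBackend):
    """Assumed backend name for SAML2_AUTH_CONFIG['AUTHENTICATION_BACKEND']."""
    allowed_domains = ("example.com",)            # assumed corporate domain
    staff_groups = ("netbox-admins",)             # assumed IdP group name
    create_unknown_user = True                    # RemoteUserBackend default; False = pre-provisioned users only

    def authenticate(self, request, remote_user=None, **kwargs):
        resp = request.META.get("SAML2_AUTH_RESPONSE")
        if resp is None:
            return None                           # not a SAML login; leave it to other backends
        # Validate before super() so a rejected assertion never creates a User.
        profile = saml_user_profile(resp, self.allowed_domains, self.staff_groups)
        user = super().authenticate(request, remote_user=profile["username"])
        if user is not None:
            self._apply_profile(user, profile)    # refresh attributes on every login, not only at creation
        return user

    def configure_user(self, request, user, created=True):
        # Called by RemoteUserBackend when it creates an unknown user.
        self._apply_profile(user, saml_user_profile(
            request.META["SAML2_AUTH_RESPONSE"], self.allowed_domains, self.staff_groups))
        return user

    @staticmethod
    def _apply_profile(user, profile: Dict[str, object]) -> None:
        for attr in ("email", "first_name", "last_name", "is_staff"):
            setattr(user, attr, profile[attr])
        user.save()


# Constructed stand-ins for what the acs view would have parsed.
@dataclass
class _NameID:
    text: str
    format: str


@dataclass
class FakeAuthnResponse:
    name_id: _NameID
    identity: Dict[str, List[str]]

    def get_identity(self) -> Dict[str, List[str]]:
        return self.identity


SAMPLE_OK = FakeAuthnResponse(
    _NameID("Alice.Smith@Example.com", EMAIL_NAMEID_FORMAT),
    {"firstName": ["Alice"], "lastName": ["Smith"], "groups": ["netbox-admins", "eng"]},
)
SAMPLE_FOREIGN_DOMAIN = FakeAuthnResponse(
    _NameID("bob@attacker.example", EMAIL_NAMEID_FORMAT), {"groups": ["netbox-admins"]},
)
SAMPLE_WRONG_FORMAT = FakeAuthnResponse(
    _NameID("alice", "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"), {},
)
```

Django stops trying further backends as soon as one raises PermissionDenied, which is why the checks sit in authenticate() ahead of the call to the parent class: a user row is only created after the assertion has passed them. Setting create_unknown_user = False instead makes the backend refuse any account that has not been provisioned in Django beforehand.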
If you are using Netbox and you do not want to fork/modify the system settings.py file, please refer to netbox-plugin-auth-saml2.
Django3 auth SAML2 integration
We found that django3-auth-saml2 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.