
Support for Multiple IDPs

Open cyclops26 opened this issue 5 years ago • 2 comments

It appears that, based on the current configuration settings, only a single IDP is supported for connection. Is this accurate? If so, is there already an effort to add support for multiple IDPs (e.g. if this were used for a Django SaaS solution, where it would be an SP providing an application to multiple consuming entities with multiple IDPs)?

If not, that is ok, I just wanted to make sure that wasn't an effort already in place before I fork and start looking at adding support for it.

cyclops26, May 07 '19 15:05

Is the work in progress? It would be quite astounding and very helpful if the multiple-IDP configuration could be provided by the developers. I'm working on a project where earlier only one IDP was being used, and now we are moving ahead with using multiple IDPs. So I'm eagerly waiting for this update to pop up. Meanwhile, if anyone has any idea of a similar module providing multiple-IDP support, please help me out. I'll be very thankful.

vineetbamania, Apr 09 '20 09:04

@vkbamania the changes to make this work were fairly extensive, though we did complete them. However, because of the extensive nature of the changes, it was not possible to submit them as a PR to this repo, since the maintainer has specifically stated that:

So most non-security features or enhancements will be REJECTED. please fork your own version or just copy the code as you need. I want to make this module dead simple and reliable. That means when you have it properly configured, you are not likely to get into any troubles in the future.

That being the case, we forked and built from there.

It is currently housed in our internal repository as we were merging those changes into dozens of projects.

I will try to carve out some time this weekend to create an official fork and submit to PyPi as a new package.

We coded it to support "X" number of IDPs. Here is an example from our local settings, just to give you an idea so you can tell whether this would work for you. We also added some additional support for attribute and group mirroring, and for attribute mapping (i.e. instead of only on new user creation, it supports updating the attributes/groups on subsequent logins).

SAML2_AUTH = [
    {
        'IDP_ALIAS': 'customer-idp-01',
        'CALLBACK_URL': 'https://server.example.com/sso/acs/customer-idp-01/',
        'METADATA_AUTO_CONF_URL': 'https://adfs.customer-idp-01.com/federationmetadata/2007-06/federationmetadata.xml',
        'DEFAULT_NEXT_URL': '/admin',
        'CREATE_USER': 'TRUE',
        'NEW_USER_PROFILE': {
            'USER_GROUPS': ['ADMIN','APP_MANAGERS'],
            'ACTIVE_STATUS': True,
            'STAFF_STATUS': False,
            'SUPERUSER_STATUS': False,
        },
        'ATTRIBUTES_MAP': {
            'email': 'Email Address',
            'username': 'Username',
            'first_name': 'First Name',
            'last_name': 'Last Name',
            'groups': 'Roles',
        },
        'UPDATE_ATTRIBUTES': True,
        'ENTITY_ID': 'https://server.example.com/sso/acs/',
        'USE_JWT': True,
        'FRONTEND_URL': 'https://ui.example.com/login',
    },
    {
        'IDP_ALIAS': 'customer-idp-02',
        'CALLBACK_URL': 'https://server.example.com/sso/acs/customer-idp-02/',
        'METADATA_AUTO_CONF_URL': 'https://shibboleth.customer-idp-02.com/Shibboleth.sso/Metadata',
        'DEFAULT_NEXT_URL': '/admin',
        'CREATE_USER': 'TRUE',
        'NEW_USER_PROFILE': {
            'USER_GROUPS': [],
            'ACTIVE_STATUS': True,
            'STAFF_STATUS': False,
            'SUPERUSER_STATUS': False,
        },
        'ATTRIBUTES_MAP': {
            'email': 'Email',
            'username': 'Username',
            'first_name': 'First Name',
            'last_name': 'Last Name',
            'groups': 'User Groups',
        },
        'UPDATE_ATTRIBUTES': True,
        'ENTITY_ID': 'https://server.example.com/sso/acs/',
        'USE_JWT': True,
        'FRONTEND_URL': 'https://ui.example.com/login',
    },
]

cyclops26, Apr 09 '20 13:04
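The settings above raise the question of how an ACS endpoint picks the right entry out of a list of IDP configs and applies that entry's ATTRIBUTES_MAP. The following is an added example, not code from django-saml2-auth or from the fork described in this thread. It assumes a SAML2_AUTH list shaped like the one posted (IDP_ALIAS, CALLBACK_URL, ATTRIBUTES_MAP, UPDATE_ATTRIBUTES), an ACS URL whose last path segment is the alias, and a SAML response that the SAML library has already signature-verified and decoded into a plain dict; that dict, and the two-IDP settings list, are constructed stand-ins.

```python
"""Multi-IDP ACS handling: select the IDP config by alias, bind the response
to that IDP's ACS URL, and map assertion attributes onto Django user fields.

Added example (not django-saml2-auth or the fork's code). Assumes the
posted settings shape and a decoded, already signature-verified response.
"""

# Constructed settings in the same shape as the posted example (trimmed).
SAML2_AUTH = [
    {
        "IDP_ALIAS": "customer-idp-01",
        "CALLBACK_URL": "https://server.example.com/sso/acs/customer-idp-01/",
        "ATTRIBUTES_MAP": {"email": "Email Address", "username": "Username",
                           "groups": "Roles"},
        "UPDATE_ATTRIBUTES": True,
    },
    {
        "IDP_ALIAS": "customer-idp-02",
        "CALLBACK_URL": "https://server.example.com/sso/acs/customer-idp-02/",
        "ATTRIBUTES_MAP": {"email": "Email", "username": "Username",
                           "groups": "User Groups"},
        "UPDATE_ATTRIBUTES": False,
    },
]


def index_idps(settings_list):
    """Build alias -> config, refusing duplicate aliases or ACS URLs so an
    ambiguous configuration fails at startup rather than at login time."""
    by_alias, seen_urls = {}, set()
    for cfg in settings_list:
        alias, url = cfg["IDP_ALIAS"], cfg["CALLBACK_URL"]
        if alias in by_alias:
            raise ValueError(f"duplicate IDP_ALIAS {alias!r}")
        if url in seen_urls:
            raise ValueError(f"duplicate CALLBACK_URL {url!r}")
        by_alias[alias] = cfg
        seen_urls.add(url)
    return by_alias


def select_idp(idps, request_path):
    """Pick the config named by the alias segment of '/sso/acs/<alias>/'."""
    parts = [p for p in request_path.split("/") if p]
    if len(parts) != 3 or parts[:2] != ["sso", "acs"]:
        raise LookupError(f"not an ACS path: {request_path!r}")
    cfg = idps.get(parts[2])
    if cfg is None:
        raise LookupError(f"unknown IDP alias {parts[2]!r}")
    return cfg


def check_destination(cfg, response):
    """The response's Destination must equal this IDP's ACS URL exactly, so a
    response minted for one tenant's endpoint is rejected at another's."""
    dest = response.get("destination")
    if dest != cfg["CALLBACK_URL"]:
        raise ValueError(f"Destination {dest!r} != {cfg['CALLBACK_URL']!r}")


def map_attributes(cfg, attributes):
    """Translate IDP attribute names to Django fields via ATTRIBUTES_MAP.
    `attributes` is {idp_name: [values]}; scalar fields take the first
    value, 'groups' keeps the de-duplicated list. username/email are required."""
    out = {}
    for field, idp_name in cfg["ATTRIBUTES_MAP"].items():
        values = attributes.get(idp_name, [])
        if field == "groups":
            out[field] = sorted(set(values))
        elif values:
            out[field] = values[0]
    missing = [f for f in ("username", "email") if not out.get(f)]
    if missing:
        raise ValueError(f"assertion lacks required attributes: {missing}")
    return out


def handle_acs(settings_list, request_path, response):
    """Full ACS step. Returns (alias, mapped_fields, update_existing_user)."""
    cfg = select_idp(index_idps(settings_list), request_path)
    check_destination(cfg, response)
    fields = map_attributes(cfg, response["attributes"])
    return cfg["IDP_ALIAS"], fields, bool(cfg["UPDATE_ATTRIBUTES"])


# Constructed stand-in for a decoded, already signature-verified response.
SAMPLE_RESPONSE = {
    "destination": "https://server.example.com/sso/acs/customer-idp-01/",
    "attributes": {
        "Email Address": ["alice@customer-idp-01.com"],
        "Username": ["alice"],
        "Roles": ["APP_MANAGERS", "ADMIN", "APP_MANAGERS"],
    },
}

if __name__ == "__main__":
    print(handle_acs(SAML2_AUTH, "/sso/acs/customer-idp-01/", SAMPLE_RESPONSE))
```

Posting SAMPLE_RESPONSE to `/sso/acs/customer-idp-02/` fails in `check_destination`, which is the point of giving each IDP its own CALLBACK_URL. One thing the posted settings do not address is that two IDPs can both assert `Username` = `alice`; with a single Django user table that maps both to one account, so a per-tenant username prefix or an IDP-scoped lookup is something a fork would need to decide on.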