IdentityPython / djangosaml2

Django SAML2 Service Provider based on pySAML2
Apache License 2.0

Understanding the use of /saml2/metadata #346

Open ibouzidi opened 2 years ago

ibouzidi commented 2 years ago

Hello, I managed to integrate SAML authentication in my Django 3.2 application using the packages djangosaml2 and pysaml2, with Azure as the IdP.

In Azure I created a SAML application with these URLs: my entity ID: https://company.website.com/ ; assertion consumer service: https://company.website.com/saml/acs/

This is my login and logout redirection URL: https://login.microsoftonline.com/***-***-***6c/saml2 ; my Azure identifier: https://sts.windows.net/--***/ , present in my remote metadata.

With this configuration my authentication works very well: I can log in through https://company.website.com/saml/login/ and log out with https://company.website.com/saml/logout/

```python
import os

import saml2
import saml2.saml

# BASE_DIR is the usual Django settings constant, defined earlier in settings.py

SAML_CONFIG = {
    # full path to the xmlsec1 binary program
    'xmlsec_binary': '/usr/bin/xmlsec1',

    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': 'https://company.website.com/',

    # directory with attribute mapping
    'attribute_map_dir': os.path.join(BASE_DIR, 'attribute-maps'),

    # this block states what services we provide
    'service': {
        # we are just a lonely SP
        'sp': {
            'name': 'SP',
            'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
            # Enable AllowCreate in NameIDPolicy.
            'name_id_format_allow_create': False,

            # For Okta add signed logout requests. Enable this:
            # "logout_requests_signed": True,

            'endpoints': {
                # url and binding to the assertion consumer service view
                # do not change the binding or service name
                'assertion_consumer_service': [
                    ('https://company.website.com/saml/acs/',
                     saml2.BINDING_HTTP_REDIRECT),
                    ('https://company.website.com/saml/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                # url and binding to the single logout service view
                # do not change the binding or service name
                'single_logout_service': [
                    ('https://company.website.com/saml/ls/', saml2.BINDING_HTTP_REDIRECT),
                ],
            },

            # attributes that this project needs to identify a user
            'required_attributes': ['UserName'],
            # attributes that may be useful to have but not required
            'optional_attributes': ['Email'],

            'want_response_signed': False,
            'authn_requests_signed': False,
            'logout_requests_signed': False,
            # Indicates that Authentication Responses to this SP must
            # be signed. If set to True, the SP will not consume
            # any SAML Responses that are not signed.
            'want_assertions_signed': True,

            'only_use_keys_in_metadata': True,
            'force_authn': False,

            # When set to true, the SP will consume unsolicited SAML
            # Responses, i.e. SAML Responses for which it has not sent
            # a respective SAML Authentication Request.
            'allow_unsolicited': True,
        },
    },

    # where the remote metadata is stored, local, remote or mdq server.
    # One metadatastore or many ...
    'metadata': {
        'local': [os.path.join(BASE_DIR, 'remote_company.xml')],
    },

    # how long is our metadata valid
    'valid_for': 24 * 10,

    # set to 1 to output debugging information
    'debug': 1,
}
```

But what I don't understand is what the metadata at https://company.website.com/saml/metadata and this URL https://company.website.com/saml/ls/ are used for. In the docs it says: you need to send the entity id and the metadata of this new SP to the IdP administrators so they can add it to their list of trusted services.

If someone can explain it to me, that would be very helpful. Thanks in advance.

peppelinux commented 2 years ago

To enable an SP to request authentication from an IdP, the RP has to save the IdP metadata in its metadata store (you have configured a local folder, so download the IdP metadata and place it in that folder).

Then the IdP has to save the RP metadata.

Once you've done this, and if both metadata are valid and their URLs reachable over the internet, you'll be able to start your first authentication.

Welcome to the saml2 world
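The document the IdP administrator imports is exactly what the SP's metadata view publishes. As an added example (not code from this thread or from djangosaml2), the check below parses a constructed SP metadata file mirroring the SAML_CONFIG above and reports any mismatch against the entity ID and ACS URL registered at the IdP:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of what the SP metadata view would serve for the config in this thread.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" entityID="https://company.website.com/"
                     validUntil="2099-01-01T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://company.website.com/saml/ls/"/>
    <md:AssertionConsumerService Binding="{POST}" index="1"
                                 Location="https://company.website.com/saml/acs/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an IdP administrator keys on. Metadata fetched over the network is
    untrusted XML: use a hardened parser (e.g. defusedxml) there; ElementTree is fine for this local sample."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    valid_until = root.get("validUntil")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": datetime.fromisoformat(valid_until.replace("Z", "+00:00")) if valid_until else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "acs": [(e.get("Binding"), e.get("Location")) for e in sp.findall(f"{{{MD}}}AssertionConsumerService")],
        "slo": [(e.get("Binding"), e.get("Location")) for e in sp.findall(f"{{{MD}}}SingleLogoutService")],
    }

def check_sp_metadata(info: dict, entity_id: str, acs_url: str, now=None) -> list:
    """Return every mismatch between the published metadata and the SP registration the IdP expects."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["entity_id"] != entity_id:
        problems.append(f"entityID mismatch: {info['entity_id']!r}")
    if (POST, acs_url) not in info["acs"]:
        problems.append(f"no HTTP-POST AssertionConsumerService at {acs_url}")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is false")
    for _, location in info["acs"] + info["slo"]:
        if not location.startswith("https://"):
            problems.append(f"non-HTTPS endpoint: {location}")
    if info["valid_until"] and info["valid_until"] < now:
        problems.append("metadata validUntil has passed")
    return problems
```

Run it against the real output of the metadata view before sending the file to the IdP team; an empty list means the published metadata matches what you told them.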

ibouzidi commented 2 years ago

Thank you for the explanations. I take the opportunity to ask you a question: I added the groups in the SAML response, and my question is whether there is a way to fetch these groups so that, after authentication, the user gets the group attributes automatically in the Django database. If you have any idea that will point me in the right direction, thanks.

peppelinux commented 2 years ago

You can inherit from the class AssertionConsumerServiceView and override this method: https://github.com/IdentityPython/djangosaml2/blob/16bb169f894069fc350913cd36acc05c827f7a2f/djangosaml2/views.py#L601

Then you just have to point to your class in your project's urls.py: https://github.com/IdentityPython/djangosaml2/blob/master/tests/testprofiles/urls.py

Related to: https://github.com/IdentityPython/djangosaml2/blob/master/djangosaml2/urls.py

peppelinux commented 2 years ago

Feel free to push your contribution to the documentation with a PR, to help other developers get a better understanding of the internal API.

ibouzidi commented 2 years ago

Sorry, I'm sure you explained it well, but I don't follow. Do you have a concrete example?

peppelinux commented 2 years ago

In the current documentation we may have a section related to your use case and how you implemented it: a few lines of text that point to inheriting the view and overriding the method customize_session.
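A concrete version of what the replies above describe, written here as an added example rather than code from the thread or from djangosaml2: an ACS view subclass whose customize_session() mirrors the IdP's group attribute into user.groups. The attribute name "groups", the GROUP_MAP allow-list and the urls.py path are assumptions; values the IdP asserts that are not in the allow-list are deliberately ignored so that an unexpected claim cannot grant a Django group this SP never planned for.

```python
from typing import Dict, List

try:
    from djangosaml2.views import AssertionConsumerServiceView
except Exception:  # ImportError without djangosaml2; Django raises AppRegistryNotReady outside a project
    AssertionConsumerServiceView = object  # lets resolve_groups() run and be tested stand-alone

# Hypothetical allow-list: value of the IdP 'groups' attribute -> Django group name.
# Asserted values that are not listed here are ignored, so a stray or mis-assigned
# claim can never grant a Django group this SP did not plan for.
GROUP_MAP: Dict[str, str] = {
    "saml-app-admins": "admins",
    "saml-app-editors": "editors",
}


def resolve_groups(ava: Dict[str, List[str]], group_map=GROUP_MAP, attr="groups") -> List[str]:
    """Translate the asserted attribute values into Django group names.
    pysaml2 hands every attribute over as a list of strings under session_info['ava']."""
    wanted: List[str] = []
    for value in ava.get(attr, []):
        name = group_map.get(value.strip())
        if name and name not in wanted:
            wanted.append(name)
    return wanted


class GroupSyncACSView(AssertionConsumerServiceView):
    """ACS view that syncs the IdP groups into user.groups on every login.
    Point your urls.py at it, e.g. path('saml/acs/', GroupSyncACSView.as_view(), name='saml2_acs')."""

    def customize_session(self, user, session_info: dict):
        # Deferred import so this module can be imported before Django's app registry is ready.
        from django.contrib.auth.models import Group

        wanted = set(resolve_groups(session_info.get("ava", {})))
        managed = set(GROUP_MAP.values())
        # Only groups this view manages are touched; groups assigned by hand in the admin survive.
        current = set(user.groups.filter(name__in=managed).values_list("name", flat=True))
        for name in wanted - current:
            group, _ = Group.objects.get_or_create(name=name)
            user.groups.add(group)
        for name in current - wanted:
            user.groups.remove(Group.objects.get(name=name))
```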