Open tobru opened 1 year ago
It would be nice! I don't imagine it will be on the roadmap before 1.0, but I'll take it as a future feature request.
Hi,
just sharing here in case it is helpful for anyone, we use Takahe with Keycloak using SAML. Whilst there is no official support, it is fairly easy as with any generic Django application. I assume OIDC would work equally well, possibly even easier.
Here are the relevant parts in our settings.py; the biggest chunk is mostly SAML-related fine tuning:
```python
import os

import saml2
import saml2.saml
import saml2.xmldsig

LOGIN_URL = "/saml2/login/"
LOGOUT_URL = "/auth/logout/"

MIDDLEWARE = [
    # Takahe's other middleware entries are omitted here; only the
    # SAML-specific addition is shown
    "djangosaml2.middleware.SamlSessionMiddleware",
]

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'djangosaml2.backends.Saml2Backend',
)

SAML_CONFIG = {
    'xmlsec_binary': '/usr/bin/xmlsec1',
    'entityid': 'https://example.com/saml2/metadata/',
    'attribute_map_dir': os.path.join(BASE_DIR, 'attribute-maps'),
    'allow_unknown_attributes': False,
    'service': {
        'sp': {
            'name': 'Takahe',
            'name_id_format': saml2.saml.NAMEID_FORMAT_PERSISTENT,
            'endpoints': {
                'assertion_consumer_service': [
                    ('https://example.com/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                'single_logout_service': [
                    ('https://example.com/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    ('https://example.com/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },
            'signing_algorithm': saml2.xmldsig.SIG_RSA_SHA256,
            'digest_algorithm': saml2.xmldsig.DIGEST_SHA256,
            'force_authn': False,
            'name_id_format_allow_create': False,
            'required_attributes': ['email'],
            # Require signatures on responses and assertions, sign our own
            # requests, and only trust keys published in the IdP metadata
            'want_response_signed': True,
            'authn_requests_signed': True,
            'logout_requests_signed': True,
            'want_assertions_signed': True,
            'only_use_keys_in_metadata': True,
            'allow_unsolicited': False,
        },
    },
    'metadata': {
        'remote': [{"url": "https://libsso.net/realms/LibertaCasa/protocol/saml/descriptor"}],
    },
    'debug': 0,
    'key_file': '/etc/ssl/takahe/saml.key',
    'cert_file': '/etc/ssl/takahe/saml.crt',
}

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'console': {
            'class': 'logging.StreamHandler',
        },
    },
    'root': {
        'handlers': ['console'],
        'level': 'INFO',
    },
}
```
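The SP flags in the settings above are the ones that decide whether a forged or replayed response is accepted, so they are worth guarding against drift. As an added example (not Takahe's or djangosaml2's code), here is a small audit that walks a pysaml2-style `SAML_CONFIG` dict and reports any setting weaker than the values in the post; the checker function, the sample dict and the `idp.example.com` metadata URL are constructed for this illustration.

```python
import copy

# Expected values under SAML_CONFIG["service"]["sp"], matching the post above.
EXPECTED_SP_FLAGS = {
    "want_response_signed": True,
    "want_assertions_signed": True,
    "authn_requests_signed": True,
    "logout_requests_signed": True,
    "only_use_keys_in_metadata": True,
    "allow_unsolicited": False,
    "name_id_format_allow_create": False,
}


def audit_saml_config(cfg):
    """Return a list of findings; an empty list means nothing weaker than expected."""
    findings = []
    sp = cfg.get("service", {}).get("sp", {})
    for key, wanted in EXPECTED_SP_FLAGS.items():
        actual = sp.get(key)
        if actual != wanted:
            findings.append(f"sp.{key} is {actual!r}, expected {wanted!r}")
    if cfg.get("allow_unknown_attributes", False):
        findings.append("allow_unknown_attributes should be False")
    if not sp.get("required_attributes"):
        findings.append("sp.required_attributes is empty")
    for md in cfg.get("metadata", {}).get("remote", []):
        url = md.get("url", "")
        if not url.startswith("https://"):
            findings.append(f"remote IdP metadata not fetched over TLS: {url}")
    return findings


# Constructed sample: the hardened SP settings from the post, without the
# saml2.* binding/algorithm constants so this runs without pysaml2 installed.
HARDENED = {
    "allow_unknown_attributes": False,
    "service": {"sp": {"required_attributes": ["email"], **EXPECTED_SP_FLAGS}},
    "metadata": {"remote": [{"url": "https://idp.example.com/saml/descriptor"}]},
    "debug": 0,
}


def weakened_copy():
    """HARDENED with three settings loosened, as a test input for the audit."""
    weak = copy.deepcopy(HARDENED)
    weak["service"]["sp"]["want_assertions_signed"] = False
    weak["service"]["sp"]["allow_unsolicited"] = True
    weak["metadata"]["remote"][0]["url"] = "http://idp.example.com/saml/descriptor"
    return weak
```

Running `audit_saml_config` against the real `SAML_CONFIG` in a Django system check or CI step catches a flag being flipped during later tuning.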
Oh nice, thanks for that! Certainly helps things while I get around to adding it in centrally (which won't be for a bit, there's other bigger things to add!)
It would be cool if it were possible to authenticate to Takahe using OIDC, for example leveraging Keycloak for that or any other service providing SSO services.