Thank you! Can you please post a more complete example of integration? This will be very useful to many people here.
On Saturday, 8 December 2018 07:37:13 UTC-8, Pbop wrote:

> Greetings Fellow Web2Pyers,
>
> It's the season of giving. I hope what I share inspires others to share some of their tips and tricks in Web2Py that others can use! Many thanks to the community for your great help in the past!
>
> This post assumes the reader has limited exposure to SAML2. The solution here allows any Web2Py app hosted on servers you control to work with any SAML2 IDP (in theory).
>
> SAML2 is a mark-up language to support federated single-sign-on services, which include Microsoft ADFS and Azure, Shibboleth and Okta, to name a few. What's cool with federated SSO is that your web2py app can support SSO with any of these services with only registration information needing to be shared. Conversely, when you authenticate into any of these providers, you gain access, with the same credentials, to any other application also registered with the provider.
>
> For those not familiar with how SAML2 works, there are two pieces of technology needed: an IDP (identity provider) and an SP (service provider). Microsoft refers to the IDP as the Claims Provider and the SP as the Relying Party. The IDP is where the user authenticates; it contains identity information about the user and which applications the user is allowed to access. The SP is the application (your Web2Py app) that wants to use the IDP for sign-on services. When the user lands on the SP and is not authenticated, the user is redirected to the IDP. The IDP presents the user with a login form, which means the user is authenticating into the IDP, not directly into your application. On submission of credentials, the IDP completes the sign-on process and redirects the authenticated and authorized user back to the SP (your application).
>
> When redirecting the user back to the SP, the post back includes whatever identity information the IDP is authorized to release to the SP, such as first and last name, email, organization... This is different from CAS or AD, which return only a login name or unique identifier. The IDP can release any information it has about the user, which means your app gains access to both authentication and identity management services.
>
> While there are a number of Python-based SAML2 implementations, including a 5-year-old web2py version, it gets fairly deep into details that can be entirely avoided with what I am about to share.
>
> Shibboleth is a SAML2 implementation you can use to make your Web2Py app SAML2-ready immediately. Shibboleth is used mostly in higher education and includes both IDP and SP software installations. Both are open-source downloads that you can install on a web server (Unix and IIS), but we're only interested in the service provider installation. The service provider, when installed on your server, can protect a folder, including a web2py application/controller/function folder. By protecting the folder your web2py app is running against, you instantly gain SAML2 capability and out-of-the-box support for any SAML2 IDP. This is because all of the identity attributes are now available as name-value pairs in the headers (the web2py request.env object) once the user is authenticated.
>
> To show how easy this is, let's say the folder we want the Shibboleth service provider to protect is welcome\secure, where secure is your controller in the welcome app using a default function. When the user lands on that folder, the Shibboleth SP kicks in and redirects the user to the IDP. Your web2py app will not even respond until Shibboleth has authenticated you. The user logs on at the IDP, the IDP determines the user is authenticated and then redirects back to the protected folder. Since Shibboleth has determined you are now authorized to use the folder, your web2py app fires and all of the identity attributes are available for your web2py application in the request.env object to use as you need.
>
> Here is a set of headers from a Shibboleth authentication. This represents what the IDP is releasing back to the SP and, in turn, the header variables available to your web2py app.
>
>     http_cn : Joe Shmoe
>     http_officialemail : jsh...@schmoeland.com
>     http_uclalabasuuid : 202e96f3-919f-479e-80e1-9a03f2416b9d
>     http_uid : f0007939
>
> For your web2py app to use this data it is simple variable assignments...
>
>     # Load Shibboleth Attributes
>     from gluon.storage import Storage  # web2py's attribute-access dict
>     data = request.env                 # header variables set by the Shibboleth SP
>     ucla = Storage()
>     ucla.university_id = data['http_uid']
>     ucla.email = data['http_officialemail']
>     ...
>
>     # Onward...
>
> What identity attributes (header variables) are returned is a function of the Shibboleth SP configuration with whatever IDP you are using and what your app needs. Shibboleth handles producing the metadata the IDP needs, login and logout services, offers comprehensive logging and has an active community. To make your app SAML2-ready, you register the path in the Shibboleth configuration file. You can get started with this approach at www.testshib.org.
>
> Pay it forward!
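Editor's added example (my code, not Pbop's and not part of Shibboleth or web2py): how a controller behind the Shibboleth SP can consume the header variables the post lists, with the check a practitioner would want before trusting them. It only accepts the attributes when the request carries the SP's own Shib-Session-ID marker, maps attribute ids from attribute-map.xml to the request.env key form the post shows (http_<name>, lowercased), and splits the ';'-joined form the SP uses for multi-valued attributes. The two environ dicts are constructed samples: the values are made up, the IdP URL is a placeholder, and eduPersonAffiliation is an attribute the post does not mention, added to show the multi-valued case. Plain dicts stand in for request.env so it runs outside web2py.

```python
"""Consume Shibboleth SP attributes from web2py's request.env.

The SP (in header mode, as in the post) exports each released attribute as
an HTTP header; the web server turns that into HTTP_<NAME> and web2py
lowercases the key into request.env.
"""

# Constructed sample of request.env after the SP authenticated the user.
# Shib-Session-ID and Shib-Identity-Provider are the SP's own session headers;
# attribute names follow the post, values are made up, and
# eduPersonAffiliation is added to show a multi-valued (';'-joined) attribute.
SAMPLE_ENV_AUTHENTICATED = {
    "path_info": "/welcome/secure/index",
    "http_shib_session_id": "_5a1f3c0d9e8b7a6c5d4e3f2a1b0c9d8e",
    "http_shib_identity_provider": "https://idp.example.edu/idp/shibboleth",
    "http_cn": "Joe Shmoe",
    "http_officialemail": "jshmoe@example.edu",
    "http_uid": "f0007939",
    "http_uclalabasuuid": "202e96f3-919f-479e-80e1-9a03f2416b9d",
    "http_edupersonaffiliation": "member;staff",
}

# Constructed sample of a request that never passed through the SP (a client
# reaching the app directly and supplying its own uid header). There is no
# Shib-Session-ID, so nothing in it may be trusted.
SAMPLE_ENV_SPOOFED = {
    "path_info": "/welcome/secure/index",
    "http_uid": "f0000001",
    "http_officialemail": "attacker@example.net",
}

MULTI_VALUED = ("eduPersonAffiliation",)


class ShibbolethSessionError(Exception):
    """No SP session on the request, or a required attribute was not released."""


def env_key(attribute_id):
    """Map an attribute id from attribute-map.xml to its request.env key.

    'officialEmail' -> header 'officialEmail' -> CGI 'HTTP_OFFICIALEMAIL'
    -> web2py 'http_officialemail'; a '-' in a header name becomes '_'.
    """
    return "http_" + attribute_id.replace("-", "_").lower()


def split_values(raw):
    """Split a multi-valued attribute; the SP joins values with ';'."""
    return [v for v in raw.split(";") if v]


def load_shib_identity(env, required=("uid", "officialEmail"),
                       optional=("cn", "uclaLabAsUuid", "eduPersonAffiliation")):
    """Return an identity dict built from env, or raise ShibbolethSessionError.

    The Shib-Session-ID marker is checked first: without it the SP did not
    process this request and the attribute headers are client-supplied.
    Required attributes must be present and non-empty; optional ones are
    copied when released. Multi-valued attributes come back as lists.
    """
    session_id = env.get(env_key("Shib-Session-ID"))
    if not session_id:
        raise ShibbolethSessionError(
            "no Shib-Session-ID: request did not pass through the Shibboleth SP")
    identity = {
        "session_id": session_id,
        "idp": env.get(env_key("Shib-Identity-Provider")),
    }
    for attr in required:
        value = env.get(env_key(attr))
        if not value:
            raise ShibbolethSessionError(
                "IdP did not release required attribute %r" % attr)
        identity[attr] = value
    for attr in optional:
        value = env.get(env_key(attr))
        if value:
            identity[attr] = value
    for attr in MULTI_VALUED:
        if attr in identity:
            identity[attr] = split_values(identity[attr])
    return identity


def current_user(env):
    """Return the identity dict, or None when the request carries no usable
    SP session, so a controller can render its own 'not signed in' page."""
    try:
        return load_shib_identity(env)
    except ShibbolethSessionError:
        return None


if __name__ == "__main__":
    print(load_shib_identity(SAMPLE_ENV_AUTHENTICATED))
    print(current_user(SAMPLE_ENV_SPOOFED))  # None
```

In a web2py controller this becomes `ucla = Storage(load_shib_identity(request.env))` (Storage from gluon.storage). One caveat: the Shib-Session-ID check only tells you the SP module processed the request. In header mode the SP relies on stripping those header names from incoming requests, so if the app can be reached by any route the SP does not cover (for example the WSGI port directly, or a path outside the registered one), a client can supply every one of these headers itself. Make sure every route into the app passes through the SP, and where the web server supports it prefer the SP's environment-variable export over HTTP headers, which the Shibboleth documentation recommends for exactly this reason.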