Django SAML integration


Problem description

I am using Django 1.9 and Python 3, running locally on Docker (for testing), and I am trying to integrate django-saml2-auth into my application.
I pretty much followed all the steps in the docs:
1) All installations were successful
2) New URLs were imported above the rest
3) Installed apps includes 'django_saml2_auth'
4) 'SAML2_AUTH' dict was placed in settings (and all attributes were mapped)
5) In the SAML2 identity provider (using OneLogin), the Single-sign-on URL and Audience URI (SP Entity ID) were set to http://127.0.0.1:8000/saml2_auth/acs/

What happens is that when I get to http://127.0.0.1:8000/admin the browser goes into an infinite redirect loop:

...
[02/May/2018 15:43:06] "GET /admin/ HTTP/1.1" 302 0
[02/May/2018 15:43:06] "GET /admin/login/?next=/admin/ HTTP/1.1" 302 0
[02/May/2018 15:43:07] "POST /saml2_auth/acs/ HTTP/1.1" 302 0
[02/May/2018 15:43:07] "GET /admin/ HTTP/1.1" 302 0
[02/May/2018 15:43:07] "GET /admin/login/?next=/admin/ HTTP/1.1" 302 0
[02/May/2018 15:43:08] "POST /saml2_auth/acs/ HTTP/1.1" 302 0
[02/May/2018 15:43:08] "GET /admin/ HTTP/1.1" 302 0
...

  • When I disable django-saml2-auth I see that a staff user was created.
  • In the OneLogin interface I can see that I logged in successfully.

Overriding django_saml2_auth.views.signin(r), where r is a django.core.handlers.wsgi.WSGIRequest, for <WSGIRequest: GET '/admin/login/?next=/admin/'>, and in the request, the user is set to AnonymousUser, COOKIES contain sessionid and csrftoken.

I would expect that a session would start for the user that was created/fetched, and that I will get to an /admin/<whatever> page.

I will appreciate any help in debugging this, thank you!

I was able to get it to work by removing AUTHENTICATION_BACKENDS from settings.py. I have 3 other backends that I use. It seems like they conflict with django-saml2-auth.
Is there any way to get django-saml2-auth to work with other backends?

EDIT 2: Will try to integrate django-saml2-pro-auth, which has a backend, so it will not conflict. I would really appreciate some insight though.

EDIT 3: Back to EDIT 2: when I remove all the backends and they don't conflict, the log flow looks like this:

[04/May/2018 15:24:26] "GET /admin/ HTTP/1.1" 302 0
[04/May/2018 15:24:27] "GET /admin/login/?next=/admin/ HTTP/1.1" 302
[04/May/2018 15:26:27] "POST /saml2_auth/acs/ HTTP/1.1" 302 0
[04/May/2018 15:26:27] "GET /admin/ HTTP/1.1" 200 38398

Where the last GET does not get redirected, with 200.

Recommended answer

Issue resolved: after taking a deeper dive, it seems like this code is the issue:
In django_saml2_auth/views.py, acs():

if target_user.is_active:
    target_user.backend = 'django.contrib.auth.backends.ModelBackend'
    login(r, target_user)
else:
    return HttpResponseRedirect(get_reverse([denied, 'denied', 'django_saml2_auth:denied']))

It seems like the default ModelBackend is necessary. When other backends are used, the default is no longer used by Django, and hence the infinite loop. If the default backend is added to the list of backends, everything works as intended.
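
The behaviour described in this answer, as an added example that is not part of the original post or of django-saml2-auth: a simplified pure-Python model of Django's session lookup, in which a login recorded under a backend path is honoured on later requests only if that path is listed in AUTHENTICATION_BACKENDS. The three custom backend paths are hypothetical, and the /admin/login/ hop is left out of the trace.

```python
# Added example: simplified model of Django's session auth, not Django's own code.
MODEL_BACKEND = "django.contrib.auth.backends.ModelBackend"  # hard-coded in acs()

# Hypothetical custom backends standing in for the asker's three.
CUSTOM_ONLY = [
    "myapp.backends.TokenBackend",
    "myapp.backends.LdapBackend",
    "myapp.backends.ApiKeyBackend",
]
WITH_DEFAULT = CUSTOM_ONLY + [MODEL_BACKEND]


def login(session, user_id, backend_path):
    """Model of login(): store the user id and the backend that vouched for it."""
    session["_auth_user_id"] = user_id
    session["_auth_user_backend"] = backend_path


def get_user(session, authentication_backends):
    """Model of the per-request lookup: a stored backend path that is not in
    AUTHENTICATION_BACKENDS is ignored and the request stays anonymous."""
    backend_path = session.get("_auth_user_backend")
    if backend_path not in authentication_backends:
        return None  # treated as AnonymousUser
    return session.get("_auth_user_id")


def simulate_admin_flow(authentication_backends, max_rounds=3):
    """Replay GET /admin/ -> IdP -> POST /saml2_auth/acs/ for a few rounds."""
    session, trace = {}, []
    for _ in range(max_rounds):
        if get_user(session, authentication_backends) is not None:
            trace.append("GET /admin/ 200")
            return trace
        trace.append("GET /admin/ 302")
        trace.append("POST /saml2_auth/acs/ 302")
        login(session, "staff-user", MODEL_BACKEND)  # what acs() does
    return trace


def missing_backend(authentication_backends):
    """Settings check: True when acs() would log users in under an unlisted backend."""
    return MODEL_BACKEND not in authentication_backends


if __name__ == "__main__":
    print(simulate_admin_flow(CUSTOM_ONLY))   # redirects until max_rounds
    print(simulate_admin_flow(WITH_DEFAULT))  # reaches /admin/ after one ACS POST
```
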
