Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-10-27 Thread Massimo Di Pierro
I too could use more info about how to use web2py SAML with Shibboleth. In 
particular I would like some help testing py4web with Shibboleth to make 
sure it is compliant.

On Tuesday, 22 October 2019 04:34:53 UTC-7, Davidiam wrote:
>
> Thank you.  In the meantime we have gotten Shibboleth working correctly 
> and we have just added an auth login to the user method in the default 
> controller for the app.
> This way, users are automatically logged in as soon as they call a method 
> requiring login or a group membership.
>
> So far seems to be working well.  We are still ironing out some finer 
> points of the implementation.
>
> Kind Regards,
> David
>
> On Monday, August 19, 2019 at 3:58:37 PM UTC+2, Pbop wrote:
>>
>> I am not familiar enough with how AUTH works but can offer a perspective 
>> that might help to the level you want AUTH to support AD or SAML2 SSOs. 
>>
>> In both AD and SAML using the Shibboleth IIS Plug-in, you are in essence 
>> designating a protected folder on the IIS web-server to require 
>> authentication. In other words, if you land to that protected folder and 
>> are NOT authenticated, IIS presents to the user an IIS generated 
>> Challenge/Response screen to enter credentials for AD or sends you to the 
>> IDP server (which can be any SAML2 IDP such as Shibboleth, ADFS, Azure, 
>> Google, Okta... ) for authentication. In both cases once IIS determines you 
>> are authenticated (not the web-app), you ultimately are redirected back to 
>> the protected folder as an authenticated user. As an authenticated user, 
>> your browser header now has your login id in the header for AD and whatever 
>> identity attributes are released from the IDP server such as login id, 
>> email, employee number, full name, shoe size... The catch to SAML2 is the 
>> identity attributes can be whatever you agree to in the initial 
>> configuration. 
>>
>> My point is authentication is managed at the web-server and does not need 
>> to be in the web application. What does need to be in the web application, 
>> if AUTH is to be used, is some sort of mapping of the browser header 
>> variables to appropriate columns and extending the data model if additional 
>> identity attributes are needed once the user is authenticated. 
>>
>> Perhaps I am over simplifying! Hope this helps! 
>>
>>
>> On Sunday, August 18, 2019 at 1:35:32 AM UTC-4, Massimo Di Pierro wrote:
>>>
>>> web2py or py4web? I could use some help getting it to work for py4web.
>>>
>>> On Thursday, 1 August 2019 07:08:10 UTC-7, Davidiam wrote:

>>>> We are working on a Shibboleth implementation now. So far it is working 
>>>> better than the other tests we did on Windows.
>>>>
>>>> We wanted to test it using a localhost Shibboleth sp and idp but it 
>>>> wasn't clear to us how we needed to configure it.
>>>>
>>>> Thanks for the tip! 



-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/16fafae5-54e2-4edb-81c6-2e231e613a39%40googlegroups.com.


Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-10-27 Thread Mamisoa Andriantafika
Hi,

I'm working on it at the moment, i.e. Web2py <-> Shibboleth with Apache <-> 
3rd party provider.

Could you give me a hint on how you managed to get this to work between Web2Py and 
Shibboleth?

Mamisoa


On Tuesday, 22 October 2019 13:34:53 UTC+2, Davidiam wrote:
>
> Thank you.  In the meantime we have gotten Shibboleth working correctly 
> and we have just added an auth login to the user method in the default 
> controller for the app.
> This way, users are automatically logged in as soon as they call a method 
> requiring login or a group membership.
>
> So far seems to be working well.  We are still ironing out some finer 
> points of the implementation.
>
> Kind Regards,
> David
>
> On Monday, August 19, 2019 at 3:58:37 PM UTC+2, Pbop wrote:
>>
>> I am not familiar enough with how AUTH works but can offer a perspective 
>> that might help to the level you want AUTH to support AD or SAML2 SSOs. 
>>
>> In both AD and SAML using the Shibboleth IIS Plug-in, you are in essence 
>> designating a protected folder on the IIS web-server to require 
>> authentication. In other words, if you land to that protected folder and 
>> are NOT authenticated, IIS presents to the user an IIS generated 
>> Challenge/Response screen to enter credentials for AD or sends you to the 
>> IDP server (which can be any SAML2 IDP such as Shibboleth, ADFS, Azure, 
>> Google, Okta... ) for authentication. In both cases once IIS determines you 
>> are authenticated (not the web-app), you ultimately are redirected back to 
>> the protected folder as an authenticated user. As an authenticated user, 
>> your browser header now has your login id in the header for AD and whatever 
>> identity attributes are released from the IDP server such as login id, 
>> email, employee number, full name, shoe size... The catch to SAML2 is the 
>> identity attributes can be whatever you agree to in the initial 
>> configuration. 
>>
>> My point is authentication is managed at the web-server and does not need 
>> to be in the web application. What does need to be in the web application, 
>> if AUTH is to be used, is some sort of mapping of the browser header 
>> variables to appropriate columns and extending the data model if additional 
>> identity attributes are needed once the user is authenticated. 
>>
>> Perhaps I am over simplifying! Hope this helps! 
>>
>>
>> On Sunday, August 18, 2019 at 1:35:32 AM UTC-4, Massimo Di Pierro wrote:
>>>
>>> web2py or py4web? I could use some help getting it to work for py4web.
>>>
>>> On Thursday, 1 August 2019 07:08:10 UTC-7, Davidiam wrote:

>>>> We are working on a Shibboleth implementation now. So far it is working 
>>>> better than the other tests we did on Windows.
>>>>
>>>> We wanted to test it using a localhost Shibboleth sp and idp but it 
>>>> wasn't clear to us how we needed to configure it.
>>>>
>>>> Thanks for the tip! 





Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-10-22 Thread Davidiam
Thank you.  In the meantime we have gotten Shibboleth working correctly and 
we have just added an auth login to the user method in the default 
controller for the app.
This way, users are automatically logged in as soon as they 
call a method requiring login or a group membership.

So far seems to be working well.  We are still ironing out some finer 
points of the implementation.

Kind Regards,
David

On Monday, August 19, 2019 at 3:58:37 PM UTC+2, Pbop wrote:
>
> I am not familiar enough with how AUTH works but can offer a perspective 
> that might help to the level you want AUTH to support AD or SAML2 SSOs. 
>
> In both AD and SAML using the Shibboleth IIS Plug-in, you are in essence 
> designating a protected folder on the IIS web-server to require 
> authentication. In other words, if you land to that protected folder and 
> are NOT authenticated, IIS presents to the user an IIS generated 
> Challenge/Response screen to enter credentials for AD or sends you to the 
> IDP server (which can be any SAML2 IDP such as Shibboleth, ADFS, Azure, 
> Google, Okta... ) for authentication. In both cases once IIS determines you 
> are authenticated (not the web-app), you ultimately are redirected back to 
> the protected folder as an authenticated user. As an authenticated user, 
> your browser header now has your login id in the header for AD and whatever 
> identity attributes are released from the IDP server such as login id, 
> email, employee number, full name, shoe size... The catch to SAML2 is the 
> identity attributes can be whatever you agree to in the initial 
> configuration. 
>
> My point is authentication is managed at the web-server and does not need 
> to be in the web application. What does need to be in the web application, 
> if AUTH is to be used, is some sort of mapping of the browser header 
> variables to appropriate columns and extending the data model if additional 
> identity attributes are needed once the user is authenticated. 
>
> Perhaps I am over simplifying! Hope this helps! 
>
>
> On Sunday, August 18, 2019 at 1:35:32 AM UTC-4, Massimo Di Pierro wrote:
>>
>> web2py or py4web? I could use some help getting it to work for py4web.
>>
>> On Thursday, 1 August 2019 07:08:10 UTC-7, Davidiam wrote:
>>>
>>> We are working on a Shibboleth implementation now. So far it is working 
>>> better than the other tests we did on Windows.
>>>
>>> We wanted to test it using a localhost Shibboleth sp and idp but it 
>>> wasn't clear to us how we needed to configure it.
>>>
>>> Thanks for the tip! 
>>>
>>>



Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-08-19 Thread Pbop
I am not familiar enough with how AUTH works but can offer a perspective 
that might help to the level you want AUTH to support AD or SAML2 SSOs. 

In both AD and SAML using the Shibboleth IIS Plug-in, you are in essence 
designating a protected folder on the IIS web-server to require 
authentication. In other words, if you land to that protected folder and 
are NOT authenticated, IIS presents to the user an IIS generated 
Challenge/Response screen to enter credentials for AD or sends you to the 
IDP server (which can be any SAML2 IDP such as Shibboleth, ADFS, Azure, 
Google, Okta... ) for authentication. In both cases once IIS determines you 
are authenticated (not the web-app), you ultimately are redirected back to 
the protected folder as an authenticated user. As an authenticated user, 
your browser header now has your login id in the header for AD and whatever 
identity attributes are released from the IDP server such as login id, 
email, employee number, full name, shoe size... The catch to SAML2 is the 
identity attributes can be whatever you agree to in the initial 
configuration. 

My point is authentication is managed at the web-server and does not need 
to be in the web application. What does need to be in the web application, 
if AUTH is to be used, is some sort of mapping of the browser header 
variables to appropriate columns and extending the data model if additional 
identity attributes are needed once the user is authenticated. 

Perhaps I am over simplifying! Hope this helps! 


On Sunday, August 18, 2019 at 1:35:32 AM UTC-4, Massimo Di Pierro wrote:
>
> web2py or py4web? I could use some help getting it to work for py4web.
>
> On Thursday, 1 August 2019 07:08:10 UTC-7, Davidiam wrote:
>>
>> We are working on a Shibboleth implementation now. So far it is working 
>> better than the other tests we did on Windows.
>>
>> We wanted to test it using a localhost Shibboleth sp and idp but it 
>> wasn't clear to us how we needed to configure it.
>>
>> Thanks for the tip! 
>>
>>



Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-08-17 Thread Massimo Di Pierro
web2py or py4web? I could use some help getting it to work for py4web.

On Thursday, 1 August 2019 07:08:10 UTC-7, Davidiam wrote:
>
> We are working on a Shibboleth implementation now. So far it is working 
> better than the other tests we did on Windows.
>
> We wanted to test it using a localhost Shibboleth sp and idp but it wasn't 
> clear to us how we needed to configure it.
>
> Thanks for the tip! 
>
>



Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-08-01 Thread Davidiam
We are working on a Shibboleth implementation now. So far it is working better 
than the other tests we did on Windows.

We wanted to test it using a localhost Shibboleth sp and idp but it wasn't 
clear to us how we needed to configure it.

Thanks for the tip! 



Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-07-24 Thread Pbop
Suggest you research Shibboleth as a SAML layer for your web2py app or if 
you choose to use another framework. You can use Shibboleth to protect a virtual 
folder to any SAML IDP. If the protected folder is your web2py app, SHIB does 
the authentication and your web2py app can use any of the identity attributes 
returned in the header to complete an SSO or registration workflow. We have 
successfully used Shib to connect to ADFS, Azure, Google, Shibboleth and 
custom IDPs. There is a lot to learn about SAML and Shib is extremely well 
documented. 

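Added example, not code from the thread or from web2py: one way to do the header-to-column mapping described in the message above and in Pbop's 2019-08-19 reply, written in Python. The variable names, the `;` multi-value separator and the `auth_user` column names are assumptions, and the values are only trustworthy when the web server in front of the app sets them and the app cannot be reached by a path that bypasses it.

```python
# Added example. Variable names are assumed; they depend on the SP's attribute map.
SESSION_VAR = "HTTP_SHIB_SESSION_ID"   # assumed: header export, WSGI-style key
ATTRIBUTE_MAP = {                      # auth_user column -> server variable (assumed)
    "username": "HTTP_EPPN",
    "email": "HTTP_MAIL",
    "first_name": "HTTP_GIVENNAME",
    "last_name": "HTTP_SN",
}
REQUIRED = ("username", "email")
MAX_LEN = 254

# Constructed sample of what the app might see after the SP has authenticated a user.
SAMPLE_ENVIRON = {
    "HTTP_SHIB_SESSION_ID": "_constructed-session-id",
    "HTTP_EPPN": "jdoe@example.org",
    "HTTP_MAIL": "jdoe@example.org;john.doe@example.org",
    "HTTP_GIVENNAME": "John",
    "HTTP_SN": "Doe",
}


class IdentityError(ValueError):
    """The request does not carry a usable identity from the SP."""


def split_values(raw):
    """Split a multi-valued attribute; assumes ';' separates and '\\;' escapes."""
    values, current, escaped = [], [], False
    for ch in raw:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
    values.append("".join(current))
    return [v.strip() for v in values if v.strip()]


def identity_from_environ(environ, attribute_map=ATTRIBUTE_MAP, required=REQUIRED):
    """Return a dict keyed by auth_user column, or raise IdentityError."""
    if not environ.get(SESSION_VAR, "").strip():
        raise IdentityError("no SP session, refusing to build an identity")
    row = {}
    for column, var in attribute_map.items():
        values = split_values(environ.get(var, ""))
        if not values:
            if column in required:
                raise IdentityError("missing required attribute: " + column)
            continue
        value = values[0]  # single-valued column: keep the first released value
        if len(value) > MAX_LEN or any(ord(c) < 32 for c in value):
            raise IdentityError("malformed value for: " + column)
        row[column] = value
    if "email" in row and "@" not in row["email"]:
        raise IdentityError("email attribute is not an address")
    return row

if __name__ == "__main__":
    print(identity_from_environ(SAMPLE_ENVIRON))
```

The function fails closed: a request without the session variable or without a required attribute raises instead of producing a partly filled user row.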


Re: [web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-07-24 Thread Nico Zanferrari
Well,

for the binary build I also had these kinds of problems. I was finally able
to install it by using the wheel (but I've not tested it):
"download the file python_ldap-3.1.0-cp37-cp37m-win_amd64.whl from
https://www.lfd.uci.edu/~gohlke/pythonlibs/ and install it from that folder
with the command 'pip install python_ldap-3.1.0-cp37-cp37m-win_amd64.whl'".

I hope it helps somehow ;-)

Nico


On Wed, 24 Jul 2019 at 14:00, Davidiam wrote:

> We have been trying to implement a web2py project on a Windows IIS server
> for the last few weeks and we are currently considering abandoning the
> project due to the absence of LDAP and SAML modules for Windows.
>
> We are running python 3.7 with IIS 8.  We managed to get that
> configuration running pretty easily.  We then tried to integrate ldap.
> python-ldap seems to depend on Openldap and from what we can see, doesn't
> work on Windows for Python 3.7.
> Pyldap3 seems to work better, but would need to be integrated into the
> auth framework of Web2Py but the project decided to prefer SAML so the
> pyldap3 option was put on hold.
>
> We started trying to implement SAML. Python-saml also seems to have been
> made for Linux but doesn't seem to work in Windows with Python 3.7.
>
> We then tried Pysaml2, which installed without a problem, but we saw that
> we also needed xmlsec and then we started running into other errors and
> still have not managed to install the other modules needed like xmlsec
> (maybe due to our secure environment and firewall settings).
>
> Question : Is it even possible to use SAML with Python 3.7 on Windows ??
> We have lost already weeks on this and we don't want to lose more time if
> in the end it isn't possible.
> Has anyone done this ?  How did you do it ?  If it is a lost cause I
> prefer knowing that now.
>
> It basically looks like most modules needed were built for Linux and not
> for Windows and for python 2.7 and not for python 3.X.
>
> Your help or input will be greatly appreciated !!  Would especially
> appreciate any feedback from Massimo if he reads this.
>


[web2py] Web2Py with LDAP and SAML : Is it worth it for Windows ?

2019-07-24 Thread Davidiam
We have been trying to implement a web2py project on a Windows IIS server 
for the last few weeks and we are currently considering abandoning the 
project due to the absence of LDAP and SAML modules for Windows.

We are running python 3.7 with IIS 8.  We managed to get that configuration 
running pretty easily.  We then tried to integrate ldap.
python-ldap seems to depend on Openldap and from what we can see, doesn't 
work on Windows for Python 3.7.
Pyldap3 seems to work better, but would need to be integrated into the auth 
framework of Web2Py but the project decided to prefer SAML so the pyldap3 
option was put on hold.

We started trying to implement SAML. Python-saml also seems to have been 
made for Linux but doesn't seem to work in Windows with Python 3.7.

We then tried Pysaml2, which installed without a problem, but we saw that 
we also needed xmlsec and then we started running into other errors and 
still have not managed to install the other modules needed like xmlsec 
(maybe due to our secure environment and firewall settings).

Question : Is it even possible to use SAML with Python 3.7 on Windows ??  
We have lost already weeks on this and we don't want to lose more time if 
in the end it isn't possible.
Has anyone done this ?  How did you do it ?  If it is a lost cause I prefer 
knowing that now.

It basically looks like most modules needed were built for Linux and not 
for Windows and for python 2.7 and not for python 3.X.

Your help or input will be greatly appreciated !!  Would especially 
appreciate any feedback from Massimo if he reads this.
