Greetings Fellow Web2Pyers, It's the season of giving. I hope what I share inspires others to share some of their tips and tricks in Web2Py that others can use! Many thanks to the community for your great help in the past!
This post assumes the reader has limited exposure to SAML2. The solution here allows any Web2Py app hosted on servers you control to work with any SAML2 IDP (in theory). SAML2 is a mark-up language to support federated single-sign-on services, which include Microsoft ADFS and Azure, Shibboleth and Okta, to name a few. What's cool with federated SSO is that your web2py app can support SSO with any of these services with only registration information needing to be shared. Conversely, when you authenticate into any of these providers, you gain access to any other application registered with the same provider using the same credentials.

For those not familiar with how SAML2 works, there are two pieces of technology needed: an IDP (identity provider) and the SP (service provider). Microsoft refers to the IDP as the Claims Provider and the SP as the Relying Party. The IDP is where the user authenticates; it contains identity information about the user and what applications the user is allowed to access. The SP is the application (your Web2Py app) that wants to use the IDP for sign-on services. When the user lands on the SP and is not authenticated, the user is redirected to the IDP. The IDP presents the user with a login form, which means the user is authenticating into the IDP, not directly into your application. On submission of credentials, the IDP completes the sign-on process and redirects the authenticated and authorized user back to the SP (your application). When redirecting the user back to the SP, the post back includes whatever identity information the IDP is authorized to release to the SP, such as first and last name, email, organization... This is different from CAS or AD, which return only a login name or unique identifier. The IDP can release any information it has about the user, which means your app gains access to both authentication and identity management services.
While there are a number of Python-based SAML2 implementations, including a five-year-old web2py version, they get fairly deep into details that can be entirely avoided with what I am about to share. Shibboleth is a SAML2 implementation you can use to make your Web2Py app SAML2-ready immediately. Shibboleth is used mostly in higher education and includes both IDP and SP software installations. Both are open source downloads that you can install on a web server (Unix and IIS), but we're only interested in the service provider installation. The service provider, when installed on your server, can protect a folder, including a web2py application/controller/function folder. By protecting the folder your web2py app is running against, you instantly gain SAML2 capability and out-of-the-box support for any SAML2 IDP. This is because all of the identity attributes are now available as name/value pairs in the headers (the web2py request.env object) once the user is authenticated.

To show how easy this is, let's say the folder we want the Shibboleth service provider to protect is welcome\secure, where secure is your controller in the welcome app using a default function. When the user lands on that folder, the Shibboleth SP kicks in and redirects the user to the IDP. Your web2py app will not even respond until Shibboleth has authenticated you. The user logs on at the IDP, the IDP determines the user is authenticated and then redirects back to the protected folder. Since Shibboleth has determined you are now authorized to use the folder, your web2py app fires and all of the identity attributes are now available to your web2py application in the request.env object to use as you need. Here is a set of headers from a Shibboleth authentication... This represents what the IDP is releasing back to the SP and, in turn, the header variables available to your web2py app.
http_cn : Joe Shmoe
http_officialemail : [email protected]
http_uclalabasuuid : 202e96f3-919f-479e-80e1-9a03f2416b9d
http_uid : f0007939

For your web2py app to use this data, it's simple variable assignments...

    # Load the Shibboleth attributes the SP passed through as headers
    from gluon.storage import Storage  # already a global in web2py controllers
    data = request.env
    ucla = Storage()
    ucla.university_id = data['http_uid']
    ucla.email = data['http_officialemail']
    ...
    # Onward...

Which identity attributes (header variables) are returned is a function of the Shibboleth SP configuration with whatever IDP you are using and what your app needs. Shibboleth handles producing the metadata the IDP needs and the login and logout services, offers comprehensive logging and has an active community. To make your app SAML2-ready, you register the path in the Shibboleth configuration file. You can get started with this approach at www.testshib.org.

Pay it forward!

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
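Added example (editor's code, not part of the post above or of Shibboleth/web2py): a small helper that does the "simple variable assignments" step defensively. It takes a request.env-like mapping, refuses to proceed unless the SP actually established a session and the asserting IdP is one you trust, requires the attributes your app cannot work without, splits multi-valued attributes, and builds the row you would put into db.auth_user. Assumptions, labelled in the code: the attribute names are the ones the post shows, plus the standard Shibboleth SP variables Shib-Session-ID and Shib-Identity-Provider (which arrive in request.env as http_shib_session_id and http_shib_identity_provider when passed as headers), one hypothetical multi-valued attribute http_affiliation, a hypothetical IdP entityID, and the SP's default ';' delimiter for multi-valued attributes. Your attribute-map.xml decides the real names.

```python
# Added example: load and validate Shibboleth SP attributes from request.env.
# Not from the original post; env key names below are assumptions (see lead-in).

# Hypothetical IdP entityID that this SP is registered with.
ALLOWED_IDPS = {'https://idp.example.edu/idp/shibboleth'}

# request.env key -> (name in our app, required?)
ATTRIBUTE_MAP = {
    'http_uid': ('university_id', True),
    'http_officialemail': ('email', True),
    'http_cn': ('full_name', False),
    'http_uclalabasuuid': ('uuid', False),
    'http_affiliation': ('affiliations', False),  # hypothetical, multi-valued
}
MULTI_VALUED = {'affiliations'}  # Shibboleth SP joins multiple values with ';'


class ShibError(Exception):
    """Raised when the request does not carry a usable Shibboleth identity."""


def load_shib_identity(env, attribute_map=ATTRIBUTE_MAP, allowed_idps=ALLOWED_IDPS):
    """Return a dict of identity attributes taken from a request.env-like mapping.

    Fails closed: raises ShibError if there is no SP session (the path is not
    actually protected), the asserting IdP is not trusted, or a required
    attribute is missing or empty.
    """
    if not env.get('http_shib_session_id'):
        raise ShibError('no Shibboleth session: is this path SP-protected?')
    idp = env.get('http_shib_identity_provider', '')
    if idp not in allowed_idps:
        raise ShibError('untrusted IdP: %r' % idp)

    identity, missing = {}, []
    for env_key, (name, required) in attribute_map.items():
        raw = env.get(env_key)
        if raw is None or not raw.strip():
            if required:
                missing.append(env_key)
            continue
        if name in MULTI_VALUED:
            identity[name] = [v.strip() for v in raw.split(';') if v.strip()]
        else:
            identity[name] = raw.strip()
    if missing:
        raise ShibError('required attribute(s) missing: %s' % ', '.join(sorted(missing)))
    return identity


def identity_to_auth_user(identity):
    """Build the row you would insert into or update in db.auth_user."""
    first, _, last = identity.get('full_name', '').rpartition(' ')
    return {
        'username': identity['university_id'],
        'email': identity['email'],
        'first_name': first,
        'last_name': last,
    }


# Constructed sample of what the SP hands to a protected web2py path
# (values modelled on the post's header dump; the email is made up).
SAMPLE_ENV = {
    'http_shib_session_id': '_a1b2c3d4',
    'http_shib_identity_provider': 'https://idp.example.edu/idp/shibboleth',
    'http_cn': 'Joe Shmoe',
    'http_officialemail': 'joe.shmoe@example.edu',
    'http_uclalabasuuid': '202e96f3-919f-479e-80e1-9a03f2416b9d',
    'http_uid': 'f0007939',
    'http_affiliation': 'member;staff;',
}

if __name__ == '__main__':
    ident = load_shib_identity(SAMPLE_ENV)
    print(ident)
    print(identity_to_auth_user(ident))
```

In a controller you would call load_shib_identity(request.env) instead of using SAMPLE_ENV, then look the row up with db.auth_user(username=row['username']), insert it if absent, and hand the record to auth.login_user(); a ShibError means the request did not come through the SP as expected, so return an error rather than falling back to the raw headers.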

