SSO integration in Django Application with SAML method #411

Open
Rajendra-dev-code opened this issue Feb 25, 2025 · 0 comments

Comments

@Rajendra-dev-code

I have set up a Django application with SSO via SAML with Azure AD on my Windows PC.
But when trying to access the URL saml2/login/ in the browser, I get the issue below:

System check identified no issues (0 silenced).
February 25, 2025 - 13:28:59
Django version 5.1.6, using settings 'myproject.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CTRL-BREAK.

[25/Feb/2025 13:29:01] "GET /saml2/login/ HTTP/1.1" 200 1261
check_sig: [WinError 5] Access is denied
EXCEPTION: [WinError 5] Access is denied
Traceback (most recent call last):
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\response.py", line 360, in _loads
self.response = self.signature_check(
^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 1667, in correctly_signed_response
self._check_signature(decoded_xml, response, class_name(response), origdoc)
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 1507, in _check_signature
if self.verify_signature(
^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 1357, in verify_signature
return self.crypto.validate_signature(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 840, in validate_signature
(_stdout, stderr, _output) = self._run_xmlsec(com_list, [tmp.name])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 856, in _run_xmlsec
if self.version_nums >= (1, 3):
^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 610, in version_nums
vns = tuple(int(t) for t in self.version.split("."))
^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\saml2\sigver.py", line 656, in version
pof = Popen(com_list, stderr=PIPE, stdout=PIPE)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\subprocess.py", line 1026, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "C:\Users\rajendra.y\scoop\apps\python\current\Lib\subprocess.py", line 1538, in _execute_child
hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [WinError 5] Access is denied
XML parse error: [WinError 5] Access is denied
Forbidden: /saml2/acs/

and below is the SAML_CONFIG in settings.py

SAML_CONFIG = {

    # djangosaml2 reads the attribute mapping from the Django setting
    # SAML_ATTRIBUTE_MAPPING, not from a key inside SAML_CONFIG.
    'attribute_mapping': {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ("first_name",),
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": ("last_name",),
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ("email",),
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ("username",),
    },

    # Not a pysaml2 key. Whether signatures are required is decided by the
    # want_* flags under service.sp below.
    'SAML_VALIDATE_SIGNATURE': False,

    # pysaml2 does NOT use the python-xmlsec bindings here: it spawns this path as
    # a subprocess ("<xmlsec_binary> --version", then the actual verify call; see
    # the Popen/CreateProcess frames in the traceback). It must therefore be the
    # xmlsec1 executable (xmlsec1.exe on Windows). The value below is a package
    # directory, which cannot be executed; that matches the WinError 5 above.
    # Path left as posted.
    'xmlsec_binary':  r"C:\Users\rajendra.y\scoop\apps\python\current\Lib\site-packages\xmlsec",

    # Entity ID (SP Metadata URL)
    'entityid': 'http://localhost:8000/saml2/metadata/',

    # Metadata Configuration (remote IdP metadata)
    'metadata': {
        #'local': [os.path.join(BASE_DIR, 'remote_metadata.xml')],  # SP Metadata file
        'remote': [
            {
                'url': 'https://login.microsoftonline.com/1c774691-8804-46e3-b382-0763151699e0/federationmetadata/2007-06/federationmetadata.xml?appid=55700b85-4678-47e5-b55b-c8ce799dcd3d',
                # pysaml2 spells this key 'cert' (not 'certs'); it is the certificate
                # used to verify the signature on the downloaded metadata document.
                'cert': r"C:\Learning\Django\saml2\Test\djangotutorial\myproject\certs\AzureAD.pem",
            }
        ],  # Azure AD IdP Metadata URL
    },

    # Service Provider (SP) Settings.
    # A Python dict literal keeps only the LAST value for a repeated key. The
    # posted config had a second 'service': {'idp': ...} block further down,
    # which silently replaced this entire 'sp' section, so the SP was never
    # configured. There must be exactly one 'service' key. The Azure AD entity
    # ID, single-sign-on URL and signing certificate all come from the remote
    # federation metadata above; in pysaml2, 'service': {'idp': ...} would
    # configure THIS application as an identity provider, not describe the
    # remote one, and 'x509cert' is not a pysaml2 key at all.
    'service': {
        'sp': {
            #'authn_requests_signed': False,  # No signing required for AuthnRequest
            # With both of these False, the only remaining requirement is
            # want_assertions_or_response_signed: at least one of the Response or
            # the Assertion must carry a valid signature.
            'want_assertions_signed': False,  # Do not require signed assertions
            'want_response_signed': False,  # Do not require signed SAML Response
            "want_assertions_or_response_signed": True,
            'allow_unsolicited': True,  # Accept Responses with no matching AuthnRequest (IdP-initiated login)
            'name_id_format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            #'private_key': os.path.join(BASE_DIR,'private.key'),
            #'certificate': os.path.join(BASE_DIR,'private.key'),

            'endpoints': {
                'assertion_consumer_service': [
                    ('http://localhost:8000/saml2/acs/', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'),
                ],
                'single_logout_service': [
                    ('http://localhost:8000/saml2/ls/', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
                ],
            },

            'required_attributes': ['emailAddress'],
        },
    },

    # 'security' is a python3-saml (OneLogin) setting, not a pysaml2 one; pysaml2
    # takes the algorithms as the top-level keys 'signing_algorithm' and
    # 'digest_algorithm'. Left as posted.
    'security': {
        'signMetadata': False,  # Do not sign SP metadata
        #'digest_algorithm': 'http://www.w3.org/2001/04/xmlenc#sha256',
        'signature_algorithm': 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    },

    # Debugging Mode
    'debug': True,

    # Not a pysaml2 key (djangosaml2 user lookup is configured in Django settings).
    "user_mapping": {"username": "email"},

    # No Signing Keys. Without a private key the SP can neither sign
    # AuthnRequests nor decrypt encrypted assertions.
    'key_file': '',  # No private key needed
    'cert_file': "",  # No public certificate needed

}

Can anyone please guide me here? Thanks.
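The posted settings contain two problems that are easy to miss by eye: the `'service'` key appears twice (a Python dict literal keeps only the last one, so the `sp` section is discarded), and `xmlsec_binary` points at a package directory although pysaml2 spawns that path as a subprocess. The following is an added example, not code from the issue or from pysaml2/djangosaml2: a small linter that parses a settings file with `ast` (without importing it), reports repeated keys, checks that `xmlsec_binary` is something that can actually be executed, and flags an SP section that accepts unsigned or unsolicited Responses. `POSTED_SETTINGS` and `FIXED_SETTINGS` are constructed samples that mirror the shape of the posted config; the paths and tenant placeholder in them are assumptions.

```python
import ast
import os
import shutil
import subprocess
from typing import Dict, List

# Constructed sample (not the poster's file): the shape of the posted SAML_CONFIG
# reduced to the two defects that matter plus the weakened signature flags.
POSTED_SETTINGS = r'''
SAML_CONFIG = {
    "xmlsec_binary": r"C:\Users\me\site-packages\xmlsec",
    "entityid": "http://localhost:8000/saml2/metadata/",
    "service": {"sp": {
        "want_assertions_signed": False,
        "want_response_signed": False,
        "want_assertions_or_response_signed": True,
        "allow_unsolicited": True,
    }},
    "service": {"idp": {"entity_id": "https://sts.windows.net/TENANT/"}},
    "key_file": "",
    "cert_file": "",
}
'''

# Same shape with one 'service' key, both signature requirements on, and the
# binary resolved from PATH (constructed as well).
FIXED_SETTINGS = r'''
SAML_CONFIG = {
    "xmlsec_binary": "",
    "entityid": "http://localhost:8000/saml2/metadata/",
    "service": {"sp": {
        "want_assertions_signed": True,
        "want_response_signed": True,
        "allow_unsolicited": False,
    }},
}
'''


def find_config_dict(source: str, name: str = "SAML_CONFIG") -> ast.Dict:
    """Locate the `NAME = {...}` literal in settings source without executing it."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Dict):
            if any(isinstance(t, ast.Name) and t.id == name for t in node.targets):
                return node.value
    raise ValueError(f"{name} dict literal not found")


def duplicate_keys(node: ast.Dict, path: str = "SAML_CONFIG") -> List[str]:
    """Dotted paths of keys repeated in a dict literal; Python keeps only the last one."""
    seen, dupes = set(), []
    for key, value in zip(node.keys, node.values):
        if not isinstance(key, ast.Constant):
            continue  # computed key, cannot be checked statically
        dotted = f"{path}.{key.value}"
        if key.value in seen:
            dupes.append(dotted)
        seen.add(key.value)
        if isinstance(value, ast.Dict):
            dupes.extend(duplicate_keys(value, dotted))
    return dupes


def check_xmlsec_binary(path: str) -> List[str]:
    """pysaml2 spawns this path with --version before any signature check,
    so it must be an executable file, not the python-xmlsec package directory."""
    if not path:
        return [] if shutil.which("xmlsec1") else ["xmlsec_binary unset and xmlsec1 not on PATH"]
    if os.path.isdir(path):
        return [f"xmlsec_binary is a directory, not an executable: {path}"]
    if not os.path.isfile(path):
        return [f"xmlsec_binary does not exist: {path}"]
    if not os.access(path, os.X_OK):
        return [f"xmlsec_binary is not executable: {path}"]
    try:
        subprocess.run([path, "--version"], capture_output=True, timeout=10, check=False)
    except OSError as exc:  # on Windows a refused CreateProcess surfaces here as WinError 5
        return [f"cannot spawn {path} --version: {exc}"]
    return []


def signature_policy_warnings(cfg: dict) -> List[str]:
    """Flag an SP section that trusts unsigned or unsolicited SAML Responses."""
    sp = cfg.get("service", {}).get("sp")
    if sp is None:
        return ["service.sp is missing: the SP is not configured (a repeated 'service' key overwrites it)"]
    warnings = []
    if not sp.get("want_assertions_signed") and not sp.get("want_response_signed"):
        if sp.get("want_assertions_or_response_signed"):
            warnings.append("only want_assertions_or_response_signed is enforced")
        else:
            warnings.append("no signature required: any document POSTed to the ACS is trusted")
    if sp.get("allow_unsolicited"):
        warnings.append("allow_unsolicited=True accepts Responses that match no AuthnRequest")
    return warnings


def lint_settings(source: str) -> Dict[str, List[str]]:
    node = find_config_dict(source)
    cfg = ast.literal_eval(node)  # same last-key-wins result Django gets when importing settings.py
    return {
        "duplicate_keys": duplicate_keys(node),
        "xmlsec_binary": check_xmlsec_binary(cfg.get("xmlsec_binary", "")),
        "signing": signature_policy_warnings(cfg),
    }


if __name__ == "__main__":
    for label, src in (("posted", POSTED_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(label, lint_settings(src))
```

Run it against a real `settings.py` by passing `open("settings.py").read()` to `lint_settings`. On the posted shape it reports `SAML_CONFIG.service` as a duplicate and `service.sp` as missing, which is why even a correct `xmlsec_binary` would not have produced a working SP; the `--version` probe is the same first call pysaml2 makes, so a directory or a non-executable file fails here before any SAML traffic is involved. Disabling signature checks to get past the error is not a fix: with neither `want_response_signed` nor `want_assertions_signed` set, the ACS endpoint would accept any document that carries a signature on either element, and with `allow_unsolicited` it need not match a request this SP ever issued.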
