SAML Authentication

The saml_auth plugin allows users to authenticate with your SAML provider of choice.

To enable SAML authentication you must:

  • Add saml_auth to the PLUGINS_ENABLED list in askci/settings/config.py
  • Add some configuration details to askci/settings/config.py
  • Configure the details of your SAML provider in askci/settings/secrets.py per the instructions provided here.
  • Build the docker image with the build argument ENABLE_SAML set to true:
$ docker build --build-arg ENABLE_SAML=true -t quay.io/vsoch/askci .

If you haven’t yet created a secrets.py, a good start is to do the following:

cp askci/settings/dummy_secrets.py askci/settings/secrets.py

Quick Start

This quick start is intended to demonstrate basic functionality of the SAML authentication.

Edit Config.py

In the file askci/settings/config.py you should add the name of your institution (used to render the button) along with the idp (the unique identifier for your SAML server request). That means uncommenting these lines.

# AUTH_SAML_IDP = "stanford"
# AUTH_SAML_INSTITUTION = "Stanford University"

so they appear like:

AUTH_SAML_IDP = "stanford"
AUTH_SAML_INSTITUTION = "Stanford University"

Setting up SAML Auth

In secrets.py you will need to define the variables specified here, and that includes generating your certificate, which looks something like:

# generate a self-signed certificate and private key for the service provider (valid 3652 days)
openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.key
# display the private key contents
cat saml.key
# move the certificate and key to the system certificate directories
mv saml.crt /etc/ssl/certs
mv saml.key /etc/ssl/private

and then generate the metadata.xml by going to http://localhost/saml.xml. Institutions usually have different portals for submitting metadata and getting information about SAML; for Stanford the information is available via the SAML SP Service Provider Database.
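A pre-flight check for the steps above, added here as an example and not part of askci: it verifies that the plugin is enabled, that the two config.py settings are uncommented, and that the certificate and key exist, and it also flags a private key readable by other users. The dict-based settings, the check function and the constructed PEM contents are assumptions of this example.

```python
"""Pre-flight check for the saml_auth setup described above (added example)."""
import os
import stat
import tempfile

# Setting names come from the page; the check itself is an assumption.
REQUIRED = ("AUTH_SAML_IDP", "AUTH_SAML_INSTITUTION")


def check_saml_settings(settings, cert_path, key_path):
    """Return a list of problems; an empty list means the config is ready."""
    problems = []
    if "saml_auth" not in settings.get("PLUGINS_ENABLED", []):
        problems.append("saml_auth is not in PLUGINS_ENABLED")
    for name in REQUIRED:
        if not settings.get(name):
            problems.append(f"{name} is missing or still commented out")
    if not os.path.isfile(cert_path):
        problems.append(f"certificate not found: {cert_path}")
    if not os.path.isfile(key_path):
        problems.append(f"private key not found: {key_path}")
    else:
        # The key signs SP requests: nobody but the owner should read it.
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key_path} is readable by group/others (mode {mode:o})")
        with open(key_path, "rb") as fh:
            if b"PRIVATE KEY-----" not in fh.read(200):
                problems.append(f"{key_path} does not look like a PEM private key")
    return problems


def demo():
    """Constructed files: a correctly protected key and a world-readable one."""
    workdir = tempfile.mkdtemp()
    cert = os.path.join(workdir, "saml.crt")
    good_key = os.path.join(workdir, "saml.key")
    bad_key = os.path.join(workdir, "leaky.key")
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
    for path in (good_key, bad_key):
        with open(path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
    os.chmod(good_key, 0o600)
    os.chmod(bad_key, 0o644)
    settings = {"PLUGINS_ENABLED": ["saml_auth"], "AUTH_SAML_IDP": "stanford",
                "AUTH_SAML_INSTITUTION": "Stanford University"}
    return check_saml_settings(settings, cert, good_key), check_saml_settings(settings, cert, bad_key)


if __name__ == "__main__":
    print(demo())
```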