SAML2 Authentication extension
The following packages are required: memcached, repoze, m2crypto, xmlsec1, xmlsec1-openssl, swig
- To install this extension, run the following commands (switch to the CKAN python environment first):

```sh
pip install -r requirements.txt && python setup.py develop
```

- Append `saml2` to the `ckan.plugins` list in your CKAN configuration file (i.e. `/etc/ckan/production.ini`).
- Make sure that user fields are mapped correctly in `production.ini`. Each line of `saml2.user_mapping` is `<CKAN user field>~<SAML attribute>`, i.e.:

```ini
# saml2 config
saml2.user_mapping =
    email~mail
    fullname~field_display_name
    id~uid
    name~name
```
- There are two ways to map organisational SAML attributes:

```ini
# 1. A custom function that takes a single argument `saml_info`, a dict
#    containing the SAML attributes, and returns a dict like the example
#    below. This is useful when users may have roles in multiple
#    organisations. Default: not set (None)
#
# {
#     'org1': {
#         'capacity': 'member',
#         'data': {
#             'id': 'org1',
#             'description': 'A fun organization',
#             ...
#         },
#     },
#     ...
# }
saml2.organization_mapper = ckanext.myckan.plugin:mapping_function

# 2. A simple mapping from individual SAML attributes to organisation
#    schema fields, one `<CKAN field>~<SAML attribute>` pair per line
#    (the `extras:` prefix denotes a field in the organisation's extras).
#    Note: `saml2.organization_mapping` must be present; leave its value
#    empty if it should not be used.
saml2.organization_mapping =
    name~field_unique_id
    title~field_organization
    field_type_of_user~field_role
    extras:organization_type~field_organization_type
```
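
As an added example (not code from ckanext-saml2 or from any real deployment), here is a mapper of the shape option 1 expects: a callable that receives the `saml_info` dict and returns the `{org: {'capacity': ..., 'data': {...}}}` structure shown above, wired up with `saml2.organization_mapper = <module>:mapping_function`. The attribute name `ckanOrgRole` and its `org:<name>:<capacity>` value layout are assumptions chosen for illustration, as is the pysaml2 convention of delivering attribute values as lists; the capacity names `member`, `editor` and `admin` are CKAN's own. It handles the multi-organisation case the comment mentions and refuses roles and organisation names it does not recognise, so a misconfigured or over-generous IdP cannot mint unexpected admin rights.

```python
# Added example, not part of ckanext-saml2.  The `ckanOrgRole` attribute and
# its "org:<name>:<capacity>" layout are assumptions; pysaml2 normally hands
# attribute values over as lists, which is assumed too (a bare str is tolerated).
import re

CAPACITIES = ("member", "editor", "admin")        # CKAN organisation roles, lowest first
ORG_NAME_RE = re.compile(r"^[a-z0-9_-]{2,100}$")   # roughly CKAN's name validator


def _values(saml_info, attr):
    """Return the attribute's values as a list (pysaml2 gives lists; tolerate a str)."""
    value = saml_info.get(attr) or []
    return [value] if isinstance(value, str) else list(value)


def mapping_function(saml_info):
    """Map SAML entitlements to CKAN organisations and capacities.

    Covers a user with roles in several organisations and refuses two things a
    mapper should never pass through: capacities CKAN does not know (nothing is
    silently promoted to 'admin') and organisation names that would fail CKAN's
    validation.  If the IdP asserts the same organisation twice, the higher
    capacity wins.
    """
    rank = {cap: i for i, cap in enumerate(CAPACITIES)}
    orgs = {}
    for raw in _values(saml_info, "ckanOrgRole"):
        parts = raw.strip().split(":")
        if len(parts) != 3 or parts[0] != "org":
            continue                                   # unrelated entitlement, ignore
        _, name, capacity = (p.lower() for p in parts)
        if capacity not in rank or not ORG_NAME_RE.match(name):
            continue                                   # unknown role or invalid org name
        if name in orgs and rank[orgs[name]["capacity"]] >= rank[capacity]:
            continue                                   # already hold an equal or higher role
        orgs[name] = {
            "capacity": capacity,
            "data": {                                  # used if the org has to be created
                "id": name,
                "name": name,
                "title": name.replace("-", " ").replace("_", " ").title(),
                "description": "Organisation asserted by the identity provider",
            },
        }
    return orgs
```

Any organisation returned here that does not yet exist in CKAN is only created when `saml2.create_missing_orgs` is enabled, so the `data` dict should carry whatever fields your organisation schema requires.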
- By default, the SP does not create organisations named in the SAML attributes, but this can be configured. Because the organisation names and roles then come straight from the IdP's attributes, enable it only when you trust the IdP to assert them:

```ini
# create organisations specified in SAML attributes that don't exist in CKAN? Default: False
saml2.create_missing_orgs = True
```
- The SP initiates SLO on CKAN logout by default. To make this explicit you can add the `saml2.sp_initiates_slo` directive to the CKAN configuration file. The values `true`, `yes`, `on`, `y`, `t` and `1` are treated as true. To disable SP-initiated SLO and only log out from CKAN (the IdP session then stays alive, so the next visit signs the user straight back in), set this directive to `false`, `no`, `off`, `n`, `f` or `0`:

```ini
saml2.sp_initiates_slo = true
```
- Modify `ckanext/saml2/config/sp_config.py` to suit your needs. The `BASE` variable at the top needs to reference the domain of the service provider (i.e. change it to http://catalog.data.gov or wherever CKAN is currently hosted); the SP endpoints the IdP will send assertions to are derived from it, so use the public https address in production.
- Place your identity provider's `idp.xml` metadata here: `ckanext/saml2/config/`
- The certificates need to be placed in this directory: `ckanext/saml2/config/pki` (they need to be named `mycert.pem` and `mykey.pem`; `mykey.pem` is the SP's private key and should be readable only by the web server user)
- Generate the SP metadata (`sp.xml`):

```sh
/usr/lib/ckan/bin/python /usr/lib/ckan/src/pysaml2/tools/make_metadata.py /usr/lib/ckan/src/ckanext-saml2/ckanext/saml2/config/sp_config.py > sp.xml
```

  (the paths to `python`, `make_metadata.py` and `sp_config.py` might vary depending on where you installed CKAN in your virtual env)
- Copy `ckanext/saml2/config/who.ini` to your CKAN config folder, i.e. `/etc/ckan/who.ini`
- Make sure that your web server can write to `/var/www/sp.log`
- Add `saml2.default_org` and `saml2.default_role`; their values will be assigned to newly created users as the organisation and the role within that organisation respectively.
- To enable native login and registration as the default option, add the `saml2.enable_native_login = true|false` directive to the config file. `saml2.login_form_sso_text = BUTTON_TEXT` allows you to control the label of the SSO button on the login page (default: 'Login with SSO').
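
The steps above are easy to get subtly wrong: the SP's own metadata copied in as `idp.xml`, a key file left world-readable, `BASE` still pointing at a local http address. As an added example that is not part of ckanext-saml2 or pysaml2, the following pre-flight script checks the config directory before `make_metadata.py` is run. File names follow the README; the function names, the https-only rule, and the constructed sample files written by `make_sample_config_dir()` (placeholder PEM bodies, not real keys) are this example's own.

```python
# Added example, not part of ckanext-saml2 or pysaml2.  Checks the files the
# setup steps put under ckanext/saml2/config/: idp.xml, pki/mycert.pem,
# pki/mykey.pem and BASE in sp_config.py.  The https-only rule is this
# example's policy; make_sample_config_dir() writes constructed sample files.
import ast
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace


def check_idp_metadata(path):
    """Return (entityID, [SingleSignOnService URLs]) from idp.xml or raise ValueError.
    xml.etree does not resolve external entities, so a hostile file cannot make
    this check read local files or reach the network."""
    root = ET.parse(path).getroot()
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root is %r, expected md:EntityDescriptor" % root.tag)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:  # common mistake: the SP's own sp.xml was copied here
        raise ValueError("no IDPSSODescriptor, this is not IdP metadata")
    urls = [e.get("Location", "") for e in idp.findall(MD + "SingleSignOnService")]
    if not urls:
        raise ValueError("IdP advertises no SingleSignOnService endpoint")
    plain = [u for u in urls if not u.startswith("https://")]
    if plain:  # the AuthnRequest and the user's IdP session would travel in clear
        raise ValueError("non-https SSO endpoint(s): " + ", ".join(plain))
    return root.get("entityID"), urls


def check_pki(pki_dir):
    """Return a list of problems with pki/mycert.pem and pki/mykey.pem (empty = OK)."""
    problems = []
    cert = os.path.join(pki_dir, "mycert.pem")
    key = os.path.join(pki_dir, "mykey.pem")
    for path, marker in ((cert, "CERTIFICATE-----"), (key, "PRIVATE KEY-----")):
        if not os.path.isfile(path):
            problems.append(path + " is missing")
            continue
        with open(path) as fh:
            first = fh.readline().strip()
        if not (first.startswith("-----BEGIN ") and first.endswith(marker)):
            problems.append(path + " is not a PEM " + marker.strip("-") + " file")
    # The key signs requests and decrypts assertions: only the web server user may read it.
    if os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append(key + " is readable by group/others; chmod 600 it")
    return problems


def check_base(sp_config_path):
    """Return BASE from sp_config.py after validating it (parsed with ast, never imported)."""
    with open(sp_config_path) as fh:
        tree = ast.parse(fh.read(), sp_config_path)
    base = None
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "BASE" for t in node.targets):
            base = getattr(node.value, "value", getattr(node.value, "s", None))
    if not isinstance(base, str):
        raise ValueError("BASE is not assigned a string literal")
    # Endpoint paths are appended to BASE and the IdP posts assertions there:
    # it must be the public https address, without a trailing '/'.
    if not base.startswith("https://") or base.endswith("/"):
        raise ValueError("BASE must be an absolute https URL with no trailing '/', got %r" % base)
    return base


def preflight(config_dir):
    """Run every check; an empty 'problems' list means make_metadata.py can run."""
    findings = {"problems": check_pki(os.path.join(config_dir, "pki"))}
    try:
        findings["entity_id"], findings["sso"] = check_idp_metadata(os.path.join(config_dir, "idp.xml"))
    except (ValueError, OSError, ET.ParseError) as exc:
        findings["problems"].append("idp.xml: %s" % exc)
    try:
        findings["base"] = check_base(os.path.join(config_dir, "sp_config.py"))
    except (ValueError, OSError, SyntaxError) as exc:
        findings["problems"].append("sp_config.py: %s" % exc)
    return findings


# Constructed sample IdP metadata (not a real IdP) so the checks can run offline.
SAMPLE_IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def make_sample_config_dir(base="https://catalog.example.org", key_mode=0o600):
    """Write a throwaway config dir with constructed files (placeholder PEM bodies)."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "pki"))
    files = {
        "idp.xml": SAMPLE_IDP_XML,
        "sp_config.py": "BASE = %r\nCONFIG = {'entityid': BASE + '/saml2/metadata'}\n" % base,
        "pki/mycert.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "pki/mykey.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(d, "pki", "mykey.pem"), key_mode)
    return d
```

Run it against the real directory, for example `preflight('/usr/lib/ckan/src/ckanext-saml2/ckanext/saml2/config')`, as the web server user, since the permission check is evaluated for whoever runs it; the sample directory with `base="http://catalog.data.gov"` and `key_mode=0o644` reproduces the two most common findings.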