Skip to content
DJ Sam. Spinning all your favorite SAML hits.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
project
vendor
Makefile
README.rst
manage.py
requirements.txt

README.rst

DJ Sam

Spinning all your favorite SAML hits on Django.

RHEL 7 on AWS

RHEL 7

sudo yum groupinstall "Development Tools" -y

# Basics
sudo yum install httpd mod_wsgi python2-pip python-virtualenv libjpeg-devel screen swig libffi-devel openssl-devel psmisc -y

# Certbot requires epel repo & zope interface RPM from vendor/
sudo rpm -Uvh vendor/epel-release-latest-7.noarch.rpm
sudo rpm -Uvh vendor/python-zope-interface-4.0.5-4.el7.x86_64.rpm
sudo yum install python2-certbot-apache certbot -y

# xmlsec requires RPMs from vendor/
sudo yum install libtool-ltdl-devel libxml2-devel libxslt-devel -y
sudo rpm -Uvh vendor/xmlsec1-1.2.20-5.el7.x86_64.rpm vendor/xmlsec1-devel-1.2.20-5.el7.x86_64.rpm vendor/xmlsec1-openssl-1.2.20-5.el7.x86_64.rpm vendor/xmlsec1-openssl-devel-1.2.20-5.el7.x86_64.rpm

selinux

[ec2-user@ip-172-30-2-147 ~]$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Apache

ssl.conf

…

WSGIScriptAlias / /srv/dj-sam/project/wsgi.py
<Directory /srv/dj-sam/project>
        <Files wsgi.py>
                Require all granted
        </Files>
</Directory>
</VirtualHost>

WSGIPythonHome /srv/dj-sam
WSGIPythonPath /srv/dj-sam

SAML response examples

OneLogin SAMLResponse

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="R7160360b378fef81d99fa54c6e0a4aa5c9c1a015"
                Version="2.0"
                IssueInstant="2017-05-16T23:34:33Z"
                Destination="{recipient}"
                >
    <saml:Issuer>https://app.onelogin.com/saml/metadata/658891</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    Version="2.0"
                    ID="pfx89aab9e8-af3e-ace9-97b6-c1086f076d7a"
                    IssueInstant="2017-05-16T23:34:33Z"
                    >
        <saml:Issuer>https://app.onelogin.com/saml/metadata/658891</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">aclark@aclark.net</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2017-05-16T23:37:33Z"
                                              Recipient="{recipient}"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2017-05-16T23:31:33Z"
                         NotOnOrAfter="2017-05-16T23:37:33Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience/>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2017-05-16T23:34:32Z"
                             SessionNotOnOrAfter="2017-05-17T23:34:33Z"
                             SessionIndex="_b49f0e60-1cbb-0135-39ae-06cb00433bb7"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

dj-saml-idp SAMLResponse

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_491b1d10265e4299939a48ff2c7235d0"
                Version="2.0"
                IssueInstant="2017-05-17T02:37:33Z"
                Destination="https://aclark.myabsorb.com/account/saml"
                >
    <saml:Issuer>https://dj-saml-idp.aclark.net</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    Version="2.0"
                    ID="_6e4052395852402cb48ff74fd6c1cde0"
                    IssueInstant="2017-05-17T02:37:33Z"
                    >
        <saml:Issuer>https://dj-saml-idp.aclark.net</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_6e4052395852402cb48ff74fd6c1cde0">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>zEWYGgLKLMLQ0LFGYJNDXBrVarM=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>P/UlY4rY7lctWWUS3LkRxDFCM3UcynowYXQn6WWIzODXA7sCe/9lXevY9mTEqQvdz7V2g84wBtNUho2MNBXUiAEma5qx3xZl2RVbRTdpJJO85oNsFIpxPBmY4PK1ObkH175sTdpYjZKhueln8cyGdKAUTNkbY1v/Zb5Cm5sZhmWD4mZkO3CI1DPx2L0coojxtmUMM6egor/op0LxE3vfMPQFWClAMmWh1daQ+V+JNk705G/4Y3JpP+/SDCEAMOojZeBhIc+QP46A2x91jC3JF8hLrOaO7CPIgL7OtgleG3XRvwlx/hxHUpOMFQXsVg2/7S+C8LR5DIsb1mtqeEmTugg=</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDZTCCAkygAwIBAgIBADANBgkqhkiG9w0BAQ0FADBMMQswCQYDVQQGEwJ1czELMAkGA1UECAwCTUQxDzANBgNVBAoMBkFDTEFSSzEfMB0GA1UEAwwWZGotc2FtbC1pZHAuYWNsYXJrLm5ldDAeFw0xNzA1MTcwMDM4MzJaFw0xODA1MTcwMDM4MzJaMEwxCzAJBgNVBAYTAnVzMQswCQYDVQQIDAJNRDEPMA0GA1UECgwGQUNMQVJLMR8wHQYDVQQDDBZkai1zYW1sLWlkcC5hY2xhcmsubmV0MIIBIzANBgkqhkiG9w0BAQEFAAOCARAAMIIBCwKCAQIAykosgghQluMK9lIsnCfALlzqSTQUD/vqi+G+jllWdJrIiVFSA6qYHJaFJ3smQCpHDO8d8TMJMtEZQR/Jg6ETf+mumigoOVYkKDfSNKxwWSmH9JJXBXeM7vTXhzM0O7pqUoyRUvp8xnn1Jv0CERiRoA5EPCaFrXO670CViu/NLPzJA2epPS++OqbDzn+XZqSxCKAWwgj3IX4ash6Jsrk/Xgf4bVBSgVnZRZ9XTgMVnxu7B10jeTPoOwoshgCzEEZF+2m6GFmV/ACe8nCpv47rv8053lNeTDiDGHMBpoA0aICbvge3OLCsXnQqPY6z7KeST1tCD0H+VJyBce0FBIo3rYECAwEAAaNQME4wHQYDVR0OBBYEFEhUGuuba4Sbln4dijEB9nGKqsBIMB8GA1UdIwQYMBaAFEhUGuuba4Sbln4dijEB9nGKqsBIMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQENBQADggECAFOa3vVl8GGxIZU0G8Ld9VPl9R7CRANLceNhg1p+IFcOn7lB6Iqy1T8g7Z1ic0+X/SSN3uwOWxTM/Yp4oZQ1eCtGRvmPBx9G+AhOoftaQxDzX/Ug5AOWcbawDffabVhPaPf7vrkNHWirToZ5cArOXZgoYnOm0tfq8W/T+ay+yuN3kgnAAFNsyiK6IE/4VbNlQReCQCnIapOyDlxc6tDBL4t37xCDlup4+aO6LnG1tDMnOVxj+0vQMWbaQ3k78YFEmH3fOZFyDpra42aVWYx0fbFjz+LoOElMrXTwmR6VUcJZdGnXvMwsKsxa+s5ct7Uc1wKD+Wcf1bEC1ueu9RmOqHMS</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">aclark@aclark.net</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2017-05-17T02:52:33Z"
                                              Recipient="https://aclark.myabsorb.com/account/saml"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2017-05-17T01:37:33Z"
                         NotOnOrAfter="2017-05-17T02:52:33Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience/>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2017-05-17T02:37:33Z"
                             SessionNotOnOrAfter=""
                             SessionIndex=""
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>

dj-saml-idp SAMLResponse (dj-saml-sp)

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_93e01310a905437384f3a2e453866f07"
                Version="2.0"
                IssueInstant="2017-05-19T19:32:58Z"
                Destination="http://127.0.0.1:9000/sp/acs/"
                >
    <saml:Issuer>http://127.0.0.1:8000</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_d1ea256032b14327b5f39ad7f7090f54"
                    IssueInstant="2017-05-19T19:32:58Z"
                    Version="2.0"
                    >
        <saml:Issuer>http://127.0.0.1:8000</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_d1ea256032b14327b5f39ad7f7090f54">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>bgeIFEJ8MIj+HlzXicINqox2WSQ=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>ySTiOaFGtem6dp8gcKQq2W1UayxPz83N3bRDyllxcvkkfHReXDizZLUmIVNySCnHXqcsw/zRbNUV19XYr5OaFA==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2017-05-19T19:47:58Z"
                                              Recipient="http://127.0.0.1:9000/sp/acs/"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2017-05-19T18:32:58Z"
                         NotOnOrAfter="2017-05-19T19:47:58Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>http://127.0.0.1:8000/idp/login/</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2017-05-19T19:32:58Z">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="foo">
                <saml:AttributeValue>bar</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

dj-saml-idp SAMLResponse (dj-saml-sp, pretty print)

<?xml version="1.0"?>
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_93e01310a905437384f3a2e453866f07" Version="2.0" IssueInstant="2017-05-19T19:32:58Z" Destination="http://127.0.0.1:9000/sp/acs/">
  <saml:Issuer>http://127.0.0.1:8000</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d1ea256032b14327b5f39ad7f7090f54" IssueInstant="2017-05-19T19:32:58Z" Version="2.0">
    <saml:Issuer>http://127.0.0.1:8000</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_d1ea256032b14327b5f39ad7f7090f54">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>bgeIFEJ8MIj+HlzXicINqox2WSQ=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>ySTiOaFGtem6dp8gcKQq2W1UayxPz83N3bRDyllxcvkkfHReXDizZLUmIVNySCnHXqcsw/zRbNUV19XYr5OaFA==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-05-19T19:47:58Z" Recipient="http://127.0.0.1:9000/sp/acs/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-05-19T18:32:58Z" NotOnOrAfter="2017-05-19T19:47:58Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://127.0.0.1:8000/idp/login/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-05-19T19:32:58Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="foo">
        <saml:AttributeValue>bar</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Research

You can’t perform that action at this time.