The objective of this project is to create a sample Django application acting as a SAML Service Provider (SP) that authenticates users against a SAML Identity Provider (IdP).
Review the docker-compose file to get an idea of the project setup and the ports each service exposes for trying it out.
There are two Django applications, one at http://localhost:8000/admin and the other at http://localhost:8001/admin. Each uses a different Identity Provider. The former uses a PHP-based identity provider (SAML 2.0); you can review how the user details are configured in this file. The latter uses Ping Federate Identity Server; you can review its configuration using this file. Ping Federate needs a license file and initial configuration. This repository is configured with a personal dev license, so it should ideally work out of the box when you clone it. I haven't tested whether it will work from a different location or IP address, in case Ping has any such restrictions. If it does not work, you need to use the same URL as seen in the ping_idp README and configure it accordingly.
There are no user pages configured in Django, so the redirect URL for the IdP is given as /admin and the user lands there after login. In a real application you would redirect to the application's front page URL instead.
Review the Dockerfile and the requirements files first. You may also review the code base of django_saml2_auth to see how it works. If you need to change it, you can change it there as needed and map it into the container.
docker-compose up
This will redirect to the PingFederate IdP at https://localhost:9031.
Use the username/password lucid/G3N0XmVsx2zD.
You will see a SAML response like the following, which logs you into the admin account.
<samlp:Response Destination="http://localhost:8001/saml2_auth/acs/" ID="VdUIU6TUeMZ5uoOAcIAshcCbdaQ"
InResponseTo="id-3AxyEUX5BX7qOnP4F" IssueInstant="2019-02-28T06:31:15.251Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">pingsample</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#VdUIU6TUeMZ5uoOAcIAshcCbdaQ">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>QidNdgXGRuzIldpwWnt4IAhLXcyaXBySda8Pn3Rj25Q=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>frpeeHJ5FmIte1JJ0XhQ50oacZ43ZsoCyLDy9isyCO6a04UJSMxHaOwnHY/2WmhTmzlrcAKL/KH64Y+jQzQzr59kzr/coAY0ZBoJHzOqEimu79z7ObVsWgWe+2HFStn3K5qt2WB/WmN0INeCGQbH+R56P4pbkIEGmn574p6s2UuMBecLVZ2h/RDAJJzz6uk9B8Zx8rbiVN3KCrHlI42+gSGBMtmyhO4D2E81e6tUZEYL/VIdtVbkSkH6W9BuSjS0kOGYWIw9EU6LnsXPg7L78yoH6HD2IZJ9ZnIhIdTt/BV8DIB3kSv6RrhHKE1X5bujEH+qNCyIu9JL70gD9uxKRg==</ds:SignatureValue>
</ds:Signature>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="HqLvPXVhU9t-sR737OyoA5NBHph" IssueInstant="2019-02-28T06:31:15.267Z"
Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>pingsample</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="pingsample"
SPNameQualifier="http://localhost:8001/saml2_auth/acs/">utqjef9tUp9Vq3DQMQfOyLd0vZN</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="id-3AxyEUX5BX7qOnP4F"
NotOnOrAfter="2019-02-28T06:36:15.267Z" Recipient="http://localhost:8001/saml2_auth/acs/"/></saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2019-02-28T06:26:15.267Z" NotOnOrAfter="2019-02-28T06:36:15.267Z">
<saml:AudienceRestriction>
<saml:Audience>http://localhost:8001/saml2_auth/acs/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2019-02-28T06:31:15.263Z"
SessionIndex="HqLvPXVhU9t-sR737OyoA5NBHph">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Lucid</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Programmer</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lucidprogrammer@hotmail.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">lucid</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
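As an added example (not the project's own code), the checks an SP must apply to a response like the one above once the library has verified the XML signature: Destination, InResponseTo, Status, the Conditions validity window, the Audience, and the bearer SubjectConfirmationData. It assumes the ACS URL and request ID taken from the response above and uses a constructed, trimmed copy of that response as input.

```python
# Added example (not project code): the checks an SP must apply to a SAML
# Response after signature validation, which django_saml2_auth/pysaml2 handle.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "http://localhost:8001/saml2_auth/acs/"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample mirroring the response above (signature and IDs omitted).
SAMPLE = f"""<samlp:Response Destination="{ACS}" InResponseTo="id-3AxyEUX5BX7qOnP4F"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion><saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData InResponseTo="id-3AxyEUX5BX7qOnP4F" Recipient="{ACS}"
   NotOnOrAfter="2019-02-28T06:36:15.267Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2019-02-28T06:26:15.267Z" NotOnOrAfter="2019-02-28T06:36:15.267Z">
   <saml:AudienceRestriction><saml:Audience>{ACS}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions><saml:AttributeStatement>
   <saml:Attribute Name="username"><saml:AttributeValue>lucid</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>lucidprogrammer@hotmail.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml, acs_url, request_id, now_iso):
    """Return (list of failed checks, attribute dict); an empty list means accept."""
    now, fails = _ts(now_iso), []
    r = ET.fromstring(xml)
    a = r.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if r.get("Destination") != acs_url:
        fails.append("Destination is not our ACS URL")
    if r.get("InResponseTo") != request_id or scd.get("InResponseTo") != request_id:
        fails.append("InResponseTo mismatch (unsolicited or replayed response)")
    if r.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        fails.append("IdP did not report Success")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        fails.append("assertion outside its validity window")
    if acs_url not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        fails.append("our SP is not in the Audience")
    if scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        fails.append("bearer SubjectConfirmationData is not for this SP or has expired")
    attrs = {at.get("Name"): at.find("saml:AttributeValue", NS).text
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return fails, attrs
```

The request ID passed in must be the one the SP stored when it issued the AuthnRequest; a response whose InResponseTo does not match is unsolicited or replayed and is rejected.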
python3-saml offers a more detailed binding, somewhat more complex than the one configured here. If you would like to play around with it, use the Docker setup to try it out.
Later, if you wish to make auth itself a microservice based on your business needs, you may create a custom authentication backend in Django and have its authenticate function redirect to any standard SAML provider, such as simplesamlphp (free) or PingFederate itself (which you may want to configure as an SP). Then use a common session store. In that manner you can avoid any auth-specific code in your Django application.