
adding optional configuration for ADFS SAML compatibility #42

Merged
merged 1 commit into from
Mar 14, 2018

Conversation

BaconAndEggs

@fangli , would you consider merging this pull request?

This is related to the issue #7

I bumped into a few issues getting a compatible integration with ADFS, and added a couple of configuration options to allow accommodating ADFS's SAML2 interpretation.

The changes add optional settings that are passed down to pysaml2: one allows the pysaml2 entityid to be added to authentication requests to populate the Issuer element, and the other allows setting (or, for ADFS, excluding) the Format property on the NameIDPolicy element via the pysaml2 name_id_format.

Also, a change in setup.py bumps the required version of pysaml2 to 4.5.0 to support passing the name_id_format option.
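As an added illustration (not code from this pull request or from pysaml2) of the two request elements the description refers to, the following builds a minimal SAML 2.0 AuthnRequest with the standard library: Issuer is populated from the SP entity ID, and NameIDPolicy is emitted without a Format attribute when name_id_format is None, otherwise with the given URN. The ADFS sign-on URL, the entity ID and the helper names are assumptions. ADFS uses Issuer to look up the relying party trust, so the value has to match the identifier registered there.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol messages and assertions.
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(entity_id, acs_url, destination, name_id_format=None):
    """Build a minimal SAML 2.0 AuthnRequest and return it as an XML string.

    entity_id      -> text of <saml:Issuer>; must equal the SP entity ID that
                      ADFS has as the relying party identifier.
    name_id_format -> None emits <samlp:NameIDPolicy> with no Format attribute
                      (the ADFS-tolerant form); a URN is set as Format as-is.
    Hypothetical helper, not a pysaml2 API.
    """
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,            # IDs must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    # Issuer is the first child of AuthnRequest per the schema.
    issuer = ET.SubElement(req, f"{{{NS_SAML}}}Issuer")
    issuer.text = entity_id
    policy_attrs = {"AllowCreate": "true"}
    if name_id_format is not None:
        policy_attrs["Format"] = name_id_format
    ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy", policy_attrs)
    return ET.tostring(req, encoding="unicode")


def inspect_authn_request(xml_text):
    """Return (issuer_text, name_id_policy_format) from an AuthnRequest.

    Useful for confirming what the IdP will actually see before sending it.
    """
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    policy = root.find(f"{{{NS_SAMLP}}}NameIDPolicy")
    return (issuer.text if issuer is not None else None,
            policy.get("Format") if policy is not None else None)


if __name__ == "__main__":
    # Assumed values mirroring the thread: SP entity ID equals the ACS URL,
    # and the ADFS passive endpoint is the default /adfs/ls/ path.
    sp = "https://my.apps.fqdn.com/saml2_auth/acs/"
    idp = "https://my.orgs.adfs.fqdn.com/adfs/ls/"
    print(build_authn_request(sp, sp, idp))
    print(inspect_authn_request(build_authn_request(sp, sp, idp)))
```

Running the module prints the ADFS-shaped request; calling build_authn_request with an explicit name_id_format gives the generic form with Format set, so the two can be diffed side by side when debugging an IdP that rejects one of them.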

@fangli fangli merged commit 7006891 into fangli:master Mar 14, 2018
@srinathganesh1

Hi, do you have sample values to be used when integrating with ADFS?

@BaconAndEggs
Author

@srinathganesh1 , yeah, here you go:

    import os

    # Both values come from the environment here; example values are given below.
    SAML_METADATA_URL = os.environ['SAML_METADATA_URL']

    SAML2_AUTH = {
        'METADATA_AUTO_CONF_URL': SAML_METADATA_URL,
        # 'DEFAULT_NEXT_URL': '/',  # uncomment if we want to force the landing page after auth
        'ATTRIBUTES_MAP': {  # Map email/username/first_name/last_name to the corresponding SAML2 user profile attributes (ADFS claim URIs).
            'email': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            'username': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
            'first_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
            'last_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
        },
        'ENTITY_ID': os.environ['SAML_ENTITY_ID'],
        'NAME_ID_FORMAT': 'None',
    }

With:
SAML_ENTITY_ID being something like https://my.apps.fqdn.com/saml2_auth/acs/
SAML_METADATA_URL being something like https://my.orgs.adfs.fqdn.com/FederationMetadata/2007-06/FederationMetadata.xml

Also, on the ADFS side, I had to ask the administrator to make a translation mapping to populate the NameID sub-element of the Subject element, which gets posted to the SP assertion endpoint. The instructions that we followed in doing this were from this Ping knowledge base article: https://ping.force.com/Support/PingIdentityArticle?id=kA3400000008TIRCA2 (you might need to make an account to read the article).

I hope that helps.
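An added example, not from this thread or from django-saml2-auth, of the receiving side of the configuration above: a constructed ADFS-style assertion (not a capture) is run through the same ATTRIBUTES_MAP, with an explicit check that Subject/NameID is present, which is what is missing until the ADFS transform rule the author mentions is in place. The claim values, entity IDs and function names are assumptions. Signature, audience and Conditions validation are deliberately out of scope here because pysaml2 performs them before the SP looks at attributes; do not use a bare xml.etree parse like this on untrusted responses in place of that validation.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Same mapping as in the settings above: SP user field -> ADFS claim URI.
ATTRIBUTES_MAP = {
    'email': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'username': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'first_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'last_name': 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
}

# Constructed sample (not a capture) of the assertion ADFS posts to the ACS
# once a rule emits NameID. Signature and Conditions are omitted on purpose.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2018-03-14T00:00:00Z">
  <saml:Issuer>http://my.orgs.adfs.fqdn.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@my.orgs.fqdn.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@my.orgs.fqdn.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The same assertion as ADFS sends it before the NameID transform rule exists.
SAMPLE_ASSERTION_NO_NAMEID = SAMPLE_ASSERTION.replace(
    "<saml:NameID>jdoe@my.orgs.fqdn.com</saml:NameID>", "")


def has_name_id(assertion_xml):
    """True when Subject/NameID is present and non-empty (hypothetical helper)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return name_id is not None and bool((name_id.text or "").strip())


def extract_identity(assertion_xml, attributes_map):
    """Map the assertion's attributes onto the SP's user fields.

    Raises ValueError when NameID is missing, which is the failure the ADFS
    transform rule fixes. No signature or Conditions validation is done here.
    """
    if not has_name_id(assertion_xml):
        raise ValueError("assertion has no Subject/NameID; add an ADFS "
                         "transform rule that emits one")
    root = ET.fromstring(assertion_xml)
    # Collect every Attribute by its claim URI; values are kept as a list
    # because SAML allows multi-valued attributes (e.g. group membership).
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [
            (v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
    identity = {"name_id": root.find("saml:Subject/saml:NameID", NS).text.strip()}
    for field, claim_uri in attributes_map.items():
        values = claims.get(claim_uri, [])
        identity[field] = values[0] if values else None   # None = claim not released
    return identity


if __name__ == "__main__":
    print(extract_identity(SAMPLE_ASSERTION, ATTRIBUTES_MAP))
    print("NameID present without the rule:", has_name_id(SAMPLE_ASSERTION_NO_NAMEID))
```

A field that comes back None means ADFS is not releasing that claim to this relying party, which is a claim-rule problem on the ADFS side rather than a mapping problem in ATTRIBUTES_MAP.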

@srinathganesh1

Thank you, will try that out.
