This is an app for allowing Django sites to use Northwestern University's Web SSO authentication system (powered by the OpenAM web agent software) in combination with NU Registry for accessing details of authenticated users. If you are not a web developer at Northwestern University and happened to stumble across this project, please stop right now.
- Get the web sso agent up and running on your system (easier said than done!)
- Clone this repository and run python setup.py install (or install via pip: pip install hg+https://firstname.lastname@example.org/technivore/django-nu-websso/#egg=nu_websso).
- Add 'nu_websso' to INSTALLED_APPS
- Add 'django.contrib.auth.middleware.RemoteUserMiddleware' to your MIDDLEWARE_CLASSES setting after 'django.contrib.auth.middleware.AuthenticationMiddleware'.
- Add 'nu_websso.backends.NuRegistryRemoteUserBackend' to your AUTHENTICATION_BACKENDS setting.
- Set the NU_REGISTRY_SEARCH_USER and NU_REGISTRY_SEARCH_PASSWORD settings.
- Run python manage.py syncdb to add the model to your project's database.
- Log into your site's admin and set the Registry attribute to Django group mappings if desired.
The NuRegistryRemoteUserBackend will set the user's name and email address each time they log in to reflect the current state of these values in NU Registry.
Registry Attributes and Django Groups
Django doesn't know anything about the information in NU Registry but we'd like to use Django's built-in django.contrib.auth Group and User classes to handle authorization. This app therefore provides a way to map between arbitrary Registry attributes and Django groups, using the RegistryAttributeGroupMapping class.
- The Registry attribute to be searched, e.g. "nuCareer" or "nuAllSchoolAffiliations".
- If the specified string is found within the attribute (or within any of the attribute's values, if it is multi-valued), then the user will be added to the specified group. Be very careful with this value: it is just a basic substring search, so a short, common value in the search_string may authorize users you never intended to let into your application.
- The Django group to add the user to.
- If true, then the user will be removed from this group if the search_string is not found in the attribute value the next time the user authenticates. Generally you will want this to be left on. It is intended to differentiate group memberships set via this method from manually-assigned group memberships, so that manually-assigned users aren't removed from their groups by this app.
Note that each time the user authenticates, their groups will be updated from NU Registry based on these mappings.
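The mapping and group-sync behaviour described above, as an added Python illustration (not the app's own code; the Mapping field names and the rule that a group is removed only when no mapping for it matched are assumptions):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    # Stand-in for the app's RegistryAttributeGroupMapping; the field
    # names here are assumed, not taken from the project.
    attribute: str                  # Registry attribute, e.g. "nuCareer"
    search_string: str              # substring looked for in the value(s)
    group: str                      # Django group name to add the user to
    remove_if_missing: bool = True  # drop the group once no longer matched


def mapping_matches(mapping, registry_attrs):
    """Plain substring search over a single- or multi-valued attribute."""
    values = registry_attrs.get(mapping.attribute, [])
    if isinstance(values, str):
        values = [values]
    return any(mapping.search_string in value for value in values)


def sync_groups(current_groups, registry_attrs, mappings):
    """Return the user's group names after one authentication.

    Every group matched by some mapping is added. A group is removed only
    when a mapping for it has remove_if_missing set and no mapping for
    that group matched. Groups no mapping refers to (manual assignments)
    are left untouched.
    """
    groups = set(current_groups)
    matched = {m.group for m in mappings if mapping_matches(m, registry_attrs)}
    groups |= matched
    for m in mappings:
        if m.remove_if_missing and m.group not in matched:
            groups.discard(m.group)
    return groups


# Constructed sample mappings (not real Registry data).
MAPPINGS = [
    Mapping("nuCareer", "Staff", "staff"),
    Mapping("nuAllSchoolAffiliations", "WCAS", "wcas-users"),
    Mapping("nuCareer", "S", "s-people"),  # too short: also matches "Student"
]

if __name__ == "__main__":
    print(sorted(sync_groups({"editors"}, {"nuCareer": "Student"}, MAPPINGS)))
```

The third mapping shows the substring caveat: a search_string of "S" matches a Registry value of "Student" as well as "Staff".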
To exempt the django admin from the web sso agent, add it to the list of "notenforced" urls in OpenSSOAgentConfiguration.properties:

com.sun.identity.agents.config.notenforced.url = http://<hostname>/admin

This will allow you to use a built-in django user for accessing the admin.
You can specify the NU_REGISTRY_SEARCH_USER and NU_REGISTRY_SEARCH_PASSWORD settings via the environment. For example, in a uwsgi.ini file, add these lines:

env = NU_REGISTRY_SEARCH_USER=cn=<your login>, ou=Service, dc=northwestern, dc=edu
env = NU_REGISTRY_SEARCH_PASSWORD=<your password>