0001-misc-remove-documentation-files-53764.patch
README | ||
---|---|---|
17 | 17 | |
18 | 18 |
Authentic 2 requires Python 2.7 and Django 1.7. |
19 | 19 | |
20 |
Full documentation available on http://authentic2.readthedocs.org/en/stable/. |
|
20 |
Full documentation available on http://authentic2.readthedocs.org/en/stable/, |
|
21 |
maintained in a distinct repository https://git.entrouvert.org/authentic2-doc.git/. |
|
21 | 22 | |
22 | 23 |
Features |
23 | 24 |
-------- |
doc/Makefile | ||
---|---|---|
1 |
# Makefile for Sphinx documentation |
|
2 |
# |
|
3 | ||
4 |
# You can set these variables from the command line. |
|
5 |
SPHINXOPTS = |
|
6 |
SPHINXBUILD = sphinx-build |
|
7 |
PAPER = |
|
8 |
BUILDDIR = _build |
|
9 | ||
10 |
# Internal variables. |
|
11 |
PAPEROPT_a4 = -D latex_paper_size=a4 |
|
12 |
PAPEROPT_letter = -D latex_paper_size=letter |
|
13 |
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . |
|
14 |
# the i18n builder cannot share the environment and doctrees with the others |
|
15 |
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . |
|
16 | ||
17 |
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext |
|
18 | ||
19 |
help: |
|
20 |
@echo "Please use \`make <target>' where <target> is one of" |
|
21 |
@echo " html to make standalone HTML files" |
|
22 |
@echo " dirhtml to make HTML files named index.html in directories" |
|
23 |
@echo " singlehtml to make a single large HTML file" |
|
24 |
@echo " pickle to make pickle files" |
|
25 |
@echo " json to make JSON files" |
|
26 |
@echo " htmlhelp to make HTML files and a HTML help project" |
|
27 |
@echo " qthelp to make HTML files and a qthelp project" |
|
28 |
@echo " devhelp to make HTML files and a Devhelp project" |
|
29 |
@echo " epub to make an epub" |
|
30 |
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" |
|
31 |
@echo " latexpdf to make LaTeX files and run them through pdflatex" |
|
32 |
@echo " text to make text files" |
|
33 |
@echo " man to make manual pages" |
|
34 |
@echo " texinfo to make Texinfo files" |
|
35 |
@echo " info to make Texinfo files and run them through makeinfo" |
|
36 |
@echo " gettext to make PO message catalogs" |
|
37 |
@echo " changes to make an overview of all changed/added/deprecated items" |
|
38 |
@echo " linkcheck to check all external links for integrity" |
|
39 |
@echo " doctest to run all doctests embedded in the documentation (if enabled)" |
|
40 | ||
41 |
clean: |
|
42 |
-rm -rf $(BUILDDIR)/* |
|
43 | ||
44 |
html: |
|
45 |
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html |
|
46 |
@echo |
|
47 |
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html." |
|
48 | ||
49 |
dirhtml: |
|
50 |
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml |
|
51 |
@echo |
|
52 |
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." |
|
53 | ||
54 |
singlehtml: |
|
55 |
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml |
|
56 |
@echo |
|
57 |
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." |
|
58 | ||
59 |
pickle: |
|
60 |
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle |
|
61 |
@echo |
|
62 |
@echo "Build finished; now you can process the pickle files." |
|
63 | ||
64 |
json: |
|
65 |
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json |
|
66 |
@echo |
|
67 |
@echo "Build finished; now you can process the JSON files." |
|
68 | ||
69 |
htmlhelp: |
|
70 |
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp |
|
71 |
@echo |
|
72 |
@echo "Build finished; now you can run HTML Help Workshop with the" \ |
|
73 |
".hhp project file in $(BUILDDIR)/htmlhelp." |
|
74 | ||
75 |
qthelp: |
|
76 |
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp |
|
77 |
@echo |
|
78 |
@echo "Build finished; now you can run "qcollectiongenerator" with the" \ |
|
79 |
".qhcp project file in $(BUILDDIR)/qthelp, like this:" |
|
80 |
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Authentic2.qhcp" |
|
81 |
@echo "To view the help file:" |
|
82 |
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Authentic2.qhc" |
|
83 | ||
84 |
devhelp: |
|
85 |
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp |
|
86 |
@echo |
|
87 |
@echo "Build finished." |
|
88 |
@echo "To view the help file:" |
|
89 |
@echo "# mkdir -p $$HOME/.local/share/devhelp/Authentic2" |
|
90 |
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Authentic2" |
|
91 |
@echo "# devhelp" |
|
92 | ||
93 |
epub: |
|
94 |
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub |
|
95 |
@echo |
|
96 |
@echo "Build finished. The epub file is in $(BUILDDIR)/epub." |
|
97 | ||
98 |
latex: |
|
99 |
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex |
|
100 |
@echo |
|
101 |
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." |
|
102 |
@echo "Run \`make' in that directory to run these through (pdf)latex" \ |
|
103 |
"(use \`make latexpdf' here to do that automatically)." |
|
104 | ||
105 |
latexpdf: |
|
106 |
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex |
|
107 |
@echo "Running LaTeX files through pdflatex..." |
|
108 |
$(MAKE) -C $(BUILDDIR)/latex all-pdf |
|
109 |
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." |
|
110 | ||
111 |
text: |
|
112 |
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text |
|
113 |
@echo |
|
114 |
@echo "Build finished. The text files are in $(BUILDDIR)/text." |
|
115 | ||
116 |
man: |
|
117 |
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man |
|
118 |
@echo |
|
119 |
@echo "Build finished. The manual pages are in $(BUILDDIR)/man." |
|
120 | ||
121 |
texinfo: |
|
122 |
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo |
|
123 |
@echo |
|
124 |
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." |
|
125 |
@echo "Run \`make' in that directory to run these through makeinfo" \ |
|
126 |
"(use \`make info' here to do that automatically)." |
|
127 | ||
128 |
info: |
|
129 |
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo |
|
130 |
@echo "Running Texinfo files through makeinfo..." |
|
131 |
make -C $(BUILDDIR)/texinfo info |
|
132 |
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." |
|
133 | ||
134 |
gettext: |
|
135 |
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale |
|
136 |
@echo |
|
137 |
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." |
|
138 | ||
139 |
changes: |
|
140 |
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes |
|
141 |
@echo |
|
142 |
@echo "The overview file is in $(BUILDDIR)/changes." |
|
143 | ||
144 |
linkcheck: |
|
145 |
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck |
|
146 |
@echo |
|
147 |
@echo "Link check complete; look for any errors in the above output " \ |
|
148 |
"or in $(BUILDDIR)/linkcheck/output.txt." |
|
149 | ||
150 |
doctest: |
|
151 |
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest |
|
152 |
@echo "Testing of doctests in the sources finished, look at the " \ |
|
153 |
"results in $(BUILDDIR)/doctest/output.txt." |
doc/admin_access.rst | ||
---|---|---|
1 |
.. _admin_access: |
|
2 | ||
3 |
============================================ |
|
4 |
Access the grapical administration interface |
|
5 |
============================================ |
|
6 | ||
7 |
The grapical administration interface is the 'Django admin' part of a Django |
|
8 |
project. See for more information. |
|
9 | ||
10 |
Just acces the admin url at http[s]://your.domain.com/admin. |
|
11 | ||
12 |
At first you log with the superuser you created at the very first database |
|
13 |
initialization. |
|
14 | ||
15 |
Then you can configure other accesses to the admin checking the is_staff |
|
16 |
option displayed on a user in the admin. |
doc/administration_with_policies.rst | ||
---|---|---|
1 |
.. _administration_with_policies: |
|
2 | ||
3 |
================== |
|
4 |
Work with policies |
|
5 |
================== |
|
6 | ||
7 |
The policy management with global policies is nearly used for any kind of |
|
8 |
policy in Authentic 2. |
|
9 | ||
10 |
For each kind of these policies, the system takes in account two special |
|
11 |
global policies named 'Default' and 'All': |
|
12 | ||
13 |
* There is always a system default that does not correspond to the 'Default' |
|
14 |
policy. This is used to make Authentic 2 boot without initial |
|
15 |
configuration. When you add a 'Default' policy, the system default are not |
|
16 |
used anymore. |
|
17 |
* A policy has always a name, 'Default' and 'All' are the names of two special |
|
18 |
policies with their name hardcoded. But you can create or delete them. |
|
19 |
* If no other policy applies, the policy 'Default' applies. |
|
20 |
* A policy can be created and attached to any related object. This policy is |
|
21 |
authoritative on the policy 'Default'. |
|
22 |
* If the policy 'All' exists, it is authoritative on any other policy. |
|
23 |
* The global policies 'All' and 'Default' are created by the administrator if |
|
24 |
necessary. |
|
25 |
* A policy is taken in account only if it is enabled. |
|
26 |
* When a regular policy is associated with an object, it is taken in account |
|
27 |
only if the option 'enable the following policy' is checked on the oject. |
|
28 | ||
29 |
It is advised to add a 'Default' global policy when it is expected to apply a |
|
30 |
policy to all related objects. A 'Default' global policy should be defined to |
|
31 |
avoid misonfiguration. |
|
32 | ||
33 |
Add a regular policy to some objects are used to handle particular |
|
34 |
configurations for a subset of related objects. |
|
35 | ||
36 |
An 'All' global policy should be used to enforce a global configuration for |
|
37 |
all related objects or for testing purposes. |
doc/advanced.rst | ||
---|---|---|
1 |
.. _advanced: |
|
2 | ||
3 |
=============== |
|
4 |
Advanced topics |
|
5 |
=============== |
|
6 | ||
7 | ||
8 |
- :ref:`attributes_in_session` |
|
9 |
- :ref:`writing_migrations` |
|
10 |
- :ref:`write_new_kind_policy` |
|
11 | ||
12 |
.. _attributes_in_session: |
|
13 | ||
14 |
Attributes in session pushed by third SAML2 identity providers |
|
15 |
============================================================== |
|
16 | ||
17 |
When an assertion is received, assertion data, including attributes, are |
|
18 |
pushed in the Django session dictionnary. |
|
19 | ||
20 |
It leads to the creation of the following dictionnary:: |
|
21 | ||
22 |
request.session['multisource_attributes'] |
|
23 | ||
24 |
The keys of the dictionnary are the source names, i.e. the entity Id for |
|
25 |
SAML2 identity providers. |
|
26 | ||
27 |
The values are list of data extracted from assertions. Indeed, this is done |
|
28 |
to store multiple assertion received from a same source in a same Django |
|
29 |
session:: |
|
30 | ||
31 |
request.session['multisource_attributes'] \ |
|
32 |
[source_name] = list() |
|
33 | ||
34 |
The items of this list are dictionnaries with the keys 'certificate_type' and |
|
35 |
'attributes'. |
|
36 | ||
37 |
For a saml2 assertion, all the keys are:: |
|
38 | ||
39 |
a8n['certificate_type'] = 'SAML2_assertion' |
|
40 |
a8n['nameid'] = ... |
|
41 |
a8n['subject_confirmation_method'] = ... |
|
42 |
a8n['not_before'] = ... |
|
43 |
a8n['not_on_or_after'] = ... |
|
44 |
a8n['authn_context'] = ... |
|
45 |
a8n['authn_instant'] = ... |
|
46 |
a8n['attributes'] = attrs |
|
47 | ||
48 |
a8n['attributes'] has the following structure:: |
|
49 | ||
50 |
attributes = {} |
|
51 |
attributes[name] = (value1, value2, ) |
|
52 |
attributes[(name, format)] = (value1, value2, ) |
|
53 |
attributes[(name, format, nickname)] = (value1, value2, ) |
|
54 |
a8n['attributes'] = attributes |
|
55 | ||
56 |
.. _writing_migrations: |
|
57 | ||
58 |
Writing migrations |
|
59 |
================== |
|
60 | ||
61 |
Migration containing reference to the user model must be rewritten manually to |
|
62 |
refer to the user model name indirectly. The followind modifications must be applied. |
|
63 | ||
64 |
1. First import the `user_model_label` from the `authentic2.compat` module: |
|
65 | ||
66 |
:: |
|
67 | ||
68 |
from authentic2.compat import user_model_label |
|
69 | ||
70 |
Any reference to `orm['auth.User']` or `orm['authentic2.User']` must be |
|
71 |
rewritten into `orm[user_model_label]`. For example this line::: |
|
72 | ||
73 |
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['authentic2.User'])), |
|
74 | ||
75 |
must be changed to::: |
|
76 | ||
77 |
('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm[user_model_label])), |
|
78 | ||
79 |
2. The user model when appearing in the `models` field like this: |
|
80 | ||
81 |
:: |
|
82 | ||
83 |
'auth.user': { |
|
84 |
'meta': {'object_name': 'User', |
|
85 | ||
86 |
must be rewritten like that::: |
|
87 | ||
88 |
user_model_label: { |
|
89 |
'Meta': {'object_name': user_model_label.split('.')[-1]}, |
|
90 | ||
91 |
3. If the user model is referred inside the `to` field of a foreign key |
|
92 |
declaration like this: |
|
93 | ||
94 |
:: |
|
95 | ||
96 |
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['auth.User']"}) |
|
97 | ||
98 |
must be rewritten like that::: |
|
99 | ||
100 |
'user': ('django.db.models.fields.related.ForeignKey', [], {'to': u"orm['%s']" user_model_label}) |
|
101 | ||
102 |
.. _write_new_kind_policy: |
|
103 | ||
104 |
Add a new kind of administration policy |
|
105 |
======================================= |
|
106 | ||
107 |
See how policies works :ref:`administration_with_policies`. Then, the bahavior |
|
108 |
should look like:: |
|
109 | ||
110 |
def get_sample_policy(any_object): |
|
111 |
# Look for a global policy 'All' |
|
112 |
try: |
|
113 |
return SamplePolicy.objects.get(name='All', enabled=True) |
|
114 |
except SamplePolicy.DoesNotExist: |
|
115 |
pass |
|
116 |
# Look for a regular policy |
|
117 |
if any_object.enable_following_sample_policy: |
|
118 |
if any_object.sample_policy: |
|
119 |
return any_object.sample_policy |
|
120 |
# Look for a global policy 'Default' |
|
121 |
try: |
|
122 |
return SamplePolicy.objects.get(name='Default', enabled=True) |
|
123 |
except SamplePolicy.DoesNotExist: |
|
124 |
pass |
|
125 |
return None |
doc/attribute_management.rst | ||
---|---|---|
1 |
.. _attribute_management: |
|
2 | ||
3 |
=================================== |
|
4 |
Attribute Management in Authentic 2 |
|
5 |
=================================== |
|
6 | ||
7 |
Summary |
|
8 |
======= |
|
9 | ||
10 |
Attribute management currently allows to configure attribute policies |
|
11 |
associated with SAML2 service providers to define attributes that are |
|
12 |
pushed in SAML2 successful authentication response delivered by Authentic 2. |
|
13 | ||
14 |
User attributes can be taken from LDAP directories, the user Django |
|
15 |
profile or taken from the user Django session if Authentic 2 is also configured |
|
16 |
as a SAML2 service provider. |
|
17 | ||
18 |
Indeed, when Authentic 2 acts also as a SAML2 service provider, |
|
19 |
attributes contained in the SAML2 assertion received from third IdP are put in |
|
20 |
the user session. |
|
21 | ||
22 |
Attributes can thus be proxyfied during SSO with Authentic 2 |
|
23 |
configured as a SAML2 proxy. |
|
24 | ||
25 |
*If there is no attribute policy associate with a service provider, no |
|
26 |
attribute is forwarded to it.* |
|
27 | ||
28 |
The namespace of attributes received from another SAML2 IdP and of attributes |
|
29 |
pushed in the assertion given to service providers can be configured per |
|
30 |
attribute or per service provider. |
|
31 | ||
32 |
By default, the namespace and format of attributes in assertion is conformant |
|
33 |
to the SAMLV2.0 X500/LDAP Attribute profile:: |
|
34 | ||
35 |
<saml:Attribute |
|
36 |
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" |
|
37 |
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
|
38 |
Name="urn:oid:2.5.4.42" FriendlyName="givenName"> |
|
39 |
<saml:AttributeValue xsi:type="xs:string" |
|
40 |
x500:Encoding="LDAP">Mikaël</saml:AttributeValue> |
|
41 |
</saml:Attribute> |
|
42 | ||
43 |
But the http://schemas.xmlsoap.org/ws/2005/05/identity/claims from the ISI |
|
44 |
profile can also be used, for instance:: |
|
45 | ||
46 |
<saml:Attribute |
|
47 |
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
|
48 |
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" |
|
49 |
FriendlyName="First Name"> |
|
50 |
<saml:AttributeValue>Mikaël</saml:AttributeValue> |
|
51 |
</saml:Attribute> |
|
52 | ||
53 |
Configuration |
|
54 |
============= |
|
55 | ||
56 |
Configure local sources of attributes |
|
57 |
------------------------------------- |
|
58 | ||
59 |
The source of attributes for authentic2 are of two kinds. The LDAP sources and |
|
60 |
the user django profile. |
|
61 | ||
62 |
Declare the Django profile source |
|
63 |
_________________________________ |
|
64 | ||
65 |
Add an attribute source named USER_PROFILE with namespace 'Default'. |
|
66 | ||
67 |
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/ |
|
68 | ||
69 |
2. Write 'USER_PROFILE' in name field |
|
70 | ||
71 |
.. image:: pictures/user_profile_source.png |
|
72 |
:width: 800 px |
|
73 |
:align: center |
|
74 | ||
75 |
3. Save |
|
76 | ||
77 |
.. image:: pictures/user_profile_source_saved.png |
|
78 |
:width: 800 px |
|
79 |
:align: center |
|
80 | ||
81 |
Add an LDAP Source |
|
82 |
__________________ |
|
83 | ||
84 |
For LDAP sources, objects of type 'LDAPSource' must be created. |
|
85 | ||
86 |
**Even if the authentication is based on LDAP authentification, thus that a |
|
87 |
server is configured in settings.py, it is |
|
88 |
necessary to create a corresponding 'LDAPSource' to use it as a source of |
|
89 |
attribute.** |
|
90 | ||
91 |
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/ldapsource/add/ |
|
92 | ||
93 |
2. Fill form fields |
|
94 | ||
95 |
Only the field Name, Server, User, Password, Base and Port are used for now. |
|
96 |
**The namespace of LDAP source must be kept to 'Default', since the system |
|
97 |
namespace is based on LDAP.** |
|
98 | ||
99 |
.. image:: pictures/ldapsource.png |
|
100 |
:width: 800 px |
|
101 |
:align: center |
|
102 | ||
103 |
3. Save |
|
104 | ||
105 |
.. image:: pictures/ldapsource_saved.png |
|
106 |
:width: 800 px |
|
107 |
:align: center |
|
108 | ||
109 |
Manage user distinguished names in LDAP directories |
|
110 |
___________________________________________________ |
|
111 | ||
112 |
To find the user in a LDAP directory, authentic2 must know its distinguished |
|
113 |
name (DN). If this LDAP has been used when the user has authenticated, |
|
114 |
Authentic 2 learn the user DN. Nothing has to be done from this point of view. |
|
115 | ||
116 |
However, if it is expected that user attributes be taken in a directory that |
|
117 |
is not used by the user for authentication, it is necessary to manually |
|
118 |
indicate to Authentic 2 what is the user DN in the directory. For this, a |
|
119 |
user alias in source is created for the user: |
|
120 | ||
121 |
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/useraliasinsource/add/ |
|
122 | ||
123 |
2. Fill form fields |
|
124 | ||
125 |
.. image:: pictures/alias_in_source.png |
|
126 |
:width: 800 px |
|
127 |
:align: center |
|
128 | ||
129 |
3. Save |
|
130 | ||
131 |
.. image:: pictures/alias_in_source_saved.png |
|
132 |
:width: 800 px |
|
133 |
:align: center |
|
134 | ||
135 |
Configure attributes from local sources pushed to SAML2 service providers in SSO response |
|
136 |
----------------------------------------------------------------------------------------- |
|
137 | ||
138 |
Reminder: |
|
139 | ||
140 |
- The default name format in SAML2 assertions is URI |
|
141 |
- The default namespace called 'Default' is LDAP |
|
142 | ||
143 |
In summary: |
|
144 | ||
145 |
1. Create attribute items indicating an attribute name, a source, the name format expected and the namespace expected for the attribute name and friendly name if any. |
|
146 | ||
147 |
2. Create a named list of attribute items. |
|
148 | ||
149 |
3. Create an attribute policy and associate the previous list or associate the previous list to a existing attribute policy. |
|
150 | ||
151 |
4. Associate the policy to a service provider. |
|
152 | ||
153 |
Create attribute items |
|
154 |
______________________ |
|
155 | ||
156 |
1. Go to http[s]://your.domain.com/admin/idp/attributeitem/add/ |
|
157 | ||
158 |
2. Fill form fields |
|
159 | ||
160 |
.. image:: pictures/attribute_item.png |
|
161 |
:width: 800 px |
|
162 |
:align: center |
|
163 | ||
164 |
3. Save |
|
165 | ||
166 |
.. image:: pictures/attribute_item_saved.png |
|
167 |
:width: 800 px |
|
168 |
:align: center |
|
169 | ||
170 |
Create a named list of attribute items |
|
171 |
______________________________________ |
|
172 | ||
173 |
1. Go to http[s]://your.domain.com/admin/idp/attributelist/add/ |
|
174 | ||
175 |
2. Name the list and add items to list |
|
176 | ||
177 |
.. image:: pictures/attribute_list.png |
|
178 |
:width: 800 px |
|
179 |
:align: center |
|
180 | ||
181 |
3. Save |
|
182 | ||
183 |
.. image:: pictures/attribute_list_saved.png |
|
184 |
:width: 800 px |
|
185 |
:align: center |
|
186 | ||
187 |
Create or modify an attribute policy |
|
188 |
____________________________________ |
|
189 | ||
190 |
You can create a global policy 'All' or 'Default'. For details, see :ref:`administration_with_policies`. |
|
191 |
Or you can create a regular policy and associate it to a service provider. |
|
192 | ||
193 |
1. Go to http[s]://your.domain.com/admin/idp/attributepolicy/add/ |
|
194 | ||
195 |
2. Add list to the policy |
|
196 | ||
197 |
.. image:: pictures/policy_pull.png |
|
198 |
:width: 800 px |
|
199 |
:align: center |
|
200 | ||
201 |
3. Save |
|
202 | ||
203 |
.. image:: pictures/policy_pull_saved.png |
|
204 |
:width: 800 px |
|
205 |
:align: center |
|
206 | ||
207 |
Associate the policy to a service provider |
|
208 |
__________________________________________ |
|
209 | ||
210 |
1. Go to http[s]://your.domain.com/admin/saml/libertyprovider/1/ |
|
211 | ||
212 |
2. Associate the policy to the service provider and **enable it** |
|
213 | ||
214 |
.. image:: pictures/sp_policy_pull.png |
|
215 |
:width: 800 px |
|
216 |
:align: center |
|
217 | ||
218 |
3. Save |
|
219 | ||
220 |
.. image:: pictures/sp_policy_pull_saved.png |
|
221 |
:width: 800 px |
|
222 |
:align: center |
|
223 | ||
224 |
4. The display name of the policy has changed |
|
225 | ||
226 |
.. image:: pictures/policy_pull_renamed.png |
|
227 |
:width: 800 px |
|
228 |
:align: center |
|
229 | ||
230 |
Handle attributes provided by other Identity providers and pushed to SAML2 service providers in SSO response (proxy attributes) |
|
231 |
------------------------------------------------------------------------------------------------------------------------------- |
|
232 | ||
233 |
To have these kind of attributes to forward, authentic must be configured as a |
|
234 |
SAML2 service provider, see the corresponding administration page |
|
235 |
:ref:`config_saml2_idp`. |
|
236 | ||
237 |
Forward all attributes in session without any modification |
|
238 |
__________________________________________________________ |
|
239 | ||
240 |
Create or modify an attribute policy activating the option 'Forward attributes from push sources' and save. |
|
241 | ||
242 |
**No other option below must be used.** |
|
243 | ||
244 |
.. image:: pictures/attr_policy_forward.png |
|
245 |
:width: 800 px |
|
246 |
:align: center |
|
247 | ||
248 |
**Attach policy to the service provider if it is not yet the case.** |
|
249 | ||
250 |
**No need to deal with namespace here.** |
|
251 | ||
252 |
Filter attributes from source only |
|
253 |
__________________________________ |
|
254 | ||
255 |
Here, you want to forward **all** attributes of selected source of attributes. |
|
256 | ||
257 |
First of all you need to create objects corresponding to the sources of |
|
258 |
attributes. |
|
259 | ||
260 |
**The name of the source object must be the entity ID of the SAML2 |
|
261 |
identity provider.** |
|
262 | ||
263 |
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/attributesource/add/ |
|
264 | ||
265 |
2. Set the name (No need to change the namespace) |
|
266 | ||
267 |
.. image:: pictures/attr_source_idp.png |
|
268 |
:width: 800 px |
|
269 |
:align: center |
|
270 | ||
271 |
3. Save |
|
272 | ||
273 |
.. image:: pictures/attr_source_idp_saved.png |
|
274 |
:width: 800 px |
|
275 |
:align: center |
|
276 | ||
277 |
Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**. |
|
278 |
You then select the source you want to forward attributes through the selection box and you save. |
|
279 | ||
280 |
.. image:: pictures/attr_policy_filter_source.png |
|
281 |
:width: 800 px |
|
282 |
:align: center |
|
283 | ||
284 |
**Attach policy to the service provider if it is not yet the case.** |
|
285 | ||
286 |
**No need to deal with namespace here.** |
|
287 | ||
288 | ||
289 |
Modify namespace of attributes forwarded when attributes forwarded are not filtered or when filtered according to the source |
|
290 |
____________________________________________________________________________________________________________________________ |
|
291 | ||
292 |
The system needs to 'recognise the attributes' to perform the mapping. |
|
293 |
For this, you need to indicate the namespace of attributes received per source |
|
294 |
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu* |
|
295 |
and supann). |
|
296 | ||
297 |
In other words if the source provides attributes in a different namespace, you |
|
298 |
need to create objects corresponding to the sources of attributes and indicate |
|
299 |
there the right namespace. By default, the only other supported namespace is |
|
300 |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims. |
|
301 | ||
302 |
.. image:: pictures/attr_source_idp_claims.png |
|
303 |
:width: 800 px |
|
304 |
:align: center |
|
305 | ||
306 |
Then create or modify an attribute policy activating the options 'Forward attributes from push sources', |
|
307 |
**'Map attributes from push sources'**. You also choose the output namespace expected with the |
|
308 |
parameters **'Output name format'** and **'Output namespace'**. |
|
309 | ||
310 |
.. image:: pictures/attr_policy_map_ns.png |
|
311 |
:width: 800 px |
|
312 |
:align: center |
|
313 | ||
314 |
Remind that the default namespace is X500/LDAP + edu* + supann and the only other supported namespace is |
|
315 |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims. |
|
316 | ||
317 |
**Attach policy to the service provider if it is not yet the case.** |
|
318 | ||
319 |
Filter attributes with a list of attributes, with or without choosing the source |
|
320 |
________________________________________________________________________________ |
|
321 | ||
322 |
The system needs to 'recognise the attributes' to filter the attributes |
|
323 |
according to a list of attributes. |
|
324 |
For this, you need to indicate the namespace of attributes received per source |
|
325 |
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu* |
|
326 |
and supann). |
|
327 | ||
328 |
In other words if the source provides attributes in a different namespace, you |
|
329 |
need to create objects corresponding to the sources of attributes and indicate |
|
330 |
there the right namespace. By default, the only other supported namespace is |
|
331 |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims. |
|
332 | ||
333 |
.. image:: pictures/attr_source_idp_claims.png |
|
334 |
:width: 800 px |
|
335 |
:align: center |
|
336 | ||
337 |
You then create an attribute list as described in section *'Create a named list of attribute items'*. |
|
338 | ||
339 |
Then create or modify an attribute policy activating the option **'Forward attributes from push sources'**. |
|
340 |
You then associate the list of attributes. |
|
341 | ||
342 |
.. image:: pictures/attr_policy_filter_attributes.png |
|
343 |
:width: 800 px |
|
344 |
:align: center |
|
345 | ||
346 |
If you want to also filter according to the source you can configure it as defined in section *'Filter attributes from source only'*. You can also choose to filter |
|
347 |
with the source indicate per attribute item of the list. For this select the option **'Filter source of filtered attributes'**. |
|
348 | ||
349 |
.. image:: pictures/attr_policy_filter_attributes_source.png |
|
350 |
:width: 800 px |
|
351 |
:align: center |
|
352 | ||
353 |
.. image:: pictures/attribute_item.png |
|
354 |
:width: 800 px |
|
355 |
:align: center |
|
356 | ||
357 |
The default name format is URI. You can however change the name format and namespace with the option **'Map attributes from push sources'** and the parameters **'Output name format'** and **'Output namespace'**. |
|
358 | ||
359 |
Using the option **'Map attributes of filtered attributes'** the output name format and namespace are the ones indicated per attribute item of the list. |
|
360 | ||
361 |
.. image:: pictures/attr_policy_filter_attributes_map.png |
|
362 |
:width: 800 px |
|
363 |
:align: center |
|
364 | ||
365 |
.. image:: pictures/attribute_item.png |
|
366 |
:width: 800 px |
|
367 |
:align: center |
|
368 | ||
369 | ||
370 |
Push manually (writing bits of code) attributes to SAML2 service providers in SSO response |
|
371 |
------------------------------------------------------------------------------------------ |
|
372 | ||
373 |
In idp/signals.py connect to the add_attributes_to_response signal:: |
|
374 | ||
375 |
add_attributes_to_response.connect(your_function) |
|
376 | ||
377 |
Your function must return an attribute dictionnary as follows:: |
|
378 | ||
379 |
dic = {} |
|
380 |
attributes = {} |
|
381 |
attributes[name] = (value1, value2, ) |
|
382 |
attributes[(name, format)] = (value1, value2, ) |
|
383 |
attributes[(name, format, nickname)] = (value1, value2, ) |
|
384 |
dic['attributes'] = attributes |
|
385 |
return dic |
|
386 | ||
387 |
*format* must be in (lasso.SAML2_ATTRIBUTE_NAME_FORMAT_URI, |
|
388 |
lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC) |
|
389 | ||
390 |
You can use the attributes form the local source and the attributes in the |
|
391 |
session that are pushed by other identity providers. |
|
392 | ||
393 |
Attributes in the session are in:: |
|
394 | ||
395 |
request.session['multisource_attributes'] |
|
396 | ||
397 |
See the page :ref:`attributes_in_session`. |
|
398 | ||
399 |
If you want to use local source of attributes and use mapping capabilities |
|
400 |
of the UserAttributeProfile see the page :ref:`attribute_management_explained`. |
|
401 |
Use the file idp/attributes.py as an exemple. |
|
402 | ||
403 |
Modifying supported namespaces and attribute name mappings |
|
404 |
========================================================== |
|
405 | ||
406 |
The mapping is defined in the file attribute_aggregator/mapping.py |
|
407 | ||
408 |
The mapping can be modified with the variables ATTRIBUTE_NAMESPACES and |
|
409 |
ATTRIBUTE_MAPPING that can be redefined using settings. |
|
410 | ||
411 |
Add new namespaces in ATTRIBUTE_NAMESPACES. |
|
412 | ||
413 |
To extend the default schema add key/value in ATTRIBUTE_MAPPING, for instance:: |
|
414 | ||
415 |
"displayName": { |
|
416 |
"oid": "2.16.840.1.113730.3.1.241", |
|
417 |
"display_name": _("displayName"), |
|
418 |
"type": "http://www.w3.org/2001/XMLSchema#string", |
|
419 |
"syntax": "1.3.6.1.4.1.1466.115.121.1.15", |
|
420 |
}, |
|
421 | ||
422 |
Add mapping of attribute name extending attribute entries in ATTRIBUTE_MAPPING, |
|
423 |
for instance:: |
|
424 | ||
425 |
"sn": { |
|
426 |
"oid": "2.5.4.4", |
|
427 |
"display_name": _("sn surname"), |
|
428 |
"alias": ['surname'], |
|
429 |
"profile_field_name": 'last_name', |
|
430 |
"type": "http://www.w3.org/2001/XMLSchema#string", |
|
431 |
"namespaces": { |
|
432 |
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims": { |
|
433 |
"identifiers": |
|
434 |
[ |
|
435 |
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", |
|
436 |
], |
|
437 |
"friendly_names": |
|
438 |
[ |
|
439 |
"Last Name", |
|
440 |
], |
|
441 |
} |
|
442 |
} |
|
443 |
}, |
doc/auth_ldap.rst | ||
---|---|---|
1 |
.. _auth_ldap: |
|
2 | ||
3 |
============================================== |
|
4 |
Authentication with an existing LDAP directory |
|
5 |
============================================== |
|
6 | ||
7 |
Authentic use the module django_auth_ldap to synchronize the Django user tables |
|
8 |
with an LDAP. For complex use case, we will refer you to the django_auth_ldap |
|
9 |
documentation, see http://packages.python.org/django-auth-ldap/. |
|
10 | ||
11 |
How to authenticate users against an LDAP server with anonymous binding ? |
|
12 |
------------------------------------------------------------------------- |
|
13 | ||
14 |
1. Install the django_auth_ldap module for Django:: |
|
15 | ||
16 |
pip install django_auth_ldap |
|
17 | ||
18 | ||
19 |
2. Configure your local_settings.py file for authenticating against LDAP. |
|
20 | ||
21 |
The next lines must be added:: |
|
22 | ||
23 |
AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', ) |
|
24 | ||
25 |
import ldap |
|
26 |
from django_auth_ldap.config import LDAPSearch |
|
27 | ||
28 |
# Here put the LDAP URL of your server |
|
29 |
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com' |
|
30 |
# Let the bind DN and bind password blank for anonymous binding |
|
31 |
AUTH_LDAP_BIND_DN = "" |
|
32 |
AUTH_LDAP_BIND_PASSWORD = "" |
|
33 |
# Lookup user under the branch o=base and by mathcing their uid against the |
|
34 |
# received login name |
|
35 |
AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base", |
|
36 |
ldap.SCOPE_SUBTREE, "(uid=%(user)s)") |
|
37 | ||
38 |
How to allow members of an LDAP group to manage Authentic ? |
|
39 |
----------------------------------------------------------- |
|
40 | ||
41 |
1. First you must know the objectClass of groups in your LDAP schema, this FAQ |
|
42 |
will show you the configuration for two usual classes: groupOfNames and |
|
43 |
groupOfUniqueNames. |
|
44 | ||
45 |
2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany |
|
46 | ||
47 |
3. Add the following lines:: |
|
48 | ||
49 |
from django_auth_ldap.config import GroupOfNamesType |
|
50 |
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() |
|
51 |
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany", |
|
52 |
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)") |
|
53 |
AUTH_LDAP_USER_FLAGS_BY_GROUP = { |
|
54 |
"is_staff": "cn=admin,o=mycompany" |
|
55 |
} |
|
56 | ||
57 |
For an objectClass of groupOfUniqueNames you would change the string |
|
58 |
GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to |
|
59 |
groupOfUniqueNames. For more complex cases see the django_auth_ldap |
|
60 |
documentation. |
|
61 |
doc/change_db.rst | ||
---|---|---|
1 |
.. _change_db: |
|
2 | ||
3 |
=============================== |
|
4 |
Specifying a different database |
|
5 |
=============================== |
|
6 | ||
7 |
This is done by modifying the DATABASES dictionary in your local_settings.py |
|
8 |
file (create it in Authentic project directory); for example:: |
|
9 | ||
10 |
DATABASES['default'] = { |
|
11 |
'ENGINE': 'django.db.backends.postgresql', |
|
12 |
'NAME': 'authentic', |
|
13 |
'USER': 'admindb', |
|
14 |
'PASSWORD': 'foobar', |
|
15 |
'HOST': 'db.example.com', |
|
16 |
'PORT': '', # empty string means default value |
|
17 |
} |
|
18 | ||
19 |
You should refer to the Django documentation on databases settings at |
|
20 |
http://docs.djangoproject.com/en/dev/ref/settings/#databases for all |
|
21 |
the details. |
doc/conf.py | ||
---|---|---|
1 |
# -*- coding: utf-8 -*- |
|
2 |
# |
|
3 |
# Authentic2 documentation build configuration file, created by |
|
4 |
# sphinx-quickstart on Thu Oct 13 14:38:32 2011. |
|
5 |
# |
|
6 |
# This file is exec()d with the current directory set to its containing dir. |
|
7 |
# |
|
8 |
# Note that not all possible configuration values are present in this |
|
9 |
# autogenerated file. |
|
10 |
# |
|
11 |
# All configuration values have a default; values that are commented out |
|
12 |
# serve to show the default. |
|
13 | ||
14 | ||
15 |
# If extensions (or modules to document with autodoc) are in another directory, |
|
16 |
# add these directories to sys.path here. If the directory is relative to the |
|
17 |
# documentation root, use os.path.abspath to make it absolute, like shown here. |
|
18 |
# sys.path.insert(0, os.path.abspath('.')) |
|
19 | ||
20 |
# -- General configuration ----------------------------------------------------- |
|
21 | ||
22 |
# If your documentation needs a minimal Sphinx version, state it here. |
|
23 |
# needs_sphinx = '1.0' |
|
24 | ||
25 |
# Add any Sphinx extension module names here, as strings. They can be extensions |
|
26 |
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones. |
|
27 |
extensions = [ |
|
28 |
'sphinx.ext.autodoc', |
|
29 |
'sphinx.ext.doctest', |
|
30 |
'sphinx.ext.intersphinx', |
|
31 |
'sphinx.ext.todo', |
|
32 |
'sphinx.ext.coverage', |
|
33 |
'sphinx.ext.imgmath', |
|
34 |
'sphinx.ext.ifconfig', |
|
35 |
'sphinx.ext.viewcode', |
|
36 |
] |
|
37 | ||
38 |
# Add any paths that contain templates here, relative to this directory. |
|
39 |
templates_path = ['_templates'] |
|
40 | ||
41 |
# The suffix of source filenames. |
|
42 |
source_suffix = '.rst' |
|
43 | ||
44 |
# The encoding of source files. |
|
45 |
# source_encoding = 'utf-8-sig' |
|
46 | ||
47 |
# The master toctree document. |
|
48 |
master_doc = 'index' |
|
49 | ||
50 |
# General information about the project. |
|
51 |
project = 'Authentic 2' |
|
52 |
copyright = '2012, 2011, 2010, Entr\'ouvert' |
|
53 | ||
54 |
# The version info for the project you're documenting, acts as replacement for |
|
55 |
# |version| and |release|, also used in various other places throughout the |
|
56 |
# built documents. |
|
57 |
# |
|
58 |
# The short X.Y version. |
|
59 |
version = '2' |
|
60 |
# The full version, including alpha/beta/rc tags. |
|
61 |
release = '2.0.2' |
|
62 | ||
63 |
# The language for content autogenerated by Sphinx. Refer to documentation |
|
64 |
# for a list of supported languages. |
|
65 |
# language = None |
|
66 | ||
67 |
# There are two options for replacing |today|: either, you set today to some |
|
68 |
# non-false value, then it is used: |
|
69 |
# today = '' |
|
70 |
# Else, today_fmt is used as the format for a strftime call. |
|
71 |
# today_fmt = '%B %d, %Y' |
|
72 | ||
73 |
# List of patterns, relative to source directory, that match files and |
|
74 |
# directories to ignore when looking for source files. |
|
75 |
exclude_patterns = ['_build'] |
|
76 | ||
77 |
# The reST default role (used for this markup: `text`) to use for all documents. |
|
78 |
# default_role = None |
|
79 | ||
80 |
# If true, '()' will be appended to :func: etc. cross-reference text. |
|
81 |
# add_function_parentheses = True |
|
82 | ||
83 |
# If true, the current module name will be prepended to all description |
|
84 |
# unit titles (such as .. function::). |
|
85 |
# add_module_names = True |
|
86 | ||
87 |
# If true, sectionauthor and moduleauthor directives will be shown in the |
|
88 |
# output. They are ignored by default. |
|
89 |
# show_authors = False |
|
90 | ||
91 |
# The name of the Pygments (syntax highlighting) style to use. |
|
92 |
pygments_style = 'sphinx' |
|
93 | ||
94 |
# A list of ignored prefixes for module index sorting. |
|
95 |
# modindex_common_prefix = [] |
|
96 | ||
97 | ||
98 |
# -- Options for HTML output --------------------------------------------------- |
|
99 | ||
100 |
# The theme to use for HTML and HTML Help pages. See the documentation for |
|
101 |
# a list of builtin themes. |
|
102 |
html_theme = 'default' |
|
103 | ||
104 |
# Theme options are theme-specific and customize the look and feel of a theme |
|
105 |
# further. For a list of options available for each theme, see the |
|
106 |
# documentation. |
|
107 |
# html_theme_options = {} |
|
108 | ||
109 |
# Add any paths that contain custom themes here, relative to this directory. |
|
110 |
# html_theme_path = [] |
|
111 | ||
112 |
# The name for this set of Sphinx documents. If None, it defaults to |
|
113 |
# "<project> v<release> documentation". |
|
114 |
# html_title = None |
|
115 | ||
116 |
# A shorter title for the navigation bar. Default is the same as html_title. |
|
117 |
# html_short_title = None |
|
118 | ||
119 |
# The name of an image file (relative to this directory) to place at the top |
|
120 |
# of the sidebar. |
|
121 |
html_logo = 'pictures/eo_logo_t.png' |
|
122 | ||
123 |
# The name of an image file (within the static path) to use as favicon of the |
|
124 |
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 |
|
125 |
# pixels large. |
|
126 |
# html_favicon = None |
|
127 | ||
128 |
# Add any paths that contain custom static files (such as style sheets) here, |
|
129 |
# relative to this directory. They are copied after the builtin static files, |
|
130 |
# so a file named "default.css" will overwrite the builtin "default.css". |
|
131 |
html_static_path = ['_static'] |
|
132 | ||
133 |
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, |
|
134 |
# using the given strftime format. |
|
135 |
# html_last_updated_fmt = '%b %d, %Y' |
|
136 | ||
137 |
# If true, SmartyPants will be used to convert quotes and dashes to |
|
138 |
# typographically correct entities. |
|
139 |
# html_use_smartypants = True |
|
140 | ||
141 |
# Custom sidebar templates, maps document names to template names. |
|
142 |
# html_sidebars = {} |
|
143 | ||
144 |
# Additional templates that should be rendered to pages, maps page names to |
|
145 |
# template names. |
|
146 |
# html_additional_pages = {} |
|
147 | ||
148 |
# If false, no module index is generated. |
|
149 |
# html_domain_indices = True |
|
150 | ||
151 |
# If false, no index is generated. |
|
152 |
# html_use_index = True |
|
153 | ||
154 |
# If true, the index is split into individual pages for each letter. |
|
155 |
# html_split_index = False |
|
156 | ||
157 |
# If true, links to the reST sources are added to the pages. |
|
158 |
# html_show_sourcelink = True |
|
159 | ||
160 |
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. |
|
161 |
# html_show_sphinx = True |
|
162 | ||
163 |
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. |
|
164 |
# html_show_copyright = True |
|
165 | ||
166 |
# If true, an OpenSearch description file will be output, and all pages will |
|
167 |
# contain a <link> tag referring to it. The value of this option must be the |
|
168 |
# base URL from which the finished HTML is served. |
|
169 |
# html_use_opensearch = '' |
|
170 | ||
171 |
# This is the file name suffix for HTML files (e.g. ".xhtml"). |
|
172 |
# html_file_suffix = None |
|
173 | ||
174 |
# Output file base name for HTML help builder. |
|
175 |
htmlhelp_basename = 'Authentic2doc' |
|
176 | ||
177 | ||
178 |
# -- Options for LaTeX output -------------------------------------------------- |
|
179 | ||
180 |
latex_elements = { |
|
181 |
# The paper size ('letterpaper' or 'a4paper'). |
|
182 |
#'papersize': 'letterpaper', |
|
183 |
# The font size ('10pt', '11pt' or '12pt'). |
|
184 |
#'pointsize': '10pt', |
|
185 |
# Additional stuff for the LaTeX preamble. |
|
186 |
#'preamble': '', |
|
187 |
} |
|
188 | ||
189 |
# Grouping the document tree into LaTeX files. List of tuples |
|
190 |
# (source start file, target name, title, author, documentclass [howto/manual]). |
|
191 |
latex_documents = [ |
|
192 |
('index', 'Authentic2.tex', 'Authentic2 Documentation', 'Entr\'ouvert', 'manual'), |
|
193 |
] |
|
194 | ||
195 |
# The name of an image file (relative to this directory) to place at the top of |
|
196 |
# the title page. |
|
197 |
latex_logo = 'pictures/eo_logo.png' |
|
198 | ||
199 |
# For "manual" documents, if this is true, then toplevel headings are parts, |
|
200 |
# not chapters. |
|
201 |
# latex_use_parts = False |
|
202 | ||
203 |
# If true, show page references after internal links. |
|
204 |
# latex_show_pagerefs = False |
|
205 | ||
206 |
# If true, show URL addresses after external links. |
|
207 |
# latex_show_urls = False |
|
208 | ||
209 |
# Documents to append as an appendix to all manuals. |
|
210 |
# latex_appendices = [] |
|
211 | ||
212 |
# If false, no module index is generated. |
|
213 |
# latex_domain_indices = True |
|
214 | ||
215 | ||
216 |
# -- Options for manual page output -------------------------------------------- |
|
217 | ||
218 |
# One entry per manual page. List of tuples |
|
219 |
# (source start file, name, description, authors, manual section). |
|
220 |
man_pages = [('index', 'authentic2', 'Authentic2 Documentation', [u'Mikaël Ates'], 1)] |
|
221 | ||
222 |
# If true, show URL addresses after external links. |
|
223 |
# man_show_urls = False |
|
224 | ||
225 | ||
226 |
# -- Options for Texinfo output ------------------------------------------------ |
|
227 | ||
228 |
# Grouping the document tree into Texinfo files. List of tuples |
|
229 |
# (source start file, target name, title, author, |
|
230 |
# dir menu entry, description, category) |
|
231 |
texinfo_documents = [ |
|
232 |
( |
|
233 |
'index', |
|
234 |
'Authentic2', |
|
235 |
'Authentic2 Documentation', |
|
236 |
'Mikaël Ates', |
|
237 |
'Authentic2', |
|
238 |
'One line description of project.', |
|
239 |
'Miscellaneous', |
|
240 |
), |
|
241 |
] |
|
242 | ||
243 |
# Documents to append as an appendix to all manuals. |
|
244 |
# texinfo_appendices = [] |
|
245 | ||
246 |
# If false, no module index is generated. |
|
247 |
# texinfo_domain_indices = True |
|
248 | ||
249 |
# How to display URL addresses: 'footnote', 'no', or 'inline'. |
|
250 |
# texinfo_show_urls = 'footnote' |
|
251 | ||
252 | ||
253 |
# Example configuration for intersphinx: refer to the Python standard library. |
|
254 |
intersphinx_mapping = {'http://docs.python.org/': None} |
doc/config_cas_sp.rst | ||
---|---|---|
1 |
.. _config_cas_sp: |
|
2 | ||
3 |
===================================== |
|
4 |
Configure Authentic 2 as a CAS server |
|
5 |
===================================== |
|
6 | ||
7 |
How to use Authentic 2 as a CAS 1.0 or CAS 2.0 identity provider ? |
|
8 |
------------------------------------------------------------------ |
|
9 | ||
10 |
1. Activate CAS IdP support in settings.py:: |
|
11 | ||
12 |
IDP_CAS = True |
|
13 | ||
14 |
2. Then create the database table to hold CAS service tickets:: |
|
15 | ||
16 |
python authentic2/manage.py syncdb --migrate |
|
17 | ||
18 |
3. Also configure authentic2 to authenticate against your LDAP directory (see |
|
19 |
above) if your want your user attributes to be accessible from your service, |
|
20 |
if it is not necessary you can use the normal relational database storage |
|
21 |
for you users. |
|
22 | ||
23 |
4. Finally configure your service to point to the CAS endpoint at: |
|
24 | ||
25 |
http[s]://your.domain.com/idp/cas/ |
|
26 | ||
27 |
5. If needed configure your service to resolve authenticated user with your |
|
28 |
LDAP directory (if user attributes are needed for your service) |
doc/config_saml2_idp.rst | ||
---|---|---|
1 |
.. _config_saml2_idp: |
|
2 | ||
3 |
================================================================== |
|
4 |
Configure Authentic 2 as a SAML2 service provider or a SAML2 proxy |
|
5 |
================================================================== |
|
6 | ||
7 |
**The configuration to make Authentic 2 a SAML2 service provider or a SAML2 |
|
8 |
proxy is the same. The difference comes from that Authentic 2 is may be |
|
9 |
configured or not as a SAML2 identity provider.** |
|
10 | ||
11 |
How do I authenticate against a third SAML2 identity provider? |
|
12 |
============================================================== |
|
13 | ||
14 |
1. Declare Authentic 2 as a SAML2 service provider on your SAML2 identity provider using the SAML2 service provider metadata of Authentic 2. |
|
15 | ||
16 |
Go to http[s]://your.domain.com/authsaml2/metadata |
|
17 | ||
18 |
2. Add and configure a SAML2 identity provider entry in Authentic 2 using the metadata of the identity provider. |
|
19 | ||
20 |
How do I add and configure a SAML2 identity provider in Authentic 2? |
|
21 |
==================================================================== |
|
22 | ||
23 |
You first need to create a SAML2 identity provider entry with the SAML2 |
|
24 |
metadata of the identity provider. Then, you configure it. |
|
25 | ||
26 |
If your identity provider is Authentic 2, the metadata are available at: |
|
27 | ||
28 |
http[s]://your.domain.com/idp/saml2/metadata |
|
29 | ||
30 |
See :ref:`where_metadata` for more information. |
|
31 | ||
32 |
Create a SAML2 identity provider entry |
|
33 |
-------------------------------------- |
|
34 | ||
35 |
You first need to create a new SAML2 identity provider entry. This requires |
|
36 |
the SAML2 metadata of the identity provider. |
|
37 | ||
38 |
1. Go to |
|
39 | ||
40 |
http[s]://your.domain.com/admin/saml/libertyprovider/add/ |
|
41 | ||
42 |
2. Fill the form fields |
|
43 | ||
44 |
.. image:: pictures/new_saml2_idp_1.png |
|
45 |
:width: 800 px |
|
46 |
:align: center |
|
47 | ||
48 |
.. image:: pictures/new_saml2_idp_2.png |
|
49 |
:width: 800 px |
|
50 |
:align: center |
|
51 | ||
52 |
**The identity provider must be enabled.** |
|
53 | ||
54 |
See below about configuring the identity provider with policies: |
|
55 | ||
56 |
* options of the identity provider |
|
57 | ||
58 |
3. Save |
|
59 | ||
60 |
.. image:: pictures/new_saml2_idp_saved.png |
|
61 |
:width: 800 px |
|
62 |
:align: center |
|
63 | ||
64 |
Apply a SAML2 identity provider options policy |
|
65 |
---------------------------------------------- |
|
66 | ||
67 |
The SAML2 options of the identity provider are configured using idp options |
|
68 |
policies. For the explanation of the options see the following section. |
|
69 | ||
70 |
See the *administration with policy principle* page :ref:`administration_with_policies`. |
|
71 | ||
72 |
You may create a regular policy and configure your service provider to use it. |
|
73 | ||
74 |
Go to: |
|
75 | ||
76 |
http[s]://your.domain.com/admin/saml/idpoptionssppolicy/add/ |
|
77 | ||
78 |
Configure your policy and save: |
|
79 | ||
80 |
.. image:: pictures/idp_options_regular.png |
|
81 |
:width: 800 px |
|
82 |
:align: center |
|
83 | ||
84 |
.. image:: pictures/idp_options_regular_saved.png |
|
85 |
:width: 800 px |
|
86 |
:align: center |
|
87 | ||
88 |
Apply the policy to the identity provider: |
|
89 | ||
90 |
.. image:: pictures/idp_options_regular_modify_sp.png |
|
91 |
:width: 800 px |
|
92 |
:align: center |
|
93 | ||
94 |
Example with a policy 'Default': |
|
95 | ||
96 |
.. image:: pictures/idp_options_default.png |
|
97 |
:width: 800 px |
|
98 |
:align: center |
|
99 | ||
100 |
Example with a policy 'All': |
|
101 | ||
102 |
.. image:: pictures/idp_options_all.png |
|
103 |
:width: 800 px |
|
104 |
:align: center |
|
105 | ||
106 |
If no policy is found for the configuration of the SAML2 options of an identity |
|
107 |
provider, the following error is displayed to the users when a SSO request is |
|
108 |
initiated. |
|
109 | ||
110 |
.. image:: pictures/error_no_idp_options.png |
|
111 |
:width: 800 px |
|
112 |
:align: center |
|
113 | ||
114 |
SAML2 identity provider options explained |
|
115 |
----------------------------------------- |
|
116 | ||
117 |
Behavior with persistent nameID |
|
118 |
_______________________________ |
|
119 | ||
120 |
This option applies when an assertion with a persistent nameID is received and |
|
121 |
the nameID is not recognized as an existing federation. |
|
122 | ||
123 |
Two values are possible: "Create new account" and "Account linking by authentication". |
|
124 | ||
125 |
The value "Create new account" makes Authentic 2 create a user account associated |
|
126 |
to the nameID received. |
|
127 | ||
128 |
The value "Account linking by authentication" makes Authentic 2 ask the user to |
|
129 |
authenticate with an existing account to associate the nameID to this account. |
|
130 | ||
131 |
Behavior with transient nameID |
|
132 |
_______________________________ |
|
133 | ||
134 |
This option applies when an assertion with a transient nameID is received and |
|
135 |
there isn't a session opened for the user yet. |
|
136 | ||
137 |
Two values are possible: "Open a session" and "Ask authentication". |
|
138 | ||
139 |
The value "Open a session" makes Authentic 2 open a session. |
|
140 | ||
141 |
The value "Ask authentication" makes Authentic 2 ask for a user authentication, |
|
142 |
even when a valid assertion is received. That may have sense for instance if |
|
143 |
the SSO login is used only to receive signed attributes for users with existing |
|
144 |
accounts. |
|
145 | ||
146 | ||
147 |
How to refresh the metadata of an identity provider hosted at a Well-Known Location? |
|
148 |
==================================================================================== |
|
149 | ||
150 |
The Well-Known Location (WKL) means that the entity Id of the provider is a |
|
151 |
URL at which the provider metadata are hosted. |
|
152 | ||
153 |
To refresh them, select the provider on the list of provider, then select in |
|
154 |
the menu 'Update metadata', then click on 'Go'. |
|
155 | ||
156 |
.. image:: pictures/update_metadata.png |
|
157 |
:width: 800 px |
|
158 |
:align: center |
|
159 | ||
160 |
.. image:: pictures/update_metadata_done.png |
|
161 |
:width: 800 px |
|
162 |
:align: center |
|
163 | ||
164 |
How to create in bulk identity providers with the sync-metadata script? |
|
165 |
======================================================================= |
|
166 | ||
167 |
See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`. |
doc/config_saml2_sp.rst | ||
---|---|---|
1 |
.. _config_saml2_sp: |
|
2 | ||
3 |
==================================== |
|
4 |
Configure SAML 2.0 service providers |
|
5 |
==================================== |
|
6 | ||
7 |
How do I authenticate against Authentic 2 with a SAML2 service provider? |
|
8 |
======================================================================== |
|
9 | ||
10 |
1. Declare Authentic 2 as a SAML2 identity provider on your SAML2 service provider using the SAML2 identity provider metadata of Authentic 2. |
|
11 | ||
12 |
Go to http[s]://your.domain.com/idp/saml2/metadata |
|
13 | ||
14 |
2. Add and configure a SAML2 service provider in Authentic 2 using the metadata of the service provider. |
|
15 | ||
16 |
How do I add and configure a SAML2 service provider in Authentic 2? |
|
17 |
=================================================================== |
|
18 | ||
19 |
You first need to create a new SAML2 service provider entry. This requires the |
|
20 |
SAML2 metadata of the service provider. |
|
21 | ||
22 |
If your service provider is Authentic 2, the metadata are available at: |
|
23 | ||
24 |
http[s]://your.domain.com/authsaml2/metadata |
|
25 | ||
26 |
See :ref:`where_metadata` for more information. |
|
27 | ||
28 |
Create a SAML2 service provider entry |
|
29 |
------------------------------------- |
|
30 | ||
31 |
1. Go to |
|
32 | ||
33 |
http[s]://your.domain.com/admin/saml/libertyprovider/add/ |
|
34 | ||
35 |
2. Fill the form fields |
|
36 | ||
37 |
.. image:: pictures/new_saml2_sp_1.png |
|
38 |
:width: 800 px |
|
39 |
:align: center |
|
40 | ||
41 |
.. image:: pictures/new_saml2_sp_2.png |
|
42 |
:width: 800 px |
|
43 |
:align: center |
|
44 | ||
45 |
**Note:** The service provider must be enabled. |
|
46 | ||
47 |
See below about configuring the service provider with policies: |
|
48 | ||
49 |
* options of the service provider |
|
50 | ||
51 |
* protocol policy |
|
52 | ||
53 |
* attribute policy |
|
54 | ||
55 | ||
56 |
3. Save |
|
57 | ||
58 |
.. image:: pictures/new_saml2_sp_saved.png |
|
59 |
:width: 800 px |
|
60 |
:align: center |
|
61 | ||
62 |
Apply a SAML2 service provider options policy |
|
63 |
--------------------------------------------- |
|
64 | ||
65 |
The SAML2 options of the service provider are configured using sp options |
|
66 |
policies. |
|
67 | ||
68 |
See the *administration with policy principle* page :ref:`administration_with_policies`. |
|
69 | ||
70 |
You may create a regular policy and configure your service provider to use it. |
|
71 | ||
72 |
Go to: |
|
73 | ||
74 |
http[s]://your.domain.com/admin/saml/spoptionsidppolicy/add/ |
|
75 | ||
76 |
Configure your policy and save: |
|
77 | ||
78 |
.. image:: pictures/sp_options_regular.png |
|
79 |
:width: 800 px |
|
80 |
:align: center |
|
81 | ||
82 |
.. image:: pictures/sp_options_regular_saved.png |
|
83 |
:width: 800 px |
|
84 |
:align: center |
|
85 | ||
86 |
Apply the policy to the service provider: |
|
87 | ||
88 |
.. image:: pictures/sp_options_regular_modify_sp.png |
|
89 |
:width: 800 px |
|
90 |
:align: center |
|
91 | ||
92 |
Example with a policy 'Default': |
|
93 | ||
94 |
.. image:: pictures/sp_options_default.png |
|
95 |
:width: 800 px |
|
96 |
:align: center |
|
97 | ||
98 |
Example with a policy 'All': |
|
99 | ||
100 |
.. image:: pictures/sp_options_all.png |
|
101 |
:width: 800 px |
|
102 |
:align: center |
|
103 | ||
104 |
If no policy is found for the configuration of the SAML2 options of a service |
|
105 |
provider, the following error is displayed to the users when a SSO request is |
|
106 |
received. |
|
107 | ||
108 |
.. image:: pictures/error_no_sp_options.png |
|
109 |
:width: 800 px |
|
110 |
:align: center |
|
111 | ||
112 |
Configure the SAML2 service provider protocol options |
|
113 |
----------------------------------------------------- |
|
114 | ||
115 |
This kind of policy does not use the policy management using global policies. |
|
116 | ||
117 |
You should use the default option except if your service provider is a |
|
118 |
Shibboleth service provider, then you should use the option "Shibboleth SP |
|
119 |
(AuthnRequest Signature: Does not check signatures)". |
|
120 | ||
121 |
Configure the attribute policy of the service provider |
|
122 |
------------------------------------------------------ |
|
123 | ||
124 |
See the attribute management page :ref:`attribute_management`. |
|
125 | ||
126 |
How to refresh the metadata of a service provider hosted at a Well-Known Location? |
|
127 |
================================================================================== |
|
128 | ||
129 |
The Well-Known Location (WKL) means that the entity Id of the provider is a |
|
130 |
URL at which the provider metadata are hosted. |
|
131 | ||
132 |
To refresh them, select the provider on the list of provider, then select in |
|
133 |
the menu 'Update metadata', then click on 'Go'. |
|
134 | ||
135 |
.. image:: pictures/update_metadata.png |
|
136 |
:width: 800 px |
|
137 |
:align: center |
|
138 | ||
139 |
How to create in bulk service providers with the sync-metadata script? |
|
140 |
====================================================================== |
|
141 | ||
142 |
See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`. |
doc/configuration.rst | ||
---|---|---|
1 |
.. _configuration: |
|
2 | ||
3 |
============= |
|
4 |
Configuration |
|
5 |
============= |
|
6 | ||
7 |
Configuration with settings |
|
8 |
=========================== |
|
9 | ||
10 |
.. toctree:: |
|
11 |
:maxdepth: 1 |
|
12 | ||
13 |
settings |
|
14 | ||
15 |
settings_listing |
|
16 | ||
17 |
Configuration with the administration interface |
|
18 |
=============================================== |
|
19 | ||
20 |
Basics |
|
21 |
------ |
|
22 | ||
23 |
.. toctree:: |
|
24 |
:maxdepth: 1 |
|
25 | ||
26 |
admin_access |
|
27 | ||
28 |
administration_with_policies |
|
29 | ||
30 |
Authentication backends |
|
31 |
----------------------- |
|
32 | ||
33 |
.. toctree:: |
|
34 |
:maxdepth: 1 |
|
35 | ||
36 |
auth_ldap |
|
37 | ||
38 |
SAML2 |
|
39 |
----- |
|
40 | ||
41 |
.. toctree:: |
|
42 |
:maxdepth: 1 |
|
43 | ||
44 |
where_metadata |
|
45 | ||
46 |
config_saml2_sp |
|
47 | ||
48 |
config_saml2_idp |
|
49 | ||
50 |
saml2_slo |
|
51 | ||
52 |
CAS |
|
53 |
--- |
|
54 | ||
55 |
.. toctree:: |
|
56 |
:maxdepth: 1 |
|
57 | ||
58 |
config_cas_sp |
|
59 | ||
60 |
Attributes |
|
61 |
---------- |
|
62 | ||
63 |
.. toctree:: |
|
64 |
:maxdepth: 1 |
|
65 | ||
66 |
attribute_management |
|
67 | ||
68 |
User interfaces and interactions |
|
69 |
-------------------------------- |
|
70 | ||
71 |
.. toctree:: |
|
72 |
:maxdepth: 1 |
|
73 | ||
74 |
consent_management |
|
75 | ||
76 |
Administration |
|
77 |
============== |
|
78 | ||
79 |
.. toctree:: |
|
80 |
:maxdepth: 1 |
|
81 | ||
82 |
translation |
|
83 | ||
84 |
cronjobs |
|
85 | ||
86 |
sync-metadata_script |
doc/consent_management.rst | ||
---|---|---|
1 |
.. _consent_management: |
|
2 | ||
3 |
================================= |
|
4 |
Consent Management in Authentic 2 |
|
5 |
================================= |
|
6 | ||
7 |
What is the SAML2 federation consent aka account linking consent? |
|
8 |
================================================================= |
|
9 | ||
10 |
At the first single sign on process on the identity provider side, the user |
|
11 |
may be asked if she agrees to federation its local account with the remote |
|
12 |
account on the service provider side. |
|
13 | ||
14 |
The account linking also called a federation means that the nameID is |
|
15 |
persistent and will link the two accounts. This signed identifier allows to |
|
16 |
the service provider to login the user without reauthentication during the |
|
17 |
following single sign on process. |
|
18 | ||
19 |
How the consent is collected is determined by the identity provider. The |
|
20 |
service provider receives in the authnRequest the consent attribute |
|
21 |
indicating how the user consent was managed. |
|
22 | ||
23 | ||
24 |
Account linking consent management on the identity provider side |
|
25 |
================================================================ |
|
26 | ||
27 |
The consent is managed per service provider according to the options policy |
|
28 |
that applies to the service provider. |
|
29 | ||
30 |
The parameter 'Ask user for consent when creating a federation' determine |
|
31 |
if the user consent must be asked to the user. |
|
32 | ||
33 |
.. image:: pictures/federation_consent_idp.png |
|
34 |
:width: 800 px |
|
35 |
:align: center |
|
36 | ||
37 |
*Take care that is the identity provider provides the service provider with |
|
38 |
a transient nameID, there is no account linking, so there is no need for a |
|
39 |
consent.* |
|
40 | ||
41 |
*The user consent is only asked once. In other words, if the user already has |
|
42 |
a federation, the consent won't be asked anymore.* |
|
43 | ||
44 |
If the policy requires the user consent, this can be bypassed using the signal |
|
45 |
'avoid_consent'. |
|
46 | ||
47 |
Account linking consent management on the service provider side |
|
48 |
=============================================================== |
|
49 | ||
50 |
The service provider may refuse a valid single sign on if the user consent |
|
51 |
was not asked. |
|
52 | ||
53 |
The parameter 'Require the user consent be given at account linking' of the |
|
54 |
identity provider options policy determine the service provider behavior. |
|
55 | ||
56 |
.. image:: pictures/federation_consent_sp.png |
|
57 |
:width: 800 px |
|
58 |
:align: center |
|
59 | ||
60 |
How manage attribute forwarding consent? |
|
61 |
======================================== |
|
62 | ||
63 |
*If there is no attribute policy associate with a service provider, no |
|
64 |
attribute is forwarded.* |
|
65 | ||
66 |
When an attribute policy applies you can configure the consent rules per |
|
67 |
service provider. |
|
68 | ||
69 |
The choices are: |
|
70 | ||
71 |
- Don't ask the user consent |
|
72 |
- Ask the consent in all-or-nothing mode |
|
73 |
- Allow attribute selection |
|
74 | ||
75 |
To ask the user consent, tick the parameter 'Ask the user consent before |
|
76 |
forwarding attributes' of the attribute policy that applies to the service |
|
77 |
provider. |
|
78 | ||
79 |
To allow the attribute selection on the attribute consent page, tick the |
|
80 |
parameter 'Allow the user to select the forwarding attributes'. |
|
81 | ||
82 |
.. image:: pictures/attributes_consent.png |
|
83 |
:width: 800 px |
|
84 |
:align: center |
doc/copyright.rst | ||
---|---|---|
1 |
.. _copyright: |
|
2 | ||
3 |
========= |
|
4 |
Copyright |
|
5 |
========= |
|
6 | ||
7 |
Authentic and Authentic 2 are copyrighted by Entr'ouvert and are licensed |
|
8 |
through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of |
|
9 |
the whole license text is available in the COPYING file. |
|
10 | ||
11 |
The Documentation is under the licence Creative Commons |
|
12 |
`CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_. |
doc/cronjobs.rst | ||
---|---|---|
1 |
.. _cronjobs: |
|
2 | ||
3 | ||
4 |
Cronjobs and cleaning |
|
5 |
===================== |
|
6 | ||
7 |
The following cronjob must be run to clean deleted accounts and temporary objects:: |
|
8 | ||
9 |
5 0 * * * athentic2-ctl cleanup |
|
10 | ||
11 |
It's made to run every day at 00:05. |
doc/deployment.rst | ||
---|---|---|
1 |
.. _deployment: |
|
2 | ||
3 |
================================================== |
|
4 |
Running Authentic 2 for real (Nginx, Apache, etc.) |
|
5 |
================================================== |
|
6 | ||
7 | ||
8 |
DEBUG Mode by default, static files and the Django debug toolbar dependency ? |
|
9 |
----------------------------------------------------------------------------- |
|
10 | ||
11 |
By default, Authentic 2 is in the DEBUG mode. We made this default choice |
|
12 |
because most of the Authentic 2's users will begin with Authentic 2 using |
|
13 |
the Django development server (runserver command) and we want to avoid them |
|
14 |
a bad first impression because static files would not be served. As a matter |
|
15 |
of fact, static files are served by the Django development server only when |
|
16 |
the project is run in the DEBUG mode. |
|
17 | ||
18 |
In the DEBUG mode, the Django debug toolbar is used what adds a dependency. |
|
19 | ||
20 |
In production, the Django development server should not be used to serve |
|
21 |
Authentic 2 and a dedicated server should also be used to serve the static |
|
22 |
files. |
|
23 | ||
24 |
Set Authentic into the no DEBUG Mode |
|
25 |
------------------------------------ |
|
26 | ||
27 |
It is enough to edit authentic2/settings.py and set:: |
|
28 | ||
29 |
DEBUG = False |
|
30 | ||
31 |
From then on the django-debug-toolbar package is not necessary anymore. |
|
32 | ||
33 |
Use dedicated HTTP servers and serve static files |
|
34 |
------------------------------------------------- |
|
35 | ||
36 |
The best is to use a server dedicated to serve the Django applications and a |
|
37 |
different server to serve the static files. |
|
38 | ||
39 |
You could for instance use apache with mod_wsgi to serve Authentic 2. You will |
|
40 |
find configuration file examples in the debian directory of the Authentic 2 |
|
41 |
sources. |
|
42 | ||
43 |
Then you may want to use nginx to serve the static files. |
|
44 | ||
45 |
First you need to collect the Authentic 2 static files. The static files are |
|
46 |
collected using the collectstatic command that is configured in the |
|
47 |
settings.py. |
|
48 | ||
49 |
By default, running collectstatic will create a static directory in the parent |
|
50 |
directory of the authentic2 directory:: |
|
51 | ||
52 |
$python authentic2/manage.py collectstatic |
|
53 | ||
54 |
That static directory will contain all the static files of Authentic 2. |
|
55 | ||
56 |
If you want to change the path of the static directory you can edit |
|
57 |
STATIC_ROOT of the settings file. |
|
58 | ||
59 |
See https://docs.djangoproject.com/en/dev/ref/contrib/staticfiles/ for more |
|
60 |
information about collectstatic. |
doc/development.rst | ||
---|---|---|
1 |
.. _development: |
|
2 | ||
3 |
=========== |
|
4 |
Development |
|
5 |
=========== |
|
6 | ||
7 |
Get the code and the dependencies |
|
8 |
================================= |
|
9 | ||
10 |
1. Clone the repository:: |
|
11 | ||
12 |
$ git clone https://git.entrouvert.org/authentic.git |
|
13 | ||
14 |
2. Install `lasso <http://lasso.entrouvert.org>`_ python packages:: |
|
15 | ||
16 |
$ curl https://deb.entrouvert.org/entrouvert.gpg | sudo apt-key add - |
|
17 |
$ echo deb http://deb.entrouvert.org/ buster main | \ |
|
18 |
sudo tee /etc/apt/sources.list.d/entrouvert.list |
|
19 |
$ sudo apt-get update |
|
20 |
$ sudo apt-get install python-lasso python3-lasso |
|
21 | ||
22 |
3. Install dependencies:: |
|
23 | ||
24 |
$ sudo apt-get install postgresql build-essential gettext sassc \ |
|
25 |
libldap2-dev libsasl2-dev python3-dev |
|
26 | ||
27 |
Run the tests |
|
28 |
============= |
|
29 | ||
30 |
1. Setup a virtualenv:: |
|
31 | ||
32 |
$ sudo apt-get install direnv |
|
33 |
$ echo layout python3 > authentic/.envrc |
|
34 |
$ direnv allow authentic |
|
35 |
$ cd authentic |
|
36 |
$ pip install tox |
|
37 | ||
38 |
2. Run:: |
|
39 | ||
40 |
$ JENKINS_URL=fakeurl pg_virtualenv tox |
|
41 | ||
42 |
.. note:: |
|
43 | ||
44 |
`tests/test_ldap.py` will fail if `apparmor_status` reports that |
|
45 |
`/usr/sbin/slapd` is in enforce mode. |
|
46 | ||
47 |
.. note:: |
|
48 | ||
49 |
Setting `JENKINS_URL` instructs tox to run `[tox:jenkins]` instead |
|
50 |
of the default `[tox]`. |
|
51 | ||
52 |
2. Run with code coverage:: |
|
53 | ||
54 |
$ pg_virtualenv tox < /dev/null |
|
55 |
$ firefox htmlcov/index.html |
|
56 | ||
57 |
.. note:: |
|
58 | ||
59 |
When running from an interactive shell `< /dev/null` unsets |
|
60 |
the `tty` tox sub-type and defines the `COVERAGE` variable. |
|
61 | ||
62 |
Update translations |
|
63 |
=================== |
|
64 | ||
65 |
They are updated upstream before the releases to help keep the |
|
66 |
vocabulary consistent. |
|
67 | ||
68 |
.. note:: |
|
69 | ||
70 |
The only exception would be a trivial fix such as a typo. |
|
71 | ||
72 |
The `.po` files can be updated as follows:: |
|
73 | ||
74 |
$ ./update-locales.sh |
|
75 | ||
76 |
Build the documentation |
|
77 |
======================= |
|
78 | ||
79 |
1. Build:: |
|
80 | ||
81 |
$ pip install sphinx |
|
82 |
$ sphinx-build -b html doc build/html |
|
83 | ||
84 |
2. Display:: |
|
85 | ||
86 |
$ firefox build/html/index.html |
doc/index.rst | ||
---|---|---|
1 |
.. Authentic 2 documentation master file, created by |
|
2 |
sphinx-quickstart on Thu Oct 13 09:53:03 2011. |
|
3 |
You can adapt this file completely to your liking, but it should at least |
|
4 |
contain the root `toctree` directive. |
|
5 | ||
6 |
=========================== |
|
7 |
Authentic 2's documentation |
|
8 |
=========================== |
|
9 | ||
10 |
Authentic 2 is a versatile identity management server aiming to address a |
|
11 |
broad range of needs, from simple to complex setups; it has support for many |
|
12 |
protocols and can bridge between them. |
|
13 | ||
14 |
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID, |
|
15 |
LDAP, X509 and OAUTH2. |
|
16 | ||
17 |
Authentic 2 is under the GNU AGPL version 3 licence. |
|
18 | ||
19 |
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_, |
|
20 |
a free (GNU GPL) implementation of the Liberty Alliance and OASIS |
|
21 |
specifications of SAML2. |
|
22 | ||
23 |
Consult current Authentic 2 activity on the `project site <http://dev.entrouvert.org/projects/authentic>`_ |
|
24 | ||
25 |
If you don't find an explanation, you don't understand it or one is missing, |
|
26 |
please report it on the list. |
|
27 | ||
28 |
.. toctree:: |
|
29 |
:maxdepth: 1 |
|
30 | ||
31 |
overview |
|
32 | ||
33 |
installation |
|
34 | ||
35 |
configuration |
|
36 | ||
37 |
advanced |
|
38 | ||
39 |
development |
|
40 | ||
41 |
copyright |
|
42 | ||
43 |
This documentation is under the licence Creative Commons `CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_. |
|
44 | ||
45 |
.. Indices and tables |
|
46 |
.. ================== |
|
47 | ||
48 |
.. * :ref:`genindex` |
|
49 |
.. * :ref:`modindex` |
|
50 |
.. * :ref:`search` |
doc/installation.rst | ||
---|---|---|
1 |
.. _installation: |
|
2 | ||
3 |
===================================== |
|
4 |
Installation and quickstart tutorials |
|
5 |
===================================== |
|
6 | ||
7 |
You'll find here how to start and configure very quickly Authentic 2 for its |
|
8 |
main features. You just need Python 2.7 and Django 1.5. |
|
9 | ||
10 |
First of all, you can boot Authentic vwithout root |
|
11 |
privileges like this: |
|
12 | ||
13 |
1. Initialize a virtualenv:: |
|
14 | ||
15 |
virtualenv authentic |
|
16 |
source ./authentic/bin/activate |
|
17 |
cd authentic |
|
18 | ||
19 |
2. Install Authentic:: |
|
20 | ||
21 |
pip install authentic2 |
|
22 | ||
23 |
3. Initialize the database migrations:: |
|
24 | ||
25 |
authentic2-ctl syncdb --migrate |
|
26 | ||
27 |
4. Run the HTTP test server:: |
|
28 | ||
29 |
authentic2-ctl runserver |
|
30 | ||
31 |
Release cycle |
|
32 |
------------- |
|
33 | ||
34 |
In addition to the installation from sources, Entr'ouvert maintains `Debian GNU/Linux packages <https://deb.entrouvert.org/>`__ for Authentic that `follow the release cycle of Publik <https://dev.entrouvert.org/projects/publik/wiki/Cycle_de_mises_%C3%A0_jour>`__. |
|
35 | ||
36 |
Quickstart guides and installation guidelines |
|
37 |
--------------------------------------------- |
|
38 | ||
39 |
.. toctree:: |
|
40 |
:maxdepth: 1 |
|
41 | ||
42 | ||
43 |
installation_modes |
|
44 |
change_db |
|
45 |
upgrading |
|
46 |
deployment |
|
47 | ||
48 |
Quickstarts |
|
49 |
___________ |
|
50 | ||
51 |
.. toctree:: |
|
52 |
:maxdepth: 1 |
|
53 | ||
54 |
quick_oauth2_idp |
|
55 |
quick_saml2_idp |
|
56 |
quick_saml2_sp |
|
57 |
quick_cas_idp |
|
58 |
quick_ldap_backend |
doc/installation_modes.rst | ||
---|---|---|
1 |
.. _installation_modes: |
|
2 | ||
3 |
================== |
|
4 |
Installation modes |
|
5 |
================== |
|
6 | ||
7 |
The current version of Authentic 2 works with Python 2.7 and Django 1.5. |
|
8 | ||
9 |
Authentic 2 python installation script handles all the dependencies, |
|
10 |
except Lasso, relying on the Setuptools and the pypi repository. |
|
11 | ||
12 |
To run Authentic 2 with SAML2 features, you need to install lasso >= 2.3.6, |
|
13 |
see :ref:`install-lasso-ref`. |
|
14 | ||
15 |
The other Authentic 2 dependencies are: |
|
16 | ||
17 |
- Django>=1.7.6,<1.9 |
|
18 |
- requests>=2. |
|
19 |
- django-model-utils>=2 |
|
20 |
- dnspython>=1.12 |
|
21 |
- django-select2>=4.3.0 |
|
22 |
- django-tables2>=1.0 |
|
23 |
- gadjo>=0.6 |
|
24 |
- django-import-export>=0.2.7,<=0.4.5 |
|
25 |
- djangorestframework>=3.3 |
|
26 |
- Markdown>=2.5 |
|
27 |
- python-ldap |
|
28 | ||
29 |
Install Authentic 2: |
|
30 | ||
31 |
- :ref:`install-pypi-ref` |
|
32 |
- :ref:`obtain-pypi-ref` |
|
33 |
- :ref:`obtain-git-ref` |
|
34 | ||
35 |
.. _install-lasso-ref: |
|
36 | ||
37 |
Lasso installation |
|
38 |
------------------ |
|
39 | ||
40 |
Lasso is available in the linux debian destribution repositories. If you are |
|
41 |
installing Authentic 2 on debian, just execute :: |
|
42 | ||
43 |
apt-get install python-lasso |
|
44 | ||
45 |
You'll find more updated packages on http://deb.entrouvert.org/. |
|
46 | ||
47 |
We also provide rpm packages for redhat, see https://dev.entrouvert.org/redhat/README. |
|
48 | ||
49 |
You can also install lasso from sources http://lasso.entrouvert.org/download |
|
50 | ||
51 |
See the `Lasso website <http://lasso.entrouvert.org>`_ for installation details. |
|
52 |
This is a quick installation example. |
|
53 | ||
54 |
Install the following Lasso dependencies: |
|
55 | ||
56 |
- autoconf |
|
57 |
- automake |
|
58 |
- autotools-dev |
|
59 |
- libtool |
|
60 |
- gtk-doc-tools |
|
61 |
- zlib1g-dev |
|
62 |
- libglib2.0-dev |
|
63 |
- openssl-dev |
|
64 |
- libxml2-dev |
|
65 |
- libxmlsec1-dev |
|
66 |
- python2.6-dev |
|
67 |
- python-setuptools |
|
68 | ||
69 |
Obtain Lasso:: |
|
70 | ||
71 |
$wget https://dev.entrouvert.org/lasso/lasso-2.3.6.tar.gz |
|
72 |
$tar xzvf lasso-2.3.6.tar.gz |
|
73 |
$cd lasso-2.3.6 |
|
74 |
$./autogen.sh |
|
75 | ||
76 |
Be sure that the Python bindings is selected as follows:: |
|
77 | ||
78 |
============= |
|
79 |
Configuration |
|
80 |
============= |
|
81 | ||
82 |
Main |
|
83 |
---- |
|
84 | ||
85 |
Compiler: gcc |
|
86 |
CFLAGS: |
|
87 |
Install prefix: /usr/local |
|
88 |
Debugging: no |
|
89 |
Experimental ID-WSF: no |
|
90 | ||
91 |
Optionals builds |
|
92 |
---------------- |
|
93 | ||
94 |
Available languages: java(4.6.1) python(2.7) perl(5.12.4) |
|
95 | ||
96 |
Java binding: yes |
|
97 |
Perl binding: yes |
|
98 |
PHP 5 binding: no |
|
99 |
Python binding: yes |
|
100 | ||
101 |
C API references: yes |
|
102 |
Tests suite: no |
|
103 | ||
104 | ||
105 |
Now type 'make install' to install lasso. |
|
106 | ||
107 |
As indicated, build and install:: |
|
108 | ||
109 |
$make install |
|
110 |
$ldconfig |
|
111 | ||
112 |
Set the lasso python binding in you python path, e.g.:: |
|
113 | ||
114 |
$export PYTHONPATH="$PYTHONPATH:/usr/local/lib/python2.6/site-packages" |
|
115 | ||
116 |
Test trying to import Lasso:: |
|
117 | ||
118 |
$python |
|
119 |
>>> import lasso |
|
120 | ||
121 |
.. _install-pypi-ref: |
|
122 | ||
123 |
Install Authentic directly from pypi |
|
124 |
------------------------------------ |
|
125 | ||
126 |
Using pip:: |
|
127 | ||
128 |
pip install authentic2 |
|
129 | ||
130 |
You can now run Authentic from the installation directory:: |
|
131 | ||
132 |
./authentic2-ctl syncdb --migrate |
|
133 |
./authentic2-ctl runserver |
|
134 | ||
135 |
You should see the following output:: |
|
136 | ||
137 |
Validating models... |
|
138 |
0 errors found |
|
139 | ||
140 |
Django version 1.5, using settings 'authentic.settings' |
|
141 |
Development server is running at http://127.0.0.1:8000/ |
|
142 |
Quit the server with CONTROL-C. |
|
143 | ||
144 |
You can access the running application on http://127.0.0.1:8000/ |
|
145 | ||
146 |
.. _obtain-pypi-ref: |
|
147 | ||
148 |
Obtain the last package archive from pypi |
|
149 |
----------------------------------------- |
|
150 | ||
151 |
Download the archive on http://pypi.python.org/pypi/authentic2/. |
|
152 | ||
153 |
Then, you can install it directly from the archive using pip:: |
|
154 | ||
155 |
pip install authentic2-x.z.y.tar.gz |
|
156 | ||
157 |
You can now run Authentic from the installation directory, e.g.:: |
|
158 | ||
159 |
./authentic2-ctl syncdb --migrate |
|
160 |
./authentic2-ctl runserver |
|
161 | ||
162 |
You should see the following output:: |
|
163 | ||
164 |
Validating models... |
|
165 |
0 errors found |
|
166 | ||
167 |
Django version 1.5, using settings 'authentic.settings' |
|
168 |
Development server is running at http://127.0.0.1:8000/ |
|
169 |
Quit the server with CONTROL-C. |
|
170 | ||
171 |
You can access the running application on http://127.0.0.1:8000/ |
|
172 | ||
173 |
.. _obtain-git-ref: |
|
174 | ||
175 |
Obtain the last sources from the Git repository |
|
176 |
----------------------------------------------- |
|
177 | ||
178 |
Clone the repository:: |
|
179 | ||
180 |
git clone http://repos.entrouvert.org/authentic.git |
|
181 | ||
182 |
Then, you can install it directly using pip:: |
|
183 | ||
184 |
cd authentic |
|
185 |
pip install -e . |
|
186 | ||
187 |
You can now run Authentic from the installation directory, e.g.:: |
|
188 | ||
189 |
./authentic2-ctl syncdb --migrate |
|
190 |
./authentic2-ctl runserver |
|
191 | ||
192 |
You should see the following output:: |
|
193 | ||
194 |
Validating models... |
|
195 |
0 errors found |
|
196 | ||
197 |
Django version 1.5, using settings 'authentic.settings' |
|
198 |
Development server is running at http://127.0.0.1:8000/ |
|
199 |
Quit the server with CONTROL-C. |
|
200 | ||
201 |
You can access the running application on http://127.0.0.1:8000/ |
doc/overview.rst | ||
---|---|---|
1 |
.. _overview: |
|
2 | ||
3 |
======== |
|
4 |
Overview |
|
5 |
======== |
|
6 | ||
7 |
Authentic 2 is a versatile identity management server aiming to address a |
|
8 |
broad range of needs, from simple to complex setups; it has support for many |
|
9 |
protocols and can bridge between them. |
|
10 | ||
11 |
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID, |
|
12 |
LDAP, X509 and OAUTH2. |
|
13 | ||
14 |
Authentic 2 is under the GNU AGPL version 3 licence. |
|
15 | ||
16 |
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_, |
|
17 |
a free (GNU GPL) implementation of the Liberty Alliance and OASIS |
|
18 |
specifications of SAML2. |
|
19 | ||
20 |
Authentic 2 requires Python 2.7 et Django 1.5. |
|
21 | ||
22 |
Features |
|
23 |
-------- |
|
24 | ||
25 |
* SAML 2.0 Identity and service provider |
|
26 |
* OpenID 1.0 and 2.0 identity provider |
|
27 |
* Server CAS 1.0 and 2.0 using a plugin |
|
28 |
* Standards authentication mechanisms: |
|
29 | ||
30 |
* Login/password through internal directory or LDAP |
|
31 |
* X509 certificate over SSL/TLS |
|
32 | ||
33 |
* Protocol proxying, for instance between OpenID and SAML |
|
34 |
* Support of LDAP v2 and v3 directories |
|
35 |
* Support of the PAM backend |
|
36 |
* One-time password (OATH and Google-Authenticator) using a plugin |
|
37 |
* Identity attribute management |
|
38 |
* Plugin system |
|
39 | ||
40 | ||
41 |
Source and issue tracker |
|
42 |
------------------------ |
|
43 | ||
44 |
You can find on the project site authentic.entrouvert.org mainly the issue |
|
45 |
tracker. |
|
46 | ||
47 |
You can find there a viewer of the git repository or clone it:: |
|
48 | ||
49 |
git clone http://repos.entrouvert.org/authentic.git |
|
50 | ||
51 |
Support |
|
52 |
------- |
|
53 |
Authentic's developpers and users hangs on the mailing list authentic@listes.entrouvert.com. |
|
54 |
See archives or register at http://listes.entrouvert.com/info/authentic. |
|
55 | ||
56 |
You can open reports or feature request on http://authentic.entrouvert.org. |
|
57 | ||
58 |
Entr'ouvert also provides a commercial support. For information, visit http://www.entrouvert.com. |