Skip to main content

SAML 2 with django-allauth

Django-allauth got SAMLv2 support last August. It has been and continues to be an exceptionally complete package for all authentication-related things. SAML in 2024? Sure, it is OAuth or something more modern you would usually want, but as we all know, we only sometimes have that choice. In this post, I will explore how to integrate customer users into a SaaS product using SAML.

The official documentation covers the installation part. It also has an example of configuring it in the settings file. Alternatively, the settings can be stored in the DB.

SOCIALACCOUNT_PROVIDERS = {
"saml": {
"APPS": [
# Apps can be configured in the DB or listed here
],
},
}
view raw settings.py hosted with ❤ by GitHub

Often, SAML is used to integrate all users (and roles) from specific organizations. So, if a customer, say, Acme, wants to start using our SaaS product, all their user information often uses the same integration. In this case, Acme wants to use SAML.

Let's slap the configuration to the DB. Here is a screenshot of an example config, viewed through the Django admin. Their identity provider could be anything, and I have filled in the settings with dummy values.

The relevant part is the client_id, the slug in your Django applications allauth SAML URLs. So, all Acme signings are forwarded to their bespoke endpoint to initiate the authentication flow. With default settings, users are redirected to the following URL to complete the SAML authentication flow.

https://yourdjango.com/accounts/saml/acme/login/

Adding Acme's competitor, Initech, would be just a new model instance with a distinct client_id.

Acme also wishes to map their organization user roles to roles provided by your system. That can be done, for example, by creating an adapter that maps the integration's role attributes to the app's attributes.

class AcmeSocialAccountAdapter(DefaultSocialAccountAdapter):
# ...or save_user
def populate_user(self, request: Request, sociallogin: SocialLogin, data: dict) -> Any:
user = super().populate_user(request, sociallogin, data)
roles = sociallogin.account.extra_data.get("roles", [])
# Do something with extra attributes incoming from the SAML authentication response
user.roles = map_to_your_app_roles(roles)
return user
view raw account_adapter.py hosted with ❤ by GitHub

Comments

Popular posts from this blog

I'm not a passionate developer

A family friend of mine is an airlane pilot. A dream job for most, right? As a child, I certainly thought so. Now that I can have grown-up talks with him, I have discovered a more accurate description of his profession. He says that the truth about the job is that it is boring. To me, that is not that surprising. Airplanes are cool and all, but when you are in the middle of the Atlantic sitting next to the colleague you have been talking to past five years, how stimulating can that be? When he says the job is boring, it is not a bad kind of boring. It is a very specific boring. The "boring" you would want as a passenger. Uneventful.  Yet, he loves his job. According to him, an experienced pilot is most pleased when each and every tiny thing in the flight plan - goes according to plan. Passengers in the cabin of an expert pilot sit in the comfort of not even noticing who is flying. As someone employed in a field where being boring is not exactly in high demand, this sounds pro...

Canyon Precede:ON 7

I bought or technically leased a Canyon Precede:ON 7 (2022) electric bike last fall. This post is about my experiences with it after riding for about 2000 km this winter. The season was a bit colder than usual, and we had more snow than in years, so I properly put the bike through its paces. I've been cycling for almost 20 years. I've never owned a car nor used public transport regularly. I pedal all distances below 30km in all seasons. Besides commuting, I've mountain biked and raced BMX, and I still actively ride my road bike during the spring and summer months. I've owned a handful of bikes and kept them until their frames failed. Buying new bikes or gear has not been a major part of my hobby, and frankly, I'm quite sceptical about the benefits of updating bikes or gear frequently. I've never owned an E-bike before, but I've rented one a couple of times. The bike arrived in a hilariously large box. I suppose there's no need to worry about damage durin...

Emit structured Postgres data change events with wal2json

A common thing I see in an enterprise system is that when an end-user does some action, say add a user, the underlying web of subsystems adds the user to multiple databases in separate transactions. Each of these transactions may happen in varying order and, even worse, can fail, leaving the system in an inconsistent state. A better way could be to write the user data to some main database and then other subsystems like search indexes, pull/push the data to other interested parties, thus eliminating the need for multiple end-user originating boundary transactions. That's the theory part; how about a technical solution. The idea of this post came from the koodia pinnan alla podcast about event-driven systems and CDC . One of the discussion topics in the show is emitting events from Postgres transaction logs.  I built an utterly simple change emitter and reader using Postgres with the wal2json transaction decoding plugin and a custom go event parser. I'll stick to the boring ...