Mehmet

Reputation: 11

SAML2 Authentication extension for CKAN

Can someone explain the SAML2 authentication process? I have installed the ckanext-saml2 extension for CKAN. I have an extra button in the login form called "login with SSO". But I do not have any SP metadata (sp.xml). Also I have idp.xml, but what should I write to this file? Do you have any idea about these files? Should I create an sp.xml file? Also, should I change the idp.xml file? When I click the button, where should I read the user information?

Upvotes: 1

Views: 1004

Answers (2)

Engerrs

Reputation: 11

You shouldn't change the idp.xml.

Basically, ckanext-saml2 is used to allow users to enter the CKAN portal from other places, rather than only from CKAN.

In order to do that, you'll need idp.xml and sp.xml files.

idp.xml - file that contains a unique path to the remote portal where all users already exist (usually marked as entityID) and an X509 certificate.

sp.xml - file that is generated by the CKAN portal and has pretty much the same data as idp.xml.

Both of those files are used to allow users to log in to CKAN from other portals. In other words, the sp.xml file is provided to the IdP (Identity Provider) and the idp.xml file is provided to the CKAN portal (Service Provider) that is going to use it.

According to the ckanext-saml2 documentation, all configuration should be done in the ckanext/saml2/config/sp_config.py file. The configuration should consist of the entityID URL from idp.xml, the path to the idp.xml file, the path to logs, data about the CKAN portal, fields that should be taken from the response, their mapping and so on...

After the configuration is done, according to the documentation, you will be able to generate sp.xml from the sp_config.py file by using python make_metadata.py sp_config.py.

The button on the login page should redirect you to the IdP login page, where you should log in and be redirected back to CKAN. CKAN will automatically create a user for you, if one does not exist on the CKAN portal, using the response from the IdP.

For more details, you can check out the Datashades SAML2 CKAN repo or the original one.

Upvotes: 1

user860214

Reputation: 56

If you are not sure about SSO, then you need to do some good reading about it.

Can you tell us what kind of IdP you integrate with? AD FS?

Your sp.xml should be generated by the ckanext-saml2 extension; have a look at their GitHub page. Then you need to upload sp.xml (the SP metadata) to your IdP.

Upvotes: 0
