deic_setup_notes.md

File metadata and controls

75 lines (60 loc) · 3.06 KB

MediaCMS: Document Changes for DEIC

Configuration Changes

The following changes are required in deploy/docker/local_settings.py:

```python
# default workflow: media is private unless explicitly shared
PORTAL_WORKFLOW = 'private'

# Authentication Settings
# Both of these are required so that users cannot register local (system)
# accounts; accounts can only be created through an identity provider.
REGISTER_ALLOWED = False
USERS_CAN_SELF_REGISTER = False

USE_RBAC = True
USE_SAML = True
USE_IDENTITY_PROVIDERS = True

# Proxy and SSL Settings
# These assume MediaCMS runs behind a TLS-terminating reverse proxy that sets
# X-Forwarded-Host and X-Forwarded-Proto. The proxy must overwrite any
# client-supplied X-Forwarded-Proto header; otherwise a client can set it to
# "https" itself and Django will treat a plaintext request as secure.
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

# SAML Configuration
SOCIALACCOUNT_ADAPTER = 'saml_auth.adapter.SAMLAccountAdapter'
ACCOUNT_USERNAME_VALIDATORS = "users.validators.less_restrictive_username_validators"
SOCIALACCOUNT_PROVIDERS = {
    "saml": {
        "provider_class": "saml_auth.custom.provider.CustomSAMLProvider",
    }
}
SOCIALACCOUNT_AUTO_SIGNUP = True
SOCIALACCOUNT_EMAIL_REQUIRED = False

# If set to 'strict', the user is created with the email from the SAML provider
# without checking whether that email already exists on the system.
# If this is omitted and a user logs in with an email that already exists on
# the system, they are sent to the awkward form that asks them to supply a
# username/email/name.
ACCOUNT_PREVENT_ENUMERATION = 'strict'
```
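The settings above are easy to get subtly wrong (one flag left at its default, or the SSL redirect enabled without the proxy header). The following is an added example, not MediaCMS project code: a pre-deploy lint that parses a `local_settings.py` with `ast` (so the file is never imported or executed) and reports every deviation from the baseline above, plus two cross-setting checks. The expected values, the cross-checks and the sample inputs are this example's own assumptions about a private, SSO-only deployment behind a TLS-terminating proxy.

```python
# Added example, not MediaCMS project code. Parses local_settings.py statically
# and compares it with the hardened baseline; nothing in the file is executed.
import ast

# Baseline for a private, SSO-only portal behind a TLS-terminating proxy (assumption).
EXPECTED = {
    "PORTAL_WORKFLOW": "private",
    "REGISTER_ALLOWED": False,
    "USERS_CAN_SELF_REGISTER": False,
    "USE_RBAC": True,
    "USE_SAML": True,
    "USE_IDENTITY_PROVIDERS": True,
    "USE_X_FORWARDED_HOST": True,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SECURE_SSL_REDIRECT": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SECURE": True,
    "SOCIALACCOUNT_AUTO_SIGNUP": True,
    "ACCOUNT_PREVENT_ENUMERATION": "strict",
}

NON_LITERAL = object()  # marker for values that cannot be evaluated statically


def load_assignments(source: str) -> dict:
    """Collect top-level NAME = <literal> assignments without executing the file."""
    found = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        try:
            found[node.targets[0].id] = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            found[node.targets[0].id] = NON_LITERAL
    return found


def lint_settings(source: str) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    s = load_assignments(source)
    findings = []
    for name, want in EXPECTED.items():
        if name not in s:
            findings.append(f"{name}: not set, expected {want!r}")
        elif s[name] is NON_LITERAL:
            findings.append(f"{name}: not a literal, verify manually")
        elif s[name] != want:
            findings.append(f"{name}: is {s[name]!r}, expected {want!r}")
    # Cross-setting checks that a per-key comparison misses.
    if s.get("SECURE_SSL_REDIRECT") is True and "SECURE_PROXY_SSL_HEADER" not in s:
        findings.append("SECURE_SSL_REDIRECT without SECURE_PROXY_SSL_HEADER: behind a "
                        "TLS-terminating proxy every request looks like plain HTTP "
                        "and redirects to itself")
    if (s.get("SOCIALACCOUNT_AUTO_SIGNUP") is True
            and s.get("ACCOUNT_PREVENT_ENUMERATION") != "strict"):
        findings.append("ACCOUNT_PREVENT_ENUMERATION: not 'strict', so a SAML login with "
                        "an already-registered email lands on the manual signup form")
    return findings


# Constructed inputs: a partially hardened file and one matching the baseline.
WEAK_SETTINGS = """
PORTAL_WORKFLOW = 'public'
REGISTER_ALLOWED = True
USE_SAML = True
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
"""

HARDENED_SETTINGS = """
PORTAL_WORKFLOW = 'private'
REGISTER_ALLOWED = False
USERS_CAN_SELF_REGISTER = False
USE_RBAC = True
USE_SAML = True
USE_IDENTITY_PROVIDERS = True
USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SOCIALACCOUNT_ADAPTER = 'saml_auth.adapter.SAMLAccountAdapter'
SOCIALACCOUNT_PROVIDERS = {"saml": {"provider_class": "saml_auth.custom.provider.CustomSAMLProvider"}}
SOCIALACCOUNT_AUTO_SIGNUP = True
SOCIALACCOUNT_EMAIL_REQUIRED = False
ACCOUNT_PREVENT_ENUMERATION = 'strict'
"""

if __name__ == "__main__":
    for finding in lint_settings(WEAK_SETTINGS):
        print("WEAK:", finding)
    print("hardened findings:", lint_settings(HARDENED_SETTINGS))
```

Run it against the real file with `lint_settings(open("deploy/docker/local_settings.py").read())`; a non-empty result is a reason to stop the deploy.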

SAML Configuration Steps

Step 1: Add SAML Identity Provider

  1. Navigate to Admin panel
  2. Select "Identity Provider"
  3. Configure as follows:
    • Provider: saml # ensure this is set with lower case!
    • Provider ID: wayf.wayf.dk
    • IDP Config Name: Deic (or preferred name)
    • Client ID: wayf_dk (important: defines the URL, e.g., https://deic.mediacms.io/accounts/saml/wayf_dk)
    • Site: Set the default one

Step 2: Add SAML Configuration

Can be set through the SAML Configurations tab:

  1. IDP ID: Must be a URL, e.g., https://wayf.wayf.dk (the IdP's entityID from its metadata)
  2. IDP Certificate: The x509cert from your SAML provider (its signing certificate, used to verify the signatures on SAML responses)
  3. SSO URL: https://wayf.wayf.dk/saml2/idp/SSOService2.php
  4. SLO URL: https://wayf.wayf.dk/saml2/idp/SingleLogoutService.php
  5. SP Metadata URL: The metadata URL of the SP, e.g., https://deic.mediacms.io/saml/metadata. This points to the SP itself and is generated automatically
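The first four values come straight from the IdP's SAML 2.0 metadata document. The following is an added example, not MediaCMS project code, that extracts them (entityID, signing certificate, HTTP-Redirect SSO and SLO endpoints) so they can be pasted into the SAML Configurations tab, refusing metadata that carries no signing certificate or non-HTTPS endpoints. `SAMPLE_METADATA` is constructed for this example and its certificate is a placeholder, not WAYF's real key; in practice fetch the real document from the IdP over TLS and parse that.

```python
# Added example, not MediaCMS project code: pull the Step 2 values out of
# SAML 2.0 IdP metadata. The metadata below is constructed for this example.
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate: DER-looking bytes (SEQUENCE tag), not a real certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"\x30\x82\x00\x20placeholder-not-a-real-certificate").decode()

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://wayf.wayf.dk">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://wayf.wayf.dk/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://wayf.wayf.dk/saml2/idp/SSOService2.php"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://wayf.wayf.dk/saml2/idp/SSOService2.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _https_location(elem: ET.Element, what: str) -> str:
    """Endpoints the SP will redirect users to must be HTTPS."""
    loc = elem.get("Location", "")
    if not loc.startswith("https://"):
        raise ValueError(f"{what} endpoint is not https: {loc!r}")
    return loc


def extract_idp_config(xml_text: str) -> dict:
    """Return the IDP ID, certificate, SSO URL and SLO URL from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Signing key: KeyDescriptor use="signing", or no 'use' attribute, which
    # per the metadata spec means the key serves both signing and encryption.
    certs = [
        re.sub(r"\s+", "", kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS))
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
    ]
    certs = [c for c in certs if c]
    if not certs:
        raise ValueError("no signing certificate: SAML responses could not be verified")

    sso = [e for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == HTTP_REDIRECT]
    slo = [e for e in idp.findall("md:SingleLogoutService", NS)
           if e.get("Binding") == HTTP_REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService")

    return {
        "idp_id": root.get("entityID"),
        "idp_certificate": certs[0],
        "sso_url": _https_location(sso[0], "SSO"),
        "slo_url": _https_location(slo[0], "SLO") if slo else None,
    }


def looks_like_der_cert(cert_b64: str) -> bool:
    """Cheap sanity check: base64 decodes and starts with a DER SEQUENCE (0x30).
    It does not validate the certificate; use an X.509 parser for that."""
    try:
        raw = base64.b64decode(cert_b64, validate=True)
    except ValueError:
        return False
    return raw[:1] == b"\x30"


if __name__ == "__main__":
    for key, value in extract_idp_config(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The HTTP-Redirect binding is chosen because that is the binding the SSO and SLO URLs above are used with; if the IdP publishes several signing certificates (key rollover), the first is returned and the others should be added when the IdP announces the switch.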

Step 3: Set the other Options

  1. Email Settings:
    • verified_email: When enabled, email addresses taken from SAML responses are marked as verified. Enable this only if the IDP actually verifies the addresses it asserts, since a verified address is trusted without any confirmation email
    • Remove from groups: When enabled, a user who has been removed from a group on the IDP is removed from the corresponding MediaCMS group at their next login
  2. Global Role Mapping: Maps the role returned by SAML (as set in the SAML Configuration tab) to a MediaCMS role
  3. Group Role Mapping: Maps the role returned by SAML (as set in the SAML Configuration tab) to the role the user will hold in the groups they are added to
  4. Group Mapping: Creates groups associated with this IDP, associating group ids as they come from SAML with MediaCMS groups
  5. Category Mapping: Maps a group id (from the SAML response) to a category in MediaCMS