
Dropbox and Django SSO using SAML

Summary
I am looking to use Dropbox SSO functionality by using the authentication from a Django site. Note that I'm not looking to use SAML as a backend for my Django site.

Resources
1) Dropbox Custom SSO help page: https://www.dropbox.com/en/help/1921#custom
2) Creating a SAML response: https://robinelvin.wordpress.com/2009/09/04/saml-with-django/
3) Struggled to find any examples from Google of people doing this kind of SSO. Lots of links about people using SAML as a Django backend.

Question
In the Dropbox admin settings I can add my X509 certificate and the login link. This means that when you try to login into Dropbox using SSO it nicely forwards you to my Django site's login page using a GET request with a SAMLRequest in the querystring.

However, my understanding is that I now need to, once the user is authenticated on the Django site, fire a POST request back to Dropbox at their SAML login link with a SAMLResponse in the post data. Using the second resource above I believe I can create the SAMLResponse xml but I am unsure how to redirect the user to the Dropbox SAML login link with the SAML data from my Django view.

Any help much appreciated.

Managed to get the functionality I needed using django-saml2-idp: https://github.com/peopledoc/django-saml2-idp

Good documentation on installing here: https://github.com/peopledoc/django-saml2-idp/blob/master/doc/INSTALL.txt

Settings in the Dropbox Admin console required the X509 certificate and then the login url set to: https://****.com/idp/login

Note that I had issues installing the M2Crypto dependency so used an Ubuntu package via:
sudo apt-get install python-m2crypto

Additionally I'm using Django 1.9.6 so needed to make overrides to the views.py, urls.py, and registry.py files to make them compatible (various import statements needed updating and the urls changed to the new list format rather than using patterns).

Created a Dropbox Processor as follows:

import base64
import zlib
from saml2idp import base
from saml2idp.xml_render import _get_assertion_xml


def get_assertion_dropbox_xml(parameters, signed=False):
    # Render the Dropbox assertion template with saml2idp's own renderer.
    # ASSERTION_DROPBOX is defined below; it is resolved at call time, so
    # the module-level ordering is fine.
    return _get_assertion_xml(ASSERTION_DROPBOX, parameters, signed)


# Assertion template; the ${...} placeholders are filled from
# self._assertion_params by the renderer above.
ASSERTION_DROPBOX = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="${ASSERTION_ID}" '
            'IssueInstant="${ISSUE_INSTANT}" '
            'Version="2.0">'
        '<saml:Issuer>${ISSUER}</saml:Issuer>'
        '${ASSERTION_SIGNATURE}'
        '${SUBJECT_STATEMENT}'
        '<saml:Conditions NotBefore="${NOT_BEFORE}" NotOnOrAfter="${NOT_ON_OR_AFTER}">'
            '<saml:AudienceRestriction>'
                '<saml:Audience>${AUDIENCE}</saml:Audience>'
            '</saml:AudienceRestriction>'
        '</saml:Conditions>'
        '<saml:AuthnStatement AuthnInstant="${AUTH_INSTANT}">'
            '<saml:AuthnContext>'
                '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>'
            '</saml:AuthnContext>'
        '</saml:AuthnStatement>'
        '${ATTRIBUTE_STATEMENT}'
    '</saml:Assertion>'
)


class Processor(base.Processor):

    def _decode_request(self):
        """
        Decodes _request_xml from _saml_request.

        The SAMLRequest arrives via the HTTP-Redirect binding: base64 over
        raw DEFLATE with no zlib header, hence wbits=-15.
        """
        self._request_xml = zlib.decompress(base64.b64decode(self._saml_request), -15)

    def _format_assertion(self):
        # signed=False leaves the Assertion element itself unsigned;
        # response-level signing is governed by 'signing' in SAML2IDP_CONFIG.
        self._assertion_xml = get_assertion_dropbox_xml(self._assertion_params, signed=False)

Which you register in your settings.py file as follows:

SAML2IDP_CONFIG = {
    'autosubmit': True,
    'certificate_file': '/****/certificate.pem',
    'private_key_file': '/****/private-key.pem',
    'issuer': 'https://www.****.com',
    'signing': True,
}

sampleSpConfig = {
    'acs_url': 'https://www.dropbox.com/saml_login',
    'processor': 'dropbox.Processor',
}

SAML2IDP_REMOTES = {
    'sample': sampleSpConfig,
}

Works like a dream. Hope this helps somebody out there.
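As an added example (not the poster's code and not part of django-saml2-idp), the two bindings the flow above relies on, using only the standard library: decoding the SAMLRequest from the querystring the same way the processor's `_decode_request` does, checking that the ACS the request names is one the IdP is actually configured for before any assertion is issued, and building the auto-submitting HTTP-POST form that carries the SAMLResponse back to Dropbox. The sample AuthnRequest and the `REGISTERED_ACS` set are constructed for this example.

```python
import base64
import html
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Only ever post assertions to an ACS that is configured, as SAML2IDP_REMOTES does.
REGISTERED_ACS = {"https://www.dropbox.com/saml_login"}

# Constructed sample AuthnRequest (the shape an SP sends; not a real capture).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_req-0001" Version="2.0" '
    'IssueInstant="2016-06-01T12:00:00Z" '
    'AssertionConsumerServiceURL="https://www.dropbox.com/saml_login"/>' % SAMLP
).encode()

def encode_redirect_binding(xml_bytes):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()

def decode_redirect_binding(saml_request):
    """Inverse of the above; wbits=-15 matches the processor's _decode_request."""
    return zlib.decompress(base64.b64decode(saml_request), -15)

def parse_authn_request(xml_bytes):
    """Return (request ID, ACS URL) after checking the ACS is a registered one."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in REGISTERED_ACS:
        # Never post an assertion to a URL merely because the request asked for it.
        raise ValueError("refusing to post to unregistered ACS %r" % acs)
    return root.get("ID"), acs

def post_binding_form(acs_url, response_xml, relay_state=""):
    """HTTP-POST binding: plain base64 (no deflate) in an auto-submitting form.
    Values are HTML-escaped so RelayState cannot break out of its attribute."""
    b64 = base64.b64encode(response_xml).decode()
    fields = '<input type="hidden" name="SAMLResponse" value="%s"/>' % b64
    if relay_state:
        fields += ('<input type="hidden" name="RelayState" value="%s"/>'
                   % html.escape(relay_state, quote=True))
    return ('<form method="post" action="%s">%s</form>'
            '<script>document.forms[0].submit()</script>'
            % (html.escape(acs_url, quote=True), fields))
```

Returning the form string from a Django view as an HttpResponse is what `'autosubmit': True` in the settings above does for you; the SAMLResponse itself must still be signed before it is handed to `post_binding_form`.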
