A Django app for DigiD/eHerkenning authentication flows
Project description
- Version: 0.4.1
- Source:
- Keywords: django, authentication, digid, eherkenning, eidas, dutch, nl, netherlands
- Python version: 3.7+
1 Features
SAML-based DigiD authentication flow
SAML-based eHerkenning authentication flow
Custom Django authentication backend
Extensible
2 Installation
2.1 Requirements
Python 3.7 or above
setuptools 30.3.0 or above
Django 2.2 or newer
2.2 Install
Install with pip:
pip install git+https://github.com/maykinmedia/python3-saml@maykin#egg=python3-saml
pip install django-digid-eherkenning
Add digid_eherkenning to INSTALLED_APPS in your Django project's settings. If you want to use DigiD Single Logout, you also need to add sessionprofile to INSTALLED_APPS.
INSTALLED_APPS = [
...,
"digid_eherkenning",
"sessionprofile",
...,
]
If you want to create local users as part of the authentication flow, add the authentication backend to the settings:
AUTHENTICATION_BACKENDS = [
...,
"digid_eherkenning.backends.DigiDBackend",
...,
]
For DigiD Single Logout you also need to add the sessionprofile middleware to the MIDDLEWARE setting. SessionProfileMiddleware must be listed before Django's SessionMiddleware.
MIDDLEWARE = [
...,
"sessionprofile.middleware.SessionProfileMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
...,
]
Finally, add the URL patterns to your root urls.py:
from django.urls import path, include
urlpatterns = [
...,
path("digid/", include("digid_eherkenning.digid_urls")),
...,
]
2.3 Configuration
In the settings you specify the required configuration in the DIGID or EHERKENNING dictionary. This is an example of DigiD settings:
from django.urls import reverse_lazy
DIGID = {
"base_url": "https://sp.example.nl", # required
"entity_id": "sp.example.nl/digid", # required
"metadata_file": "/path/to/metadata", # required
"key_file": "/path/to/key/file.key", # required
"cert_file": "/path/to/cert/file.pem", # required
"service_entity_id": "https://example.digid.nl/saml/idp/metadata", # required
"attribute_consuming_service_index": "1",
"service_name": "Example",
"requested_attributes": [],
"login_url": reverse_lazy("admin:login"),
"session_age": 15 * 60,
"want_assertions_encrypted": False,
"want_assertions_signed": False,
"signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
"digest_algorithm": "",
"key_passphrase": "",
"technical_contact_person_telephone": "06123123123",
"technical_contact_person_email": "test@test.nl",
"organization": "Example organization",
}
Note that the signature_algorithm setting is used only for requests sent with the HTTP-Redirect binding. A login request sent with the HTTP-POST binding always uses the http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 algorithm.
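The example above leaves assertions unsigned and unencrypted and selects rsa-sha1 for the redirect binding, which is fine for a first test but not what you want to ship. The following function is an added example, not part of django-digid-eherkenning: it inspects a DIGID or EHERKENNING dictionary using the key names from the README and reports missing required keys, non-TLS base URLs, missing key material and weak signature settings, so it can be wired into a Django system check or a deployment script. The `README_EXAMPLE` dictionary is a constructed copy of the settings above with a plain string in place of `reverse_lazy`.

```python
"""Sanity checks for a DIGID / EHERKENNING settings dictionary.

Added example, not part of django-digid-eherkenning. The function only
inspects the dictionary; file-existence checks can be switched off so the
function is testable without real key material.
"""
import os

# Keys the README example marks as "# required".
REQUIRED_KEYS = (
    "base_url",
    "entity_id",
    "metadata_file",
    "key_file",
    "cert_file",
    "service_entity_id",
)

# Algorithm URIs used by the README's metadata commands (the strong ones)
# and by its settings example (rsa-sha1, which we flag).
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed copy of the README settings example ("login_url" is a plain
# string here instead of reverse_lazy so the module imports without Django).
README_EXAMPLE = {
    "base_url": "https://sp.example.nl",
    "entity_id": "sp.example.nl/digid",
    "metadata_file": "/path/to/metadata",
    "key_file": "/path/to/key/file.key",
    "cert_file": "/path/to/cert/file.pem",
    "service_entity_id": "https://example.digid.nl/saml/idp/metadata",
    "attribute_consuming_service_index": "1",
    "service_name": "Example",
    "requested_attributes": [],
    "login_url": "/admin/login/",
    "session_age": 15 * 60,
    "want_assertions_encrypted": False,
    "want_assertions_signed": False,
    "signature_algorithm": RSA_SHA1,
    "digest_algorithm": "",
    "key_passphrase": "",
    "technical_contact_person_telephone": "06123123123",
    "technical_contact_person_email": "test@test.nl",
    "organization": "Example organization",
}


def check_saml_settings(name, cfg, check_files=True):
    """Return a list of (level, message) tuples; an empty list means no findings.

    level is "error" for settings that cannot work and "warning" for settings
    that work but weaken the trust you can place in the assertions you accept.
    """
    findings = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            findings.append(("error", f"{name}[{key!r}] is required but missing or empty"))

    # The IdP redirects the browser back to base_url with the SAML response,
    # so that endpoint must be served over TLS.
    base_url = cfg.get("base_url", "")
    if base_url and not base_url.startswith("https://"):
        findings.append(("warning", f"{name}['base_url'] should use https, got {base_url!r}"))

    # The README example leaves both flags False; the generated metadata
    # enables both, and production settings should match that.
    for flag in ("want_assertions_signed", "want_assertions_encrypted"):
        if not cfg.get(flag, False):
            findings.append(("warning", f"{name}[{flag!r}] is False"))

    # rsa-sha1 is only used for the redirect binding, but there is no reason
    # to keep it when the POST binding already uses rsa-sha256.
    if cfg.get("signature_algorithm") == RSA_SHA1:
        findings.append(("warning", f"{name}['signature_algorithm'] uses rsa-sha1; prefer {RSA_SHA256}"))
    if not cfg.get("digest_algorithm"):
        findings.append(("warning", f"{name}['digest_algorithm'] is empty; prefer {SHA256_DIGEST}"))

    if check_files:
        for key in ("metadata_file", "key_file", "cert_file"):
            path = cfg.get(key)
            if path and not os.path.isfile(path):
                findings.append(("error", f"{name}[{key!r}] points to a missing file: {path}"))

    return findings


if __name__ == "__main__":
    for level, message in check_saml_settings("DIGID", README_EXAMPLE, check_files=False):
        print(f"{level}: {message}")
```

Run against the README example with file checks disabled it produces four warnings (both assertion flags, rsa-sha1 and the empty digest algorithm) and no errors; with `check_files=True` the placeholder paths add three errors. Calling it from a `@register` system check is a matter of mapping "error" to `checks.Error` and "warning" to `checks.Warning`.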
3 Usage
You can now display login URLs by reversing the appropriate URL:
reverse("digid:login")
or in templates:
{% url 'digid:login' %}
3.1 Mock login flow
For development and demonstration purposes you can swap in a mock DigiD login flow that accepts any BSN and does not require an actual DigiD metadata configuration.
In the login view's username field you can enter any integer of up to 9 digits (with an arbitrary password); it is used as the BSN by the authentication backend.
Swap the authentication backend for the mock version:
AUTHENTICATION_BACKENDS = [
"digid_eherkenning.backends.mock.DigiDBackend",
]
Swap the digid url patterns for the mock version:
urlpatterns = [
...,
path("digid/", include("digid_eherkenning.mock.digid_urls")),
...,
]
Additionally add the URLs for the mock IDP service to run in the same runserver instance:
urlpatterns = [
...,
path("digid/idp/", include("digid_eherkenning.mock.idp.digid_urls")),
...,
]
For settings to control mock behaviour see digid_eherkenning/mock/config.py.
3.2 Generating the DigiD metadata
The metadata for DigiD can be generated with the following command:
python manage.py generate_digid_metadata \
--want_assertions_encrypted \
--want_assertions_signed \
--key_file /path/test.key \
--cert_file /path/test.certificate \
--signature_algorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" \
--digest_algorithm "http://www.w3.org/2001/04/xmlenc#sha256" \
--entity_id http://test-url.nl \
--base_url http://test-url.nl \
--service_name "Test name" \
--service_description "Test description" \
--attribute_consuming_service_index 9050 \
--technical_contact_person_telephone 06123123123 \
--technical_contact_person_email test@test.nl \
--organization_name "Test organisation" \
--organization_url http://test-organisation.nl \
--slo
3.3 Generating eHerkenning/eIDAS metadata
The metadata for eHerkenning and eIDAS can be generated with the following command:
python manage.py generate_eherkenning_metadata \
--want_assertions_encrypted \
--want_assertions_signed \
--key_file /path/test.key \
--cert_file /path/test.certificate \
--signature_algorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" \
--digest_algorithm "http://www.w3.org/2001/04/xmlenc#sha256" \
--entity_id http://test-url.nl \
--base_url http://test-url.nl \
--service_name "Test name" \
--service_description "Test description" \
--eh_attribute_consuming_service_index 9052 \
--eidas_attribute_consuming_service_index 9053 \
--oin 00000001112223330000 \
--technical_contact_person_telephone 06123123123 \
--technical_contact_person_email test@test.nl \
--organization_name "Test organisation" \
--organization_url http://test-organisation.nl
For information about each option, use:
python manage.py generate_eherkenning_metadata --help
To generate the dienstcatalogus:
python manage.py generate_eherkenning_dienstcatalogus \
--key_file /path/test.key \
--cert_file /path/test.certificate \
--entity_id http://test-url.nl \
--base_url http://test-url.nl \
--service_name "Test name" \
--service_description "Test description" \
--eh_attribute_consuming_service_index 9052 \
--eidas_attribute_consuming_service_index 9053 \
--oin 00000001112223330000 \
--privacy_policy http://test-url.nl/privacy \
--makelaar_id 00000003332223330000 \
--organization_name "Test Organisation"
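The metadata produced by the commands in 3.2 and 3.3 is what you hand to DigiD or an eHerkenning broker, so it is worth checking it against the values you passed on the command line before publishing. The following review function is an added example, not part of django-digid-eherkenning: it parses a SAML 2.0 SP EntityDescriptor and reports an entityID that differs from `--entity_id`, endpoints not under `--base_url` or not served over https, missing signing material, and a missing AttributeConsumingService index. The `SAMPLE_METADATA` document is constructed by hand from the README's command-line values; its endpoint paths (`/digid/acs/`, `/digid/slo/redirect/`) are assumptions, not the paths the commands actually emit.

```python
"""Review a generated SAML SP metadata document before publishing it.

Added example, not part of django-digid-eherkenning. The sample document is
constructed (endpoint paths are assumptions) so the block runs offline.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def review_sp_metadata(xml_text, entity_id, base_url, acs_indexes=()):
    """Return a list of issue strings; an empty list means the metadata matches."""
    issues = []
    root = ET.fromstring(xml_text)

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"unexpected root element {root.tag}"]
    if root.get("entityID") != entity_id:
        issues.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return issues + ["no SPSSODescriptor element"]

    # Both flags should be true: we sign our requests and expect signed assertions.
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag, "false").lower() != "true":
            issues.append(f"{flag} is not true")

    # Without a signing certificate the IdP cannot verify our signed requests.
    signing = [k for k in sp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    if not any(k.find(".//ds:X509Certificate", NS) is not None for k in signing):
        issues.append("no signing KeyDescriptor with an X509Certificate")

    # Every endpoint the IdP redirects or posts to must live under base_url and use TLS.
    prefix = base_url.rstrip("/") + "/"
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        label = tag.split(":")[1]
        for endpoint in sp.findall(tag, NS):
            location = endpoint.get("Location", "")
            if not location.startswith(prefix):
                issues.append(f"{label} Location {location!r} is not under {base_url!r}")
            if not location.startswith("https://"):
                issues.append(f"{label} Location {location!r} does not use https")

    # The index passed on the command line must appear in the metadata.
    found = {acs.get("index") for acs in sp.findall("md:AttributeConsumingService", NS)}
    for index in acs_indexes:
        if str(index) not in found:
            issues.append(f"AttributeConsumingService index {index} not found (have {sorted(found)})")
    return issues


# Constructed sample mirroring the README's generate_digid_metadata arguments.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://test-url.nl">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://test-url.nl/digid/slo/redirect/"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://test-url.nl/digid/acs/" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="9050">
      <md:ServiceName xml:lang="nl">Test name</md:ServiceName>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


if __name__ == "__main__":
    for issue in review_sp_metadata(SAMPLE_METADATA, "http://test-url.nl", "http://test-url.nl", (9050,)):
        print("issue:", issue)
```

Against the sample, which uses the README's `http://test-url.nl` values, the only findings are the two http endpoints; pass `https://` URLs to the metadata commands and those disappear. To review a real file, read it and pass the text to `review_sp_metadata` together with the `--entity_id`, `--base_url` and index values from your command line. `xml.etree` is acceptable here because the document is one you generated yourself; for metadata received from a third party, parse with `defusedxml` instead.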
4 Specific broker settings
Since 1 April 2022 certain eHerkenning brokers, such as OneWelcome and Signicat, require the artifact resolution request to carry the Content-Type header text/xml instead of application/soap+xml. This can be configured by adding the following key to the EHERKENNING Django setting:
EHERKENNING = {
...
"artifact_resolve_content_type": "text/xml",
...
}
5 Background information
Information that was at some point relevant and may document certain choices can be found in information.md.
6 Bitbucket mirror
This project was originally on Bitbucket and closed source. The Bitbucket project still exists, but only as a mirror of the Github repository. All future development must happen on Github.
Bitbucket mirror: https://bitbucket.org/maykinmedia/django-digid-eherkenning/
Hashes for django-digid-eherkenning-0.4.1.tar.gz
Algorithm | Hash digest
---|---
SHA256 | fb7fb13bc2eff13fc0afcf6b0a8a8474ab3e80ca5ccd962b10ebfd946035543c
MD5 | cafdd1a6913268ccb53256ed5786bb08
BLAKE2b-256 | 75f0fd196c4015fe311f3c9a55e212a3e673f6d6ce640875453d804c91f81803
Hashes for django_digid_eherkenning-0.4.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | b4e95aa573fcca48ee391ccaf638dec1b953acaaea2287e1debbfea660578e2e
MD5 | 9f7e58172cf8c2644ee11423d328376e
BLAKE2b-256 | e4df4c0b8304b17bce82806a64486ff0843cd18b25e9d48d1f3f036af5b8d88f