{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Collection of tips / guides for authentication on different platforms targeting University of Waterloo.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"NOTE: As of 2024, the recommended mechanism for authentication is DUO OIDC. This requires IST to grant access tokens in order to function.","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"paragraph"},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"style":{"value":"none"}},"macroMetadata":{"macroId":{"value":"bd7bc6f4-45fa-426b-b971-fd6bbbe33814"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"5b2b212f-c2be-4bd5-a93d-a84ff197d2be"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Getting started","type":"text"}]},{"type":"paragraph","content":[{"text":"FAST Members can access fully functional examples w/ localhost client ID on gitlab","type":"text","marks":[{"type":"strong"}]},{"type":"hardBreak"},{"text":"https://git.uwaterloo.ca/fast/project/auth-examples/-/tree/main/oidc?ref_type=heads","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.uwaterloo.ca/fast/project/auth-examples/-/tree/main/oidc?ref_type=heads"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You will need to know your callback URL (depending on your software stack this might be predetermined, check documentation for your libraries!)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If doing a reverse proxy to localhost on for example port 8080 it’s critical to firewall that port to only talk to your proxy server!","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Need to contact IST for a client key via a ticket","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"NEW","type":"text","marks":[{"type":"strong"}]},{"text":": OpenID Connect","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"ISS-General 2FA ","type":"text"},{"text":"https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660","type":"text","marks":[{"type":"link","attrs":{"href":"https://uwaterloo.atlassian.net/servicedesk/customer/portal/2/group/413/create/1660"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"set summary: “OIDC: add new web client“","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"set select topic you require assistance with: “Duo 2FA support”","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"set Additional comments","type":"text"}]},{"type":"codeBlock","content":[{"text":"## The django module uses /oidc/duo/callback/\n## Apache uses /secure/redirect_uri\ncallback URIs:\n- https://x.x.uwaterloo.ca/oidc/duo/callback/\n- https://x-stage.x.uwaterloo.ca/oidc/duo/callback/\n*group* in short format, not full DN.\nclaims: winaccountname, group, email, name, given_name, family_name","type":"text"}]}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Combining authentication with Grouper defined NEXUS groups can be a robust solution","type":"text"}]}]}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":2},"content":[{"text":"Quick Aside: How OIDC Auth kinda works ","type":"text"}]},{"type":"paragraph","content":[{"text":"For those new to the technology, the basic premise is as follows:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Your website sends a https request to the OIDC authentication portal using your client key/secret (this will navigate your user away from your website). Part of the request will be your ","type":"text"},{"text":"callback url","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Some stuff happens on the other site – usually the user will log in and then do some 2FA stuff – you don’t need to worry about it, as we trust the OIDC portal!","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The portal will redirect to your ","type":"text"},{"text":"callback url","type":"text","marks":[{"type":"strong"}]},{"text":" with an auth token – you can store this info and use parts of it to refresh itself. Honestly this bit gets a bit hairy, so if possible ","type":"text"},{"text":"you should probably just use a library","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"It’s possible to get AD group information sent through the token information, which can be very useful to separate roles on your website via Grouper.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"OIDC development config","type":"text"}]},{"type":"paragraph","content":[{"text":"During development you will find it helpful to support auth on localhost. The following configuration only supports callbacks to ","type":"text"},{"text":"localhost:port/oidc/duo/callback/","type":"text","marks":[{"type":"code"}]},{"text":". We also added a handful of port numbers to keep things simple: ","type":"text"},{"text":"3000,8000,8080,8888,443,80","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"You can find the secret in the FAST examples gitlab repo linked above","type":"text"}]},{"type":"codeBlock","content":[{"text":"OIDC_AUTH_SERVER=https://sso-4ccc589b.sso.duosecurity.com/oidc/DIUHIIU5GLVCYFDLE7P7/\nOIDC_CLIENT_ID=DIUHIIU5GLVCYFDLE7P7\nOIDC_CLIENT_SECRET=TODO: ask mirko for key.. or perhaps we share it?\nOIDC_CALLBACK=/oidc/duo/callback/","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"OIDC with Apache (mod_auth_openidc)","type":"text"}]},{"type":"paragraph","content":[{"text":"You can set up OIDC ","type":"text"},{"text":"directly","type":"text","marks":[{"type":"em"}]},{"text":" on your Apache / httpd server. This allows you to handle authentication outside of the application itself, and instead push REMOTE_USER to your apps for validating users.","type":"text"}]},{"type":"paragraph","content":[{"text":"Install Apache module (debian/ubuntu)","type":"text"}]},{"type":"codeBlock","content":[{"text":"apt install -y libapache2-mod-auth-openidc\n# enable module\na2enmod auth_openidc","type":"text"}]},{"type":"paragraph","content":[{"text":"Configure the module and a basic VirtualHost","type":"text"}]},{"type":"codeBlock","content":[{"text":"# For advanced options see: https://github.com/OpenIDC/mod_auth_openidc\n\n # If you have an ingress proxy like Caddy you'll need the following\n # respect X-Forwarded-* headers passed down from proxy\n OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Host\n # this personal secret is created by you and never shared!\n OIDCCryptoPassphrase XXXXXXXXXXX_PERSONAL_SECRET_XXXXXXXXXXX\n # after successfull login redirect the user to where they wanted to go\n # this path needs to openid-connect protected on your host\n OIDCRedirectURI https://myhost.fast.uwaterloo.ca/oidc-callback/redirect_uri\n OIDCProviderMetadataURL https://sso-4ccc589b.sso.duosecurity.com/oidc/XXXXXXXXXXXXXXXXXXXX/.well-known/openid-configuration\n OIDCClientID XXXXXXXXXXXXXXXXXXXX\n OIDCClientSecret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n # NOTE: you can find scopes in the the OIDCProviderMetadataURL\n OIDCScope \"openid profile email\"\n OIDCRemoteUserClaim user\n # use HTTP_ prefix so env vars are more trusted in CGI. \"see: suexec safe_env_lst\"\n OIDCClaimPrefix HTTP_OIDC_CLAIM_\n # WARN: default delimiter is comma. AD groups can contain commas! (\":\" is safer)\n OIDCClaimDelimiter \":\"\n OIDCCacheShmEntrySizeMax 270848\n\n\n# Assuming handling https on an ingress server like Caddy.\n# Also port 80 is firewalled to only talk to your ingress server.\n\n ServerName myhost.fast.uwaterloo.ca\n ServerAlias myhost-stage.fast.uwaterloo.ca\n \n # NOTE: this is needed for the OIDCRedirectURI callback\n \n AuthType openid-connect\n Require valid-user\n \n\n # example: only allow IdM-HR-staff users\n \n AuthType openid-connect\n Require claim group:IdM-HR-staff\n \n\n # example: require user to be in two groups\n \n AuthType openid-connect\n # each require is an OR. If you want AND, use RequireAll:\n \n Require claim group:IdM-HR-staff\n Require claim group:myhost-admin\n \n # TODO: this might also work\n # Require claim \"group:myhost-admin group:IdM-HR-staff\"\n \n\n \n AuthType openid-connect\n Require valid-user\n # if you have a simple backend to proxy to\n ProxyPreserveHost On\n ProxyPass 127.0.0.1:8080\n \n","type":"text"}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":2},"content":[{"text":"OIDC in Django - django-oidc-auth","type":"text"}]},{"type":"paragraph","content":[{"text":"django-oidc-auth","type":"text","marks":[{"type":"link","attrs":{"href":"https://git.uwaterloo.ca/uw_django/oidc_auth"}}]},{"text":" is a library maintained by ","type":"text"},{"type":"mention","attrs":{"id":"557058:e89b706f-1e39-4715-9730-8738a1ac5b19","text":"@Mirko Vucicevich"}},{"text":" , ","type":"text"},{"type":"mention","attrs":{"id":"557058:87cb9ec5-704f-461c-bfae-47719804e537","text":"@Ryan Goggin"}},{"text":" and ","type":"text"},{"type":"mention","attrs":{"id":"557058:4851fe4a-3203-4975-91fc-aebe25c8610e","text":"@Steve Weber"}},{"text":" for simple OIDC auth via Django. It requires Django >= 3 and python >=3.9 (as of Feb 2024) ","type":"text"}]},{"type":"paragraph","content":[{"text":"For the simplest configuration follow the instructions in the provided README.md, as the software has been designed and tested with campus OIDC configurations.","type":"text"}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":2},"content":[{"text":"ADFS (Active Directory) Deprecated Auth Guides","type":"text"}]},{"type":"paragraph","content":[{"text":"New projects should avoid using ADFS directly if possible, and use DUO OIDC instead. This documentation is here for reference.","type":"text"}]},{"type":"expand","attrs":{"title":"Expand ADFS Configuration guides "},"content":[{"type":"heading","attrs":{"level":2},"content":[{"text":"ADFS - Apache (Mellon) ","type":"text"}]},{"type":"paragraph","content":[{"text":"Create self signed key cert pair. Create metadata file and get current FederationMetadata.xml.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"OLD / DEPRECATED: ADFS ","type":"text"},{"text":"https://uwaterloo.ca/request-tracking-system/adfs-request","type":"text","marks":[{"type":"link","attrs":{"href":"https://uwaterloo.ca/request-tracking-system/adfs-request"}}]},{"text":")","type":"text"}]}]}]},{"type":"codeBlock","content":[{"text":"HOST=example.uwaterloo.ca\nopenssl genrsa -out key 2048\nchmod 0600 key\nopenssl req -new -sha256 -x509 -days 10000 -subj \"/C=CA/ST=Ontario/L=Waterloo/O=University\\ of\\ Waterloo/CN=$HOST\" -key key -out signed.crt\n\n# Simple MellonSPMetadataFile\n< MellonSPMetadataFile.xml\n\n\n\n\n\n$(grep -v '^-----' \"signed.crt\")\n\n\n\n\n\n\n\nEOF\n\n# Pending on if its a test server or a dev server use adfs.uwaterloo.ca or adfstest.uwaterloo.ca\ncurl https://adfs.uwaterloo.ca/FederationMetadata/2007-06/FederationMetadata.xml > adfs_FederationMetadata.xml\ncurl https://adfstest.uwaterloo.ca/FederationMetadata/2007-06/FederationMetadata.xml > adfstest_FederationMetadata.xml","type":"text"}]},{"type":"paragraph","content":[{"text":"Register your MellonSPMetadataFile.xml using the web form: ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://uwaterloo.ca/request-tracking-system/adfs-request"}},{"text":" ","type":"text"}]},{"type":"paragraph","content":[{"text":"Perhaps set these claims:","type":"text"}]},{"type":"codeBlock","content":[{"text":"Group\nemailaddress\nsurname\ngivenname\nsamaccountname\nUPN","type":"text"}]},{"type":"paragraph","content":[{"text":"Install apache and mellon module","type":"text"}]},{"type":"codeBlock","content":[{"text":"command -v yum && yum install -y mod_auth_mellon\ncommand -v apt && apt install -y libapache2-mod-auth-mellon\n# enable the mellon module\na2enmod mellon","type":"text"}]},{"type":"paragraph","content":[{"text":"For this example you can copy your certs to the following locations, note you might want to review file mode and privileges.","type":"text"}]},{"type":"codeBlock","content":[{"text":"cp key /etc/apache_mellon/key\ncp MellonSPMetadataFile.xml /etc/apache_mellon/MellonSPMetadataFile.xml\ncp adfs_FederationMetadata.xml /etc/apache_mellon/adfs_MellonIdPMetadataFile.xml\ncp adfstest_FederationMetadata.xml /etc/apache_mellon/adfstest_MellonIdPMetadataFile.xml","type":"text"}]},{"type":"paragraph","content":[{"text":"Apache config example using proxypass.","type":"text"}]},{"type":"codeBlock","content":[{"text":"## If you want to send logs system journal\nErrorLog ${APACHE_LOG_DIR}/error.log\nErrorLog \"|/usr/bin/systemd-cat --identifier=apache_error --priority=warning\"\nCustomLog ${APACHE_LOG_DIR}/access.log combined\nLogFormat \"%h %l %u \\\"%r\\\" %>s %O\" systemd\nCustomLog \"|/usr/bin/systemd-cat --identifier=apache_access\" systemd\n\n## redirect http to https\n\n ServerName example.uwaterloo.ca\n Redirect permanent / https://{{vars.server_name}}/\n\n\n\n ServerName example.uwaterloo.ca\n DocumentRoot /var/www/html\n SSLEngine on\n SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\n SSLProtocol -All +TLSv1.2\n SSLCertificateFile {{vars.SSLCertificateFile}}\n SSLCertificateKeyFile {{vars.SSLCertificateKeyFile}}\n SSLCACertificateFile {{vars.SSLCACertificateFile}}\n\n\t# optional logout url\n \n Redirect /adfs_logout https://adfstest.uwaterloo.ca/adfs/ls/?wa=wsignout1.0&wreply=https://optional_adfs_logout_redirect\n #PRODUCTION: Redirect /adfs_logout https://adfs.uwaterloo.ca/adfs/ls/?wa=wsignout1.0&wreply=https://optional_adfs_logout_redirect\n \n\n \n # (optional) Redirect none VPN users to vpncheck page.\n RewriteEngine On\n RewriteCond expr \"!(-R '127.0.0.0/8' || -R '10.0.0.0/8' || -R '172.16.0.0/12' || -R '192.168.0.0/16')\"\n RewriteCond expr \"!(-R '129.97.0.0/16')\"\n RewriteCond expr \"!(-R '47.252.27.26/32')\"\n RewriteRule ^(.*) https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}%{REQUEST_URI} [R]\n\n ## More Configuration options are documented at:\n ## https://github.com/Uninett/mod_auth_mellon\n Require valid-user\n AuthType \"Mellon\"\n MellonEnable \"auth\"\n MellonSecureCookie On\n MellonMergeEnvVars On \":\"\n MellonSetEnvNoPrefix HTTP_ADFS_EMAILADDRESS emailaddress\n MellonSetEnvNoPrefix HTTP_ADFS_GIVENNAME givenname\n MellonSetEnvNoPrefix HTTP_ADFS_SURNAME http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\n MellonSetEnvNoPrefix HTTP_ADFS_SAMACCOUNTNAME samaccountname\n MellonSetEnvNoPrefix HTTP_ADFS_GROUP http://schemas.xmlsoap.org/claims/Group\n\n\t\t## Example: Limit access to multiple groups\n #MellonCond HTTP_ADFS_GROUP Math_G_Org_MFCF_Staff_Tech [MAP,OR]\n #MellonCond HTTP_ADFS_GROUP Math_G_Org_MFCF_Staff_Woot [MAP,OR]\n #MellonCond HTTP_ADFS_GROUP Math_G_Org_MFCF_Staff_Admin [MAP]\n\n\t\t## Limit access to one group\n\t\tMellonCond HTTP_ADFS_GROUP Math_G_Org_MFCF_Staff_Admin [MAP]\n\n # session lifetime 1d; Actual lifetime may be shorter, depending on IdP settings\n MellonSessionLength 86400\n MellonSPPrivateKeyFile /etc/apache_mellon/key\n MellonSPMetadataFile /etc/apache_mellon/MellonSPMetadataFile.xml\n MellonIdPMetadataFile /etc/apache_mellon/adfstest_MellonIdPMetadataFile.xml\n\t\t#PRODUCTION: MellonIdPMetadataFile /etc/apache_mellon/adfs_MellonIdPMetadataFile.xml\n MellonRedirectDomains *\n\n\t\t# (optional) Add headers with the claims to pass through the ProxyPass\n\t\t# These claims can then be used for example in a PHP web service running at 127.0.0.1:8080\n # NOTE: user provided headers would be overwritten http://www.ietf.org/rfc/rfc2616.txt\n RequestHeader set HTTP_ADFS_EMAILADDRESS %{HTTP_ADFS_EMAILADDRESS}e\n RequestHeader set HTTP_ADFS_GIVENNAME %{HTTP_ADFS_GIVENNAME}e\n RequestHeader set HTTP_ADFS_SURNAME %{HTTP_ADFS_SURNAME}e\n RequestHeader set HTTP_ADFS_SAMACCOUNTNAME %{HTTP_ADFS_SAMACCOUNTNAME}e\n RequestHeader set HTTP_ADFS_GROUP %{HTTP_ADFS_GROUP}e\n\n\t\t# if you want to pass the header to the clients browser for viewing\n #DEBUG Header set HTTP_ADFS_GROUP %{HTTP_ADFS_GROUP}e\n\n ProxyPass http://127.0.0.1:8080\n \n","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"example .htaccess","type":"text"}]},{"type":"codeBlock","content":[{"text":"MellonEnable auth\nRequire valid-user\nAuthType Mellon\nMellonCond ADFS_GROUP fast-admin [MAP]\n#DEBUG: to view group header in browser \n#Header set HTTP_ADFS_GROUP: %{HTTP_ADFS_GROUP}e","type":"text"}]},{"type":"paragraph"},{"type":"heading","attrs":{"level":2},"content":[{"text":"JavaScript (express / passport)","type":"text"}]},{"type":"paragraph","content":[{"text":"There's a million ways to go about this, easiest I (Mirko) have found so far is with Node + ExpressJS + PassportJS.","type":"text"}]},{"type":"paragraph","content":[{"text":"The following configuration works with these installs:","type":"text"}]},{"type":"paragraph","content":[{"text":"npm install expressjs@4.18 express-session@1.17 passport@0.6 passport-azure-ad@4.2 cookie-parser@1.4","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"I'm also using the ","type":"text"},{"text":"dotenv","type":"text","marks":[{"type":"strong"}]},{"text":" package to add some variables from a .env file to process.env","type":"text"}]},{"type":"paragraph","content":[{"text":"note the example is using node with .mjs files to enable module import / export","type":"text","marks":[{"type":"em"}]}]},{"type":"paragraph","content":[{"text":"index.mjs","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"javascript"},"content":[{"text":"import express from 'express'\nimport session from 'express-session'\nimport passport from 'passport'\nimport cookieParser from 'cookie-parser'\nimport { OIDCStrategy } from 'passport-azure-ad'\nimport dotenv from 'dotenv'\ndotenv.config()\n\nconst app = express()\napp.use(session({\n secret: process.env.SECRET_KEY||\"PROVIDE_SECRET\",\n resave: false,\n cookie: {maxAge: 7*24*60*60*1000} // Optionally add secure: true if https,\n saveUninitialized: true\n}))\n\napp.use(cookieParser())\napp.use(passport.initialize())\napp.use(passport.session())\n\npassport.use(new OIDCStrategy({\n identityMetadata: `${process.env.ADFS_SERVER}/adfs/.well-known/openid-configuration`,\n clientID: process.env.ADFS_CLIENT_ID,\n responseType: 'id_token',\n responseMode: 'form_post',\n redirectUrl: `${process.env.HOSTNAME}/oauth2/callback`,\n passReqToCallback: true,\n //loggingLevel: 'info',\n //scope: ['winaccountname'],\n useCookieInsteadOfSession: true,\n cookieEncryptionKeys: [ { key: '12345678901234567890123456789012', 'iv': '123456789012' }], // IDK what this does lol\n\n },\n function(req, iss, sub, profile, accessToken, refreshToken, done) {\n // You'll probably want to do some work here\n // You can pull out whatever you want from the profile here\n let username = profile._json.winaccountname\n if (!username) {\n return done(new Error(\"No username found\"), null);\n }\n return done(null, {username: username})\n }\n));\n\npassport.serializeUser(function(user, done) {\n // You can do some stuff here\n done(null, user);\n});\n \npassport.deserializeUser(function(user, done) {\n // Also here\n done(null, user);\n});\n\nfunction regenerateSessionAfterAuthentication(req, res, next) {\n let passportInstance = req.session.passport;\n return req.session.regenerate(function (err){\n if (err) {\n return next(err);\n }\n req.session.passport = passportInstance;\n return req.session.save(next);\n })\n}\n\nfunction restrict(check){\n // You can pass a check function here to add additional stuff!\n return function (req, res, next) {\n let cfn = check || function(){ return true }\n if (req.user && cfn(req, res)) {\n next();\n } else {\n // Do whatever you want here -- I'm returing json\n res.status(403).json({error: 'not logged in, access denied!'})\n }\n }\n}\n\napp.get('/oauth2/login',\n passport.authenticate('azuread-openidconnect', {\n prompt: 'login'\n })\n)\n\napp.post('/oauth2/callback', \n passport.authenticate('azuread-openidconnect', { failureRedirect: process.env.SERVER_LOGIN_REDIRECT, prompt: 'login'}),\n regenerateSessionAfterAuthentication,\n function (req, res) {\n // Successful authentication, redirect home.\n res.redirect(process.env.SERVER_LOGIN_REDIRECT);\n }\n)\n\napp.post('/oauth/logout/', (req, res, next)=>{\n // Logout is broken with azure-ad, so we just do it manually!\n if (req.session.passport) {\n delete req.session.passport.user;\n }\n let prevSession = req.session;\n \n req.session.save(function(err) {\n if (err) {\n return next(err)\n }\n \n // regenerate the session, which is good practice to help\n // guard against forms of session fixation\n req.session.regenerate(function(err) {\n if (err) {\n return next(err);\n }\n // You may want to redirect somewhere here!!\n return res.status(200).json({'status': 'ok'})\n });\n });\n})\n\napp.get('/', (req, res) => {\n res.send('Hello World!')\n})\n\napp.get('/restricted', restrict(), (req, res) => {\n res.send(`Hello ${req.user.username}`)\n})\n\n// And run!\napp.listen(process.env.PORT||3000, process.env.HOST||'localhost', ()=>{\n console.log(\"Server up!\")\n})","type":"text"}]},{"type":"paragraph","content":[{"text":"In hindsight this isn't very easy at all. If you need help contact Mirko","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"PHP","type":"text"}]},{"type":"paragraph","content":[{"text":"I know at ","type":"text"},{"text":"least","type":"text","marks":[{"type":"em"}]},{"text":" one of you guys has this set up!","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Python - Django (django-auth-adfs)","type":"text"}]},{"type":"paragraph","content":[{"text":"Django supports ","type":"text"},{"text":"REMOTE_USER","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.djangoproject.com/en/3.2/howto/auth-remote-user/"}}]},{"text":" out of the box, so if you've already got that set up you're good to go!","type":"text"}]},{"type":"paragraph","content":[{"text":"Alternatively Django has a popular package ","type":"text"},{"text":"django-auth-adfs","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/snok/django-auth-adfs"}}]},{"text":" for oauth2 SSO. For the SSO solutions once you have your client key from IST ","type":"text"},{"text":"follow the guide on the git repo to set up your LOGIN_URL, urls.py, and INSTALLED_APPS, then set the following in your settings.py:","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"python"},"content":[{"text":"AUTH_ADFS = {\n 'SERVER': 'adfs.uwaterloo.ca', #adftest.uwaterloo.ca for testing server\n 'CLIENT_ID': 'your-key',\n 'RELYING_PARTY_ID': 'your-key',\n 'AUDIENCE': 'microsoft:identityserver:your-key',\n 'CLAIM_MAPPING': {\n 'first_name': 'given_name',\n 'last_name': 'family_name',\n 'email': 'email',\n },\n 'USERNAME_CLAIM': 'winaccountname',\n 'MIRROR_GROUPS': False, # True if you want to overwrite django's groups with ADFS groups. It imports MANY groups\n}","type":"text"}]},{"type":"paragraph","content":[{"text":"If you've got it all set up you should be able to log in with ADFS, and Django user accounts will be created as normal.","type":"text"}]},{"type":"paragraph","content":[{"type":"mention","attrs":{"id":"5f7354d3b61f66006fec6060","text":"@Former user (Deleted)"}},{"text":" supports a fork of the adfs-package with duo / SAML all set up (ryan pls fill out)","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Python - Generic","type":"text"}]},{"type":"paragraph","content":[{"text":"This might be a tricky road to travel; See Authlib documents. ","type":"text"}]},{"type":"paragraph","content":[{"text":"https://docs.authlib.org/en/latest/client/index.html","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.authlib.org/en/latest/client/index.html"}}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":".NET Framework","type":"text"}]},{"type":"paragraph","content":[{"text":"When making your ADFS request ignore any instructions posted by IST; say you want it for .NET, you don't need to provide any metadata file. '","type":"text"}]},{"type":"paragraph","content":[{"text":"Full Framework/OWIN / somewhere in your app Startup","type":"text"}]},{"type":"codeBlock","attrs":{"language":"csharp"},"content":[{"text":"using Microsoft.Owin.Security.WsFederation; \n\napp.UseWsFederationAuthentication(\n new WsFederationAuthenticationOptions\n {\n Wtrealm = \"your realm/app id you gave them, usually make it the root app URL\",\n MetadataAddress = \"the ADFS metadata dev or production IST publishes on ADFS page\" \n });","type":"text"}]},{"type":"paragraph","content":[{"text":"Anywhere after:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"csharp"},"content":[{"text":"var claimsIdent = (ClaimsIdentity)User.Identity;","type":"text"}]}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"paragraph"}],"version":1}

Browser not supported