README

Author: peppelinux

.coverage

@@ -71,6 +71,10 @@ do to make sure it is compatible with your Django version and environment.
   Python users need to ``pip install djangosaml2[test]`` in order to run the
   tests.
 
+Add the SAML Session Middleware as follow, this is needed for SameSite Cookies::
+
+  MIDDLEWARE.append('djangosaml2.middleware.SamlSessionMiddleware')
+
 Then you have to add the ``djangosaml2.backends.Saml2Backend``
 authentication backend to the list of authentications backends.
 By default only the ModelBackend included in Django is configured.
@@ -106,9 +110,6 @@ If you want to allow several authentication mechanisms in your project
 you should set the LOGIN_URL option to another view and put a link in such
 view to the ``/saml2/login/`` view.
 
-Add the SAML Session Middleware as follow::
-
-  MIDDLEWARE.append('djangosaml2.middleware.SamlSessionMiddleware')
 
 Handling Post-Login Redirects
 -----------------------------
@@ -138,7 +139,7 @@ For example::
 
   import saml2
   SAML_LOGOUT_REQUEST_PREFERRED_BINDING = saml2.BINDING_HTTP_POST
-  
+
 Signed Logout Request
 ------------------------
 Idp's like Okta require a signed logout response to validate and logout a user. Here's a sample config with all required SP/IDP settings::
@@ -176,75 +177,6 @@ the path to that file.
 In djangosaml2 you just put the same information in the Django
 settings.py file under the SAML_CONFIG option.
 
-Okta settings to configure on your Idp's SAML app advanced settings::
-
-    Single Logout URL: http://localhost:8000/saml2/ls/post/
-    SP Issuer : http://localhost:8000/saml2/metadata/
-
-Okta sample configuration for setting up an Okta SSO with Django::
-
-        'service': {
-        # we are just a lonely SP
-        'sp': {
-            'name': 'XXX',
-            'allow_unsolicited': True,
-            'want_assertions_signed': True,  # assertion signing (default=True)
-            'want_response_signed': True,
-            "want_assertions_or_response_signed": True,  # is response signing required
-            'name_id_format': NAMEID_FORMAT_UNSPECIFIED,
-            
-            # Must for signed logout requests
-            "logout_requests_signed": True,
-            'endpoints': {
-                # url and binding to the assetion consumer service view
-                # do not change the binding or service name
-                'assertion_consumer_service': [
-                    ('http://localhost:8000/saml2/acs/',
-                     saml2.BINDING_HTTP_POST),
-                ],
-                # url and binding to the single logout service view
-                # do not change the binding or service name
-                'single_logout_service': [
-                    # ('http://localhost:8000/saml2/ls/',
-                    #  saml2.BINDING_HTTP_REDIRECT),
-                    ('http://localhost:8000/saml2/ls/post/',
-                     saml2.BINDING_HTTP_POST),
-                ],
-            },
-            # Mandates that the identity provider MUST authenticate the
-            # presenter directly rather than rely on a previous security context.
-            'force_authn': False,
-
-            "allow_unsolicited": True,
-
-            # Enable AllowCreate in NameIDPolicy.
-            'name_id_format_allow_create': False,
-
-            # attributes that this project need to identify a user
-            'required_attributes': ['email'],
-
-            # in this section the list of IdPs we talk to are defined
-            'idp': {
-                # we do not need a WAYF service since there is
-                # only an IdP defined here. This IdP should be
-                # present in our metadata
-
-                # the keys of this dictionary are entity ids
-                'https://xxx.okta.com/app/XXXXXXXXXX/sso/saml/metadata': {
-                    # Okta only uses HTTP_POST disable this
-                    # 'single_sign_on_service': {
-                    #     saml2.BINDING_HTTP_REDIRECT: 'https://xxx.okta.com/app/APPNAME/xxxxxxxxx/sso/saml',
-                    # },
-                    'single_logout_service': {
-                        saml2.BINDING_HTTP_POST: 'https://xxx.okta.com/app/APPNAME/xxxxxxxxxx/slo/saml',
-                    },
-                },
-            },
-
-        },
-       },
-
-
 We will see a typical configuration for protecting a Django project::
 
   from os import path
@@ -267,10 +199,10 @@ We will see a typical configuration for protecting a Django project::
         'sp' : {
             'name': 'Federated Django sample SP',
             'name_id_format': saml2.saml.NAMEID_FORMAT_PERSISTENT,
-            
+
             # For Okta add signed logout requets. Enable this:
             # "logout_requests_signed": True,
-            
+
             'endpoints': {
                 # url and binding to the assetion consumer service view
                 # do not change the binding or service name
@@ -619,6 +551,78 @@ filter like this::
              'class' => 'core:AttributeMap', 'name2oid'
         ),
 
+Okta federation
+===============
+
+Okta settings to configure on your Idp's SAML app advanced settings::
+
+    Single Logout URL: http://localhost:8000/saml2/ls/post/
+    SP Issuer : http://localhost:8000/saml2/metadata/
+
+Okta sample configuration for setting up an Okta SSO with Django::
+
+        'service': {
+        # we are just a lonely SP
+        'sp': {
+            'name': 'XXX',
+            'allow_unsolicited': True,
+            'want_assertions_signed': True,  # assertion signing (default=True)
+            'want_response_signed': True,
+            "want_assertions_or_response_signed": True,  # is response signing required
+            'name_id_format': NAMEID_FORMAT_UNSPECIFIED,
+
+            # Must for signed logout requests
+            "logout_requests_signed": True,
+            'endpoints': {
+                # url and binding to the assetion consumer service view
+                # do not change the binding or service name
+                'assertion_consumer_service': [
+                    ('http://localhost:8000/saml2/acs/',
+                     saml2.BINDING_HTTP_POST),
+                ],
+                # url and binding to the single logout service view
+                # do not change the binding or service name
+                'single_logout_service': [
+                    # ('http://localhost:8000/saml2/ls/',
+                    #  saml2.BINDING_HTTP_REDIRECT),
+                    ('http://localhost:8000/saml2/ls/post/',
+                     saml2.BINDING_HTTP_POST),
+                ],
+            },
+            # Mandates that the identity provider MUST authenticate the
+            # presenter directly rather than rely on a previous security context.
+            'force_authn': False,
+
+            "allow_unsolicited": True,
+
+            # Enable AllowCreate in NameIDPolicy.
+            'name_id_format_allow_create': False,
+
+            # attributes that this project need to identify a user
+            'required_attributes': ['email'],
+
+            # in this section the list of IdPs we talk to are defined
+            'idp': {
+                # we do not need a WAYF service since there is
+                # only an IdP defined here. This IdP should be
+                # present in our metadata
+
+                # the keys of this dictionary are entity ids
+                'https://xxx.okta.com/app/XXXXXXXXXX/sso/saml/metadata': {
+                    # Okta only uses HTTP_POST disable this
+                    # 'single_sign_on_service': {
+                    #     saml2.BINDING_HTTP_REDIRECT: 'https://xxx.okta.com/app/APPNAME/xxxxxxxxx/sso/saml',
+                    # },
+                    'single_logout_service': {
+                        saml2.BINDING_HTTP_POST: 'https://xxx.okta.com/app/APPNAME/xxxxxxxxxx/slo/saml',
+                    },
+                },
+            },
+
+        },
+       },
+
+
 Testing
 =======