
A Django app for DigiD/eHerkenning authentication flows

Project description

Version: 0.4.1
Source: https://github.com/maykinmedia/django-digid-eherkenning
Keywords: django, authentication, digid, eherkenning, eidas, dutch, nl, netherlands
PythonVersion: 3.7+



1 Features

  • SAML-based DigiD authentication flow

  • SAML-based eHerkenning authentication flow

  • Custom Django authentication backend

  • Extensible

2 Installation

2.1 Requirements

  • Python 3.7 or above

  • setuptools 30.3.0 or above

  • Django 2.2 or newer

2.2 Install

Install with pip. The first line installs Maykin's fork of python3-saml; "@maykin" names a branch, not a fixed revision, so for reproducible deployments pin it to a specific commit hash instead:

pip install git+https://github.com/maykinmedia/python3-saml@maykin#egg=python3-saml
pip install django-digid-eherkenning

Add digid_eherkenning to INSTALLED_APPS in your Django project's settings. If you want to use DigiD Single Logout, also add sessionprofile to INSTALLED_APPS.

INSTALLED_APPS = [
    ...,
    "digid_eherkenning",
    "sessionprofile",
    ...,
]

If you want to create local users as part of the authentication flow, add the authentication backend to the settings:

AUTHENTICATION_BACKENDS = [
    ...,
    "digid_eherkenning.backends.DigiDBackend",
    ...,
]

For DigiD Single Logout you also need to add the sessionprofile middleware to the MIDDLEWARE setting (not to AUTHENTICATION_BACKENDS). SessionProfileMiddleware must come before Django's SessionMiddleware:

MIDDLEWARE = [
    ...,
    "sessionprofile.middleware.SessionProfileMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    ...,
]

Finally, add the URL patterns to your root urls.py:

from django.urls import path, include


urlpatterns = [
    ...,
    path("digid/", include("digid_eherkenning.digid_urls")),
    ...,
]

2.3 Configuration

In the settings you specify the configuration in a DIGID or EHERKENNING dictionary. This is an example of DigiD settings (the file paths are strings, and reverse_lazy must be imported):

from django.urls import reverse_lazy

DIGID = {
    "base_url": "https://sp.example.nl",  # required
    "entity_id": "sp.example.nl/digid",  # required
    "metadata_file": "/path/to/metadata",  # required
    "key_file": "/path/to/key/file.key",  # required
    "cert_file": "/path/to/cert/file.pem",  # required
    "service_entity_id": "https://example.digid.nl/saml/idp/metadata",  # required
    "attribute_consuming_service_index": "1",
    "service_name": "Example",
    "requested_attributes": [],
    "login_url": reverse_lazy("admin:login"),
    "session_age": 15 * 60,
    "want_assertions_encrypted": False,
    "want_assertions_signed": False,
    "signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digest_algorithm": "",
    "key_passphrase": "",
    "technical_contact_person_telephone": "06123123123",
    "technical_contact_person_email": "test@test.nl",
    "organization": "Example organization",
}

Note that the signature_algorithm setting is used only for requests with the HTTP-Redirect binding. Login requests with the HTTP-POST binding use the http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 algorithm. The values shown above for want_assertions_signed, want_assertions_encrypted, signature_algorithm and digest_algorithm only illustrate the keys: the metadata commands in sections 3.2 and 3.3 request signed and encrypted assertions with rsa-sha256 and xmlenc#sha256, and a production configuration should match what the published metadata promises the IdP.
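The settings dictionary above is easy to get subtly wrong (a plain-http base_url, unsigned assertions, an SHA-1 signature algorithm, an empty digest algorithm). The following is an added example, not code from django-digid-eherkenning: a pure function that reviews such a dictionary and can be called from a Django system check or a deployment smoke test. The limits it applies (https base_url, signed and encrypted assertions, SHA-256 algorithms, a session_age of at most the 15 minutes used in the example, a private key not readable by other accounts) follow the values used elsewhere on this page; the hostnames and paths in the sample dictionaries are placeholders.

```python
"""Pre-deployment review of a DIGID / EHERKENNING settings dictionary.

Added example, not code from django-digid-eherkenning. It inspects only the
dictionary, so it runs without Django; filesystem checks are opt-in via
check_paths so the module can be exercised offline.
"""
import os
import stat
from urllib.parse import urlparse

# Signature and digest identifiers built on SHA-1; the metadata commands on
# this page use rsa-sha256 and xmlenc#sha256 instead.
SHA1_ALGORITHMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
})

# Keys the configuration example marks as required.
REQUIRED_KEYS = ("base_url", "entity_id", "metadata_file",
                 "key_file", "cert_file", "service_entity_id")

# The session_age used in the example configuration (15 minutes).
MAX_SESSION_AGE = 15 * 60


def check_saml_settings(config, check_paths=True):
    """Return a list of problem strings; an empty list means no findings."""
    problems = []
    for key in REQUIRED_KEYS:
        if not config.get(key):
            problems.append("%s: required setting is missing or empty" % key)

    # The IdP redirects the browser, carrying the SAML response, to base_url.
    if urlparse(str(config.get("base_url", ""))).scheme != "https":
        problems.append("base_url: must use https")

    # Unsigned assertions cannot be authenticated; unencrypted ones expose
    # the BSN and other attributes to anything that sees the browser traffic.
    for key in ("want_assertions_signed", "want_assertions_encrypted"):
        if config.get(key) is not True:
            problems.append("%s: should be True" % key)

    if config.get("signature_algorithm", "") in SHA1_ALGORITHMS:
        problems.append("signature_algorithm: SHA-1 based, use rsa-sha256")
    digest = config.get("digest_algorithm", "")
    if not digest or digest in SHA1_ALGORITHMS:
        problems.append("digest_algorithm: empty or SHA-1 based, use xmlenc#sha256")

    session_age = config.get("session_age")
    if session_age is not None and (
        not isinstance(session_age, int) or not 0 < session_age <= MAX_SESSION_AGE
    ):
        problems.append("session_age: expected 1..%d seconds" % MAX_SESSION_AGE)

    if check_paths:
        for key in ("metadata_file", "key_file", "cert_file"):
            path = config.get(key)
            if path and not os.path.isfile(str(path)):
                problems.append("%s: %s does not exist" % (key, path))
        key_file = config.get("key_file")
        if key_file and os.path.isfile(str(key_file)):
            # The private key must not be readable by group or other accounts.
            mode = stat.S_IMODE(os.stat(key_file).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("key_file: mode %o allows group/other access" % mode)
    return problems


# Constructed examples; hostnames and paths are placeholders.
WEAK_EXAMPLE = {
    "base_url": "http://sp.example.nl",
    "entity_id": "sp.example.nl/digid",
    "metadata_file": "/path/to/metadata",
    "key_file": "/path/to/key/file.key",
    "cert_file": "/path/to/cert/file.pem",
    "service_entity_id": "https://example.digid.nl/saml/idp/metadata",
    "session_age": 15 * 60,
    "want_assertions_encrypted": False,
    "want_assertions_signed": False,
    "signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digest_algorithm": "",
}

HARDENED_EXAMPLE = dict(
    WEAK_EXAMPLE,
    base_url="https://sp.example.nl",
    want_assertions_encrypted=True,
    want_assertions_signed=True,
    signature_algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    digest_algorithm="http://www.w3.org/2001/04/xmlenc#sha256",
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        print(name, check_saml_settings(cfg, check_paths=False) or "no findings")
```

Wiring it into Django is a matter of registering a function with django.core.checks that calls check_saml_settings(settings.DIGID) and turns each string into a checks.Error; the pure function keeps the logic testable without a configured settings module.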

3 Usage

You can now display login URLs by reversing the appropriate URL:

reverse("digid:login")

or in templates:

{% url 'digid:login' %}

3.1 Mock login flow

For development and demonstration purposes you can swap in a mock DigiD login flow that accepts any BSN and does not require an actual DigiD metadata configuration. Because it accepts any BSN, the mock backend and mock URL patterns must never be enabled in a production settings module.

In the username field of the login view you can enter any integer of up to 9 digits (and an arbitrary password); that integer is used as the BSN in the authentication backend.

Swap the authentication backend for the mock version:

AUTHENTICATION_BACKENDS = [
    "digid_eherkenning.backends.mock.DigiDBackend",
]

Swap the digid url patterns for the mock version:

urlpatterns = [
    ...,
    path("digid/", include("digid_eherkenning.mock.digid_urls")),
    ...,
]

Additionally add the URLs for the mock IDP service to run in the same runserver instance:

urlpatterns = [
    ...,
    path("digid/idp/", include("digid_eherkenning.mock.idp.digid_urls")),
    ...,
]

For settings to control mock behaviour see digid_eherkenning/mock/config.py.
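The mock flow accepts any integer of up to 9 digits as the BSN, but a real BSN is a 9-digit number (shorter values are written with leading zeros) whose digits satisfy the Dutch "elfproef" (11-check). The following is an added example, not part of django-digid-eherkenning: a validator you can use to sanity-check demo data or a BSN arriving from an upstream system before treating it as an identity. The sample values in the main block are constructed for this example.

```python
"""Elfproef (11-check) for a Dutch burgerservicenummer (BSN).

Added example, not part of django-digid-eherkenning. The check: with the
nine digits d1..d9, 9*d1 + 8*d2 + ... + 2*d8 - 1*d9 must be divisible by 11.
"""
import re

# Weights for digit positions 1..9; the last digit is subtracted.
_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)


def normalize_bsn(value):
    """Return the 9-digit string form of value, or None if it cannot be one.

    Accepts an int or a string of at most 9 digits (the shape the mock login
    form accepts) and left-pads with zeros, as BSNs are conventionally stored.
    """
    text = str(value).strip()
    if not re.fullmatch(r"[0-9]{1,9}", text):
        return None
    return text.zfill(9)


def is_valid_bsn(value):
    """True if value normalizes to nine digits that pass the 11-check."""
    bsn = normalize_bsn(value)
    if bsn is None or bsn == "000000000":
        return False
    total = sum(weight * int(digit) for weight, digit in zip(_WEIGHTS, bsn))
    return total % 11 == 0


if __name__ == "__main__":
    # Constructed inputs: the first two pass the check, the rest do not
    # (wrong checksum, padded value with wrong checksum, non-digits, too long).
    for candidate in ("111222333", 123456782, "123456789", 12345678, "abc", "1234567890"):
        print(candidate, is_valid_bsn(candidate))
```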

3.2 Generating the DigiD metadata

The metadata for DigiD can be generated with the following command:

python manage.py generate_digid_metadata \
    --want_assertions_encrypted \
    --want_assertions_signed \
    --key_file /path/test.key \
    --cert_file /path/test.certificate \
    --signature_algorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" \
    --digest_algorithm "http://www.w3.org/2001/04/xmlenc#sha256" \
    --entity_id http://test-url.nl \
    --base_url http://test-url.nl \
    --service_name "Test name" \
    --service_description "Test description" \
    --attribute_consuming_service_index 9050 \
    --technical_contact_person_telephone 06123123123 \
    --technical_contact_person_email test@test.nl \
    --organization_name "Test organisation" \
    --organization_url http://test-organisation.nl \
    --slo

3.3 Generating eHerkenning/eIDAS metadata

The metadata for eHerkenning and eIDAS can be generated with the following command:

python manage.py generate_eherkenning_metadata \
    --want_assertions_encrypted \
    --want_assertions_signed \
    --key_file /path/test.key \
    --cert_file /path/test.certificate \
    --signature_algorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" \
    --digest_algorithm "http://www.w3.org/2001/04/xmlenc#sha256" \
    --entity_id http://test-url.nl \
    --base_url http://test-url.nl \
    --service_name "Test name" \
    --service_description "Test description" \
    --eh_attribute_consuming_service_index 9052 \
    --eidas_attribute_consuming_service_index 9053 \
    --oin 00000001112223330000 \
    --technical_contact_person_telephone 06123123123 \
    --technical_contact_person_email test@test.nl \
    --organization_name "Test organisation" \
    --organization_url http://test-organisation.nl

For information about each option, use:

python manage.py generate_eherkenning_metadata --help

To generate the dienstcatalogus (the eHerkenning service catalogue):

python manage.py generate_eherkenning_dienstcatalogus  \
    --key_file /path/test.key \
    --cert_file /path/test.certificate \
    --entity_id http://test-url.nl \
    --base_url http://test-url.nl \
    --service_name "Test name" \
    --service_description "Test description" \
    --eh_attribute_consuming_service_index 9052 \
    --eidas_attribute_consuming_service_index 9053 \
    --oin 00000001112223330000 \
    --privacy_policy http://test-url.nl/privacy \
    --makelaar_id 00000003332223330000 \
    --organization_name "Test Organisation"
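Before handing the metadata produced by generate_digid_metadata or generate_eherkenning_metadata to the IdP or broker, it is worth reading it back mechanically rather than by eye. The following is an added example, not part of django-digid-eherkenning: it parses SAML 2.0 SP metadata and reports the points a reviewer checks by hand: entityID present, AuthnRequestsSigned and WantAssertionsSigned set, a signing certificate published, every endpoint on https and under the SP's base_url, and, when --slo was used, a SingleLogoutService. The embedded metadata document is constructed for this example and its certificate is a placeholder; the element and attribute names are those of the SAML metadata schema.

```python
"""Audit generated SAML 2.0 SP metadata.

Added example, not part of django-digid-eherkenning. Standard-library XML
parsing is fine for metadata you generated yourself; for metadata fetched
from elsewhere (e.g. IdP metadata) parse with defusedxml, which is used
here when available because it disables entity expansion.
"""
try:
    from defusedxml.ElementTree import fromstring
except ImportError:
    from xml.etree.ElementTree import fromstring

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}


def audit_sp_metadata(xml_text, base_url=None, require_slo=False):
    """Return a list of findings; an empty list means the metadata passed."""
    findings = []
    root = fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("entityID attribute is missing")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no md:SPSSODescriptor"]

    # Both flags are string booleans in the metadata schema.
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":
            findings.append('%s is not "true"' % attr)

    # A KeyDescriptor without a use attribute covers signing and encryption.
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS).strip()
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
    ]
    if not any(certs):
        findings.append("no signing KeyDescriptor with an X509Certificate")

    # Every endpoint the IdP will redirect or POST to must be https and ours.
    for element in sp.iter():
        location = element.get("Location")
        if location is None:
            continue
        tag = element.tag.split("}")[-1]
        if not location.startswith("https://"):
            findings.append("%s Location is not https: %s" % (tag, location))
        if base_url and not location.startswith(base_url.rstrip("/") + "/"):
            findings.append("%s Location is not under %s: %s" % (tag, base_url, location))

    if sp.find("md:AssertionConsumerService", NS) is None:
        findings.append("no AssertionConsumerService endpoint")
    if require_slo and sp.find("md:SingleLogoutService", NS) is None:
        findings.append("--slo requested but no SingleLogoutService is published")
    return findings


# Constructed sample resembling generated SP metadata (certificate is a placeholder).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.nl/digid">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.nl/digid/slo/"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.nl/digid/acs/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# The same document with the two defects corrected.
HARDENED_METADATA = SAMPLE_METADATA.replace(
    'WantAssertionsSigned="false"', 'WantAssertionsSigned="true"'
).replace("http://sp.example.nl/digid/acs/", "https://sp.example.nl/digid/acs/")

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_METADATA), ("hardened", HARDENED_METADATA)):
        print(name, audit_sp_metadata(doc, base_url="https://sp.example.nl", require_slo=True) or "no findings")
```

Run it against the file written by the generate command (read the file and pass its contents to audit_sp_metadata with the same base_url you passed on the command line); an empty result means the published metadata matches what the configuration section expects.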

4 Specific broker settings

Since 1 April 2022 certain eHerkenning brokers, such as OneWelcome and Signicat, require that the artifact resolution request carries the Content-Type header text/xml instead of application/soap+xml. This can be configured by including the following key in the EHERKENNING Django setting:

EHERKENNING = {
    ...
    "artifact_resolve_content_type": "text/xml",
    ...
}

5 Background information

Information that was at some point relevant and may document certain choices can be found in information.md.

6 Bitbucket mirror

This project was originally on Bitbucket and closed source. The Bitbucket project still exists, but only as a mirror of the Github repository. All future development must happen on Github.

Bitbucket mirror: https://bitbucket.org/maykinmedia/django-digid-eherkenning/

Download files

django-digid-eherkenning-0.4.1.tar.gz (source distribution, 348.2 kB)
  SHA256       fb7fb13bc2eff13fc0afcf6b0a8a8474ab3e80ca5ccd962b10ebfd946035543c
  MD5          cafdd1a6913268ccb53256ed5786bb08
  BLAKE2b-256  75f0fd196c4015fe311f3c9a55e212a3e673f6d6ce640875453d804c91f81803

django_digid_eherkenning-0.4.1-py3-none-any.whl (built distribution, Python 3, 367.0 kB)
  SHA256       b4e95aa573fcca48ee391ccaf638dec1b953acaaea2287e1debbfea660578e2e
  MD5          9f7e58172cf8c2644ee11423d328376e
  BLAKE2b-256  e4df4c0b8304b17bce82806a64486ff0843cd18b25e9d48d1f3f036af5b8d88f
