OneLogin validation using django

(Gitsakti) #1

How to validate onelogin user i.e. user.is_authenticated ?

I am using python3-saml and Django, but while redirecting to the OneLogin page I am getting an error and am stuck.
The code below in my view is giving the error.

if auth.is_authenticated():
    user = authenticate(saml_authentication=auth)
    login(request, user)

How do I resolve the error below?

'AnonymousUser' object has no attribute '_meta'

#2
if auth.is_authenticated(): ## IF USER IS AUTHENTICATED...
    user = authenticate(saml_authentication=auth) # AUTHENTICATE USER ?

Maybe you need something like if form.is_valid() instead of if auth.is_authenticated()?

(Basil Jose) #3

First of all, with this much of a code snippet we can’t debug the issue. What is auth here? A User instance?

Why are you trying to authenticate an already authenticated user? Or maybe you want to do something else?

From your error,

You already have the user when you save the form, so you don’t need to call authenticate since you already provide the backend when calling login() :

user = form.save()
login(request, user, backend='django.contrib.auth.backends.ModelBackend')

(Gitsakti) #4

Hi Basil, thanks for the reply. Below I am providing more details to explain my requirement.

I have a Django application with users stored locally. These users have customized role-based access to pages (roles like requester, approver, admin, etc.), where a requester can only access the raise-request pages, an approver the approve-request page, and an admin all of them. All of this is working fine.

Now one more requirement has been added, i.e. include OneLogin users in my application. To provide access to OneLogin users I have imported the python3-saml module from git and made some changes in my views to redirect to the home page once OneLogin has authenticated successfully.

Till now it is all working fine. However, I am struggling to provide role-based access to OneLogin users. All these roles are defined locally, and to attach a role to a OneLogin user I have to store and authenticate those users locally as well.

I found a similar blog post and pasted below the acs part, where it mentions

        user = authenticate(request)
        login(request, user)

The acs part in the blog:

# Inside the SAML view, after building req from the Django request and
# creating auth = OneLogin_Saml2_Auth(req, saml_settings)
if 'acs' in req['get_data']:
    # Assertion Consumer Service: the IdP POSTs the SAMLResponse here
    request_id = None
    if 'AuthNRequestID' in request.session:
        request_id = request.session['AuthNRequestID']
    auth.process_response(request_id=request_id)  # verifies signature, conditions and InResponseTo
    errors = auth.get_errors()
    not_auth_warn = not auth.is_authenticated()
    if not errors:
        if 'AuthNRequestID' in request.session:
            del request.session['AuthNRequestID']
        request.session['samlUserdata'] = auth.get_attributes()
        request.session['samlNameId'] = auth.get_nameid()
        request.session['samlSessionIndex'] = auth.get_session_index()
        attributes = request.session['samlUserdata'].items()
        # Needs a custom backend in AUTHENTICATION_BACKENDS that builds the local
        # user from the SAML data; the default ModelBackend returns None here.
        user = authenticate(request)
        login(request, user)
        if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
            return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
        else:
            return HttpResponseRedirect(OneLogin_Saml2_Utils.get_self_url(req))
    else:
        raise SAMLError('ERRORS FOUND IN SAML REQUEST: %s' % errors)
elif 'provider' in req['get_data']:
    # SP-initiated login: send the browser to the IdP
    if hasattr(settings, 'SAML_REDIRECT'):
        return HttpResponseRedirect(auth.login(settings.SAML_REDIRECT))
    elif 'RelayState' in req['post_data']:
        return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
    else:
        redir = OneLogin_Saml2_Utils.get_self_url(req)
        return HttpResponseRedirect(auth.login(redir))
else:
    return HttpResponseRedirect(auth.login())

But in my case the authenticate function returns None. Hence, the local login throws the error below:

'AnonymousUser' object has no attribute '_meta'

And the Django library code it points at:

`Python\Python36\lib\site-packages\django\contrib\auth\__init__.py`  in  `login`

154. request.session[SESSION_KEY] = user._meta.pk.value_to_string(user) 

Please let me know if you need more info on the same.
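One way to close the gap described in this post, as an added example that is not code from the thread, the blog, or python3-saml: `authenticate(saml_authentication=auth)` returns None because no backend in `AUTHENTICATION_BACKENDS` knows what to do with that keyword (`ModelBackend` only handles `username`/`password`), and `login(request, None)` then falls back to `request.user`, the `AnonymousUser` in the traceback. A small custom backend that consumes the python3-saml auth object fixes both halves: it creates or fetches the local user by NameID and maps an IdP attribute onto local groups through an allowlist. Assumptions not in the original posts: the app is called `myapp`, roles arrive in a SAML attribute named `role`, the local roles are Django Groups named requester/approver/admin that already exist, and the view calls `authenticate(request, saml_authentication=auth)` from the acs branch. `_StubSamlAuth` is a constructed stand-in for `OneLogin_Saml2_Auth` so the mapping can be run offline.

```python
# Assumed location: myapp/backends.py, enabled via
#   AUTHENTICATION_BACKENDS = ['myapp.backends.SamlBackend',
#                              'django.contrib.auth.backends.ModelBackend']

# Name of the SAML attribute carrying roles (assumption; set it up on the IdP).
ROLE_ATTRIBUTE = "role"

# Explicit allowlist: only these IdP values may map to a local group, so a
# misconfigured or tampered attribute cannot grant arbitrary local groups.
ROLE_MAP = {"requester": "requester", "approver": "approver", "admin": "admin"}


def extract_identity(saml_auth):
    """Return (nameid, sorted local role names) from a python3-saml auth object,
    or None if the assertion was not accepted. Only trust data after
    process_response(): get_errors() must be empty and is_authenticated() True."""
    if saml_auth.get_errors() or not saml_auth.is_authenticated():
        return None
    nameid = saml_auth.get_nameid()
    if not nameid:
        return None
    # python3-saml returns attributes as {name: [value, ...]}
    raw_values = saml_auth.get_attributes().get(ROLE_ATTRIBUTE, [])
    roles = sorted({ROLE_MAP[v] for v in raw_values if v in ROLE_MAP})
    return nameid, roles


class SamlBackend:
    """Django auth backend keyed on the `saml_authentication` credential.
    Django is imported inside the methods so the mapping logic above can be
    exercised without a configured settings module."""

    def authenticate(self, request, saml_authentication=None, **kwargs):
        if saml_authentication is None:
            return None  # not a SAML login; leave it to ModelBackend
        identity = extract_identity(saml_authentication)
        if identity is None:
            return None  # unverified assertion: never create or log in a user
        nameid, roles = identity

        from django.contrib.auth import get_user_model
        from django.contrib.auth.models import Group

        User = get_user_model()
        user, created = User.objects.get_or_create(username=nameid)
        if created:
            user.set_unusable_password()  # SAML users never log in with a password
            user.save()
        # Replace rather than add: a role removed at the IdP is removed locally
        # on the next login. Unknown group names are silently skipped.
        user.groups.set(Group.objects.filter(name__in=roles))
        return user

    def get_user(self, user_id):
        from django.contrib.auth import get_user_model

        User = get_user_model()
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None


class _StubSamlAuth:
    """Constructed stand-in for OneLogin_Saml2_Auth with only the methods used above."""

    def __init__(self, nameid, attributes, errors=(), authenticated=True):
        self._nameid, self._attributes = nameid, attributes
        self._errors, self._authenticated = list(errors), authenticated

    def get_errors(self):
        return self._errors

    def is_authenticated(self):
        return self._authenticated

    def get_nameid(self):
        return self._nameid

    def get_attributes(self):
        return self._attributes


def demo():
    """Constructed sample: one accepted assertion, one rejected one."""
    good = _StubSamlAuth("alice@example.com", {"role": ["approver", "superuser"]})
    bad = _StubSamlAuth("mallory@example.com", {"role": ["admin"]},
                        errors=["invalid_response"], authenticated=False)
    return extract_identity(good), extract_identity(bad)


if __name__ == "__main__":
    print(demo())  # (('alice@example.com', ['approver']), None)
```

With this in place the acs branch becomes `user = authenticate(request, saml_authentication=auth)` followed by `login(request, user)` only when `user` is not None; the backend is the single place that decides whether a SAML response turns into a local session, and the allowlist keeps the IdP from naming groups the application never intended to expose.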

(Gitsakti) #5

Hi Crosby, it’s not a form, it’s the third-party authentication, i.e. `if auth.is_authenticated():` is validating the OneLogin user. I am just trying to authenticate locally, only if OneLogin authenticated successfully, in order to save the user locally and provide role-based access to the user. However it’s not working for some reason; maybe the auth object doesn’t have all the required info… I guess so.

(Gitsakti) #6

You can get detailed OneLogin configuration steps from the SAML toolkit for OneLogin. You can even download and run the demo-django from it.

(Gitsakti) #7

Finally I managed to authenticate the OneLogin user locally and attach the application roles to it as well :slight_smile:
