{ "info": { "author": "NOAA Northwest science Fishery Resource Analysis and Montoring (FRAM) Data team", "author_email": "nmfs.nwfsc.fram.data.team@noaa.gov", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Intended Audience :: Developers", "Intended Audience :: System Administrators", "License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Topic :: Software Development :: Libraries :: Python Modules", "Topic :: System :: Systems Administration :: Authentication/Directory" ], "description": "PyICAM\n======\n\n.. figure:: https://img.shields.io/badge/license-CC0-green.png\n :alt: License: Creative Commons Zero v1.0 Universal\n\nPython Identity, Credential, and Access Management.\n\nInstall\n-------\n\n::\n\n pip install pyicam\n\nWindows Installation\n~~~~~~~~~~~~~~~~~~~~\n\nInstallation may proceed more easily, by first downloading the\n`python-xmlsec `__\ndependency wheel:\n\n1). Download appropriate binary wheel from\n`ci.appveyor.com `__\n(see the ``Job [your-version]`` link, then ``Artifacts`` button on the\nleft).\n\n2). Install wheel\n\n::\n\n pip install \n\n3). Install\n\n::\n\n pip install pyicam\n\nSupported Python Versions\n-------------------------\n\n- Python 3.3+\n\nOverview\n--------\n\nPyICAM is a simple, SAML authentication library to help Python software\ndevelopers use the `NOAA Identity, Credential, Access and Federation\nManagement (ICAM) `__ login\nprovider in a consistent fashion.\n\nIt consists of a minimal, easy to use interface around the open-source\n`python3-saml `__ toolkit\nfrom Onelogin, Inc.\n\nOnline documentation is at https://github.com/nwfsc-data/PyICAM\n\nDisclaimer\n----------\n\nThis repository is a scientific product and is not official\ncommunication of the National Oceanic and Atmospheric Administration, or\nthe United States Department of Commerce. All NOAA GitHub project code\nis provided on an \u2018as is\u2019 basis and the user assumes responsibility for\nits use. Any claims against the Department of Commerce or Department of\nCommerce bureaus stemming from the use of this GitHub project will be\ngoverned by all applicable Federal law. Any reference to specific\ncommercial products, processes, or services by service mark, trademark,\nmanufacturer, or otherwise, does not constitute or imply their\nendorsement, recommendation or favoring by the Department of Commerce.\nThe Department of Commerce seal and logo, or the seal and logo of a DOC\nbureau, shall not be used in any manner to imply endorsement of any\ncommercial product or activity by DOC or the United States Government.\n\nQuick Start\n-----------\n\nAdd SSO authentication to your existing Python webserver, with these\nsteps:\n\n- `Certificate & Secret key <#certificate-secret-key>`__\n- `Define your application\n attributes <#define-your-application-attributes>`__\n- `Obtain SSO Authority\n attributes <#obtain-sso-authority-attributes>`__\n- `Create settings file <#create-settings-file>`__\n- `Submit Metadata <#submit-metadata>`__\n- `Add your metadata URL <#add-your-metadata-url>`__\n- `Add your login URL <#add-your-login-url>`__\n- `Add your logout URL <#add-your-logout-url>`__ - TBD\n\nCertificate & Secret key\n~~~~~~~~~~~~~~~~~~~~~~~~\n\n1). Your Python application will identify itself to others with a public\ncertificate, and private key used for signing.\n\nObtain a keypair that is acceptable by the SSO team (your organization\nmay already have a keypair which would be suitable to identify your\nwebserver).\n\nIf none is available, the following command may be used to generate a\nnew secret key & certificate request for signature:\n\n::\n\n openssl req -new -newkey rsa:2048 -nodes -keyout secrets/server.key -out CERT_REQUEST.csr\n\n- Complete certificate details, as required by the Certificate\n Authority from whom you obtain a signed HTTPS certificate (contact\n your PKI team for more info on your CA's requirements).\n- Send your Certificate Authority the contents of: ``CERT_REQUEST.csr``\n- keep your ``secrets/server.key`` file secure. If anyone, at any time,\n can read this file - they can copy the key and impersonate your\n Python webserver.\n\nDefine your application attributes\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n2). Make up some values, which will later be entered into a JSON\nsettings file. These can be any values you want for your application,\nbut should follow below format recommendations to minimize later\nproblems.\n\nDefine a unique name, id, description & three URLs for your webserver.\nThe URLs will be used to identify your webserver, and accept SSO and\nSingle-Log-Out (SLO) transmissions from the remote SSO authority:\n\n- serviceName: \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n- (Make a simple name for your application: \"Amazing FRAM Service dev\")\n- serviceId: \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_ (short, no\n spaces. E.g.: \"AmazingFRAMServiceDev\")\n- serviceDescription:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n- (A short description. E.g.: \"Amazing FRAM service development\n instance\")\n- custom URLs:\n\n - entityIdURL:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n\n - (E.g.:\n ``https://my.sample_domain/great_service/saml/metadata/``)\n - (This will be used by ICAM SSO team and others to learn about\n your service, \"saml/metadata/\" is a very conventional URI\n ending for this)\n\n - assertionConsumerServiceURL:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n (E.g.: ``https://my.sample_domain/great_service/saml/?acs``)\n - singleLogoutServiceURL:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n (E.g.: ``https://my.sample_domain/great_service/saml/?sls``)\n\nObtain SSO Authority attributes\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n3). Contact the operator of your SSO solution, and obtain their Identity\nProvider metadata. Generally this will be provided via an XML document\nnamed ``noaa-online-idp-metadata.xml`` or similar.\n\nGather details for the id, url & identifying certificate from the XML.\nThis info will be used in Step 4:\n\n- id: \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_ (XML encodes this as \"entityID\"\n property of the \"EntityDescriptor\" element. It's typically short, no\n spaces. Often also at the end of the authority URLs)\n- certificateText:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n (will be long, base64 encoded text within a \"ds:X509Certificate\"\n element)\n- remote SSO authority URLs:\n\n - singleSignOnServiceURL:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n\n - (Use the sign-on Location value which has\n Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\")\n\n - singleLogoutServiceURL:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n\n - (Use logout Location value which has\n Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\")\n\nCreate settings file\n~~~~~~~~~~~~~~~~~~~~\n\n4). Create a file called ``settings.json`` and populate it with the\ndetails from Step 2. & 3.:\n\n::\n\n {\n \"strict\": true,\n\n \"debug\": true,\n\n \"sp\": {\n \"entityId\": \"__Enter_step2_entityIdURL__\",\n \"assertionConsumerService\": {\n \"url\": \"__Enter_step2_assertionConsumerServiceURL__\",\n \"binding\": \"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n },\n \"singleLogoutService\": {\n \"url\": \"__Enter_step2_singleLogoutServiceURL__\",\n \"binding\": \"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n },\n \"attributeConsumingService\": {\n \"serviceName\": \"__Enter_step2_name__\",\n \"serviceDescription\": \"__Enter_step2_description__\",\n \"requestedAttributes\": [\n {\n \"name\": \"__Enter_step2_id__\",\n \"isRequired\": false,\n \"nameFormat\": \"\",\n \"friendlyName\": \"\",\n \"attributeValue\": []\n }\n ]\n },\n \"NameIDFormat\": \"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\",\n \"x509cert\": \"\",\n \"privateKey\": \"\"\n },\n\n \"security\": {\n \"wantAssertionsSigned\": true\n },\n\n \"idp\": {\n \"entityId\": \"__Enter_step3_id__\",\n \"singleSignOnService\": {\n \"url\": \"__Enter_step3_singleSignOnServiceURL__\",\n \"binding\": \"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n },\n \"singleLogoutService\": {\n \"url\": \"__Enter_step3_singleLogoutServiceURL__\",\n \"binding\": \"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n },\n \"x509cert\": \"__Enter_step3_certificateText__\"\n\n }\n }\n\nSubmit metadata\n~~~~~~~~~~~~~~~\n\n5). Generate metadata for your webserver, using the following code &\nsubmit the resulting ``metadata`` text to your SSO authority.\n\n.. code:: python\n\n from pyicam.saml.metadata import get_entity_descriptor\n settings = 'settings.json' #specify the path to your files\n cert = 'cert.pem' #save cert issued by your Certificate Authority in Step 1). in PEM format\n key = 'secrets/server.key'\n metadata, content_type = get_entity_descriptor(settings, cert, key)\n print(metadata)\n\n- Your SSO Identity Provider operator will let you know if submitted\n metadata is acceptable, or if any settings changes must be made.\n- SSO operator will provide you with a login URL for \"IdP-Initiated\n SSO\". Directing your users to this link allows them to log into your\n application via the SSO Identity server:\n \\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\n\nAdd your metadata URL\n~~~~~~~~~~~~~~~~~~~~~\n\n6). Add the custom entityIdURL from `Step: Define your application\nattributes <#define-your-application-attributes>`__ to your webserver,\nso it returns metadata as shown in the previous `Step: Submit\nmetadata <#submit-metadata>`__.\n\n- Note: the HTTP response returned by the URL must have the content\n type (``text/xml``) indicated by PyICAM.\n\nAdd your login URL\n~~~~~~~~~~~~~~~~~~\n\n7). Add the custom assertionConsumerServiceURL from `Step: Define your\napplication attributes <#define-your-application-attributes>`__ to your\nwebserver, to recieve login notifications via HTTP POST:\n\n.. code:: python\n\n # step1) retrieve user details\n from pyicam.saml.sso import login\n host = \"myserv.example.gov\" # details for your webserver\n port = \"443\"\n path = \"/myapp/saml\" # url path for your assertionConsumerServiceURL\n settings = 'settings.json' #specify the path to your files\n cert = 'cert.pem'\n key = 'secrets/server.key'\n user = login(host, port, path, settings, cert, key, post_data=request.params) # also set parameter https=True if your webserver uses https on a port other than 443 \n # step2) log in the user, using the provided dict, to create a user session in whatever fashion your program uses\n # step3) your URL may now respond to the user, or redirect them, however you see fit\n if 'relay_state' in user:\n # If the SSO login URL specified a SAML2 \"RelayState\" parameter for\n # the final redirect destination, PyICAM will return that value as: 'relay_state'\n users_saml2_RelayState_redirect_value = user['relay_state']\n\nCongratulations! Users may now log into your application via the SSO\nlink provided by your Identity authority in `Step: Submit\nmetadata <#submit-metadata>`__.\n\nAdd your logout URL\n~~~~~~~~~~~~~~~~~~~\n\n8). (Adding custom singleLogoutServiceURL - TBD)\n\nCopyright (C) 2017-2018 ERT Inc.\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/nwfsc-data/PyICAM", "keywords": "saml saml2 sso icam noaa", "license": "CC0-1.0", "maintainer": "", "maintainer_email": "", "name": "pyicam", "package_url": "https://pypi.org/project/pyicam/", "platform": "", "project_url": "https://pypi.org/project/pyicam/", "project_urls": { "Homepage": "https://github.com/nwfsc-data/PyICAM" }, "release_url": "https://pypi.org/project/pyicam/0.1.0/", "requires_dist": null, "requires_python": "", "summary": "SAML 2.0 client authentication library", "version": "0.1.0" }, "last_serial": 4935213, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "0facc6fbbcdf0d3867ff1d99f2beedc4", "sha256": "c4993a76ba54e23b9e71c3dd4e96774195faf7ca423244c91484f7157e87d322" }, "downloads": -1, "filename": "pyicam-0.1.0.tar.gz", "has_sig": false, "md5_digest": "0facc6fbbcdf0d3867ff1d99f2beedc4", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14505, "upload_time": "2018-12-20T00:33:19", "url": "https://files.pythonhosted.org/packages/db/94/8476ce61a421f1ba24ab3682dcccdf449f0a04d960fb15cbfd79a245d9ce/pyicam-0.1.0.tar.gz" } ], "0.1.0rc1": [ { "comment_text": "", "digests": { "md5": "613679a42fb750f42cbf9396c1b1145f", "sha256": "e938cef1b31cfeb5a10542c8ef864c36d94b3cad4b480664af6e980953e5f383" }, "downloads": -1, "filename": "pyicam-0.1.0rc1.tar.gz", "has_sig": false, "md5_digest": "613679a42fb750f42cbf9396c1b1145f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 9292, "upload_time": "2017-11-06T17:50:17", "url": "https://files.pythonhosted.org/packages/06/ef/adb4f36b9f285151a0f126bc0334099b5efce715ee024d29f63e04460bf4/pyicam-0.1.0rc1.tar.gz" } ], "0.1.0rc2": [ { "comment_text": "", "digests": { "md5": "9d90a8b5297caf1f30e207f0885db5d1", "sha256": "d2a876bf6150f930414e0d084b74509014b87a31be4b9f963c665e100e0bd182" }, "downloads": -1, "filename": "pyicam-0.1.0rc2.tar.gz", "has_sig": false, "md5_digest": "9d90a8b5297caf1f30e207f0885db5d1", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 9453, "upload_time": "2018-01-10T23:20:51", "url": "https://files.pythonhosted.org/packages/59/56/60bba8d6375b4935e02243a17550f9a8146c9d24fb1e9681ac2616f55a3c/pyicam-0.1.0rc2.tar.gz" } ], "0.1.0rc3": [ { "comment_text": "", "digests": { "md5": "5c1903723e1431c4063313fc21423c14", "sha256": "baf7395fe4d7efbe46f31f3dd0613d59bcaad688ff2945c5d22525279ed8762a" }, "downloads": -1, "filename": "pyicam-0.1.0rc3.tar.gz", "has_sig": false, "md5_digest": "5c1903723e1431c4063313fc21423c14", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14118, "upload_time": "2018-03-02T01:16:36", "url": "https://files.pythonhosted.org/packages/c7/b9/21dcc790272c1478e1a480dd0aa6b7ed125ae7018fadcb36ef2eb3b7e591/pyicam-0.1.0rc3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "0facc6fbbcdf0d3867ff1d99f2beedc4", "sha256": "c4993a76ba54e23b9e71c3dd4e96774195faf7ca423244c91484f7157e87d322" }, "downloads": -1, "filename": "pyicam-0.1.0.tar.gz", "has_sig": false, "md5_digest": "0facc6fbbcdf0d3867ff1d99f2beedc4", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 14505, "upload_time": "2018-12-20T00:33:19", "url": "https://files.pythonhosted.org/packages/db/94/8476ce61a421f1ba24ab3682dcccdf449f0a04d960fb15cbfd79a245d9ce/pyicam-0.1.0.tar.gz" } ] }