使用 djangosaml2 实现 SSO 时出现验证错误 'is_staff': ["'true' value must be True or False."]

【问题标题】:Getting validation error 'is_staff': ["'true' value must be either True or False."] while implementing SSO using djangosaml2使用 djangosaml2 实现 SSO 时出现验证错误 'is_staff': ["'true' value must be True or False."]
【发布时间】:2019-10-09 17:47:28
【问题描述】:

我尝试为我的 Django 项目实施 SSO。 当我尝试登录表单 SP ('/sso/login') 时,我从 IDP 得到了正确的响应,但在 SP 端的 'sso/acs' 上它会引发验证错误。

{'is_superuser': ["'true' value must be either True or False."], 'is_staff': ["'true' value must be either True or False."]}

当我从 SAML_ATTRIBUTE_MAPPING 中删除 is_staff 和 is_superuser 时。 SSO 正在运行。
项目包—— django 1.11,
后期,
djangosaml2idp 0.5.0,用于 IDP
djangosaml2 0.17.2 用于 SP

My setting for SP: 
SAML_USE_NAME_ID_AS_USERNAME = True
SAML_DJANGO_USER_MAIN_ATTRIBUTE = 'email'
SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP = '__iexact'
SAML_CREATE_UNKNOWN_USER = False
SAML_LOGOUT_REQUEST_PREFERRED_BINDING = saml2.BINDING_HTTP_POST

SAML_ATTRIBUTE_MAPPING = {
    # SAML : DJANGO
    # Must also be present in attribute-maps!
    'email': ('email', ),
    'username': ('username', ),
    'account_id': ('account_id', ),
    'is_staff': ('is_staff', ),
    'is_superuser':  ('is_superuser', ),
}

错误回溯:

Traceback (most recent call last):
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/django/views/decorators/http.py", line 40, in inner
    return func(request, *args, **kwargs)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/djangosaml2/views.py", line 316, in assertion_consumer_service
    create_unknown_user=create_unknown_user)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/django/contrib/auth/__init__.py", line 73, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/djangosaml2/backends.py", line 107, in authenticate
    create_unknown_user, main_attribute, attributes, attribute_mapping)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/djangosaml2/backends.py", line 154, in get_saml2_user
    return self._get_saml2_user(main_attribute, attributes, attribute_mapping)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/djangosaml2/backends.py", line 188, in _get_saml2_user
    user = self.update_user(user, attributes, attribute_mapping)
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/djangosaml2/backends.py", line 250, in update_user
    user.save()
  File "/Users/lite/projects/djangosaml2/sample-sp/sp/models.py", line 105, in save
    self.full_clean()
  File "/Users/lite/Virtual_Envs/spEnv/lib/python3.6/site-packages/django/db/models/base.py", line 1203, in full_clean
    raise ValidationError(errors)
django.core.exceptions.ValidationError: {'is_superuser': ["'true' value must be either True or False."], 'is_staff': ["'true' value must be either True or False."]}

我尝试了不同的数据库,并尝试了覆盖或不覆盖 Django 用户模型。 当我尝试使用默认(auth.models)时,用户模型 sso 正在使用 Postgres 和 sqlite 后端,但是当我为我的自定义用户模型覆盖用户模型时,它抛出了上述错误。 我认为在 SP 上不是对 IDP 响应进行类型转换,它只是将所有属性作为字符串解析和传递,同时保存在 DB 上会导致验证错误。但为什么它使用默认的 Django 用户模型?

应用用户模型

class User(AbstractBaseUser, PermissionsMixin):
    username = models.CharField(max_length=15, unique=True,)
    email = models.EmailField(max_length=123, blank=False, null=False, unique=True)

    is_staff = models.BooleanField(default=False, db_index=True)

    objects = UserManager()

    USERNAME_FIELD = 'username'
    REQUIRED_FIELDS = ['email']

    def clean(self):
        errors = {}
        users = get_user_model().objects.filter(username__iexact=self.username)
        if len(users) > 1:
            errors.setdefault('username', []).append(f'{self.username} not available')
        if errors:
            raise ValidationError(errors)

    def save(self, force_insert=False, force_update=False, using=None,
             update_fields=None):
        self.full_clean()
        return super().save(force_insert, force_update, using, update_fields)

【问题讨论】:

    标签: django postgresql single-sign-on python-3.6 saml-2.0


    【解决方案1】:

    有同样的问题,似乎这与djangosaml2idp 实现有关。

    从源代码中的示例代码,您应该将以下代码添加到 User app view.py 文件中(或者在主项目文件夹中,如果您没有自定义 User 模型)。

    @receiver(pre_user_save, sender=User)
def custom_update_user(sender, instance, attributes, user_modified, **kargs):
    """ Default behaviour does not play nice with booleans encoded in SAML as u'true'/u'false'.
        This will convert those attributes to real booleans when saving.
    """
    for k, v in attributes.items():
        u = set.intersection(set(v), set([u'true', u'false']))
        if u:
            setattr(instance, k, u.pop() == u'true')
    return True

    来源: custom_update_user

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2022-11-16
      • 2019-01-21
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode