We just released ckanext-saml2auth, a new plugin for CKAN! This extension enables Single Sign On (SSO) for CKAN data portals via SAML2 Authentication. It works with CKAN 2.9+, and can easily be installed on your existing CKAN data portal.
How does SSO work?
For those who are not already familiar with Single Sign On, it works by transferring the user’s identity from one place to another. It offers a few advantages over using a username/password to log into an account, such as:
- It saves time – You don’t have to type in credentials each time to log in
- It’s convenient – You won’t have to remember your password (or use the forgot password option)
- Offers security – Your account is safer and you don’t need to worry about using a weak password
How to set up SSO with our SAML2 plugin
Now let’s go over the installation process for ckanext-saml2auth:
- Install the required packages:
sudo apt install xmlsec1
- Activate your CKAN virtual environment, for example:
. /usr/lib/ckan/default/bin/activate
- Install the required system packages to install the necessary python module dependencies:
# rustc and cargo are neeeded to build cryptography if no binary wheel exists
sudo apt install rustc cargo
- Install the ckanext-saml2auth Python package into your virtual environment:
pip install ckanext-saml2auth
-
Add
saml2auth
to theckan.plugins
setting in your CKAN config file (by default the config file is located at/etc/ckan/default/ckan.ini)
. -
Restart CKAN. For example if you’ve deployed CKAN with Apache on Ubuntu:
sudo service apache2 reload
Required Config settings:
Make sure to have all the required Config settings installed.
# Specifies the metadata location type
# Options: local or remote
ckanext.saml2auth.idp_metadata.location = remote
# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set to: remote
ckanext.saml2auth.idp_metadata.local_path = /opt/metadata/idp.xml
# A remote URL serving aggregate metadata
# Ignore this config if the idp metadata location is set to: local
ckanext.saml2auth.idp_metadata.remote_url = https://kalmar2.org/simplesaml/module.php/aggregator/?id=kalmarcentral2&set=saml2
# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set to: local and metadata is public
ckanext.saml2auth.idp_metadata.remote_cert = /opt/metadata/kalmar2.cert
# Corresponding SAML user field for firstname
ckanext.saml2auth.user_firstname = firstname
# Corresponding SAML user field for lastname
ckanext.saml2auth.user_lastname = lastname
# Corresponding SAML user field for fullname
# (Optional: Can be used as an alternative to firstname + lastname)
ckanext.saml2auth.user_fullname = fullname
# Corresponding SAML user field for email
ckanext.saml2auth.user_email = email
A number of other optional configuration parameters are available and documented on the repository. That’s it. If you need any help setting up the SAML2 plugin, reach out to Keitaro’s team at [email protected].