X-Git-Url: https://git.mdrn.pl/django-cas-provider.git/blobdiff_plain/1d9fdda26cda5d009e97a5b3ad13db7e230f357d..e0a665a26179e5ab5bd781dba56e82f0fcdc4dd7:/README.rst diff --git a/README.rst b/README.rst index 1d32df1..8bbe307 100644 --- a/README.rst +++ b/README.rst @@ -2,30 +2,23 @@ django-cas-provider =================== ---------------------------------- -Chris Williams ---------------------------------- - OVERVIEW ========= -django-cas-provider is a provider for the `Central Authentication -Service `_. It supports CAS version 1.0. It allows -remote services to authenticate users for the purposes of -Single Sign-On (SSO). For example, a user logs into a CAS server -(provided by django-cas-provider) and can then access other services -(such as email, calendar, etc) without re-entering her password for -each service. For more details, see the `CAS wiki `_ -and `Single Sign-On on Wikipedia `_. +django-cas-provider is a provider for the `Central Authentication Service `_. It supports CAS version 1.0 and parts of CAS version 2.0 protocol. It allows remote services to authenticate users for the purposes of Single Sign-On (SSO). For example, a user logs into a CAS server +(provided by django-cas-provider) and can then access other services (such as email, calendar, etc) without re-entering her password for each service. For more details, see the `CAS wiki `_ and `Single Sign-On on Wikipedia `_. INSTALLATION ============= -To install, run the following command from this directory: +To install, run the following command from this directory:: + + python setup.py install + +Or, put `cas_provider` somewhere on your Python path. - ``python setup.py install`` +If you want use CAS v.2 protocol or above, you must install `lxml` package to correct work. -Or, put cas_provider somewhere on your Python path. USAGE ====== @@ -34,3 +27,136 @@ USAGE #. In *settings.py*, set ``LOGIN_URL`` to ``'/cas/login/'`` and ``LOGOUT_URL`` to ``'/cas/logout/'`` #. In *urls.py*, put the following line: ``(r'^cas/', include('cas_provider.urls')),`` #. Create login/logout templates (or modify the samples) +#. Use 'cleanuptickets' management command to clean up expired tickets + +SETTINGS +========= + +CAS_TICKET_EXPIRATION - minutes to tickets expiration. Default is 5 minutes. + +CAS_CUSTOM_ATTRIBUTES_CALLBACK - name of callback to provide dictionary with +extended user attributes (may be used in CAS v.2 or above). Default is None. + +CAS_CUSTOM_ATTRIBUTES_FORMAT - name of custom attribute formatter callback will be +used to format custom user attributes. This package provide module `attribute_formatters` +with formatters for common used formats. Available formats styles are `RubyCAS`, `Jasig` +and `Name-Value. Default is Jasig style. See module source code for more details. + +CAS_AUTO_REDIRECT_AFTER_LOGOUT - If False (default behavior, specified in CAS protocol) +after successful logout notification page will be shown. If it's True, after successful logout will +be auto redirect back to service without any notification. + + +PROTOCOL DOCUMENTATION +===================== + +* `CAS Protocol ` +* `CAS 1 Architecture ` +* `CAS 2 Architecture ` +* `Proxy Authentication ` +* `CAS – Central Authentication Service ` +* `Proxy CAS Walkthrough ` + +PROVIDED VIEWS +============= + +login +--------- + +It has not required arguments. + +Optional arguments: + +* template_name - login form template name (default is 'cas/login.html') +* success_redirect - redirect after successful login if service GET argument is not provided + (default is settings.LOGIN_REDIRECT_URL) +* warn_template_name - warning page template name to allow login user to service if he + already authenticated in SSO (default is 'cas/warn.html') + +If request.GET has 'warn' argument and user has already authenticated in SSO it shows +warning message instead of generate Service Ticket and redirect. + +logout +----------- + +This destroys a client's single sign-on CAS session. The ticket-granting cookie is destroyed, +and subsequent requests to login view will not obtain service tickets until the user again +presents primary credentials (and thereby establishes a new single sign-on session). + +It has not required arguments. + +Optional arguments: + +* template_name - template name for page with successful logout message (default is 'cas/logout.html') + +validate +------------- + +It checks the validity of a service ticket. It is part of the CAS 1.0 protocol and thus does +not handle proxy authentication. + +It has not arguments. + +service_validate +------------------------- + +It checks the validity of a service ticket and returns an XML-fragment response via CAS 2.0 protocol. +Work with proxy is not supported yet. + +It has not arguments. + + +CUSTOM USER ATTRIBUTES FORMAT +=========================== + +Custom attribute format style may be changed in project settings with +CAS_CUSTOM_ATTRIBUTES_FORMAT constant. You can provide your own formatter callback +or specify existing in this package in `attribute_formatters` module. + +Attribute formatter callback takes two arguments: + +* `auth_success` - `cas:authenticationSuccess` node. It is `lxml.etree.SubElement`instance; +* `attrs` - dictionary with user attributes received from callback specified in + CAS_CUSTOM_ATTRIBUTES_CALLBACK in project settings. + +Example of generated XML below:: + + + + jsmith + + + + PGTIOU-84678-8a9d2sfa23casd + + + + +* Name-Value style (provided in `cas_provider.attribute_formatters.name_value`):: + + + + + + + + +* Jasig Style attributes (provided in `cas_provider.attribute_formatters.jasig`):: + + + Jasig + Smith + John + CN=Staff,OU=Groups,DC=example,DC=edu + CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu + + + +* RubyCAS style (provided in `cas_provider.attribute_formatters.ruby_cas`):: + + RubyCAS + Smith + John + CN=Staff,OU=Groups,DC=example,DC=edu + CN=Spanish Department,OU=Departments,OU=Groups,DC=example,DC=edu +