- Aldryn SSO (authentication)¶
- Login methods¶
- Test site protection¶
- Aldryn SSO configuration options¶
- ALDRYN_SSO_ENABLE_LOCALDEV¶
- ALDRYN_SSO_ENABLE_SSO_LOGIN¶
- ALDRYN_SSO_ENABLE_LOGIN_FORM¶
- ALDRYN_SSO_ENABLE_AUTO_SSO_LOGIN¶
- ALDRYN_SSO_ALWAYS_REQUIRE_LOGIN¶
- ALDRYN_SSO_HIDE_USER_MANAGEMENT¶
- ALDRYN_SSO_BASICAUTH_USER and ALDRYN_SSO_BASICAUTH_PASSWORD¶
- SSO_DSN¶
- LOGIN_REDIRECT_URL¶
- ALDRYN_SSO_LOGIN_WHITE_LIST¶
- ALDRYN_SSO_OVERIDE_ADMIN_LOGIN_VIEW¶
Aldryn SSO (authentication)¶
Authentication to the Divio Cloud platform, and (by default) to user projectsrunning on the platform, is handled by the Divio Cloud SSO (single-sign-on)system. This provides a convenient way to authenticate users for Divio Cloudprojects (whether locally, or on the Test or Live servers) without needingto log in again, as long as they have logged into the Divio Cloud Control Panel.
This includes making it possible for users working on projects locally tolog in locally with a single click, as they have already been authenticated.
Divio Cloud SSO is managed by the open-source Aldryn SSO addon. The system is optional, but isinstalled by default in all Divio Cloud Django projects.
If the addon is uninstalled, then Django’s standard authentication behaviourwill apply.
Login methods¶
The Aldryn SSO addon provides three different login methods to Divio Cloudprojects:
Depending on how the project is configured, and which environment(local/test/live) it’s running in, different combinations of these options willbe shown (you’ll never see all three at once in a real project).
The illustrated options are:
1. Local development login¶
This is intended to appear on locally-running projects only. The _Add user_option is a convenient way to add new users to a project.
See ALDRYN_SSO_ENABLE_LOCALDEV.
2. Django’s standard username/password login form¶
This will not be of any use unless users with passwords exist in the database.
See ALDRYN_SSO_ENABLE_LOGIN_FORM.
3. Divio Cloud single-sign-on¶
This is intended to appear on projects running in Cloud environments only. Itallows users to sign in to their own projects with a single click, once theyhave authenticated with the Divio Cloud control panel.
See ALDRYN_SSO_ENABLE_SSO_LOGIN.
Test site protection¶
By default the Test site is protected so that it’s not publicly discoverableor viewable.
There are two ways in which it’s possible to see a protected Test site:
by being logging in as a user who is the owner or an authorised user of that site.
by using the secret hashed URL available from the icon on the Control Panel:
This URL can be shared with other people - for example, if you need to showprogress on the Test server to someone who doesn’t have a Divio Cloudaccount.
Aldryn SSO configuration options¶
Important
Most of these options must either be provided as environment variables, oras settings that are declared in settings.pybefore aldryn_addons.settings.load(locals())
.
This allows them to be processed correctly by the addons system.
The exception is ALDRYN_SSO_HIDE_USER_MANAGEMENT.
More details of how Aldryn SSO processes these settings can be studied ataldryn-sso.aldryn_config.py.
ALDRYN_SSO_ENABLE_LOCALDEV¶
Enables Local development login.
When True
(default for the local environment only) enables the _Add user_pane in the login form, providing a convenient way to add a new user to thedatabase.
Can also be specified as an environment variable or in settings.py
.
Warning
For obvious reasons, enabling this is strongly not recommended on theTest and Live sites, and there is generally no good reason tomanipulate this setting.
ALDRYN_SSO_ENABLE_SSO_LOGIN¶
Enables single-sign-on.
Requires a value to be present in SSO_DSN, and is automatically set whenthere is. If enabled when no SSO_DSN
value has been set, an error will beraised.
Can also be specified as an environment variable or in settings.py
.
ALDRYN_SSO_ENABLE_LOGIN_FORM¶
Enables Django’s standard username/password login form.
By default, is enabled when Hide user management is not enabled.
Can also be specified as an environment variable or in settings.py
.
ALDRYN_SSO_ENABLE_AUTO_SSO_LOGIN¶
When True
(the default on all sites) then if SSO login is the only loginmethod enabled, the user will be automatically logged-in via SSO (assuming ofcourse that the user is authorised to do so).
The logic for this condition is:
|ALDRYN_SSO_ENABLE_SSO_LOGIN|True
|ALDRYN_SSO_ENABLE_AUTO_SSO_LOGIN|True
|ALDRYN_SSO_ENABLE_LOGIN_FORM|False
|ALDRYN_SSO_ENABLE_LOCALDEV|False
Can also be specified as an environment variable or in settings.py
.
ALDRYN_SSO_ALWAYS_REQUIRE_LOGIN¶
Controls whether visitors need to be logged-in. Available options are:
- True: Users will need to log in via the SSO system in order to accessthe site (default for test site).
- False: No login is required (default for local and live environments).
- basicauth: The site will be protected by basic HTML accessauthorisation. Seebasicauth.
Can also be specified as an environment variable or insettings.py
.
ALDRYN_SSO_HIDE_USER_MANAGEMENT¶
This option is presented in the configuration form for the Aldryn SSO addon onthe Control Panel (as Hide user management). Its effect is to unregister theUser
and Group
models in the Django admin.
Setting it as an environment variable will have no effect.
Specifying it in settings.py will only have an effect if it is declaredafter aldryn_addons.settings.load(locals())
. This is not recommendedexcept for testing purposes.
For local testing, the hide_user_management
value inaldryn-addons/aldryn-sso/settings.json
can be changed, mimicking theeffect of the form value.
ALDRYN_SSO_BASICAUTH_USER and ALDRYN_SSO_BASICAUTH_PASSWORD¶
When ALDRYNSSO_ALWAYS_REQUIRE_LOGIN
is set to basicauth
, access tothe entire site will require user and password details. This is an _additionallayer of authentication. Access to the admin will still require login by an admin user, and even a logged-in admin user will need to supply the usernameand password.
See also
How to set up project-wide password protection.
Though the username and password can be specified as an environment variable orin settings.py
, the latter is not good practice.
SSO_DSN¶
The Data Source Name for single-sign-on.
This is set as an environment variable automatically in Cloud Projects,adding the SSO authority to the URL configuration for the project.
If you are providing your own single-sign-on, SSO_DSN
can also be specifiedas an environment variable or in settings.py
.
LOGIN_REDIRECT_URL¶
After login, redirect to the specified URL (by default, to /
).
Specifying LOGINREDIRECT_URL
in _settings.py will only have an effect ifit is declared after aldryn_addons.settings.load(locals())
.
ALDRYN_SSO_LOGIN_WHITE_LIST¶
A list of internal endpoints that don’t require authentication. Defaults to anempty list.
For example:
- from django.core.urlresolvers import reverse_lazy
- ALDRYN_SSO_LOGIN_WHITE_LIST = [reverse_lazy('my_whitelisted_endpoint')]
Can be specified as an environment variable or in settings.py
, ormanipulated programmatically in other applications:
- if 'ALDRYN_SSO_LOGIN_WHITE_LIST' in settings:
- settings['ALDRYN_SSO_LOGIN_WHITE_LIST'].extend([reverse_lazy('my_whitelisted_endpoint')])
ALDRYN_SSO_OVERIDE_ADMIN_LOGIN_VIEW¶
We override Django’s admin login view by default, as long as one of thethree login options is enabled. This takes better careof logged-in users who are not staff (admin) users.
The standard Django administration login view is available by setting this toFalse
as an environment variable or in settings.py
.
原文: http://docs.divio.com/en/latest/reference/addons-aldryn-sso.html