ckanext-adfs
A CKAN extension for validating users against Microsoft’s Active Directory
Federated Services (ADFS) Single Sign On (SSO) API.
In layman’s terms it lets you log in using some third-party source of
authentication provided by Microsoft and beloved by BDOs (Big Dumb Orgs).
See the requirements.txt file for third party modules needed for this to
work (lxml and M2Crypto). You’ll also need the following packages installed:
- libxml2
- libxml2-dev
- libxslt1.1
- libxslt1-dev
- openssl
- libssl-dev
- swig
- python-dev
What is ADFS?
Microsoft’s Azure cloud-based offering provides Active Directory Federated
Services (ADFS for short). As far as we can tell these have absolutely nothing
to do with the “traditional” LDAP/ActiveDirectory we love to loath but is a
confusion thought up by their marketing department. In essence it is possible
to create an “Active Directory” within Azure to define groups of users. ADFS
is a way to allow such users to log in to some third party application (in this
case it’s your instance of CKAN) via said Azure active directory. For this to
happen you’ll need to create a new “application” (representing your CKAN
instance) within the relevant Azure active directory. Microsoft have good
documentation online for doing this (although see the caveat about UI changes
below).
If you merely want to test this extension you can take out a free trial at the
Azure website (although you’ll need to provide credit card details to prove
you’re not a bot).
Configure:
In Azure ensure the following settings are correct for your application:
- Sign-on URL - should be https://yourdomain.com/user/login (replacing with, er, your domain).
- Reply URL - should be https://yourdomain.com/adfs/signin/ (make sure you include the trailing slash).
On the machine hosting your instance of CKAN:
Ensure all the requirements are installed (see requirements.txt for further
details).
In your CKAN’s settings.ini