We just released ckanext-saml2auth, a new plugin for CKAN! This extension enables Single Sign On (SSO) for CKAN data portals via SAML2 Authentication. It works with CKAN 2.9+, and can easily be installed on your existing CKAN data portal.

How does SSO work?

For those who are not already familiar with Single Sign On, it works by transferring the user’s identity from one place to another. It offers a few advantages over using a username/password to log into an account, such as:

  • It saves time – You don’t have to type in credentials each time to log in
  • It’s convenient – You won’t have to remember your password (or use the forgot password option)
  • Offers security – Your account is safer and you don’t need to worry about using a weak password

How to set up SSO with our SAML2 plugin

Now let’s go over the installation process for ckanext-saml2auth:

  1. Install the required packages:
     sudo apt install xmlsec1
  2. Activate your CKAN virtual environment, for example:
     . /usr/lib/ckan/default/bin/activate
  3. Install the ckanext-saml2auth Python package into your virtual environment:
     pip install ckanext-saml2auth
  4. Install the Python modules required by the extension (adjusting the path according to where ckanext-saml2auth was installed in the previous step):
     pip install -r requirements.txt
  5. Add saml2auth to the ckan.plugins setting in your CKAN config file (by default the config file is located at /etc/ckan/default/ckan.ini).
  6. Restart CKAN. For example, if you’ve deployed CKAN with Apache on Ubuntu:
     sudo service apache2 reload

Required Config settings:

Make sure all of the required config settings are set.

# Specifies the metadata location type
# Options: local or remote
ckanext.saml2auth.idp_metadata.location = remote

# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set to: remote
ckanext.saml2auth.idp_metadata.local_path = /opt/metadata/idp.xml

# A remote URL serving aggregate metadata
# Ignore this config if the idp metadata location is set to: local
ckanext.saml2auth.idp_metadata.remote_url = https://kalmar2.org/simplesaml/module.php/aggregator/?id=kalmarcentral2&set=saml2

# Path to a local file accessible on the server the service runs on
# Ignore this config if the idp metadata location is set to: local
ckanext.saml2auth.idp_metadata.remote_cert = /opt/metadata/kalmar2.cert

# Corresponding SAML user field for firstname
ckanext.saml2auth.user_firstname = firstname

# Corresponding SAML user field for lastname
ckanext.saml2auth.user_lastname = lastname

# Corresponding SAML user field for email
ckanext.saml2auth.user_email = email
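
The following added example, which is not code from this post or from ckanext-saml2auth, checks a CKAN ini file for the settings listed above before CKAN is restarted. The function name check_saml2auth_config, the [app:main] section name, the sample plugin list and the HTTPS-only rule for the metadata URL are assumptions of the example.

```python
import configparser
import os
from urllib.parse import urlparse

PREFIX = "ckanext.saml2auth."

# Constructed sample, using the values shown in the settings above.
SAMPLE_INI = """
[app:main]
ckan.plugins = stats text_view saml2auth
ckanext.saml2auth.idp_metadata.location = remote
ckanext.saml2auth.idp_metadata.remote_url = https://kalmar2.org/simplesaml/module.php/aggregator/?id=kalmarcentral2&set=saml2
ckanext.saml2auth.idp_metadata.remote_cert = /opt/metadata/kalmar2.cert
ckanext.saml2auth.user_firstname = firstname
ckanext.saml2auth.user_lastname = lastname
ckanext.saml2auth.user_email = email
"""

def check_saml2auth_config(ini_text, file_exists=os.path.isfile):
    """Return a list of problems in the saml2auth settings of a CKAN ini."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    # Assumption: the settings live in [app:main], as in a default ckan.ini.
    cfg = parser["app:main"] if parser.has_section("app:main") else {}
    problems = []
    if "saml2auth" not in cfg.get("ckan.plugins", "").split():
        problems.append("saml2auth is missing from ckan.plugins")
    location = cfg.get(PREFIX + "idp_metadata.location", "")
    if location == "local":
        if not file_exists(cfg.get(PREFIX + "idp_metadata.local_path", "")):
            problems.append("idp_metadata.local_path is not an existing file")
    elif location == "remote":
        url = urlparse(cfg.get(PREFIX + "idp_metadata.remote_url", ""))
        # This example's own policy: fetch IdP metadata over HTTPS only.
        if url.scheme != "https" or not url.netloc:
            problems.append("idp_metadata.remote_url is not an https:// URL")
        if not file_exists(cfg.get(PREFIX + "idp_metadata.remote_cert", "")):
            problems.append("idp_metadata.remote_cert is not an existing file")
    else:
        problems.append("idp_metadata.location must be 'local' or 'remote'")
    for field in ("user_firstname", "user_lastname", "user_email"):
        if not cfg.get(PREFIX + field, "").strip():
            problems.append(field + " has no SAML attribute mapped")
    return problems

if __name__ == "__main__":
    # File checks are stubbed here so the sample runs on any machine.
    for problem in check_saml2auth_config(SAMPLE_INI, lambda p: True) or ["OK"]:
        print(problem)
```

On a real server, pass the text of /etc/ckan/default/ckan.ini and leave file_exists at its default so the metadata and certificate paths are checked on disk.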

And that’s it. For developer installation instructions, visit our GitHub page. If you need any help setting up the SAML2 plugin, please reach out; our team would be happy to help.
