Django SSO: Setting Up an SSO Server with django-simple-sso

What Is Django? 

Django is a high-level Python web framework that promotes swift development and clean, pragmatic design. Its goal is to provide the infrastructure required for web development, allowing you to focus on writing your app. It’s free and open source, supported by a large community of developers. 

Django follows a “batteries included” philosophy. It provides many features, like authentication and messaging, out of the box, without requiring you to install separate libraries. Django also provides scalability, allowing developers to build high-performing, elegant web applications that can scale to handle large amounts of traffic. When it comes to security, Django helps developers avoid common security weaknesses, such as cross-site scripting, SQL injection, and clickjacking.

When it comes to single sign on (SSO), Django does not provide a built-in module, but there are several open source libraries you can use to extend its functionality and provide SSO to your users. We’ll focus on one of these, called django-simple-sso.

Importance of SSO in Django Applications 

Here are a few reasons you should consider implementing SSO in your Django application:

• Improve security: SSO allows users to access multiple applications with one set of login credentials. SSO can be a game-changer in terms of security, eliminating the need for multiple usernames and passwords, and reducing the risk of password-related breaches.
• Separating authentication from your app: SSO implementation ensures that authentication is handled by a dedicated system, separate from the application. This segregation means that even if your application is compromised, the attacker will not gain access to your users’ login credentials.
• Enhanced user experience: With SSO, users need to remember just one set of credentials, no matter how many applications they are using. This makes their experience smoother and more enjoyable. This is especially beneficial in enterprise settings, where users typically interact with multiple applications run by the same organization.
• Streamlining authentication processes: With traditional authentication systems, developers need to create separate login systems for each application. However, with SSO, you only need to have one authentication system that can be reused across multiple applications.
• Reduced administrative overhead: With SSO, administrators only need to manage a single set of credentials for each user, irrespective of the number of applications they have access to. Administrators can centrally manage access levels for users, and it becomes much easier to manage password resets and troubleshoot authentication issues.

What Is django-simple-sso? 

django-simple-sso is an open-source library designed to integrate Single Sign-On (SSO) functionality into Django applications. It serves as a bridge between a Django server, which acts as the SSO provider, and one or more Django clients, which utilize the SSO service for authentication. The primary components of django-simple-sso are the Server, which holds user information and handles authentication, and the Client, a Django website that facilitates login via SSO using the Server.

django-simple-sso manages user authentication centrally at the Server level, thereby simplifying the login process across multiple Client applications. The library uses a combination of a public ‘Key’ for identifying a Client and a private ‘Secret’ for secure communication between the Server and each Client. These mechanisms ensure that user credentials and authentication processes are handled securely and efficiently.

Django-simple-sso ensures secure communication by using HMAC-SHA256 for signing all requests, ensuring the integrity and authenticity of the data exchanged between the Server and Clients. Each request is accompanied by a signature, created using the Secret key, which the Server verifies to authenticate the request.

Here is how django-simple-sso’s authentication workflow works:

1. When a user wishes to log into a Client application, they are redirected to the Server for authentication. 
2. The Server then generates a Request Token and an Auth Token, which are used to validate the user’s identity and session. 
3. After successful authentication, the Server returns a serialized Django User object to the Client, enabling the Client to log the user in. 

This process ensures that the user’s login credentials remain secure and are not directly handled by the Client applications.

Tutorial: Implementing SSO in Django Applications With django-simple-sso

Set Up the Server Side

Here is how to set up the server side. The server will handle authentication for all the client apps:

1. Install django-simple-sso on the server using the following command:

pip install django-simple-sso

2. Run the following command to define application details for each client and store the user tokens:

python manage.py migrate

3. Set the environment variable DJANGO_SETTINGS_MODULE, or call the function settings.configure().

4. Create the public key and private key for each application using this code:

from simple_sso.sso_server.models import Token, Consumer
Consumer.objects.create(public_key='client_app_public_key', 
private_key='client_app_private_key', name='app_name')

5. Add simple_sso.sso_server to INSTALLED_APPS in your Django Project’s settings.py configuration.

6. Start the server.

7. Add the following url patterns to the urls.py file:

from simple_sso.sso_server.server import Server
my_server = Server()
urlpatterns += [
url(r'^server/', include(my_server.get_urls())),
]

Set Up the Client Side

Here is how to set up the client side for one of your applications:

1. Install django-simple-sso on the machine running your client app, as shown above.
2. Add a public key, private key, and server url to application settings:

SSO_PRIVATE_KEY = 'app_private_key'
SSO_PUBLIC_KEY = 'app-public-key'
SSO_SERVER = 'server-url'

3. Initialize the client and add the following urls patterns to your application urls:

from simple_sso.sso_client.client import Client
my_client_1 = Client(settings.SSO_SERVER, 
settings.SSO_PUBLIC_KEY, settings.SSO_PRIVATE_KEY)
url(r’^client/’, include(my_client_1.get_urls())),

Try to create at least two applications using the process above, setting a different hostname for each application via the /etc/hosts file.

Test that SSO Authentication Works

To test your Django SSO authentication process works, do the following:

1. Access the first application, it should require authentication
2. Log in using the correct user credentials
3. Access the second application
4. You should be logged in immediately via the SSO server without having to enter credentials.

Limitations of the Django-simple-sso Library

Scalability and Performance

Django-simple-sso is designed to handle single sign-on within Django applications efficiently. However, its scalability can be a challenge in large-scale deployments. As the number of client applications increases, the server may experience higher loads during peak authentication periods. Additionally, the server-based architecture means that all authentication requests must pass through a central server, which could become a bottleneck if not adequately scaled.

Security

While django-simple-sso provides a robust mechanism for secure communication using HMAC-SHA256, its security is highly dependent on the proper management of keys and the overall configuration. If the secret keys are compromised, malicious entities could potentially impersonate legitimate clients or intercept authentication data. Moreover, since django-simple-sso centralizes authentication, the security of the entire system is reliant on the security of the server. Any vulnerabilities in the server’s setup or in the way it handles requests can expose all connected clients to risks.

Integration with Non-Django Systems

Django-simple-sso is specifically tailored for Django applications, which means integration with non-Django systems can be complex and sometimes unfeasible without additional customization. Organizations using a diverse set of technologies may find it challenging to implement django-simple-sso across all platforms. This limitation could require additional development work to create compatible interfaces or might necessitate the use of additional bridging technologies to ensure seamless SSO functionality across different systems.

Feature Set

While django-simple-sso covers the fundamental aspects of SSO, its feature set might be limited compared to more comprehensive SSO solutions like OAuth2 or OpenID Connect. For example, it lacks built-in support for multi-factor authentication (MFA), detailed logging for security audits, or advanced user session management features such as session revocation or timeout controls. These features are often crucial for enterprises requiring rigorous security standards and granular control over user sessions and authentication mechanisms.

Django SSO with Frontegg 

Frontegg is a user management solution with full support for Django. Once you integrate Frontegg’s self-served user management solution, your customers can configure their SSO completely on their own with just a few lines of code. The single sign-on can be integrated with IDPs with commonly-used protocols like OIDC and SAML. Yes, you can implement social login SSOs as well. The front end has been taken care of as well. 

You can leverage all of Frontegg’s SSO components and personalize your SaaS offering with a login box builder. This embeddable box reduces implementation times as no in-house development is required. Users can authenticate smoothly and gain quick access to the app, without waiting for product updates and fixes. A true end-to-end SSO solution for SaaS apps and services.

Learn more about Frontegg for authentication