authentik.providers.saml.models
authentik SAML Provider Models
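"""authentik SAML Provider Models

Django models behind the SAML 2.0 provider: the per-Service-Provider
configuration (``SAMLProvider``), the property mappings that produce SAML
attributes (``SAMLPropertyMapping``), the metadata-import pseudo-provider
(``SAMLProviderImportModel``) and the session records kept for Single Logout
(``SAMLSession``). This module holds configuration and bookkeeping only;
request and response processing is not defined here.
"""

from uuid import uuid4

from django.db import models
from django.templatetags.static import static
from django.urls import reverse
from django.utils.translation import gettext_lazy as _
from rest_framework.serializers import Serializer
from structlog.stdlib import get_logger

from authentik.common.saml.constants import (
    DSA_SHA1,
    ECDSA_SHA1,
    ECDSA_SHA256,
    ECDSA_SHA384,
    ECDSA_SHA512,
    RSA_SHA1,
    RSA_SHA256,
    RSA_SHA384,
    RSA_SHA512,
    SHA1,
    SHA256,
    SHA384,
    SHA512,
)
from authentik.core.api.object_types import CreatableType
from authentik.core.models import (
    AuthenticatedSession,
    ExpiringModel,
    PropertyMapping,
    Provider,
    User,
)
from authentik.crypto.models import CertificateKeyPair
from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel
from authentik.lib.utils.time import timedelta_string_validator
from authentik.sources.saml.models import SAMLNameIDPolicy

# Module logger. Not used by anything in this file; kept because other modules
# may import it from here.
LOGGER = get_logger()


class SAMLBindings(models.TextChoices):
    """SAML Bindings supported by authentik

    Stored as the plain string value ("redirect" / "post"). Used as the choice
    set of ``SAMLProvider.sp_binding`` and ``SAMLProvider.sls_binding``.
    """

    REDIRECT = "redirect"
    POST = "post"


class SAMLLogoutMethods(models.TextChoices):
    """SAML Logout methods supported by authentik

    Choice set of ``SAMLProvider.logout_method``; see that field's help text
    for what each method does.
    """

    FRONTCHANNEL_IFRAME = "frontchannel_iframe"
    FRONTCHANNEL_NATIVE = "frontchannel_native"
    BACKCHANNEL = "backchannel"


class SAMLProvider(Provider):
    """SAML 2.0 Endpoint for applications which support SAML.

    One row per Service Provider (SP) that authentik acts as Identity Provider
    for: where responses and logout messages are sent, which keypairs sign,
    verify and decrypt them, and how long assertions and sessions stay valid.
    """

    # Assertion Consumer Service endpoint of the SP. The validator restricts
    # the scheme to http/https; DomainlessURLValidator presumably relaxes the
    # hostname requirement of Django's URLValidator — see its definition.
    acs_url = models.TextField(
        validators=[DomainlessURLValidator(schemes=("http", "https"))], verbose_name=_("ACS URL")
    )
    # Binding used to deliver the SSO response (see SAMLBindings); HTTP-Redirect by default.
    sp_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("Service Provider Binding"),
        help_text=_(
            "This determines how authentik sends the response back to the Service Provider."
        ),
    )
    # Value of the assertion's AudienceRestriction; an empty string omits it.
    audience = models.TextField(
        default="",
        blank=True,
        help_text=_(
            "Value of the audience restriction field of the assertion. When left empty, "
            "no audience restriction will be added."
        ),
    )
    # IdP EntityID presented to the SP. The literal default "authentik" is
    # shared by every provider that does not override it.
    issuer = models.TextField(help_text=_("Also known as EntityID"), default="authentik")
    # Single Logout Service endpoint of the SP; optional (blank=True).
    sls_url = models.TextField(
        blank=True,
        validators=[DomainlessURLValidator(schemes=("http", "https"))],
        verbose_name=_("SLS URL"),
        help_text=_("Single Logout Service URL where the logout response should be sent."),
    )
    # Binding used to deliver the logout response (see SAMLBindings).
    sls_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("SLS Binding"),
        help_text=_(
            "This determines how authentik sends the logout response back to the Service Provider."
        ),
    )
    # How logout is propagated to this SP. The help text says BACKCHANNEL
    # requires the POST SLS binding, but nothing in this model enforces that
    # combination — presumably validated in the serializer/form; confirm.
    logout_method = models.TextField(
        choices=SAMLLogoutMethods.choices,
        default=SAMLLogoutMethods.FRONTCHANNEL_IFRAME,
        help_text=_(
            "Method to use for logout. Front-channel iframe loads all logout URLs simultaneously "
            "in hidden iframes. Front-channel native uses your active browser tab to send post "
            "requests and redirect to providers. "
            "Back-channel sends logout requests directly from the server without "
            "user interaction (requires POST SLS binding)."
        ),
    )
    # Optional mapping producing the NameID. Referenced by label because
    # SAMLPropertyMapping is defined further down. on_delete=SET_DEFAULT with
    # default=None behaves like SET_NULL: deleting the mapping clears the field.
    name_id_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("NameID Property Mapping"),
        help_text=_(
            "Configure how the NameID value will be created. When left empty, "
            "the NameIDPolicy of the incoming request will be considered"
        ),
    )
    # Same pattern for the AuthnContextClassRef. related_name="+" suppresses
    # the reverse accessor so the two FKs to the same model do not clash.
    authn_context_class_ref_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("AuthnContextClassRef Property Mapping"),
        related_name="+",
        help_text=_(
            "Configure how the AuthnContextClassRef value will be created. When left empty, "
            "the AuthnContextClassRef will be set based on which authentication methods the user "
            "used to authenticate."
        ),
    )

    # Assertion validity window, as offsets from "now" in the string format
    # checked by timedelta_string_validator. The negative NotBefore default
    # makes the assertion valid five minutes early — presumably to tolerate
    # clock skew between authentik and the SP.
    assertion_valid_not_before = models.TextField(
        default="minutes=-5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion valid not before current time + this value "
            "(Format: hours=-1;minutes=-2;seconds=-3)."
        ),
    )
    assertion_valid_not_on_or_after = models.TextField(
        default="minutes=5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # Offset for SessionNotOnOrAfter. Mind the unit: 86400 *minutes*
    # (60 days), not seconds.
    session_valid_not_on_or_after = models.TextField(
        default="minutes=86400",
        validators=[timedelta_string_validator],
        help_text=_(
            "Session not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # XML-DSig digest and signature methods. Defaults are the SHA-256 variants;
    # the SHA-1 and DSA-SHA1 entries remain selectable (presumably for legacy
    # SPs). NOTE(review): nothing here warns when a SHA-1 based choice is
    # picked; consider whether these still need to be offered.
    digest_algorithm = models.TextField(
        choices=(
            (SHA1, _("SHA1")),
            (SHA256, _("SHA256")),
            (SHA384, _("SHA384")),
            (SHA512, _("SHA512")),
        ),
        default=SHA256,
    )
    signature_algorithm = models.TextField(
        choices=(
            (RSA_SHA1, _("RSA-SHA1")),
            (RSA_SHA256, _("RSA-SHA256")),
            (RSA_SHA384, _("RSA-SHA384")),
            (RSA_SHA512, _("RSA-SHA512")),
            (ECDSA_SHA1, _("ECDSA-SHA1")),
            (ECDSA_SHA256, _("ECDSA-SHA256")),
            (ECDSA_SHA384, _("ECDSA-SHA384")),
            (ECDSA_SHA512, _("ECDSA-SHA512")),
            (DSA_SHA1, _("DSA-SHA1")),
        ),
        default=RSA_SHA256,
    )

    # Certificate used to verify signatures on incoming messages. Per the help
    # text, leaving it unset means unsigned requests are accepted — a
    # security-relevant default that should be set consciously per SP. The
    # help text mixes "assertion's Signatures" and "Requests"; which incoming
    # message is actually checked is decided by the request handling code.
    verification_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertion's Signatures will be validated against this "
            "certificate. To allow unsigned Requests, leave on default."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Verification Certificate"),
        related_name="+",
    )
    # Keypair that signs outgoing messages. Nullable, and the sign_* flags
    # below do not require it to be set — presumably the signing code has to
    # cope with a missing keypair; confirm.
    signing_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_("Keypair used to sign outgoing Responses going to the Service Provider."),
        on_delete=models.SET_NULL,
        verbose_name=_("Signing Keypair"),
    )
    # Keypair for assertion encryption. NOTE(review): the help text reads
    # "the the private key" and is phrased from the SP's point of view even
    # though authentik is the IdP here; fixing it alters a field attribute and
    # therefore needs a migration, so it is left untouched in this change.
    encryption_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertions are encrypted by the IdP using the public "
            "key of the encryption keypair. The assertion is decrypted by the SP using the "
            "the private key."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Encryption Keypair"),
        related_name="+",
    )

    # RelayState sent with IdP-initiated logins (see launch_url).
    default_relay_state = models.TextField(
        default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
    )
    # NameID format choices are shared with the SAML source; presumably used
    # when neither the request nor name_id_mapping decides — confirm.
    default_name_id_policy = models.TextField(
        choices=SAMLNameIDPolicy.choices, default=SAMLNameIDPolicy.UNSPECIFIED
    )

    # Which outgoing messages are signed. Only the assertion is signed by
    # default; the response envelope and both logout messages are not.
    sign_assertion = models.BooleanField(default=True)
    sign_response = models.BooleanField(default=False)
    sign_logout_request = models.BooleanField(default=False)
    sign_logout_response = models.BooleanField(default=False)

    @property
    def launch_url(self) -> str | None:
        """Use IDP-Initiated SAML flow as launch URL

        Returns the ``sso-init`` route for the linked application, or None
        when no application points at this provider yet (``application`` is
        presumably the reverse side of a one-to-one, whose accessor raises
        RelatedObjectDoesNotExist).
        """
        try:
            return reverse(
                "authentik_providers_saml:sso-init",
                kwargs={"application_slug": self.application.slug},
            )
        except Provider.application.RelatedObjectDoesNotExist:
            return None

    @property
    def icon_url(self) -> str | None:
        """Static icon shown in the UI; reuses the SAML source's image."""
        return static("authentik/sources/saml.png")

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model

        Imported lazily, presumably to avoid an import cycle with the API
        package (which imports these models) — confirm before hoisting.
        """
        from authentik.providers.saml.api.providers import SAMLProviderSerializer

        return SAMLProviderSerializer

    @property
    def component(self) -> str:
        """Web component rendering this provider's edit form."""
        return "ak-provider-saml-form"

    def __str__(self):
        return f"SAML Provider {self.name}"

    class Meta:
        verbose_name = _("SAML Provider")
        verbose_name_plural = _("SAML Providers")


class SAMLPropertyMapping(PropertyMapping):
    """Map User/Group attribute to SAML Attribute, which can be used by the Service Provider

    ``saml_name`` is the attribute Name sent to the SP; ``friendly_name`` is
    optional and may be stored as NULL (default) or as an empty string.
    """

    # verbose_name is a plain string here, unlike the translated labels used
    # on the other models in this module.
    saml_name = models.TextField(verbose_name="SAML Name")
    friendly_name = models.TextField(default=None, blank=True, null=True)

    @property
    def component(self) -> str:
        """Web component rendering this mapping's edit form."""
        return "ak-property-mapping-provider-saml-form"

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model

        Imported lazily, presumably to avoid an import cycle with the API
        package — confirm before hoisting.
        """
        from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingSerializer

        return SAMLPropertyMappingSerializer

    def __str__(self):
        # friendly_name is nullable (default None) and may also be "", so test
        # truthiness instead of `!= ""`; the old comparison rendered an unset
        # friendly name as "<name> (None)".
        name = self.friendly_name or self.saml_name
        return f"{self.name} ({name})"

    class Meta:
        verbose_name = _("SAML Provider Property Mapping")
        verbose_name_plural = _("SAML Provider Property Mappings")


class SAMLProviderImportModel(CreatableType, Provider):
    """Create a SAML Provider by importing its Metadata.

    Abstract (no table): exists only so the UI can offer "from metadata" as a
    creatable provider type alongside the regular form. The import logic is
    not defined here; CreatableType presumably supplies the type listing —
    see authentik.core.api.object_types.
    """

    @property
    def component(self) -> str:
        """Web component rendering the metadata-import form."""
        return "ak-provider-saml-import-form"

    @property
    def icon_url(self) -> str | None:
        """Same icon as SAMLProvider."""
        return static("authentik/sources/saml.png")

    class Meta:
        abstract = True
        verbose_name = _("SAML Provider from Metadata")
        verbose_name_plural = _("SAML Providers from Metadata")


class SAMLSession(InternallyManagedMixin, SerializerModel, ExpiringModel):
    """Track active SAML sessions for Single Logout support

    One row per (provider, SessionIndex) issued to an SP, linked to the
    authentik AuthenticatedSession it was created from. Every foreign key
    cascades, so deleting the provider, the user or the underlying
    authenticated session also removes this record. Expiry handling comes
    from ExpiringModel (its fields are not visible in this module).
    """

    # Random primary key; unrelated to the SP-facing SessionIndex below.
    saml_session_id = models.UUIDField(default=uuid4, primary_key=True)
    provider = models.ForeignKey(SAMLProvider, on_delete=models.CASCADE)
    user = models.ForeignKey(User, verbose_name=_("User"), on_delete=models.CASCADE)
    session = models.ForeignKey(
        AuthenticatedSession,
        on_delete=models.CASCADE,
        help_text=_("Link to the user's authenticated session"),
    )
    # SessionIndex as sent to the SP; unique per provider (see Meta).
    session_index = models.TextField(help_text=_("SAML SessionIndex for this session"))
    # NameID (and optional format) issued for this login — presumably kept so a
    # later LogoutRequest can reference the same subject; confirm in the
    # logout code.
    name_id = models.TextField(help_text=_("SAML NameID value for this session"))
    name_id_format = models.TextField(default="", blank=True, help_text=_("SAML NameID format"))
    # Set once on insert.
    created = models.DateTimeField(auto_now_add=True)

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model

        Imported lazily, presumably to avoid an import cycle with the API
        package — confirm before hoisting.
        """
        from authentik.providers.saml.api.sessions import SAMLSessionSerializer

        return SAMLSessionSerializer

    def __str__(self):
        # Uses the raw *_id columns so rendering does not load related rows.
        return f"SAML Session for provider {self.provider_id} and user {self.user_id}"

    class Meta:
        verbose_name = _("SAML Session")
        verbose_name_plural = _("SAML Sessions")
        unique_together = [("session_index", "provider")]
        indexes = [
            models.Index(fields=["session_index"]),
            models.Index(fields=["provider", "user"]),
            models.Index(fields=["session"]),
        ]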
class SAMLBindings(models.TextChoices):
    """SAML Bindings supported by authentik

    Stored as the plain string value ("redirect" / "post"). Used as the choice
    set of ``SAMLProvider.sp_binding`` and ``SAMLProvider.sls_binding``.
    """

    REDIRECT = "redirect"
    POST = "post"
SAML Bindings supported by authentik
class SAMLLogoutMethods(models.TextChoices):
    """SAML Logout methods supported by authentik

    Choice set of ``SAMLProvider.logout_method``; see that field's help text
    for what each method does.
    """

    FRONTCHANNEL_IFRAME = "frontchannel_iframe"
    FRONTCHANNEL_NATIVE = "frontchannel_native"
    BACKCHANNEL = "backchannel"
SAML Logout methods supported by authentik
class SAMLProvider(Provider):
    """SAML 2.0 Endpoint for applications which support SAML.

    One row per Service Provider (SP) that authentik acts as Identity Provider
    for: where responses and logout messages are sent, which keypairs sign,
    verify and decrypt them, and how long assertions and sessions stay valid.
    """

    # Assertion Consumer Service endpoint of the SP. The validator restricts
    # the scheme to http/https; DomainlessURLValidator presumably relaxes the
    # hostname requirement of Django's URLValidator — see its definition.
    acs_url = models.TextField(
        validators=[DomainlessURLValidator(schemes=("http", "https"))], verbose_name=_("ACS URL")
    )
    # Binding used to deliver the SSO response (see SAMLBindings); HTTP-Redirect by default.
    sp_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("Service Provider Binding"),
        help_text=_(
            "This determines how authentik sends the response back to the Service Provider."
        ),
    )
    # Value of the assertion's AudienceRestriction; an empty string omits it.
    audience = models.TextField(
        default="",
        blank=True,
        help_text=_(
            "Value of the audience restriction field of the assertion. When left empty, "
            "no audience restriction will be added."
        ),
    )
    # IdP EntityID presented to the SP. The literal default "authentik" is
    # shared by every provider that does not override it.
    issuer = models.TextField(help_text=_("Also known as EntityID"), default="authentik")
    # Single Logout Service endpoint of the SP; optional (blank=True).
    sls_url = models.TextField(
        blank=True,
        validators=[DomainlessURLValidator(schemes=("http", "https"))],
        verbose_name=_("SLS URL"),
        help_text=_("Single Logout Service URL where the logout response should be sent."),
    )
    # Binding used to deliver the logout response (see SAMLBindings).
    sls_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("SLS Binding"),
        help_text=_(
            "This determines how authentik sends the logout response back to the Service Provider."
        ),
    )
    # How logout is propagated to this SP. The help text says BACKCHANNEL
    # requires the POST SLS binding, but nothing in this model enforces that
    # combination — presumably validated in the serializer/form; confirm.
    logout_method = models.TextField(
        choices=SAMLLogoutMethods.choices,
        default=SAMLLogoutMethods.FRONTCHANNEL_IFRAME,
        help_text=_(
            "Method to use for logout. Front-channel iframe loads all logout URLs simultaneously "
            "in hidden iframes. Front-channel native uses your active browser tab to send post "
            "requests and redirect to providers. "
            "Back-channel sends logout requests directly from the server without "
            "user interaction (requires POST SLS binding)."
        ),
    )
    # Optional mapping producing the NameID. Referenced by label because
    # SAMLPropertyMapping is defined further down. on_delete=SET_DEFAULT with
    # default=None behaves like SET_NULL: deleting the mapping clears the field.
    name_id_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("NameID Property Mapping"),
        help_text=_(
            "Configure how the NameID value will be created. When left empty, "
            "the NameIDPolicy of the incoming request will be considered"
        ),
    )
    # Same pattern for the AuthnContextClassRef. related_name="+" suppresses
    # the reverse accessor so the two FKs to the same model do not clash.
    authn_context_class_ref_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("AuthnContextClassRef Property Mapping"),
        related_name="+",
        help_text=_(
            "Configure how the AuthnContextClassRef value will be created. When left empty, "
            "the AuthnContextClassRef will be set based on which authentication methods the user "
            "used to authenticate."
        ),
    )

    # Assertion validity window, as offsets from "now" in the string format
    # checked by timedelta_string_validator. The negative NotBefore default
    # makes the assertion valid five minutes early — presumably to tolerate
    # clock skew between authentik and the SP.
    assertion_valid_not_before = models.TextField(
        default="minutes=-5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion valid not before current time + this value "
            "(Format: hours=-1;minutes=-2;seconds=-3)."
        ),
    )
    assertion_valid_not_on_or_after = models.TextField(
        default="minutes=5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # Offset for SessionNotOnOrAfter. Mind the unit: 86400 *minutes*
    # (60 days), not seconds.
    session_valid_not_on_or_after = models.TextField(
        default="minutes=86400",
        validators=[timedelta_string_validator],
        help_text=_(
            "Session not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # XML-DSig digest and signature methods. Defaults are the SHA-256 variants;
    # the SHA-1 and DSA-SHA1 entries remain selectable (presumably for legacy
    # SPs). NOTE(review): nothing here warns when a SHA-1 based choice is
    # picked; consider whether these still need to be offered.
    digest_algorithm = models.TextField(
        choices=(
            (SHA1, _("SHA1")),
            (SHA256, _("SHA256")),
            (SHA384, _("SHA384")),
            (SHA512, _("SHA512")),
        ),
        default=SHA256,
    )
    signature_algorithm = models.TextField(
        choices=(
            (RSA_SHA1, _("RSA-SHA1")),
            (RSA_SHA256, _("RSA-SHA256")),
            (RSA_SHA384, _("RSA-SHA384")),
            (RSA_SHA512, _("RSA-SHA512")),
            (ECDSA_SHA1, _("ECDSA-SHA1")),
            (ECDSA_SHA256, _("ECDSA-SHA256")),
            (ECDSA_SHA384, _("ECDSA-SHA384")),
            (ECDSA_SHA512, _("ECDSA-SHA512")),
            (DSA_SHA1, _("DSA-SHA1")),
        ),
        default=RSA_SHA256,
    )

    # Certificate used to verify signatures on incoming messages. Per the help
    # text, leaving it unset means unsigned requests are accepted — a
    # security-relevant default that should be set consciously per SP. The
    # help text mixes "assertion's Signatures" and "Requests"; which incoming
    # message is actually checked is decided by the request handling code.
    verification_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertion's Signatures will be validated against this "
            "certificate. To allow unsigned Requests, leave on default."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Verification Certificate"),
        related_name="+",
    )
    # Keypair that signs outgoing messages. Nullable, and the sign_* flags
    # below do not require it to be set — presumably the signing code has to
    # cope with a missing keypair; confirm.
    signing_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_("Keypair used to sign outgoing Responses going to the Service Provider."),
        on_delete=models.SET_NULL,
        verbose_name=_("Signing Keypair"),
    )
    # Keypair for assertion encryption. NOTE(review): the help text reads
    # "the the private key" and is phrased from the SP's point of view even
    # though authentik is the IdP here; fixing it alters a field attribute and
    # therefore needs a migration.
    encryption_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertions are encrypted by the IdP using the public "
            "key of the encryption keypair. The assertion is decrypted by the SP using the "
            "the private key."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Encryption Keypair"),
        related_name="+",
    )

    # RelayState sent with IdP-initiated logins (see launch_url).
    default_relay_state = models.TextField(
        default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
    )
    # NameID format choices are shared with the SAML source; presumably used
    # when neither the request nor name_id_mapping decides — confirm.
    default_name_id_policy = models.TextField(
        choices=SAMLNameIDPolicy.choices, default=SAMLNameIDPolicy.UNSPECIFIED
    )

    # Which outgoing messages are signed. Only the assertion is signed by
    # default; the response envelope and both logout messages are not.
    sign_assertion = models.BooleanField(default=True)
    sign_response = models.BooleanField(default=False)
    sign_logout_request = models.BooleanField(default=False)
    sign_logout_response = models.BooleanField(default=False)

    @property
    def launch_url(self) -> str | None:
        """Use IDP-Initiated SAML flow as launch URL

        Returns the ``sso-init`` route for the linked application, or None
        when no application points at this provider yet (``application`` is
        presumably the reverse side of a one-to-one, whose accessor raises
        RelatedObjectDoesNotExist).
        """
        try:
            return reverse(
                "authentik_providers_saml:sso-init",
                kwargs={"application_slug": self.application.slug},
            )
        except Provider.application.RelatedObjectDoesNotExist:
            return None

    @property
    def icon_url(self) -> str | None:
        """Static icon shown in the UI; reuses the SAML source's image."""
        return static("authentik/sources/saml.png")

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model

        Imported lazily, presumably to avoid an import cycle with the API
        package (which imports these models) — confirm before hoisting.
        """
        from authentik.providers.saml.api.providers import SAMLProviderSerializer

        return SAMLProviderSerializer

    @property
    def component(self) -> str:
        """Web component rendering this provider's edit form."""
        return "ak-provider-saml-form"

    def __str__(self):
        return f"SAML Provider {self.name}"

    class Meta:
        verbose_name = _("SAML Provider")
        verbose_name_plural = _("SAML Providers")
SAML 2.0 Endpoint for applications which support SAML.
@property
def launch_url(self) -> str | None:
    """Use IDP-Initiated SAML flow as launch URL

    Resolves the ``sso-init`` route for the application attached to this
    provider. Returns None when no application is linked yet — ``application``
    is presumably the reverse side of a one-to-one, whose accessor raises
    RelatedObjectDoesNotExist in that case.
    """
    try:
        app_slug = self.application.slug
    except Provider.application.RelatedObjectDoesNotExist:
        return None
    return reverse("authentik_providers_saml:sso-init", kwargs={"application_slug": app_slug})
Use IDP-Initiated SAML flow as launch URL
@property
def serializer(self) -> type[Serializer]:
    """Get serializer for this model

    The API module is imported inside the property rather than at module
    level — presumably because the API package imports these models and a
    top-level import would form a cycle; confirm before hoisting.
    """
    from authentik.providers.saml.api.providers import SAMLProviderSerializer as serializer_class

    return serializer_class
Get serializer for this model
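class SAMLPropertyMapping(PropertyMapping):
    """Map User/Group attribute to SAML Attribute, which can be used by the Service Provider

    ``saml_name`` is the attribute Name sent to the SP; ``friendly_name`` is
    optional and may be stored as NULL (default) or as an empty string.
    """

    # verbose_name is a plain string here, unlike the translated labels used
    # on the other models in this module.
    saml_name = models.TextField(verbose_name="SAML Name")
    friendly_name = models.TextField(default=None, blank=True, null=True)

    @property
    def component(self) -> str:
        """Web component rendering this mapping's edit form."""
        return "ak-property-mapping-provider-saml-form"

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model

        Imported lazily, presumably to avoid an import cycle with the API
        package — confirm before hoisting.
        """
        from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingSerializer

        return SAMLPropertyMappingSerializer

    def __str__(self):
        # friendly_name is nullable (default None) and may also be "", so test
        # truthiness instead of `!= ""`; the old comparison rendered an unset
        # friendly name as "<name> (None)".
        name = self.friendly_name or self.saml_name
        return f"{self.name} ({name})"

    class Meta:
        verbose_name = _("SAML Provider Property Mapping")
        verbose_name_plural = _("SAML Provider Property Mappings")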
Map User/Group attribute to SAML Attribute, which can be used by the Service Provider
@property
def serializer(self) -> type[Serializer]:
    """Get serializer for this model

    Imported inside the property rather than at module level — presumably
    because the API package imports these models and a top-level import
    would form a cycle; confirm before hoisting.
    """
    from authentik.providers.saml.api.property_mappings import (
        SAMLPropertyMappingSerializer as serializer_class,
    )

    return serializer_class
Get serializer for this model
class SAMLProviderImportModel(CreatableType, Provider):
    """Create a SAML Provider by importing its Metadata.

    Abstract (no table): exists only so the UI can offer "from metadata" as a
    creatable provider type alongside the regular form. The import logic is
    not defined here; CreatableType presumably supplies the type listing —
    see authentik.core.api.object_types.
    """

    @property
    def component(self) -> str:
        """Web component rendering the metadata-import form."""
        return "ak-provider-saml-import-form"

    @property
    def icon_url(self) -> str | None:
        """Same icon as SAMLProvider."""
        return static("authentik/sources/saml.png")

    class Meta:
        abstract = True
        verbose_name = _("SAML Provider from Metadata")
        verbose_name_plural = _("SAML Providers from Metadata")
Create a SAML Provider by importing its Metadata.
class SAMLSession(InternallyManagedMixin, SerializerModel, ExpiringModel):
    """Track active SAML sessions for Single Logout support

    One row per (provider, SessionIndex) issued to an SP, linked to the
    authentik AuthenticatedSession it was created from. Every foreign key
    cascades, so deleting the provider, the user or the underlying
    authenticated session also removes this record. Expiry handling comes
    from ExpiringModel (its fields are not visible in this module).
    """

    # Random primary key; unrelated to the SP-facing SessionIndex below.
    saml_session_id = models.UUIDField(default=uuid4, primary_key=True)
    provider = models.ForeignKey(SAMLProvider, on_delete=models.CASCADE)
    user = models.ForeignKey(User, verbose_name=_("User"), on_delete=models.CASCADE)
    session = models.ForeignKey(
        AuthenticatedSession,
        on_delete=models.CASCADE,
        help_text=_("Link to the user's authenticated session"),
    )
    # SessionIndex as sent to the SP; unique per provider (see Meta).
    session_index = models.TextField(help_text=_("SAML SessionIndex for this session"))
    # NameID (and optional format) issued for this login — presumably kept so a
    # later LogoutRequest can reference the same subject; confirm in the
    # logout code.
    name_id = models.TextField(help_text=_("SAML NameID value for this session"))
    name_id_format = models.TextField(default="", blank=True, help_text=_("SAML NameID format"))
    # Set once on insert.
    created = models.DateTimeField(auto_now_add=True)

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model

        Imported lazily, presumably to avoid an import cycle with the API
        package — confirm before hoisting.
        """
        from authentik.providers.saml.api.sessions import SAMLSessionSerializer

        return SAMLSessionSerializer

    def __str__(self):
        # Uses the raw *_id columns so rendering does not load related rows.
        return f"SAML Session for provider {self.provider_id} and user {self.user_id}"

    class Meta:
        verbose_name = _("SAML Session")
        verbose_name_plural = _("SAML Sessions")
        unique_together = [("session_index", "provider")]
        indexes = [
            models.Index(fields=["session_index"]),
            models.Index(fields=["provider", "user"]),
            models.Index(fields=["session"]),
        ]
Track active SAML sessions for Single Logout support
@property
def serializer(self) -> type[Serializer]:
    """Get serializer for this model

    Imported inside the property rather than at module level — presumably
    because the API package imports these models and a top-level import
    would form a cycle; confirm before hoisting.
    """
    from authentik.providers.saml.api.sessions import SAMLSessionSerializer as serializer_class

    return serializer_class
Get serializer for this model