authentik.providers.saml.models
authentik SAML Provider Models
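"""authentik SAML Provider Models

Django models for the SAML 2.0 *provider* side of authentik (authentik acts as
the Identity Provider): the provider configuration, its property mappings, the
metadata-import pseudo-type and the per-login session records used for Single
Logout.
"""

from uuid import uuid4

from django.db import models
from django.templatetags.static import static
from django.urls import reverse
from django.utils.translation import gettext_lazy as _
from rest_framework.serializers import Serializer
from structlog.stdlib import get_logger

from authentik.common.saml.constants import (
    DSA_SHA1,
    ECDSA_SHA1,
    ECDSA_SHA256,
    ECDSA_SHA384,
    ECDSA_SHA512,
    RSA_SHA1,
    RSA_SHA256,
    RSA_SHA384,
    RSA_SHA512,
    SHA1,
    SHA256,
    SHA384,
    SHA512,
)
from authentik.core.api.object_types import CreatableType
from authentik.core.models import (
    AuthenticatedSession,
    ExpiringModel,
    PropertyMapping,
    Provider,
    User,
)
from authentik.crypto.models import CertificateKeyPair
from authentik.lib.models import DomainlessURLValidator, InternallyManagedMixin, SerializerModel
from authentik.lib.utils.time import timedelta_string_validator
from authentik.sources.saml.models import SAMLNameIDPolicy

# Module-level structlog logger.
LOGGER = get_logger()


class SAMLBindings(models.TextChoices):
    """SAML Bindings supported by authentik"""

    # The string values are persisted in the database (used as `choices` on
    # SAMLProvider), so changing them requires a data migration.
    REDIRECT = "redirect"
    POST = "post"


class SAMLLogoutMethods(models.TextChoices):
    """SAML Logout methods supported by authentik"""

    # Persisted values; see SAMLProvider.logout_method help text for semantics.
    FRONTCHANNEL_IFRAME = "frontchannel_iframe"
    FRONTCHANNEL_NATIVE = "frontchannel_native"
    BACKCHANNEL = "backchannel"


class SAMLProvider(Provider):
    """SAML 2.0 Endpoint for applications which support SAML.

    authentik is the Identity Provider here: these fields configure where
    responses are delivered, how assertions/responses are signed and
    encrypted, which algorithms are used, and how long assertions and
    sessions remain valid.
    """

    # Assertion Consumer Service URL of the Service Provider. Only the URL shape
    # and scheme (http/https) are validated.
    acs_url = models.TextField(
        validators=[DomainlessURLValidator(schemes=("http", "https"))], verbose_name=_("ACS URL")
    )
    sp_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("Service Provider Binding"),
        help_text=_(
            "This determines how authentik sends the response back to the Service Provider."
        ),
    )
    # An empty audience means the assertion carries no AudienceRestriction (see
    # help text), i.e. it is not scoped to a single SP. Operators who want the
    # assertion bound to the SP's EntityID must set this explicitly.
    audience = models.TextField(
        default="",
        blank=True,
        help_text=_(
            "Value of the audience restriction field of the assertion. When left empty, "
            "no audience restriction will be added."
        ),
    )
    issuer_override = models.TextField(
        blank=True,
        default="",
        help_text=_(
            "Also known as EntityID. Providing a value overrides the default issuer "
            "generated by authentik."
        ),
    )
    # Single Logout is optional; sls_url may be blank.
    sls_url = models.TextField(
        blank=True,
        validators=[DomainlessURLValidator(schemes=("http", "https"))],
        verbose_name=_("SLS URL"),
        help_text=_("Single Logout Service URL where the logout response should be sent."),
    )
    sls_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("SLS Binding"),
        help_text=_(
            "This determines how authentik sends the logout response back to the Service Provider."
        ),
    )
    # NOTE(review): the help text says back-channel requires the POST SLS
    # binding, but nothing in this model enforces that pairing — presumably
    # validated in the serializer/form; confirm.
    logout_method = models.TextField(
        choices=SAMLLogoutMethods.choices,
        default=SAMLLogoutMethods.FRONTCHANNEL_IFRAME,
        help_text=_(
            "Method to use for logout. Front-channel iframe loads all logout URLs simultaneously "
            "in hidden iframes. Front-channel native uses your active browser tab to send post "
            "requests and redirect to providers. "
            "Back-channel sends logout requests directly from the server without "
            "user interaction (requires POST SLS binding)."
        ),
    )
    # SET_DEFAULT with default=None: deleting the referenced mapping clears the
    # field, which per the help text falls back to the request's NameIDPolicy.
    name_id_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("NameID Property Mapping"),
        help_text=_(
            "Configure how the NameID value will be created. When left empty, "
            "the NameIDPolicy of the incoming request will be considered"
        ),
    )
    # related_name="+" disables the reverse accessor on SAMLPropertyMapping.
    authn_context_class_ref_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("AuthnContextClassRef Property Mapping"),
        related_name="+",
        help_text=_(
            "Configure how the AuthnContextClassRef value will be created. When left empty, "
            "the AuthnContextClassRef will be set based on which authentication methods the user "
            "used to authenticate."
        ),
    )

    # Negative offset: NotBefore lies in the past, presumably to tolerate clock
    # skew between authentik and the SP — TODO confirm.
    assertion_valid_not_before = models.TextField(
        default="minutes=-5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion valid not before current time + this value "
            "(Format: hours=-1;minutes=-2;seconds=-3)."
        ),
    )
    # Default assertion lifetime: 5 minutes after issuance.
    assertion_valid_not_on_or_after = models.TextField(
        default="minutes=5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # 86400 minutes = 1440 hours = 60 days of SP session validity by default.
    session_valid_not_on_or_after = models.TextField(
        default="minutes=86400",
        validators=[timedelta_string_validator],
        help_text=_(
            "Session not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # SHA-1 based digest/signature options remain selectable (presumably for
    # legacy SPs); the defaults are the SHA-256 variants.
    digest_algorithm = models.TextField(
        choices=(
            (SHA1, _("SHA1")),
            (SHA256, _("SHA256")),
            (SHA384, _("SHA384")),
            (SHA512, _("SHA512")),
        ),
        default=SHA256,
    )
    signature_algorithm = models.TextField(
        choices=(
            (RSA_SHA1, _("RSA-SHA1")),
            (RSA_SHA256, _("RSA-SHA256")),
            (RSA_SHA384, _("RSA-SHA384")),
            (RSA_SHA512, _("RSA-SHA512")),
            (ECDSA_SHA1, _("ECDSA-SHA1")),
            (ECDSA_SHA256, _("ECDSA-SHA256")),
            (ECDSA_SHA384, _("ECDSA-SHA384")),
            (ECDSA_SHA512, _("ECDSA-SHA512")),
            (DSA_SHA1, _("DSA-SHA1")),
        ),
        default=RSA_SHA256,
    )

    # When unset (the default), signatures on incoming requests are not
    # validated at all (see help text) — the SP's requests are then accepted
    # unauthenticated.
    verification_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertion's Signatures will be validated against this "
            "certificate. To allow unsigned Requests, leave on default."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Verification Certificate"),
        related_name="+",
    )
    # Nullable: the sign_* flags below can only take effect when a signing
    # keypair is configured — presumably checked by the response processor; confirm.
    signing_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_("Keypair used to sign outgoing Responses going to the Service Provider."),
        on_delete=models.SET_NULL,
        verbose_name=_("Signing Keypair"),
    )
    encryption_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertions are encrypted by the IdP using the public "
            "key of the encryption keypair. The assertion is decrypted by the SP using the "
            "the private key."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Encryption Keypair"),
        related_name="+",
    )

    default_relay_state = models.TextField(
        default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
    )
    # NameID format used when neither a mapping nor the request dictates one.
    default_name_id_policy = models.TextField(
        choices=SAMLNameIDPolicy.choices, default=SAMLNameIDPolicy.UNSPECIFIED
    )

    # Only the assertion is signed by default; signing of the Response and of
    # logout requests/responses is opt-in.
    sign_assertion = models.BooleanField(default=True)
    sign_response = models.BooleanField(default=False)
    sign_logout_request = models.BooleanField(default=False)
    sign_logout_response = models.BooleanField(default=False)

    @property
    def launch_url(self) -> str | None:
        """Use IDP-Initiated SAML flow as launch URL

        Returns None when no Application is attached to this provider, since
        the IdP-initiated URL is keyed by the application slug.
        """
        try:
            return reverse(
                "authentik_providers_saml:init",
                kwargs={"application_slug": self.application.slug},
            )
        except Provider.application.RelatedObjectDoesNotExist:
            # Reverse one-to-one accessor raises when no application is linked.
            return None

    @property
    def icon_url(self) -> str | None:
        """Static icon shown in the UI for this provider type."""
        return static("authentik/sources/saml.png")

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        # Local import, presumably to avoid an import cycle between the models
        # and api modules.
        from authentik.providers.saml.api.providers import SAMLProviderSerializer

        return SAMLProviderSerializer

    @property
    def component(self) -> str:
        """Web component used to render the create/edit form for this provider."""
        return "ak-provider-saml-form"

    def __str__(self) -> str:
        return f"SAML Provider {self.name}"

    class Meta:
        verbose_name = _("SAML Provider")
        verbose_name_plural = _("SAML Providers")


class SAMLPropertyMapping(PropertyMapping):
    """Map User/Group attribute to SAML Attribute, which can be used by the Service Provider"""

    # Attribute name as emitted in the assertion.
    saml_name = models.TextField(verbose_name="SAML Name")
    # Optional FriendlyName; both None (default) and "" mean "not set".
    friendly_name = models.TextField(default=None, blank=True, null=True)

    @property
    def component(self) -> str:
        """Web component used to render the create/edit form for this mapping."""
        return "ak-property-mapping-provider-saml-form"

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        # Local import, presumably to avoid an import cycle between the models
        # and api modules.
        from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingSerializer

        return SAMLPropertyMappingSerializer

    def __str__(self) -> str:
        """Render as "<mapping name> (<friendly name or SAML name>)"."""
        # friendly_name is nullable (default=None) as well as blankable, so test
        # truthiness instead of `!= ""`: the former comparison let None through
        # and rendered "<name> (None)".
        label = self.friendly_name or self.saml_name
        return f"{self.name} ({label})"

    class Meta:
        verbose_name = _("SAML Provider Property Mapping")
        verbose_name_plural = _("SAML Provider Property Mappings")


class SAMLProviderImportModel(CreatableType, Provider):
    """Create a SAML Provider by importing its Metadata.

    Abstract pseudo-model (no database table): it only exists so the UI can
    offer the metadata-import form as a creatable provider type.
    """

    @property
    def component(self) -> str:
        """Web component used to render the metadata-import form."""
        return "ak-provider-saml-import-form"

    @property
    def icon_url(self) -> str | None:
        """Static icon shown in the UI for this provider type."""
        return static("authentik/sources/saml.png")

    class Meta:
        abstract = True
        verbose_name = _("SAML Provider from Metadata")
        verbose_name_plural = _("SAML Providers from Metadata")


class SAMLSession(InternallyManagedMixin, SerializerModel, ExpiringModel):
    """Track active SAML sessions for Single Logout support

    One row per SAML login; rows are removed when the provider, the user or the
    underlying authenticated session is deleted (CASCADE), and expire via
    ExpiringModel.
    """

    saml_session_id = models.UUIDField(default=uuid4, primary_key=True)
    provider = models.ForeignKey(SAMLProvider, on_delete=models.CASCADE)
    user = models.ForeignKey(User, verbose_name=_("User"), on_delete=models.CASCADE)
    session = models.ForeignKey(
        AuthenticatedSession,
        on_delete=models.CASCADE,
        help_text=_("Link to the user's authenticated session"),
    )
    # SessionIndex is unique per provider (see Meta.unique_together), which is
    # what a LogoutRequest carrying a SessionIndex resolves against.
    session_index = models.TextField(help_text=_("SAML SessionIndex for this session"))
    name_id = models.TextField(help_text=_("SAML NameID value for this session"))
    name_id_format = models.TextField(default="", blank=True, help_text=_("SAML NameID format"))
    # Nullable: the issuer is not known for every session.
    issuer = models.TextField(
        default=None, null=True, help_text=_("SAML Issuer used for this session")
    )
    created = models.DateTimeField(auto_now_add=True)

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        # Local import, presumably to avoid an import cycle between the models
        # and api modules.
        from authentik.providers.saml.api.sessions import SAMLSessionSerializer

        return SAMLSessionSerializer

    def __str__(self) -> str:
        # Use the raw FK ids so rendering does not fetch the related rows.
        return f"SAML Session for provider {self.provider_id} and user {self.user_id}"

    class Meta:
        verbose_name = _("SAML Session")
        verbose_name_plural = _("SAML Sessions")
        unique_together = [("session_index", "provider")]
        # Lookups by SessionIndex (logout requests), by provider+user, and by
        # authenticated session (session termination).
        indexes = [
            models.Index(fields=["session_index"]),
            models.Index(fields=["provider", "user"]),
            models.Index(fields=["session"]),
        ]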
class SAMLBindings(models.TextChoices):
    """SAML Bindings supported by authentik"""

    # The string values are persisted in the database (used as `choices` on
    # SAMLProvider), so changing them requires a data migration.
    REDIRECT = "redirect"
    POST = "post"
SAML Bindings supported by authentik
class SAMLLogoutMethods(models.TextChoices):
    """SAML Logout methods supported by authentik"""

    # Persisted values; see SAMLProvider.logout_method help text for semantics.
    FRONTCHANNEL_IFRAME = "frontchannel_iframe"
    FRONTCHANNEL_NATIVE = "frontchannel_native"
    BACKCHANNEL = "backchannel"
SAML Logout methods supported by authentik
class SAMLProvider(Provider):
    """SAML 2.0 Endpoint for applications which support SAML.

    authentik is the Identity Provider here: these fields configure where
    responses are delivered, how assertions/responses are signed and
    encrypted, which algorithms are used, and how long assertions and
    sessions remain valid.
    """

    # Assertion Consumer Service URL of the Service Provider. Only the URL shape
    # and scheme (http/https) are validated.
    acs_url = models.TextField(
        validators=[DomainlessURLValidator(schemes=("http", "https"))], verbose_name=_("ACS URL")
    )
    sp_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("Service Provider Binding"),
        help_text=_(
            "This determines how authentik sends the response back to the Service Provider."
        ),
    )
    # An empty audience means the assertion carries no AudienceRestriction (see
    # help text), i.e. it is not scoped to a single SP. Operators who want the
    # assertion bound to the SP's EntityID must set this explicitly.
    audience = models.TextField(
        default="",
        blank=True,
        help_text=_(
            "Value of the audience restriction field of the assertion. When left empty, "
            "no audience restriction will be added."
        ),
    )
    issuer_override = models.TextField(
        blank=True,
        default="",
        help_text=_(
            "Also known as EntityID. Providing a value overrides the default issuer "
            "generated by authentik."
        ),
    )
    # Single Logout is optional; sls_url may be blank.
    sls_url = models.TextField(
        blank=True,
        validators=[DomainlessURLValidator(schemes=("http", "https"))],
        verbose_name=_("SLS URL"),
        help_text=_("Single Logout Service URL where the logout response should be sent."),
    )
    sls_binding = models.TextField(
        choices=SAMLBindings.choices,
        default=SAMLBindings.REDIRECT,
        verbose_name=_("SLS Binding"),
        help_text=_(
            "This determines how authentik sends the logout response back to the Service Provider."
        ),
    )
    # NOTE(review): the help text says back-channel requires the POST SLS
    # binding, but nothing in this model enforces that pairing — presumably
    # validated in the serializer/form; confirm.
    logout_method = models.TextField(
        choices=SAMLLogoutMethods.choices,
        default=SAMLLogoutMethods.FRONTCHANNEL_IFRAME,
        help_text=_(
            "Method to use for logout. Front-channel iframe loads all logout URLs simultaneously "
            "in hidden iframes. Front-channel native uses your active browser tab to send post "
            "requests and redirect to providers. "
            "Back-channel sends logout requests directly from the server without "
            "user interaction (requires POST SLS binding)."
        ),
    )
    # SET_DEFAULT with default=None: deleting the referenced mapping clears the
    # field, which per the help text falls back to the request's NameIDPolicy.
    name_id_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("NameID Property Mapping"),
        help_text=_(
            "Configure how the NameID value will be created. When left empty, "
            "the NameIDPolicy of the incoming request will be considered"
        ),
    )
    # related_name="+" disables the reverse accessor on SAMLPropertyMapping.
    authn_context_class_ref_mapping = models.ForeignKey(
        "SAMLPropertyMapping",
        default=None,
        blank=True,
        null=True,
        on_delete=models.SET_DEFAULT,
        verbose_name=_("AuthnContextClassRef Property Mapping"),
        related_name="+",
        help_text=_(
            "Configure how the AuthnContextClassRef value will be created. When left empty, "
            "the AuthnContextClassRef will be set based on which authentication methods the user "
            "used to authenticate."
        ),
    )

    # Negative offset: NotBefore lies in the past, presumably to tolerate clock
    # skew between authentik and the SP — TODO confirm.
    assertion_valid_not_before = models.TextField(
        default="minutes=-5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion valid not before current time + this value "
            "(Format: hours=-1;minutes=-2;seconds=-3)."
        ),
    )
    # Default assertion lifetime: 5 minutes after issuance.
    assertion_valid_not_on_or_after = models.TextField(
        default="minutes=5",
        validators=[timedelta_string_validator],
        help_text=_(
            "Assertion not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # 86400 minutes = 1440 hours = 60 days of SP session validity by default.
    session_valid_not_on_or_after = models.TextField(
        default="minutes=86400",
        validators=[timedelta_string_validator],
        help_text=_(
            "Session not valid on or after current time + this value "
            "(Format: hours=1;minutes=2;seconds=3)."
        ),
    )

    # SHA-1 based digest/signature options remain selectable (presumably for
    # legacy SPs); the defaults are the SHA-256 variants.
    digest_algorithm = models.TextField(
        choices=(
            (SHA1, _("SHA1")),
            (SHA256, _("SHA256")),
            (SHA384, _("SHA384")),
            (SHA512, _("SHA512")),
        ),
        default=SHA256,
    )
    signature_algorithm = models.TextField(
        choices=(
            (RSA_SHA1, _("RSA-SHA1")),
            (RSA_SHA256, _("RSA-SHA256")),
            (RSA_SHA384, _("RSA-SHA384")),
            (RSA_SHA512, _("RSA-SHA512")),
            (ECDSA_SHA1, _("ECDSA-SHA1")),
            (ECDSA_SHA256, _("ECDSA-SHA256")),
            (ECDSA_SHA384, _("ECDSA-SHA384")),
            (ECDSA_SHA512, _("ECDSA-SHA512")),
            (DSA_SHA1, _("DSA-SHA1")),
        ),
        default=RSA_SHA256,
    )

    # When unset (the default), signatures on incoming requests are not
    # validated at all (see help text) — the SP's requests are then accepted
    # unauthenticated.
    verification_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertion's Signatures will be validated against this "
            "certificate. To allow unsigned Requests, leave on default."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Verification Certificate"),
        related_name="+",
    )
    # Nullable: the sign_* flags below can only take effect when a signing
    # keypair is configured — presumably checked by the response processor; confirm.
    signing_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_("Keypair used to sign outgoing Responses going to the Service Provider."),
        on_delete=models.SET_NULL,
        verbose_name=_("Signing Keypair"),
    )
    encryption_kp = models.ForeignKey(
        CertificateKeyPair,
        default=None,
        null=True,
        blank=True,
        help_text=_(
            "When selected, incoming assertions are encrypted by the IdP using the public "
            "key of the encryption keypair. The assertion is decrypted by the SP using the "
            "the private key."
        ),
        on_delete=models.SET_NULL,
        verbose_name=_("Encryption Keypair"),
        related_name="+",
    )

    default_relay_state = models.TextField(
        default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
    )
    # NameID format used when neither a mapping nor the request dictates one.
    default_name_id_policy = models.TextField(
        choices=SAMLNameIDPolicy.choices, default=SAMLNameIDPolicy.UNSPECIFIED
    )

    # Only the assertion is signed by default; signing of the Response and of
    # logout requests/responses is opt-in.
    sign_assertion = models.BooleanField(default=True)
    sign_response = models.BooleanField(default=False)
    sign_logout_request = models.BooleanField(default=False)
    sign_logout_response = models.BooleanField(default=False)

    @property
    def launch_url(self) -> str | None:
        """Use IDP-Initiated SAML flow as launch URL

        Returns None when no Application is attached to this provider, since
        the IdP-initiated URL is keyed by the application slug.
        """
        try:
            return reverse(
                "authentik_providers_saml:init",
                kwargs={"application_slug": self.application.slug},
            )
        except Provider.application.RelatedObjectDoesNotExist:
            # Reverse one-to-one accessor raises when no application is linked.
            return None

    @property
    def icon_url(self) -> str | None:
        """Static icon shown in the UI for this provider type."""
        return static("authentik/sources/saml.png")

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        # Local import, presumably to avoid an import cycle between the models
        # and api modules.
        from authentik.providers.saml.api.providers import SAMLProviderSerializer

        return SAMLProviderSerializer

    @property
    def component(self) -> str:
        """Web component used to render the create/edit form for this provider."""
        return "ak-provider-saml-form"

    def __str__(self) -> str:
        return f"SAML Provider {self.name}"

    class Meta:
        verbose_name = _("SAML Provider")
        verbose_name_plural = _("SAML Providers")
SAML 2.0 Endpoint for applications which support SAML.
@property
def launch_url(self) -> str | None:
    """Use IDP-Initiated SAML flow as launch URL

    Returns None when no Application is attached to this provider, since the
    IdP-initiated URL is keyed by the application slug.
    """
    try:
        slug = self.application.slug
    except Provider.application.RelatedObjectDoesNotExist:
        # Reverse one-to-one accessor raises when no application is linked.
        return None
    return reverse("authentik_providers_saml:init", kwargs={"application_slug": slug})
Use IDP-Initiated SAML flow as launch URL
@property
def serializer(self) -> type[Serializer]:
    """Get serializer for this model"""
    # Local import, presumably to avoid an import cycle between the models
    # and api modules.
    from authentik.providers.saml.api.providers import SAMLProviderSerializer

    return SAMLProviderSerializer
Get serializer for this model
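class SAMLPropertyMapping(PropertyMapping):
    """Map User/Group attribute to SAML Attribute, which can be used by the Service Provider"""

    # Attribute name as emitted in the assertion.
    saml_name = models.TextField(verbose_name="SAML Name")
    # Optional FriendlyName; both None (default) and "" mean "not set".
    friendly_name = models.TextField(default=None, blank=True, null=True)

    @property
    def component(self) -> str:
        """Web component used to render the create/edit form for this mapping."""
        return "ak-property-mapping-provider-saml-form"

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        # Local import, presumably to avoid an import cycle between the models
        # and api modules.
        from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingSerializer

        return SAMLPropertyMappingSerializer

    def __str__(self) -> str:
        """Render as "<mapping name> (<friendly name or SAML name>)"."""
        # friendly_name is nullable (default=None) as well as blankable, so test
        # truthiness instead of `!= ""`: the former comparison let None through
        # and rendered "<name> (None)".
        label = self.friendly_name or self.saml_name
        return f"{self.name} ({label})"

    class Meta:
        verbose_name = _("SAML Provider Property Mapping")
        verbose_name_plural = _("SAML Provider Property Mappings")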
Map User/Group attribute to SAML Attribute, which can be used by the Service Provider
@property
def serializer(self) -> type[Serializer]:
    """Get serializer for this model"""
    # Local import, presumably to avoid an import cycle between the models
    # and api modules.
    from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingSerializer

    return SAMLPropertyMappingSerializer
Get serializer for this model
class SAMLProviderImportModel(CreatableType, Provider):
    """Create a SAML Provider by importing its Metadata.

    Abstract pseudo-model (no database table): it only exists so the UI can
    offer the metadata-import form as a creatable provider type.
    """

    @property
    def component(self) -> str:
        """Web component used to render the metadata-import form."""
        return "ak-provider-saml-import-form"

    @property
    def icon_url(self) -> str | None:
        """Static icon shown in the UI for this provider type."""
        return static("authentik/sources/saml.png")

    class Meta:
        abstract = True
        verbose_name = _("SAML Provider from Metadata")
        verbose_name_plural = _("SAML Providers from Metadata")
Create a SAML Provider by importing its Metadata.
class SAMLSession(InternallyManagedMixin, SerializerModel, ExpiringModel):
    """Track active SAML sessions for Single Logout support

    One row per SAML login; rows are removed when the provider, the user or the
    underlying authenticated session is deleted (CASCADE), and expire via
    ExpiringModel.
    """

    saml_session_id = models.UUIDField(default=uuid4, primary_key=True)
    provider = models.ForeignKey(SAMLProvider, on_delete=models.CASCADE)
    user = models.ForeignKey(User, verbose_name=_("User"), on_delete=models.CASCADE)
    session = models.ForeignKey(
        AuthenticatedSession,
        on_delete=models.CASCADE,
        help_text=_("Link to the user's authenticated session"),
    )
    # SessionIndex is unique per provider (see Meta.unique_together), which is
    # what a LogoutRequest carrying a SessionIndex resolves against.
    session_index = models.TextField(help_text=_("SAML SessionIndex for this session"))
    name_id = models.TextField(help_text=_("SAML NameID value for this session"))
    name_id_format = models.TextField(default="", blank=True, help_text=_("SAML NameID format"))
    # Nullable: the issuer is not known for every session.
    issuer = models.TextField(
        default=None, null=True, help_text=_("SAML Issuer used for this session")
    )
    created = models.DateTimeField(auto_now_add=True)

    @property
    def serializer(self) -> type[Serializer]:
        """Get serializer for this model"""
        # Local import, presumably to avoid an import cycle between the models
        # and api modules.
        from authentik.providers.saml.api.sessions import SAMLSessionSerializer

        return SAMLSessionSerializer

    def __str__(self) -> str:
        # Use the raw FK ids so rendering does not fetch the related rows.
        return f"SAML Session for provider {self.provider_id} and user {self.user_id}"

    class Meta:
        verbose_name = _("SAML Session")
        verbose_name_plural = _("SAML Sessions")
        unique_together = [("session_index", "provider")]
        # Lookups by SessionIndex (logout requests), by provider+user, and by
        # authenticated session (session termination).
        indexes = [
            models.Index(fields=["session_index"]),
            models.Index(fields=["provider", "user"]),
            models.Index(fields=["session"]),
        ]
Track active SAML sessions for Single Logout support
@property
def serializer(self) -> type[Serializer]:
    """Get serializer for this model"""
    # Local import, presumably to avoid an import cycle between the models
    # and api modules.
    from authentik.providers.saml.api.sessions import SAMLSessionSerializer

    return SAMLSessionSerializer
Get serializer for this model