Jupyterhub CAS Authenticator

Authenticate to Jupyterhub using the CAS 3.0 protocol (https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html)

Installation

This package can be installed with pip either from a local git repository or from PyPi.

Installation from local git repository:

cd jhub_cas_authenticator
pip install .

Installation from PyPi:

pip install jhub_cas_authenticator

Alternately, you can add the local project folder must be on your PYTHONPATH.

Configuration

You should edit your jupyterhub_config.py to set the authenticator class:

c.JupyterHub.authenticator_class = 'jhub_cas_authenticator.cas_auth.CASAuthenticator'

You will also need to add settings specific to the CAS authentication configuration:

# The CAS URL to redirect unauthenticated users to.
c.CASAuthenticator.cas_login_url = 'https://cas.example.net/cas/login'

# The service URL the CAS server will redirect the browser back to on successful authentication.
# If not set, this is set to the same URL the request comes in on.  This will work fine for
# simple deployments, but deployments behind a proxy or load banalncer will likely need to
# be adjusted so the CAS service redirects back to the *real* login URL for your Jupyterhub.
c.CASAuthenticator.cas_service_url = 'https://your-jupyterhub.tld/login'

# Path to CA certificates the CAS client will trust when validating a service ticket.
c.CASAuthenticator.cas_client_ca_certs = '/path/to/ca_certs.pem'

# The CAS endpoint for validating service tickets.
c.CASAuthenticator.cas_service_validate_url = 'https://cas.example.net/cas/p3/serviceValidate'

# A set of attribute name and value tuples a user must have to be allowed access.
c.CASAuthenticator.cas_required_attribs = {('memberOf', 'jupyterhub_users')}

Just-in-Time Account Creation

If your Jupyterhub spawner relies on local users to exist for the authenticated user, it can be useful to use CASLocalAuthenticator instead of CASAuthenticator. The former inherits from LocalAuthenticator and has the property create_system_users. You can use it like this:

c.JupyterHub.authenticator_class = 'jhub_cas_authenticator.cas_auth.CASLocalAuthenticator'
# The CAS URL to redirect unauthenticated users to.
c.CASLocalAuthenticator.cas_login_url = 'https://cas.example.net/cas/login'
# The CAS URL for logging out an authenticated user.
c.CASLocalAuthenticator.cas_logout_url = 'https://cas.example.net/cas/logout'
# The service URL the CAS server will redirect the browser back to on successful authentication.
# If not set, this is set to the same URL the request comes in on.  This will work fine for
# simple deployments, but deployments behind a proxy or load banalncer will likely need to
# be adjusted so the CAS service redirects back to the *real* login URL for your Jupyterhub.
c.CASLocalAuthenticator.cas_service_url = 'https://jupyterhub.example.net/login'
# Path to CA certificates the CAS client will trust when validating a service ticket.
c.CASLocalAuthenticator.cas_client_ca_certs = '/path/to/ca_certs.pem'
# The CAS endpoint for validating service tickets.
c.CASLocalAuthenticator.cas_service_validate_url = 'https://cas.example.net/cas/p3/serviceValidate'
# A set of attribute name and value tuples a user must have to be allowed access.
c.CASLocalAuthenticator.cas_required_attribs = {('memberOf', 'jupyterhub_users')}
# Allowed logins.
c.CASLocalAuthenticator.whitelist = {'waldbiec', 'carl', 'logan'}
# Create system users just-in-time.
c.CASLocalAuthenticator.create_system_users = True

quantumentangledandy / jhub_cas_authenticator Goto Github PK

jhub_cas_authenticator's Introduction

Jupyterhub CAS Authenticator

Installation

Configuration

Just-in-Time Account Creation

jhub_cas_authenticator's People

Contributors

Watchers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent