Okta Authentication Django

Question

I have a Django app that I am trying to add Okta authentication. I currently have created a custom backend that utilizes the Okta API to authenticate a user:

class OKTABackend(ModelBackend):

  def __init__(self, *args, **kwargs):
    super().__init__(*args, **kwargs)

  def authenticate(self, username=None, password=None):
    headers = {
      'Authorization': 'SSWS {}'.format(<my OKTA API token>),
      'Accept': 'application/json',
      'Content-type': 'application/json'
    }
    authentication_payload = {
      'username': username,
      'password': password
    }
    r = requests.post(
          <my OKTA app address>,
          headers=headers,
          data=json.dumps(authentication_payload)
    )

    try:
      r.raise_for_status()
      # code that finds/creates and returns user
    except:
      return None

I have a login page with a form that gets the username and password and passes the information to this backend for authentication. All of this is working. But when I go to the OKTA site, and click on my app, I want it to sign into the app. Currently it just redirects to my login page. How do I enable sign on from the OKTA site into my app?

Answer 1

You don't have to implement it yourself now. just use the out-of-box solution: https://github.com/fangli/django-saml2-auth

It works with okta smoothly.

P.S. I'm the author of this plugin.

Answer 2

I would recommend using Python Social Auth: http://psa.matiasaguirre.net/ It has a generic SAML backend that you can use. http://psa.matiasaguirre.net/docs/backends/saml.html The documentation is pretty good and extending it is also fairly simple. In my own project we extended it to pull the SAML IdP information from the database, so that we could have users self-service enter that data.

Answer 3

You will need to implement a Single Sign On technology that Okta supports. For Python, the best approach would be SAML as there are multiple python SAML libraries available for use. I suggest reading up on SAML and how it works to get a full understanding. Look here for more information.

When you SAML enable your application, your application will send a SAML request to Okta for authentication. If you don't have an Okta session yet, you will be asked to login. Once you login successfully, Okta sends a SAML response back to your application to let you in. If you do have an Okta session, Okta will just return the SAML response back to the application with out prompting for login.

Each application in Okta can also have it's own login page, that way when a SAML request comes into Okta you can still use your own login page instead of the default Okta one.