Ephes Blog

I think we all learned a valuable lesson from this: Never ship. --Tyler Hillsman

With vacation just around the corner, work has been pretty light. I attended the Django Cologne Meetup and watched an interesting talk about Django background tasks. It’s great to think about not having to deal with Celery anymore. I also recorded and published a podcast episode on the Python Data Model. Then, I wrote a piece on implementing Django with SSO and managed to release a new version of django-cast (though there aren’t many updates).

I encountered a strange issue where some command line tools written in Rust (bat, exa) stopped working, showing error messages like this:

Calling brew reinstall bat fixed it.

Articles

• Microsoft Research Introduces AgentInstruct: A Multi-Agent Workflow Framework for Enhancing Synthetic Data Quality and Diversity in AI Model Training | A single GPU model outperforming GPT3.5? Cool!
• Imitation Intelligence, my keynote for PyCon US 2024
• Friday Deploy Freezes Are Exactly Like Murdering Puppies | Seems about the right time to repost this
• The PSF Board Election Results For 2024: What I Think
• Physics Simulations in Bevy
• Mining JIT traces for missing optimizations with Z3

Videos

• I tried using AI. It scared me. | Hmm, it does not scare me. And Napster also didn't. I'm always happy about new stuff you can use to do cool stuff.
• DjangoCon Europe 2024 | Fast on my machine: How to debug slow requests in production
• DjangoCon Europe 2024 | Data Oriented Django Deux

Software

• aseprite - Animated Sprite Editor
• django-readers - A lightweight function-oriented toolkit for better organisation of business logic and efficient selection and projection of data in Django projects
• Zettlr - Your One-Stop Publication Workbench

Fediverse

• When I worked at a cloud infrastructure company I evaluated some “endpoint management” security agent software | Thread on this crowdstrike disaster
• Any sufficiently advanced "endpoint protection" software is indistinguishable from malware.

Weeknotes

• Weeklog for Week 28: July 08 to July 14 | Johannes
• Weeknotes: GPT-4o mini, LLM 0.15, sqlite-utils 3.37 and building a staging environment | Simon Willison
• Months in Review | Luis 😄

Introduction

Adding SSO via SAML to a Django application can be a complex process. When I first tackled this task, I wished for a simple, straightforward tutorial. That's why I've created this guide - to help others implement SSO in their Django apps.

This tutorial will guide you through the process of setting up SSO for your Django application, specifically configuring it as a Service Provider (SP) in the SAML framework. As an SP, your Django app will rely on an external Identity Provider (IdP) for user authentication. By the end of this tutorial, your application will be able to delegate the authentication process to the IdP. This means users can log in through the IdP's interface and then access your app without needing separate credentials. Your Django app, as the SP, will trust and accept the authentication assertions provided by the IdP, allowing seamless and secure access for authenticated users.

Glossary

• SSO (Single Sign-On): A user authentication process that allows a user to access multiple applications with one set of login credentials.
• SAML (Security Assertion Markup Language): An XML-based framework for exchanging authentication and authorization information between an Identity Provider (IdP) and a Service Provider (SP).
• IdP (Identity Provider): The system that provides user authentication and passes the identity of the user to the Service Provider.
• SP (Service Provider): The system that relies on the Identity Provider to authenticate users and provide access to services or applications.
• ACS (Assertion Consumer Service): This endpoint on the Service Provider (your Django app) receives and processes SAML assertions sent by the Identity Provider after user authentication. It validates the SAML response and logs the user into the application, granting them access based on the provided authentication details.
• Metadata (sp.xml/idp.xml): XML files that describe the configuration and capabilities of the Identity Provider and Service Provider.
• PySAML2: A Python library used for handling SAML2 operations, providing the underlying functionality for SAML-based authentication.
• django-allauth: A Django package providing user authentication, registration, account management, and third-party (social) account authentication.
• Mako: A templating engine used for rendering HTML in Python applications.
• pytest: A testing framework for Python, used for writing and running tests.

With these terms defined, let's dive into setting up Single Sign-On (SSO) with SAML for your Django application.

There are two popular Django packages for integrating SAML2:

1. Django SAML2 Authentication (a fork of django-saml2-auth by Grafana)
2. djangosaml2 (which did not support newer Django versions in the past, but this has since been fixed)

These packages use PySAML2 for the main SAML functionality. Their main job is to connect PySAML2 with Django. I chose the first package for this tutorial. It works well, but has some drawbacks. It's not great at handling errors or making testing easy. We'll discuss these issues later in the Caveats section.

For those new to SAML or seeking a deeper understanding, these resources provide helpful content on how SAML works in general:

• OASIS SAML Technical Overview
• SAML Wiki Knowledgebase

Single Sign On Login Flow

Maybe we start with an overview how the authentication flow will look like with SSO.

The provided sequence diagram illustrates a typical Single Sign-On (SSO) login flow using Security Assertion Markup Language 2.0 (SAML2) between a User, a Django Application (acting as the Service Provider), and an Identity Provider (IdP). Here's an explanation of each step depicted in the diagram:

1. User Accesses Login Page: The user navigates to the login page of the Django application.
2. Display Login Form: The Django application displays a login form with an SSO button.
3. Click SSO Button: The user clicks the SSO login button.
4. Redirect to IdP: The Django application redirects the user to the Identity Provider (IdP) for authentication.
5. Display IdP Login Form: The IdP presents a login form for the user.
6. Submit Credentials: The user submits their credentials to the IdP.
7. Redirect Back with Auth Details: The IdP redirects back to the Django application with authentication details.
8. User Logged In: The Django application logs the user in and grants access.

This flow demonstrates how SAML2 enables Single Sign-On. Users authenticate through an Identity Provider, which then sends a SAML response containing the authentication assertion to your Django application. This allows users to access your application without needing to log in separately.

Here's the Mermaid code that created the diagram above.

somehow instead of saying “as a treat”, I’ve started using the phrase “for morale”, as if my body is a ship and its crew, and I (the captain) have to keep us in high spirits, lest we suffer a mutiny in the coming days.

and so I will eat this small block of fancy cheese, for morale. I will take a break and drink some tea, for morale. I will pick up that weird bug, for morale.

I’m not sure if it helps, but it does entertain me --Second Beat Songs

Started writing an article about SSO with Django, which I'll likely publish next week. Unfortunately, no time for open source projects this week.

I'm also getting used to my new camera. While the basic handling and lenses are the same, the post-processing is quite different. I’ve been using Apple Photos for the past few years and was quite happy with it. However, the new Nikon raw files aren't supported, so I have to decide between using a raw to DNG converter, as I discussed last week, or Nikon NX Studio. Currently, I'm trying the latter, but Nikon's software is somewhat odd. In some ways, it's fantastic — colors are great, you can use the same picture control settings as on your camera, and even upload custom looks to the camera. On the downside, it has serious memory leaks, quickly consuming all of my 32GB of RAM, and is also quite slow, requiring frequent restarts.

Articles

• Locality of Behaviour | Yep, nice description.
• Accessing 1Password items from the terminal
• Finding Simple Rewrite Rules for the JIT with Z3

Weeknotes

• Weeknotes for Week 27: July 1 to 7 | Jeff Triplett
• Weeklog for Week 27: July 01 to July 07 | Johannes

Videos

• Home-cooked Software and Barefoot Programmers: Maggie Appleton (Local-First Conf) | Barefoot Programmer 😆
• DjangoCon Europe 2024 Vigo | YouTube playlist of all talks 🥳
• DjangoCon Europe 2024 | API Maybe: Bootstrapping a Web Application circa 2024 | Yes
• Kasey Chambers - Lose Yourself (Eminem Cover) LIVE @ Civic Theatre, Newcastle AU | Whoa, what did I just see?

Fediverse

• Carl Sagan about military budget | If all people were playing the longest possible game, this would be true, but...
• I’m not trying to start a religious war, but what’s the community consensus these days on overriding Django’s built-in User model vs OneToOneField to it from a separate Profile model? | Yep, standard user model with unique email...
• I have a weird #ADHD lifehack that has been so effective that it's a little embarrassing, so I feel like I need to share it. | Always share your ADHD lifehacks, plz!
• In other words: 2024 reality, if you’re a SaaS provider, infostealers and cyber crime groups are a competitor - you have to be shit hot at authentication (even if it inconveniences the customer) | AT&T lost some data..

Out of Context Images

ZIZEK: that AI will be the death of learning & so on; to this, I say NO! My student brings me their essay, which has been written by AI, & I plug it into my grading AI, & we are free! While the 'learning' happens, our superego satisfied, we are free now to learn whatever we want --Zack Brown

Workwise, last week was quite busy. However, I managed to attend a meeting of PyDDF, our local Python user group, which was great. I also recorded and published a podcast episode about the DjangoCon Europe 2024 conference. Then I had to roll out a security update for Mastodon, which usually requires minimal maintenance, and updated Takahē along with it. There was also a new release of django-cast, which includes some bug fixes and a new feature: subtitles for blogs.

Here's a tip I discovered while trying to import pictures from my new camera: If you use Apple Photos to manage your pictures and it doesn't read RAW files from newer cameras, you can use the free Adobe DNG Converter to convert RAW files to DNG and then import them into Apple Photos. Unfortunately, it's not possible to preserve changes made in Nikon NX Studio, which has the best RAW support for Nikon cameras, when converting the RAW files to DNG.

Articles

• With Fifth Busy Beaver, Researchers Approach Computation’s Limits | Cellular automata are similar: It’s astonishing how a few simple rules can create incredibly complex structures. Or we are just bad at deducting the simple rules behind complicated fluff.
• The 2024 PSF Board Election is Open!

Weeknotes

• Weeknotes: a livestream, a surprise keynote and progress on Datasette Cloud billing | Simon Willison
• Weeklog for Week 26: June 24 to June 30 | Johannes

Videos

• Bevy Engine 0.14 - Open Source ECS-based game development in Rust | New release!

Fediverse / Twitter

• ▲ + 🐍 | Hehe, look who caught the htmx bug..

Software

• Python Polars 1.0.0 | 1.0 Release 🥳
• Psycopg 3.2 released
• eGenix PyRun is an Apache licensed, open-source, compressed, single file Python compatible run-time, which fits into merely 5-6 MB on disk | Now on github!
• Runwayml - A new frontier for high-fidelity, controllable video generation | Has a little bit more focus on the artist perspective, interesting.
• Bevycation of Brackeys First Game in Godot Tutorial | A bit more sophisticated compared to the platformer example from bevy_ecs_ldtk
• LLMs for the working programmer | LLM workshop by Manuel Odendahl

Out of Context Images

ACARS Message From: C-FWJS/WS0456

Message: HI. I JUST ACCIDENTLY CLEARED AN ACARS MESSAGE BEFORE WE COULD READ IT. DO YOU KNOW WHAT IT WAS ABOUT..... --ACARS Drama

I made numerous small fixes and improvements to django-cast. I also dabbled in Rust game development again and can now draw 2D maps in LDtk and load them into a game. It's just a small step forward, but I didn't struggle with the compiler as much as I anticipated - I'm starting to like Rust.

The weather has been lovely lately, so we bought a barbecue and visited a nearby zoo.

Articles

• How Neanderthal language differed from modern human – they probably didn’t use metaphors
• The time for designers to learn to code is now | Do it.
• Situational Awareness- The Decade Ahead | Overly optimistic in my opinion, because trendlines can just stop for all kinds of reasons (GANs are not stable and kind of dead by now, there are good reasons to believe that generative models have some fundamental limitations, and semisupervised learning does not yet work for anything but textual data...). But still interesting.

Videos

• Language models on the command-line | Fantastic talk
• Whole Earth Flashbacks | Whole Earth Catalog documentary
• Web Design Engineering With the New CSS | Matthias Ott | CSS Day 2024 | Solid talk - and yes, I'm looking into CSS for the same reason atm.

Weeknotes

• Weeklog for Week 25: June 17 to June 23 | Johannes
• Weeknotes for Week 25: June 17 to 23 | Jeff Triplett

TIL

• Unwrapping functools.wraps: How to Remove Decorators from a Python Function

Fediverse

• Periodic reminder that NIST does not approve of expiring passwords.

Software

• LLM - A CLI utility and Python library for interacting with Large Language Models, both via remote APIs and models that can be installed and run on your own machine
• files-to-prompt - Concatenate a directory full of files into a single prompt for use with LLMs
• ttok - This tool can count tokens, using OpenAI's tiktoken library.
• Django 5.1 beta 1 released

Out of Context Images