
pypm install hl.pas.samlplugin

How to install hl.pas.samlplugin

  1. Download and install ActivePython
  2. Open Command Prompt
  3. Type pypm install hl.pas.samlplugin
Latest release
version 0.7 on Jan 9th, 2014


hl.pas.samlplugin provides a SAML2 plugin for Zope's PluggableAuthService. It provides the IExtractionPlugin, IAuthenticationPlugin, IChallengePlugin, ICredentialsResetPlugin interfaces.

hl.pas.samlplugin so far has been tested with OpenAM.


  1. Add the package to your buildout.
  2. Run buildout. hl.pas.samlplugin will pull in pysaml2, which in turn needs xmlsec and repoze.who. xmlsec has to be installed manually; please refer to the pysaml2 documentation.
  3. Restart Zope.
  4. Visit your site's Pluggable Auth Service in ZMI and add a SAML2 PAS plugin.


You will need to provide your IDP with an endpoint configuration for your Zope site containing your site's settings for AssertionConsumerService and SingleLogoutService. This will be an XML file that looks something like this:

<EntityDescriptor entityID="http://zopehost:8080/spEntityID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

At the moment the bindings specified in the above example (i.e. HTTP-Redirect for the SingleLogoutService and HTTP-POST for the AssertionConsumerService) are the only ones that are supported. For the authentication request, HTTP-Redirect is used.

Please refer to available SAML2 documentation for further information.
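A quick way to check an SP metadata file against the binding restriction described above before handing it to the IDP. This is an added example, not code from hl.pas.samlplugin; the function name, the finding codes, the Location paths in the sample and the rule that endpoints must sit under the service endpoint URL are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Per the README: the only binding the plugin supports for each endpoint.
SUPPORTED = {"SingleLogoutService": BINDINGS + "HTTP-Redirect",
             "AssertionConsumerService": BINDINGS + "HTTP-POST"}

# Constructed sample. entityID, flags and bindings follow the README's example;
# the Location paths and the extra SOAP endpoint are made-up placeholders.
SAMPLE = """\
<EntityDescriptor entityID="http://zopehost:8080/spEntityID" xmlns="%(md)s">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="%(b)sHTTP-Redirect"
        Location="http://zopehost:8080/site/slo-placeholder"/>
    <SingleLogoutService Binding="%(b)sSOAP"
        Location="http://zopehost:8080/other/slo-soap-placeholder"/>
    <AssertionConsumerService isDefault="true" index="0" Binding="%(b)sHTTP-POST"
        Location="http://zopehost:8080/site/acs-placeholder"/>
  </SPSSODescriptor>
</EntityDescriptor>
""" % {"md": MD, "b": BINDINGS}


def check_sp_metadata(xml_text, service_url):
    """Return a list of (code, detail) findings for an SP metadata file."""
    findings = []
    sp = ET.fromstring(xml_text).find("{%s}SPSSODescriptor" % MD)
    if sp is None:
        return [("no-sp-descriptor", "")]
    # Both flags default to false in SAML metadata when absent.
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag, "false") not in ("true", "1"):
            findings.append(("unsigned", flag))
    # Assumption: every endpoint lives under the plugin's service endpoint URL.
    prefix = service_url.rstrip("/") + "/"
    for name, binding in SUPPORTED.items():
        endpoints = sp.findall("{%s}%s" % (MD, name))
        if not any(e.get("Binding") == binding for e in endpoints):
            findings.append(("missing-endpoint", name))
        for e in endpoints:
            if e.get("Binding") != binding:
                findings.append(("unsupported-binding", e.get("Binding")))
            if not e.get("Location", "").startswith(prefix):
                findings.append(("outside-service-url", e.get("Location")))
    return findings


if __name__ == "__main__":
    for code, detail in check_sp_metadata(SAMPLE, "http://zopehost:8080/site"):
        print(code, detail)
```

The "unsigned" findings are informational: they record that the metadata, like the README's example, declares neither signed authentication requests nor a requirement for signed assertions.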

On the SAML2 PAS plugin's properties tab, you will need to specify some more properties to make things work:

  • the absolute path to the IDP config file. This XML file should be provided by your IDP
  • the service endpoint URL, i.e. http://zopehost:8080/site in the example above
  • the service endpoint entity id as given to the IDP
  • the absolute path to the xmlsec executable (see the pysaml2 documentation)
  • the attribute provided by the IDP that should be used as the user's login attribute (i.e. the user id used by Zope)
  • additional user properties given by the IDP that should be stored in the user's session

Please have a look in the browser and the skins/auth subdirectories for examples on how to handle login/logout for a CMFSite.

It is important to note that this PAS plugin (and the SAML2 protocol) only provides authentication. It is rather likely that you will have to implement your own plugins to provide the IPropertiesPlugin and the IUserEnumerationPlugin interfaces, at least if you have to deal with user-generated content or want to use the Zope CMF.


0.7 (2013-08-19)
  • Python 2.6 compatibility
0.6 (2013-08-16)
  • use pysaml2 >= 1.0
0.5 (2013-07-24)
  • fixed configuration caching issue (when using multiple plugins)
0.4 (2013-07-04)
  • improved config caching
  • add sample data for unittests
0.3 (2013-07-02)
  • add icon
0.2 (2013-07-02)
  • fix MANIFEST.in
0.1 (2013-07-02)
  • initial release


Last updated Jan 9th, 2014
