# How Django Microsoft SSO works?

## Current Flow

- First, the user is redirected to the Django login page. If the setting `MICROSOFT_SSO_ENABLED` is `True`, the "Login with Microsoft" button is added to the default form.
- On click, Django-Microsoft-SSO stores the `sso_next_url` and the Microsoft auth info (including the OAuth `state`) in the anonymous request session. This data expires in 10 minutes. The user is then redirected to the Microsoft login page.

    **Using Request Anonymous session:** any action that changes or destroys this session, such as restarting Django, clearing cookies, or switching browsers, makes the login fail, and the message "State Mismatched. Time expired?" is shown the next time you log in.

- On callback, Django-Microsoft-SSO checks the `code` and `state` received. If they are valid, Microsoft's UserInfo is retrieved from the Graph API; this request has a timeout of 10 seconds, defined in `MICROSOFT_SSO_GRAPH_TIMEOUT`. If the user is already registered in Django, the user is logged in.
- Otherwise, the user is created and logged in if their email domain matches one of the `MICROSOFT_SSO_ALLOWABLE_DOMAINS`. You can disable auto-creation by setting `MICROSOFT_SSO_AUTO_CREATE_USERS` to `False`.
- On creation only, the user can be given `staff` or `superuser` status if their email is in `MICROSOFT_SSO_STAFF_LIST` or `MICROSOFT_SSO_SUPERUSER_LIST` respectively. Note that if you add an email to one of these lists, its domain must also be in `MICROSOFT_SSO_ALLOWABLE_DOMAINS`, otherwise the user is never created and the list entry has no effect.
- The authenticated session expires in 1 hour, or after the time defined, in seconds, in `MICROSOFT_SSO_SESSION_COOKIE_AGE`.
- If login fails, the user is redirected to the route defined in `MICROSOFT_SSO_LOGIN_FAILED_URL` (default: `admin:index`), which uses the Django messaging framework to show the error message.
- If login succeeds, the user is redirected to the `sso_next_url` saved in the anonymous session, or to the route defined in `MICROSOFT_SSO_NEXT_URL` (default: `admin:index`) as a fallback.
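The flow above, as an added runnable model (this is example code, not django-microsoft-sso's own implementation). It stands in for Django's anonymous `request.session` and the user table with plain dicts, and for the Graph UserInfo call with a constructed lookup table, so it runs offline. The names `begin_login`, `handle_callback`, `fake_graph_userinfo`, `users` and the sample emails are assumptions for illustration; the `MICROSOFT_SSO_*` setting names are the ones the page documents. It shows why a lost or expired session produces "State Mismatched. Time expired?", that the domain allow-list is checked only when a user is created, and that staff/superuser flags are set at creation only.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

STATE_TTL_SECONDS = 10 * 60          # anonymous-session data expires in 10 minutes
STATE_MISMATCH_MSG = "State Mismatched. Time expired?"

# Settings as the page describes them; the values are constructed for this example.
SETTINGS = {
    "MICROSOFT_SSO_ALLOWABLE_DOMAINS": ["example.com"],
    "MICROSOFT_SSO_AUTO_CREATE_USERS": True,
    "MICROSOFT_SSO_STAFF_LIST": ["ops@example.com"],
    "MICROSOFT_SSO_SUPERUSER_LIST": ["admin@example.com"],
    "MICROSOFT_SSO_NEXT_URL": "/admin/",
    "MICROSOFT_SSO_GRAPH_TIMEOUT": 10,  # seconds; not exercised offline
}


@dataclass
class User:
    email: str
    is_staff: bool = False
    is_superuser: bool = False


def fake_graph_userinfo(code: str) -> dict | None:
    """Constructed stand-in for the Graph UserInfo request, keyed by auth code."""
    table = {
        "code-alice": {"mail": "alice@example.com"},
        "code-ops": {"mail": "ops@example.com"},
        "code-admin": {"mail": "admin@example.com"},
        "code-outsider": {"mail": "mallory@evil.test"},
    }
    return table.get(code)


def begin_login(session: dict, next_url: str, now: float | None = None) -> str:
    """Step 2: store state, its expiry and the next URL in the anonymous session."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    session["sso_state"] = state
    session["sso_state_expires"] = now + STATE_TTL_SECONDS
    session["sso_next_url"] = next_url
    return state                      # sent to Microsoft as the `state` parameter


def handle_callback(session: dict, users: dict, code: str, state: str,
                    now: float | None = None) -> tuple[bool, str, User | None]:
    """Steps 3 to 7. Returns (success, redirect URL or error message, user)."""
    now = time.time() if now is None else now
    expected = session.pop("sso_state", None)
    expires = session.pop("sso_state_expires", 0.0)
    next_url = session.pop("sso_next_url", None)
    # A fresh session (cookies cleared, server restarted, other browser) carries no
    # stored state, and an old one has expired; both fail with the same message.
    if (expected is None or now > expires
            or not secrets.compare_digest(expected.encode(), state.encode())):
        return False, STATE_MISMATCH_MSG, None

    info = fake_graph_userinfo(code)  # real flow: Graph request bounded by MICROSOFT_SSO_GRAPH_TIMEOUT
    if not info or not info.get("mail"):
        return False, "Could not retrieve user info", None
    email = info["mail"].lower()

    user = users.get(email)
    if user is None:
        if not SETTINGS["MICROSOFT_SSO_AUTO_CREATE_USERS"]:
            return False, "User not registered", None
        domain = email.rsplit("@", 1)[1]
        if domain not in SETTINGS["MICROSOFT_SSO_ALLOWABLE_DOMAINS"]:
            return False, f"Email domain {domain} not allowed", None
        # Staff/superuser flags are decided at creation time only.
        user = User(
            email=email,
            is_staff=email in SETTINGS["MICROSOFT_SSO_STAFF_LIST"],
            is_superuser=email in SETTINGS["MICROSOFT_SSO_SUPERUSER_LIST"],
        )
        users[email] = user

    session["authenticated_user"] = email   # the authenticated (1-hour) session
    return True, next_url or SETTINGS["MICROSOFT_SSO_NEXT_URL"], user
```

Because the state is popped from the session on the first callback, a replayed callback URL fails the same way as an expired one; and because the allow-list is only consulted when creating a user, removing a domain from `MICROSOFT_SSO_ALLOWABLE_DOMAINS` does not lock out users that already exist.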