These pages give the details of the Python code base for NDG Security. It uses the ndg_saml, ndg_xacml and MyProxyClient packages. For an overview of NDG Security see wiki:.

NDG Security uses a modular server-side architecture based on Python WSGI. WSGI filters sit in front of the applications to be protected and enforce access control. The Attribute and Authorisation web services and the OpenID applications are all built around the WSGI specification. Using PasteDeploy, the filters and applications can be arranged flexibly at deployment time with a simple ini file syntax.
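The filter-in-front-of-application pattern described above, as an added example that is not NDG Security's own code: an access-control filter wraps an unmodified WSGI application and is built through a factory with the PasteDeploy `filter_app_factory` call signature. The class, option names (`path_pattern`, `allowed_users`) and users are hypothetical, and it assumes Python 3 with only the standard library (PasteDeploy itself is not imported).

```python
# Added illustration, not NDG Security code; all names here are hypothetical.
import re
from wsgiref.util import setup_testing_defaults

def protected_app(environ, start_response):
    """The application being fronted; it contains no access-control logic."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secured content"]

class AccessControlFilter(object):
    """WSGI filter: decides on each request before the wrapped app sees it."""

    def __init__(self, app, path_pattern, allowed_users):
        self.app = app
        self.path_pattern = re.compile(path_pattern)
        self.allowed_users = frozenset(allowed_users)

    @classmethod
    def filter_app_factory(cls, app, global_conf, path_pattern="^/", allowed_users=""):
        # PasteDeploy convention: options from the ini file arrive as strings.
        return cls(app, path_pattern, allowed_users.split())

    def __call__(self, environ, start_response):
        if not self.path_pattern.match(environ.get("PATH_INFO", "")):
            return self.app(environ, start_response)  # path is not protected
        user = environ.get("REMOTE_USER")  # set by an upstream authentication filter
        if not user:
            return self._deny(start_response, "401 Unauthorized")  # no identity
        if user not in self.allowed_users:
            return self._deny(start_response, "403 Forbidden")  # known, not permitted
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode("ascii")]

def request(app, path, user=None):
    """Drive the stack with a constructed environ; return (status, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if user is not None:
        environ["REMOTE_USER"] = user
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body

# Constructed deployment: protect everything under /secured for two users.
STACK = AccessControlFilter.filter_app_factory(
    protected_app, {}, path_pattern="^/secured", allowed_users="alice bob")
```

The wrapped application is only reached when the filter passes the request through, so changing policy means changing the factory arguments, not the application.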


See this overview for a description of the different components.

System Requirements

The code base has been tested on a variety of Linux distributions including Ubuntu and SUSE. Python 2.6 is required for ndg_security version 2.0.0. The 1.5.x branch works with Python 2.5. For server deployment, Apache2 with mod_wsgi is the recommended container for running applications and filters.

Installation and Configuration

Links to installation and configuration details


Troubleshooting installation, deployment issues.


Code is maintained in a SubVersion repository. Access the trunk. For the latest stable release, refer to the Releases section below.


Code is released as Python eggs and uploaded to the NERC DataGrid Python distributions repository. Releases, once created, are copied into the tags SVN directory. Branches are maintained where an earlier release has forked from the main development trunk, e.g. the 1.5.x branch.


  • Correct 2.2.1 release - missing template files
  • Added a new paster template for Relying Party Authentication Services.
  • Fix to the OpenID Provider to warn the user if another user is already authenticated with the Provider.
  • Fix to ensure the SAML requestor whitelist option can be disabled.
  • Fix to the config settings for clock skew tolerance so that it is passed on to the SAML credential wallet.
  • Working version of httplib and urllib2 wrappers to PyOpenSSL.


Includes paster templates for creating ini files for a variety of configurations:

  1. Standalone OpenID Provider application
  2. SAML Attribute or Authorisation Service
  3. Configuration for securing a generic WSGI application
  4. Running a complete set of the security services in one WSGI stack.


Includes support for the ESGF Group/Role attribute value type for SAML queries and XACML policy. Also contains a fix for the clock skew tolerance check in SAML message validation.


Adds integration with XACML 2.0 implementation ndg_xacml, and SAML authorisation service interface.

1.5.x Branch

Maintained for some existing deployments. Uses custom authorisation interface.

See here for SubVersion development branch. See here for release snapshots.