SSO & SAML
🔥 Vibe Prompt
"Set up SAML SSO for a SaaS app. Connect to Google Workspace or Azure AD."
SAML Flow
User → SP (Service Provider) → IdP (Identity Provider) → Login → SAML Response → SP → Grant Access
Example:
- User visits app.myapp.com
- App redirects to Google Workspace (IdP)
- User logs in with Google credentials
- Google sends SAML Response (XML) back
- App verifies and grants access
SAML Response
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
  </saml:Assertion>
</samlp:Response>
```
SAML vs OIDC
| Aspect | SAML | OIDC |
|--------|------|------|
| Format | XML | JSON |
| Transport | HTTP redirect (POST) | HTTP redirect (GET/POST) |
| Use case | Enterprise SSO | Web/mobile apps |
| Complexity | High | Low |
| Maturity | 20+ years | 10+ years |
| Best for | Large orgs with AD | Modern apps, APIs |
Implementation with Python
```python
from onelogin.saml2.auth import OneLogin_Saml2_Auth
from onelogin.saml2.settings import OneLogin_Saml2_Settings
# SP/IdP config (entityId, ACS URL, IdP SSO URL, signing cert) read from saml/settings.json
settings = OneLogin_Saml2_Settings(custom_base_path="saml/")

def prepare_request(request):
    # python3-saml takes a plain dict describing the HTTP request (Flask-style request shown)
    return {
        "https": "on" if request.scheme == "https" else "off",
        "http_host": request.host,
        "script_name": request.path,
        "get_data": request.args.copy(),
        "post_data": request.form.copy(),
    }

def saml_login(request):
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    return auth.login()  # URL of the IdP SSO endpoint; redirect the browser there

def saml_acs(request):
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    auth.process_response()  # verifies signature, issuer, audience and validity window
    if auth.get_errors() or not auth.is_authenticated():
        return "Auth failed", 401
    attributes = auth.get_attributes()  # attribute name -> list of values
    email = attributes.get("email", [None])[0]
    role = attributes.get("role", ["user"])[0]
    return f"Welcome {email}! Role: {role}"
```
Key SAML Terms
| Term | Meaning |
|------|---------|
| SP (Service Provider) | Your app |
| IdP (Identity Provider) | Google, Azure AD, Okta |
| ACS URL | Where IdP sends SAML response |
| Entity ID | Unique identifier for SP |
| Metadata XML | Config exchange between SP & IdP |
| NameID | Unique user identifier (email) |
Best Practices
- Sign SAML requests and responses
- Use short assertion lifetimes (5 min)
- Validate issuer and audience
- Encrypt assertions for sensitive data
- Store IdP metadata securely
- Support automatic metadata refresh
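The issuer, audience and lifetime checks from the list above, written out as an added example (not code from the original page or from python3-saml). The response is a constructed sample that extends the page's assertion with the Issuer and Conditions elements a real IdP emits; the IdP and SP entity IDs are assumptions, and the XML signature is assumed to have been verified before these checks run.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # sample below is constructed; parse untrusted XML with defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.myapp.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(response_xml, expected_issuer, expected_audience, now,
                     max_lifetime=timedelta(minutes=5)):
    """Return the list of failed checks (empty means issuer, audience and time window all hold).
    Assumes the XML signature was already verified (python3-saml/xmlsec); only policy checks here."""
    failures = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    # Both the Response and the Assertion carry an Issuer; each must be the IdP we configured
    for issuer in root.findall(".//saml:Issuer", NS):
        if issuer.text != expected_issuer:
            failures.append(f"unexpected issuer {issuer.text!r}")
    # Audience must name our SP entity ID, or an assertion minted for another SP would be accepted
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        failures.append(f"audience {audiences} does not include our entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return failures + ["missing Conditions/NotBefore/NotOnOrAfter"]
    not_before, not_on_or_after = parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):  # NotOnOrAfter is exclusive
        failures.append("assertion outside its validity window")
    if not_on_or_after - not_before > max_lifetime:  # short lifetimes limit replay of a captured assertion
        failures.append("assertion lifetime exceeds policy")
    return failures
```

Libraries such as python3-saml perform these checks inside process_response(); the function above makes explicit what "validate issuer and audience" and "short assertion lifetimes" mean in terms of the XML.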
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
Why learn SSO & SAML?
SSO & SAML is one of the core chapters of the security-iam course.
In the real world
SSO and SAML are not textbook theory: they come up constantly in real software development. Whether you are freelancing, preparing for interviews, or looking to deepen your technical skills, understanding this topic will benefit you directly.
What you will gain from this chapter
- 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
- 💻 Runnable code: every code sample is complete and can be executed directly
- 🔍 Debugging skills: analysis of common errors and how to resolve them
- 🚀 Next steps: where to go deeper after finishing this chapter
Leading into the next chapter
This chapter has given you a complete knowledge base for SSO and SAML. The next chapter builds on it to explore more advanced real-world application scenarios, where you will learn to apply what you learned here to more complex problems.