SSO & SAML

🔥 Vibe Prompt

"Set up SAML SSO for a SaaS app. Connect to Google Workspace or Azure AD."

SAML Flow

User → SP (Service Provider) → redirect to IdP (Identity Provider) → Login → SAML Response (browser POST to the SP's ACS URL) → SP verifies → Grant Access

Example (SP-initiated flow):
- User visits app.myapp.com
- App builds a SAML AuthnRequest and redirects the browser to Google Workspace (IdP)
- User logs in with Google credentials (plus whatever MFA the IdP enforces)
- Google returns a signed SAML Response (XML) to the app's ACS URL, carried by the user's browser (HTTP-POST binding)
- App verifies the signature, issuer, audience and validity window, then grants access and creates its own session
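The redirect in step 2, as an added example (not code from the page or from python3-saml): the SP builds an AuthnRequest, encodes it with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), and the IdP reverses the encoding on receipt. The entity ID, ACS URL and IdP SSO URL are placeholders.

```python
"""SP-initiated SAML, step 2: build an AuthnRequest and send the browser to the IdP
with the HTTP-Redirect binding. Added example; entity IDs and URLs are placeholders."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def new_request_id() -> str:
    # XML IDs may not start with a digit, so prefix the random value. The SP keeps
    # this ID in the server-side session and later checks InResponseTo against it.
    return "_" + secrets.token_hex(20)


def utc_now_iso() -> str:
    # SAML IssueInstant is xs:dateTime in UTC with a trailing Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str,
                        request_id: str, issue_instant: str) -> str:
    """Return the AuthnRequest XML. No XML signature here: with HTTP-Redirect the
    signature travels in the query string (SigAlg/Signature), not inside the XML."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,   # where the IdP must POST the Response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_sso_url: str, authn_request_xml: str, relay_state: str = "") -> str:
    """Encode the request per the HTTP-Redirect binding and append it to the IdP SSO URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state           # opaque to the IdP; treat it as untrusted on return
    sep = "&" if urllib.parse.urlparse(idp_sso_url).query else "?"
    return idp_sso_url + sep + urllib.parse.urlencode(params)


def decode_saml_request(url: str) -> str:
    """What the IdP does on receipt: reverse the binding to recover the XML."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


if __name__ == "__main__":
    rid = new_request_id()
    xml = build_authn_request("https://app.myapp.com/saml/metadata", "https://app.myapp.com/saml/acs",
                              "https://idp.example.com/sso", rid, utc_now_iso())
    url = redirect_binding_url("https://idp.example.com/sso", xml, relay_state="/dashboard")
    print(url)
    assert decode_saml_request(url) == xml
```

This is the work that `auth.login()` in python3-saml does for you. Two things matter for security here: the request ID must be stored server-side so the ACS can reject a Response whose InResponseTo does not match a request this SP actually issued, and RelayState comes back from the browser unchanged, so validate it as a relative path before redirecting to it, or it becomes an open redirect.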

SAML Response

A simplified Response as posted to the ACS URL. The Signature, the five-minute validity window and the Audience, Recipient and InResponseTo fields are what the SP checks before it trusts the NameID or any attribute:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="https://app.myapp.com/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <!-- <ds:Signature> over this Assertion goes here; verify it before trusting anything below -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
                                      Recipient="https://app.myapp.com/saml/acs"
                                      NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.myapp.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_s1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

SAML vs OIDC

| Aspect | SAML 2.0 | OIDC |
|--------|----------|------|
| Format | XML, signed with XML-DSig | JSON; ID token is a JWT signed with JWS |
| Transport | Browser redirects: HTTP-Redirect (GET) and HTTP-POST bindings | Browser redirect (GET) for the authorization request, JSON over HTTPS at the token endpoint |
| Use case | Enterprise SSO | Web/mobile apps |
| Complexity | High (XML parsing and signature validation are error-prone) | Low |
| Maturity | 20+ years (SAML 2.0 ratified in 2005) | 10+ years (OIDC Core finalized in 2014) |
| Best for | Large orgs with AD | Modern apps, APIs |

Implementation with Python (python3-saml and Flask)

from flask import Flask, redirect, request, session
from onelogin.saml2.auth import OneLogin_Saml2_Auth

app = Flask(__name__)
app.secret_key = "replace-with-a-random-secret"   # signs the session cookie; load it from a secret store
SAML_PATH = "/etc/myapp/saml"   # placeholder; holds settings.json / advanced_settings.json (SP entity ID, ACS URL, IdP cert)

def prepare_flask_request(req):
    # python3-saml does not read the framework request object; it expects this dict
    return {"https": "on" if req.scheme == "https" else "off", "http_host": req.host,
            "script_name": req.path, "get_data": req.args.copy(), "post_data": req.form.copy()}

@app.route("/saml/login")
def saml_login():
    auth = OneLogin_Saml2_Auth(prepare_flask_request(request), custom_base_path=SAML_PATH)
    url = auth.login()                                        # builds the AuthnRequest, returns the IdP redirect URL
    session["authn_request_id"] = auth.get_last_request_id()  # kept so the ACS can check InResponseTo
    return redirect(url)

@app.route("/saml/acs", methods=["POST"])
def saml_acs():
    auth = OneLogin_Saml2_Auth(prepare_flask_request(request), custom_base_path=SAML_PATH)
    # Verifies signature, issuer, audience, Destination, validity window and InResponseTo
    auth.process_response(request_id=session.pop("authn_request_id", None))
    if auth.get_errors() or not auth.is_authenticated():
        return f"Auth failed: {auth.get_last_error_reason()}", 401
    attributes = auth.get_attributes()                        # {attribute name: [values]}
    email = attributes.get("email", [auth.get_nameid()])[0]
    role = attributes.get("role", ["user"])[0]                # IdP-asserted; map it onto your own authorization model
    return f"Welcome {email}! Role: {role}"

Key SAML Terms

| Term | Meaning |
|------|---------|
| SP (Service Provider) | Your app; it relies on the IdP for authentication |
| IdP (Identity Provider) | Google Workspace, Azure AD, Okta; authenticates the user and issues signed assertions |
| ACS URL (Assertion Consumer Service) | The SP endpoint where the IdP posts the SAML Response |
| Entity ID | Unique identifier (a URI) for the SP or IdP; appears as Issuer and as Audience |
| Metadata XML | Config exchange between SP and IdP: entity IDs, endpoints, signing certificates |
| NameID | Unique user identifier; often an email address, better a persistent opaque ID that survives renames |

Best Practices

  • Sign SAML requests and responses; require signed assertions and verify them against the IdP certificate from metadata before reading any attribute
  • Use short assertion lifetimes (about 5 min) with a small clock-skew allowance
  • Validate issuer, audience, Destination/Recipient and InResponseTo, and reject assertion IDs you have already consumed (replay)
  • Encrypt assertions for sensitive data
  • Store IdP metadata securely
  • Support automatic metadata refresh so IdP certificate rotation does not break login
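The verification step at the end of the flow and the validation practices listed above, as an added example that is not code from the page or from python3-saml. It implements the checks that follow XML signature verification; the signature itself must be verified first (xmlsec or python3-saml), and on the same Assertion element checked here, otherwise an attacker can wrap an unsigned assertion next to the signed one. Issuer, audience and URLs are placeholders and sample_assertion() is a constructed fixture.

```python
"""Post-signature checks an SP runs before trusting an assertion. Signature
verification is out of scope here and must already have passed on this element.
Added example; issuer, audience and URLs are placeholders, fixture is constructed."""
import xml.etree.ElementTree as ET   # production code: parse with defusedxml to block entity expansion
from datetime import datetime, timedelta

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
SKEW = timedelta(seconds=60)         # tolerate small IdP/SP clock drift, no more

class SamlValidationError(Exception):
    pass

def parse_ts(value: str) -> datetime:
    # SAML timestamps are xs:dateTime in UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(assertion_xml: str, *, expected_issuer: str, expected_audience: str,
                    expected_recipient: str, expected_in_response_to: str,
                    now: datetime, seen_ids: set) -> dict:
    a = ET.fromstring(assertion_xml)
    if a.tag != f"{{{SAML}}}Assertion":
        raise SamlValidationError("not an Assertion element")
    # 1. Issuer: the IdP we configured, not merely any entity whose signature verifies
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise SamlValidationError(f"unexpected issuer {issuer!r}")
    # 2. Validity window; a mandatory NotOnOrAfter keeps the replay window short
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise SamlValidationError("missing Conditions/NotOnOrAfter")
    if cond.get("NotBefore") and now + SKEW < parse_ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - SKEW >= parse_ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    # 3. Audience: an assertion minted for another SP must not log anyone in here
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlValidationError(f"audience {audiences} does not include this SP")
    # 4. Bearer confirmation bound to our ACS URL and to the AuthnRequest we actually sent
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_recipient:
        raise SamlValidationError("Recipient is not our ACS URL")
    if scd.get("InResponseTo") != expected_in_response_to:
        raise SamlValidationError("InResponseTo does not match the pending request")
    # 5. Replay: accept each assertion ID once; cache IDs at least until NotOnOrAfter
    aid = a.get("ID")
    if aid in seen_ids:
        raise SamlValidationError(f"assertion {aid} already consumed")
    seen_ids.add(aid)
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id, "attributes": attrs}

def sample_assertion(audience="https://app.myapp.com/saml/metadata",
                     not_on_or_after="2024-01-01T00:05:00Z", assertion_id="_a1") -> str:
    # Constructed fixture; ds:Signature omitted because signature handling is out of scope here
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://app.myapp.com/saml/acs"
                                    NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def validate_sample(now_iso="2024-01-01T00:01:00Z", seen=None, **fixture) -> dict:
    """Run check_assertion over a sample_assertion() variant with this SP's expected values."""
    return check_assertion(sample_assertion(**fixture), expected_issuer="https://idp.example.com",
                           expected_audience="https://app.myapp.com/saml/metadata",
                           expected_recipient="https://app.myapp.com/saml/acs",
                           expected_in_response_to="_req1", now=parse_ts(now_iso),
                           seen_ids=seen if seen is not None else set())

def rejected(now_iso="2024-01-01T00:01:00Z", seen=None, **fixture) -> bool:
    """True when the validator refuses the variant, False when it accepts it."""
    try:
        validate_sample(now_iso, seen, **fixture)
        return False
    except SamlValidationError:
        return True

if __name__ == "__main__":
    print(validate_sample())
    print("replay rejected:", rejected(seen=set(["_a1"])))
```

Every one of these checks maps to a library setting in python3-saml (`wantAssertionsSigned`, `strict`, the `request_id` passed to `process_response`), which is why the earlier Flask code is so short; the point of spelling them out is to know what a misconfigured `strict: false` or a missing `request_id` silently turns off.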

Key Points

  • The SP never sees the user's password; it trusts a signed assertion issued by the IdP
  • An assertion is only as trustworthy as its verification: signature, issuer, audience, validity window and InResponseTo must all pass before any attribute is read
  • Attributes such as role are asserted by the IdP; map them onto your own authorization model and default unknown values to least privilege
  • Use a maintained library such as python3-saml rather than hand-rolled XML parsing; XML signature validation is easy to get wrong

Further Learning

  • Official documentation: the OASIS SAML 2.0 Core and Bindings specifications, and the Google Workspace and Azure AD guides for adding a custom SAML app
  • Open source projects on GitHub: python3-saml (SAML-Toolkits) and its Flask/Django demos
  • OWASP SAML Security Cheat Sheet for the validation checklist
  • Community forums and discussions, and related courses and tutorials


Why learn SSO and SAML?

SSO and SAML is one of the core chapters of the security-iam course.

In the real world

SSO and SAML are not textbook theory: they come up constantly in real software development. Whether you are doing contract work, preparing for interviews, or want to deepen your technical skills, understanding this topic will benefit you directly.

What you will gain from this chapter

  • 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
  • 💻 Runnable code: every snippet is complete and can be run directly
  • 🔍 Debugging techniques: analysis of common errors and their fixes
  • 🚀 Next steps: which direction to go deeper in after finishing

Bridging to the next chapter

This chapter gives you a complete foundation in SSO and SAML. The next chapter builds on it to explore more advanced real-world scenarios, showing how to apply what you learned here to more complex problems.

Unlock the full tutorial content

This chapter is paid content. Join the project to unlock over 5,000 words of in-depth analysis, including 10+ top-tier prompts and real source code examples!