SSO & SAML
Vibe Prompt
"Set up SAML SSO for a SaaS app. Connect to Google Workspace or Azure AD."
SAML Flow
User → SP (Service Provider) → IdP (Identity Provider) → Login → SAML Response → SP → Grant Access
Example:
- User visits app.myapp.com
- App redirects to Google Workspace (IdP)
- User logs in with Google credentials
- Google POSTs a signed SAML Response (XML) to the app's ACS URL
- App verifies the signature, issuer, audience and validity window, then grants access
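The first half of that flow, the SP building an AuthnRequest and sending the user to the IdP, is shown below as an added example in plain Python (it is not code from the page, from Google or from any SAML library). The Entity ID, ACS URL and IdP SSO URL are placeholder assumptions. It demonstrates the HTTP-Redirect binding encoding (raw DEFLATE, base64, URL-encode) and why the SP has to remember the request ID it issued: the Response that comes back must carry it in InResponseTo.

```python
"""SP side of the SAML flow: AuthnRequest + HTTP-Redirect binding.
Added example using only the standard library; all URLs are assumed placeholders."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SP_ENTITY_ID = "https://app.myapp.com/saml/metadata"  # assumed SP Entity ID
ACS_URL = "https://app.myapp.com/saml/acs"            # assumed ACS URL
IDP_SSO_URL = "https://idp.example.com/sso"           # assumed IdP SSO endpoint

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(now=None):
    """Return (request_id, xml_bytes). The ID is random so an attacker cannot
    forge a Response whose InResponseTo matches a request the SP never made."""
    request_id = "_" + secrets.token_hex(16)
    now = now or datetime.now(timezone.utc)
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" '
        f'IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )
    return request_id, xml.encode()


def redirect_binding_url(xml_bytes, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    # wbits=-15 produces a raw DEFLATE stream without the zlib header, as the binding requires
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state  # opaque return-to hint, echoed back by the IdP
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_binding(url):
    """What the IdP does on receipt: the exact inverse of redirect_binding_url."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15)


def parse_authn_request(xml_bytes):
    """Pull out the fields the IdP needs to answer the request."""
    root = ET.fromstring(xml_bytes)
    return {
        "id": root.get("ID"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
    }


def sp_start_login(session, relay_state=None):
    """GET /saml/login handler logic: issue a request, pin its ID in the user's
    session (a dict here), and return the URL to redirect the browser to.
    The ACS handler later compares the Response's InResponseTo with this ID."""
    request_id, xml = build_authn_request()
    session["saml_request_id"] = request_id
    return redirect_binding_url(xml, relay_state)


if __name__ == "__main__":
    session = {}
    url = sp_start_login(session, relay_state="/dashboard")
    print(url)
    print(parse_authn_request(decode_redirect_binding(url)))
```

The IdP-side helpers are included only to show that the round trip is lossless; a real IdP also validates the Issuer against its registered SPs and refuses an AssertionConsumerServiceURL that is not in that SP's metadata.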
SAML Response
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Version="2.0" ID="_response-1" InResponseTo="_request-1"
                Destination="https://app.myapp.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="_assertion-1" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <!-- ds:Signature over this Assertion (or the whole Response) omitted; the SP must verify it -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_request-1"
                                      Recipient="https://app.myapp.com/saml/acs"
                                      NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.myapp.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
SAML vs OIDC
| Aspect | SAML | OIDC |
|--------|------|------|
| Format | XML (signed with XML-DSig) | JSON (JWT, signed with JWS) |
| Transport | HTTP Redirect and HTTP POST bindings via the browser | Browser redirect for the authorization request, plus a back-channel HTTPS token endpoint |
| Use case | Enterprise SSO | Web/mobile apps |
| Complexity | High | Low |
| Maturity | 20+ years (SAML 2.0, 2005) | 10+ years (2014) |
| Best for | Large orgs with Active Directory / enterprise IdPs | Modern apps, APIs |
Implementation with Python
# python3-saml (package: python3-saml). Flask is assumed for the request/session
# objects; `settings` is the python3-saml settings dict (sp/idp sections,
# normally loaded from settings.json). The library wants the inbound HTTP
# request described as a plain dict, not the framework object itself.
from flask import abort, redirect, request, session
from onelogin.saml2.auth import OneLogin_Saml2_Auth

def prepare_request(req):
    return {"https": "on" if req.scheme == "https" else "off",
            "http_host": req.host, "script_name": req.path,
            "get_data": req.args.copy(), "post_data": req.form.copy()}

def saml_login():
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    url = auth.login()  # builds the AuthnRequest and returns the IdP SSO URL
    session["authn_request_id"] = auth.get_last_request_id()  # needed for InResponseTo
    return redirect(url)

def saml_acs():
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    auth.process_response(request_id=session.pop("authn_request_id", None))
    # process_response() validates signature, issuer, audience, timestamps and
    # InResponseTo; any problem lands in get_errors(), so check it explicitly
    if auth.get_errors() or not auth.is_authenticated():
        abort(401)
    attributes = auth.get_attributes()  # attribute name -> list of values
    email = attributes.get("email", [None])[0]
    role = attributes.get("role", ["user"])[0]
    return f"Welcome {email}! Role: {role}"
Key SAML Terms
| Term | Meaning |
|------|---------|
| SP (Service Provider) | Your app |
| IdP (Identity Provider) | Google Workspace, Azure AD, Okta |
| ACS URL | Assertion Consumer Service: the SP endpoint the IdP POSTs the SAML Response to |
| Entity ID | Unique identifier (a URI) for the SP; it is also the Audience the IdP puts in assertions |
| Metadata XML | Config exchange between SP and IdP: Entity IDs, endpoints, signing certificates |
| NameID | Subject identifier asserted by the IdP (often the email; a persistent opaque ID is safer for account linking because emails change) |
Best Practices
- Require signed assertions (or responses) and verify the signature against the certificate from the IdP's metadata; sign your AuthnRequests when the IdP supports it
- Use short assertion lifetimes (about 5 minutes) and enforce NotBefore/NotOnOrAfter with only a small clock-skew allowance
- Validate Issuer, Audience (your Entity ID) and Recipient (your ACS URL) on every assertion
- Tie each response to a request you issued: check InResponseTo and accept each assertion ID only once
- Encrypt assertions when they carry sensitive attributes
- Parse the XML with a hardened parser (no external entities, no DTDs) and reject responses with more or fewer than one assertion
- Store IdP metadata securely and support automatic metadata refresh so certificate rotation does not break logins
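The checks above, applied to the SAML Response shown earlier, as an added example written for this page (it is not python3-saml's code or any IdP's). It assumes the SP configuration in `EXPECTED`; `sample_response()` is a constructed message, not a captured one. Signature verification itself is left to an XML-DSig library such as xmlsec and must run before these checks; the example only refuses assertions that carry no `ds:Signature` at all. Everything else in Best Practices that can be checked without crypto is here: issuer, audience, validity window, bearer confirmation bound to our ACS URL and request ID, and one-time use of each assertion ID.

```python
"""SP-side semantic validation of a SAML Response. Added example, not library code;
EXPECTED holds assumed SP settings and sample_response() is a constructed message."""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET  # production: defusedxml.ElementTree (XXE, entity bombs)

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EXPECTED = {"issuer": "https://idp.example.com",               # assumed IdP Entity ID
            "audience": "https://app.myapp.com/saml/metadata",  # assumed SP Entity ID
            "acs": "https://app.myapp.com/saml/acs"}            # assumed ACS URL
CLOCK_SKEW = timedelta(minutes=3)
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # fixed "now" so the demo is reproducible


class SamlValidationError(Exception):
    pass


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_bytes, request_id, now, seen_assertion_ids, expected=EXPECTED):
    """Return (name_id, attributes) or raise SamlValidationError. Call only after
    xmlsec has verified the signature; here we just refuse unsigned assertions."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise SamlValidationError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second assertion is the classic wrapping trick
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        raise SamlValidationError("Assertion is not signed")
    if a.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        raise SamlValidationError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if noa is None or now >= _ts(noa) + CLOCK_SKEW or (nb and now < _ts(nb) - CLOCK_SKEW):
        raise SamlValidationError("Assertion outside its validity window")
    if expected["audience"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("Assertion not addressed to this SP")
    scd = next((sc.find("saml:SubjectConfirmationData", NS)
                for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS)
                if sc.get("Method") == BEARER), None)
    if scd is None:
        raise SamlValidationError("no bearer SubjectConfirmation")
    if scd.get("Recipient") != expected["acs"] or scd.get("InResponseTo") != request_id:
        raise SamlValidationError("bearer confirmation not bound to our ACS URL / request")
    if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlValidationError("bearer confirmation expired")
    if a.get("ID") in seen_assertion_ids:  # remember IDs until NotOnOrAfter has passed
        raise SamlValidationError("replayed Assertion")
    seen_assertion_ids.add(a.get("ID"))
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def sample_response(audience=EXPECTED["audience"], not_on_or_after="2024-01-01T00:05:00Z",
                    in_response_to="_request-1", signed=True):
    """Constructed sample (not from a real IdP); the empty ds:Signature stands in for a real one."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_response-1">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_assertion-1" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{EXPECTED["issuer"]}</saml:Issuer>{sig}
  <saml:Subject><saml:NameID>user@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
    InResponseTo="{in_response_to}" Recipient="{EXPECTED["acs"]}" NotOnOrAfter="{not_on_or_after}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>'''.encode()


def is_rejected(xml_bytes, request_id="_request-1", now=NOW, seen=None):
    """True if validate_response refuses the input (demo helper)."""
    try:
        validate_response(xml_bytes, request_id, now, set() if seen is None else seen)
        return False
    except SamlValidationError:
        return True
```

Usage: `validate_response(sample_response(), "_request-1", NOW, set())` returns `("user@example.com", {"email": [...], "role": ["admin"]})`, while the same response with a foreign audience, an expired `NotOnOrAfter`, a mismatched `InResponseTo`, no signature, or an already-seen assertion ID is rejected. Note that the `role` attribute is only as trustworthy as the IdP that signed it; map IdP attributes to local authorization explicitly rather than granting admin to any IdP that sends the string.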
Key Points
- The SP never trusts a SAML Response on sight: it verifies the IdP signature, then Issuer, Audience, validity window and InResponseTo before reading NameID or attributes
- Attributes such as role are claims from the IdP; map them to local permissions explicitly and only for IdPs whose metadata you have registered
- Entity ID, ACS URL and the IdP's signing certificate are exchanged through metadata XML; keep it current so certificate rotation does not break logins
- SAML fits enterprise IdPs (Google Workspace, Azure AD, Okta); OIDC is the lighter choice for modern web and mobile apps and APIs
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials