SSO & SAML

🔥 Vibe Prompt

"Set up SAML SSO for a SaaS app. Connect to Google Workspace or Azure AD."

SAML Flow

User → SP (Service Provider) → IdP (Identity Provider) → Login → SAML Response → SP → Grant Access

Example:
- User visits app.myapp.com
- App redirects to Google Workspace (IdP)
- User logs in with Google credentials
- Google sends SAML Response (XML) back
- App verifies and grants access

SAML Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_EXAMPLE_ID" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <!-- ds:Signature over the Assertion goes here; the SP verifies it with the IdP certificate -->
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.myapp.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
  </saml:Assertion>
</samlp:Response>

SAML vs OIDC

| Aspect | SAML | OIDC |
|--------|------|------|
| Format | XML | JSON |
| Transport | HTTP redirect (POST) | HTTP redirect (GET/POST) |
| Use case | Enterprise SSO | Web/mobile apps |
| Complexity | High | Low |
| Maturity | 20+ years | 10+ years |
| Best for | Large orgs with AD | Modern apps, APIs |

Implementation with Python

from onelogin.saml2.auth import OneLogin_Saml2_Auth
from onelogin.saml2.settings import OneLogin_Saml2_Settings

settings = OneLogin_Saml2_Settings({  # "sp" = this app, "idp" = Google Workspace / Azure AD; placeholder values
    "strict": True,  # fail closed on any validation error (signature, issuer, audience, validity window)
    "sp": {"entityId": "https://app.myapp.com/saml/metadata",
           "assertionConsumerService": {"url": "https://app.myapp.com/saml/acs",
                                        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}},
    "idp": {"entityId": "IDP_ENTITY_ID_PLACEHOLDER",
            "singleSignOnService": {"url": "https://IDP_SSO_URL_PLACEHOLDER",
                                    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"},
            "x509cert": "IDP_SIGNING_CERT_PLACEHOLDER"},  # taken from the IdP metadata XML
    "security": {"wantAssertionsSigned": True, "wantMessagesSigned": True},
})

def prepare_request(request):  # python3-saml reads the HTTP request from a plain dict (Flask request shown)
    return {"https": "on" if request.is_secure else "off", "http_host": request.host,
            "script_name": request.path, "get_data": request.args.copy(), "post_data": request.form.copy()}

def saml_login(request):
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    return auth.login()  # Redirect to IdP

def saml_acs(request):
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    auth.process_response()  # verifies signature, issuer, audience and validity window
    if auth.is_authenticated() and not auth.get_errors():
        attributes = auth.get_attributes()
        email = attributes.get("email", [None])[0]
        role = attributes.get("role", ["user"])[0]  # IdP-asserted role; map it to app permissions
        return f"Welcome {email}! Role: {role}"
    return "Auth failed", 401

Key SAML Terms

| Term | Meaning |
|------|---------|
| SP (Service Provider) | Your app |
| IdP (Identity Provider) | Google, Azure AD, Okta |
| ACS URL | Where IdP sends SAML response |
| Entity ID | Unique identifier for SP |
| Metadata XML | Config exchange between SP & IdP |
| NameID | Unique user identifier (email) |

Best Practices

  • Sign SAML requests and responses
  • Use short assertion lifetimes (5 min)
  • Validate issuer and audience
  • Encrypt assertions for sensitive data
  • Store IdP metadata securely
  • Support automatic metadata refresh
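The following is an added example, not code from the tutorial or from python3-saml. It shows what "validate issuer and audience" and "short assertion lifetimes" mean on the SP side: a checker that walks a SAML Response of the shape shown earlier (plus the Issuer and Conditions elements a real IdP includes) and refuses it when the issuer is not the configured IdP, the Audience is not this SP, the validity window has passed or is longer than policy allows, the subject confirmation is not bearer, or no Signature element is present. The expected issuer and audience values, the 5-minute lifetime limit and the 60-second clock skew are assumptions; cryptographic verification of the XML signature is deliberately left to an xmlsec-backed library (python3-saml's process_response does it), and the sample response is constructed inline.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed SP-side policy (not from the tutorial): the IdP entityId we trust, our own
# entityId that must appear as Audience, the longest lifetime we accept, tolerated skew.
EXPECTED_ISSUER = "https://idp.example.com/metadata"
EXPECTED_AUDIENCE = "https://app.myapp.com/saml/metadata"
MAX_LIFETIME = timedelta(minutes=5)
CLOCK_SKEW = timedelta(seconds=60)


def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values such as 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(response_xml, now):
    """Apply the SP-side checks to a SAML Response; returns (ok, reason, claims).

    Assumes the XML signature was already verified by an xmlsec-backed library;
    here we only refuse an assertion that carries no Signature element at all."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element", {}
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is not signed", {}

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        return False, f"unexpected issuer {issuer!r}", {}

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter", {}
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now - CLOCK_SKEW >= not_on_or_after:
        return False, "assertion expired", {}
    if conditions.get("NotBefore") is not None:  # NotBefore is optional in SAML 2.0
        not_before = parse_saml_time(conditions.get("NotBefore"))
        if now + CLOCK_SKEW < not_before:
            return False, "assertion not yet valid", {}
        if not_on_or_after - not_before > MAX_LIFETIME:
            return False, "assertion lifetime exceeds policy", {}

    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        return False, f"audience mismatch {audiences}", {}

    subject = assertion.find("saml:Subject", NS)
    confirmation = subject.find("saml:SubjectConfirmation", NS) if subject is not None else None
    if confirmation is None or confirmation.get("Method") != BEARER:
        return False, "subject confirmation is not bearer", {}

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    name_id = subject.findtext("saml:NameID", namespaces=NS)
    return True, "ok", {"name_id": name_id, "attributes": attributes}


def make_response(issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE, signed=True,
                  not_before="2024-01-01T00:00:00Z", not_on_or_after="2024-01-01T00:05:00Z"):
    """Constructed sample response; the Signature element is a placeholder, not a real XML-DSig."""
    signature = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">PLACEHOLDER</ds:Signature>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_constructed" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    {signature}
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"/>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T00:01:00Z")
    print(check_assertion(make_response(), now))
    print(check_assertion(make_response(audience="https://other.example.com"), now))
    print(check_assertion(make_response(), parse_saml_time("2024-01-01T00:07:00Z")))
```

The order of the checks is deliberate: nothing from the assertion (NameID, role) is returned until every condition has passed, so a caller cannot accidentally use claims from a rejected response. The lifetime check is a local policy, which is why it is tied to NotBefore being present rather than to the IdP's own configuration.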

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials
