SSO & SAML
🔥 Vibe Prompt
"Set up SAML SSO for a SaaS app. Connect to Google Workspace or Azure AD."
SAML Flow
User → SP (Service Provider) → IdP (Identity Provider) → Login → SAML Response → SP → Grant Access
Example (SP-initiated):
- User visits app.myapp.com
- App finds no session, builds an AuthnRequest and redirects the browser to Google Workspace (IdP)
- User logs in with Google credentials
- Google returns a signed SAML Response (XML), which the browser POSTs to the app's ACS URL
- App verifies the signature and the assertion's issuer, audience and validity window, creates a session and grants access
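The redirect in step 2 and the bookkeeping the ACS needs in step 5, as an added example that is not code from the original page: the SP builds an AuthnRequest, wraps it in the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and later maps the RelayState back to the pending request. The entity IDs, the IdP URL and the in-memory `pending_requests` store are assumptions for the example; a real deployment takes the endpoints from IdP metadata and uses a shared store with a TTL. The request is left unsigned, which most IdPs accept unless AuthnRequest signing is required.

```python
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# Assumed SP and IdP configuration for this example (not real endpoints).
SP_ENTITY_ID = "https://app.myapp.com/saml/metadata"
ACS_URL = "https://app.myapp.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso"   # HTTP-Redirect SSO endpoint from IdP metadata
MAX_AGE = dt.timedelta(minutes=10)            # how long an outstanding AuthnRequest stays valid

# Outstanding AuthnRequests keyed by RelayState. In production use a shared store with a
# TTL (Redis etc.) so any SP instance can answer the ACS callback.
pending_requests = {}


def build_authn_request(return_to, now=None):
    """Step 2 of the flow: the SP creates an AuthnRequest for the IdP.
    Returns (request_id, relay_state, authn_request_xml)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    request_id = "_" + secrets.token_hex(16)      # XML IDs must not start with a digit
    relay_state = secrets.token_urlsafe(16)        # opaque token: the return URL stays server-side,
    pending_requests[relay_state] = {              # so a tampered RelayState cannot become an open redirect
        "id": request_id, "return_to": return_to, "issued": now}
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    return request_id, relay_state, xml


def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query parameters.
    (A signed request would add SigAlg and Signature parameters; omitted here.)"""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE without zlib header
    deflated = co.compress(authn_request_xml.encode("utf-8")) + co.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"


def decode_saml_request(url):
    """What the IdP does on arrival: reverse the binding and parse the AuthnRequest."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0], validate=True)
    d = zlib.decompressobj(-15)
    xml = d.decompress(deflated, 1 << 16)          # cap the inflated size: tiny input can inflate hugely
    if d.unconsumed_tail:
        raise ValueError("SAMLRequest too large after inflation")
    return ET.fromstring(xml)


def resolve_relay_state(relay_state, now=None):
    """At the ACS: look the RelayState up once and reject unknown or stale values.
    Returns (request_id, return_to) or None."""
    now = now or dt.datetime.now(dt.timezone.utc)
    entry = pending_requests.pop(relay_state, None)   # single use
    if entry is None or now - entry["issued"] > MAX_AGE:
        return None
    return entry["id"], entry["return_to"]
```

The request ID returned by `build_authn_request` is what the ACS later compares with the Response's `InResponseTo`; the RelayState only indexes that server-side record, so the IdP never sees the user's return URL and cannot be tricked into redirecting elsewhere.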
SAML Response
A minimal Response as the SP receives it at the ACS URL. Entity IDs are placeholders; the elements the SP must check are Issuer, Conditions (NotBefore/NotOnOrAfter, Audience), SubjectConfirmationData (Recipient, InResponseTo) and the Signature:
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="https://app.myapp.com/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <!-- <ds:Signature> over this Assertion goes here; the SP verifies it with the
         IdP certificate from metadata before trusting anything below -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.myapp.com/saml/acs"
                                      InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.myapp.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_s1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```
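What the SP has to check on a Response like the one above (the issuer, audience and lifetime checks the Best Practices section lists, plus replay and signature-wrapping defences), as an added example that is not the page's code: stdlib-only Python that applies the SP-side checks after the XML signature has been verified. Signature verification itself is delegated to an XML-DSig library such as xmlsec and is assumed to have run before `validate_response` is called; the entity IDs, ACS URL and the sample Response are constructed for the example.

```python
import datetime as dt
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://app.myapp.com/saml/metadata"   # SP-side configuration: assumed values
ACS_URL = "https://app.myapp.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml"
CLOCK_SKEW = dt.timedelta(seconds=60)

class SamlError(Exception):
    pass

def parse_ts(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing Z."""
    if not value:
        raise SamlError("missing timestamp")
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, expected_request_id, seen_ids, now):
    """SP-side checks on a Response whose XML signature was ALREADY verified (e.g. by xmlsec).
    seen_ids is the replay cache of accepted assertion IDs. Returns NameID and attributes."""
    if "<!DOCTYPE" in xml_text:                 # no DTDs: blocks XXE and entity-expansion payloads
        raise SamlError("DOCTYPE not allowed")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise SamlError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise SamlError("InResponseTo does not match our AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report Success")
    # Exactly one Assertion anywhere in the document: a second one (often tucked inside
    # ds:Signature/ds:Object) is the shape of an XML Signature Wrapping attack.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError(f"expected one Assertion, found {len(assertions)}")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    if now + CLOCK_SKEW < parse_ts(cond.get("NotBefore")):
        raise SamlError("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlError("Audience does not include this SP")
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                 "/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != expected_request_id):
        raise SamlError("bearer SubjectConfirmationData mismatch")
    if now - CLOCK_SKEW >= parse_ts(scd.get("NotOnOrAfter")):
        raise SamlError("bearer confirmation expired")
    aid = a.get("ID")
    if not aid or aid in seen_ids:
        raise SamlError("assertion ID missing or already used (replay)")
    seen_ids.add(aid)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def is_rejected(xml_text, expected_request_id, seen_ids, now):
    try:
        validate_response(xml_text, expected_request_id, seen_ids, now)
        return False
    except SamlError:
        return True

# Constructed sample matching the Response shown above (not captured from a real IdP).
SAMPLE_NOW = dt.datetime(2024, 1, 1, 0, 1, tzinfo=dt.timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + dt.timedelta(minutes=10)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData Recipient="{ACS_URL}"
        InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions><saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# Same document with a second, unsigned Assertion appended (signature-wrapping shape).
SAMPLE_WRAPPED = SAMPLE_RESPONSE.replace(
    "</samlp:Response>", '<saml:Assertion ID="_evil" Version="2.0"/></samlp:Response>')
```

The order of checks matters less than their completeness: a Response that is correctly signed by the right IdP can still be for another SP (Audience), for another endpoint (Destination/Recipient), unsolicited (InResponseTo), stale, or a replay. The replay cache only needs to remember IDs for the assertion lifetime plus clock skew, which is why short lifetimes keep it small.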
SAML vs OIDC
| Aspect | SAML | OIDC |
|--------|------|------|
| Format | XML assertions with XML Signature | JSON (JWT ID token) |
| Transport | Browser redirects: HTTP-Redirect and HTTP-POST bindings | Browser redirects plus a back-channel HTTPS call to the token endpoint |
| Use case | Enterprise SSO | Web/mobile apps |
| Complexity | High | Low |
| Maturity | 20+ years (SAML 1.0 in 2002, SAML 2.0 in 2005) | 10+ years (OIDC 1.0 in 2014) |
| Best for | Large orgs with AD and enterprise IdPs | Modern apps, APIs |
Implementation with Python (python3-saml)
```python
from flask import redirect, session   # Flask assumed; python3-saml takes a plain dict, not the framework request
from onelogin.saml2.auth import OneLogin_Saml2_Auth
# `settings` is the python3-saml settings dict: sp/idp entity IDs, ACS URL, IdP x509 cert, "strict": True, ...

def prepare_request(request):
    return {
        "https": "on" if request.scheme == "https" else "off",
        "http_host": request.host,
        "script_name": request.path,
        "get_data": request.args.copy(), "post_data": request.form.copy(),
    }

def saml_login(request):
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    url = auth.login()                                       # builds the AuthnRequest, returns the IdP redirect URL
    session["AuthNRequestID"] = auth.get_last_request_id()  # kept so the ACS can check InResponseTo
    return redirect(url)

def saml_acs(request):
    auth = OneLogin_Saml2_Auth(prepare_request(request), settings)
    # In strict mode this verifies signature, issuer, audience, timestamps and InResponseTo
    auth.process_response(request_id=session.pop("AuthNRequestID", None))
    if auth.get_errors() or not auth.is_authenticated():
        return "Auth failed", 401
    attributes = auth.get_attributes()                       # attribute name -> list of values
    email = attributes.get("email", [None])[0]
    role = attributes.get("role", ["user"])[0]
    return f"Welcome {email}! Role: {role}"
```
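The `settings` the code above relies on decides how much of the validation actually runs. As an added example, not the library's own sample: a settings dict in the layout python3-saml reads (top-level `strict`/`debug`, then `sp`, `idp`, `security`), first with the weak values people leave in from debugging, then a small linter that flags what must change and a function that produces the production copy. The key names follow python3-saml's settings.json and advanced_settings.json; this block does not import the library, so confirm them against the version you install. Entity IDs, URLs and the certificate string are placeholders.

```python
import copy

# Constructed settings dict in the layout python3-saml reads (key names from its
# settings.json / advanced_settings.json; verify against your installed version).
WEAK_SETTINGS = {
    "strict": False,                       # relaxes almost every validation; debugging only
    "debug": True,                         # error details reach the browser
    "sp": {
        "entityId": "https://app.myapp.com/saml/metadata",
        "assertionConsumerService": {
            "url": "http://app.myapp.com/saml/acs",     # plain HTTP
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        },
    },
    "idp": {
        "entityId": "https://idp.example.com/saml",
        "singleSignOnService": {
            "url": "https://idp.example.com/sso",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
        },
        "x509cert": "",                    # nothing to verify signatures against
    },
    "security": {
        "wantAssertionsSigned": False,
        "wantMessagesSigned": False,
        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
        "rejectDeprecatedAlgorithm": False,
    },
}

def lint_saml_settings(s):
    """Findings an SP must clear before shipping these settings."""
    findings = []
    sec = s.get("security", {})
    acs_url = s.get("sp", {}).get("assertionConsumerService", {}).get("url", "")
    if not s.get("strict"):
        findings.append("strict is off: issuer, audience, timestamps and InResponseTo are not enforced")
    if s.get("debug"):
        findings.append("debug is on: validation errors are returned to the user")
    if not (sec.get("wantAssertionsSigned") or sec.get("wantMessagesSigned")):
        findings.append("neither assertions nor messages have to be signed")
    if not s.get("idp", {}).get("x509cert"):
        findings.append("no IdP x509cert: there is nothing to verify signatures against")
    if not acs_url.startswith("https://"):
        findings.append("ACS URL is not https: the bearer assertion travels in the clear")
    if "sha1" in sec.get("signatureAlgorithm", "") or "sha1" in sec.get("digestAlgorithm", ""):
        findings.append("SHA-1 signature or digest algorithm configured")
    if not sec.get("rejectDeprecatedAlgorithm"):
        findings.append("rejectDeprecatedAlgorithm is off: SHA-1 signed responses are still accepted")
    return findings

def harden(s, idp_cert_pem):
    """Copy of the settings with production values; idp_cert_pem is the signing cert from IdP metadata."""
    h = copy.deepcopy(s)
    h["strict"], h["debug"] = True, False
    h["sp"]["assertionConsumerService"]["url"] = \
        h["sp"]["assertionConsumerService"]["url"].replace("http://", "https://", 1)
    h["idp"]["x509cert"] = idp_cert_pem
    h["security"].update({
        "wantAssertionsSigned": True,
        "wantMessagesSigned": True,
        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
        "rejectDeprecatedAlgorithm": True,
    })
    return h
```

Run `lint_saml_settings` in CI against the settings file you deploy; `strict: False` in particular is easy to leave behind after debugging an IdP integration and silently disables most of the checks the ACS handler above assumes are happening.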
Key SAML Terms
| Term | Meaning |
|------|---------|
| SP (Service Provider) | Your app |
| IdP (Identity Provider) | Google Workspace, Azure AD (now Microsoft Entra ID), Okta |
| ACS URL | Assertion Consumer Service: the SP endpoint the IdP sends the SAML Response to (via the browser) |
| Entity ID | Unique identifier for the SP (the IdP has one too); checked against Audience and Issuer |
| Metadata XML | Config exchange between SP and IdP: entity IDs, endpoints, signing certificates |
| NameID | Unique user identifier (an email address or a persistent opaque ID, depending on the NameID Format) |
Best Practices
- Require signed assertions (or responses) from the IdP and verify them against the IdP certificate from its metadata; sign AuthnRequests where the IdP supports it
- Use short assertion lifetimes (about 5 minutes) and tolerate only a small clock skew
- Validate issuer, audience, destination/recipient and InResponseTo, and reject an assertion ID you have already accepted (replay)
- Encrypt assertions for sensitive data
- Store IdP metadata securely and pin the signing certificate it contains
- Support automatic metadata refresh so IdP certificate rotation does not break login
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
SSO & SAML: Enterprise Identity Management
What is SSO?
SSO (Single Sign-On) lets a user log in once and then access multiple systems, for example using a Google account to sign in to Slack, Notion and Figma. Under the hood this runs on the SAML or OIDC protocol.
How the SAML flow works
The user tries to access the Service Provider (SP)
→ The SP finds no session and redirects the browser to the Identity Provider (IdP)
→ The user logs in at the IdP (for example Google Workspace or Okta)
→ The IdP issues a SAML Assertion (a signed XML document)
→ The SP verifies the assertion (signature, issuer, audience, validity window), creates a session and allows access
IAM vs SSO
| Comparison | AWS IAM | SSO / IAM Identity Center |
|:----|:-------|:--------------------|
| Scope | A single AWS account | Multiple AWS accounts plus other SaaS apps |
| User source | IAM users (managed on their own) | Okta, Azure AD, Google Workspace |
| Suitable scale | Small teams (under 10 people) | Enterprises (over 10 people) |
Next chapter preview
This IAM course has gone from the basic concepts through OAuth/OIDC to SSO/SAML; you can now design an enterprise-grade identity and access management architecture.