SSO & SAML

🔥 Vibe Prompt

"Set up SAML SSO for a SaaS app. Connect to Google Workspace or Azure AD."

SAML Flow

User → SP (Service Provider) → IdP (Identity Provider) → Login → SAML Response → SP → Grant Access

Example:
- User visits app.myapp.com
- App redirects to Google Workspace (IdP)
- User logs in with Google credentials
- Google sends SAML Response (XML) back
- App verifies and grants access

SAML Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
  </saml:Assertion>
</samlp:Response>

SAML vs OIDC

| Aspect | SAML | OIDC |
|--------|------|------|
| Format | XML | JSON |
| Transport | HTTP redirect (POST) | HTTP redirect (GET/POST) |
| Use case | Enterprise SSO | Web/mobile apps |
| Complexity | High | Low |
| Maturity | 20+ years | 10+ years |
| Best for | Large orgs with AD | Modern apps, APIs |

Implementation with Python

from flask import redirect  # assumed web framework: the view functions below return Flask responses
from onelogin.saml2.auth import OneLogin_Saml2_Auth
from onelogin.saml2.settings import OneLogin_Saml2_Settings

# SP and IdP configuration (entity IDs, ACS URL, IdP SSO URL, certificates) loaded from
# ./saml/settings.json and ./saml/advanced_settings.json
settings = OneLogin_Saml2_Settings(custom_base_path="saml")

def prepare_saml_request(req):
    """python3-saml expects a plain dict describing the incoming HTTP request."""
    return {
        "https": "on" if req.scheme == "https" else "off",
        "http_host": req.host,
        "script_name": req.path,
        "get_data": req.args.copy(),
        "post_data": req.form.copy(),
    }

def saml_login(request):
    auth = OneLogin_Saml2_Auth(prepare_saml_request(request), settings)
    return redirect(auth.login())  # login() returns the IdP SSO URL carrying the AuthnRequest

def saml_acs(request):
    auth = OneLogin_Saml2_Auth(prepare_saml_request(request), settings)
    auth.process_response()  # verifies signature, issuer, audience and time conditions
    if auth.get_errors() or not auth.is_authenticated():
        return "Auth failed", 401
    attributes = auth.get_attributes()  # dict of attribute name -> list of values
    email = attributes.get("email", [None])[0]
    role = attributes.get("role", ["user"])[0]
    return f"Welcome {email}! Role: {role}"

Key SAML Terms

| Term | Meaning |
|------|---------|
| SP (Service Provider) | Your app |
| IdP (Identity Provider) | Google, Azure AD, Okta |
| ACS URL | Where IdP sends SAML response |
| Entity ID | Unique identifier for SP |
| Metadata XML | Config exchange between SP & IdP |
| NameID | Unique user identifier (email) |

Best Practices

  • Sign SAML requests and responses
  • Use short assertion lifetimes (5 min)
  • Validate issuer and audience
  • Encrypt assertions for sensitive data
  • Store IdP metadata securely
  • Support automatic metadata refresh
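The issuer, audience and lifetime checks from the list above, as an added example that is not part of this course's code: it runs over a constructed SAML Response modelled on the one shown earlier, with placeholder IdP entity ID, SP entity ID and ACS URL, and assumes the XML signature has already been verified by the SAML library before these checks run.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # parse untrusted SAML with defusedxml in production
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed sample: the page's response plus the Issuer, Conditions and
# SubjectConfirmationData elements a real IdP emits and these checks depend on.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="https://app.myapp.com/saml/acs" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.myapp.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, issuer, audience, acs_url, now, skew=timedelta(seconds=60)):
    """Return failed checks (empty list = accepted); assumes the XML signature was already verified."""
    errors = []
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        errors.append("issuer mismatch")  # assertion must come from the configured IdP
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            errors.append("assertion not yet valid")
        if noa and now - skew >= parse_saml_time(noa):  # short lifetime limits replay of a captured response
            errors.append("assertion expired")
        if audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            errors.append("audience mismatch")  # assertion was issued for a different SP
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None or data.get("Recipient") != acs_url:
            errors.append("bearer confirmation not addressed to this ACS")
        elif data.get("NotOnOrAfter") and now - skew >= parse_saml_time(data.get("NotOnOrAfter")):
            errors.append("subject confirmation expired")
    return errors
```

The 60-second skew tolerates clock drift between IdP and SP; set it as small as your environment allows.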

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials


SSO and SAML: Enterprise Identity Management

What is SSO?

SSO (Single Sign-On) lets a user log in once and then access multiple systems, for example signing in to Slack, Notion and Figma with a Google account. Under the hood it uses the SAML or OIDC protocol.

How SAML Works

User tries to access the Service Provider (SP)
  → SP finds no session → redirects to the Identity Provider (IdP)
  → User logs in at the IdP (e.g. Google Workspace, Okta)
  → IdP issues a SAML Assertion (a signed XML document)
  → SP validates the Assertion → creates a session → grants access

IAM vs SSO

| Comparison | AWS IAM | SSO / Identity Center |
|:----|:-------|:--------------------|
| Scope of management | A single AWS account | Multiple AWS accounts plus other SaaS |
| User source | IAM Users (managed separately) | Okta, Azure AD, Google Workspace |
| Suitable scale | Small teams (<10 people) | Enterprises (>10 people) |

Next Chapter Preview

This IAM course has gone from the basic concepts through OAuth/OIDC to SSO/SAML; you can now design an enterprise-grade identity and access management architecture.

Unlock the Full Tutorial

This chapter is paid content. Join the project to unlock over 5000 words of in-depth analysis, including 10 or more god-tier Prompts and real source code examples!