
Code Your Python App to Provide SSO via OneLogin

You can use OneLogin’s open-source SAML toolkit for Python to enable single sign-on (SSO) for your app via any identity provider that offers SAML authentication.

Use this document to learn how to set up the SSO connection between your app and OneLogin, specifically.

We’ll use the demo-django or demo-flask apps (python-saml-master/demo-django or python-saml-master/demo-flask) delivered in the toolkit to demonstrate how to perform the necessary tasks. These are simple apps that demonstrate the SSO and single logout (SLO) flow enabled by the SAML toolkit.

For important information about prerequisites, and about installing and developing an app with the SAML Toolkit for Python, see OneLogin’s SAML Python Toolkit.

The download also includes documentation of the OneLogin SAML Toolkit Python library. See /python-saml-master/docs/saml2/index.html.

Task 1: Prepare the demo files

  1. Download the SAML Toolkit for Python.

  2. Deploy Python and your Django or Flask framework in an appropriate location relative to your python-saml-master folder.

  3. Note the presence of the settings.json file in both demos (python-saml-master/demo-django/saml or python-saml-master/demo-flask/saml). You’ll be doing most of your configurations in this file.

Task 2: Create an app connector in OneLogin

You’ll use the OneLogin SAML Test (IdP w/ attr) (Identity Provider with attributes) app connector to build an application connector for your app. For demo purposes, we’ll build one for the demo-django or demo-flask apps.

This app connector will provide you with SAML values that your app needs to communicate with OneLogin as an identity provider. It also provides a place for you to provide SAML values that OneLogin needs to communicate with your app as a service provider.

  1. Access OneLogin.

  2. Go to Apps > Add Apps.

  3. Search for SAML Test Connector.

  4. Select the SAML Test Connector (IdP w/ attr) app.

  5. Edit the Display Name, if required. In the case of working with the demo-django app, enter demo-django, for example.

  6. Accept other default values for now and click Save.

Task 3: Define identity provider values in settings.json

In this step, provide your app with the identity provider values it needs to communicate with OneLogin. For demo purposes, we’ll provide the values for the demo-django and demo-flask apps.

  1. Open settings.json in python-saml-master/demo-django/saml or python-saml-master/demo-flask/saml.

  2. In the OneLogin app connector UI you kept open from the previous task, select the SSO tab.

  3. Copy values from the SSO tab and paste them into the idp section of settings.json as shown below.

    Copy this SSO tab field value         to this settings.json location (idp section)
    Issuer URL                            entityId
    SAML 2.0 Endpoint (HTTP)              singleSignOnService > url
    SLO Endpoint (HTTP)                   singleLogoutService > url
    X.509 Certificate > View Details      x509cert

    After copying values from the SSO tab into the idp section of your settings.json file, it should look something like this:

    "idp": {
        "entityId": "https://app.onelogin.com/saml/metadata/123456",
        "singleSignOnService": {
            "url": "https://domain.onelogin.com/trust/saml2/http-post/sso/123456",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "singleLogoutService": {
            "url": "https://domain.onelogin.com/trust/saml2/http-redirect/slo/123456",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "x509cert": "XXXXxXXX1xXxXXXxXXXXXXxXXxxXx..."
    }

    x509cert must be a one-line string: Ensure that your x509cert value is a one-line string, with no line breaks. Use the FORMAT A X509 CERTIFICATE tool to format your value, if necessary.

  4. Save settings.json.

  5. Keep the OneLogin app connector UI open for the next task.

Task 4: Define service provider values in settings.json

In this step, we’ll define the service provider values that OneLogin will need to identify your app. For demo purposes, we’ll provide the values for the demo-django and demo-flask apps.

  1. Open settings.json in python-saml-master/demo-django/saml or python-saml-master/demo-flask/saml.

  2. In the sp section, replace the variable in each of the URLs with your actual domain value. When completed, the URLs should look something like the following.

    Important: Ensure that your URLs begin with http, not https.

    • entityId: http://myapp.com/metadata/

    • assertionConsumerService: http://myapp.com/?acs

    • singleLogoutService: http://myapp.com/?sls

  3. For the NameIDFormat value, replace unspecified with emailAddress, which is the format OneLogin uses.

  4. Save settings.json.

  5. In the OneLogin app connector UI you kept open from the previous task, select the Configuration tab.

  6. Copy values from settings.json into the Configuration tab fields as shown below.

    Copy this settings.json value         to this Configuration tab field
    assertionConsumerService              ACS (Consumer) URL, and also Recipient
    singleLogoutService                   Single Logout URL
    entityId                              Audience

    For a detailed description of each field on the Configuration tab, see How to Use the OneLogin SAML Test Connector.

  7. You can leave RelayState blank. It will respect the value sent by the Service Provider.

  8. For now, set ACS (Consumer) URL Validator to .*.

    Once you have verified that the connection between your app and OneLogin is working, replace .* with a pattern that matches only your app’s real ACS URL, so that the validator actually validates. See How to Use the OneLogin SAML Test Connector for more details.

  9. Your Configuration tab should now look something like this:

  10. Click Save.

If you need advanced security for production, be sure to also configure the advanced_settings.json file.

For more information about how to configure the settings.json and advanced_settings.json files, see the Toolkit documentation.
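The following preflight check is an added example, not code from the toolkit or from OneLogin’s documentation. It reads a settings.json shaped like the one produced in Tasks 3 and 4 and flags the mistakes those tasks warn about: a multi-line or PEM-wrapped x509cert, an unreplaced placeholder left in an sp URL, a NameIDFormat still set to unspecified, and a binding that is not a SAML 2.0 URN. It also collapses a PEM certificate into the one-line form settings.json expects, and builds an anchored pattern to replace the temporary .* in the ACS (Consumer) URL Validator from step 8. Assumptions: the sample domain, IDs and certificate body are constructed placeholders; the demo file’s unreplaced variables take the form <name>; and the validator field accepts an anchored regex of the shape shown.

```python
import json
import re

# Constructed sample settings.json, shaped like the demo-django/demo-flask file
# after Tasks 3 and 4. Domain, IDs and certificate body are placeholders.
SAMPLE_SETTINGS_JSON = """
{
    "strict": true,
    "debug": true,
    "sp": {
        "entityId": "http://myapp.com/metadata/",
        "assertionConsumerService": {
            "url": "http://myapp.com/?acs",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        },
        "singleLogoutService": {
            "url": "http://myapp.com/?sls",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    },
    "idp": {
        "entityId": "https://app.onelogin.com/saml/metadata/123456",
        "singleSignOnService": {
            "url": "https://domain.onelogin.com/trust/saml2/http-post/sso/123456",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "singleLogoutService": {
            "url": "https://domain.onelogin.com/trust/saml2/http-redirect/slo/123456",
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "x509cert": "MIICPLACEHOLDERBASE64BODY0123456789ABCDEF"
    }
}
"""

KNOWN_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
PLACEHOLDER = re.compile(r"<[^>]+>")           # assumed form of an unreplaced demo variable
BASE64_ONE_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def load_settings(text: str) -> dict:
    return json.loads(text)


def format_x509cert(pem_or_body: str) -> str:
    """Strip PEM header/footer lines and line breaks, returning the one-line
    base64 body that the idp.x509cert setting requires."""
    lines = [ln.strip() for ln in pem_or_body.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def suggest_acs_validator(acs_url: str) -> str:
    """Anchored pattern that matches exactly one ACS URL, to replace the
    temporary .* validator once the connection has been verified."""
    return "^" + re.escape(acs_url) + "$"


def check_settings(settings: dict) -> list:
    """Return a list of problems in the idp/sp sections; an empty list means OK."""
    problems = []
    idp = settings.get("idp", {})
    sp = settings.get("sp", {})

    # idp section (Task 3): OneLogin endpoints, bindings and certificate format
    for key in ("entityId", "singleSignOnService", "singleLogoutService", "x509cert"):
        if key not in idp:
            problems.append(f"idp.{key} is missing")
    for svc in ("singleSignOnService", "singleLogoutService"):
        entry = idp.get(svc, {})
        if not entry.get("url", "").startswith("https://"):
            problems.append(f"idp.{svc}.url should be an https OneLogin endpoint")
        if entry.get("binding") not in KNOWN_BINDINGS:
            problems.append(f"idp.{svc}.binding is not a known SAML 2.0 binding URN")
    cert = idp.get("x509cert", "")
    if "\n" in cert or "-----" in cert or not BASE64_ONE_LINE.match(cert):
        problems.append("idp.x509cert must be a single-line base64 body without PEM headers")

    # sp section (Task 4): placeholders replaced, NameIDFormat set for OneLogin
    sp_urls = {
        "sp.entityId": sp.get("entityId", ""),
        "sp.assertionConsumerService.url": sp.get("assertionConsumerService", {}).get("url", ""),
        "sp.singleLogoutService.url": sp.get("singleLogoutService", {}).get("url", ""),
    }
    for name, url in sp_urls.items():
        if not url:
            problems.append(f"{name} is missing")
        elif PLACEHOLDER.search(url):
            problems.append(f"{name} still contains an unreplaced placeholder: {url!r}")
    if not sp.get("NameIDFormat", "").endswith("emailAddress"):
        problems.append("sp.NameIDFormat should end in emailAddress (the value OneLogin uses)")
    if settings.get("strict") is False:
        problems.append("strict is false; the toolkit skips most SAML message validation")
    return problems


if __name__ == "__main__":
    cfg = load_settings(SAMPLE_SETTINGS_JSON)
    for p in check_settings(cfg) or ["settings.json looks consistent"]:
        print(p)
    print("ACS validator:", suggest_acs_validator(cfg["sp"]["assertionConsumerService"]["url"]))
```

Run it against your real file by replacing SAMPLE_SETTINGS_JSON with the contents of python-saml-master/demo-django/saml/settings.json (or the demo-flask equivalent); the check is deliberately independent of the toolkit so it can run before the app is wired up.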

Task 5: Add users to your app connector

In this task, you’ll give users access to the app connector you just created and configured. For example, you’ll need to ensure that you have access to the app connector to be able to access the demo-django or demo-flask app.

  1. With your app connector open, select the Access tab.

  2. Ensure that the settings give you access to the app connector. For example, enable a role that will give you access. In this case, let’s say that the Default role grants access to relevant users, as shown below.

  3. Click Save.

Task 6: Log in to your app

At this point the setup is complete, and you should be able to sign in to your app via SSO and sign out via SLO. For demo purposes, we’ll show the login and logout behavior using the demo-django or demo-flask app.

Log in using service provider-initiated SAML

The following login flow illustrates service provider-initiated SAML, in which the request for authentication and authorization is initiated from the app, or service provider.

  1. Access the demo-django or demo-flask app. For example, access: http://localhost:8000. The selected app displays. For example, the demo-django app displays as shown below.

  2. Select Login. The OneLogin login UI displays. Selecting the Login link demonstrates the user experience when logging into your app via SSO.

  3. Enter your OneLogin credentials.

  4. A page listing the values from the app connector’s Parameters tab displays. For your app, this would display your app in a logged-in state.

  5. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO. For example, the demo-django app logout state displays as shown below.

Troubleshooting

If you see this UI instead of the OneLogin login UI, please ensure that you have completed Task 5: Add users to your app connector.

Log in using identity provider-initiated SAML

The following login flow illustrates identity provider-initiated SAML, in which the login request is initiated from the identity provider. In this case, the user experience is as follows:

  1. On your OneLogin App Home page, select the app connector you created. For example, select the demo-django app as shown below.

  2. The page listing the values from the app connector’s Parameters tab displays. For your app, this would display your app in a logged-in state.

  3. Select Logout. Selecting the Logout link demonstrates the user experience when logging out of your app via SLO. For example, the demo-django app logout state displays as shown below.



StackOverflow discussions about "onelogin saml python"

  • A: Python library for implementing SAML2 based service provider and identity provider? (9 votes, answered Oct 06 2014)

    You can also take a look on https://github.com/onelogin/python-saml Is also open source and the toolkit contains 2 demos: A django application and a Flask application. Right now only works … on python 2.X Edited 13/05/2015: There is a python 3.X version (beta, I'm still testing it): https://github.com/pitbulk/python3-saml (thanks bgaifullin for contributing it) Edited 13/04/2016 python 3.X version is stable and tested. …

  • A: Python SSO: pysaml2 and python3-saml (2 votes, answered Nov 16 2016)

    uses pycryptodome as a dependency to handle cryptography and implements its own xmldsig and xmlenc classes (to manipulate signatures and encryption on XMLs). python3-saml uses as a dependency python … Both projects are compatible with Shibboleth. pysaml2 is older than python3-saml, right now both support py2 and py3. Both are kinda active and documented. python3-saml follows the structure …

  • A: C# ASP.NET Single Sign-On Implementation (2 votes, answered Jan 23 2017)

    be quite expensive. Some of the tools available and with APIs for .NET are: IdentityExpress (with Admin UI) by IdentityServer Centrify Identity Service Okta Identity (SAML 2.0) OneLogin If you decide … protocols, ASP.NET Core) OAuth 2.0 by Okta Javascript passport-openidconnect (node.js) oidc-provider (node.js) openid-client (node.js) Python pyoidc Django OIDC Provider I would go …

  • A: PingFederate SAML basic setup (1 vote, answered Sep 25 2016)

    to craft a POST request to the SAML request endpoint. That should get you started. I've personally used the OneLogin library in Python but here is the Java one: https://github.com/onelogin/java-saml … /tree/v2.0.0 It also has samples. What you are looking for is here: https://github.com/onelogin/java-saml/blob/v2.0.0/samples/java-saml-jspsample/src/main/webapp/dologin.jsp …

  • A: Python SAML OneLogin - How to support multiple Identity Providers (1 vote, answered May 12 2017)

    This was answered in the git repo: The toolkit was not initially designed to be used with multiple IdPs, instead with the OneLogin IdP, but you can with a little effort support multiple IdPs … their application to either do this via subdomain (sometenant.myapp.com) or URL (www.myapp.com/sometenant) - with settings configured differently for each tenant Once you've done that, SAML is SAML and it should work with any IDP that supports it. …
