Christian Pedersen
posted this on July 18, 2011 02:56 pm
Make sure you read the Introduction to OneLogin's SAML Toolkits.
The authentication flow starts when a user requests a resource from the service provider, which in this case is our example app. In our example, the user requests a resource by visiting the root path of the app.
Our example app receives this request and in turn creates a SAML AuthnRequest in the form of a URL string, which it uses to redirect the user to our identity provider, OneLogin:
from BaseHTTPServer import BaseHTTPRequestHandler
from onelogin.saml import AuthRequest
...
class SampleAppHTTPRequestHandler(BaseHTTPRequestHandler):
    ...
    def do_GET(self):
        ...
        # Build the AuthnRequest and encode it into the IdP's login URL
        url = AuthRequest.create(**self.settings)
        # 302 rather than 301: a permanent redirect would be cached by the
        # browser, so every later visit would skip the app and go straight to the IdP
        self.send_response(302)
        self.send_header("Location", url)
        self.end_headers()
The self.settings variable is a dictionary with the following entries. These
entries are originally retrieved from the configuration file passed in as a
command line option to the example app:
settings = dict(
    assertion_consumer_service_url='http://localhost:7070/example/saml/consume',
    issuer='python-saml',
    name_identifier_format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    idp_sso_target_url='https://app.onelogin.com/saml/signon/<id>',
    # SHA-1 fingerprint of the IdP certificate, used when verifying the response
    # in do_POST; placeholder value, copy the real one from OneLogin (Security -> SAML)
    idp_cert_fingerprint='<fingerprint>',
)
The idp_sso_target_url is the SAML Login URL from the SAML Test (IdP) app. You must register with OneLogin and add the SAML Test (IdP) app to your apps in order to get the idp_sso_target_url. You must also register the assertion_consumer_service_url with the SAML Test (IdP) app by entering it in the SAML Consumer URL field.
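To make concrete what AuthRequest.create(**settings) produces, here is an added example. It is not the page's or python-saml's own code, and it is written for Python 3 (standard library only) rather than the Python 2 used above. It builds the AuthnRequest XML from the settings dictionary, applies the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding into the SAMLRequest query parameter) and appends the result to idp_sso_target_url. The element layout follows the SAML 2.0 core schema; the request ID prefix, the HTTP-POST ProtocolBinding and the AllowCreate flag are choices of this example, and the `<id>` placeholder in the IdP URL is kept from the page.

```python
"""Build a SAML 2.0 AuthnRequest and its HTTP-Redirect binding URL.

Added example, not python-saml's own code. Mirrors what the page's
AuthRequest.create(**settings) call does with the settings dictionary.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

# Constructed settings in the same shape as the page's dictionary; '<id>' is a placeholder.
SETTINGS = dict(
    assertion_consumer_service_url='http://localhost:7070/example/saml/consume',
    issuer='python-saml',
    name_identifier_format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    idp_sso_target_url='https://app.onelogin.com/saml/signon/<id>',
)

NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'
NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'


def build_authn_request(settings, request_id=None, issue_instant=None):
    """Return the AuthnRequest XML as a string.

    The ID attribute is an xsd:ID, so it must start with a letter or '_';
    a random UUID behind '_' satisfies that and makes the ID unguessable.
    """
    request_id = request_id or '_' + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    ET.register_namespace('samlp', NS_SAMLP)
    ET.register_namespace('saml', NS_SAML)
    root = ET.Element('{%s}AuthnRequest' % NS_SAMLP, {
        'ID': request_id,
        'Version': '2.0',
        'IssueInstant': issue_instant,
        # The IdP is asked to POST the response back to the consumer URL
        'ProtocolBinding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'AssertionConsumerServiceURL': settings['assertion_consumer_service_url'],
    })
    ET.SubElement(root, '{%s}Issuer' % NS_SAML).text = settings['issuer']
    ET.SubElement(root, '{%s}NameIDPolicy' % NS_SAMLP, {
        'Format': settings['name_identifier_format'],
        'AllowCreate': 'true',
    })
    return ET.tostring(root, encoding='unicode')


def encode_redirect_payload(xml_text):
    """Raw DEFLATE (no zlib header, hence wbits=-15) followed by base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode('utf-8')) + compressor.flush()
    return base64.b64encode(deflated).decode('ascii')


def decode_redirect_payload(payload):
    """Inverse of encode_redirect_payload; this is what the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(payload), -15).decode('utf-8')


def create_login_url(settings, **kwargs):
    """Equivalent of the page's AuthRequest.create(**settings): the redirect target."""
    xml_text = build_authn_request(settings, **kwargs)
    query = urlencode({'SAMLRequest': encode_redirect_payload(xml_text)})
    separator = '&' if urlparse(settings['idp_sso_target_url']).query else '?'
    return settings['idp_sso_target_url'] + separator + query


def request_id_from_url(url):
    """Recover the AuthnRequest ID from a login URL so the app can remember it."""
    payload = parse_qs(urlparse(url).query)['SAMLRequest'][0]
    return ET.fromstring(decode_redirect_payload(payload)).get('ID')


if __name__ == '__main__':
    login_url = create_login_url(SETTINGS)
    print(login_url)
    print('request ID:', request_id_from_url(login_url))
```

The request ID is worth storing in the user's session before redirecting: when the response comes back, its InResponseTo attribute should match it, which ties the assertion to a login the service provider actually started rather than one an attacker replays into the consumer URL.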
Receiving and verifying the response
------------------------------------
The user is then redirected to the OneLogin login page, where they enter their credentials to prove their identity. After OneLogin has verified their identity, it posts the SAML Response back to the assertion_consumer_service_url, for example:
http://localhost:7070/example/saml/consume
Our example app then verifies the SAML Response from OneLogin using the fingerprint of the public certificate originally obtained from OneLogin:
import urlparse
from onelogin.saml import Response
...
    def do_POST(self):
        ...
        # Read the form-encoded POST body and pull out the SAMLResponse field
        length = int(self.headers['Content-Length'])
        data = self.rfile.read(length)
        query = urlparse.parse_qs(data)
        # Verify the response against the IdP certificate fingerprint from the config
        res = Response(
            query['SAMLResponse'].pop(),
            self.settings['idp_cert_fingerprint'],
        )
        valid = res.is_valid()
        name_id = res.name_id
        if valid:
            msg = 'The identity of {name_id} has been verified'.format(
                name_id=name_id,
            )
            self._serve_msg(200, msg)
        else:
            # name_id here comes from a response that failed verification, so it
            # is only echoed in the error message and must not be trusted
            msg = '{name_id} is not authorized to use this resource'.format(
                name_id=name_id,
            )
            self._serve_msg(401, msg)
Once again, the self.settings variable is populated from an entry in the configuration file; idp_cert_fingerprint is the fingerprint of the IdP's public certificate. You can find the public certificate under Security -> SAML after you log in to OneLogin.
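Response(...).is_valid() hides several checks. The following added example (not python-saml's code; Python 3, standard library only, with a constructed and unsigned sample response and a placeholder byte string standing in for the certificate) shows the checks that sit around the XML signature: pinning the X509Certificate embedded in the response to the configured SHA-1 fingerprint with a constant-time comparison, requiring a Success status, and enforcing the assertion's Conditions (NotBefore/NotOnOrAfter and Audience, which this example assumes equals the issuer setting). It deliberately does not verify the ds:Signature itself; that needs an XML-DSig implementation (python-saml delegates to xmlsec), and without it the assertion must not be trusted, which is why the fingerprint check on its own is not sufficient.

```python
"""Checks around the signature on a SAML Response (added example, not python-saml's code)."""
import base64
import hashlib
import hmac
from datetime import datetime
from urllib.parse import parse_qs, quote_plus
from xml.etree import ElementTree as ET

NS = {
    'samlp': 'urn:oasis:names:tc:SAML:2.0:protocol',
    'saml': 'urn:oasis:names:tc:SAML:2.0:assertion',
    'ds': 'http://www.w3.org/2000/09/xmldsig#',
}
STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'

# Constructed sample: an unsigned response carrying a placeholder "certificate"
# (arbitrary bytes, not a real X.509 structure) so the fingerprint logic runs offline.
PLACEHOLDER_CERT_DER = b'placeholder-idp-certificate-bytes'
SAMPLE_RESPONSE = '''<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" IssueInstant="2011-07-18T14:56:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-07-18T14:56:00Z">
    <saml:Issuer>placeholder-idp-entity-id</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-07-18T14:55:00Z" NotOnOrAfter="2011-07-18T15:00:00Z">
      <saml:AudienceRestriction><saml:Audience>python-saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>''' % base64.b64encode(PLACEHOLDER_CERT_DER).decode('ascii')


def fingerprint(cert_der):
    """SHA-1 fingerprint in the colon-separated upper-case form OneLogin displays."""
    hexdigest = hashlib.sha1(cert_der).hexdigest().upper()
    return ':'.join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(value):
    """Accept 'AB:CD:..' or 'abcd..' from the config file; compare one canonical form."""
    return value.replace(':', '').replace(' ', '').upper()


def parse_instant(value):
    """SAML dateTime values are UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace('Z', '+00:00'))


def check_response(root, expected_fingerprint, expected_audience, now):
    """Return (ok, reason, name_id); name_id is filled in only when every check passes."""
    status = root.find('samlp:Status/samlp:StatusCode', NS)
    if status is None or status.get('Value') != STATUS_SUCCESS:
        return False, 'status is not Success', None
    assertion = root.find('saml:Assertion', NS)
    if assertion is None:
        return False, 'no assertion in response', None
    cert_el = assertion.find('ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', NS)
    if cert_el is None or not cert_el.text:
        return False, 'no signing certificate in response', None
    # Anyone can embed a certificate in KeyInfo; what makes it the IdP's is that its
    # fingerprint matches the one configured out of band. Compare in constant time.
    cert_der = base64.b64decode(''.join(cert_el.text.split()))
    if not hmac.compare_digest(normalize_fingerprint(fingerprint(cert_der)),
                               normalize_fingerprint(expected_fingerprint)):
        return False, 'certificate fingerprint mismatch', None
    conditions = assertion.find('saml:Conditions', NS)
    if conditions is None:
        return False, 'assertion has no Conditions', None
    if conditions.get('NotBefore') and now < parse_instant(conditions.get('NotBefore')):
        return False, 'assertion not yet valid', None
    if conditions.get('NotOnOrAfter') and now >= parse_instant(conditions.get('NotOnOrAfter')):
        return False, 'assertion expired', None
    audiences = [a.text for a in conditions.findall('saml:AudienceRestriction/saml:Audience', NS)]
    if expected_audience not in audiences:
        return False, 'audience mismatch', None
    # Only now is the NameID worth reading; the ds:Signature must additionally be
    # verified with an XML-DSig library before any of this is trusted.
    return True, 'ok', assertion.findtext('saml:Subject/saml:NameID', namespaces=NS)


def handle_consume(body, settings, now):
    """Mirror of the page's do_POST: decode the form body, then run the checks."""
    query = parse_qs(body.decode('utf-8'))
    root = ET.fromstring(base64.b64decode(query['SAMLResponse'][0]))
    return check_response(root, settings['idp_cert_fingerprint'], settings['issuer'], now)


def post_body_for(xml_text):
    """Build the form body a browser would POST for a given response (demo input)."""
    encoded = base64.b64encode(xml_text.encode('utf-8')).decode('ascii')
    return ('SAMLResponse=' + quote_plus(encoded)).encode('ascii')
```

name_id is returned only once every check has passed, which avoids the pattern in do_POST above where name_id is read from a response that failed verification and then echoed to the client.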
What needs to be configured
---------------------------
In the example above, SAML settings are divided into two parts, the application specific (assertionConsumerServiceUrl, issuer) placed in AppSettings.cs and the user/account specific (certificate, idp_sso_target_url) placed in AccountSettings.cs. You’ll need to add your own code here to identify the user or user origin (e.g. by subdomain, IP address, etc.).

The following information needs to be available on the account:

assertionConsumerServiceUrl
    The URL at which the SAML assertion should be received. In this example "http://localhost/SamlConsumer/Consume.aspx" would be correct.
issuer
    The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login.
idp_sso_target_url
    The URL to which the authentication request should be sent. This would be on the identity provider.
certificate
    The X.509 certificate fingerprint. This is provided by the identity provider when setting up the relationship.