
User16901983863952436354 (Customer) asked a question.
I'm trying to implement SSO using Okta as an identity provider using SAML. I want to be able to log in via the Okta login page, parse the SAML response and store it as a session. I didn't find a good use case for PySAML2 and I think my configuration is wrong.
I have two routes for it: `/sso/login` redirects to the Okta login page, and after that my Okta app does a POST request to the `/sso/acs` route.
This code example is using the `pysaml2` package; I also tried to use `python3-saml` but faced the same problem.
Could you help me fix my SAML config and explain how to parse it correctly and what I should store in the session to protect other routes that require authentication?
```
from fastapi import FastAPI, Request
from fastapi.responses import RedirectResponse
from starlette.middleware.sessions import SessionMiddleware
from saml2 import BINDING_HTTP_POST, BINDING_HTTP_REDIRECT
from saml2.client import Saml2Client
from saml2.config import Config as Saml2Config

app = FastAPI()

# SAML configuration
# Audience Restriction
OKTA_ENTITY_ID = 'http://localhost:8000'
# Identity Provider Single Sign-On URL
OKTA_SSO_URL = 'https://dev-domain.okta.com/app/dev-62477416_samltestapp_1/exkatg6gjmlgcxm6O5d7/sso/saml'
# Sign out URL
OKTA_SIGN_OUT_URL = 'https://dev-domain.okta.com'
# Identity Provider Issuer
OKTA_ISSUER = 'http://www.okta.com/exkatg6gjmlgcxm6O5d7'
# X.509 Certificate:
OKTA_CERTIFICATE = '''
-----BEGIN CERTIFICATE-----
certificate_string
-----END CERTIFICATE-----
'''

CONFIG = {
    "debug": True,
    "entityid": OKTA_ENTITY_ID,
    "name": "SAML Test App",
    "service": {
        "idp": {
            "endpoints": {
                "single_sign_on_service": [
                    (
                        OKTA_SSO_URL,
                        BINDING_HTTP_REDIRECT,
                    ),
                ],
                "single_logout_service": [
                    (
                        OKTA_SIGN_OUT_URL,
                        BINDING_HTTP_REDIRECT,
                    ),
                ],
            },
            "x509cert": OKTA_CERTIFICATE,
        }
    }
}


@app.middleware("http")
async def validate_user(request: Request, call_next):
    # end_point = request.url.path
    # request.session["name"] = "some random value"
    print(request.session)
    response = await call_next(request)
    return response


app.add_middleware(SessionMiddleware, secret_key='my-secret-key')


@app.get("/sso/login")
async def sso_login():
    # Plain redirect to the Okta SSO URL (no AuthnRequest is built here)
    return RedirectResponse(OKTA_SSO_URL)


@app.post("/sso/acs")
async def sso_acs(request: Request):
    config = Saml2Config()
    config.load(CONFIG)
    client = Saml2Client(config=config)
    authn_response = await request.form()
    # The parsed response is not kept, so nothing is stored in the session yet
    client.parse_authn_request_response(authn_response.get('SAMLResponse'), BINDING_HTTP_POST)
    return {"message": "Successfully logged in"}
```
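The following is an added example, not the asker's code and not Okta's or pysaml2's own sample. It shows the three pieces the question asks about: a pysaml2 *service provider* configuration (the posted CONFIG describes Okta under `service.idp`, which is the section an identity provider uses; an SP declares its own endpoints under `service.sp` and learns the IdP's SSO URL, issuer and signing certificate from the IdP metadata, while `entityid` is the SP's own identifier and must match the Audience URI configured in the Okta app), how to obtain the login redirect and parse the POSTed `SAMLResponse` through a `Saml2Client`, and which fields from `AuthnResponse.session_info()` are worth keeping in the cookie session so that a route guard can check them. The Okta metadata URL, the `alice@example.com` subject and the `SAMPLE_SESSION_INFO` dict are constructed values; the binding constants are spelled out so the session helpers run without pysaml2 installed, and the two functions that take a `client` expect a `saml2.client.Saml2Client` built from `Saml2Config().load(sp_settings(...))`.

```python
"""Added example: pysaml2 SP settings plus session helpers for FastAPI routes."""
import time
from typing import Any, Dict, Optional

# Binding URIs, identical to saml2.BINDING_HTTP_POST / BINDING_HTTP_REDIRECT;
# spelled out so the session helpers below run without pysaml2 installed.
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sp_settings(base_url: str, idp_metadata_url: str) -> Dict[str, Any]:
    """Dict for saml2.config.Config().load(): the SP side of the exchange.

    entityid is this SP's identifier (the Okta app's Audience URI); the IdP's
    SSO URL, issuer and certificate come from its metadata, not from config.
    """
    return {
        "entityid": f"{base_url}/sso/metadata",
        "metadata": {"remote": [{"url": idp_metadata_url}]},
        "service": {
            "sp": {
                "endpoints": {
                    "assertion_consumer_service": [
                        (f"{base_url}/sso/acs", BINDING_HTTP_POST),
                    ],
                },
                "allow_unsolicited": True,       # Okta-initiated logins have no AuthnRequest
                "authn_requests_signed": False,
                "want_assertions_signed": True,  # refuse assertions without a valid signature
                "want_response_signed": False,
            },
        },
    }


def login_redirect_url(client) -> str:
    """URL for /sso/login to redirect to.

    A bare redirect to the Okta SSO URL sends no AuthnRequest;
    prepare_for_authenticate() builds one and hands back the Location header.
    """
    _request_id, info = client.prepare_for_authenticate(binding=BINDING_HTTP_REDIRECT)
    for key, value in info["headers"]:
        if key == "Location":
            return value
    raise RuntimeError("pysaml2 returned no Location header")


def session_record(info: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce AuthnResponse.session_info() to what belongs in the cookie session.

    Keep the subject, issuer, IdP session index (needed for single logout),
    attributes and validity end; the raw assertion XML stays out of the cookie.
    """
    name_id = info["name_id"]  # saml2 NameID object from pysaml2, or a str in tests
    return {
        "user": getattr(name_id, "text", name_id),
        "issuer": info["issuer"],
        "session_index": info.get("session_index"),
        "attributes": {k: list(v) for k, v in info.get("ava", {}).items()},
        "expires_at": int(info["not_on_or_after"]),  # epoch seconds
    }


def handle_acs(client, saml_response_b64: str, expected_issuer: str) -> Dict[str, Any]:
    """Parse the POSTed SAMLResponse and return the record /sso/acs should store.

    parse_authn_request_response() checks the signature against the IdP
    metadata and the audience/time conditions; the issuer check pins the
    assertion to the single Okta app this SP trusts.
    """
    authn = client.parse_authn_request_response(saml_response_b64, BINDING_HTTP_POST)
    if authn is None:
        raise PermissionError("SAMLResponse rejected")
    info = authn.session_info()
    if info["issuer"] != expected_issuer:
        raise PermissionError(f"unexpected issuer {info['issuer']!r}")
    return session_record(info)


def is_authenticated(session: Dict[str, Any], now: Optional[float] = None) -> bool:
    """Route guard: True only for a stored record that has not yet expired."""
    now = time.time() if now is None else now
    record = session.get("saml") or {}
    return bool(record.get("user")) and now < record.get("expires_at", 0)


# Constructed sample shaped like AuthnResponse.session_info() from pysaml2.
SAMPLE_SESSION_INFO = {
    "name_id": "alice@example.com",
    "issuer": "http://www.okta.com/exkatg6gjmlgcxm6O5d7",
    "session_index": "_constructed-session-index",
    "ava": {"email": ["alice@example.com"], "groups": ["staff"]},
    "not_on_or_after": 1_700_003_600,
    "came_from": "",
}

if __name__ == "__main__":
    session = {"saml": session_record(SAMPLE_SESSION_INFO)}
    print(session["saml"]["user"], is_authenticated(session, now=1_700_000_000))
    print(is_authenticated(session, now=1_700_003_600))
```

In the FastAPI app this wires up as `request.session["saml"] = handle_acs(client, form["SAMLResponse"], OKTA_ISSUER)` inside `/sso/acs`, and a dependency on protected routes that raises `HTTPException(401)` when `is_authenticated(request.session)` is False; a global `@app.middleware("http")` as in the question runs for every request and cannot tell protected routes from public ones. The record is deliberately small because Starlette's `SessionMiddleware` stores the whole session in a signed cookie.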

Hello @User16901983863952436354 (Customer) Thank you for reaching out to our Community!
Looking at the information that you have provided there, one thing stands out: the "OKTA_ENTITY_ID = 'http://localhost:8000'". That is not the Okta entity ID; you might want to try http://www.okta.com/exkatg6gjmlgcxm6O5d7, which is the issuer.
Please also see the additional Okta Python documentation below:
https://developer.okta.com/code/python/pysaml2/
https://devforum.okta.com/t/okta-saml-and-python3-made-short-guide/3542
Additionally, if you need further assistance, we recommend leveraging the Okta Developer forums for this type of question and taking advantage of their expertise.
https://devforum.okta.com/