This repository provides a simple SAML Service Provider (SP) setup to interact with ZITADEL as the Identity Provider (IdP). The application is built using Flask and the pysaml2 library.
We will be testing out the SP-Initiated SAML Flow:
- The user attempts to access a resource at the SP.
- The SP redirects the user to the IdP for authentication.
- The user authenticates at the IdP.
- The IdP sends a SAML response back to the SP.
- The SP processes the SAML response and grants the user access.
- The user logs out and sends a SAML request to the SLO endpoint and receives a SAML response.
- Python 3.x
- A ZITADEL instance on ZITADEL Cloud or your own self-hosted ZITADEL instance
-
Clone the Repository
git clone https://github.com/zitadel/python-saml-sp.git cd python-saml-sp -
Install Dependencies Make sure you have Python 3 installed. Then, create a virtual environment and install the required packages.
python3 -m venv venv source venv/bin/activate pip3 install -r requirements.txt -
ZITADEL Configuration You need to create a SAML app in your ZITADEL instance and upload the
sp_metadata.xmlfile found in this repository. Follow these steps:- Log in to your ZITADEL instance.
- Go to Projects and select your Project or create a new Project.
- Create a new Application by clicking on the
+button.
- Select SAML as the Application type and provide a name.
- You can provide your SAML SP configuration using any of the options given and we will provide a metadata file.
- Upload the
sp_metadata.xmlfile.
- Review and create the application.
- You can view the SAML endpoint URLs in the URLs tab.
- Obtain the IdP metadata URL file (
https://[your-ZITADEL-domain]/saml/v2/metadata) from ZITADEL and replace the content ofidp_metadata.xmlwith the provided IdP metadata.
-
Set Environment Variables
export FLASK_APP=app.py export FLASK_ENV=development
-
Run the Application
flask run
The application should now be running on
http://127.0.0.1:5000.
/- Home page with options to generate a SAML request and perform SSO./generate_saml_request- Endpoint to generate the SAML request./sso- Endpoint to redirect to the IdP with the SAML request./acs- Assertion Consumer Service endpoint to handle the SAML response from the IdP./logout- Endpoint to initiate logout./slo- Endpoint to handle Single Logout (SLO) response from the IdP.
- templates/index.html - HTML template for the home page.
- templates/response.html - HTML template to display the SAML response and user information.
- app.py - Main application file.
- config.json - Configuration file for the SAML SP.
- idp_metadata.xml - IdP metadata file (you must replace this with your own from ZITADEL).
- sp_metadata.xml - SP metadata file to be uploaded to ZITADEL.
- requirements.txt - List of Python dependencies needed to run the application.
- sp-cert.pem - SP certificate file.
- sp-csr.pem - SP certificate signing request file.
- sp-key.pem - SP private key file.
- Keep the
sp-key.pemfile secure and do not share it publicly.
If you want to generate your own sp-key.pem and sp-cert.pem files, you can use the following OpenSSL commands:
-
Generate the private key:
openssl genpkey -algorithm RSA -out sp-key.pem -aes256
-
Generate the certificate signing request (CSR):
openssl req -new -key sp-key.pem -out sp-csr.pem
-
Generate the self-signed certificate:
openssl req -x509 -key sp-key.pem -in sp-csr.pem -out sp-cert.pem -days 365
Replace
-days 365with the desired validity period for the certificate.