Skip to content

mostopalove/fast_api_sso_saml_okta

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
auth_utils.py
auth_utils.py
 
 
main.py
main.py
 
 
poetry.lock
poetry.lock
 
 
pyproject.toml
pyproject.toml
 
 
saml_constants.py
saml_constants.py
 
 

Repository files navigation

When you have a frontend and backend with different domains and you're using Okta as your Identity Provider (IdP) for SAML-based authentication, the authentication flow typically involves the following steps:

  1. Initial Request from Frontend:

    • The user accesses a protected resource or initiates the login process on the frontend application.

  2. Frontend Redirect to Backend:

    • The frontend sends a request to the backend to initiate the SAML authentication process. This request could include a unique identifier or a redirect URL back to the frontend after authentication.

  3. Backend Generates SAML Request:

    • Upon receiving the request from the frontend, the backend generates a SAML authentication request to be sent to Okta. This request includes details like the Service Provider's (SP) entity ID, the Assertion Consumer Service (ACS) URL, and a unique request identifier.

  4. Redirect to Okta Login:

    • The backend redirects the user's browser to Okta's SAML login URL, passing the SAML request as a query parameter.

  5. User Authenticates on Okta:

    • The user enters their credentials on Okta's login page and completes the authentication process.

  6. Okta Generates SAML Response:

    • After successful authentication, Okta generates a SAML response (SAML assertion) containing user identity information.

  7. Redirect to Backend ACS:

    • Okta redirects the user's browser back to the ACS URL provided in the SAML request, which is one of the endpoints on your backend. This step may also include the SAML response as a POST request body.

  8. Backend Processes SAML Response:

    • The backend receives the SAML response from Okta.
    • It validates the SAML response's signature using Okta's public certificate or metadata.
    • If the SAML response is valid, it extracts user identity information from the SAML assertion.

  9. Backend Establishes Session:

    • Using the user identity information obtained from the SAML assertion, the backend establishes a session for the user.
    • It generates a session ID or token, associates it with the user's session, and stores any necessary user data.

  10. Backend Redirects to Frontend:

    • After the session is established, the backend redirects the user's browser back to the frontend application.
    • This redirect typically includes the session ID/token as a parameter or in a secure cookie.

  11. Frontend Receives Session Information:

    • The frontend receives the session ID/token from the backend.
    • It stores the session ID/token securely in memory or as a secure cookie.

  12. Subsequent Requests from Frontend:

    • For all subsequent requests from the frontend to the backend, the frontend includes the session ID/token as a bearer token or in the headers.
    • The backend validates the session ID/token and authorizes the user for each request.

This flow allows you to securely authenticate users across different domains while centralizing session management and user authorization in your backend. Okta handles the user authentication part, while your backend processes the SAML response, establishes user sessions, and validates subsequent requests from the frontend.

About

SSO implementation using SAML 2.0 Okta Python FastAPI

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages