{"id":2715,"library":"pysaml2","title":"PySAML2: Python SAML 2.0 Implementation","description":"PySAML2 is a pure Python implementation of the SAML Version 2 Standard. It provides a comprehensive toolkit for building both Service Providers (SP) and Identity Providers (IdP), handling SAML assertions, requests, and responses. The library is designed to work within WSGI environments but can also be utilized in non-WSGI contexts. The current version, 7.5.4, demonstrates active development with recent releases and ongoing maintenance.","status":"active","version":"7.5.4","language":"en","source_language":"en","source_url":"https://github.com/IdentityPython/pysaml2/","tags":["saml","sso","authentication","identity management","security"],"install":[{"cmd":"pip install pysaml2","lang":"bash","label":"Install PySAML2"}],"dependencies":[{"reason":"Required for SAML signature validation and encryption operations. This is a system-level binary dependency.","package":"xmlsec1","optional":false}],"imports":[{"symbol":"Config","correct":"from saml2.config import Config"},{"symbol":"Saml2Client","correct":"from saml2.client import Saml2Client"},{"symbol":"BINDING_HTTP_REDIRECT","correct":"from saml2 import BINDING_HTTP_REDIRECT"}],"quickstart":{"code":"import os\nfrom saml2.config import Config\nfrom saml2.client import Saml2Client\nfrom saml2 import BINDING_HTTP_REDIRECT\n\n# Minimal configuration for a Service Provider (SP)\n# In a real application, this would be loaded from a file or more extensive setup.\nSP_CONFIG = {\n    \"entityid\": \"http://localhost:8080/saml2/metadata\",\n    \"service\": {\n        \"sp\": {\n            \"endpoints\": {\n                \"assertion_consumer_service\": [\n                    (\"http://localhost:8080/saml2/acs\", BINDING_HTTP_REDIRECT),\n                ],\n                \"single_logout_service\": [\n                    (\"http://localhost:8080/saml2/slo\", BINDING_HTTP_REDIRECT),\n                ],\n            },\n            \"idp\": {\n                # Example IdP metadata URL - replace with your actual IdP's metadata\n                \"http://idp.example.com/metadata\": None\n            },\n            \"key_file\": os.environ.get(\"SAML_SP_KEY_FILE\", \"pki/mykey.pem\"),\n            \"cert_file\": os.environ.get(\"SAML_SP_CERT_FILE\", \"pki/mycert.pem\"),\n        }\n    },\n    \"metadata\": [\n        {\n            \"class\": \"saml2.mdstore.MetaDataFile\",\n            \"metadata\": [(os.environ.get(\"SAML_IDP_METADATA_FILE\", \"idp.xml\"),)]\n        },\n    ],\n    \"debug\": True,\n}\n\ndef initialize_saml_client():\n    # Load the dictionary into a Config object; metadata listed under\n    # \"metadata\" is read from disk at this point.\n    sp_config = Config()\n    sp_config.load(SP_CONFIG)\n    client = Saml2Client(config=sp_config)\n    print(\"SAML2 Client initialized successfully.\")\n    print(f\"SP Entity ID: {client.config.entityid}\")\n    # In a real app, you would now use 'client' to handle SAML flows\n    # e.g., create_authn_request, parse_response, etc.\n\nif __name__ == \"__main__\":\n    # Ensure dummy cert/key files exist for basic execution if not provided via env vars\n    os.makedirs(\"pki\", exist_ok=True)\n    if not os.path.exists(\"pki/mykey.pem\"):\n        with open(\"pki/mykey.pem\", \"w\") as f:\n            f.write(\"# Dummy private key content\\n\")\n    if not os.path.exists(\"pki/mycert.pem\"):\n        with open(\"pki/mycert.pem\", \"w\") as f:\n            f.write(\"# Dummy public certificate content\\n\")\n    if not os.path.exists(\"idp.xml\"):\n        # Placeholder metadata; the SAML 2.0 metadata namespace is required\n        # for the metadata loader to recognise the EntityDescriptor element.\n        with open(\"idp.xml\", \"w\") as f:\n            f.write(\"<EntityDescriptor xmlns='urn:oasis:names:tc:SAML:2.0:metadata' entityID='http://idp.example.com/metadata'/>\")\n\n    initialize_saml_client()","lang":"python","description":"This quickstart demonstrates the basic initialization of a PySAML2 Service Provider (SP) client. It sets up a minimal configuration using `saml2.config.Config` and creates a `saml2.client.Saml2Client` instance. For a functional SAML flow, you would need real IdP metadata, proper key/certificate files, and a web server to handle redirects and POST requests. Remember that `xmlsec1` must be installed on your system for signature and encryption operations."},"warnings":[{"fix":"Review your SAML configurations for encryption algorithms. If interoperability issues arise, ensure both SP and IdP support `rsa-oaep-mgf1p`, or adjust the configuration if an alternative is necessary and supported.","message":"PySAML2 v7.0.0 introduced a breaking change by replacing the default encryption method `rsa-1_5` with `rsa-oaep-mgf1p` for improved security. This may require updating configurations or interoperability testing with existing Identity Providers.","severity":"breaking","affected_versions":">=7.0.0"},{"fix":"Install `xmlsec1` on your operating system (e.g., `sudo apt-get install xmlsec1` on Debian/Ubuntu, `sudo yum install xmlsec1-openssl` on RHEL/CentOS/Fedora, `brew install xmlsec1` on macOS).","message":"PySAML2 relies on the external `xmlsec1` binary for critical cryptographic operations like signature validation and XML encryption/decryption. This binary must be installed at the system level.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your project runs on Python 3.9 or newer, as specified by the library's `requires_python` metadata.","message":"PySAML2 has transitioned to Python 3 only. Python 2 compatibility has been dropped, and using it with Python 2 will result in errors.","severity":"gotcha","affected_versions":"Versions released after Python 2 end-of-life (effectively ~v4.x onwards, definitively v7.x)"},{"fix":"Refer to the official PySAML2 documentation's 'Configuration of PySAML2 entities' section. Utilize the provided example configuration files as a starting point and adapt them carefully, paying close attention to entity IDs, endpoints, certificates, and metadata.","message":"The configuration of PySAML2 entities (SP/IdP) is critical and often complex, typically involving a Python module that defines a `CONFIG` dictionary. Misconfigurations are a common source of errors.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}