{"id":1686,"library":"python3-saml","title":"python3-saml Toolkit","description":"The python3-saml library provides a robust SAML (Security Assertion Markup Language) toolkit for Python, enabling applications to act as a Service Provider (SP) for Single Sign-On (SSO) and Single Logout (SLO). It simplifies integration with various Identity Providers (IdPs). The current version is 1.16.0, and it maintains an active release cadence with updates typically every few months, focusing on security, bug fixes, and compatibility.","status":"active","version":"1.16.0","language":"en","source_language":"en","source_url":"https://github.com/SAML-Toolkits/python3-saml","tags":["SAML","authentication","SSO","identity-provider","service-provider"],"install":[{"cmd":"pip install python3-saml","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"XML parsing and manipulation for SAML messages.","package":"lxml","optional":false}],"imports":[{"symbol":"OneLogin_Saml2_Auth","correct":"from onelogin.saml2.auth import OneLogin_Saml2_Auth"},{"symbol":"OneLogin_Saml2_Settings","correct":"from onelogin.saml2.settings import OneLogin_Saml2_Settings"},{"symbol":"OneLogin_Saml2_Constants","correct":"from onelogin.saml2.constants import OneLogin_Saml2_Constants"}],"quickstart":{"code":"import os\nimport json\nfrom onelogin.saml2.auth import OneLogin_Saml2_Auth\nfrom onelogin.saml2.settings import OneLogin_Saml2_Settings\nfrom onelogin.saml2.constants import OneLogin_Saml2_Constants\n\n# Dummy request data, replace with actual request data from your web framework\n# This simulates the data typically extracted from a Flask/Django/FastAPI request object.\ndummy_request_data = {\n    'http_host': 'localhost:8000',\n    'script_name': '/saml/sso',\n    'server_port': '8000',\n    'get_data': {}, # GET parameters\n    'post_data': {}, # POST parameters\n    'query_string': '',\n    'https': 'off', # 'on' or 'off'\n    'requested_url': 'http://localhost:8000/saml/sso',\n    'metadata': {} # Used for metadata generation\n}\n\n# SAML settings are critical for proper functioning and security.\n# In a real application, load these from a secure configuration management system,\n# e.g., a JSON file specified by an environment variable.\nsettings_path = os.environ.get('ONELOGIN_SAML_SETTINGS_PATH', '')\nsettings_data = {}\n\nif settings_path and os.path.exists(settings_path):\n    try:\n        with open(settings_path, 'r') as f:\n            settings_data = json.load(f)\n        print(f\"Loaded settings from {settings_path}\")\n    except Exception as e:\n        print(f\"Error loading settings from {settings_path}: {e}\")\nelse:\n    # Minimal settings for demonstration (NOT PRODUCTION READY).\n    # You MUST configure these with real SP and IdP details, including certificates.\n    print(\"Using default minimal settings. Please provide a settings file for production.\")\n    settings_data = {\n        'strict': True,\n        'debug': True,\n        'sp': {\n            'entityId': 'http://localhost:8000/saml/metadata/',\n            'assertionConsumerService': {\n                'url': 'http://localhost:8000/saml/acs/',\n                'binding': OneLogin_Saml2_Constants.BINDING_HTTP_POST\n            },\n            'singleLogoutService': {\n                'url': 'http://localhost:8000/saml/sls/',\n                'binding': OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT\n            },\n            'NameIDFormat': OneLogin_Saml2_Constants.NAMEID_EMAIL_ADDRESS,\n            'x509cert': '', # Your SP public certificate\n            'privateKey': '' # Your SP private key\n        },\n        'idp': {\n            'entityId': 'http://idp.example.com/saml/metadata/',\n            'singleSignOnService': {\n                'url': 'http://idp.example.com/saml/sso/',\n                'binding': OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT\n            },\n            'singleLogoutService': {\n                'url': 'http://idp.example.com/saml/slo/',\n                'binding': OneLogin_Saml2_Constants.BINDING_HTTP_REDIRECT\n            },\n            'x509cert': '' # IdP public certificate\n        }\n    }\n\ntry:\n    # Initialize SAML toolkit with request data and settings\n    auth = OneLogin_Saml2_Auth(dummy_request_data, settings_data)\n\n    # Example 1: Get the SSO URL to redirect the user for login\n    sso_url = auth.get_sso_url()\n    print(f\"\\nSAML Auth initialized. SSO URL for IdP: {sso_url}\")\n\n    # Example 2: Get SP metadata (typically exposed at a /saml/metadata URL)\n    settings = OneLogin_Saml2_Settings(settings_data)\n    sp_metadata = settings.get_sp_metadata()\n    print(\"\\nGenerated SP Metadata (truncated to 500 chars):\\n\" + sp_metadata[:500] + \"...\")\n\n    # In a real scenario, you'd handle SAML responses like this:\n    # if 'SAMLResponse' in dummy_request_data['post_data']:\n    #     auth.process_response()\n    #     if not auth.is_authenticated():\n    #         print(f\"Authentication failed: {auth.get_errors()}\")\n    #     else:\n    #         print(f\"User authenticated: {auth.get_nameid()}\")\n\nexcept Exception as e:\n    print(f\"Error during SAML initialization or operation: {e}\")","lang":"python","description":"This quickstart demonstrates how to initialize the `OneLogin_Saml2_Auth` object with example settings and dummy request data. It shows how to obtain the Single Sign-On (SSO) URL for initiating an authentication flow and how to generate Service Provider (SP) metadata. For production, SAML settings must be securely loaded and contain valid certificate data and endpoint URLs for both the SP and the IdP."},"warnings":[{"fix":"Explicitly set `strict: False` in your SAML settings if you require less strict validation, or update your IdP metadata/SAML responses to comply with strict SAML standards.","message":"The default value for the `strict` setting changed from `False` to `True` in `v1.8.0`. This can cause unexpected validation failures for existing configurations that were implicitly relying on `strict=False`.","severity":"breaking","affected_versions":">=1.8.0"},{"fix":"Ensure your request data dictionary provides accurate `http_host` and `https` values, which the library uses to determine the port, either explicitly from the host string or implicitly from the scheme. Avoid using `server_port` directly.","message":"The `server_port` key in the request data dictionary (passed to `OneLogin_Saml2_Auth`) was deprecated in `v1.12.0`. While it might still function, reliance on it is discouraged.","severity":"deprecated","affected_versions":">=1.12.0"},{"fix":"Always review and harden your SAML settings, especially when dealing with potentially insecure algorithms or domain configurations. Consult the official `python3-saml` security best practices and ensure all relevant `security` sub-settings are properly configured for your environment.","message":"SAML security requires careful configuration of settings such as `rejectDeprecatedAlgorithm` (introduced in `v1.13.0`), `allowSingleLabelDomains` (introduced in `v1.10.0`), `wantAssertionsSigned`, `wantMessageSigned`, and others. Incorrectly configured settings can expose your application to vulnerabilities like Open Redirect, Replay attacks, or accepting insecure SAML messages.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure you are running Python 3.5 or newer. If encountering `lxml` related issues, try updating `lxml` or checking the `python3-saml` release notes for specific `lxml` version recommendations/restrictions, or install with `pip install --no-binary :all: lxml`.","message":"Python 3.4 support was dropped in `v1.8.0` due to `lxml` dependency requirements. Additionally, past versions have experienced issues with `lxml` version compatibility (e.g., in `v1.14.0`, `v1.15.0`) which could lead to installation or runtime errors.","severity":"gotcha","affected_versions":">=1.8.0"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}