Question: What to do when OneLogin is SP + IP

[fingermark]

I have three applications that need to support Single Sign-on and we are looking into SAML. It'd probably be easiest to just use OneLogin as a Service Provider and Identity Provider -- this makes sense, right? All the demos I see are for creating a SP. If I use OneLogin as my SP + IP, then these applications wouldn't be SPs, right? How would I implement SSO via SAML using python-saml, then?

Thanks

[pitbulk]

Onelogin is able to act as an SP, in order to be connected with others Identity Providers, but at the end you will want to add SAML support to your 3 applications (build SPs) and connect it with Onelogin (IdP).

Possible scenario that Onelogin is able to manage:

Salesforce IdP   ----- Onelogin (as SP) | Onelogin (as IdP) ----- app1
          or                                         |------------app2
         ADFS                                        |------------app3

I recommend you to read how SAML works: https://github.com/jch/saml

[fingermark]

@pitbulk, that's an excellent resource. Thanks. So, after reading, it's fairly clear that app1, app2, and app3 would be SPs here.

In looking at the demo-django I was expecting a little more (in terms of user provisioning via create_user), didn't see the logic in the templates, and got confused to what an SP actually was.

Thanks for your help and your work. I'll likely be using this soon.

[pitbulk]

The demo-django is very basic and take care of the SAML stuff and shows how to use the toolkit, logic to provision the user and other stuff is a task of the developer that integrates the django application.

But if you are using Django as your framework, take a look at:

• https://github.com/KristianOellegaard/django-saml-service-provider
• https://github.com/omab/python-social-auth/blob/b07708efe7d19b75009771aa97ddf821e59ec08e/docs/backends/saml.rst (Both uses as base python-saml to add SAML support)