Python Single Sign On with SAML IDP using JWT

Follow the Step-by-Step Guide given below to integrate your Python code with SAML IDP using JWT.

Step 1: Set up an Identity Source in miniOrange

• Login as a customer from Admin Console of miniOrange's Administrator Console, now go to Identity Sources Tab from menu and click Add Identity Source. Make sure SAML tab is selected.
• Enter the following:

  IDP Name	<Your IDP Display Name>
  IDP Identifier	<Your IDP App Name>
  IdP Entity ID	https://<YOUR_SAML_IDP_DOMAIN>
  SAML SSO Login URL	https://<YOUR_SAML_IDP_DOMAIN>
  X.509 Certificate	Provide the SAML IDP signing certificate
  Override Return URL	Yes
  Return URL	Leave blank

• Click on Save

Step 2: Configure miniOrange as relying party in your SAML IDP

• In your IDP enter the following URL in the Relying Party URL textbox: https://login.xecurify.com/moas/broker/login/saml/acs/{YOUR_CUSTOMER_KEY}
• Enter the following in Relying Party trust identifier textbox: https://login.xecurify.com/moas

Step 3: Creating an external app in miniOrange

• Login to miniOrange Admin console and go to Apps > Manage Apps
• Click on Configure Apps button on the right upper corner.
• Click on External/JWT/PasswordLess tab and select External App / JWT App . Click on Add App.
• Enter the Custom Application Name and Description. Enter Redirect-URL as this: http://localhost:5000.
  For details regarding the callback file refer to Step 6.
  
  
  
  
• Click on Save.
• Click on Download Certificate link against the application you just added.You will need the content of this to validate the JWT Token signature later.
• Click on Edit link against the App you just created. Save/Note down the App Secret. This will be required for generating the Encrypted Token.
  
  

Step 4: Fetching the Customer Key and Customer Token Key

• Now Go to Custom App Integration under Integration tab from menu
• Note down the Customer Key and Customer Token Key values. These will required in the next step.
  
  
  

Step 5: Adding the request page

• You will need App Secret, Customer Key, and Token Key from Step 3 and 4 above, in order to add the request page.
• Now, add the below given code in a new file named request.py which passes a SAML SSO request to the JWT Application.
• Encrypt your Customer Token Key by using the code given below.
• Once the encrypted token is created, URL encode the encrypted token and append it to the miniOrange endpoint and redirect the user. Here is the final URL where you should redirect the user:
  https://login.xecurify.com/moas/broker/login/http/{YOUR_CUSTOMER_KEY}?token={ENCRYPTED_TOKEN_KEY}&returnUrl={YOUR_CALLBACK_URL}
  
• Replace {YOUR_CUSTOMER_KEY} with the Customer Key you have and {YOUR_CALLBACK_URL} with the url of the callback file (URL Encoded) which is given in step 6.
  
  

request.py

from Crypto.Cipher import AES
import base64
import webbrowser
import urllib
import time
 
key = <CUSTUMER_KEY>
customer_id=<CUSTUMER_ID>
app_secret=<APP_SECRET>
return_url = 'http://localhost:5000'
timestamp= long(round(time.time()*1000))
text=str(timestamp)+":"+app_secret
cipher = AES.new(key, AES.MODE_ECB)
padSize = 16 - (len(text) % 16);
for i in range(0,padSize):
    text += chr(padSize)
msg =cipher.encrypt(text)
cipher_text=(base64.b64encode(msg)).encode("utf-8")
webbrowser.open("https://mytest.miniorange.in/moas/broker/login/jwt/"+customer_id+"/"+"?token="+urllib.quote_plus(cipher_text)+"&returnUrl="+urllib.quote_plus(return_url), new=2)

Step 6: Adding the response page

• Now, create a new file named callback.py (specified in steps 3 and 5) with the following code given below. This file will act as an endpoint i.e response to the jwt token which is received.

callback.py

from flask import Flask,request
import urlparse
import base64
import json
import time 

app = Flask(__name__)

@app.route("/")
def main():
  if request.method == 'GET':
    parsed = urlparse.urlparse(request.url)
    id_token=urlparse.parse_qs(parsed.query)['id_token']
    id_array=str(id_token).split(".")
    id_array[1] += "=" * ((4 - len(id_array[1]) % 4) % 4)
    j=json.loads(base64.b64decode(id_array[1]))
    if j['exp']>long(round(time.time()/1000)):
      return j['NameID']
    else:
      return "Response expired. Try login again."

if __name__ == "__main__":
  app.run()