ServiceProvider

class flask_saml2.sp.ServiceProvider

Developers should subclass ServiceProvider and provide methods to interoperate with their specific environment. All user interactions are performed through methods on this class.

There are no methods that must be overridden, but overriding get_default_login_return_url() and get_logout_return_url() is recommended.

session_auth_data_key = 'saml_auth_data'

What key to store authentication details under in the session.

blueprint_name = 'flask_saml2_sp'

The name of the blueprint to generate.

login_successful(auth_data, relay_state)

Called when a user is successfully logged on. Subclasses should override this if they want to do more with the returned user data. Returns a flask.Response, which is usually a redirect to get_default_login_return_url(), or a redirect to the protected resource the user initially requested. Subclasses may override this method and return a different response, but they must call super().

Return type

Response

get_sp_config()

Get the configuration for this SP. Defaults to SAML2_SP from flask.Flask.config. The configuration should be a dict like:

{
    # The X509 certificate and private key this SP uses to
    # encrypt, validate, and sign payloads.
    'certificate': ...,
    'private_key': ...,
}

To load the certificate and private_key values, see

Return type

dict

get_sp_entity_id()

The unique identifier for this Service Provider. By default, this uses the metadata URL for this SP.

See get_metadata_url().

Return type

str

get_sp_certificate()

Get the public certificate for this SP.

Return type

Optional[X509]

get_sp_private_key()

Get the private key for this SP.

Return type

Optional[PKey]

get_sp_signer()

Get the signing algorithm used by this SP.

Return type

Optional[Signer]

get_sp_digester()

Get the digest algorithm used by this SP.

Return type

Digester

should_sign_requests()

Should this SP sign its SAML statements? Defaults to True if the SP is configured with both a certificate and a private key.

Return type

bool

get_identity_providers()

Get an iterable of identity provider config dicts. Each config should be a dict specifying an IdPHandler subclass and optionally any constructor arguments:

>>> list(sp.get_identity_providers())
[{
    'CLASS': 'my_app.identity_providers.MyIdPIdPHandler',
    'OPTIONS': {
        'entity_id': 'https://idp.example.com/metadata.xml',
    },
}]

Defaults to current_app.config['SAML2_IDENTITY_PROVIDERS'].

Return type

Iterable[Tuple[str, dict]]

get_login_url()

The URL of the endpoint that starts the login process.

Return type

str

get_acs_url()

The URL for the Assertion Consumer Service for this SP.

Return type

str

get_sls_url()

The URL for the Single Logout Service for this SP.

Return type

str

get_metadata_url()

The URL for the metadata xml for this SP.

Return type

str

get_default_login_return_url()

The default URL to redirect users to once they have logged in.

Return type

Optional[str]

get_login_return_url()

Get the URL to redirect the user to now that they have logged in.

Return type

Optional[str]

get_logout_return_url()

The URL to redirect users to once they have logged out.

Return type

Optional[str]

is_valid_redirect_url(url)

Is this URL valid and safe to redirect to? Defaults to only allowing URLs on the current server.

Return type

str
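The check in is_valid_redirect_url() and the fall-back from get_login_return_url() to get_default_login_return_url() are where an SP decides where a freshly authenticated browser is sent, so an unvalidated "return to" URL is the classic open-redirect hole in a SAML login flow. The following is an added example written for this page, not flask_saml2's own implementation: it uses only urllib.parse, takes the server name as a plain argument (a subclass would read it from Flask's SERVER_NAME setting), and the function names, the sample URLs and the host app.example.com are the example's own constructed values.

```python
from urllib.parse import urlsplit

# Schemes a post-login or post-logout redirect may use. Anything else
# (javascript:, data:, file:, ...) is rejected outright.
ALLOWED_SCHEMES = ("http", "https")


def is_safe_redirect_url(url, server_name, allowed_schemes=ALLOWED_SCHEMES):
    """Return True only if *url* is a same-server redirect target.

    *server_name* is the host[:port] this application is served from, in
    the form Flask's SERVER_NAME setting uses (e.g. 'app.example.com').
    """
    if not url:
        return False
    # Whitespace and C0 control characters are parsed inconsistently by
    # browsers and URL libraries; refuse to reason about such input.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    # Browsers treat '\' like '/' in URLs, so '/\evil.example' is really
    # '//evil.example' (a scheme-relative URL). Normalise before parsing.
    normalized = url.replace("\\", "/")
    parts = urlsplit(normalized)

    if not parts.scheme:
        # Scheme-less input: '//host/...' is scheme-relative and leaves the
        # server, so only a path rooted with a single '/' is accepted.
        if parts.netloc:
            return False
        return normalized.startswith("/") and not normalized.startswith("//")

    if parts.scheme.lower() not in allowed_schemes:
        return False
    netloc = parts.netloc
    if not netloc:
        # 'http:///evil.example' and 'https:evil.example' parse with an
        # empty netloc; neither is a well-formed same-server URL.
        return False
    if "@" in netloc:
        # In 'https://app.example.com@evil.example/' the part before '@' is
        # userinfo and the real host is evil.example. Legitimate return
        # URLs never carry credentials, so reject rather than untangle.
        return False
    # Exact host[:port] comparison, case-insensitive. Ports must match too,
    # so 'https://app.example.com:8443/' is rejected for 'app.example.com'.
    return netloc.lower() == server_name.lower()


def choose_login_return_url(requested_url, default_url, server_name):
    """Pick the post-login destination the way a ServiceProvider subclass
    might in get_login_return_url(): honour the originally requested
    resource only if it passes the safety check, otherwise fall back to the
    default (what get_default_login_return_url() would supply)."""
    if requested_url and is_safe_redirect_url(requested_url, server_name):
        return requested_url
    return default_url


if __name__ == "__main__":
    # Constructed sample inputs: what a 'next' parameter might carry.
    server = "app.example.com"
    for candidate in (
        "/dashboard",
        "https://app.example.com/profile",
        "//evil.example/",
        "/\\evil.example",
        "https://app.example.com@evil.example/",
        "javascript:alert(1)",
    ):
        verdict = "allow" if is_safe_redirect_url(candidate, server) else "reject"
        print(f"{verdict:6} {candidate!r}")
    print(choose_login_return_url("//evil.example/", "/", server))  # falls back to '/'
```

A subclass would wire this in by overriding is_valid_redirect_url(url) to return is_safe_redirect_url(url, current_app.config['SERVER_NAME']) (assumed wiring, not taken from the page). The deliberately strict choices, rejecting bare relative paths without a leading slash, any userinfo, and any port that differs from SERVER_NAME, trade a little convenience for not having to reason about how each browser normalises the odd cases; the default URL is always the safe answer when in doubt.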

make_idp_handler(config)

Construct an IdPHandler from a config dict from get_identity_providers().

Return type

IdPHandler

get_idp_handlers()

Get the IdPHandler for each service provider defined.

Return type

Iterable[IdPHandler]

get_default_idp_handler()

Get the default IdP to sign in with. When logging in, if there is a default IdP, the user will be automatically logged in with that IdP. Return None if there is no default IdP. If there is no default, a list of IdPs to sign in with will be presented by the login view.

Return type

Optional[IdPHandler]

get_idp_handler_by_entity_id(entity_id)

Find the IdPHandler instance with a matching entity ID.

Return type

IdPHandler

get_idp_handler_by_current_session()

Get the IdPHandler used to authenticate the currently logged in user.

Return type

IdPHandler

login_required()

Check if a user is currently logged in to this session, and flask.abort() with a redirect to the login page if not. It is suggested to use is_user_logged_in().

is_user_logged_in()

Check if the user is currently logged in / authenticated with an IdP.

Return type

bool

logout()

Terminate the session for a logged in user.

render_template(template, **context)

Render an HTML template. This method can be overridden to inject more context variables if required.

Return type

str

set_auth_data_in_session(auth_data)

Store authentication details from the IdPHandler in the browser session.

clear_auth_data_in_session()

Clear the authentication details from the session. This will effectively log the user out.

get_auth_data_in_session()

Get an AuthData instance from the session data stored for the currently logged in user.

Return type

AuthData

make_absolute_url(url)

Take a local URL and make it absolute by prepending the current SERVER_NAME.

Return type

str

get_metadata_context()

Get any extra context for the metadata template. Suggested extra context variables include ‘org’ and ‘contacts’.

Return type

dict

create_blueprint()

Create a Flask flask.Blueprint for this Service Provider.

Return type

Blueprint