I’m just trying to get my bearings here, so if anyone could point me in the right direction and give me a little shove, I’d appreciate it.
I have a Django application that runs on Heroku and uses traditional username/password with the credentials stored in the database. I also have a customer who would like their employees to be able to sign on to my app via SAML2, and they use Okta as an identity provider. (Am I using the correct terms here?)
So I’m not quite sure where to start. I see that there is an Okta add-on in the Heroku marketplace, but I can’t figure out what it does, it’s “beta”, and I’m not sure whether it works with SAML2.
I saw the guide at https://developer.okta.com/code/python/pysaml2/ which looked interesting, but it seems to be a dead end. The sample app is for Python 2, has not been updated in years, and GitHub won’t let me clone the repo.
Are you more familiar with OAuth and django-social-auth? If so, my open-source service Osso could help you here: you configure your customer to use SAML inside your Osso instance, and then consume your Osso instance using an OAuth 2.0 code grant flow from your Django app. https://github.com/enterprise-oss/osso
Otherwise, if you want to implement SAML yourself, OneLogin (a competing identity provider to Okta) provides a package for Python 3: https://github.com/onelogin/python3-saml
Where things will differ from that tutorial is that you will want to create a custom SAML 2.0 web application in your dev Okta instance. When you release to production, your customer will need to create a similar application in their Okta instance and provide back to you at least a Single Sign-On URL and X.509 certificate so that you can decode the SAML response.
Hopefully this is helpful! If you want to give Osso a shot you can reach out to us on ossoapp.com
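To make the last step of that answer concrete, here is an added example (not code from the original post or from the python3-saml project) of how the values a customer hands back from their Okta app feed into the settings dict that python3-saml's `OneLogin_Saml2_Auth` expects, and how a Django ACS view consumes it. All URLs, the certificate text and the view name are constructed placeholders; the Okta issuer (IdP entityId) is assumed to be provided alongside the SSO URL and certificate.

```python
"""Per-customer SAML settings for python3-saml, plus a Django ACS view."""
import re

# Constructed placeholders: the real values come from the customer's Okta app.
OKTA_IDP = {
    "entity_id": "http://www.okta.com/EXAMPLE_APP_ID",             # IdP Issuer
    "sso_url": "https://customer.okta.com/app/EXAMPLE/sso/saml",   # SSO URL
    "x509cert": "-----BEGIN CERTIFICATE-----\nMIIC...EXAMPLE...\n-----END CERTIFICATE-----",
}
SP_BASE_URL = "https://myapp.example.com"  # placeholder for the Heroku app


def pem_body(cert: str) -> str:
    """Strip PEM armour and whitespace; python3-saml takes the bare base64."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    return "".join(body.split())


def build_saml_settings(idp: dict, sp_base_url: str) -> dict:
    """Settings in the shape OneLogin_Saml2_Auth expects, one dict per customer."""
    if not idp["sso_url"].startswith("https://"):
        raise ValueError("IdP SSO URL must be https")
    return {
        "strict": True,  # reject responses whose issuer/audience/destination/time window don't match
        "sp": {
            "entityId": f"{sp_base_url}/saml/metadata/",
            "assertionConsumerService": {
                "url": f"{sp_base_url}/saml/acs/",
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            },
            "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        },
        "idp": {
            "entityId": idp["entity_id"],
            "singleSignOnService": {
                "url": idp["sso_url"],
                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            },
            "x509cert": pem_body(idp["x509cert"]),  # used to verify the assertion signature
        },
        "security": {"wantAssertionsSigned": True, "wantNameId": True, "requestedAuthnContext": False},
    }


def saml_acs_view(request):
    """Django view for the ACS endpoint (hypothetical name); decorate with @csrf_exempt."""
    from onelogin.saml2.auth import OneLogin_Saml2_Auth  # pip install python3-saml
    req = {"https": "on", "http_host": request.get_host(), "script_name": request.path,
           "get_data": request.GET.copy(), "post_data": request.POST.copy()}
    auth = OneLogin_Saml2_Auth(req, build_saml_settings(OKTA_IDP, SP_BASE_URL))
    auth.process_response()  # verifies signature with the customer's cert and strict-mode conditions
    if auth.get_errors() or not auth.is_authenticated():
        raise PermissionError(auth.get_last_error_reason())
    return auth.get_nameid(), auth.get_attributes()  # map these onto a Django user here
```

In a multi-tenant app you would look up the customer's IdP record by the tenant making the request instead of the module-level constant.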