SAML Authentication in Python — ELI5

Imagine your school is going on a field trip to a museum. Before you leave, your teacher checks everyone’s permission slips and gives each student a signed badge that says “This student is approved by Springfield Elementary.”

When you arrive at the museum, the staff doesn’t call your parents to double-check. They look at the badge, see the school’s stamp, and trust it. You’re in.

That’s basically how SAML works for logging into websites at work.

Your company has one main login system — like the school’s front office. When you try to visit a work app (say, the expenses tool), the app says “Hold on, I don’t know you. Go prove who you are at the front office first.”

You get redirected to your company’s login page, type your password once, and the login system creates a signed message that says “Yes, this person is really Janet from Accounting.” That signed message is the SAML “assertion.”

The expenses app receives that assertion, checks the signature, and lets you in — without ever seeing your password. The app trusts the assertion because it trusts your company’s login system.

The magic part: once you’ve logged in at the front office, you can visit other work apps too — the project tracker, the HR portal — without typing your password again. Each app gets its own signed assertion from the same login. That’s single sign-on.

In Python, libraries like python3-saml handle all the signature checking and message formatting so your app can accept these assertions correctly.
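To make the flow above concrete, here is an added example (not code from the original post, and not python3-saml's own code) that models the two sides of the exchange: the login system (identity provider) issues a signed assertion, and the expenses app (service provider) accepts it only after checking the signature, the intended audience, and the validity window. Real SAML signs XML with the identity provider's private key and the app checks it against the provider's certificate; this example substitutes an HMAC with a constructed shared key so it runs with the standard library alone. The issuer and app URLs, the subject name, and the five-minute lifetime are all made-up values.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. It stands in for the identity provider's signing
# certificate that a real service provider is configured to trust.
TRUST_KEY = b"constructed-demo-key-not-for-production"


def idp_issue_assertion(subject, audience, key=TRUST_KEY, now=None, ttl=300):
    """Identity provider side: after the password check (not shown), build
    an assertion for one specific app and sign it. The app never sees the
    password, only this signed statement about who the user is."""
    now = time.time() if now is None else now
    claims = {
        "subject": subject,                      # e.g. "Janet from Accounting"
        "issuer": "https://idp.example.test",    # hypothetical login system
        "audience": audience,                    # the one app this is for
        "not_on_or_after": now + ttl,            # short validity window
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "signature": signature}


def sp_verify_assertion(assertion, expected_audience, key=TRUST_KEY, now=None):
    """Service provider side: trust the assertion only if the signature is
    valid, it was issued for this app, and it has not expired.
    Returns (ok, subject) on success or (False, reason) on rejection."""
    now = time.time() if now is None else now
    payload = assertion["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison: any edit to the payload, or an assertion
    # signed with a key the app does not trust, fails here first.
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    claims = json.loads(payload)
    # An assertion for the HR portal must not open the expenses app.
    if claims["audience"] != expected_audience:
        return False, "assertion not meant for this app"
    # Stale assertions are rejected even though the signature is valid.
    if now >= claims["not_on_or_after"]:
        return False, "assertion expired"
    return True, claims["subject"]


if __name__ == "__main__":
    # Single sign-on: one login at the identity provider, a separate
    # assertion per app, each checked by the app that receives it.
    for app in ("https://expenses.example.test", "https://hr.example.test"):
        assertion = idp_issue_assertion("janet@example.test", app)
        print(app, sp_verify_assertion(assertion, app))
```

In a real deployment the equivalent of `sp_verify_assertion` is done for you by python3-saml's `OneLogin_Saml2_Auth.process_response()`, which validates the XML signature against the configured identity provider certificate along with the audience and time conditions; the point of the toy version is that all three checks, not just the signature, are what make the assertion safe to trust.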

The one thing to remember: SAML is like a signed permission slip from your company’s login system that lets work apps trust who you are without ever seeing your password.

Tags: python, security, authentication, enterprise
