Authenticate using SAML (web apps)
If you've upgraded to Firebase Authentication with Identity Platform, you can authenticate your users with Firebase using the SAML identity provider of your choice. This makes it possible to use your SAML-based SSO solution to sign users in to your Firebase app.

Firebase Authentication supports only the service-provider-initiated SAML flow: the sign-in always starts from your app, and an unsolicited (IdP-initiated) response is not accepted.
Before you begin

To sign in users using a SAML identity provider, you must first collect some information from the provider:

- The provider's Entity ID: a URI that identifies the identity provider.
- The provider's SAML SSO URL: the URL of the identity provider's sign-in page.
- The provider's public key certificate: the certificate used to validate assertions signed by the identity provider.
- Your app's Entity ID: a URI that identifies your app, the "service provider".
After you have the above information, enable SAML as a sign-in provider for your Firebase project:

1. Add Firebase to your JavaScript project.

2. If you haven't upgraded to Firebase Authentication with Identity Platform, do so. SAML authentication is only available in upgraded projects.

3. On the Sign-in providers page of the Firebase console, click Add new provider, and then click SAML.

4. Give a name to this provider. Note the provider ID that's generated, something like saml.example-provider. You'll need this ID when you add sign-in code to your app.

5. Specify your identity provider's entity ID, SSO URL, and public key certificate, and the entity ID of your app (the service provider). These values must exactly match the values your provider assigned to you; a mismatched entity ID or an out-of-date certificate makes every assertion fail validation.

6. Save your changes.

7. If you haven't already authorized your app's domain, add it to the allow list on the Authentication > Settings page of the Firebase console.
Handle the sign-in flow with the Firebase SDK

To handle the sign-in flow with the Firebase JavaScript SDK, follow these steps:

1. Create an instance of SAMLAuthProvider using the provider ID you got in the Firebase console.
Web (modular API)

import { SAMLAuthProvider } from "firebase/auth";

const provider = new SAMLAuthProvider('saml.example-provider');

Web (namespaced API)

var provider = new firebase.auth.SAMLAuthProvider('saml.example-provider');
2. Authenticate with Firebase using the SAML provider object.

You can either redirect the user to the provider's sign-in page or open the sign-in page in a pop-up browser window.

Redirect flow

Redirect to the provider sign-in page by calling signInWithRedirect():
Web (modular API)

import { getAuth, signInWithRedirect } from "firebase/auth";

const auth = getAuth();
signInWithRedirect(auth, provider);

Web (namespaced API)

firebase.auth().signInWithRedirect(provider);
After the user completes sign-in and returns to your app, you can obtain the sign-in result by calling getRedirectResult(). In the modular API, getRedirectResult() resolves to null when no redirect sign-in is pending (for example, on an ordinary page load), so check for that before treating the result as a sign-in.
Web (modular API)

import { getAuth, getRedirectResult, getAdditionalUserInfo } from "firebase/auth";

const auth = getAuth();
getRedirectResult(auth)
  .then((result) => {
    if (!result) {
      // No redirect sign-in is pending (ordinary page load).
      return;
    }
    // User is signed in.

    // Provider data available using getAdditionalUserInfo():
    // info.profile holds the attributes sent by the identity provider.
    const info = getAdditionalUserInfo(result);
    // Alternatively, read the user's ID token obtained from result.user.getIdToken();
    // the attributes are an object in the firebase.sign_in_attributes custom claim.
  })
  .catch((error) => {
    // Handle error.
  });
Web (namespaced API)

firebase.auth().getRedirectResult()
  .then((result) => {
    // User is signed in.

    // Provider data available in result.additionalUserInfo.profile,
    // or from the user's ID token obtained from result.user.getIdToken()
    // as an object in the firebase.sign_in_attributes custom claim.
  })
  .catch((error) => {
    // Handle error.
  });

Pop-up flow
Web (modular API)

import { getAuth, signInWithPopup, getAdditionalUserInfo } from "firebase/auth";

const auth = getAuth();
signInWithPopup(auth, provider)
  .then((result) => {
    // User is signed in.

    // Provider data available in getAdditionalUserInfo(result).profile,
    // or from the user's ID token obtained from result.user.getIdToken()
    // as an object in the firebase.sign_in_attributes custom claim.
  })
  .catch((error) => {
    // Handle error.
  });
Web (namespaced API)

firebase.auth().signInWithPopup(provider)
  .then((result) => {
    // User is signed in.

    // Provider data available in result.additionalUserInfo.profile,
    // or from the user's ID token obtained from result.user.getIdToken()
    // as an object in the firebase.sign_in_attributes custom claim.
  })
  .catch((error) => {
    // Handle error.
  });
The ID token and the UserInfo object contain the user's email address only if it is provided in the NameID element of the SAML assertion from the identity provider, using the emailAddress format. If the identity provider sends an opaque or persistent NameID instead, user.email is not set, so do not assume it is present:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@email.com</NameID>
</Subject>
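The sign-in snippets above point at two places where a client can read the SAML result: getAdditionalUserInfo() and the firebase.sign_in_attributes custom claim of the ID token, with the caveat that the email claim exists only when the NameID carried an email address. The following is an added example, not code from the Firebase documentation: it decodes the payload of a Firebase ID token, checks that the token was minted for the expected SAML provider ID (firebase.sign_in_provider) and has not expired, and returns the attributes together with whether an email was present. The tokens it decodes are constructed and unsigned (the signature segment is a placeholder), the provider ID saml.example-provider is the page's placeholder, and the attribute names and values are invented. Decoding a payload in the browser is not verification; only a server-side check of the signature, issuer, audience and expiry makes these claims trustworthy.

```javascript
// Added example, not from the Firebase documentation.
// Decodes a Firebase ID token issued after a SAML sign-in and surfaces the
// SAML attributes (firebase.sign_in_attributes) plus whether the NameID
// supplied an email. Tokens here are CONSTRUCTED and UNSIGNED; a real token
// must be verified server-side before any claim is trusted.

const EXPECTED_PROVIDER_ID = 'saml.example-provider'; // assumed console provider ID

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Builds a JWT-shaped string with a placeholder signature so the example runs
// without a Firebase project.
function makeUnsignedToken(payload) {
  const header = { alg: 'none', typ: 'JWT' };
  return `${base64UrlEncode(header)}.${base64UrlEncode(payload)}.sig`;
}

// Splits the token and parses the payload segment. No signature check here.
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed ID token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the SAML-relevant view of the token, or throws when the token was not
// issued through the expected SAML provider or has already expired.
function inspectSamlSignIn(idToken, expectedProviderId = EXPECTED_PROVIDER_ID,
                           nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(idToken);
  const fb = claims.firebase || {};
  if (fb.sign_in_provider !== expectedProviderId) {
    throw new Error(`token not issued via ${expectedProviderId}: ${fb.sign_in_provider}`);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    throw new Error('token expired');
  }
  const hasEmail = typeof claims.email === 'string';
  return {
    uid: claims.sub,
    provider: fb.sign_in_provider,
    email: hasEmail ? claims.email : null,
    emailFromNameId: hasEmail, // true only when the NameID used the emailAddress format
    attributes: fb.sign_in_attributes || {},
  };
}

// Constructed payloads. The claim layout (firebase.sign_in_provider,
// firebase.sign_in_attributes) is Firebase's; project, uid and attribute
// names/values are invented for the example.
const NOW_SECONDS = 1700000000;

// NameID was an emailAddress, so the `email` claim is present.
const SAMPLE_WITH_EMAIL = makeUnsignedToken({
  iss: 'https://securetoken.google.com/example-project',
  aud: 'example-project',
  sub: 'uid-constructed-1',
  iat: NOW_SECONDS - 60,
  exp: NOW_SECONDS + 3600,
  email: 'test@email.com',
  firebase: {
    identities: { email: ['test@email.com'] },
    sign_in_provider: 'saml.example-provider',
    sign_in_attributes: { firstname: 'Test', groups: ['engineering'] },
  },
});

// Same provider, but NameID was an opaque persistent identifier: no `email`.
const SAMPLE_WITHOUT_EMAIL = makeUnsignedToken({
  iss: 'https://securetoken.google.com/example-project',
  aud: 'example-project',
  sub: 'uid-constructed-2',
  iat: NOW_SECONDS - 60,
  exp: NOW_SECONDS + 3600,
  firebase: {
    identities: {},
    sign_in_provider: 'saml.example-provider',
    sign_in_attributes: { firstname: 'Test' },
  },
});
```

In an app the token comes from result.user.getIdToken(); the expectedProviderId check guards against code that assumed a SAML session when the user actually signed in through some other provider configured on the same project.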
While the above examples focus on sign-in flows, you can use the same pattern to link a SAML provider to an existing user using linkWithRedirect() and linkWithPopup(), and to re-authenticate a user with reauthenticateWithRedirect() and reauthenticateWithPopup(), which can be used to retrieve fresh credentials for sensitive operations that require a recent login.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-08 UTC.