在網頁應用程式中使用 SAML 進行驗證
透過集合功能整理內容
你可以依據偏好儲存及分類內容。
如果您已升級至 Firebase Authentication with Identity Platform,可以透過 Firebase 驗證使用者
使用您選擇的 SAML 識別資訊提供者因此您可以使用
透過 SAML 式單一登入 (SSO) 解決方案,讓使用者登入 Firebase 應用程式。
Firebase Authentication 僅支援服務供應商啟動的 SAML 流程。
事前準備
如要透過 SAML 識別資訊提供者登入使用者,您必須先收集
供應商提供的資訊:
- 供應器的實體 ID:用於識別識別資訊提供者的 URI。
- 供應商的 SAML 單一登入 (SSO) 網址:識別資訊提供者的登入網址
頁面。
- 供應商的公用金鑰憑證:用於驗證的憑證
取得憑證
- 應用程式的實體 ID:用來識別應用程式的 URI (「service」)
。
備妥上述資訊後,請啟用 SAML 做為登入提供者:
Firebase 專案:
將 Firebase 新增至您的 JavaScript 專案。
如果您尚未升級至 Firebase Authentication with Identity Platform,請進行更新。只有 SAML 驗證
適用於已升級的專案。
登入供應商頁面
在 Firebase 控制台的頁面中,依序點選「新增供應商」和
「SAML」。
為這個供應商命名。記下產生的提供者 ID:
例如 saml.example-provider。新增
登入程式碼
指定識別資訊提供者的實體 ID、單一登入 (SSO) 網址和公開金鑰
憑證並指定應用程式的實體 ID (服務供應商)。
這些值必須與供應商指派給您的值完全相符。
儲存變更。
如果您尚未授權應用程式的網域,請將網域新增至允許清單
[驗證] > 中的清單設定
Firebase控制台中的頁面。
使用 Firebase SDK 處理登入流程
如要使用 Firebase JavaScript SDK 處理登入流程,請按照下列步驟操作:
步驟:
使用您取得的提供者 ID 建立 SAMLAuthProvider 的執行個體
也可前往 Firebase 控制台
Web
import { SAMLAuthProvider } from "firebase/auth";
const provider = new SAMLAuthProvider('saml.example-provider');
Web
var provider = new firebase.auth.SAMLAuthProvider('saml.example-provider');
``
使用 SAML 提供者物件向 Firebase 進行驗證。
您可以將使用者重新導向至提供者的登入頁面,也可以直接開啟
彈出式視窗中的登入頁面。
重新導向流程
呼叫 signInWithRedirect() 以重新導向至供應商登入頁面:
Web
import { getAuth, signInWithRedirect } from "firebase/auth";
const auth = getAuth();
signInWithRedirect(auth, provider);
Web
firebase.auth().signInWithRedirect(provider);
使用者完成登入並返回應用程式後,您就可以取得
呼叫 getRedirectResult() 取得登入結果。
Web
import { getAuth, getRedirectResult, SAMLAuthProvider } from "firebase/auth";
const auth = getAuth();
getRedirectResult(auth)
.then((result) => {
// User is signed in.
// Provider data available using getAdditionalUserInfo()
})
.catch((error) => {
// Handle error.
});
Web
firebase.auth().getRedirectResult()
.then((result) => {
// User is signed in.
// Provider data available in result.additionalUserInfo.profile,
// or from the user's ID token obtained from result.user.getIdToken()
// as an object in the firebase.sign_in_attributes custom claim.
})
.catch((error) => {
// Handle error.
});
彈出式視窗流程
Web
import { getAuth, signInWithPopup, OAuthProvider } from "firebase/auth";
const auth = getAuth();
signInWithPopup(auth, provider)
.then((result) => {
// User is signed in.
// Provider data available in result.additionalUserInfo.profile,
// or from the user's ID token obtained from result.user.getIdToken()
// as an object in the firebase.sign_in_attributes custom claim.
})
.catch((error) => {
// Handle error.
});
Web
firebase.auth().signInWithPopup(provider)
.then((result) => {
// User is signed in.
// Provider data available in result.additionalUserInfo.profile,
// or from the user's ID token obtained from result.user.getIdToken()
// as an object in the firebase.sign_in_attributes custom claim.
})
.catch((error) => {
// Handle error.
});
ID 權杖和 UserInfo
物件會包含使用者的電子郵件地址,前提是
來自識別資訊提供者的 SAML 宣告的 NameID 屬性:
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@email.com</NameID>
</Subject>
上述範例著重於登入流程,您可以
模式,使用以下模式將 SAML 提供者連結至現有使用者
linkWithRedirect() 和 linkWithPopup(),並透過
reauthenticateWithRedirect() 和 reauthenticateWithPopup(),可分為
用來為需要修改的敏感作業擷取新憑證
近期登入的資訊。
除非另有註明,否則本頁面中的內容是採用創用 CC 姓名標示 4.0 授權,程式碼範例則為阿帕契 2.0 授權。詳情請參閱《Google Developers 網站政策》。Java 是 Oracle 和/或其關聯企業的註冊商標。
上次更新時間:2025-08-30 (世界標準時間)。
[null,null,["上次更新時間:2025-08-30 (世界標準時間)。"],[],[],null,["If you've upgraded to Firebase Authentication with Identity Platform, you can authenticate your users with Firebase\nusing the SAML identity provider of your choice. This makes it possible to use\nyour SAML-based SSO solution to sign users in to your Firebase app.\n\nFirebase Authentication supports only the service-provider initiated SAML flow.\n\nBefore you begin\n\nTo sign in users using a SAML identity provider, you must first collect some\ninformation from the provider:\n\n- **The provider's Entity ID**: A URI that identifies the identity provider.\n- **The provider's SAML SSO URL**: The URL of the identity provider's sign-in page.\n- **The provider's public key certificate**: The certificate used to validate tokens signed by the identity provider.\n- **Your app's Entity ID**: A URI that identifies your app, the \"service provider\".\n\nAfter you have the above information, enable SAML as a sign-in provider for your\nFirebase project:\n\n1. [Add Firebase to your JavaScript project](/docs/web/setup).\n\n2. If you haven't upgraded to Firebase Authentication with Identity Platform, do so. SAML authentication is only\n available in upgraded projects.\n\n3. On the [**Sign-in providers**](//console.firebase.google.com/project/_/authentication/providers)\n page of the Firebase console, click **Add new provider** , and then click\n **SAML**.\n\n4. Give a name to this provider. Note the provider ID that's generated:\n something like `saml.example-provider`. You'll need this ID when you add\n sign-in code to your app.\n\n5. Specify your identity provider's entity ID, SSO URL, and public key\n certificate. Also specify the entity ID of your app (the service provider).\n These values must exactly match the values your provider assigned to you.\n\n6. Save your changes.\n\n7. If you haven't already authorized your app's domain, add it to the allow\n list on the [**Authentication \\\u003e Settings**](//console.firebase.google.com/project/_/authentication/settings)\n page of the Firebase console.\n\nHandle the sign-in flow with the Firebase SDK\n\nTo handle the sign-in flow with the Firebase JavaScript SDK, follow these\nsteps:\n\n1. Create an instance of an `SAMLAuthProvider` using the provider ID you got in\n the Firebase console.\n\n Web \n\n import { SAMLAuthProvider } from \"firebase/auth\";\n\n const provider = new SAMLAuthProvider('saml.example-provider');\n\n Web \n\n var provider = new firebase.auth.SAMLAuthProvider('saml.example-provider');\n ``\n\n\u003c!-- --\u003e\n\n1. Authenticate with Firebase using the SAML provider object.\n\n You can either redirect the user to the provider's sign-in page or open the\n sign-in page in a pop-up browser window.\n\n **Redirect flow**\n\n Redirect to the provider sign-in page by calling `signInWithRedirect()`: \n\n Web \n\n import { getAuth, signInWithRedirect } from \"firebase/auth\";\n\n const auth = getAuth();\n signInWithRedirect(auth, provider);\n\n Web \n\n firebase.auth().signInWithRedirect(provider);\n\n After the user completes sign-in and returns to your app, you can obtain the\n sign-in result by calling `getRedirectResult()`. \n\n Web \n\n import { getAuth, getRedirectResult, SAMLAuthProvider } from \"firebase/auth\";\n\n const auth = getAuth();\n getRedirectResult(auth)\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available using getAdditionalUserInfo()\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n Web \n\n firebase.auth().getRedirectResult()\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available in result.additionalUserInfo.profile,\n // or from the user's ID token obtained from result.user.getIdToken()\n // as an object in the firebase.sign_in_attributes custom claim.\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n **Pop-up flow**\n\n Web \n\n import { getAuth, signInWithPopup, OAuthProvider } from \"firebase/auth\";\n\n const auth = getAuth();\n signInWithPopup(auth, provider)\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available in result.additionalUserInfo.profile,\n // or from the user's ID token obtained from result.user.getIdToken()\n // as an object in the firebase.sign_in_attributes custom claim.\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n Web \n\n firebase.auth().signInWithPopup(provider)\n .then((result) =\u003e {\n // User is signed in.\n\n // Provider data available in result.additionalUserInfo.profile,\n // or from the user's ID token obtained from result.user.getIdToken()\n // as an object in the firebase.sign_in_attributes custom claim.\n })\n .catch((error) =\u003e {\n // Handle error.\n });\n\n The ID token and [UserInfo](/docs/reference/js/auth.userinfo#userinfoemail)\n object contains the user's email address only if it is provided in the\n `NameID` attribute of the SAML assertion from the identity provider: \n\n \u003cSubject\u003e\n \u003cNameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\"\u003etest@email.com\u003c/NameID\u003e\n \u003c/Subject\u003e\n\n2. While the above examples focus on sign-in flows, you can use the same\n pattern to link a SAML provider to an existing user using\n `linkWithRedirect()` and `linkWithPopup()`, and re-authenticate a user with\n `reauthenticateWithRedirect()` and `reauthenticateWithPopup()`, which can be\n used to retrieve fresh credentials for sensitive operations that require\n recent login."]]
