Simple SAML Identity Provider (IdP) for Node

Introduction

This app provides a simple SAML Identity Provider (IdP) to test SAML 2.0 Service Providers (SPs) with the SAML 2.0 Web Browser SSO Profile or the Single Logout Profile.

This sample is not intended for use with production systems!

Docker Installation and Startup

  1. docker-compose build
  2. docker-compose up

Simply modify Dockerfile to specify your own parameters.

Manual Installation

  1. npm install
  2. openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Identity Provider' -keyout idp-private-key.pem -out idp-public-cert.pem -days 7300

Usage

SSO Profile

node app.js --acs {POST URL} --aud {audience}

SSO & SLO Profile

node app.js --acs {POST URL} --slo {POST URL} --aud {audience}

Open http://localhost:7000 in your browser to start an IdP-initiated flow to your SP.

Example

node app.js --acs https://foo.okta.com/auth/saml20/example --aud https://www.okta.com/saml2/service-provider/spf5aFRRXFGIMAYXQPNV

Options

Most parameters can be defined with the following command-line arguments:

Options:
  --help                            Show help                                                                                                                         [boolean]
  --version                         Show version number                                                                                                               [boolean]
  --settings                        Path to JSON config file
  --port, -p                        Web Server Listener Port                                                                                         [required] [default: 7000]
  --cert                            IdP Signature PublicKey Certificate                                                           [required] [default: "./idp-public-cert.pem"]
  --key                             IdP Signature PrivateKey Certificate                                                          [required] [default: "./idp-private-key.pem"]
  --issuer, --iss                   IdP Issuer URI                                                                                      [required] [default: "urn:example:idp"]
  --acsUrl, --acs                   SP Assertion Consumer URL                                                                                                        [required]
  --sloUrl, --slo                   SP Single Logout URL
  --audience, --aud                 SP Audience URI                                                                                                                  [required]
  --serviceProviderId, --spId       SP Issuer/Entity URI                                                                                                               [string]
  --relayState, --rs                Default SAML RelayState for SAMLResponse
  --disableRequestAcsUrl, --static  Disables ability for SP AuthnRequest to specify Assertion Consumer URL                                           [boolean] [default: false]
  --encryptAssertion, --enc         Encrypts assertion with SP Public Key                                                                            [boolean] [default: false]
  --encryptionCert, --encCert       SP Certificate (pem) for Assertion Encryption                                                                                      [string]
  --encryptionPublicKey, --encKey   SP RSA Public Key (pem) for Assertion Encryption (e.g. openssl x509 -pubkey -noout -in sp-cert.pem)                                [string]
  --httpsPrivateKey                 Web Server TLS/SSL Private Key (pem)                                                                                               [string]
  --httpsCert                       Web Server TLS/SSL Certificate (pem)                                                                                               [string]
  --https                           Enables HTTPS Listener (requires httpsPrivateKey and httpsCert)                                       [boolean] [required] [default: false]
  --configFile, --conf              Path to a SAML attribute config file                                             [required] [default: "/Users/karl/src/saml-idp/config.js"]
  --rollSession                     Create a new session for every authn request instead of reusing an existing session                              [boolean] [default: false]

IdP SAML Settings

Issuer

The default IdP issuer is urn:example:idp. You can change this with the --iss argument.

Signing Certificate

You must generate a self-signed certificate for the IdP.

openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Identity Provider' -keyout idp-private-key.pem -out idp-public-cert.pem -days 7300

The signing certificate public key must be specified as a file path or PEM string using the cert argument. The signing certificate private key must be specified as a file path or PEM string using the key argument.

Passing key/cert pairs from environment variables

Signing certificate key/cert pairs can also be passed from environment variables.

node app.js --acs {POST URL} --aud {audience} --cert="$SAML_CERT" --key="$SAML_KEY"

Single Sign-On Service Binding

Both SSO POST and Redirect bindings are available on the same endpoint which by default is http://localhost:7000/saml/sso

Binding        URL
HTTP-Redirect  http://localhost:port/saml/sso
HTTP-POST      http://localhost:port/saml/sso

Single Logout Service Binding

Both SLO POST and Redirect bindings are available on the same endpoint which by default is http://localhost:7000/saml/slo

Binding        URL
HTTP-Redirect  http://localhost:port/saml/slo
HTTP-POST      http://localhost:port/saml/slo

SAML Metadata

IdP SAML metadata is available on http://localhost:port/metadata

Assertion Attributes

The IdP mints the user's profile as a SAML Assertion Attribute Statement using the metadata property in config.js. Profile properties that match a metadata entry id property will be generated as a SAML Attribute with the same name. The IdP UI will automatically render an input for each entry defined via a metadata entry in config.js with a default value from the matching profile property.

Profile Property

{
  "email": "saml.jackson@example.com"
}

Metadata Entry

{
  "id": "email",
  "optional": false,
  "displayName": "E-Mail Address",
  "description": "The e-mail address of the user",
  "multiValue": false
}

SAML Assertion Attribute Statement

<saml:Attribute Name="email"><saml:AttributeValue xsi:type="xs:anyType">saml.jackson@example.com</saml:AttributeValue></saml:Attribute>

Default Attributes

The default profile mappings are defined in config.js as:

Profile Property       SAML Attribute Name
userName               Subject NameID
nameIdFormat           Subject NameID Format
nameIdNameQualifier    Subject NameID Name Qualifier
nameIdSPNameQualifier  Subject NameID SP Name Qualifier
nameIdSPProvidedID     Subject NameID SP ProvidedID
firstName              firstName
lastName               lastName
displayName            displayName
email                  email
mobilePhone            mobilePhone
groups                 groups

SAML attribute mappings currently default to Okta (Inbound SAML).

Custom Attributes

New attributes can be defined at runtime in the IdP UI or statically by modifying the profile and metadata objects in config.js.

  1. Add a metadata entry for each new attribute. The id property must be the name of the SAML Attribute.

    {
      "id": "customAttribute",
      "optional": false,
      "displayName": "Custom Attribute",
      "description": "My custom attribute",
      "multiValue": false
    }
  2. Optionally add a default profile attribute value that will be used on startup.
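The mapping described under Assertion Attributes and Custom Attributes (profile property whose name matches a metadata entry id becomes a saml:Attribute, with optional and multiValue controlling whether it may be omitted or repeated) can be written out as a small builder. The following is an added example and not code from the saml-idp project; the metadata and profile objects are constructed to look like the ones in config.js, the function names are assumptions, and the output uses the element names from the snippet above. It also escapes attribute values, which matters because profile values typed into the IdP UI end up inside XML.

```javascript
'use strict';

// Constructed sample in the shape of the `metadata` list in config.js.
const metadata = [
  { id: 'email', optional: false, displayName: 'E-Mail Address',
    description: 'The e-mail address of the user', multiValue: false },
  { id: 'groups', optional: true, displayName: 'Groups',
    description: 'Group memberships', multiValue: true },
  { id: 'customAttribute', optional: true, displayName: 'Custom Attribute',
    description: 'My custom attribute', multiValue: false },
];

// Constructed sample profile (the page's default e-mail plus a group list).
// userName feeds the Subject NameID, not an Attribute, so it has no metadata entry.
const profile = {
  userName: 'saml.jackson@example.com',
  email: 'saml.jackson@example.com',
  groups: ['Everyone', 'Admins'],
};

// Attribute values are operator-supplied text placed inside XML. Escape the
// XML special characters so a value like `Acme & Sons <dev>` cannot close
// the AttributeValue element and inject further markup into the assertion.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
  })[c]);
}

// Resolve the values for one metadata entry. Returns [] when the profile
// property is absent or empty; throws when a required entry has no value or
// a single-valued entry was given several values.
function valuesFor(entry, source) {
  const raw = source[entry.id];
  let values = raw === undefined || raw === null ? [] : [].concat(raw);
  values = values.map((v) => String(v)).filter((v) => v.length > 0);
  if (!entry.multiValue && values.length > 1) {
    throw new Error(`attribute "${entry.id}" is single-valued but ${values.length} values were supplied`);
  }
  if (values.length === 0 && !entry.optional) {
    throw new Error(`required attribute "${entry.id}" is missing from the profile`);
  }
  return values;
}

// One saml:Attribute per metadata entry that has at least one value; a
// multiValue entry yields one AttributeValue child per value.
function buildAttributeStatement(source, entries) {
  const attributes = [];
  for (const entry of entries) {
    const values = valuesFor(entry, source);
    if (values.length === 0) continue; // optional and unset: omit the Attribute entirely
    const body = values
      .map((v) => `<saml:AttributeValue xsi:type="xs:anyType">${escapeXml(v)}</saml:AttributeValue>`)
      .join('');
    attributes.push(`<saml:Attribute Name="${escapeXml(entry.id)}">${body}</saml:Attribute>`);
  }
  return `<saml:AttributeStatement>${attributes.join('')}</saml:AttributeStatement>`;
}
```

Calling buildAttributeStatement(profile, metadata) yields an email Attribute with one value, a groups Attribute with two values, and no customAttribute element at all, since it is optional and the profile does not set it; removing email from the profile throws because that entry is marked optional: false.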

Assertion Encryption

Encrypted assertions require both a certificate and public key from the target service provider in the PEM format (base64 encoding of .der, .cer, .cert, .crt). You can convert certificate formats with openssl.

DER to PEM

openssl x509 -inform der -in to-convert.der -out converted.pem

The following formats or extensions should be convertible to the PEM format: .der, .cer, .cert, .crt

PEM Certificate to Public Key

PEM files that contain the header -----BEGIN CERTIFICATE----- can also be converted to just the public key, which is a file with just the -----BEGIN PUBLIC KEY----- header.

openssl x509 -pubkey -noout -in cert.pem > pub.key