This app provides a simple Identity Provider (IdP) to test SAML 2.0 Service Providers (SPs) with the SAML 2.0 Web Browser SSO Profile.
This sample is not intended for use with production systems!
npm installbower installopenssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Identity Provider' -keyout idp-private-key.pem -out idp-public-cert.pem -days 7300Bower, a front-end package manager, can be installed with
npm install -g bower
node app.js --acs {POST URL} --aud {audience}
Open http://localhost:7000 in your browser to start an IdP initiated flow to your SP
node app.js --acs https://foo.okta.com/auth/saml20/example --aud https://www.okta.com/saml2/service-provider/spf5aFRRXFGIMAYXQPNV
Most parameters can be defined with the following command-line arguments:
--port, -p Web Server Listener Port [required] [default: 7000]
--issuer, --iss IdP Issuer URI [required] [default: "urn:example:idp"]
--acsUrl, --acs SP Assertion Consumer URL [required]
--audience, --aud SP Audience URI [required]
--relayState, --rs Default SAML RelayState for SAMLResponse
--disableRequestAcsUrl, --static Disables ability for SP AuthnRequest to specify Assertion Consumer URL [default: false]
--encryptionCert, --encCert SP Certificate (pem) for Assertion Encryption
--encryptionPublicKey, --encKey SP RSA Public Key (pem) for Assertion Encryption (e.g. openssl x509 -pubkey -noout -in sp-cert.pem)
--httpsPrivateKey Web Server TLS/SSL Private Key (pem)
--httpsCert Web Server TLS/SSL Certificate (pem)
--https Enables HTTPS Listener (requires httpsPrivateKey and httpsCert) [required] [default: false]
The default IdP issuer is urn:example:idp. You can change this with the --iss argument.
Both SSO POST and Redirect bindings are available on the same endpoint which by default is http://localhost:7000
| Binding | URL |
|---|---|
| HTTP-Redirect | http://localhost:port |
| HTTP-POST | http://localhost:port |
http://localhost:port/idp will also work if your SP has weird URL validation rules
You must generate a self-signed certificate for the IdP.
openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Identity Provider' -keyout idp-private-key.pem -out idp-public-cert.pem -days 7300
IdP SAML metadata is available on http://localhost:port/metadata
The IdP mints the user's profile as a SAML Assertion Attribute Statement using the metadata property in config.js. Profile properties that match a metadata entry id property will be generated as a SAML Attribute with the same name. The IdP UI will automatically render an input for each entry defined via a metadata entry in config.js with a default value from the matching profile property.
{
"email": "saml.jackson@example.com"
}
{
"id": "email",
"optional": false,
"displayName": "E-Mail Address",
"description": "The e-mail address of the user",
"multiValue": false
}
<saml:Attribute Name="email"><saml:AttributeValue xsi:type="xs:anyType">saml.jackson@example.com</saml:AttributeValue>
The default profile mappings are defined in config.js as:
| Profile Property | SAML Attribute Name |
|---|---|
| userName | Subject NameID |
| nameIdFormat | Subject NameID Format |
| nameIdNameQualifier | Subject NameID Name Qualifer |
| nameIdSPNameQualifier | Subject NameID SP Name Qualifer |
| nameIdSPProvidedID | Subject NameID SP ProvidedID |
| firstName | firstName |
| lastName | lastName |
| displayName | displayName |
email | |
| mobilePhone | mobilePhone |
| groups | groups |
SAML attribute mappings currently default to Okta (Inbound SAML)
New attributes can be defined at runtime in the IdP UI or statically by modifying the profile and metadata objects in config.js.
Add metadata entry for your new attributes. The id property must be the name of the SAML Attribute
{
"id": "customAttribute",
"optional": false,
"displayName": "Custom Attribute",
"description": "My custom attribute",
"multiValue": false
}
2. Optionally add a default profile attribute value that will be used on startup
## Assertion Encryption
Encrypted assertions require both a certificate and public key from the target service provider in the PEM format (base64 encoding of `.der`, `.cer`, `.cert`, `.crt`). You can convert certificate formats with `openssl`
#### DER to PEM
`openssl x509 -inform der -in to-convert.der -out converted.pem`
> The following formats or extensions should be convertible to the pem format: `.der`, `.cer`, `.cert`, `.crt
#### PEM Certificate to Public Key
PEM files that contain the header `-----BEGIN CERTIFICATE-----` can also be converted to just the public key which is a file with just the `-----BEGIN PUBLIC KEY-----` header
`openssl x509 -pubkey -noout -in cert.pem > pub.key`
FAQs
Test Identity Provider (IdP) for SAML 2.0 Web Browser SSO Profile
We found that saml-idp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.