Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

saml-idp

Package Overview
Dependencies
Maintainers
1
Versions
8
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

saml-idp

Test Identity Provider (IdP) for SAML 2.0 Web Browser SSO Profile

  • 1.2.1
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
7.4K
increased by6.54%
Maintainers
1
Weekly downloads
 
Created
Source

Introduction

This app provides a simple SAML Identity Provider (IdP) to test SAML 2.0 Service Providers (SPs) with the SAML 2.0 Web Browser SSO Profile or the Single Logout Profile.

This sample is not intended for use with production systems!

Installation

Global Command Line Tool

npm install --global saml-idp

Manual

From inside a local copy of this repo

npm install
# or
npm link

Library

npm install saml-idp

Docker

  1. docker-compose build
  2. docker-compose up

Simply modify Dockerfile to specify your own parameters.

Generating IdP Signing Certificate

You must generate a self-signed certificate for the IdP.

The private key should be unique to your test IdP and not shared!

You can generate a keypair using the following command (requires openssl in your path):

openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Identity Provider' -keyout idp-private-key.pem -out idp-public-cert.pem -days 7300

Usage

Library

An IdP server can be started using the exported runServer function. runServer accepts a config object which matches the interface of the saml-idp command.

const {runServer} = require('saml-idp');

runServer({
  acsUrl: `https://foo.okta.com/auth/saml20/assertion-consumer`,
  audience: `https://foo.okta.com/auth/saml20/metadata`,
});
Custom user config (claims)
const {runServer} = require('saml-idp');

runServer({
  acsUrl: `https://foo.okta.com/auth/saml20/assertion-consumer`,
  audience: `https://foo.okta.com/auth/saml20/metadata`,
  config: {
    user: userDefaults,
    // The auth-service requires at least one AttributeStatement in the SAML assertion.
    metadata: [{
      id: 'email',
      optional: false,
      displayName: 'E-Mail Address',
      description: 'The e-mail address of the user',
      multiValue: false
    }, {
      id: "userType",
      optional: true,
      displayName: 'User Type',
      description: 'The type of user',
      options: ['Admin', 'Editor', 'Commenter']
    }],
    user: {
      email: 'saml.jackson@example.com',
    },
  },
});

Command Line

SSO Profile
saml-idp --acsUrl {POST URL} --audience {audience}
SSO & SLO Profile
saml-idp --acsUrl {POST URL} --sloUrl {POST URL} --audience {audience}

Open http://localhost:7000 in your browser to start an IdP initiated flow to your SP

Example
saml-idp --acsUrl https://foo.okta.com/auth/saml20/example --audience https://www.okta.com/saml2/service-provider/spf5aFRRXFGIMAYXQPNV
Options

The following options can either be passed as --<option> or to runServer in an options object.

Option (* required)DescriptionDefault
hostIdP Web Server Listender Hostlocalhost
portIdP Web Server Listener Port7000
cert *IdP Signature PublicKey Certificate./idp-public-cert.pem
key *IdP Signature PrivateKey Certificate./idp-private-key.pem
issuer *IdP Issuer URIurn:example:idp
acsUrl *SP Assertion Consumer URL
sloUrlSP Single
audience *SP Audience URI
serviceProviderIdSP Issuer/Entity URI
relayStateDefault SAML RelayState
disableRequestAcsUrlDisables ability for SP AuthnRequest to specify Assertion Consumer URLfalse
encryptAssertionEncrypts assertion with SP Public Keyfalse
encryptionCertSP Certificate (pem) for Assertion Encryption
encryptionPublicKeySP RSA Public Key (pem) for Assertion Encryption (e.g. openssl x509 -pubkey -noout -in sp-cert.pem)
httpsPrivateKeyWeb Server TLS/SSL Private Key (pem)
httpsCertWeb Server TLS/SSL Certificate (pem)
https *Enables HTTPS Listener (requires httpsPrivateKey and httpsCert)false
configFile *Path to a SAML attribute config filesaml-idp/config.js
rollSessionCreate a new session for every authn request instead of reusing an existing sessionfalse
authnContextClassRefAuthentication Context Class Referenceurn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
authnContextDeclAuthentication Context Declaration (XML FilePath)

IdP SAML Settings

Issuer

The default IdP issuer is urn:example:idp. You can change this with the --iss argument.

Signing Certificate

The signing certificate public key must be specified as a file path or PEM string using the cert argument.

To generate a self-signed certificate for the IdP run

openssl req -x509 -new -newkey rsa:2048 -nodes \
  -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Identity Provider' \
  -keyout idp-private-key.pem \
  -out idp-public-cert.pem -days 7300

The signing certificate private key must be specified as a file path or PEM string using the key argument

Passing key/cert pairs from environment variables

Signing certificate key/cert pairs can also be passed from environment variables.

saml-idp --acsUrl {POST URL} --audience {audience} --cert="$SAML_CERT" --key="$SAML_KEY"

Single Sign-On Service Binding

Both SSO POST and Redirect bindings are available on the same endpoint which by default is http://localhost:7000/saml/sso

BindingURL
HTTP-Redirecthttp://localhost:port/saml/sso
HTTP-POSThttp://localhost:port/saml/sso

Single Logout Service Binding

Both SSO POST and Redirect bindings are available on the same endpoint which by default is http://localhost:7000/saml/slo

BindingURL
HTTP-Redirecthttp://localhost:port/saml/slo
HTTP-POSThttp://localhost:port/saml/slo

SAML Metadata

IdP SAML metadata is available on http://localhost:port/metadata

Assertion Attributes

The IdP mints the user's profile as a SAML Assertion Attribute Statement using the metadata property in config.js. Profile properties that match a metadata entry id property will be generated as a SAML Attribute with the same name. The IdP UI will automatically render an input for each entry defined via a metadata entry in config.js with a default value from the matching profile property.

Profile Property
{
  "email": "saml.jackson@example.com"
}
Metadata Entry
{
  "id": "email",
  "optional": false,
  "displayName": "E-Mail Address",
  "description": "The e-mail address of the user",
  "multiValue": false
}
SAML Assertion Attribute Statement
<saml:Attribute Name="email"><saml:AttributeValue xsi:type="xs:anyType">saml.jackson@example.com</saml:AttributeValue>

Default Attributes

The default profile mappings are defined in config.js as:

Profile PropertySAML Attribute Name
userNameSubject NameID
nameIdFormatSubject NameID Format
nameIdNameQualifierSubject NameID Name Qualifer
nameIdSPNameQualifierSubject NameID SP Name Qualifer
nameIdSPProvidedIDSubject NameID SP ProvidedID
firstNamefirstName
lastNamelastName
displayNamedisplayName
emailemail
mobilePhonemobilePhone
groupsgroups

SAML attribute mappings currently default to Okta (Inbound SAML)

Custom Attributes

New attributes can be defined at runtime in the IdP UI or statically by modifying the profile and metadata objects in config.js.

  1. Add metadata entry for your new attributes. The id property must be the name of the SAML Attribute

    {
      "id": "customAttribute",
      "optional": false,
      "displayName": "Custom Attribute",
      "description": "My custom attribute",
      "multiValue": false
    }
    
  2. Optionally add a default profile attribute value that will be used on startup

Assertion Encryption

Encrypted assertions require both a certificate and public key from the target service provider in the PEM format (base64 encoding of .der, .cer, .cert, .crt). You can convert certificate formats with openssl

DER to PEM

openssl x509 -inform der -in to-convert.der -out converted.pem

The following formats or extensions should be convertible to the pem format: .der, .cer, .cert, `.crt

PEM Certificate to Public Key

PEM files that contain the header -----BEGIN CERTIFICATE----- can also be converted to just the public key which is a file with just the -----BEGIN PUBLIC KEY----- header

openssl x509 -pubkey -noout -in cert.pem > pub.key

Keywords

FAQs

Package last updated on 02 Jun 2020

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc