I need a SAML IDP to test — now!
This is the other side of my previous post:
Just to be clear, we are talking about SAML 2.0 the protocol (the Web Browser SSO profile), not a SAML assertion used as a token inside another protocol such as WS-Federation.
Once you figure out how the client side works, you need an Identity Provider (IDP) to test against.
Normally, the fact that you are adding SAML to a client means you intend to connect to an existing IDP that supports SAML. But that IDP may not be available yet, you may be waiting for someone to configure it, or you may not be sure which parameters to hand over to the IDP admin so they can add your service.
So you need to do some quick smoke tests to check all is well.
This post is a work in progress. If there’s an IDP you use, let me know in the comments and I’ll add it.
Some of the utilities offer both IDP and SP support, so they also cover the case where you have an IDP that you want to test against a test client.
Note that I haven’t personally used all of them so use at your own risk.
On-premises
If you have the infrastructure / subscription available, you could use:
- ADFS is a service running on Windows Server. There are a number of posts in this blog showing how to use it
- OpenAM has both commercial and community offerings
- identityserver4 with the Rock Solid Knowledge SAML stack. There are a number of posts in this blog showing how to use it
- Keycloak is open source and can act as a SAML IDP
- A web application running on IIS using one of the products below
- A web application running on IIS running SimpleSAMLphp
Of course, once you have the application up and running, you could deploy this to the cloud.
Products
A number of the SAML client stacks come with an IDP you can use for testing.
There are a number of posts in this blog for ComponentSpace and Sustainsys.
IDP
I’ve put together a list below of all the IDPs that I could find.
Typically, to use these you need to exchange SAML metadata between the client and the IDP. This can be a problem if your client cannot generate metadata on the fly or import metadata.
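The metadata exchange in practice, as an added example (not code from the original post or from any of the products listed): the SP side generates the minimal SPSSODescriptor the IDP admin needs (entityID, Assertion Consumer Service URL, and a signing certificate only if the SP really signs its requests), and the same script pulls the SSO endpoint and the signing certificate out of the IDP's metadata. The hosts under example.test are placeholders, and SAMPLE_IDP_METADATA is constructed for this example with a placeholder certificate.

```python
"""Generate minimal SP metadata and read what an SP needs from IDP metadata.

Added example, not code from the original post. Hosts (example.test) are
placeholders and SAMPLE_IDP_METADATA is constructed for this example.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(entity_id, acs_url, signing_cert_b64=None):
    """Return the metadata XML an SP hands to the IDP admin.

    WantAssertionsSigned=true tells the IDP we will reject unsigned assertions.
    A signing KeyDescriptor is emitted only when the SP really signs requests.
    """
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true" if signing_cert_b64 else "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": PROTO,
    })
    if signing_cert_b64:
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints and signing certificates from IDP metadata.

    The certificates are what the SP must pin for signature checks; trusting
    whatever certificate arrives inside a SAMLResponse defeats the signature.
    """
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IDP")
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": []}
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        info["sso"][svc.get("Binding")] = svc.get("Location")
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                info["signing_certs"].append("".join(cert.text.split()))
    if not (info["sso"].get(HTTP_REDIRECT) or info["sso"].get(HTTP_POST)):
        raise ValueError("IDP publishes no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if not info["signing_certs"]:
        raise ValueError("IDP metadata carries no signing certificate")
    return info


# Constructed stand-in for what a real IDP publishes (certificate is a placeholder).
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="{PROTO}">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
        MIIBplaceholder==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(build_sp_metadata("https://sp.example.test/saml", "https://sp.example.test/saml/acs"))
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
```

If your client cannot produce metadata itself, the output of build_sp_metadata is the file you give the IDP admin; parse_idp_metadata refuses metadata that carries no signing certificate, because without one the SP cannot verify anything the IDP sends back.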
ADFS
You can use Claims X-Ray.
You create a Relying Party in ADFS following the instructions and can then send a SAML request.
Auth0
You can use Auth0 as an IDP.
You can run up a free instance to do your testing.
There are a number of posts in this blog showing how to use it.
Azure AD
Azure AD provides a SAML IDP using “Enterprise applications”.
You need to get a free Azure account.
There are a number of posts in this blog showing how to use it.
Azure AD B2C
There is a useful web application for this.
“The SAMLTEST web application is a DotNetCore2 SAML Identity Provider and Service Provider.
This application is designed to be used with Azure AD B2C for testing / training of SAML Policies”.
Refer to my posts for SP Initiated and IDP Initiated flows.
Gluu Server
You can use the Gluu server as a SAML IDP.
The community edition is free.
JumpCloud
This is a commercial offering that offers SAML 2.0 support as an IDP.
Their free package offers the full platform for 10 users and 10 devices.
mockSAML
A free SAML 2.0 Identity Provider for testing SAML SSO integrations.
miniOrange
I’ve seen some recommendations for this.
They only seem to have a 30-day free trial.
Okta
Okta can be used as a SAML IDP.
You can run up a free instance. This is valid for a month.
Ping Identity
Ping provides a SAML IDP.
You need to get a free developer account.
RSA Simple Test Provider
“This SP site is a SAML 2.0 Test provider. It does not implement the entire SAML 2.0 specifications but only as much as is needed to parse an incoming assertion and extract information out of it and display it.”
It handles IDP and SP Initiated flows.
For IDP Initiated, I used ADFS as the platform.
You can download the RSA metadata here. I used this to create an ADFS RP called “RSA SPTest”.
Then browse to:
https://my-adfs/adfs/ls/idpinitiatedsignon.htm
Authenticate on ADFS, then select the RSA SPTest RP and click “Sign In”.
You should see the “Hello” screen, which displays the SAML parameters and attributes.
For SP Initiated, you upload the ADFS metadata file located at:
https://my-adfs/FederationMetadata/2007-06/FederationMetadata.xml
This then generates a URL for testing e.g.
https://sptest.iamshowcase.com/ixs?idp=8e9…094
When you browse to the URL, it sends an AuthnRequest to ADFS, you authenticate and are then redirected to the “Hello” screen as above.
It also has an “AuthN Request Wizard”.
This allows you to build up the SAML request parameter by parameter.
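What the SP-initiated test above actually sends, and what a request wizard or decode utility does with it, as an added example (not code from the original post or from the RSA test provider): build an AuthnRequest, encode it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) into the URL the browser is sent to, and decode such a URL back into its fields. Hosts under example.test are placeholders.

```python
"""Build a SAML 2.0 AuthnRequest and encode/decode it for the HTTP-Redirect binding.

Added example, not code from the original post or from the RSA test provider.
Hosts (example.test) are placeholders.
"""
import base64
import datetime
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Return AuthnRequest XML.

    ID must be an xs:ID (start with a letter or '_'); the SP has to remember it
    and compare it with InResponseTo on the response it gets back.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": HTTP_POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_url(sso_url, xml_text, relay_state=None):
    """The URL the browser is sent to (the IDP's HTTP-Redirect SSO endpoint)."""
    sep = "&" if "?" in sso_url else "?"
    return sso_url + sep + encode_redirect(xml_text, relay_state)


def decode_redirect(url_or_query):
    """Reverse the binding, as a decode utility does, and return the fields an IDP
    checks. Inflation is capped at 1 MiB so a tiny request cannot expand unbounded."""
    query = url_or_query.split("?", 1)[1] if "?" in url_or_query else url_or_query
    params = dict(urllib.parse.parse_qsl(query))
    raw = base64.b64decode(params["SAMLRequest"])
    xml_text = zlib.decompressobj(-15).decompress(raw, 1 << 20).decode("utf-8")
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = req.find(f"{{{SAML}}}Issuer")
    return {
        "id": req.get("ID"),
        "destination": req.get("Destination"),
        "acs_url": req.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "relay_state": params.get("RelayState"),
    }


if __name__ == "__main__":
    xml_text = build_authn_request("https://sp.example.test/saml",
                                   "https://sp.example.test/saml/acs",
                                   "https://idp.example.test/sso/redirect")
    url = redirect_url("https://idp.example.test/sso/redirect", xml_text, "state-1")
    print(url)
    print(decode_redirect(url))
```

The request here is unsigned, which is what most test IDPs accept by default; an IDP that requires signed requests expects a SigAlg and Signature query parameter computed over the encoded SAMLRequest, RelayState and SigAlg, which this example does not add.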
Salesforce
You can use Salesforce as a SAML IDP.
You need to sign up for a developer account.
saml-idp
This is a npm package that provides a simple SAML Identity Provider (IdP) to test SAML 2.0 Service Providers (SPs) with the SAML 2.0 Web Browser SSO Profile or the Single Logout Profile.
samlidp.io
This is a commercial service but if you don’t use it often, it will probably be free as long as you don’t hit the thresholds.
SAMLTest.ID
“SAMLtest is a free SAML 2.0 testing service. We use Shibboleth 3.x as our reference implementation, but you may use any SAML 2.0-compliant provider.
Our public providers’ logs are displayed so you can diagnose and fix issues with vision from both sides of the transaction.”
You need to upload your metadata, download theirs and then you can test your IDP / SP.
Samling
Note: As per comment:
“The Samling site has been shut down for quite a while. But some nice person grabbed the content before and provided a Docker image for it.”
Samling is a serverless SAML IdP for the purpose of testing any SAML SP endpoint. It supports AuthnRequest and LogoutRequest.
It provides complete control over the SAML response properties that will be sent back to the Service Provider, including simulating errors and the session cookie duration that tracks the logged-in user.
Generating a SAML Response requires the use of a private key and certificate for signing the SAML Assertion. SAMLING enables generating a random private/public key and saving it in the local storage so they are used in subsequent SAML responses.
It runs solely in the browser to simulate SAML responses returned from a SAML IdP — no registration, no servers, just a browser. You can control many aspects of the response — from success to various failures.
Simply set up the target URL for the SAML IdP to be https://capriza.github.io/samling/samling.html, and you’re done.
If there is a SAMLRequest query param present on the request, Samling will parse, extract and populate the relevant fields.
If you don’t want to use the online version, you can clone the samling repo and host it yourself — all you will need is a static file server.
Shibboleth
Shibboleth used to offer a publicly available SAML v2 SP and IdP.
Check the link to see if they have a new offering. At the moment, it’s in transition.
SSOCircle
To use SSOCircle, you need to register and login.
You also need to continually prove that you are not a robot and are subjected to adverts. These checks and adverts can be removed by upgrading to a paid account.
I tried this with ADFS.
In the “Manage Metadata” tab, click “Add new Service Provider”.
Enter the FQDN of the ADFS server. Mine is hosted in an Azure VM so:
my-adfs.eastus.cloudapp.azure.com
Copy / paste the ADFS metadata.
You then get “Error — An error occured. Reason:0007” (or 0006).
After some trial and error, you need to remove the “Signature” element, both “RoleDescriptor” elements and the “IDPSSODescriptor” element.
So you end up with:
<EntityDescriptor ID="_d42fe92c-27c8-4c11-ba40-379c5871d4b9" entityID="http://my-adfs/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
...
</SPSSODescriptor>
</EntityDescriptor>
You get the SSOCircle metadata from the link above for “SSOCircle Public IDP Metadata”.
When you try and import this into ADFS as a claims provider, you will get an error saying that some elements were ignored.
To fix this, you need to remove all SOAP bindings:
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
After creating the claims provider trust, set the hash algorithm in the wizard to “SHA-1”.
I called the claims provider “SSOCircle”.
So let’s try:
where spEntityID is the entityID of your ADFS.
You will get:
SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key
To fix this run:
Set-AdfsClaimsProviderTrust -TargetName "SSOCircle" -SigningCertificateRevocationCheck "None"
and you’ll see the ADFS IDPInitiated page.
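The two hand edits in the walk-through above (cutting the ADFS metadata down to its SP role for SSOCircle, and stripping the SOAP-bound endpoints from the SSOCircle metadata for ADFS) done by script, as an added example that is not code from the original post, from ADFS or from SSOCircle. The entity IDs and hosts are placeholders and both sample documents are constructed for this example; a real ADFS file is much larger but has the same top-level elements.

```python
"""Trim federation metadata so that two picky parties accept each other's XML.

Added example, not code from the original post. Entity IDs and hosts are
placeholders; SAMPLE_ADFS_METADATA and SAMPLE_IDP_METADATA are constructed.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def strip_adfs_metadata_for_sp_import(xml_text):
    """Keep only the SP role of an ADFS EntityDescriptor.

    Drops ds:Signature, the RoleDescriptor elements (WS-Federation roles) and
    IDPSSODescriptor. Without the Signature the receiving side can no longer
    verify where the document came from, so do this only for a test IDP.
    """
    root = ET.fromstring(xml_text)
    for tag in (f"{{{DS}}}Signature", f"{{{MD}}}RoleDescriptor", f"{{{MD}}}IDPSSODescriptor"):
        for el in root.findall(tag):
            root.remove(el)
    if root.find(f"{{{MD}}}SPSSODescriptor") is None:
        raise ValueError("nothing left: metadata had no SPSSODescriptor")
    return ET.tostring(root, encoding="unicode")


def strip_soap_bindings(xml_text):
    """Remove every endpoint whose Binding is SOAP (ArtifactResolutionService,
    SOAP SingleLogoutService, ...) so the browser-profile endpoints import cleanly."""
    root = ET.fromstring(xml_text)
    # Collect first, then remove: mutating the tree while iterating it is unsafe.
    doomed = [(parent, child) for parent in root.iter()
              for child in parent if child.get("Binding") == SOAP]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def bindings(xml_text):
    """Set of Binding URIs present in a metadata document, for checking results."""
    return {el.get("Binding") for el in ET.fromstring(xml_text).iter() if el.get("Binding")}


# Constructed, cut-down imitation of an ADFS FederationMetadata.xml.
SAMPLE_ADFS_METADATA = f"""<EntityDescriptor xmlns="{MD}" ID="_1" entityID="http://adfs.example.test/adfs/services/trust">
  <Signature xmlns="{DS}"><SignedInfo/><SignatureValue>placeholder</SignatureValue></Signature>
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls/" index="0"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed IDP metadata that mixes SOAP and browser bindings.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="{SOAP}" Location="https://idp.example.test/ars" index="0"/>
    <SingleLogoutService Binding="{SOAP}" Location="https://idp.example.test/slo/soap"/>
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/slo"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(strip_adfs_metadata_for_sp_import(SAMPLE_ADFS_METADATA))
    print(strip_soap_bindings(SAMPLE_IDP_METADATA))
```

Run the first function over the downloaded FederationMetadata.xml before pasting it into SSOCircle, and the second over the SSOCircle IDP metadata before importing it as a claims provider trust. Both functions rewrite the document, so if the file was signed the signature is no longer valid afterwards; that is acceptable for a throwaway test trust and nothing else.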
There are some tips and tricks here:
https://www.ssocircle.com/en/idp-tips-tricks/ssocircle-how-to/
And a decode utility here:
Samlify
Samlify is a Node.js SAML2 API.
“It has:
- Simple and active maintenance
- Includes Identity and Service Provider
- Highly configurable
This module provides a library for scaling Single Sign On implementation. Developers can easily configure the entities by importing the metadata.
It provides a simple interface that’s highly configurable”.
ZXIDP
ZXIDP provides a free SAML 2.0 IdP (Identity Provider) and ID-WSF 2.0 Discovery Services to the public. Any user or Service Provider can register for the self declared assurance level.
External SAML Tools
Just for completeness, there is a set of SAML tools here.
I hope that helps 😃
If I’ve missed any, feel free to add the product / project / utility in the comments and I’ll add it.
All good!