The test environment is set up with several Docker containers with a reverse proxy in front of them, all hosted on a single virtual machine (VM).
The main domain is maiv1.incubator.geant.org, together with a wildcard entry for *.maiv1.incubator.geant.org, so any number of subdomain virtual hosts can be added without further DNS changes.
Virtual host certificates are obtained with acme.sh (https://github.com/acmesh-official/acme.sh).
The Git repository for the entire setup is internally available here (expect significant changes during Incubator activity): https://gitlab.software.geant.org/TI_Incubator/saml-signature-validation-test-env
Test IdP
The test IdP is a SimpleSAMLphp v2.1 instance with an IdP configured and the 'conformance' module installed. The module is an authentication processing filter that can modify the SAML Responses sent to trusted SPs (for example, leave them unsigned or break the signature); trust is pre-configured for several test SPs.
IdP metadata: https://conformance-idp.maiv1.incubator.geant.org/module.php/saml/idp/metadata
Admin dashboard: https://conformance-idp.maiv1.incubator.geant.org/module.php/admin/
Conformance module repo: https://github.com/cicnavi/simplesamlphp-module-conformance
Trusted SP metadata handling
The test IdP is configured with the PDO metadata storage handler (SP metadata kept in a database) in addition to the plain PHP metadata files.
The conformance module exposes an HTML form for manually adding SP metadata, either by pasting the SP metadata XML or by uploading the metadata XML file.
The UI form is available here: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/add
There is also an endpoint for provisioning SP metadata programmatically (described below).
Available endpoints
Test modification
Endpoint that defines the next test the IdP will run for a particular SP (the setting applies to the next SAML Response sent to that SP).
URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/test/setup
HTTP method: GET
Parameters:
- testId
- valid values: standardResponse | noSignature | invalidSignature
- example: noSignature
- spEntityId
- valid values: any trusted SP Entity ID
- example: urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp
For example, to specify that the next test for the SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp' should be the one that doesn't sign the SAML Response:
SP metadata provisioning
Endpoint to provision SP metadata that the test IdP will then trust.
URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/persist
HTTP method: POST
Parameters:
- xmlData - optional (mandatory if xmlFile not provided)
- valid values: SAML2 SP metadata XML string
- example: <?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/saml2-logout.php/good-sp"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/saml2-acs.php/good-sp" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/saml2-acs.php/good-sp" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
- xmlFile - optional (mandatory if xmlData not provided)
- valid values: SAML2 SP metadata XML file (uploaded as a file)
- example: default-sp
IdP Initiated Login
IdP initiated login can be performed as per SimpleSAMLphp documentation: https://simplesamlphp.org/docs/2.1/simplesamlphp-idp-more.html
Sample URI to initiate login to SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp':
Sample SPs and Related Apps
SimpleSAMLphp
A SimpleSAMLphp v2.1 instance hosting the SPs listed below. It carries a code modification that skips signature checks for the 'bad' SP, so that a vulnerable SP can be simulated alongside a correctly behaving one.
Admin dashboard: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/admin/
List of apps: https://simplesamlphp-sp.maiv1.incubator.geant.org/
Good SP / App
Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/good-sp
App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-good-ssp-sp/
Bad SP / App
Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/bad-sp
App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-bad-ssp-sp/
KeyCloak
A Keycloak instance with a 'conformance' realm containing two SP configurations that differ in whether SAML signatures are validated, available here: https://keycloak.maiv1.incubator.geant.org/
Authentication through either SP can be initiated by going to https://keycloak.maiv1.incubator.geant.org/realms/conformance/account > Personal info and clicking the appropriate IdP / SP in the "Or sign in with" section (choose the good or the bad SP).
Settings
Shibboleth
TODO