Conformance IdP
The Conformance IdP is a SimpleSAMLphp v2.1 SAML2 IdP instance with:
- a default authentication source which automatically authenticates a sample (dummy) user
- the Conformance module installed, which provides:
  - an authentication processing filter that can modify SAML Responses, that is, create invalid ones in order to test SP behavior
  - the ability to run Nuclei tests from the module UI
  - the ability to ask SP contacts for consent before running tests on their SP
  - an API which enables programmatic control and execution of tests
IdP metadata: https://conformance-idp.maiv1.incubator.geant.org/module.php/saml/idp/metadata
Admin dashboard: https://conformance-idp.maiv1.incubator.geant.org/module.php/admin/
Conformance module UI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/nuclei/test/setup
Conformance module repo: https://github.com/cicnavi/simplesamlphp-module-conformance
SP metadata handling
The Conformance IdP is configured with the PDO metadata storage handler (it can use a database to store SP metadata) in addition to plain PHP metadata files.
Conformance module exposes an HTML form which can be used to manually add additional SP metadata, either by pasting the SP metadata XML or by uploading the metadata XML file.
The UI form is available here: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/add
Also, there is an API endpoint which can be used to provision SP metadata dynamically (described below).
API endpoints
API endpoints are protected with an Authorization Bearer token. In order to access the API, you must provide the token in the HTTP request in the Authorization header, using the Bearer scheme. For example:
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer sometoken
Test modification
Endpoint that defines the next test for a particular SP.
URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/test/setup
HTTP method: GET
Parameters:
- testId
  - valid values: standardResponse | noSignature | invalidSignature
  - example: noSignature
- spEntityId
  - valid values: any trusted SP Entity ID
  - example: urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp
For example, to specify that the next test for the SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp' should be the one that doesn't sign the SAML Response:
SP metadata provisioning
Endpoint to provision SP metadata which will be trusted by the Conformance IdP.
URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/persist
HTTP method: POST
Parameters:
- xmlData - optional (mandatory if xmlFile not provided)
  - valid values: SAML2 SP metadata XML string
  - example:
    <?xml version="1.0" encoding="utf-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/saml2-logout.php/good-sp"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/saml2-acs.php/good-sp" index="0"/>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/saml2-acs.php/good-sp" index="1"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
- xmlFile - optional (mandatory if xmlData not provided)
  - valid values: SAML SP XML metadata file
  - example: default-sp
IdP Initiated Login
IdP initiated login can be performed as per SimpleSAMLphp documentation: https://simplesamlphp.org/docs/2.1/simplesamlphp-idp-more.html
Sample URI to initiate login to SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp':
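As an added example (not code from the Conformance module or from this environment), the following Python client wraps the two API endpoints described above (test setup and SP metadata provisioning) and builds the IdP-initiated login URL. It assumes the standard-library urllib, a placeholder API token, and that the IdP-initiated login endpoint is module.php/saml/idp/singleSignOnService with a spentityid query parameter, as in the SimpleSAMLphp 2.x documentation linked above; that path is an assumption here, not something this page states, so verify it against the documentation. The client rejects unknown testId values before sending, so a typo cannot silently fall back to the default (standard) response.

```python
"""Minimal client for the Conformance IdP API.

Added example, not the Conformance module's own code. Assumptions (not from
the page): urllib is used for HTTP, API_TOKEN is a placeholder, and the
IdP-initiated login path follows the SimpleSAMLphp 2.x saml module layout.
"""
import urllib.parse
import urllib.request

IDP_BASE = "https://conformance-idp.maiv1.incubator.geant.org"
# Placeholder: replace with the token issued for the Conformance API.
API_TOKEN = "REPLACE_WITH_API_TOKEN"

# Test identifiers the page lists as valid for the test/setup endpoint.
VALID_TEST_IDS = ("standardResponse", "noSignature", "invalidSignature")


def _authorized(req: urllib.request.Request, token: str) -> urllib.request.Request:
    """Attach the Bearer token every API endpoint requires."""
    req.add_header("Authorization", f"Bearer {token}")
    return req


def build_test_setup_request(test_id: str, sp_entity_id: str,
                             token: str = API_TOKEN,
                             base: str = IDP_BASE) -> urllib.request.Request:
    """GET .../conformance/test/setup?testId=...&spEntityId=...

    The SP entity ID is URL-encoded, so URN colons are sent as %3A.
    """
    if test_id not in VALID_TEST_IDS:
        raise ValueError(f"unknown testId {test_id!r}; expected one of {VALID_TEST_IDS}")
    query = urllib.parse.urlencode({"testId": test_id, "spEntityId": sp_entity_id})
    url = f"{base}/module.php/conformance/test/setup?{query}"
    return _authorized(urllib.request.Request(url, method="GET"), token)


def build_metadata_persist_request(xml_data: str, token: str = API_TOKEN,
                                   base: str = IDP_BASE) -> urllib.request.Request:
    """POST .../conformance/metadata/persist with the xmlData form field."""
    if "EntityDescriptor" not in xml_data:
        raise ValueError("xmlData does not look like SAML2 entity metadata")
    body = urllib.parse.urlencode({"xmlData": xml_data}).encode()
    req = urllib.request.Request(f"{base}/module.php/conformance/metadata/persist",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return _authorized(req, token)


def idp_initiated_login_url(sp_entity_id: str, base: str = IDP_BASE) -> str:
    """IdP-initiated login URL (assumed SimpleSAMLphp 2.x endpoint, see module docstring)."""
    query = urllib.parse.urlencode({"spentityid": sp_entity_id})
    return f"{base}/module.php/saml/idp/singleSignOnService?{query}"


def send(req: urllib.request.Request, timeout: float = 10.0) -> "tuple[int, str]":
    """Execute a prepared request; returns (status, body). Needs network access."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    GOOD_SP = "urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp"
    # Schedule the unsigned-Response test for the good SP (not sent here; call send(req) to run it).
    req = build_test_setup_request("noSignature", GOOD_SP)
    print(req.get_method(), req.full_url)
    print("IdP-initiated login:", idp_initiated_login_url(GOOD_SP))
```

After scheduling a test with build_test_setup_request, the next login to that SP (for example via the IdP-initiated URL) carries the modified Response, and the SP's behaviour on it is what is under test; a conformant SP is expected to reject an unsigned or badly signed Response.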
SP Consents
The Conformance module has the ability to ask SP contacts for consent before running tests against their SP.
For testing / demo purposes, this environment has a dummy SMTP server which catches all outgoing consent-invitation emails (emails will not actually be sent to SP contacts).
All emails will be available for inspection at: https://mailbox.maiv1.incubator.geant.org/
Sample SPs and Related Apps
SimpleSAMLphp
A SimpleSAMLphp v2.1 instance hosting the SPs listed below; it carries a code modification that skips signature checks for the 'bad' SPs, for simulation purposes.
Admin dashboard: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/admin/
List of apps: https://simplesamlphp-sp.maiv1.incubator.geant.org/
Good SP / App
Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/good-sp
App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-good-ssp-sp/
Bad SP / App
Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/bad-sp
App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-bad-ssp-sp/
Keycloak
A Keycloak instance with a 'conformance' realm containing two SPs with different signature-checking configurations, available here: https://keycloak.maiv1.incubator.geant.org/
Authentication on either SP can be initiated by going to https://keycloak.maiv1.incubator.geant.org/realms/conformance/account > Personal info and clicking the appropriate IdP / SP in the "Or sign in with" section (choose the good or the bad SP).
Shibboleth
Two different Shibboleth v3 SPs running as Docker container instances: one acting as a good SP (checks signatures), and one as a bad SP with signature checking disabled via the NullSecurity rule and the XMLSigning rule set to false (both rules are documented in the Shibboleth Service Provider 3 wiki).
Good SP / App
Metadata: https://shibb-good-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata
App: https://shibb-good-sp.maiv1.incubator.geant.org/
Bad SP / App
Metadata: https://shibb-bad-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata