How do I set up a local test SAML2.0 Identity Provider?
As a Service Provider (SP) I have written a node.js service to process SAML2.0 Assertions. I would now like to test this code.

I am aware that I can use various cloud-based services to act as my test Identity Provider (IdP); however, these require that my new, untested SP end-points be made public.

Currently I am simply POSTing a hand-crafted SAML2.0 Assertion to my SP end-point but I want a more realistic test, especially the ability to test SP initiated SSO.

Therefore I believe I need to have a local IdP running on my development machine so I can, for now, keep all my testing local and sand-boxed.

Can you recommend a way forward for me?

Lapin answered 16/7, 2014 at 10:54
You actually do not need to publish your endpoints in order to be able to use a public IDP.

All communication between the SP and IDP is either done through your browser (which of course needs to be able to access both your local SP and public IDP), or your SP calls the IDP (when using the HTTP-Artifact profile). But in usual situations the IDP never directly calls the SP, which means that the SP can be running locally without a publicly accessible URL.

One of the public IDPs which can be configured in this way is SSO Circle.

In case you would still like to run an IDP locally, Shibboleth is probably your easiest bet.

Seawright answered 16/7, 2014 at 14:1
Comment from Lapin: Thank you for the crucial observation that my SP end-point does not need to be public. As recommended I will use Shibboleth. I have decided to try TestShib.
Comment from Kenyatta: What about single logout, where the IDP calls all SPs to inform them about the logout?
There is an open IdP that will reply to any AuthnRequest, available for free at https://stubidp.sustainsys.com. It will allow you to set the Subject NameId you want in a simple form and then reply back to the SP. If you want to set up your own instance, the source of the stubidp is available at https://github.com/Sustainsys/Saml2.

Disclosure notice: I'm the author of the stubidp, but I won't make any money out of anyone using it; it's provided entirely as a free service.

Ackerley answered 17/7, 2014 at 21:1
Comment from Lapin: This has proved very useful and easy to use, far easier than setting up a test IdP in the cloud or installing software locally. Thanks for providing it.
Comment from Lapin: Would it be possible to provide your public key data inside a <ds:Signature> element within the <saml2:Assertion> element? This is the structure expected by the saml20 nodejs module I am using to validate the SAMLResponse. Thanks.
Comment from Kenyatta: Could you please add an option to ignore the RelayState 80 character limit?
Another option is https://github.com/mcguinness/saml-idp. It's straightforward and quick to set up for local testing (it's a node server). I successfully used it to implement some full end-to-end SAML SSO tests using Cypress.

We have a .net core app, and I basically just run node server.js on startup if running in the development environment. I redirect the output of the node server to our .net core web app's output, so we can see the SAML requests/responses right alongside our app's logs. Works really well.

Chiro answered 1/5, 2019 at 19:14
Agree with Shibboleth - others are SimpleSAMLphp and (if you have Windows Server) perhaps ADFS.

If you go the cloud route, Azure Active Directory is another option, although it currently only supports SP-initiated SSO.

Yorgo answered 16/7, 2014 at 19:39