
The test environment is set up with several Docker containers with a reverse proxy in front of them, all hosted on a single virtual machine (VM).

The main domain is maiv1.incubator.geant.org, supplemented by the registered wildcard domain *.maiv1.incubator.geant.org, allowing for an unlimited number of subdomain virtual hosts.

Virtual host certificates are obtained using acme.sh, available at https://github.com/acmesh-official/acme.sh

The Git repository for the entire setup is internally available here (expect significant changes during Incubator activity): https://gitlab.software.geant.org/TI_Incubator/saml-signature-validation-test-env

Test IdP

The test IdP is a SimpleSAMLphp v2.1 instance with a configured IdP and the 'conformance' module (an authentication processing filter) installed, which can modify SAML Responses sent to trusted SPs; trust is pre-configured for several test SPs.

IdP metadata: https://conformance-idp.maiv1.incubator.geant.org/module.php/saml/idp/metadata

Admin dashboard: https://conformance-idp.maiv1.incubator.geant.org/module.php/admin/

Conformance module repo: https://github.com/cicnavi/simplesamlphp-module-conformance

Trusted SP metadata handling

The test IdP is configured with the PDO metadata storage handler (so it can store SP metadata in a database) in addition to plain PHP metadata files.

The conformance module exposes an HTML form which can be used to manually add SP metadata, either by pasting the SP metadata XML or by uploading the metadata XML file.

The UI form is available here: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/add

In addition, there is an endpoint which can be used to provision SP metadata dynamically (described below).

Available endpoints

Test modification

Endpoint to define the next test for a particular SP.

URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/test/setup

HTTP method: GET

Parameters:

  • testId
    • valid values: standardResponse | noSignature | invalidSignature
    • example: noSignature
  • spEntityId
    • valid values: any trusted SP Entity ID
    • example: urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp


For example, to specify that the next test for the SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp' should be the one that doesn't sign the SAML Response:

https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/test/setup?testId=noSignature&spEntityId=urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp

SP metadata provisioning

Endpoint to provision SP metadata which will be trusted by the Test IdP.

URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/persist

HTTP method: POST

Parameters:

IdP Initiated Login

IdP initiated login can be performed as per SimpleSAMLphp documentation: https://simplesamlphp.org/docs/2.1/simplesamlphp-idp-more.html

Sample URI to initiate login to SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp':

https://conformance-idp.maiv1.incubator.geant.org/saml2/idp/SSOService.php?spentityid=urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp
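The two endpoints above (test selection, then IdP-initiated login) form one test cycle per SP. The following added example, which is not part of the original page or the conformance module, builds those URLs and scores an SP against the expected outcome of each test; the `observe` callable that actually drives the browser is an assumption and is replaced by an offline simulation here.

```python
from urllib.parse import urlencode

IDP_BASE = "https://conformance-idp.maiv1.incubator.geant.org"
TEST_IDS = ("standardResponse", "noSignature", "invalidSignature")
GOOD_SP = "urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp"


def setup_url(test_id: str, sp_entity_id: str) -> str:
    """URL that tells the test IdP which test to run next for the given SP."""
    if test_id not in TEST_IDS:
        raise ValueError(f"unknown testId {test_id!r}; expected one of {TEST_IDS}")
    # safe=":" keeps the URN readable, matching the URL shown on this page
    query = urlencode({"testId": test_id, "spEntityId": sp_entity_id}, safe=":")
    return f"{IDP_BASE}/module.php/conformance/test/setup?{query}"


def login_url(sp_entity_id: str) -> str:
    """IdP-initiated login URL that makes the IdP send the prepared response."""
    query = urlencode({"spentityid": sp_entity_id}, safe=":")
    return f"{IDP_BASE}/saml2/idp/SSOService.php?{query}"


def expected_outcome(test_id: str) -> str:
    """A conforming SP accepts only the properly signed standard response."""
    return "accept" if test_id == "standardResponse" else "reject"


def run_matrix(sp_entity_id: str, observe) -> dict:
    """Run every test against one SP and return {testId: "PASS" | "FAIL"}.

    `observe(setup, login)` is a caller-supplied callable (assumed here, not
    provided by the module) that requests the two URLs, completes the login
    and returns True if the SP accepted the SAML Response.
    """
    results = {}
    for test_id in TEST_IDS:
        accepted = observe(setup_url(test_id, sp_entity_id), login_url(sp_entity_id))
        observed = "accept" if accepted else "reject"
        results[test_id] = "PASS" if observed == expected_outcome(test_id) else "FAIL"
    return results


def simulated_sp(checks_signature: bool):
    """Offline stand-in for observe(): models a good SP that rejects every
    response except the signed one, or a bad SP that accepts everything."""
    def observe(setup: str, login: str) -> bool:
        if not checks_signature:
            return True
        return "testId=standardResponse" in setup
    return observe
```

A bad SP shows up as FAIL on noSignature and invalidSignature, which is exactly the signature-validation gap the environment exists to surface.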

Sample SPs and Related Apps

SimpleSAMLphp

The SimpleSAMLphp v2.1 instance hosting the SPs listed below carries a code modification that skips signature checks for the 'bad' SP, for simulation purposes.

Admin dashboard: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/admin/

List of apps: https://simplesamlphp-sp.maiv1.incubator.geant.org/

Good SP / App

Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/good-sp

App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-good-ssp-sp/

Bad SP / App

Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/bad-sp

App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-bad-ssp-sp/

KeyCloak

Instance with a 'conformance' realm containing two SPs with different signature-checking configurations, available here: https://keycloak.maiv1.incubator.geant.org/

Authentication on either SP can be initiated by going to https://keycloak.maiv1.incubator.geant.org/realms/conformance/account > Personal info, then clicking the appropriate IdP / SP in the "Or sign in with" section (choose the good or the bad SP).

Settings

Good SP: https://keycloak.maiv1.incubator.geant.org/admin/master/console/#/conformance/identity-providers/saml/geant-incubator-conformance-idp-with-good-sp/settings

Bad SP: https://keycloak.maiv1.incubator.geant.org/admin/master/console/#/conformance/identity-providers/saml/geant-incubator-conformance-idp-with-bad-sp/settings

Shibboleth

Two different Shibboleth v3 SPs run as Docker container instances: one acts as a good SP (checks the signature), and one as a bad SP which has the signature check disabled using the NullSecurity rule and with the XMLSigning rule set to false (both rules are documented on the Shibboleth Service Provider 3 wiki).

Good SP / App

Metadata: https://shibb-good-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata

App: https://shibb-good-sp.maiv1.incubator.geant.org/

Bad SP / App

Metadata: https://shibb-bad-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata

App: https://shibb-bad-sp.maiv1.incubator.geant.org/
