
Conformance IdP

The Conformance IdP is a SimpleSAMLphp v2.1 SAML2 IdP instance with:

  • default authentication source which automatically authenticates a sample (dummy) user
  • Conformance module installed which provides
    • authentication processing filter that can modify SAML Responses, that is, create invalid ones in order to test SP behavior
    • ability to run Nuclei tests from the module UI
    • ability to ask SP contacts for consent for running tests on SP
    • API which enables programmatic control and execution of tests

IdP metadata: https://conformance-idp.maiv1.incubator.geant.org/module.php/saml/idp/metadata

Admin dashboard: https://conformance-idp.maiv1.incubator.geant.org/module.php/admin/

Conformance module UI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/nuclei/test/setup

Conformance module repo: https://github.com/cicnavi/simplesamlphp-module-conformance

SP metadata handling

The Conformance IdP is configured with the PDO metadata storage handler (so SP metadata can be stored in a database) in addition to plain PHP metadata files.

The Conformance module exposes an HTML form which can be used to manually add additional SP metadata, either by pasting the SP metadata XML or by uploading the metadata XML file.

The UI form is available here: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/add

Also, there is an API endpoint which can be used to provision SP metadata dynamically (described below).

API endpoints

API endpoints are protected with a bearer token. To access the API, send the token in the Authorization header of the HTTP request using the Bearer scheme. For example:

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer sometoken

Test modification

Endpoint to define the next test for a particular SP.

URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/test/setup

HTTP method: GET

Parameters:

  • testId
    • valid values: standardResponse | noSignature | invalidSignature
    • example: noSignature
  • spEntityId
    • valid values: any trusted SP Entity ID
    • example: urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp

For example, to specify that the next test for the SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp' should be the one that doesn't sign the SAML Response:

https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/test/setup?testId=noSignature&spEntityId=urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp
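A small client for this endpoint, added here as an example (it is not part of the Conformance module): it validates testId against the documented values, percent-encodes the SP entity ID, sets the Bearer header, and also builds the IdP-initiated login URL (see the IdP Initiated Login section) that delivers the configured SAML Response to the SP under test. The token value is a placeholder; the real token is issued by the IdP operator.

```python
"""Minimal client for the Conformance IdP test-setup API (added example)."""
from urllib.parse import urlencode
import urllib.request

IDP_BASE = "https://conformance-idp.maiv1.incubator.geant.org"
TEST_SETUP_PATH = "/module.php/conformance/test/setup"
SSO_PATH = "/saml2/idp/SSOService.php"
# Valid testId values as documented on this page.
VALID_TEST_IDS = ("standardResponse", "noSignature", "invalidSignature")


def build_test_setup_request(test_id, sp_entity_id, token, base=IDP_BASE):
    """Return (url, headers) for the GET that schedules the next test for an SP.

    `token` is a placeholder here; the real value comes from the IdP operator.
    """
    if test_id not in VALID_TEST_IDS:
        raise ValueError(f"unknown testId {test_id!r}; expected one of {VALID_TEST_IDS}")
    if not sp_entity_id or not token:
        raise ValueError("spEntityId and bearer token are required")
    # urlencode percent-encodes the entity ID (colons etc.) so it survives the query string.
    query = urlencode({"testId": test_id, "spEntityId": sp_entity_id})
    url = f"{base}{TEST_SETUP_PATH}?{query}"
    headers = {"Authorization": f"Bearer {token}"}
    return url, headers


def build_idp_initiated_login_url(sp_entity_id, base=IDP_BASE):
    """URL that makes the IdP send the (possibly modified) SAML Response to the SP."""
    return f"{base}{SSO_PATH}?{urlencode({'spentityid': sp_entity_id})}"


def send(url, headers, timeout=10):
    """Perform the GET against the IdP; returns (status, body). Needs network access."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    sp = "urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp"
    setup_url, hdrs = build_test_setup_request("noSignature", sp, "REPLACE_WITH_TOKEN")
    print(setup_url)            # schedule the unsigned-response test (requires a valid token)
    print(build_idp_initiated_login_url(sp))  # then open this to run it against the SP
```

After scheduling the test, the good SP should reject the unsigned response; the bad SP, which skips signature checks, will accept it.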

SP metadata provisioning

Endpoint to provision SP metadata that will be trusted by the Conformance IdP.

URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/persist

HTTP method: POST

Parameters:


IdP Initiated Login

IdP initiated login can be performed as per SimpleSAMLphp documentation: https://simplesamlphp.org/docs/2.1/simplesamlphp-idp-more.html

Sample URI to initiate login to SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp':

https://conformance-idp.maiv1.incubator.geant.org/saml2/idp/SSOService.php?spentityid=urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp

SP Consents

The Conformance module can ask SP contacts for consent before running tests on their SP.

For testing / demo purposes, a dummy SMTP server is provisioned in this environment that catches all outgoing consent invitation emails (emails are not actually delivered to SP contacts).

All emails will be available for inspection at: https://mailbox.maiv1.incubator.geant.org/

Sample SPs and Related Apps

SimpleSAMLphp

A SimpleSAMLphp v2.1 instance with the SPs listed below configured. It carries a code modification that skips signature checks for the 'bad' SP, so that a non-conformant SP can be simulated.

Admin dashboard: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/admin/

List of apps: https://simplesamlphp-sp.maiv1.incubator.geant.org/

Good SP / App

Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/good-sp

App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-good-ssp-sp/

Bad SP / App

Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/bad-sp

App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-bad-ssp-sp/

KeyCloak

Instance with a 'conformance' realm containing two SPs with different signature-checking configurations, available here: https://keycloak.maiv1.incubator.geant.org/

Authentication via either SP can be initiated by going to https://keycloak.maiv1.incubator.geant.org/realms/conformance/account > Personal info > and clicking the appropriate IdP / SP in the "Or sign in with" section (choose good or bad SP).

Settings

Good SP: https://keycloak.maiv1.incubator.geant.org/admin/master/console/#/conformance/identity-providers/saml/geant-incubator-conformance-idp-with-good-sp/settings

Bad SP: https://keycloak.maiv1.incubator.geant.org/admin/master/console/#/conformance/identity-providers/saml/geant-incubator-conformance-idp-with-bad-sp/settings

Shibboleth

Two different Shibboleth v3 SPs running as Docker container instances: one acting as a good SP (checks the signature), and one as a bad SP which has the signature check disabled using the NullSecurity rule, with the XMLSigning rule set to false.

Good SP / App

Metadata: https://shibb-good-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata

App: https://shibb-good-sp.maiv1.incubator.geant.org/

Bad SP / App

Metadata: https://shibb-bad-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata

App: https://shibb-bad-sp.maiv1.incubator.geant.org/
