The Conformance IdP is a SimpleSAMLphp v2.1 SAML2 IdP instance with:
IdP metadata: https://conformance-idp.maiv1.incubator.geant.org/module.php/saml/idp/metadata
Admin dashboard: https://conformance-idp.maiv1.incubator.geant.org/module.php/admin/
Conformance module UI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/nuclei/test/setup
Conformance module repo: https://github.com/cicnavi/simplesamlphp-module-conformance
The Conformance IdP is configured with the PDO metadata storage handler (it can use a database to store SP metadata) in addition to plain PHP metadata files.
The Conformance module exposes an HTML form for manually adding SP metadata, either by pasting the SP metadata XML or by uploading the metadata XML file.
The UI form is available here: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/add
There is also an API endpoint for provisioning SP metadata dynamically (described below).
API endpoints are protected with an Authorization Bearer token. To access the API, you must send the token in the Authorization header of the HTTP request, using the Bearer scheme. For example:
GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer sometoken
Endpoint to define the next test for a particular SP.
URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/test/setup
HTTP method: GET
Parameters:
For example, to specify that the next test for the SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp' should be the one that doesn't sign the SAML Response:
Endpoint to provision SP metadata which will be trusted by the Conformance IdP.
URI: https://conformance-idp.maiv1.incubator.geant.org/module.php/conformance/metadata/persist
HTTP method: POST
Parameters:
IdP-initiated login can be performed as described in the SimpleSAMLphp documentation: https://simplesamlphp.org/docs/2.1/simplesamlphp-idp-more.html
Sample URI to initiate login to SP 'urn:x-simplesamlphp:geant:incubator:simplesamlphp-sp:good-sp':
A SimpleSAMLphp v2.1 instance with the SPs listed below configured. It carries a code modification that skips signature checks for the 'bad' SP, for simulation purposes.
Admin dashboard: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/admin/
List of apps: https://simplesamlphp-sp.maiv1.incubator.geant.org/
Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/good-sp
App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-good-ssp-sp/
Metadata: https://simplesamlphp-sp.maiv1.incubator.geant.org/simplesaml/module.php/saml/sp/metadata/bad-sp
App: https://simplesamlphp-sp.maiv1.incubator.geant.org/php-app-bad-ssp-sp/
A Keycloak instance with a 'conformance' realm containing two SPs with different signature-checking configurations, available here: https://keycloak.maiv1.incubator.geant.org/
Authentication on either SP can be initiated by going to https://keycloak.maiv1.incubator.geant.org/realms/conformance/account > Personal info > clicking the appropriate IdP / SP in the "Or sign in with" section (choose the good or the bad SP).
Two different Shibboleth v3 SPs as Docker container instances: one acting as a good SP (checks the signature), and one as a bad SP which has the signature check disabled by using the Shibboleth SP 3 NullSecurity rule and setting the XMLSigning rule to false.
Metadata: https://shibb-good-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata
App: https://shibb-good-sp.maiv1.incubator.geant.org/
Metadata: https://shibb-bad-sp.maiv1.incubator.geant.org/Shibboleth.sso/Metadata
App: https://shibb-bad-sp.maiv1.incubator.geant.org/
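As an added example (it is not part of this page, nor code from SimpleSAMLphp, Keycloak, Shibboleth or the Conformance module), the following Python script shows the kind of check the 'good' SPs above perform before trusting a SAML Response, and that the 'bad' SPs have disabled: it parses a samlp:Response and verifies that the Response, or every Assertion in it, carries an enveloped XML Signature whose Reference URI points at that element's own ID. It is a structural check only, using the standard library; it does not verify signature values cryptographically. The sample responses, IDs and issuer URL are constructed inline, and the 'accept' policy (at least one signature over the Response or all Assertions) is an assumption of this example, not the configured policy of any SP listed above.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol/assertion elements and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_covers(element):
    """Structural check: does `element` carry an enveloped ds:Signature whose
    Reference URI is '#<ID of element>'?  A verifying SP has to bind the
    signature to the element it is about to trust; a signature that references
    some other ID says nothing about this element.  No cryptography here."""
    elem_id = element.get("ID")
    if not elem_id:
        return False
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return any(ref.get("URI") == "#" + elem_id for ref in refs)


def check_response(xml_text):
    """Classify a samlp:Response the way a 'good' SP does before accepting it.
    Returns per-element results and an 'accept' verdict (assumed policy: the
    Response or every Assertion must be covered by a signature).  A 'bad' SP
    as simulated on this page skips this step entirely."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    response_signed = signature_covers(root)
    assertion_signed = bool(assertions) and all(signature_covers(a) for a in assertions)
    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        "accept": response_signed or assertion_signed,
    }


# --- constructed sample messages (not captured from the test environment) ---

def _signature(target_id):
    """Constructed ds:Signature skeleton with one Reference; the SignatureValue
    is a placeholder, not a real signature."""
    template = (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
        "</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>"
        "</ds:Signature>"
    )
    return template % (NS["ds"], target_id)


def _response(response_id, assertion_id, response_sig="", assertion_sig=""):
    """Constructed minimal Response; real ones also carry Status, Subject,
    Conditions and so on, which do not matter for this check."""
    issuer = "<saml:Issuer>https://idp.example/metadata</saml:Issuer>"
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0">'
        % (NS["samlp"], NS["saml"], response_id)
        + issuer + response_sig
        + '<saml:Assertion ID="%s" Version="2.0">' % assertion_id
        + issuer + assertion_sig
        + "</saml:Assertion></samlp:Response>"
    )


UNSIGNED = _response("_r1", "_a1")
RESPONSE_SIGNED = _response("_r2", "_a2", response_sig=_signature("_r2"))
ASSERTION_SIGNED = _response("_r3", "_a3", assertion_sig=_signature("_a3"))
# A Signature element is present, but its Reference points at some other ID.
DANGLING_REFERENCE = _response("_r4", "_a4", response_sig=_signature("_elsewhere"))


if __name__ == "__main__":
    samples = [("unsigned", UNSIGNED), ("response signed", RESPONSE_SIGNED),
               ("assertion signed", ASSERTION_SIGNED),
               ("dangling reference", DANGLING_REFERENCE)]
    for name, doc in samples:
        print(name, check_response(doc))
```

The dangling-reference sample is the case worth keeping in mind when reading a conformance result: an SP that only tests for the presence of a ds:Signature element, rather than binding it to the ID of the element it trusts, behaves like the 'bad' SPs here even though a signature is visibly in the message. A production SP additionally verifies the SignatureValue against the IdP's metadata certificate, which this script deliberately leaves out.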