Can you recommend a SAML 2.0 Identity Provider for test?

StackOverflow https://stackoverflow.com/questions/1125915

  •  13-09-2019
  •  | 
  •  

Question

I'm implementing a SAML 2.0 Service Provider and need to install a SAML 2.0 Identity Provider for testing. Given this need, the Identity Provider should ideally be free (or have a trial period) and be easy to set up and configure.

I'm looking for basic single sign on and single log out functionality.

I've tried Sun Opensso Enterprise. The price is right, but so far it's been a nightmare to configure. Also, its error messaging and logging leaves a lot to be desired and I'm often troubleshooting an issue that basically boils down to a misconfiguration or a counterintuitive default setting.

Was it helpful?

Solution

What problems are you having configuring OpenSSO? I found OpenSSO to be the easiest setup!

My notes on getting the basic IDP up and running are below - hopefully they help you get up and running.

Michael

I've found that the best (i.e. most painless) way is...

  1. Use Glassfish - this is a well supported container for OpenSSO - use the developer profile to make your life even easier - use the quick setup steps as documented on the download page
  2. Deploy OpenSSO as per the basic instructions (unpack the zip - deploy the war file to the default domain)

I've used the following as my setup steps (I use OpenSSO build 7):

  • Under "Custom Configuration", click "Create New Configuration".
  • Type the password "adminadmin" in the Password and Confirm fields. Click Next.
  • In Server Settings, leave the defaults alone (or edit if if needed) and choose Next.
  • In Configuration Data Store, leave the defaults alone (or edit if needed) and choose Next.
  • In User Data Store, choose "OpenSSO User Data Store". Click Next.
  • In Site Configuration, choose No (this installation will not use a load balancer). Click Next.
  • In Default Agent User, enter admin123 as the password and confirmed password. Click Next.
  • Click "Create Configuration".
  • Click "Proceed to Login".
  • Log in as "amadmin" with the password "adminadmin".

The instructions above are based on http://developers.sun.com/identity/reference/techart/opensso-glassfish.html

You've now got your basics up and running. Create a subrealm under / called users, and create an account or two in there.

Now prep your SP metadata. Don't put too much in your metadata to start with - keep it simple.

In the default page of the GUI, choose to create a hosted IDP. This is a pretty basic workflow. You should specify your /users realm and choose to use the test key alias for signing. The circle of trust you create can be called petty much anything.

When you complete the workflow you'll be asked if you want to import metadata for an SP - say yes and choose to import from your prepared metadata file.

At this stage you should be pretty much set up.

You'll want to grab your IDP metadata next. There are a few ways to do this. You could use "http://servername:8080/opensso/ssoadm.jsp?cmd=export-entity" or "http://servername:8080/opensso/saml2/jsp/exportmetadata.jsp?realm=/users".

... and that's pretty much it for setup.

If you run into issues interoperating with OpenSSO you can look in the OpenSSO data directory (~/opensso by default). There's debugging and logging information in the subdirectories under there. You can cross reference that information with the OpenSSO Wiki, which has some pretty good troubleshooting information.

OTHER TIPS

Instead of installing and configuring an IdP you can use a hosted test platform such as TestShib or OpenIdP. Both work along the same lines but OpenIdP requires you to register.

  1. Generate your SAML metadata XML file.
  2. Register your SP with the IdP by uploading your metadata XML file.
  3. Register the IdP with your SP by downloading their metadata XML file.

Use samlidp.io, it is perfect and free for testing, you can setup your own IdP with a few clicks with adding your custom SP's metadata and that's all, it works.

You can give a try to LemonLDAP::NG (http://lemonldap-ng.org)

It is packaged for most Linux distributions, so easy to install and to set up.

You can configure Auth0 as a SAML IdP. The setup is straight-forward and there's a free tier available.

I'm using Keycloak (https://www.keycloak.org/).

  • Open Source
  • Standalone application
  • Easy to configure

I would recommend to use OpenAm https://backstage.forgerock.com/#!/downloads/OpenAM/OpenAM%20Enterprise#browse to istall locally on tomcat instance. It's quite easy to setup and get it up and running during a couple of hours.

I have been struggling with testing SAML2 integration for a long time, and used OpenSSO. Since I discovered OKTA for testing applications http://okta.com/ I haven't looked back. It is perfect, easy to use, and you can also create different users and send custom attributes back to the SP.

OpenSSO is not nice. For start you have those ridiculous captchas which don't even make sense. SSOCircle does not allow you to send custom attributes, it does not allow you to use SHA-256 encryption either, for what I've seen. OpenSSO does not give you any help about error messages unless you pay for their debug functionality (which is probably poor given the rest of the application works poorly).

Take a look at this answer.

In a nut shell, samling is a serverless SAML IdP for the purpose if testing any SAML SP endpoint. It supports AuthnRequest and LogoutRequest. It runs solely in the browser to simulate SAML responses returned from a SAML IdP - no registration, no servers, just a browser, allowing you to control many aspects of the response - from success to various failures.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top