Use samltest.id for testing

Extended README.md with info about testing this app against samltest.id test service. Testing is possible without any account/registration.
ataylor284 · Dec 4, 2023 · 8f50c03 · 8f50c03
1 parent f961343
commit 8f50c03
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -5,9 +5,9 @@ A simple SAML application built with opensaml and pac4j to understand the SAML w
 
 An example SAML authentication webflow:
 
-There are three parties involved in the authentication: the user's
-browser, the Service Provider (SP) - saml-example in this example, and
-the Identity Provider (IDP).  The IDP can be any SAML 2.0 identity
+There are three parties involved in the authentication: the *user's
+browser*, the Service Provider *(SP) - saml-example in this example*, and
+the Identity Provider *(IDP)*.  The IDP can be any SAML 2.0 identity
 provider.
 
 The negotiation looks like this:
@@ -22,13 +22,13 @@ authenticated session for the browser, so it returns a special "SAML
 Login 1" response.  This is generated by pac4j and opensaml in
 saml-example.  The response is a form that auto-submits itself
 (request 2) to the IDP.  The form includes a SAMLRequest parameter
-that encodes it's identity.
+that encodes its identity.
 
 The IDP determines the user is not yet authenticated, and presents a
 login form where the user enters their IDP creds (requests 3 and 4).
 
 The response to the successful login is another auto-submitting form,
-this time with a SAMLResponse parameter.  This is auto-sumbitted to
+this time with a SAMLResponse parameter.  This is auto-submitted to
 the SP callback URL.
 
 When the form is submitted the SP decodes the SAMLResponse and gets
@@ -42,5 +42,29 @@ Create a java keystore and create a key pair with alias saml in the current dire
     keytool -genkey -keyalg RSA -alias saml -keypass changeit -keystore trust.keystore -storepass changeit
 
 Copy the IDP metadata XML document to
-src/main/resources/idp-metadata.xml.  Build, run and browse to
-localhost:8080.
+`src/main/resources/idp-metadata.xml`.
+
+Build (`mvn compile`), run (`mvn exec:java -Dexec.mainClass="ca.redtoad.Main"`) and browse to http://localhost:8080.
+
+Testing on samltest.id
+----------------------
+
+To test this project against https://samltest.id saml service (there is IdP and also SP),
+you first need to prepare your custom sp metadata, with custom entityID.
+One minimal example generated on online tool, https://www.samltool.com/sp_metadata.php
+is in `sp-metadata.xml` in this repo.
+
+Most important is entityId (in sample file, `http://localhost:8080/callback?skúškaaaa`).
+Another important info in this file is a callback url. It contains domain, path and
+client name. Client name is configured in `SAML2ClientBuilder` class and it is
+set to `SAMLExample`. We can keep it as-is.
+EntityId is also used by samltest.id service as a primary key when uploading config.
+Then [upload](https://samltest.id/upload.php) your sp-metadata.xml to the service.
+
+Change your entityId also in source code, in `SAML2ClientBuilder` class, there is
+a call to `config.setServiceProviderEntityId` method.
+
+To obtain `idp-metadata.xml` file, you can go to https://samltest.id/download/ page and
+download given file
+(Direct link is https://samltest.id/saml/idp, and you need to save it
+to `src/main/resources/idp-metadata.xml` file).
diff --git a/sp-metadata.xml b/sp-metadata.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+                     validUntil="2023-12-03T14:00:17Z"
+                     cacheDuration="PT604800S"
+                     entityID="http://localhost:8080/callback?skúškaaaa">
+    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                     Location="http://localhost:8080/login/finish?client_name=SAMLExample"
+                                     index="1" />
+
+    </md:SPSSODescriptor>
+</md:EntityDescriptor>
diff --git a/src/main/java/ca/redtoad/SAML2ClientBuilder.java b/src/main/java/ca/redtoad/SAML2ClientBuilder.java
@@ -8,6 +8,7 @@ public class SAML2ClientBuilder {
 
     public SAML2Client build() {
         SAML2Configuration config = new SAML2Configuration();
+        config.setServiceProviderEntityId("http://localhost:8080/callback?skúškaaaa");
         config.setIdentityProviderMetadataResourceUrl(getClass().getResource("/idp-metadata.xml").toString());
         config.setSpLogoutRequestBindingType(SAMLConstants.SAML2_REDIRECT_BINDING_URI);