mock-saml's Issues

Mock SAML generates invalid IDs sometimes

Hi,
Thanks for the effort of developing and maintaining this project.

It appears that the current Mock SAML deployed on https://mocksaml.com generates SAML responses with invalid IDs sometimes, making the response fail to validate on our end.

It appears that IDs starting with a number should not be returned as per this comment:

"the value of the id cannot start with a number"
https://answers.unity.com/questions/283292/xmldocument-getelementbyid-returning-null.html

I've not taken my time to check if the specification disallows this kind of IDs, but please review it as it might be the case.

SAML response with valid ID (d6e31e4076892cf4a0f4)

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="d6e31e4076892cf4a0f4" Destination="http://[REDACTED]" IssueInstant="2022-10-04T08:08:15.437Z">
	<saml:Issuer
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.com/entityid
	</saml:Issuer>
	<Signature
		xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
			<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
			<Reference URI="#d6e31e4076892cf4a0f4">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
				<DigestValue>dkxg1EE6NKrKfPobnGCjRrSYCiPfUA1wGJAiXR3IvR4=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>ARQCgUO20bExALkhelkRZX0Fxxsz2WZdrvU6kHYhgDXxiOonfmA1e9fXeEdKqHsaTRLP/MRPsjU9f4bwzxAQmKZ4XJpxwbN0WiDQGRcw0nw6JGd1QPrejaUDcHrwu3h208u53B+xjUixHILLNECfTCIWVgwAeNyNLlgaEL5OGjxHyt0KUmZ7fEXigdX/58QwM5TKa0RGYs45TXkasmtWsYngSS/N6Jk0K46aLwowdoEYPxDJJ0M+HBFBD+L4XTlfwlWyF8TXozWT8Qo2PyzdNkw1XPNjgsWRH3P5ZwS/RekUQN8CtZnm8GheH1EevlNjrDf54falV+Cyq8A/BNxWfQ==</SignatureValue>
		<KeyInfo>
			<X509Data>
				<X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV…</X509Certificate>
			</X509Data>
		</KeyInfo>
	</Signature>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
	</samlp:Status>
	<saml:Assertion
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="cb7a498e3457bbd3b08d" IssueInstant="2022-10-04T08:08:15.437Z">
		<saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
		</saml:Subject>
		<saml:Conditions NotBefore="2022-10-04T08:03:15.437Z" NotOnOrAfter="2022-10-04T08:13:15.437Z">
			<saml:AudienceRestriction>
				<saml:Audience>https://saml.boxyhq.com</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2022-10-04T08:08:15.437Z" SessionIndex="_YIlFoNFzLMDYxdwf-T_BuimfkGa5qhKg">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement
			xmlns:xs="http://www.w3.org/2001/XMLSchema"
			xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
			<saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1dda9fb491dc01bd24d2423ba2f22ae561f56ddf2376b29a11c80281d21201f9
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
				</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>

SAML response with invalid ID (052bb91c65e36da98b89)

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="052bb91c65e36da98b89" Destination="http://[REDACTED]" IssueInstant="2022-10-04T08:44:05.068Z">
	<saml:Issuer
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.com/entityid
	</saml:Issuer>
	<Signature
		xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
			<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
			<Reference URI="#052bb91c65e36da98b89">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
				<DigestValue>erlgDPYbA9WnipM1e73poCYsqR+SZ3KNeIyNgk1IrIM=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>SSXuvMrs2QZTO0KtxyVkVJgSvtyCxL0RjI8PYMwFchm4+YUZ1sReNoNjL2vaOC1R6ZA6s6snhOoUdKZBywIoeVAPOJFDfR+7CDpxphd8+8hh4+Qgi5ucoUppbjQvUqe+iXUFeluECcCtT6vvyXqX3BKLaf1rkC8TYSv+jEDVKJTuqwu6JCznNLOQMTihVGoKLSfVP2byawSTHEZZhhiMS+uTb526Ol9odzJwI4LtyB7dfwBm/RC8Nrr+bKBTyzvpWVLD16OpwN2EA307Soz2UcaBSGl4oCZOs3XbxCC33pJw3hCICyIZbDso0J4s1pd9kIWRHW3/f1H0keVulFKJYA==</SignatureValue>
		<KeyInfo>
			<X509Data>
				<X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV…</X509Certificate>
			</X509Data>
		</KeyInfo>
	</Signature>
	<samlp:Status>
		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
	</samlp:Status>
	<saml:Assertion
		xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="94f234f28bf71773b14c" IssueInstant="2022-10-04T08:44:05.068Z">
		<saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
		<saml:Subject>
			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
		</saml:Subject>
		<saml:Conditions NotBefore="2022-10-04T08:39:05.068Z" NotOnOrAfter="2022-10-04T08:49:05.068Z">
			<saml:AudienceRestriction>
				<saml:Audience>https://saml.boxyhq.com</saml:Audience>
			</saml:AudienceRestriction>
		</saml:Conditions>
		<saml:AuthnStatement AuthnInstant="2022-10-04T08:44:05.068Z" SessionIndex="_YIlFoNFzLMDYxdwf-T_BuimfkGa5qhKg">
			<saml:AuthnContext>
				<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
			</saml:AuthnContext>
		</saml:AuthnStatement>
		<saml:AttributeStatement
			xmlns:xs="http://www.w3.org/2001/XMLSchema"
			xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
			<saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1dda9fb491dc01bd24d2423ba2f22ae561f56ddf2376b29a11c80281d21201f9
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
				</saml:AttributeValue>
			</saml:Attribute>
			<saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
				<saml:AttributeValue
					xmlns:xs="http://www.w3.org/2001/XMLSchema"
					xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
				</saml:AttributeValue>
			</saml:Attribute>
		</saml:AttributeStatement>
	</saml:Assertion>
</samlp:Response>
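The constraint the reporter suspected is real: SAML 2.0 declares the ID attribute of Response, Assertion and AuthnRequest as xs:ID, and an xs:ID is an NCName, which cannot begin with a digit and cannot contain a colon. A ds:Reference with URI="#052bb91c65e36da98b89" therefore points at an ID that schema-validating or ID-aware XML libraries may refuse to resolve, which is exactly how "invalid ID" surfaces as a signature validation failure. Note that in the second response the Assertion ID (94f234f28bf71773b14c) starts with a digit as well, not just the Response ID. The Python below is an added example, not mock-saml's code: it checks the IDs in a Response, checks that every signature Reference resolves to one of them, and shows the usual generator fix (a leading underscore). The Response it builds is a constructed minimal skeleton with a placeholder signature, not one of the responses above.

```python
import re
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# xs:ID is an NCName: first character a letter or '_', no ':' anywhere.
# ASCII subset of the production; the full grammar also admits non-ASCII
# letters, which SAML implementations never emit in practice.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def is_valid_xml_id(value: str) -> bool:
    """True if value is acceptable as an xs:ID (ASCII NCName)."""
    return bool(_NCNAME.match(value))


def new_saml_id(nbytes: int = 20) -> str:
    """Unpredictable ID that is always a valid NCName.

    The leading underscore is the conventional fix: whatever the first
    random hex digit is, the ID can no longer start with a digit.
    """
    return "_" + secrets.token_hex(nbytes)


def check_response_ids(xml_text: str) -> list:
    """Return the problems found with the IDs of a samlp:Response and the
    ds:Reference URIs of its enveloped signatures; empty means all good.

    Parse untrusted responses with defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"]
    problems = []
    seen = {}
    for el in [root, *root.findall(f"{{{SAML}}}Assertion")]:
        local = el.tag.rsplit("}", 1)[1]
        id_ = el.get("ID", "")
        if not is_valid_xml_id(id_):
            problems.append(f"{local} ID {id_!r} is not a valid xs:ID")
        if id_ in seen:
            problems.append(f"ID {id_!r} used by both {seen[id_]} and {local}")
        seen[id_] = local
    # Every enveloped signature must point back at an element of this document.
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in seen:
            problems.append(f"Reference URI {uri!r} does not resolve to a signed element")
    return problems


def sample_response(response_id: str, assertion_id: str) -> str:
    """Constructed minimal Response skeleton (placeholder signature value)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Version="2.0" ID="{response_id}" IssueInstant="2022-10-04T08:08:15.437Z">
  <saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo><ds:Reference URI="#{response_id}"/></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion Version="2.0" ID="{assertion_id}"
      IssueInstant="2022-10-04T08:08:15.437Z"/>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_response_ids(sample_response("d6e31e4076892cf4a0f4", "cb7a498e3457bbd3b08d")))
    print(check_response_ids(sample_response("052bb91c65e36da98b89", "94f234f28bf71773b14c")))
    print(new_saml_id())
```

The same check is worth running on the SP side before signature verification: a dangling or malformed Reference URI is a clearer error to log than a generic "signature invalid".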

Feature request: autopopulate and/or hide acs & audience fields

Normal users don't know anything about SAML things like 'ACS URL' or 'Audience' - they just want to be able to log in and be redirected back to their app.

I know this tool is targeted towards developers, but presumably the fields on the login form for ACS URL and Audience aren't going to change if they're tied to a specific app. It'd be great to be able to autopopulate those with an ENV variable rather than have to copy/paste the acs and metadata urls each time you want to log in; something like

...
# Base64 encoded value of public key `cat public.crt | base64`
PUBLIC_KEY=
# Base64 encoded value of private key `cat key.pem | base64`
PRIVATE_KEY=

# Set default ACS URL (usually my.app/saml/acs)
ACS_URL=
# Set default Audience (usually my.app/saml/metadata)
AUDIENCE_URL=
...

Those values would then appear in the login form rather than the default boxyhq.com urls.

Added plus would be to set the defaults and then hide those fields from the login form entirely.

Error missing signature

Getting the error 'missing signature' with the SAML Request below.

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://localhost:8081/SSO/assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://mocksaml.com/api/saml/sso" ForceAuthn="false" ID="_4238f5e9-3a2b-487d-ba53-5128f89c5dcc" IssueInstant="2023-03-23T12:03:34.690Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
	<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.com/entityid</samlp:Issuer>
	<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
			<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
			<ds:Reference URI="#_4238f5e9-3a2b-487d-ba53-5128f89c5dcc">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
				<ds:DigestValue>GAJ0X/KgH4hnUhS0K4TEacK9CG/aW12jgvJlL4OifaY=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>
Ol10duUDMbW15gjhwM45GgIkEWZCItOXfAS6b0Lw8Z3eenTOPIojLCrYi04qAox2elV321pzMyI8B0u/rqXjytdkXLvgaq4W7B0t+6x/KC2JPTj15K48q8aRJ0BxHfxyezfHInmLuM+5W/VmO+hMekieNKITFnGW9XLEEExooFEXW8n9uoN5itbdHVZsgfg05sueGAAVt5RqmuoWs0VzD/388L9nyh+67qYyVcEo2dSeJmK13JQnj8PnqYqgrgPzcOkmnV9cOUO9Orj93AzVuc7KVoNfnhpQlNZO/gDQoiObO5UpbxV+Ryhc9LFCNRYOjZF2BtN45LHGkXnman51og==
</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>MIIDHjCCAgagAwIBAgIGAYcNXHuyMA0GCSqGSIb3DQEBCwUAMC4xGDAWBgNVBAMMD215LXRlc3Qt…</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
</samlp:AuthnRequest>

Will ARM architecture be available for docker installation?

I'm trying to mock SAML in my project and I was thinking of using BoxyHQ Mock SAML, but the docker installation process ended up with:

Status: Downloaded newer image for boxyhq/mock-saml:latest WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested

Are you going to prepare docker image for ARM architecture?

Using spring boot 2.7 with saml2 through opensaml4 fails

When using mock-saml with the current spring security saml2 implementation, using opensaml4 as the protocol implementation, we end up with:

TypeError: Cannot read properties of undefined (reading '$')
    at extractSAMLRequestAttributes (/app/.next/server/chunks/391.js:116:52)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async processSAMLRequest (/app/.next/server/pages/api/saml/sso.js:85:72)
    at async handler (/app/.next/server/pages/api/saml/sso.js:65:20)
    at async Object.apiResolver (/app/node_modules/next/dist/server/api-utils/node.js:363:9)
    at async NextNodeServer.runApi (/app/node_modules/next/dist/server/next-server.js:488:9)
    at async Object.fn (/app/node_modules/next/dist/server/next-server.js:750:37)
    at async Router.execute (/app/node_modules/next/dist/server/router.js:253:36)
    at async NextNodeServer.run (/app/node_modules/next/dist/server/base-server.js:384:29)
    at async NextNodeServer.handleRequest (/app/node_modules/next/dist/server/base-server.js:322:20)

The entire setup is fairly basic. We did not configure AuthNSignRequest since we do not yet understand which private key to use on the client side. Should the generated key pair that is used for response signing just be used on the client to sign the request?

Thank you for the clarification

"Error: Missing signature" result seems to not conform to saml-bindings-2.0

When my SP makes this authn redirect request (line breaks added for clarity):

https://mocksaml.com/api/saml/sso?
SAMLRequest=nJJBj9MwEIX%2FiuV7YieUJbE2kcpWiEoLVNvCgdvEmWwtYjt4JsDy61GbRSqXCu3R9nwz73neLYEfJ7Oe%2BRge8PuMxOKXHwOZ00Mj5xRMBHJkAngkw9bs1x%2FuTZlrA0SY2MUgL5DpOjOlyNHGUYrtppGuz2pti27o6je1fm2Hqi46WNXVCiscVjd9NUDRwQAFSvEFE7kYGlnmWoot0YzbQAyBG1nq8lWmy6woDsWNKVem1Hmhy69SbJDYBeAzeWSeyCjlo%2F12Epvb6BVMTp0OiihKsf5r6i4Gmj2mPaYfzuLnh%2FuFN0qN0cJ4jMS549%2BPuUdT6UovTcCSFLtnl29d6F14vP4l3VJE5v3hsMt2n%2FYH2Z7XYs4ek3gXkwe%2B3uR04%2FpsOJcaDOz4Sbb%2FodcjQw8Mt%2BpiZPsci4%2FgcbvZxdHZpxfI4ASBHAaWYj2O8eddQmBsJKcZpWqXkf%2BGr%2F0TAAD%2F%2Fw%3D%3D

&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1

&Signature=auEkgD83piMUaxm%2BetHGmxDHpQV9b3t9CLxriYGdmklSH5ZH8aWku4zeFz8sEtZoAA6JiXLkEAIKbEQfee%2BsX70g%2FhVjPC9w%2BVTGjBbbJd98CEgtSvDWMB9AsfEtPw59kO5mux%2BcSuAXyfRberO96vcjF4X5WF27wA7A7qDT6RwkzK7V%2BQ0%2FesVDu1AGJkXNUJZv9EjZOtEnOymlPgLufpAlD5dPnR99Ktf3G1bJT7KDWi9V1TTizq5xr6rA5%2BocVnHEZN7ZPiCcGZfgtbjCJ0ZIkMpGG6ciZoPW00w00fXPRcdB%2BGIJuQT%2BXbiHYhzMHl3y7UMAZ7FVgkaRqmzJ%2BQ%3D%3D

Then the response page only shows "Error: Missing signature".

FWIW I identified this section of code as the origin of that response

const publicKey = result['samlp:AuthnRequest']['Signature']
  ? result['samlp:AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]
  : null;

if (!publicKey) {
  throw new Error('Missing signature');
}

From the saml-bindings-2.0 specification, section 3.4.4, it states

A query string parameter named SAMLEncoding is reserved to identify the encoding mechanism used. If
this parameter is omitted, then the value is assumed to be
urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE

As such, DEFLATE is the mechanism in play, which then is discussed in section 3.4.4.1. Item 1 of XML serialization states:

Any signature on the SAML protocol message, including the ds:Signature XML element itself,
MUST be removed

which is what the SAML authentication library that I am using does. That seems to be a mismatch with the expectation of the code referenced above, but I might be missing some broader context of the code.

Further in 3.4.4.1 the block that starts:

If the underlying SAML protocol message is signed with an XML signature [XMLSig], the URL-encoded
form of the message MUST be signed as follows:

You'll note that the URL I attempted, shown above, includes SigAlg and Signature, but they don't seem to be considered by the request processing.
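What the quoted sections of saml-bindings-2.0 prescribe, as an added Python example (not mock-saml's code and not the reporter's library): the SP removes any ds:Signature from the AuthnRequest, DEFLATE-compresses and base64-encodes it, and signs the URL-encoded string `SAMLRequest=...&RelayState=...&SigAlg=...` (RelayState omitted entirely when there is none); the IdP rebuilds that string from the raw query exactly as received, verifies it with the key registered for the SP, and only then inflates the XML. So a redirect-binding request that reaches the IdP with no Signature element inside the XML is correct, and the signature to check is the `Signature` query parameter. The `sign` and `verify` callbacks are where RSA with the SP's registered key goes (for example `cryptography`'s `private_key.sign(data, PKCS1v15(), SHA256())`); to run offline, the demo plugs in an HMAC stand-in, which is only a placeholder and not a SAML signature algorithm. The AuthnRequest and key are constructed.

```python
import base64
import hashlib
import hmac
import zlib
import xml.etree.ElementTree as ET
from typing import Callable, Optional
from urllib.parse import quote, unquote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)


def strip_enveloped_signature(xml_text: str) -> str:
    """Bindings 3.4.4.1 step 1: any ds:Signature on the protocol message
    MUST be removed; the redirect binding signs the query string instead."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == f"{{{DS}}}Signature":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def deflate_b64(xml_text: str) -> str:
    # Raw DEFLATE (negative wbits = no zlib header), then base64.
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml_text.encode("utf-8")) + co.flush()).decode("ascii")


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signing_input(saml_request: str, relay_state: Optional[str], sig_alg: str) -> str:
    """The octets that get signed: URL-encoded pairs in this fixed order,
    RelayState left out entirely when the SP sends none."""
    parts = [f"SAMLRequest={quote(saml_request, safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(sig_alg, safe='')}")
    return "&".join(parts)


def build_redirect_url(sso_url: str, authn_request_xml: str, sign: Callable[[bytes], bytes],
                       relay_state: Optional[str] = None, sig_alg: str = RSA_SHA256) -> str:
    """SP side: strip, deflate, encode, sign the query string, append Signature."""
    payload = deflate_b64(strip_enveloped_signature(authn_request_xml))
    query = signing_input(payload, relay_state, sig_alg)
    signature = base64.b64encode(sign(query.encode("ascii"))).decode("ascii")
    return f"{sso_url}?{query}&Signature={quote(signature, safe='')}"


def parse_redirect_url(url: str, verify: Callable[[bytes, bytes, str], bool]) -> str:
    """IdP side: rebuild the signed string from the raw query exactly as
    received (re-encoding could change it), verify, then inflate the XML."""
    raw = dict(pair.split("=", 1) for pair in urlsplit(url).query.split("&"))
    if "Signature" not in raw or "SigAlg" not in raw or "SAMLRequest" not in raw:
        raise ValueError("Missing signature")
    signed = "&".join(f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw)
    signature = base64.b64decode(unquote(raw["Signature"]))
    if not verify(signed.encode("ascii"), signature, unquote(raw["SigAlg"])):
        raise ValueError("Invalid signature")
    return inflate_b64(unquote(raw["SAMLRequest"]))


def has_enveloped_signature(xml_text: str) -> bool:
    return ET.fromstring(xml_text).find(f"{{{DS}}}Signature") is not None


def request_id(xml_text: str) -> str:
    return ET.fromstring(xml_text).get("ID", "")


def demo_hmac_signer(key: bytes):
    """Stand-in for the SP's RSA key pair so the example runs offline (NOT a
    SAML algorithm). Real deployments sign with the SP's private key per
    SigAlg and verify with the certificate registered in the SP's metadata."""
    def sign(data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(data: bytes, signature: bytes, sig_alg: str) -> bool:
        return sig_alg == RSA_SHA256 and hmac.compare_digest(sign(data), signature)
    return sign, verify


# Constructed AuthnRequest that still carries an enveloped signature, the way
# an SP library holds it before the redirect binding strips it.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_c0ffee0123456789" Version="2.0" IssueInstant="2023-03-23T12:03:34.690Z"
    Destination="https://mocksaml.com/api/saml/sso"
    AssertionConsumerServiceURL="http://localhost:8081/SSO/assertion">
  <saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
  <ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    sign, verify = demo_hmac_signer(b"constructed-test-key")
    url = build_redirect_url("https://mocksaml.com/api/saml/sso", SAMPLE_AUTHN_REQUEST, sign, "state 1")
    print(url)
    print(parse_redirect_url(url, verify))
```

A deployment note for IdP authors: `parse_redirect_url` deliberately reads the raw query parameters rather than a decoded-then-re-encoded copy, because the bytes covered by the signature are the SP's own URL encoding of the values, and two encoders can legitimately differ on characters such as `~` or `*`.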

Problems integrating with Keycloak

I'm trying to integrate Mock SAML into my Keycloak application.

I am downloading the metadata file available on the website and importing it into my Keycloak using the flow:
Identity Providers > Add provider > SAML v2.0 > Disable "Use entity descriptor" and import the XML file that I downloaded from Mock SAML.

However, when I try to log in, I get the login timeout message.

[Screenshot 2023-09-12 at 19:23:08]

Searching the internet, I saw cases where there was a time difference on the Keycloak server caused by Docker, and people solved it by increasing the time in "Allowed clock skew", in Keycloak. However, I have already closed and opened my Docker several times, I have tried different values in "Allowed clock skew" but the problem persists.

[screenshot]

Has anyone ever experienced this? Does anyone know what the problem could be?

My Keycloak version is 21.1.2
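Clock skew matters for SAML because every assertion carries a validity window: the responses earlier on this page set NotBefore five minutes before IssueInstant and NotOnOrAfter five minutes after it, so a container whose clock drifts by more than that is outside the window no matter how often it is restarted. "Allowed clock skew" settings such as Keycloak's widen the comparison by that amount. The Python below is an added example of the check an SP performs (not Keycloak's or mock-saml's logic), run over a constructed assertion that reuses the timestamps and audience from the first Response above.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_saml_instant(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing 'Z' (2022-10-04T08:08:15.437Z).
    Older Pythons' fromisoformat() rejects the 'Z', so strip it explicitly."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp is not UTC: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime, allowed_skew_seconds: float = 0.0,
                     expected_audience: Optional[str] = None) -> List[str]:
    """Evaluate saml:Conditions the way an SP should: NotBefore is inclusive,
    NotOnOrAfter is exclusive, and the allowed skew widens both ends.
    Returns a list of problems; empty means the assertion is acceptable."""
    skew = timedelta(seconds=allowed_skew_seconds)
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return ["assertion has no Conditions element"]
    problems: List[str] = []
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_instant(not_before):
        problems.append(f"not yet valid: now={now.isoformat()} NotBefore={not_before}")
    if not_on_or_after and now - skew >= parse_saml_instant(not_on_or_after):
        problems.append(f"expired: now={now.isoformat()} NotOnOrAfter={not_on_or_after}")
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML}}}Audience") if a.text]
    if expected_audience is not None and expected_audience not in audiences:
        problems.append(f"audience mismatch: expected {expected_audience!r}, got {audiences}")
    return problems


# Constructed assertion; timestamps and audience copied from the first
# Response on this page, signature omitted since only Conditions are checked.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_constructed-1"
    IssueInstant="2022-10-04T08:08:15.437Z">
  <saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
  <saml:Conditions NotBefore="2022-10-04T08:03:15.437Z" NotOnOrAfter="2022-10-04T08:13:15.437Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saml.boxyhq.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def at(hh: int, mm: int, ss: int = 0) -> datetime:
    """Clock reading on the assertion's day, UTC (demo helper)."""
    return datetime(2022, 10, 4, hh, mm, ss, tzinfo=timezone.utc)


if __name__ == "__main__":
    # SP clock two minutes slow: rejected at skew 0, accepted with 3 minutes allowed.
    print(check_conditions(SAMPLE_ASSERTION, at(8, 1)))
    print(check_conditions(SAMPLE_ASSERTION, at(8, 1), allowed_skew_seconds=180))
```

Before widening the skew on the SP, compare `date -u` inside the container with the IssueInstant the IdP stamps on its responses: the skew setting should cover measured drift, not replace time synchronisation.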

Mock login and logout

Currently login is simulated, but to test things like ForceAuthn we should log the user in via a session and then provide logout functionality. If the user is logged in they should be taken straight through, skipping the current login screen.

Feature request: FriendlyName flag

Some SAML SPs are looking for FriendlyName in the Attribute properties in the SAML Response, rather than Name:

<saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

Is there a way to set this property to FriendlyName? If not, could this be set via an .env var?

...
USE_ATTRIBUTE_FRIENDLYNAME=true
...

automated login flow

We want to use the mocker to entirely automate the login process. Thus we use a combination of mockMvc / restTemplate to

  1. get the redirect including the SAMLRequest parameter (302 based, redirect based)
  2. call that sso url via restTemplate
  3. (2) will offer us some kind of either redirect or login form to log in with the user (since the request / client is not yet authenticated)
  4. we would like to post some kind of form-data request via restTemplate to that form, to authenticate the user and retrieve the session cookie
  5. use the target redirect from (4) (to the ACS) and follow that redirect using mockMVC - retrieve and ensure the user is logged in

This would test the entire SAML flow without any e2e testing tool and ensure the configuration/filter/provider and so forth are all correctly set up (that's the motivation / value).

Could you give us a hint how to do part '4.' (anything else is no issue).

  • we assume the SAMLRequest id needs to be part of that post (context) so the SAMLResponse can be created
  • which endpoint to use?
  • what form fields to set (should we just reverse engineer the fields of the mocker login form?)

If you could share some ideas, this would be awesome!

SP login incorrectly shows IdP login fields briefly before swapping back to place

The login page is prerendered (rendered to HTML) during build time. This means the query params will be missing in the initial client render and will be set only after hydration. We need to handle this intermediate state using the isReady boolean from next/router. More details can be found here. You can see this happening by turning on network throttling in devtools.

idp metadata set WantAuthnRequestsSigned to false but needed in processSAMLRequest

In the metadata, WantAuthnRequestsSigned is set to false:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2033-01-12T02:54:41.843Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

but in utils\request.ts's extractSAMLRequestAttributes a certificate is required:

  const publicKey = result['samlp:AuthnRequest']['Signature']
    ? result['samlp:AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]
    : null;

  if (!publicKey) {
    throw new Error('Missing signature');
  }
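Two things are visible across this report, the "Error missing signature" report and the Spring Boot stack trace above, all of which pass through extractSAMLRequestAttributes: the lookup keys on the literal strings 'samlp:AuthnRequest' and 'Signature', while the posted request carries its signature as ds:Signature and even rebinds the samlp prefix to the assertion namespace on its Issuer; and the lookup treats "no Signature element" as fatal although the published metadata says WantAuthnRequestsSigned="false". The Python below is an added example (not the project's code) of the two pieces a request handler needs: a namespace-aware extraction that is indifferent to prefixes, and a policy step that only demands a signature when the metadata promised one. It also encodes the rule a real IdP has to follow when a request does carry a certificate in KeyInfo: verify against the key registered for that SP, never against whatever key the message brought along. The three sample requests and the certificate stub are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: the SAMLRequest form field is plain base64 of the
    XML (no DEFLATE, unlike HTTP-Redirect)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(saml_request_b64: str) -> str:
    return base64.b64decode(saml_request_b64).decode("utf-8")


def extract_authn_request(xml_text: str) -> dict:
    """Prefix-independent extraction: elements are matched by namespace URI,
    so ds:Signature, a default-namespace Signature, and a rebound samlp:
    prefix on Issuer all resolve. Use defusedxml for untrusted input."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    signature = root.find(f"{{{DS}}}Signature")
    embedded_cert: Optional[str] = None
    if signature is not None:
        cert = signature.find(f".//{{{DS}}}X509Certificate")
        if cert is not None and cert.text:
            embedded_cert = "".join(cert.text.split())  # drop PEM-style line breaks
    return {
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "signed": signature is not None,
        "embedded_cert": embedded_cert,
    }


def signature_policy(req: dict, want_authn_requests_signed: bool,
                     registered_cert: Optional[str]) -> str:
    """Decide how to treat the request, consistently with the IdP metadata.

    'verify' means an enveloped signature is present and must be checked
    with registered_cert; 'accept-unsigned' means the metadata allows an
    unsigned request. Anything else is an error.
    """
    if req["signed"]:
        if registered_cert is None:
            raise ValueError("signed request from an SP with no registered certificate")
        if req["embedded_cert"] is not None and req["embedded_cert"] != registered_cert:
            # KeyInfo is controlled by whoever built the message; a signature
            # that only checks out against the key it shipped with proves nothing.
            raise ValueError("embedded certificate does not match the registered SP certificate")
        return "verify"
    if want_authn_requests_signed:
        raise ValueError("Missing signature")
    return "accept-unsigned"


CERT = "MIIDHjCCAgagAwIBAgIGAYcNXHuy"  # constructed stub, not a real certificate

# ds: prefix on the signature and samlp: rebound to the assertion namespace on
# Issuer, mirroring the structure of the posted request.
REQ_DS_PREFIX = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:ds="{DS}"
    ID="_req-001" Version="2.0" IssueInstant="2023-03-23T12:03:34.690Z"
    AssertionConsumerServiceURL="http://localhost:8081/SSO/assertion">
  <samlp:Issuer xmlns:samlp="{SAML}">https://saml.example.com/entityid</samlp:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {CERT}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:AuthnRequest>"""

# Same request with the signature in the default namespace, as the Responses above do it.
REQ_DEFAULT_NS = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-002" Version="2.0" IssueInstant="2023-03-23T12:03:34.690Z"
    AssertionConsumerServiceURL="http://localhost:8081/SSO/assertion">
  <saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
  <Signature xmlns="{DS}"><KeyInfo><X509Data><X509Certificate>{CERT}</X509Certificate></X509Data></KeyInfo></Signature>
</samlp:AuthnRequest>"""

REQ_UNSIGNED = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-003" Version="2.0" IssueInstant="2023-03-23T12:03:34.690Z"
    AssertionConsumerServiceURL="http://localhost:8081/SSO/assertion">
  <saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for xml in (REQ_DS_PREFIX, REQ_DEFAULT_NS, REQ_UNSIGNED):
        req = extract_authn_request(decode_post_binding(encode_post_binding(xml)))
        print(req["id"], req["signed"], signature_policy(req, False, CERT))
```

Whether the unsigned case should be accepted at all is a deployment decision: setting WantAuthnRequestsSigned="true" in the published metadata and registering each SP's certificate is the configuration under which `signature_policy` never returns 'accept-unsigned'.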

Error: Invalid signature

Hi,
Integrated mock-saml for 2 of our products. One is working fine, and for the other product,
when hitting the login url page, it is showing
Error: Invalid signature

Could you please help me how to resolve this issue?
Note: In the server log, I can see it is generating the SP metadata file, which is fine, but afterwards there are no other errors.

How to send custom request that acceptable by mocksaml?

Hi, thanks for the app. Helps a lot.
I am just learning how SSO works with ReactJS with Laravel as a backend.
The flow that I made is kinda like this :

ReactJS -> Pop Up SSO Mocksaml -> Everything Good ->
Laravel listens -> Share success to websocket with some users data ->
ReactJS Receives

But currently, ReactJS listens to all channels that the websocket has.
I want to be able to decide which channels each client listens to by generating some custom attribute before hitting the SSO login link.
Is it possible to send a custom attribute in the request to the SSO login link so Mocksaml can send it after the success response?

Thanks!

500 error on /api/saml/auth: Can't create duplicate variable contentOriginal

Hi - Just starting out with the boxyhq/mock-saml Docker image, so it may be a configuration error:

When I go to the app's (mapped to port 8000) login page, I'm redirected to the SAML container's (mapped to port 4000) login page:

[Screenshot 2024-04-03 at 10:47:28 AM]

After changing the ACS link to my local app instance; clicking 'Sign In' yields an 'Error in getting SAML response' error, and the console reports a 500 Error at the container's /api/saml/auth endpoint, followed up with a js Syntax Error: [Error] SyntaxError: Can't create duplicate variable: 'contentOriginal' which looks like it's in a versioned login.js file:

[Screenshot 2024-04-03 at 10:48:00 AM]

From the documentation, I believe I have everything set up properly (but happy to provide additional details if it would be helpful) - any help appreciated.

Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used

Test steps:

  1. I'm using this on an ubuntu22 ec2 instance.
  2. git clone https://github.com/boxyhq/mock-saml.git
  3. cd ./mock-saml
  4. npm ci
  5. npm run build

Expected:
npm run build should run with no issues.

Actual:
I see the below in our logs.

added 327 packages, and audited 328 packages in 23s
[2023-09-09T06:13:38.133Z] 99 packages are looking for funding
[2023-09-09T06:13:38.133Z]   run `npm fund` for details
[2023-09-09T06:13:38.134Z] 1 moderate severity vulnerability
[2023-09-09T06:13:38.134Z] To address all issues, run:
[2023-09-09T06:13:38.134Z]   npm audit fix
[2023-09-09T06:13:38.134Z] Run `npm audit` for details.
[2023-09-09T06:13:38.134Z] npm notice 
[2023-09-09T06:13:38.134Z] npm notice New major version of npm available! 9.6.7 -> 10.1.0
[2023-09-09T06:13:38.134Z] npm notice Changelog: <https://github.com/npm/cli/releases/tag/v10.1.0>
[2023-09-09T06:13:38.134Z] npm notice Run `npm install -g [email protected]` to update!
[2023-09-09T06:13:38.134Z] npm notice 
[2023-09-09T06:13:38.134Z] > [email protected] build
[2023-09-09T06:13:38.134Z] > next build
[2023-09-09T06:13:38.134Z] Attention: Next.js now collects completely anonymous telemetry regarding usage.
[2023-09-09T06:13:38.134Z] This information is used to shape Next.js' roadmap and prioritize features.
[2023-09-09T06:13:38.134Z] You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
[2023-09-09T06:13:38.134Z] https://nextjs.org/telemetry
[2023-09-09T06:13:38.389Z] - info Linting and checking validity of types...
[2023-09-09T06:13:44.925Z] Failed to compile.
[2023-09-09T06:13:44.925Z] ./pages/_app.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/api/saml/auth.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/api/saml/metadata/index.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/api/saml/sso.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/index.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/saml/login.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./components/Footer.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./components/Header.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./components/Layout.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./lib/env.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] info  - Need to disable some ESLint rules? Learn more here: https://nextjs.org/docs/basic-features/eslint#disabling-rules

Note: This was working for us on Aug 25 but started to fail on the Sept 1 run. We run this test only on the weekends. I am working around it by downloading https://github.com/boxyhq/mock-saml/archive/refs/tags/v1.1.2.tar.gz and using that. Not sure if there is something else I should be doing if I want to run with the latest?
