boxyhq / mock-saml
A simple mock SAML 2.0 Identity Provider
Home Page: https://mocksaml.com
License: Apache License 2.0
Hi,
Thanks for the effort of developing and maintaining this project.
It appears that the current Mock SAML deployed on https://mocksaml.com generates SAML responses with invalid IDs sometimes, making the response fail to validate on our end.
It appears that IDs starting with a number should not be returned as per this comment:
"the value of the id cannot start with a number"
https://answers.unity.com/questions/283292/xmldocument-getelementbyid-returning-null.html
I've not taken my time to check if the specification disallows this kind of IDs, but please review it as it might be the case.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="d6e31e4076892cf4a0f4" Destination="http://[REDACTED]" IssueInstant="2022-10-04T08:08:15.437Z">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.com/entityid
</saml:Issuer>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#d6e31e4076892cf4a0f4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>dkxg1EE6NKrKfPobnGCjRrSYCiPfUA1wGJAiXR3IvR4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>ARQCgUO20bExALkhelkRZX0Fxxsz2WZdrvU6kHYhgDXxiOonfmA1e9fXeEdKqHsaTRLP/MRPsjU9f4bwzxAQmKZ4XJpxwbN0WiDQGRcw0nw6JGd1QPrejaUDcHrwu3h208u53B+xjUixHILLNECfTCIWVgwAeNyNLlgaEL5OGjxHyt0KUmZ7fEXigdX/58QwM5TKa0RGYs45TXkasmtWsYngSS/N6Jk0K46aLwowdoEYPxDJJ0M+HBFBD+L4XTlfwlWyF8TXozWT8Qo2PyzdNkw1XPNjgsWRH3P5ZwS/RekUQN8CtZnm8GheH1EevlNjrDf54falV+Cyq8A/BNxWfQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV
SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4
MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK
DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0
RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd
4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V
pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b
2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ
NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF
AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW
5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4
khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX
UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L
r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M
m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="cb7a498e3457bbd3b08d" IssueInstant="2022-10-04T08:08:15.437Z">
<saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
</saml:Subject>
<saml:Conditions NotBefore="2022-10-04T08:03:15.437Z" NotOnOrAfter="2022-10-04T08:13:15.437Z">
<saml:AudienceRestriction>
<saml:Audience>https://saml.boxyhq.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2022-10-04T08:08:15.437Z" SessionIndex="_YIlFoNFzLMDYxdwf-T_BuimfkGa5qhKg">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1dda9fb491dc01bd24d2423ba2f22ae561f56ddf2376b29a11c80281d21201f9
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="052bb91c65e36da98b89" Destination="http://[REDACTED]" IssueInstant="2022-10-04T08:44:05.068Z">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.com/entityid
</saml:Issuer>
<Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#052bb91c65e36da98b89">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>erlgDPYbA9WnipM1e73poCYsqR+SZ3KNeIyNgk1IrIM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>SSXuvMrs2QZTO0KtxyVkVJgSvtyCxL0RjI8PYMwFchm4+YUZ1sReNoNjL2vaOC1R6ZA6s6snhOoUdKZBywIoeVAPOJFDfR+7CDpxphd8+8hh4+Qgi5ucoUppbjQvUqe+iXUFeluECcCtT6vvyXqX3BKLaf1rkC8TYSv+jEDVKJTuqwu6JCznNLOQMTihVGoKLSfVP2byawSTHEZZhhiMS+uTb526Ol9odzJwI4LtyB7dfwBm/RC8Nrr+bKBTyzvpWVLD16OpwN2EA307Soz2UcaBSGl4oCZOs3XbxCC33pJw3hCICyIZbDso0J4s1pd9kIWRHW3/f1H0keVulFKJYA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="94f234f28bf71773b14c" IssueInstant="2022-10-04T08:44:05.068Z">
<saml:Issuer>https://saml.example.com/entityid</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
</saml:Subject>
<saml:Conditions NotBefore="2022-10-04T08:39:05.068Z" NotOnOrAfter="2022-10-04T08:49:05.068Z">
<saml:AudienceRestriction>
<saml:Audience>https://saml.boxyhq.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2022-10-04T08:44:05.068Z" SessionIndex="_YIlFoNFzLMDYxdwf-T_BuimfkGa5qhKg">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">1dda9fb491dc01bd24d2423ba2f22ae561f56ddf2376b29a11c80281d21201f9
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jackson
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Normal users don't know anything about SAML things like 'ACS URL' or 'Audience' - they just want to be able to log in and be redirected back to their app.
I know this tool is targeted towards developers, but presumably the fields on the login form for ACS URL and Audience aren't going to change if they're tied to a specific app. It'd be great to be able to autopopulate those with an ENV variable rather than have to copy/paste the ACS and metadata URLs each time you want to log in; something like
...
# Base64 encoded value of public key `cat public.crt | base64`
PUBLIC_KEY=
# Base64 encoded value of private key `cat key.pem | base64`
PRIVATE_KEY=
# Set default ACS URL (usually my.app/saml/acs)
ACS_URL=
# Set default Audience (usually my.app/saml/metadata)
AUDIENCE_URL=
...
Those values would then appear in the login form rather than the default boxyhq.com URLs.
Added plus would be to set the defaults and then hide those fields from the login form entirely.
Getting the error 'missing signature' with the SAML Request below.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://localhost:8081/SSO/assertion" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://mocksaml.com/api/saml/sso" ForceAuthn="false" ID="_4238f5e9-3a2b-487d-ba53-5128f89c5dcc" IssueInstant="2023-03-23T12:03:34.690Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Issuer xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.example.com/entityid</samlp:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_4238f5e9-3a2b-487d-ba53-5128f89c5dcc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>GAJ0X/KgH4hnUhS0K4TEacK9CG/aW12jgvJlL4OifaY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Ol10duUDMbW15gjhwM45GgIkEWZCItOXfAS6b0Lw8Z3eenTOPIojLCrYi04qAox2elV321pzMyI8B0u/rqXjytdkXLvgaq4W7B0t+6x/KC2JPTj15K48q8aRJ0BxHfxyezfHInmLuM+5W/VmO+hMekieNKITFnGW9XLEEExooFEXW8n9uoN5itbdHVZsgfg05sueGAAVt5RqmuoWs0VzD/388L9nyh+67qYyVcEo2dSeJmK13JQnj8PnqYqgrgPzcOkmnV9cOUO9Orj93AzVuc7KVoNfnhpQlNZO/gDQoiObO5UpbxV+Ryhc9LFCNRYOjZF2BtN45LHGkXnman51og==
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDHjCCAgagAwIBAgIGAYcNXHuyMA0GCSqGSIb3DQEBCwUAMC4xGDAWBgNVBAMMD215LXRlc3Qt...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</samlp:AuthnRequest>
I'm trying to mock SAML in my project and I was thinking to use BoxyHQ Mock Saml, but docker installation process ended up with
Status: Downloaded newer image for boxyhq/mock-saml:latest WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Are you going to prepare docker image for ARM architecture?
When using mock-saml with the current Spring Security SAML2 implementation, using OpenSAML 4 as the protocol implementation, we end up with:
TypeError: Cannot read properties of undefined (reading '$')
at extractSAMLRequestAttributes (/app/.next/server/chunks/391.js:116:52)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async processSAMLRequest (/app/.next/server/pages/api/saml/sso.js:85:72)
at async handler (/app/.next/server/pages/api/saml/sso.js:65:20)
at async Object.apiResolver (/app/node_modules/next/dist/server/api-utils/node.js:363:9)
at async NextNodeServer.runApi (/app/node_modules/next/dist/server/next-server.js:488:9)
at async Object.fn (/app/node_modules/next/dist/server/next-server.js:750:37)
at async Router.execute (/app/node_modules/next/dist/server/router.js:253:36)
at async NextNodeServer.run (/app/node_modules/next/dist/server/base-server.js:384:29)
at async NextNodeServer.handleRequest (/app/node_modules/next/dist/server/base-server.js:322:20)
The entire setup is fairly basic. We did not configure AuthNSignRequest since we do not yet understand which private key to use on the client side. Should the generated key pair that is used for response signing just be used on the client to sign the request?
Thank you for the clarification
Is it possible to add support for custom attributes in the SAML response?
For example, givenName, lastName, email, and so on.
I've been trying to test the IdP Login since yesterday, but it keeps loading infinitely because apparently the ACS URL (https://jackson-demo.boxyhq.com/) is offline. Any predictions of normality?
When my SP makes this authn redirect request (line breaks added for clarity):
https://mocksaml.com/api/saml/sso?
SAMLRequest=nJJBj9MwEIX%2FiuV7YieUJbE2kcpWiEoLVNvCgdvEmWwtYjt4JsDy61GbRSqXCu3R9nwz73neLYEfJ7Oe%2BRge8PuMxOKXHwOZ00Mj5xRMBHJkAngkw9bs1x%2FuTZlrA0SY2MUgL5DpOjOlyNHGUYrtppGuz2pti27o6je1fm2Hqi46WNXVCiscVjd9NUDRwQAFSvEFE7kYGlnmWoot0YzbQAyBG1nq8lWmy6woDsWNKVem1Hmhy69SbJDYBeAzeWSeyCjlo%2F12Epvb6BVMTp0OiihKsf5r6i4Gmj2mPaYfzuLnh%2FuFN0qN0cJ4jMS549%2BPuUdT6UovTcCSFLtnl29d6F14vP4l3VJE5v3hsMt2n%2FYH2Z7XYs4ek3gXkwe%2B3uR04%2FpsOJcaDOz4Sbb%2FodcjQw8Mt%2BpiZPsci4%2FgcbvZxdHZpxfI4ASBHAaWYj2O8eddQmBsJKcZpWqXkf%2BGr%2F0TAAD%2F%2Fw%3D%3D
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
&Signature=auEkgD83piMUaxm%2BetHGmxDHpQV9b3t9CLxriYGdmklSH5ZH8aWku4zeFz8sEtZoAA6JiXLkEAIKbEQfee%2BsX70g%2FhVjPC9w%2BVTGjBbbJd98CEgtSvDWMB9AsfEtPw59kO5mux%2BcSuAXyfRberO96vcjF4X5WF27wA7A7qDT6RwkzK7V%2BQ0%2FesVDu1AGJkXNUJZv9EjZOtEnOymlPgLufpAlD5dPnR99Ktf3G1bJT7KDWi9V1TTizq5xr6rA5%2BocVnHEZN7ZPiCcGZfgtbjCJ0ZIkMpGG6ciZoPW00w00fXPRcdB%2BGIJuQT%2BXbiHYhzMHl3y7UMAZ7FVgkaRqmzJ%2BQ%3D%3D
Then the response page only shows "Error: Missing signature".
FWIW I identified this section of code as the origin of that response (lines 34 to 40 in b6f2e89).
From the saml-bindings-2.0 specification, section 3.4.4, it states
A query string parameter named SAMLEncoding is reserved to identify the encoding mechanism used. If
this parameter is omitted, then the value is assumed to be
urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE
As such, DEFLATE is the mechanism in play, which then is discussed in section 3.4.4.1. Item 1 of XML serialization states:
Any signature on the SAML protocol message, including the ds:Signature XML element itself,
MUST be removed
which is what the SAML authentication library that I am using does. That seems to be a mismatch with the expectation of the code referenced above, but I might be missing some broader context of the code.
Further in 3.4.4.1 the block that starts:
If the underlying SAML protocol message is signed with an XML signature [XMLSig], the URL-encoded
form of the message MUST be signed as follows:
You'll note that the URL I attempted, shown above, includes SigAlg and Signature, but they don't seem to be considered by the request processing.
I'm trying to integrate Mock SAML into my Keycloak application.
I am downloading the metadata file available on the website and importing it into my Keycloak using the flow:
Identity Providers > Add provider > SAML v2.0 > Disable "Use entity descriptor" and import the XML file that I downloaded from Mock SAML.
However, when I try to log in, I get the login timeout message.
Searching the internet, I saw cases where there was a time difference on the Keycloak server caused by Docker, and people solved it by increasing the time in "Allowed clock skew", in Keycloak. However, I have already closed and opened my Docker several times, I have tried different values in "Allowed clock skew" but the problem persists.
Has anyone ever experienced this? Does anyone know what the problem could be?
My Keycloak version is 21.1.2
Currently login is simulated, but to test things like ForceAuthn we should log the user in via a session and then provide a logout functionality. If the user is logged in they should be taken directly through, skipping the current login screen.
Some SAML SPs are looking for FriendlyName in the Attribute properties in the SAML Response, rather than Name:
<saml:Attribute Name="firstName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
Is there a way to set this property to FriendlyName? If not, could this be set as an .env var?
...
USE_ATTRIBUTE_FRIENDLYNAME=true
...
We want to use the mocker to entirely automate the login process. Thus we use a combination of MockMvc / RestTemplate to
This would test the entire SAML flow without any e2e testing tool and ensure the configuration/filter/provider and so forth are all correctly set up (that's the motivation / value).
Could you give us a hint how to do the part '4.' (anything else is no issue).
If you could share some ideas, this would be awesome!
The login page is prerendered (rendered to HTML) during build time. This means the query params will be missing in the initial client render and will be set only after hydration. We need to handle this intermediate state using the isReady boolean from next/router. More details can be found here. You can see this happening by turning on network throttling in devtools.
In the metadata here, WantAuthnRequestsSigned is set to false:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2033-01-12T02:54:41.843Z">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
but in utils\request.ts's extractSAMLRequestAttributes a certificate is needed:
const publicKey = result['samlp:AuthnRequest']['Signature']
? result['samlp:AuthnRequest']['Signature'][0]['KeyInfo'][0]['X509Data'][0]['X509Certificate'][0]
: null;
if (!publicKey) {
throw new Error('Missing signature');
}
Hi,
Integrated mock-saml for 2 of our products. One is working fine, and for the other product, when hitting the login URL page, it is showing the
Error: Invalid signature
Could you please help me resolve this issue?
Note: In the server log, I can see it is generating the SP metadata file, which is fine, but afterwards there are no other errors.
Hi, thanks for the app. Helps a lot.
I am just learning how SSO works with ReactJS, with Laravel as a backend.
The flow that I made is kinda like this:
ReactJS -> Pop Up SSO Mocksaml -> Everything Good ->
Laravel listens -> Share success to websocket with some users data ->
ReactJS Receives
But currently, ReactJS listens to all channels that the websocket has.
I want to be able to decide which channels each client listens to by generating some custom attribute before hitting the SSO login link.
Is it possible to send a custom attribute request to the login SSO link so Mocksaml can send it after the success response?
Thanks!
Unable to unmarshall metadata
Hi - Just starting out with the boxyhq/mock-saml Docker image, so it may be a configuration error:
When I go to the app's login page (mapped to port 8000), I'm redirected to the SAML container's login page (mapped to port 4000):
After changing the ACS link to my local app instance, clicking 'Sign In' yields an 'Error in getting SAML response' error, and the console reports a 500 Error at the container's /api/saml/auth endpoint, followed up with a JS Syntax Error: [Error] SyntaxError: Can't create duplicate variable: 'contentOriginal', which looks like it's in a versioned login.js file:
From the documentation, I believe I have everything set up properly (but happy to provide additional details if it would be helpful) - any help appreciated.
Test steps:
Expected:
npm run build should run with no issues.
Actual:
I see the below in our logs.
added 327 packages, and audited 328 packages in 23s
[2023-09-09T06:13:38.133Z] 99 packages are looking for funding
[2023-09-09T06:13:38.133Z] run `npm fund` for details
[2023-09-09T06:13:38.134Z] 1 moderate severity vulnerability
[2023-09-09T06:13:38.134Z] To address all issues, run:
[2023-09-09T06:13:38.134Z] npm audit fix
[2023-09-09T06:13:38.134Z] Run `npm audit` for details.
[2023-09-09T06:13:38.134Z] npm notice
[2023-09-09T06:13:38.134Z] npm notice New major version of npm available! 9.6.7 -> 10.1.0
[2023-09-09T06:13:38.134Z] npm notice Changelog: <https://github.com/npm/cli/releases/tag/v10.1.0>
[2023-09-09T06:13:38.134Z] npm notice Run `npm install -g [email protected]` to update!
[2023-09-09T06:13:38.134Z] npm notice
[2023-09-09T06:13:38.134Z] > [email protected] build
[2023-09-09T06:13:38.134Z] > next build
[2023-09-09T06:13:38.134Z] Attention: Next.js now collects completely anonymous telemetry regarding usage.
[2023-09-09T06:13:38.134Z] This information is used to shape Next.js' roadmap and prioritize features.
[2023-09-09T06:13:38.134Z] You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
[2023-09-09T06:13:38.134Z] https://nextjs.org/telemetry
[2023-09-09T06:13:38.389Z] - info Linting and checking validity of types...
[2023-09-09T06:13:44.925Z] Failed to compile.
[2023-09-09T06:13:44.925Z] ./pages/_app.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/api/saml/auth.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/api/saml/metadata/index.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/api/saml/sso.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/index.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./pages/saml/login.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./components/Footer.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./components/Header.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./components/Layout.tsx
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] ./lib/env.ts
[2023-09-09T06:13:44.925Z] Error: Parsing error: DeprecationError: 'originalKeywordKind' has been deprecated since v5.0.0 and can no longer be used. Use 'identifierToKeywordKind(identifier)' instead.
[2023-09-09T06:13:44.925Z] info - Need to disable some ESLint rules? Learn more here: https://nextjs.org/docs/basic-features/eslint#disabling-rules
Note: This was working for us on Aug 25 but started to fail on the Sept 1 run. We run this test only on the weekends. I am working around it by downloading https://github.com/boxyhq/mock-saml/archive/refs/tags/v1.1.2.tar.gz and using that. Not sure if there is something else I should be doing if I want to run with the latest?