This is an implementation of a simple Service Provider(SP) for testing single sign-on (SSO) and single logout (SLO) for the following protocols:
- WS-Federation (WS-Fed)
- SAML
- OIDC
For this purpose, it uses the following software stack:
- Spring Boot
- Spring Security
- Apache CXF Fediz for WS-Fed, and PAC4J for SAML and OIDC
It's purpose is to provide a resource to test an IdP's implementation of those protocols, or to test the setup of such an IdP. This client has the following restrictions:
- It is only used for passive requestors (i.e browsers).
- WS-Fed doesn't specify the token format, leaving the choice free to the implementation. This test client currently supports SAML 1.1 and SAML 2 tokens.
- TODO: NOTE RESTRICTIONS FOR SAML AND OIDC
This test client was initially developed to be used to test the WS-Fed module for Keycloak and was later expanded to include OIDC and SAML. Therefore, all configuration examples use Keycloak as reference. However, this test client should work with any implementation of the supported protocols.
Simply package with maven: mvn clean package. The result is an executable jar containing all necessary dependencies.
To create the image, run the following command after the build: docker build -t idp-test-client .
To create the container (and start it), run the following command : docker run -d -p 7000:7000 -t idp-test-client
To open a shell inside the running container : docker run -it <container_name> sh
The configuration uses the following files: a keystore, a fediz configuration file, a SAML IDPSSODescriptor xml file, and an application properties file.
The keystore is used to store the public key of the IdP, as well as the public-private key pair of the client.
A local keystore, localstore.jks is provided, which is used both for the WS-Fed and SAML protocols. It is possible to
specify other keystores to use (up to two, for WS-Fed and SAML) by modifying the references in the fediz_config.xml
and application.properties.
The fediz configuration file contains the configuration of the client and of the IdP. The description of the
configuration file is provided here, and the provided
fediz_configuration file is the reference configuration for this test client. It is commented to describe each element
of the configuration.
The SAML IDPSSODescriptor xml file contains the configuration of the IdP for the SAML client. For Keycloak, this can be automatically generated from the configuration page of the SAML client, on the installation tab.
The application properties file is used for the general application configuration, the configuration for the use of the SAML protocol, and for the use of the OIDC protocol. In this file we also specify which of the three protocols (WS-Fed, SAMl or OIDC) will be used to secure the test client. It is commented to describe each element of the configuration.
All configuration values can be set before building, or after building by editing the files from within the resulting jar. It is also possible set other files and values with command line options (see below).
The application can only use a single protocol to protect its resource at run time, but of course it is possible to run
the application multiple time to simulate multiple test clients. The protocol is selected using the
connection.protocol value, set in the application.properties file. By default it is set to WS-Fed.
Note that the normally the Fediz library provides configuration metadata for the IdP for the WS-Fed protocol at
http[s]://<host>:<port>/<context>/FederationMetadata/2007-06/FederationMetadata.xml, or by default in our case:
http://localhost:7000/FederationMetadata/2007-06/FederationMetadata.xml, but currently this is not working.
After building, run the resulting jar with java -jar IdPTestClient.jar from the directory the jar was built to, or by replacing the IdPTestClient.jar by the path to that jar file.
Any configuration element of the application.properties can be modified at runtime by appending a value with the
format --<PROPERTY.NAME>=<VALUE>. For example, the port can be set to 9000 --server.port=9000.
As the paths to all the other configuration files are specified in the application.properties, meaning that the
application can be fully configured even with a built jar by specifying the properties and properties files when running
the application. For example, the path to a fediz configuration file can be specified by adding
--fediz.configFilePath=</PATH/TO/FILE>.
After running, go to the address being listened to (by default http://localhost:7000). The first link on the page will
redirect to http://localhost:7000/secured, which is protected by IdP access. Once accessed, one can view information
on the token provided by the IdP for verification purposes.
It is also possible to to a single logout by using the second link on initial page, which by default is at
http://localhost:7000/singleLogout. For WS-Fed and SAML, this leads to a logout page after the automatic logout, but
currently for OIDC it leads back to the base page.