
Saml2Test testapp

Timothy Legge edited this page Jan 19, 2023 · 2 revisions

Introduction

The git repository for Perl's Net::SAML2 CPAN module includes a test application (testapp) that implements a SAML2 Service Provider (SP); it is used to test Net::SAML2 against multiple Identity Providers (IdPs).

Over the last few releases the testapp has been improved to make it easier to test Net::SAML2 against multiple IdPs. Adding a new IdP is simple:

Adding a new IdP to the testapp

  1. Add a new directory to the xt/testapp/IdPs directory (the name of the IdP, ex. shibboleth)
  2. Copy the IdP's metadata to the new directory (ex. xt/testapp/IdPs/shibboleth/metadata.xml)
  3. Copy the IdP's cacert to the new directory (ex. xt/testapp/IdPs/shibboleth/cacert.pem)
  4. Create an attribute mapping config for the IdP if needed (ex. xt/testapp/IdPs/shibboleth/mappings.yml)
  5. The new IdP configuration will automatically show up on the index page of the testapp.
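The steps above typed into a shell, as an added example that is not part of the Net::SAML2 repository: a small script that scaffolds the IdP directory, copies the three files under the names testapp expects, and refuses obviously wrong input (a bad IdP name, a metadata file with no EntityDescriptor/IDPSSODescriptor, a cacert that is not PEM text). The checks are structural only; `TESTAPP_ROOT`, `add_idp`, `list_idps` and the helper names are this example's own, and the default root of `.` assumes you run it from a Net::SAML2 checkout.

```shell
#!/bin/sh
# Added example, not code from the Net::SAML2 project.
# Scaffold xt/testapp/IdPs/<name> and sanity-check the files before
# running testapp. File names follow the wiki page: metadata.xml,
# cacert.pem and (optional) mappings.yml.

# Assumed: the Net::SAML2 checkout; override with TESTAPP_ROOT=/path.
TESTAPP_ROOT="${TESTAPP_ROOT:-.}"

# check_metadata FILE: structural check that FILE looks like SAML2 IdP
# metadata (an EntityDescriptor carrying an IDPSSODescriptor).
check_metadata() {
    grep -q 'EntityDescriptor' "$1" && grep -q 'IDPSSODescriptor' "$1"
}

# check_pem FILE: structural check that FILE is PEM certificate text.
check_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1"
}

# add_idp NAME METADATA CACERT [MAPPINGS]
# Creates xt/testapp/IdPs/NAME, copies the files in, prints the new
# directory on success and returns non-zero on any problem.
add_idp() {
    name="$1"; metadata="$2"; cacert="$3"; mappings="$4"
    # The name becomes a path component: reject empty names, slashes and "..".
    case "$name" in
        ''|*/*|*..*) echo "add_idp: bad IdP name '$name'" >&2; return 1 ;;
    esac
    dir="$TESTAPP_ROOT/xt/testapp/IdPs/$name"
    check_metadata "$metadata" || {
        echo "add_idp: $metadata does not look like IdP metadata" >&2; return 1; }
    check_pem "$cacert" || {
        echo "add_idp: $cacert is not a PEM certificate" >&2; return 1; }
    mkdir -p "$dir" || return 1
    cp "$metadata" "$dir/metadata.xml" || return 1
    cp "$cacert"   "$dir/cacert.pem"   || return 1
    if [ -n "$mappings" ]; then
        cp "$mappings" "$dir/mappings.yml" || return 1
    fi
    echo "$dir"
}

# list_idps: print the IdP names testapp will pick up for its index page
# (one per directory under xt/testapp/IdPs that holds a metadata.xml).
list_idps() {
    for d in "$TESTAPP_ROOT"/xt/testapp/IdPs/*/; do
        [ -f "$d/metadata.xml" ] && basename "$d"
    done
}

# Usage: sh add_idp.sh shibboleth /path/metadata.xml /path/cacert.pem [mappings.yml]
if [ "$#" -ge 3 ]; then
    add_idp "$@"
fi
```

After a successful run, `list_idps` shows the new name alongside the IdPs already configured, which is what the testapp index page will display.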

Initiating an Authentication Request

Simply clicking on the link for an IdP performs a SAML2 HTTP-Redirect to the IdP to allow you to log on.

[Screenshot: 2023-01-16 22-42-43]

After you successfully log on, the IdP initiates a SAML2 callback to the testapp application which processes the SAML2 assertion and displays the user attributes.

Currently the testapp only supports HTTP-Redirect to initiate a login request, but there are plans to support other binding methods.

The testapp supports multiple binding types for the response, including:

  1. HTTP-POST
  2. SOAP

The logged-in page displays a dynamic message specifying the login method (for example "Successful Login via POST") to tell you how the IdP communicated with the testapp Service Provider.

Initiating a LogoutRequest

Many IdPs support different Bindings for a LogoutRequest. The logged-in page dynamically displays the supported Logout options for each IdP.

[Screenshot: User Logged in Page]

Upon Logout, the index page displays a dynamic message that specifies the Logout method (for example "Successful logout via: SOAP").

[Screenshot: Successful Logout]

Testing with testapp

Currently testapp has been used to test against the following IdPs:

  1. Auth0 (requires Net::SAML2 >=0.39)
  2. Azure (Microsoft Office 365)
  3. GSuite (Google)
  4. Jump
  5. Keycloak
  6. Okta
  7. OneLogin
  8. PingIdentity (requires Net::SAML2 >=0.54)
  9. samltest
  10. shibboleth

If you are testing against multiple IdPs, it is a good idea to configure them to exercise different Binding/Response methods. A number of the providers listed above only support POST responses; Keycloak and Shibboleth, however, also support SOAP and SOAP-Artifact.