Mock IDP

Ever needed to test an SSO setup but don't have access to the IDP for whatever reason?

Mock IDP provides a SAML2.0 IDP using POST bindings without need for a user database or complicated enterprise software setup.

Prerequisites

Mock-idp requires python 3.6 and pip

Installation

Install and run mock-idp using Pip:

$ pip3 install mock-idp
$ mock-idp
...

Configuration File

To override the system configuration create a config file. The service loads config files in the following order:

mockidp.yaml in the current working directory
~/.mockidp.yaml in your home directory
/etc/mockidp.yaml in the global config directory
internal default config file shipped with the service package

Here is a sample (copy of built-in config) file to start with:

service_providers:
  - name: "local:service:author"
    response_url: "http://localhost:3000/saml_login"

users:
  charlie:
    first_name: "Charlie"
    last_name: "Brown"
    email: "charlie@gmail.com"
    password: snoopy
  linus:
    first_name: "Linus"
    last_name: "van Pelt"
    email: "linus@gmail.com"
    password: pumpkin
  lucy:
    password: charlie
    first_name: "Lucy"
    last_name: "van Pelt"
    email: "lucy@gmail.com"
  peppermint:
    first_name: "Peppermint"
    last_name: "Patty"
    email: "peppermint@gmail.com"
    password: peppermint

Service providers

For each service provider (client) that uses the identity provider, an entry in the service providers section of the config is needed. It has two values:

service_providers:
  - name: "local:aem:author"
    response_url: "http://localhost:14502/saml_login"

name is the service provider entity id that the service provider sends with each request.
response_url is the public url of the service provider. Once login has been completed, the browser will be redirected to this url.

Users

Users is a fairly self explanatory list of user credentials recognized by the IDP:

users:
  charlie:
    first_name: "Charlie"
    last_name: "Brown"
    email: "charlie@gmail.com"
    password: snoopy
    roles:
      - administrators

Configuring a generic Service Provider

Mock-IDP supports the POST binding protocol of SAML2.0.
By default mock-idp runs on port 5000 and the binding path is /saml.
the response message provides four attributes:
- uid: The username
- email: the user email address
- firstName: The users first name
- lastName: The users last name
The logout path is /saml/logout

Certificate keys

To generate a service provider Certificate, run the following commands:

$ openssl genrsa -out saml.pem 2048
$ openssl req -new -key saml.pem -out saml.csr
$ openssl x509 -req -days 365 -in saml.csr -signkey saml.pem -out saml.crt

This will produce three files:

saml.pem - The private key
saml.csr - The certificate signing request
saml.crt - The final certificate

Refer to your service provider documentation on how to install the certificate.

Running using Docker

Import local config into a docker container

To run the base config just start the service and map port 5000

$ docker run -p 5000:5000 bjornskoglund/mock-idp:0.4.0

Provided you have produced your config file containing service providers and user account information. You can inject into a docker container by the following:

$ docker run -p 5000:5000 -v <absolute path to your config>.yaml:/usr/local/mock-idp/mockidp.yaml bjornskoglund/mock-idp

Copy the cert/cert.pem file into your Service Provider (SP), and be sure that the ISSUER (entity id) provided by the SP matches the name: of the Service Provider in your config.

Development

Setup

Install pipenv with pip to handle dependencies

$ pip3 install pipenv

then install environment

$ pipenv install

Run from source:

$ PYTHONPATH=. pipenv run bin/mock-idp
...

All system config is located in mockidp/resources/default_config.yaml.

Compatibility

Mock-IDP has been tested with the following service providers

Adobe Experience Manager (AEM) 6.2
Node.js - saml2-js package

bjorns / mock-idp

readme