added more help on readme and renamed certificates to prevent mistakes with picking wrong key
mcguinness committed Feb 12, 2015
1 parent 78ec969 commit 6769268
Showing 4 changed files with 77 additions and 18 deletions.
90 changes: 75 additions & 15 deletions README.md
@@ -1,23 +1,82 @@
Simple SAMLP Identity Provider for node.js.
# Introduction

This app provides a simple Identity Provider (IdP) to test SAML 2.0 Service Providers (SPs) with the [SAML 2.0 Web Browser SSO Profile](http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile).

> **This sample is not intended for use with production systems!**
## Installation

npm install
bower install

> [Bower](http://bower.io/), a front-end package manager, can be installed with `npm install -g bower`
## Introduction
### Usage

This app provides a simple Identity Provider (IdP) to test SAML 2.0 Service Providers (SPs) with the [SAML 2.0 Web Browser SSO Profile](http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile)
node app.js --acs {POST URL} --aud {audience}

Open `http://localhost:7000` in your browser to start an IdP initiated flow to your SP

> SAML attribute mappings currently default to [Okta (Inbound SAML)](developer.okta.com)
#### Example

## Usage
node app.js --acs https://foo.okta.com/auth/saml20/example --aud https://www.okta.com/saml2/service-provider/spf5aFRRXFGIMAYXQPNV

node app.js --acs {POST URL} --aud {audience}
#### Options

### Example
Most parameters can be defined with the following command-line arguments:

node app.js --acs https://foo.okta.com/auth/saml20/example --aud https://www.okta.com/saml2/service-provider/spf5aFRRXFGIMAYXQPNV
```
--port, -p Web Server Listener Port [required] [default: 7000]
--issuer, --iss IdP Issuer URI [required] [default: "urn:example:idp"]
--acsUrl, --acs SP Assertion Consumer URL [required]
--audience, --aud SP Audience URI [required]
--relayState, --rs Default SAML RelayState for SAMLResponse
--disableRequestAcsUrl, --static Disables ability for SP AuthnRequest to specify Assertion Consumer URL [default: false]
--encryptionCert, --encCert SP Certificate (pem) for Assertion Encryption
--encryptionPublicKey, --encKey SP RSA Public Key (pem) for Assertion Encryption (e.g. openssl x509 -pubkey -noout -in sp-cert.pem)
--httpsPrivateKey Web Server TLS/SSL Private Key (pem)
--httpsCert Web Server TLS/SSL Certificate (pem)
--https Enables HTTPS Listener (requires httpsPrivateKey and httpsCert) [required] [default: false]
```

# IdP SAML Settings

## Issuer

The default IdP issuer is `urn:example:idp`. You can change this with the `--iss` argument.

## Binding

Both SSO POST and Redirect bindings are available on the same endpoint which by default is `http://localhost:7000`

Binding | URL
------------- | --------------------------------------------------------
HTTP-Redirect | `http://localhost:port`
HTTP-POST | `http://localhost:port`

> http://localhost:port/idp will also work if your SP has weird URL validation rules
## Signing Certificate

A self-signed 2048-bit certificate is already generated and part of this project.

Parameter | |
---------------------- | ------------------------------------------------------------|
Public Key Certificate | `idp-public-cert.pem`
Format | `PEM`
SHA1 Fingerprint | `84:EA:56:58:95:24:AE:57:88:9D:B3:63:ED:65:30:1F:E2:5C:5B:B8`

> **DO NOT USE** `idp-private-key.pem` in your SP. This is the private key used by the IdP to sign SAML messages
>
> **DO NOT USE** this certificate on a production system! [Generate your own keypair](https://devcenter.heroku.com/articles/ssl-certificate-self) and replace this test key-pair if you want to use this sample against a production system.
You can use openssl to view additional details on the certificate

`openssl x509 -in idp-public-cert.pem -text -noout -fingerprint`

## SAML Metadata

IdP SAML metadata is available on http://localhost:port/metadata

## Assertion Statement Mappings

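Review bot: the paragraph `You can use openssl to view additional details on the certificate` follows the `> **DO NOT USE**` blockquote with no blank line between them, so Markdown lazy continuation will render that sentence as part of the warning quote; add an empty line after the last `>` line so the warning stands on its own. Separately, the options table documents `--disableRequestAcsUrl, --static ... [default: false]`, which means that out of the box an incoming AuthnRequest can override the `--acs` value and have the assertion delivered to a URL of its choosing; that is acceptable for a test IdP, but the Usage section should say so in one sentence, because a tester who points this at a real SP may not expect the ACS to be request-controlled. Minor: the Binding table and the metadata line use the literal placeholder `http://localhost:port` while the option table gives the default as 7000; `http://localhost:7000` (or `{port}`) would be clearer.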
@@ -27,15 +86,16 @@ Property | SAML Attribute Name
------------- | --------------------------------------------------------
userName | Subject NameID
nameIdFormat | Subject NameID Format
firstName | 'FirstName'
lastName | 'LastName'
displayName | 'DisplayName'
email | 'Email'
mobilePhone | 'MobilePhone'
groups | 'Groups'
firstName | `FirstName`
lastName | `LastName`
displayName | `DisplayName`
email | `Email`
mobilePhone | `MobilePhone`
groups | `Groups`

> The default user profile is specified in `config.js`
> The default user profile is specified in `config.js`
> SAML attribute mappings currently default to [Okta (Inbound SAML)](developer.okta.com)
## Assertion Encryption

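Review bot: the added line `> SAML attribute mappings currently default to [Okta (Inbound SAML)](developer.okta.com)` has no scheme in its link target, so GitHub renders it as a relative link under the repository URL rather than to Okta; use `https://developer.okta.com`. The same line also sits directly under `> The default user profile is specified in `config.js`` with no separator, so the two `>` lines render as a single blockquote paragraph; put a bare `>` line between them or leave a blank line so they become two quotes.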
5 changes: 2 additions & 3 deletions app.js
@@ -117,7 +117,6 @@ var argv = yargs
argv.httpsPrivateKey = fs.readFileSync(argv.httpsPrivateKey).toString();
argv.httpsCert = fs.readFileSync(argv.httpsCert).toString();
}

})
.check(function(argv, aliases) {
var hasFormat = function(file, header) {
@@ -179,8 +178,8 @@ console.log();

var idpOptions = {
issuer: argv.issuer,
cert: fs.readFileSync(path.join(__dirname, 'server-cert.pem')),
key: fs.readFileSync(path.join(__dirname, 'server-key.pem')),
cert: fs.readFileSync(path.join(__dirname, 'idp-public-cert.pem')),
key: fs.readFileSync(path.join(__dirname, 'idp-private-key.pem')),
audience: argv.audience,
recipient: argv.acsUrl,
destination: argv.acsUrl,
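Review bot: the signing pair is still loaded from fixed paths, `path.join(__dirname, 'idp-public-cert.pem')` and `path.join(__dirname, 'idp-private-key.pem')`, so the README's advice to "replace this test key-pair" can only be followed by overwriting files inside the checkout; consider exposing them as `--cert`/`--key` options next to `--httpsCert`/`--httpsPrivateKey`, which already go through `fs.readFileSync(...).toString()` in the yargs block above. The `hasFormat(file, header)` helper declared in the `.check()` callback also looks like the right place to verify that the certificate file carries a certificate header and the key file a private-key header, so that the swapped-file mistake this rename is meant to prevent fails at startup with a usage error instead of an exception from `readFileSync` or a signing failure later.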
File renamed without changes.
File renamed without changes.
