Production Support #92

Closed
mjwheatley opened this issue Mar 21, 2024 · 1 comment
@mjwheatley
I noticed this disclaimer in your README.

This sample is not intended for use with production systems!

I was wondering if you could possibly explain why. What modifications would be needed in order to make this production ready? Are there any other libraries or examples that could be used in a production environment?

@mcguinness
Owner

This is just a tool to simulate an IdP actor with the SAML 2.0 SSO protocol that enables you to generate whatever SAML AuthnResponse or Assertion you want to test your SP implementation. The production disclaimer is that if you establish SAML trust between an IdP hosted by this tool and your production system then "here be dragons" and you need to fully understand the security implications and have implemented all necessary mitigations such as ensuring the private key is secure and unique for your trust relationship, the IdP endpoints are not accessible by the public, the IdP can't perform account takeovers for valid production users, etc. This project was designed to help the build/test phase of development, where these concerns are local to your test environment, and it is the 100% opposite of secure by design: it's insecure by design.
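The mitigations the owner lists are things the relying party has to enforce, because a tool like this will happily mint any assertion it is asked for. The following is an added example (not code from saml-idp or its author) of the trust checks an SP applies before accepting an assertion: it rejects unsigned assertions, pins the signing certificate to the one configured for that IdP (a valid signature by any other key is still a rejection), and checks Issuer, the NotBefore/NotOnOrAfter window, the AudienceRestriction, and that the asserted subject falls inside the accounts this IdP is allowed to speak for (so a test IdP cannot assert a production user). The certificate bytes, the trust-policy values and the assertion builder are constructed for the example; the SignatureValue is a placeholder, and the cryptographic XML-DSig verification (canonicalisation, digest, signature) is assumed to be done by a library and is not reimplemented here.

```python
"""SP-side trust checks for a SAML 2.0 assertion (added example; constructed input)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the IdP's DER certificate bytes (not a real X.509
# certificate); in practice the SP pins the certificate taken from IdP metadata.
SAMPLE_CERT_DER = b"CONSTRUCTED-CERT-BYTES-FOR-THE-TEST-IDP"


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


# Hypothetical per-IdP trust policy held in the SP's own configuration.
TRUST_POLICY = {
    "issuer": "urn:example:test-idp",             # only this Issuer is accepted
    "cert_sha256": fingerprint(SAMPLE_CERT_DER),  # only this signing cert is accepted
    "audience": "urn:example:my-sp",              # the SP's own entityID
    "name_id_suffix": "@test.example",            # accounts this IdP may assert
    "clock_skew": timedelta(minutes=2),
}


def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def build_assertion(issuer="urn:example:test-idp", audience="urn:example:my-sp",
                    name_id="alice@test.example", signed=True,
                    not_on_or_after=None, cert_der=SAMPLE_CERT_DER):
    """Constructs a minimal assertion, as a test IdP would, for the checks below."""
    now = datetime.now(timezone.utc)
    not_before = now - timedelta(minutes=1)
    not_on_or_after = not_on_or_after or now + timedelta(minutes=5)
    signature = ""
    if signed:  # SignatureValue is a placeholder; see the note in check_assertion
        cert_b64 = base64.b64encode(cert_der).decode()
        signature = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                     '<ds:SignatureValue>placeholder</ds:SignatureValue>'
                     '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + cert_b64 +
                     '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="_c1" Version="2.0" IssueInstant="' + ts(now) + '">'
            '<saml:Issuer>' + issuer + '</saml:Issuer>' + signature +
            '<saml:Subject><saml:NameID>' + name_id + '</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="' + ts(not_before) +
            '" NotOnOrAfter="' + ts(not_on_or_after) + '">'
            '<saml:AudienceRestriction><saml:Audience>' + audience + '</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')


def check_assertion(xml_text, policy=TRUST_POLICY, now=None):
    """Returns the reasons to reject the assertion; an empty list means accept."""
    now = now or datetime.now(timezone.utc)
    skew = policy["clock_skew"]
    failures = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not a saml:Assertion"]

    # Unsigned assertions are rejected outright. The cryptographic check
    # (canonicalisation, reference digest, SignatureValue) is assumed to be
    # done by an XML-DSig library; what this adds is the pin, so that a valid
    # signature by any certificate other than the configured one still fails.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        failures.append("assertion is not signed")
    else:
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                            default="", namespaces=NS).strip()
        if not cert:
            failures.append("no signing certificate in KeyInfo")
        elif fingerprint(base64.b64decode(cert)) != policy["cert_sha256"]:
            failures.append("signing certificate is not the one pinned for this IdP")

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != policy["issuer"]:
        failures.append("issuer %r is not the configured IdP" % issuer)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        failures.append("assertion carries no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and parse_ts(nb) - skew > now:
            failures.append("assertion is not yet valid")
        if noa is None:
            failures.append("assertion has no NotOnOrAfter (unbounded lifetime)")
        elif parse_ts(noa) + skew <= now:
            failures.append("assertion has expired")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if policy["audience"] not in audiences:
            failures.append("audience %r does not include this SP" % audiences)

    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id.endswith(policy["name_id_suffix"]):
        failures.append("subject %r is outside the accounts this IdP may assert" % name_id)
    return failures


if __name__ == "__main__":
    print("valid:", check_assertion(build_assertion()))
    print("unsigned:", check_assertion(build_assertion(signed=False)))
    print("wrong subject:", check_assertion(build_assertion(name_id="admin@prod.example")))
```

The subject-suffix rule is the piece that addresses the "account takeover" point: an IdP that is trusted only for one population of accounts must not be able to assert identities outside it, however well-formed and well-signed the assertion is. The certificate pin covers "secure and unique private key per trust relationship" from the SP side; it does nothing about the IdP's endpoints being reachable, which has to be handled at the network layer.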
