Quick... give me a SAML Service Provider to test with!
Did you ever encounter the scenario where you have to show a SAML integration working and you (or your customer/partner) doesn't have a demo/test SAML application available?
Silly question... of course you did!
While there are cloud services out there that offer trial/test instances they are usually time limited and you have to go thru the process of requesting such a trial - not impossible but certainly an annoyance. The time restriction (e.g. 30 days) also means your demo system will need to be reconfigured every month and you have to go thru the process again to get a new test instance... doable but certainly not pretty.
Because of all of this we created a simple SAML service provider and deployed it on a host that is accessible from anywhere.
Feel free to use it yourself, tell your colleagues and friends, customers, partners...
If you can't wait to start, here is the URL: https://sptest.iamshowcase.com
The site itself should have all the instructions needed but just in case you need some hand-holding here are more detailed descriptions and instructions.
What the demo site does
The demo site acts as a SAML service provider and supports IDP and SP initiated SSO.
Once you configured everything correctly you can federate into the demo SP and see things like the user ID (SAML Subject), attributes (if any...) and more. If you want you can also get the raw SAML assertion from the page.
This is what you'll get:
The site is responsive - meaning it should work fine on any device and scale accordingly. Great for demos from your phone/tablet!
OK, the site won't win any design awards but that wasn't the goal anyway.
Getting IDP initiated SSO working
IDP initiated SSO only requires that you download the metadata from the demo SP and import it into your IDP and configure whatever needs to be configured on your side.
The start page of the demo site has the download link for the metadata.
For RSA SecurID Access here is what you need to do:
1. Create a SAML application
Give it a cool name.
"Demo SAML Application" is what I chose. I'm not cool.
2. Import the SP metadata
Click the "Import Metadata" button on the "Connection Profile" section and import the metadata file from the demo SP you download previously.
It'll fill out a couple of things like the ACS URL and SP Entity ID.
Just accept the defaults.
3. Set other configuration parameters
Set the "Connection URL" to https://sptest.iamshowcase.com and select the "IDP-initiated" radio button.
This makes sure that when you click on the link in the portal, the IDR will send you to the SP with a SAML Assertion. Don't worry... SP initiated SSO will work too but more on that later.
Create (or re-use) a certificate bundle.
Set the User Identity to whatever you like. The SP doesn't really care. EMail is fine but if you like to send something else feel free to do so.
In my example I chose "Attribute Hunting" as I have two LDAP directories setup.
You can also send any other attributes over - in my example I chose to send "Firstname" and "Lastname". You can send whatever you like and name the attributes to your liking too.
Finally select the policy this app should be protected with, publish the changes and Bob's your uncle.
Log into the portal with a user that has access to the newly created application. You should see the icon you chose.
You should see something similar to this (depending on the screen resolution it might look slightly differently):
Scroll down and you'll see further information like the NameID and NameID format as well as the attributes:
... and your IDP entity ID, timing information and the raw SAML assertion in case you want to take a closer look:
Getting SP initiated SSO working
OK, IDP initiated SSO works but 9/10 times somebody will ask for SP initiated SSO. Rightfully so!
To get SP initiated SSO working you need to first export the IDP metadata and import it into the demo SP site.
You can upload the metadata file on the start page of the demo site.
Once you did that you'll be presented with a screen that shows you your unique logon URL:
That URL (e.g. https://sptest.iamshowcase.com/ixs.jsp?idp=cie8348382093) you need to remember. Copy it and make a bookmark out of it.
If you hit that URL the demo SP will send a SAML Authentication Request to your IDP which in turn will respond with a SAML Assertion. You might have to log into the IDP if you don't have a session there already.
That is how the "IDP discovery" is done - similar to what e.g. Google or SFDC do. They also provide unique login URLs that will trigger an AuthNRequest.
After a successful SAML SSO transaction you can also logout and click on the link to the protected page again - it'll trigger a SAML AuthNRequest again.
Should you forget/loose the URL simply re-upload the metadata again and the same URL will be displayed again.
Is it secure?
We do not store any part of your metadata except the ACS URL of the IDP - that is what we use to create that unique login URL.
We do not store your subject names, attributes etc.
We do also not validate the SAML signature - at least in the current release. This is a demo site and not really concerned about security. So if you send a SAML assertion with a invalid signature don't expect it to trigger any alarms.