Mock IDP
Ever needed to test an SSO setup but don't have access to the IDP for whatever reason?
Mock IDP provides a SAML2.0 IDP using POST bindings without need for a user database or complicated enterprise software setup.
Prerequisites
Mock-idp requires Python 3.6 and pip.
Installation
Install and run mock-idp using pip:
$ pip3 install mock-idp
$ mock-idp
...
Configuration File
To override the system configuration, create a config file. The service loads config files in the following order:
- mockidp.yaml in the current working directory
- ~/.mockidp.yaml in your home directory
- /etc/mockidp.yaml in the global config directory
- the internal default config file shipped with the service package
Here is a sample file (a copy of the built-in config) to start with:
service_provider:
  name: https://<address>/sso_service_provider/<scope_id>
  response_url: https://<address>/web/api/v2.0/users/login/sso-saml2/<scope_id>
users:
  ssotestuser1:
    fullname: ssotestuser1
    email: ssotestuser1@ssotest.com
    password: ssotestuser1!
    role: Admin
  ssotestuser2:
    fullname: ssotestuser2
    email: ssotestuser2@ssotest.com
    password: ssotestuser2!
    role: Viewer
  ssotestuser3:
    fullname: ssotestuser3
    email: ssotestuser3@ssotest.com
    password: ssotestuser3!
    role: SOC
Service providers
For each service provider (client) that uses the identity provider, an entry in the service provider section of the config is needed. It has two values:
service_provider:
  name: https://<address>/sso_service_provider/<scope_id>
  response_url: https://<address>/web/api/v2.0/users/login/sso-saml2/<scope_id>
- name is the service provider entity ID that the service provider sends with each request.
- response_url is the public URL of the service provider. Once login has completed, the browser is redirected to this URL.
Users
Users is a fairly self-explanatory list of the user credentials recognized by the IDP:
users:
  ssotestuser1:
    fullname: ssotestuser1
    email: ssotestuser1@ssotest.com
    password: ssotestuser1!
    role: Admin
Configuring a generic Service Provider
- Mock-IDP supports the POST binding of SAML2.0.
- By default mock-idp runs on port 5000 and the binding path is /saml.
- The response message provides four attributes:
  - username: the username (= full_name)
  - email: the user's email address
  - full_name: the user's first name
  - role: the user's role in the management console
- The logout path is /saml/logout.
Certificate keys
To generate a service provider certificate, run the following commands:
$ openssl genrsa -out saml.pem 2048
$ openssl req -new -key saml.pem -out saml.csr
$ openssl x509 -req -days 365 -in saml.csr -signkey saml.pem -out saml.crt
This will produce three files:
- saml.pem - The private key
- saml.csr - The certificate signing request
- saml.crt - The final certificate
Refer to your service provider documentation on how to install the certificate.
Running using Docker
Import local config into a docker container
Once you have produced a config file containing your service provider and user account information, you can inject it into a Docker container as follows:
$ sudo docker run -p 5000:5000 --name idpmock -v /home/sdm/mockidp.yaml:/usr/local/mock-idp/mockidp.yaml art.sentinelone.net/s1-idp-mock/s1-idp-mock:latest
Copy the cert/cert.pem file into your service provider (SP), and make sure that the Issuer (entity ID) sent by the SP matches the name: of the service provider in your config.
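The two checks this section and the service provider section describe (the request's Issuer must equal the configured name, and the assertion must only ever be posted to the configured response_url, never to a URL the request itself asks for) can be expressed as a small validator. This is an added example, not code from mock-idp; it assumes the config has already been loaded into a dict (as yaml.safe_load would return it), and the SP address, scope ID and sample AuthnRequest are constructed placeholder values.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 protocol messages.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The sample config from above as a dict (what yaml.safe_load would return);
# <address> and <scope_id> are replaced by constructed placeholder values.
CONFIG = {"service_provider": {
    "name": "https://sp.example.test/sso_service_provider/scope1",
    "response_url": "https://sp.example.test/web/api/v2.0/users/login/sso-saml2/scope1",
}}


def build_authn_request(issuer, acs_url):
    """Constructed sample: the base64 SAMLRequest form field an SP POSTs to /saml."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="%s">'
           '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], acs_url, issuer))
    return base64.b64encode(xml.encode()).decode()


def parse_authn_request(saml_request_b64):
    """Decode a POST-binding SAMLRequest and return (issuer, acs_url)."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: " + root.tag)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return issuer, root.get("AssertionConsumerServiceURL")


def check_request(saml_request_b64, config=CONFIG):
    """Return (ok, reason): ok only if the Issuer equals the configured SP name and
    any ACS URL in the request equals the configured response_url, so the assertion
    is never posted to a URL chosen by the request instead of by the config."""
    sp = config["service_provider"]
    issuer, acs_url = parse_authn_request(saml_request_b64)
    if issuer != sp["name"]:
        return False, "issuer %r is not the configured name %r" % (issuer, sp["name"])
    if acs_url is not None and acs_url != sp["response_url"]:
        return False, "ACS URL %r differs from response_url %r" % (acs_url, sp["response_url"])
    return True, "request matches configured service provider"
```

A mismatch on either field is the symptom behind most "login completes but the SP rejects the response" reports; printing the reason from check_request tells you which config value to correct.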
Development
Setup
Install pipenv with pip to handle dependencies:
$ pip3 install pipenv
then install the environment:
$ pipenv install
Run from source:
$ PYTHONPATH=. pipenv run bin/mock-idp
...
All system config is located in mockidp/resources/default_config.yaml.
Compatibility
Mock-IDP has been tested with the following service providers:
- Adobe Experience Manager (AEM) 6.2
- Node.js - saml2-js package