___ ___ _ _ | \/ | (_)(_) | . . | _ _ _ _ _ __ __ _ | |\/| || | | || || || '_ \ / _` | | | | || |_| || || || | | || (_| | \_| |_/ \__,_|| ||_||_| |_| \__,_| _/ | |__/ Mock Identity and Service Provider using OpenSAML
Mujina
Mujina mocks a SAML2 Identity and Service Provider (IdP & SP). Almost all characteristics of either the IdP or SP can be configured on-the-fly using a REST API. This approach removes the need for special test configuration sets in your set-up. Thus, Mujina makes testing your stack a breeze! Mujina can be used in combination with test suites like Selenium or Jmeter to automate authentication testing for your applications.
Mujina is used to test the SURFconext middleware which enables Dutch educational services to use cloud based SAAS-services. SURFconext also exposes a REST API for Service Providers to offer the end-user context about the groups and memberships of the user (typically students, researchers and educational advisors). Mujina SP and IdP can be used to test the SURFconext cloud broker capabilities. The OAuth playground - part of the REST API component - can be used to test the SURFconext REST API (or any other OAuth compliant API like Google, Twitter, Facebook or Foursquare).
Features
-
A SAML2 complient Identity Provider. The IdP will authenticate known users, providing known attributes to the SP. A REST api allows for the 'just-in-time' manipulation of:
- user credentials (either a specific username & password or allow any username and password)
- user role
- any user attributes
- signing certificate
- entityID
- ACS endpoint
-
A SAML2 complient Service Provider. The SP displays the attributes as these were recieved from an IdP. A REST api allows for the 'just-in-time' manipulation of:
- entityID
- signing certificate
- sso Service URL
Defaults
The default Identity Provider configuration is as follows:
- The Entity ID is "http://mock-idp"
- It has a user with login "admin" and password "secret" with roles ROLE_USER and ROLE_ADMIN
- It has a user with login "user" and password "secret" with role ROLE_USER
- It has the following attributes. Attributes are always stored as lists. Even when they contain a single value.
- "urn:mace:dir:attribute-def:uid" is "john.doe"
- "urn:mace:dir:attribute-def:cn" is "John Doe"
- "urn:mace:dir:attribute-def:givenName" is "John"
- "urn:mace:dir:attribute-def:sn" is "Doe"
- "urn:mace:dir:attribute-def:displayName" is "John Doe"
- "urn:mace:dir:attribute-def:mail" is "j.doe@example.com"
- "urn:mace:terena.org:attribute-def:schacHomeOrganization" is "example.com"
- "urn:mace:dir:attribute-def:eduPersonPrincipalName" is "j.doe@example.com"
- "urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1" is "guest"
- There is a default certificate and private key available
- By default the ACS endpoint should be provided by the SP as an attribute in the AuthnRequest. If the ACS endpoint is set using the IdP api this is not neccesary. Use of the api overrides values set in AuthnRequests
The default Service Provider configuration is as follows:
- The Entity ID is "http://mock-sp"
- There is a default certificate and private key available
In this document you will find some examples for overriding the default configuration. After you override configuration you can go back to the default using the reset API.
Build Mujina
Maven 3 is needed to build and run Mujina.
The build dependencies are hosted on https://build.surfconext.nl/repository/public/ (and will be fetched automatically by Maven).
Run the IDP using jetty
mvn clean install
cd mujina-idp
mvn jetty:run
Then, go to https://localhost:8443/ or http://localhost:8080/
Run the SP using jetty
mvn clean install
cd mujina-sp
mvn jetty:run
Then, go to http://localhost:9090/. You will be redirected to the IdP, where you can login with username admin and password secret.
Changing port numbers
Both the SP and IDP can be made to bind to a different tcp/ip port:
mvn jetty:run -DhttpPort=8082 -DhttpsPort=8444
Resetting the IDP
This API is available on both the IDP and the SP.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X POST \
http://localhost:8080/api/reset
Changing the entityID
This API is available on both the IDP and the SP.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X PUT -d '{"value": "myEntityId"}' \
http://localhost:8080/api/entityid
Changing the signing credentials (Both IDP and SP)
This API is available on both the IDP and the SP. The certificate should be in PEM format. The key should be in base64 encoded pkcs6 DER format.
export CERT=MIICHzCCAYgCCQD7KMJ17XQa7TANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJO\
TDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEQMA4GA1UECgwH\
U3VyZm5ldDEPMA0GA1UECwwGQ29uZXh0MB4XDTEyMDMwODA4NTQyNFoXDTEzMDMw\
ODA4NTQyNFowVDELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNV\
BAcMB1V0cmVjaHQxEDAOBgNVBAoMB1N1cmZuZXQxDzANBgNVBAsMBkNvbmV4dDCB\
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2slVe459WUDL4RXxJf5h5t5oUbPk\
PlFZ9lQysSoS3fnFTdCgzA6FzQzGRDcfRj0HnWBdA1YH+LxBjNcBIJ/nBc7Ssu4e\
4rMO3MSAV5Ouo3MaGgHqVq6dCD47f52b98df6QTAA3C+7sHqOdiQ0UDCAK0C+qP5\
LtTcmB8QrJhKmV8CAwEAATANBgkqhkiG9w0BAQUFAAOBgQCvPhO0aSbqX7g7IkR7\
9IFVdJ/P7uSlYFtJ9cMxec85cYLmWL1aVgF5ZFFJqC25blyPJu2GRcSxoVwB3ae8\
sPCECWwqRQA4AHKIjiW5NgrAGYR++ssTOQR8mcAucEBfNaNdlJoy8GdZIhHZNkGl\
yHfY8kWS3OWkGzhWSsuRCLl78A==
export KEY=MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANrJVXuOfVlAy+EV8SX+YebeaFGz\
5D5RWfZUMrEqEt35xU3QoMwOhc0MxkQ3H0Y9B51gXQNWB/i8QYzXASCf5wXO0rLuHuKzDtzEgFeT\
rqNzGhoB6launQg+O3+dm/fHX+kEwANwvu7B6jnYkNFAwgCtAvqj+S7U3JgfEKyYSplfAgMBAAEC\
gYBaPvwkyCTKYSD4Co37JxAJJCqRsQtv7SyXoCl8zKcVqwaIz4rUQRVN/Hv3/WjIFzqB3xLe4mjN\
YBIF31YWt/6ZslaLL5YJIXISrMgDuQzPKL8VqvvsH9XEpi/qSUsVAWa9Vaqqwa8JTPELK8QhHKaX\
TxGtatEuW1x6kSNXFCoasQJBAPUaYdj9oCDOGTaOaupF0GB6TIgIItpQESY1Dfpn4cvwB0jH8wBJ\
SBVeBqSa6dg4RI5ydD3J82xlF7NrQnvWpYkCQQDkg26KzQckoJ39HX2gYS4olSeQDAyIDzeCMkj7\
McDhigy0cL6k9nOQrKlq6V3vkBISTRg7JceJ4z3QE00edXWnAkEAoggv2WBJxIYbOurJmVhP2gff\
oiomyEYYIDcAp6KXLdffKOkuJulLIv0GzTiwEMWZ5MWbPOHN78Gg+naU/AM5aQJBALfbsANpt4eW\
28ceBUgXKMZqS+ywZRzL8YOF5gaGH4TYSCSeWiXsTUtoQN/OaFAqAQBMm2Rrn0KoXcGe5fvN0h0C\
QQDgNLxVcByrVgmRmTPTwLhSfIveOqE6jBlQ8o0KyoQl4zCSDDtMEb9NEFxxvI7NNjgdZh1RKrzZ\
5JCAUQcdrEQJ
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X POST -d "{\"certificate\": \"$CERT\",\"key\":\"$KEY\"}" \
http://localhost:8080/api/signing-credential
Setting attribute foo to bar (e.g. urn:mace:dir:attribute-def:foo to bar)
This API is only available on the IDP. Note: An attribute is always a list.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X PUT -d '{"value": ["bar"]}' \
http://localhost:8080/api/attributes/urn:mace:dir:attribute-def:foo
Removing an attribute
This API is only available on the IDP.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X DELETE \
http://localhost:8080/api/attributes/urn:mace:dir:attribute-def:foo
Adding a user
This API is only available on the IDP.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X PUT -d '{"name": "hacker", "password": "iamgod", "authorities": ["ROLE_USER", "ROLE_ADMIN"]}' \
http://localhost:8080/api/users
Setting the authentication method
This API is only available on the IDP.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X PUT -d '{"value": "ALL"}' \
http://localhost:8080/api/authmethod
Setting the Assertion Consumer Service (ACS) endpoint
This API is only available on the IDP.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X PUT -d '{"url": "https://my_sp.no:443/acsendpoint_path"}' \
http://localhost:8080/api/acsendpoint
The authentication method API has two possible values.
- USER
- ALL
The default setting is USER. This setting requires a valid user to be known in Mujina's IdP.
The ALL setting allows any username and password combination. As a side effect, the urn:mace:dir:attribute-def:uid attribute is set to the username each time a user logs in.
Setting the SSO Service URL
This API is only available on the SP.
curl -v -H "Accept: application/json" \
-H "Content-type: application/json" \
-X PUT -d '{"value": "http://localhost:8080/SingleSignOnService/vo:test"}' \
http://localhost:9090/api/ssoServiceURL