Add support for multiple IdPs to the SamlTest testapp

Makes testing against Multiple IdPs much simpler to setup and configure

Author: timlegge

.gitignore

@@ -21,3 +21,4 @@ xt/testapp/sign-certonly-dsa.pem
 xt/testapp/sign-nopw-cert-dsa.pem
 xt/testapp/sign-private-dsa.pem
 Release-*
+xt/testapp/IdPs/*/*

xt/testapp/IdPs/.keep

@@ -33,7 +33,7 @@ Access http://localhost:3000
 
 ### Run lighttpd to proxy https to the Saml2Test application
 
-Many SAML2 Identity Providers will not allow the application (Service Provider) URL to be http and force you to specify https to use SAML2.  lighttpd is used to listen on port 443 and use https protocol so that the Identity Provider can redirect or POST to a https site.  lighttpd then proxies that communication to the Dancer application listening on port 3000.
+Many SAML2 Identity Providers will not allow the application (Service Provider) URL to be http and forces you to specify https to use SAML2.  lighttpd is used to listen on port 443 and use https protocol so that the Identity Provider can redirect or POST to a https site.  lighttpd then proxies that communication to the Dancer application listening on port 3000.
 
    1. cd xt/testapp
    2. sudo lighttpd -D -f lighttpd.conf
@@ -42,11 +42,15 @@ Note that the command requires sudo to allow it to use the default https port of
 
 TODO: maybe change it to use 8443
 
-### Create your metadata.xml file
+### Create your metadata.xml and cacert.pem file
 
-Download the metadata for you configured application from your Identity Provider and save it to:
+The testapp now supports a simplified automatic configuration for testing against multiple Identity Providers (IdPs).
 
-    xt/testapp/metadata.xml
+   1. Simply create a directory in xt/testapp/IdPs for the name of the IdP (eg. google)
+   2. Download the metadata from your IdP and save it as IdPs/google/metadata.xml
+   3. Download the cacert.pem from the IdP and save it as IdPs/google/cacert.pem
+
+The index page will automatically list each configured Identity Provider as a link to initiate login against that IdP.
 
 ### Run lighttpd to deliver metadata.xml
 
@@ -55,7 +59,7 @@ Net::SAML2 requires access to a URL containing the metadata.  The simplest metho
    1. cd xt/testapp
    2. lighttpd -D -f lighttpd-metadata.conf
 
-The metadata has been configured to be available at: http://localhost:8880/metadata.xml.
+The metadata has been configured to be available at: http://localhost:8880/metadata.xml.  The simplified IdP configuration will automatically access the metadata.xml at http://localhost:8880/IdPs/googlee/metadata.xml (if you followed the instructions above and created the google directory in xt/testapp/IdPs)
 
 Note that the configuration attempts to only deliver a file named metadata.xml from the xt/testapp directory.  There are no guarantees - this is a test application so verify your own security.
 

xt/testapp/README.md

@@ -2,7 +2,7 @@ layout: "main"
 #logger: "console"
 appname: "Saml2Test"
 charset: "UTF-8"
-
+template: "template_toolkit"
 idp: "http://localhost:8880/metadata.xml"
 issuer: "https://netsaml2-testapp.local"
 url: "https://netsaml2-testapp.local"

xt/testapp/config.yml

@@ -16,14 +16,41 @@ Demo app to show use of Net::SAML2 as an SP.
 use Dancer ':syntax';
 use Net::SAML2;
 use MIME::Base64 qw/ decode_base64 /;
+use File::Slurper qw/ read_dir /;
 
-our $VERSION = '0.1';
+our $VERSION = '0.2';
 
 get '/' => sub {
-    template 'index';
+    if ( ! -x './IdPs' ) {
+        return "<html><pre>You must have a xt/testapp/IdPs directory</pre></html>";
+    }
+    my @dirs = read_dir('./IdPs');
+    my @idps;
+    for my $dir (sort @dirs) {
+        if ( $dir eq '.keep' ) { next ; }
+        my %tempidp;
+        $tempidp{'idp'} = $dir;
+        if ( -f "./IdPs/$dir/cacert.pem" ) {
+            $tempidp{'cacert'} = 'exists';
+        } else {
+            $tempidp{'cacert'} = 'missing';
+        }
+        if ( -f "./IdPs/$dir/metadata.xml" ) {
+            $tempidp{'metadata'} = 'exists';
+        } else {
+            $tempidp{'metadata'} = 'missing';
+        }
+        push @idps, \%tempidp;
+    }
+
+    template 'index', { 'idps' => \@idps };
 };
 
 get '/login' => sub {
+    my $tokens = shift;
+
+    config->{cacert} = 'IdPs/' . params->{idp} . '/cacert.pem';
+    config->{idp} = 'http://localhost:8880/IdPs/' . params->{idp} . '/metadata.xml';
     my $idp = _idp();
     my $sp = _sp();
     my $authnreq = $sp->authn_request(
@@ -86,7 +113,7 @@ get '/logout-soap' => sub {
         cert	 => 'sign-nopw-cert.pem',
         url	 => $slo_url,
         idp_cert => $idp_cert,
-        cacert   => 'saml_cacert.pem',
+        cacert   => config->{cacert},
     );
 
     my $res = $soap->request($logoutreq);
@@ -97,7 +124,7 @@ get '/logout-soap' => sub {
 
 post '/consumer-post' => sub {
     my $post = Net::SAML2::Binding::POST->new(
-        cacert => 'saml_cacert.pem',
+        cacert => config->{cacert},
     );
     my $ret = $post->handle_response(
         params->{SAMLResponse}
@@ -226,7 +253,7 @@ sub _sp {
 sub _idp {
     my $idp = Net::SAML2::IdP->new_from_url(
         url    => config->{idp},
-        cacert => 'saml_cacert.pem',
+        cacert => config->{cacert},
         sls_force_lcase_url_encoding => config->{sls_force_lcase_url_encoding},
         sls_double_encoded_response => config->{sls_double_encoded_response}
     );

xt/testapp/lib/Saml2Test.pm

@@ -24,7 +24,7 @@ $HTTP["host"] != "localhost" {
 
 $HTTP["host"] == "localhost" {
 
-    $HTTP["url"] !~ "^/metadata.xml" {
+    $HTTP["url"] !~ "metadata.xml" {
         url.access-deny = ("")
     }
     url.access-deny = ("disable")

xt/testapp/lighttpd-metadata.conf

@@ -8,7 +8,7 @@ use Dancer::Test;
 
 route_exists [GET => '/'], 'a route handler is defined for /';
 response_status_is ['GET' => '/'], 200, 'response status is 200 for /';
-response_content_like [GET => '/'], qr/Log In/s,
+response_content_like [GET => '/'], qr/Login with/s,
     'content looks OK for /';
 
 done_testing;

xt/testapp/t/002_index_route.t

@@ -1,3 +1,22 @@
-<p><a href="/metadata.xml">SP Metadata</a></p>
+    <% if idps.size >= 1 %>
+        <h2>Login with:</h2>
+    <ul>
+        <% FOREACH provider IN idps %>
+            <li><h3><a href ="/login?idp=<% provider.idp %>"><% provider.idp %> </a>
+            <% if provider.metadata == 'missing' %>metadata missing <% end %>
+            <% if provider.cacert == 'missing' %>cacert missing<% end %>
+            </h3>
+        <% END %>
+    </ul>
+    <% else %>
+        <h2>No Identity Providers (IdP) found!</h2>
+        <h3>Configure an Idp</h3>
+        <ol>
+            <li>Simply create a directory in xt/testapp/IdPs for the name of the IdP (eg. <i>google</i>)
+            <li>Download the metadata from your IdP and save it to IdPs/<i>google</i>/metadata.xml
+            <li>Download the cacert.pem from the IdP and save it to IdPs/<i>google</i>/cacert.pem
+        </ol>
+    <% end %>
+
+    <h2>Download SP <a href="/metadata.xml">Metadata</a></h2>
 
-<p><a href="/login">Log In</a></p>

xt/testapp/views/index.tt

@@ -1,4 +1,4 @@
-<h1>User: <% assertion.nameid %></h1>
+<h1>NameID: <% assertion.nameid %></h1>
 
 <p><a href="/logout-redirect?nameid=<% assertion.nameid | html %>&session=<% assertion.session | html %>">Logout (redirect binding)</a></p>
 
@@ -17,25 +17,21 @@
     <td>Issuer</td>
     <td><% assertion.issuer %></td>
   </tr>
-  <tr>
-    <td>DN</td>
-    <td><% assertion.attributes.DN %></td>
-  </tr>
-  <tr>
-    <td>CN</td>
-    <td><% assertion.attributes.CN %></td>
-  </tr>
   <tr>
     <td>EmailAddress</td>
-    <td><% assertion.attributes.EmailAddress %></td>
+    <td><% assertion.attributes.EmailAddress.0 %></td>
   </tr>
   <tr>
     <td>FirstName</td>
-    <td><% assertion.attributes.FirstName %></td>
+    <td><% assertion.attributes.FirstName.0 %><% assertion.attributes.fname.0 %></td>
+  </tr>
+  <tr>
+    <td>LastName</td>
+    <td><% assertion.attributes.LastName.0 %><% assertion.attributes.lname.0 %></td>
   </tr>
   <tr>
     <td>Address</td>
-    <td><% assertion.attributes.Address %></td>
+    <td><% assertion.attributes.Address.0 %></td>
   </tr>
   <tr>
     <td>Phone</td>
@@ -45,5 +41,4 @@
     <td>EmployeeNumber</td>
     <td><% assertion.attributes.EmployeeNumber %></td>
   </tr>
-  <% end %>
 </table>