Authservices StubIdp Improvements: AttributeStatements and User Lists

This is an announcement of two new related features in the Authservices SAML2 StubIdp, AttributeStatements and user lists.

AttributeStatements

Until now the only identification-related element supported by the StubIdp was the Subject NameID.
In many SAML2 installations additional data, like roles and full name, are included as AttributeStatements. This has been supported by the AuthServices library, but it has not been possible to generate test data with the StubIdp.
Now we have implemented a dynamic list of AttributeStatements in the StubIdp.

You can enter statements like this:

(screenshot: additional-attributes)

resulting in the following Assertion in the Saml2Response:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
				 Version="2.0"
				 ID="_46d82d7c-a080-4ca3-b3ba-021148ac7133"
				 IssueInstant="2015-06-29T07:54:39Z"
				 >
	<saml2:Issuer>http://localhost:52071/Metadata</saml2:Issuer>
	<saml2:Subject>
		<saml2:NameID>AdminAlmighty</saml2:NameID>
		<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
	</saml2:Subject>
	<saml2:Conditions NotOnOrAfter="2015-06-29T07:56:39Z" />
	<saml2:AttributeStatement>
		<saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
			<saml2:AttributeValue>Administrator</saml2:AttributeValue>
			<saml2:AttributeValue>root</saml2:AttributeValue>
		</saml2:Attribute>
	</saml2:AttributeStatement>
	<saml2:AttributeStatement>
		<saml2:Attribute Name="SpecialPowers">
			<saml2:AttributeValue>All of them</saml2:AttributeValue>
		</saml2:Attribute>
	</saml2:AttributeStatement>
</saml2:Assertion>

(Captured with the Firefox plugin SAML Tracer)
The AttributeStatements will appear as claims on System.Security.Claims.ClaimsPrincipal.Current.Claims in your C# code.

(screenshot: adm-claims-debugger)

Let the content of the above response serve as a reminder to make sure you only trust the production IdPs in your production environment.
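The reminder above can be made concrete. The following is an added example written for this post, not code from AuthServices or the StubIdp: it parses the assertion shown above into the same (type, value) claim pairs that end up on the ClaimsPrincipal, and refuses any assertion whose Issuer is not on the service provider's own allow-list of production IdP entity IDs. The mapping of the NameID to the .NET ClaimTypes.NameIdentifier URI is an assumption made for the illustration, and the allowed-issuer set is a constructed placeholder.

```python
# Added example (not AuthServices or StubIdp code): map a saml2:Assertion to
# claims and enforce an issuer allow-list so stub assertions are rejected.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Assumed mapping: NameID surfaces as the standard .NET NameIdentifier claim.
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample: the assertion captured from the StubIdp above.
STUB_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_46d82d7c-a080-4ca3-b3ba-021148ac7133"
    IssueInstant="2015-06-29T07:54:39Z">
  <saml2:Issuer>http://localhost:52071/Metadata</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>AdminAlmighty</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
  </saml2:Subject>
  <saml2:Conditions NotOnOrAfter="2015-06-29T07:56:39Z" />
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml2:AttributeValue>Administrator</saml2:AttributeValue>
      <saml2:AttributeValue>root</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="SpecialPowers">
      <saml2:AttributeValue>All of them</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed placeholder: the entity IDs of the IdPs a production SP trusts.
PRODUCTION_ISSUERS = {"https://idp.example.invalid/Metadata"}


def assertion_to_claims(xml_text):
    """Return (issuer, [(claim_type, value), ...]) for one saml2:Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML2}}}Assertion":
        raise ValueError("root element is not saml2:Assertion")
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    claims = []
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    if name_id:
        claims.append((NAMEID_CLAIM, name_id))
    # Every AttributeValue becomes its own claim; repeated Names give
    # repeated claims of the same type (two role claims here).
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", namespaces=NS):
        for value in attr.findall("saml2:AttributeValue", namespaces=NS):
            claims.append((attr.get("Name"), (value.text or "").strip()))
    return issuer, claims


def accept_assertion(xml_text, trusted_issuers):
    """Return the claims only if the Issuer is on the allow-list."""
    issuer, claims = assertion_to_claims(xml_text)
    if issuer not in trusted_issuers:
        raise PermissionError(f"assertion from untrusted issuer {issuer!r}")
    return claims


def roles(claims):
    return [v for t, v in claims if t == ROLE_CLAIM]


if __name__ == "__main__":
    issuer, claims = assertion_to_claims(STUB_ASSERTION)
    print("issuer:", issuer, "roles:", roles(claims))
    try:
        accept_assertion(STUB_ASSERTION, PRODUCTION_ISSUERS)
    except PermissionError as err:
        print("rejected:", err)
```

The issuer allow-list only makes the configuration boundary visible; in a real service provider the decisive control is that assertions are accepted only when signed with the certificate registered for the configured IdP, so keeping the stub out of production means never registering it there, regardless of which roles it is willing to assert.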

User Lists

Until now the StubIdp has been useful for testing SAML2 implementations, but it has not been designed to serve as a login solution for test environments. Now we have implemented the ability to register a unique IDP within the StubIdp and supply a list of users complete with NameID and AttributeStatements.

To register a new IDP go to http://stubidp.kentor.se and click on the “create your own IDP” link. This creates a unique IDP identified by a GUID and redirects you to the manage page of the IDP. On the manage page you can define a custom description displayed at the top of your IDP page. Here you can supply a description to introduce your users to your system. You can also supply a default AssertionConsumerService URL to be used for unsolicited AuthnResponses from the StubIdp.

Finally you can supply a user list. This list will be displayed as a drop down on your IDP page, making it easy to select a user from the list to get the predefined NameID and AttributeStatements filled in. On each user you can enter a description field that is shown beside the dropdown if you want to describe the characteristics of each test user in regular text.

A sample configuration

{
  "DefaultAssertionConsumerServiceUrl": "http://www.mysystem.com/acs (optional, you may remove this line)",
  "IdpDescription": "This is my custom IDP description",
  "UserList": [
    {
      "DisplayName": "John Doe",
      "Description": "Just a regular user",
      "Assertion": {
        "NameId": "JohnDoe"
      }
    },
    {
      "DisplayName": "Admin Almighty",
      "Description": "Admin with super powers",
      "Assertion": {
        "NameId": "AdminAlmighty",
        "AttributeStatements": [
          {
            "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
            "Value": "Administrator"
          },
          {
            "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
            "Value": "root"
          },
          {
            "Type": "SpecialPowers",
            "Value": "All of them"
          }
        ]
      }
    }
  ]
}

Resulting in the following appearance in the StubIdp:

(screenshot: user-selector)

Selecting this fills in NameId and AttributeStatements as in the example above.
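To show how the flat "Type"/"Value" list in the configuration relates to the grouped Attribute elements in the assertion, here is an added example, not StubIdp code: it loads the sample user list, picks a user by DisplayName, and builds one saml2:AttributeStatement per distinct Type, with repeated Types collapsed into one Attribute carrying several AttributeValues, exactly as the two role entries appear in the captured assertion. The grouping rule is inferred from that captured output; the embedded configuration is the page's sample, shortened.

```python
# Added example (not StubIdp code): user-list entry -> saml2:AttributeStatement
# elements, grouping repeated Types into one Attribute with several values.
import json
import xml.etree.ElementTree as ET
from collections import OrderedDict

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2)

ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample: the configuration shown above, minus the optional lines.
USER_LIST_JSON = """{
  "IdpDescription": "This is my custom IDP description",
  "UserList": [
    {
      "DisplayName": "John Doe",
      "Description": "Just a regular user",
      "Assertion": { "NameId": "JohnDoe" }
    },
    {
      "DisplayName": "Admin Almighty",
      "Description": "Admin with super powers",
      "Assertion": {
        "NameId": "AdminAlmighty",
        "AttributeStatements": [
          { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Value": "Administrator" },
          { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Value": "root" },
          { "Type": "SpecialPowers", "Value": "All of them" }
        ]
      }
    }
  ]
}"""


def load_config(text):
    """Parse the user-list JSON and check the fields each user needs."""
    config = json.loads(text)
    for user in config["UserList"]:
        if "DisplayName" not in user or "NameId" not in user.get("Assertion", {}):
            raise ValueError("every user needs DisplayName and Assertion.NameId")
    return config


def find_user(config, display_name):
    for user in config["UserList"]:
        if user["DisplayName"] == display_name:
            return user
    raise KeyError(display_name)


def group_attributes(statements):
    """Collapse [{Type, Value}, ...] into {Type: [values]} keeping first-seen order."""
    grouped = OrderedDict()
    for statement in statements:
        grouped.setdefault(statement["Type"], []).append(statement["Value"])
    return grouped


def build_attribute_statements(user):
    """One saml2:AttributeStatement element per distinct Type."""
    statements = user["Assertion"].get("AttributeStatements", [])
    elements = []
    for name, values in group_attributes(statements).items():
        stmt = ET.Element(f"{{{SAML2}}}AttributeStatement")
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
        elements.append(stmt)
    return elements


def render(user):
    """Serialise the statements so they can be compared with the captured XML."""
    return [ET.tostring(e, encoding="unicode") for e in build_attribute_statements(user)]


if __name__ == "__main__":
    admin = find_user(load_config(USER_LIST_JSON), "Admin Almighty")
    for fragment in render(admin):
        print(fragment)
```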
