{"id":32438784,"url":"https://github.com/mcguinness/saml-sp","last_synced_at":"2025-10-26T00:52:58.025Z","repository":{"id":27053448,"uuid":"30518819","full_name":"mcguinness/saml-sp","owner":"mcguinness","description":"Simple Service Provider (SP) for SAML 2.0 Web SSO and Relying Party (RP) for WS-Federation","archived":false,"fork":false,"pushed_at":"2023-03-04T02:27:57.000Z","size":326,"stargazers_count":49,"open_issues_count":13,"forks_count":27,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-04-11T06:54:48.751Z","etag":null,"topics":["federation","saml","saml-service-provider","samlp","sso","testing","ws-federation"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mcguinness.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-02-09T04:37:31.000Z","updated_at":"2024-03-06T18:33:21.000Z","dependencies_parsed_at":"2023-01-14T05:53:47.029Z","dependency_job_id":null,"html_url":"https://github.com/mcguinness/saml-sp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mcguinness/saml-sp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcguinness%2Fsaml-sp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcguinness%2Fsaml-sp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcguinness%2Fsaml-sp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcguinness%2Fsaml-sp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mcguinness","downlo
ad_url":"https://codeload.github.com/mcguinness/saml-sp/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mcguinness%2Fsaml-sp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281043404,"owners_count":26434444,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-25T02:00:06.499Z","response_time":81,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["federation","saml","saml-service-provider","samlp","sso","testing","ws-federation"],"created_at":"2025-10-26T00:52:48.278Z","updated_at":"2025-10-26T00:52:58.017Z","avatar_url":"https://github.com/mcguinness.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Introduction\n\nThis app provides a simple test Service Provider (SP) for [SAML 2.0 Web Browser SSO Profile](http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile) or Relying Party (RP) for [WS-Federation Passive Requestor Profile](http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223175002)\n\nThe following SAML 2.0 WebSSO features are supported:\n\n- Authentication Request\n  - Signatures (SHA1 or SHA256)\n  - HTTP-POST or HTTP-Redirect Bindings\n- Authentication Context Class\n  - NameID Format\n  - ForceAuthn\n  - Dynamic AssertionConsumerServiceURL\n- Assertion Consumer Service\n  - Signature 
Verification with Public Key Certificate or Thumbprint\n  - HTTP-POST Binding\n  - Encrypted Assertions\n- SAML Single Logout Service\n  - Signatures (SHA1 or SHA256)\n  - HTTP-POST Binding for Responses\n  - HTTP-POST or HTTP-Redirect Bindings for Requests\n- SAML Metadata\n  - Auto-configuration with IdP Metadata\n  - Publish SP Metadata\n\nThe following WS-Federation features are supported:\n\n- Security Token Service Response\n  - Signature Verification with Public Key Certificate or Thumbprint\n  - Encrypted Assertions\n- Federation Metadata\n  - Auto-configuration with IdP Metadata\n  - Publish RP Metadata\n\n\n# Installation\n\n`npm install`\n\n## Usage\n\n### Dynamic IdP Configuration from IdP Metadata (Recommended)\n\n`node bin/server.js --idpMetaUrl {url}`\n\n\u003e The default protocol is SAMLP if metadata supports both SAMLP and WS-Federation\n\n#### Example\n\n`node bin/server.js --idpMetaUrl https://example.okta.com/app/exkikd6nFJIdpcrZR0g3/sso/saml/metadata`\n\n### Static IdP Configuration with Certificate\n\n`node bin/server.js --iss {issuer} --idpSsoUrl {url} --idpCert {pem}`\n\n#### Example\n\n`node bin/server.js --iss http://www.okta.com/exknnoOGPcwWSnKUK0g3 --idpSsoUrl https://example.okta.com/app/example_saml/exknnoOGPcwWSnKUK0g3/sso/saml --idpCert ./idp-cert.pem`\n\n### Static IdP Configuration with SHA1 Thumbprint\n\n`node bin/server.js --iss {issuer} --idpSsoUrl {url} --idpThumbprint {sha1}`\n\n#### Example\n\n`node bin/server.js --iss http://www.okta.com/exknnoOGPcwWSnKUK0g3 --idpSsoUrl https://example.okta.com/app/example_saml/exknnoOGPcwWSnKUK0g3/sso/saml --idpThumbprint 77:87:4A:86:18:B3:CB:44:C2:EB:68:1B:77:0B:1D:F6:4A:0E:88:E7`\n\n\n### Options\n\n`node bin/server.js  --help`\n\n```\nOptions:\n  --version                      Show version number                                                                                                       [boolean]\n  --settings                     Path to JSON config file\n  --port, -p          
           Web Server listener port                                                                        [number] [required] [default: 7070]\n  --protocol                     Federation Protocol                                                                          [string] [required] [default: \"samlp\"]\n  --idpIssuer, --iss             IdP Issuer URI                                                                                [string] [default: \"urn:example:idp\"]\n  --idpSsoUrl                    IdP Single Sign-On Service URL (SSO URL)                                                                                   [string]\n  --idpSsoBinding                IdP Single Sign-On AuthnRequest Binding         [string] [required] [default: \"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"]\n  --idpSloUrl                    IdP Single Logout Service URL (SLO URL) (SAMLP)                                                                            [string]\n  --idpSloBinding                IdP Single Logout Request Binding (SAMLP)       [string] [required] [default: \"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"]\n  --idpCert                      IdP Public Key Signing Certificate (PEM)                                                                                   [string]\n  --idpThumbprint                IdP Public Key Signing Certificate SHA1 Thumbprint                                                                         [string]\n  --idpMetaUrl                   IdP SAML Metadata URL                                                                                                      [string]\n  --audience, --aud              SP Audience URI / RP Realm                                                                     [string] [default: \"urn:example:sp\"]\n  --providerName                 SP Provider Name                                                                 [string] [default: \"Simple SAML Service Provider\"]\n  --acsUrls       
               SP Assertion Consumer Service (ACS) URLs (Relative URL)                                 [array] [required] [default: [\"/saml/sso\"]]\n  --signAuthnRequests, --signed  Sign AuthnRequest Messages (SAMLP)                                                             [boolean] [required] [default: true]\n  --signatureAlgorithm           Signature Algorithm                                                                                [string] [default: \"rsa-sha256\"]\n  --digestAlgorithm              Digest Algorithm                                                                                       [string] [default: \"sha256\"]\n  --requestNameIDFormat          Request Subject NameID Format (SAMLP)                                                                     [boolean] [default: true]\n  --validateNameIDFormat         Validate format of Assertion Subject NameID                                                               [boolean] [default: true]\n  --nameIDFormat, --nameid       Assertion Subject NameID Format                        [string] [default: \"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\"]\n  --requestAuthnContext          Request Authentication Context (SAMLP)                                                                    [boolean] [default: true]\n  --authnContextClassRef, --acr  Authentication Context Class Reference      [string] [default: \"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\"]\n  --spCert                       SP/RP Public Key Signature \u0026 Encryption Certificate (PEM)          [string] [default: \"/Users/karl/src/saml-sp/config/sp-cert.pem\"]\n  --spKey                        SP/RP Private Key Signature \u0026 Decryption Certificate(PEM)           [string] [default: \"/Users/karl/src/saml-sp/config/sp-key.pem\"]\n  --httpsPrivateKey              Web Server TLS/SSL Private Key (PEM)                                                                                       [string]\n  
--httpsCert                    Web Server TLS/SSL Certificate (PEM)                                                                                       [string]\n  --https                        Enables HTTPS Listener (requires httpsPrivateKey and httpsCert)                                          [boolean] [default: false]\n  --relayState, --rs             Default Relay State                                                                                                        [string]\n  --help                         Show help                                                                                                                 [boolean]\n```\n\n### Passing key-pairs from environment variables\n\nkey-pairs can also be passed from environment variables.\n\n```\nnode bin/server.js --iss {issuer} --idpSsoUrl {url} --idpCert=\"$SAML_IDP_CERT\" --spCert=\"$SAML_SP_CERT\" --spKey=\"$SAML_SP_KEY\"\n```\n\n# SAML 2.0 SSO Protocol\n\nThe SAML 2.0 protocol is specified with `--protocol samlp` (default)\n\n## Identity Provider Settings\n\nThe IdP settings needed for federation can be auto-configured via IdP SAML Metadata.  
If IdP SAML metadata is not available you can manually specify service endpoints, binding, and signing credentials.\n\n\u003e If you need an IdP to test with, use  [Simple Identity Provider (IdP) for SAML 2.0](https://github.com/mcguinness/saml-idp) for all your end-to-end SAML 2.0 Web Browser SSO flows!\n\n### Endpoints\n\nEndpoints               | Argument        | Default\n----------------------- | --------------- | --------------------------------------------------------\nSSO Service URL         | `idpSsoUrl`     |\nSSO Service Binding     | `idpSsoBinding` | `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`\nSLO Service  URL        | `idpSloUrl`     |\nSLO Service Binding     | `idpSloBinding` | `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`\n\n### Response/Assertion Signing Certificate\n\nYou must specify the public key certificate with the `idpCert` or SHA1 thumbprint with `idpThumbprint` argument to validate the SAMLResponse message from the IdP.\n\n## Service Provider Settings\n\nYou need to create a SAML trust in your SAML IdP for the SP web app.  The following settings are required and can be customized via command-line arguments or within the `/settings` page.\n\n### Audience (EntityID)\n\nThe default SP audience is `urn:example:sp`.  You can change this with the `--aud` argument.\n\n### Binding\n\nThe Service Provider only supports the HTTP-POST binding for the Assertion Consumer Service\n\nService                    | Binding       | URL\n-------------------------- | ------------- | --------------------------------------------------------\nAssertion Consumer Service | HTTP-POST     | `http://localhost:port/saml/sso` (Default)\nSingle Logout Service      | HTTP-POST     | `http://localhost:port/saml/slo`\n\nYou can specify additional endpoints (relative paths) for the Assertion Consumer Service with the `acsUrls` argument.  The first ACS URL in the array (e.g. acsUrls[0]) is used by default for AuthnRequests.  
You can select any configured ACS URL for requests with the `/login?acsUrl=/path` query param or by going to the settings page in the SP and selecting the default ACS URL.\n\n### Request Signing Certificate\n\nYou should generate a self-signed certificate for the SP.\n\n    openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Service Provider' -keyout /config/sp-key.pem -out /config/sp-cert.pem -days 7300\n\nThis key-pair will be used to sign SAML AuthnRequest and LogoutRequest messages generated by the Service Provider.  You can disable AuthnRequest message signatures with the `signAuthnRequests` argument.  LogoutRequest messages always require signatures.\n\n### Decryption Private Key\n\nThe Service Provider uses the same key-pair for signatures and decryption.  Configure the IdP to encrypt SAML assertions with this same signing certificate; the SP decrypts them with the matching `spKey` private key.\n\n### SAML Metadata\n\nService Provider SAML metadata is available on `http://localhost:port/metadata`\n\n# WS-Federation Protocol\n\nThe WS-Federation protocol is specified with `--protocol wsfed`\n\n## Identity Provider Settings\n\nThe IdP settings needed for federation can be auto-configured via IdP Metadata.  If IdP metadata is not available you can manually specify service endpoints, binding, and signing credentials.\n\n### Endpoints\n\nEndpoints                      | Argument        | Default\n------------------------------ | --------------- | --------------------------------------------------------\nIdP Passive Requestor Endpoint | `idpSsoUrl`     |\n\n### Assertion Signing Certificate\n\nYou must specify the public key certificate with the `idpCert` or SHA1 thumbprint with `idpThumbprint` argument to validate the SAML 2.0 security token returned from the IdP.\n\n## Relying Party Settings\n\nYou need to create a federation trust in your IdP/STS for the RP web app.  The following settings are required and can be customized via command-line arguments or within the `/settings` page.\n\n### Realm (Audience)\n\nThe default RP realm/audience is `urn:example:sp`.  You can change this with the `--aud` argument.\n\n### Binding\n\nThe Relying Party only supports the HTTP-POST binding for the Security Token Response Endpoint.\n\nService                          | Binding       | URL\n-------------------------------- | ------------- | --------------------------------------------------------\nSecurity Token Response Endpoint | HTTP-POST     | `http://localhost:port/saml/sso`\n\n### Decryption Private Key\n\nConfigure the IdP to encrypt SAML assertions with the RP's signing certificate; the RP decrypts them with the matching `spKey` private key.\n\n### RP Metadata\n\nRelying Party SAML metadata is available on `http://localhost:port/metadata`\n\n# Web Server\n\nYou can customize the port and optionally provide a TLS/SSL certificate for the Service Provider to enable HTTPS.\n\n## HTTP URL Routes\n\nThe web app hosts the following URL routes:\n\nRoute       | Description\n----------- | --------------------------------------------------------\n`/profile`  | Displays the user profile for the authenticated user\n`/login`    | Initiates an SSO request to the IdP\n`/logout`   | Attempts to log out via SAML SLO if configured, otherwise just destroys the user's active session\n`/settings` | Service Provider settings\n`/saml/sso` | SSO Assertion Consumer Service / Security Token Service Response Passive Endpoint\n`/saml/slo` | SLO endpoint\n`/metadata` | Service Provider/Relying Party Metadata endpoint\n\n## HTTPS\n\nSpecify the `https` argument to enable TLS, along with the public key certificate and private key in PEM format.\n\n```\nnode bin/server.js --https --httpsCert {cert} --httpsPrivateKey {key}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmcguinness%2Fsaml-sp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmcguinness%2Fsaml-sp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmcguinness%2Fsaml-sp/lists"}