{"id":23859204,"url":"https://github.com/openconext/mujina","last_synced_at":"2025-10-22T03:08:32.545Z","repository":{"id":2850209,"uuid":"3854292","full_name":"OpenConext/Mujina","owner":"OpenConext","description":"A mock IDP and SP using the OpenSAML library","archived":false,"fork":false,"pushed_at":"2024-10-28T12:16:15.000Z","size":1321,"stargazers_count":367,"open_issues_count":17,"forks_count":166,"subscribers_count":30,"default_branch":"main","last_synced_at":"2024-10-30T01:59:39.364Z","etag":null,"topics":["idp","java","mock","openconext","saml","saml2","sp","testing"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenConext.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.TXT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-03-28T11:22:53.000Z","updated_at":"2024-10-29T03:34:23.000Z","dependencies_parsed_at":"2023-02-09T19:45:16.976Z","dependency_job_id":"17e1a74d-e39a-4768-a05b-1f414360369d","html_url":"https://github.com/OpenConext/Mujina","commit_stats":{"total_commits":300,"total_committers":25,"mean_commits":12.0,"dds":0.6799999999999999,"last_synced_commit":"c73c6489481040b975e321f1c6e99bb9420e8063"},"previous_names":[],"tags_count":34,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FMujina","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FMujina/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FMujina/releases","manifests_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenConext%2FMujina/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OpenConext","download_url":"https://codeload.github.com/OpenConext/Mujina/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254355335,"owners_count":22057354,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["idp","java","mock","openconext","saml","saml2","sp","testing"],"created_at":"2025-01-03T03:32:47.570Z","updated_at":"2025-10-22T03:08:27.492Z","avatar_url":"https://github.com/OpenConext.png","language":"Java","readme":"\u003cpre\u003e___  ___        _  _\n|  \\/  |       (_)(_)\n| .  . | _   _  _  _  _ __    __ _\n| |\\/| || | | || || || '_ \\  / _` |\n| |  | || |_| || || || | | || (_| |\n\\_|  |_/ \\__,_|| ||_||_| |_| \\__,_|\n              _/ |\n             |__/\n\n  Configurable Identity and Service Provider built with OpenSAML \u0026 Java Spring Boot\n\u003c/pre\u003e\n\nMujina\n======\n\n[![Build Status](https://travis-ci.org/OpenConext/Mujina.svg)](https://travis-ci.org/OpenConext/Mujina)\n[![codecov.io](https://codecov.io/github/OpenConext/Mujina/coverage.svg)](https://codecov.io/github/OpenConext/Mujina)\n\nMujina is a SAML2 Identity and Service Provider (IdP \u0026 SP).\n\nNote that backward incompatibilities were introduced in version 5.0.0. 
If you want to migrate from pre-5 versions to the post-5 versions\nthen the following has changed:\n\n* We no longer use Tomcat, but standalone Spring Boot applications\n* The API has changed for all end-points requiring a single value (e.g. String or boolean) and only that value is required in the request body. See the API documentation below.\n\nAs of version 9.0.0 we run with Java 21.\n\nCharacteristics of both the IdP and SP can be changed at runtime with the REST API.\n\nMujina is used to test the SURFconext middleware which enables Dutch educational services to use cloud-based SaaS services.\n\nFeatures\n--------\n- A SAML2-compliant Identity Provider. The IdP will authenticate known users, providing known attributes to the SP. The REST API allows for the manipulation of:\n  * user credentials (either a specific username \u0026 password or allow any username and password)\n  * user role\n  * any user attributes\n  * signing certificate\n  * entityID\n  * ACS endpoint\n  * signature Algorithm\n\n- A SAML2-compliant Service Provider. The SP displays the attributes as these were received from an IdP. The REST API allows for the manipulation of:\n  * entityID\n  * signing certificate  \n  * SSO Service URL\n  * signature Algorithm\n\nDefaults\n--------\nThe default Identity Provider configuration is as follows:\n\n* The Entity ID is \"http://mock-idp\"\n* The signatureAlgorithm is \"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"\n* It has a user with login \"admin\" and password \"secret\" with roles ROLE_USER and ROLE_ADMIN\n* It has a user with login \"user\" and password \"secret\" with role ROLE_USER\n* It has the following attributes. Attributes are always stored as lists. 
Even when they contain a single value.\n    * \"urn:mace:dir:attribute-def:uid\" is \"john.doe\"\n    * \"urn:mace:dir:attribute-def:cn\" is \"John Doe\"\n    * \"urn:mace:dir:attribute-def:givenName\" is \"John\"\n    * \"urn:mace:dir:attribute-def:sn\" is \"Doe\"\n    * \"urn:mace:dir:attribute-def:displayName\" is \"John Doe\"\n    * \"urn:mace:dir:attribute-def:mail\" is \"j.doe@example.com\"\n    * \"urn:mace:terena.org:attribute-def:schacHomeOrganization\" is \"example.com\"\n    * \"urn:mace:dir:attribute-def:eduPersonPrincipalName\" is \"j.doe@example.com\"\n* There is a default certificate and private key available\n* By default the ACS endpoint should be provided by the SP as an attribute in the AuthnRequest.\n  If the ACS endpoint is set using the IdP API, this is not necessary. Use of the API overrides values set in AuthnRequests.\n\nThe default Service Provider configuration is as follows:\n\n* The Entity ID is \"http://mock-sp\"\n* The signatureAlgorithm is \"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"\n* There is a default certificate and private key available\n\nIn this document you will find some examples for overriding the default configuration.\nAfter you override configuration you can go back to the default using the reset API.\n\nBuild Mujina\n---------------\n\n[Maven 3](http://maven.apache.org) in combination with Java 21 is needed to build and run Mujina.\n\n```bash\ngit clone git@github.com:OpenConext/Mujina.git\ncd Mujina\nmvn clean install\n```\n\nThe build dependencies are hosted on https://build.openconext.org/repository/public/\n(and will be fetched automatically by Maven).\n\nRun the IDP\n-----------------------\n\n```bash\ncd mujina-idp\nmvn spring-boot:run\n```\n\nThen, go to http://localhost:8080/. 
If you want the application to run over HTTPS, please refer\nto the [Spring Boot docs](https://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html#howto-configure-ssl).\n\nRun the SP (in a new terminal session)\n----------------------\n\n```bash\ncd mujina-sp\nmvn spring-boot:run\n```\n\nThen, go to http://localhost:9090/. You can access the secure page and will be redirected to the IdP, where you can\nlog in with username admin and password secret.\n\n## [Private signing key and public certificate](#signing-keys)\n\nThe SAML Spring Security library needs a private DSA key / public certificate pair for the IdP / SP which can be re-generated\nif you want to use new key pairs.\n\n```bash\nopenssl req -subj '/O=Organization, CN=Mujina/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out mujina.crt -keyout mujina.pem\n```\n\nThe Java KeyStore expects a pkcs8 DER format for RSA private keys so we have to re-format that key:\n\n```bash\nopenssl pkcs8 -nocrypt  -in mujina.pem -topk8 -out mujina.der\n```\n\nRemove the whitespace, heading and footer from the mujina.crt and mujina.der:\n\n```bash\ncat mujina.der |head -n -1 |tail -n +2 | tr -d '\\n'; echo\ncat mujina.crt |head -n -1 |tail -n +2 | tr -d '\\n'; echo\n```\n\nThe above commands work on Linux distributions. 
On mac you can issue the same command with `ghead` after you install `coreutils`:\n\n```bash\nbrew install coreutils\n\ncat mujina.der |ghead -n -1 |tail -n +2 | tr -d '\\n'; echo\ncat mujina.crt |ghead -n -1 |tail -n +2 | tr -d '\\n'; echo\n```\n\nAdd the mujina key pair to the application.yml file:\n\n```yml\nidp:\n  private_key: ${output from cleaning the der file}\n  certificate: ${output from cleaning the crt file}\n\nsp:\n  private_key: ${output from cleaning the der file}\n  certificate: ${output from cleaning the crt file}\n```\n\nResetting the IDP\n-----------------\n\nThis API is available on both the IDP and the SP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X POST \\\n        http://localhost:8080/api/reset\n```\n\nChanging the entityID\n---------------------\n\nThis API is available on both the IDP and the SP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d \"myEntityId\" \\\n        http://localhost:8080/api/entityid\n```\n\nSetting the Signature Algorithm\n-------------\n\nThis API is available on both the IDP and the SP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d \"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" \\\n        http://localhost:9090/api/signatureAlgorithm\n```        \n\nChanging the signing credentials (Both IDP and SP)\n--------------------------------\n\nThis API is available on both the IDP and the SP.\nThe certificate should be in PEM format.\nThe key should be in base64 encoded pkcs6 DER format.\n\n```bash\nexport 
CERT=MIICHzCCAYgCCQD7KMJ17XQa7TANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJO\\\nTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEQMA4GA1UECgwH\\\nU3VyZm5ldDEPMA0GA1UECwwGQ29uZXh0MB4XDTEyMDMwODA4NTQyNFoXDTEzMDMw\\\nODA4NTQyNFowVDELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNV\\\nBAcMB1V0cmVjaHQxEDAOBgNVBAoMB1N1cmZuZXQxDzANBgNVBAsMBkNvbmV4dDCB\\\nnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2slVe459WUDL4RXxJf5h5t5oUbPk\\\nPlFZ9lQysSoS3fnFTdCgzA6FzQzGRDcfRj0HnWBdA1YH+LxBjNcBIJ/nBc7Ssu4e\\\n4rMO3MSAV5Ouo3MaGgHqVq6dCD47f52b98df6QTAA3C+7sHqOdiQ0UDCAK0C+qP5\\\nLtTcmB8QrJhKmV8CAwEAATANBgkqhkiG9w0BAQUFAAOBgQCvPhO0aSbqX7g7IkR7\\\n9IFVdJ/P7uSlYFtJ9cMxec85cYLmWL1aVgF5ZFFJqC25blyPJu2GRcSxoVwB3ae8\\\nsPCECWwqRQA4AHKIjiW5NgrAGYR++ssTOQR8mcAucEBfNaNdlJoy8GdZIhHZNkGl\\\nyHfY8kWS3OWkGzhWSsuRCLl78A==\nexport KEY=MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANrJVXuOfVlAy+EV8SX+YebeaFGz\\\n5D5RWfZUMrEqEt35xU3QoMwOhc0MxkQ3H0Y9B51gXQNWB/i8QYzXASCf5wXO0rLuHuKzDtzEgFeT\\\nrqNzGhoB6launQg+O3+dm/fHX+kEwANwvu7B6jnYkNFAwgCtAvqj+S7U3JgfEKyYSplfAgMBAAEC\\\ngYBaPvwkyCTKYSD4Co37JxAJJCqRsQtv7SyXoCl8zKcVqwaIz4rUQRVN/Hv3/WjIFzqB3xLe4mjN\\\nYBIF31YWt/6ZslaLL5YJIXISrMgDuQzPKL8VqvvsH9XEpi/qSUsVAWa9Vaqqwa8JTPELK8QhHKaX\\\nTxGtatEuW1x6kSNXFCoasQJBAPUaYdj9oCDOGTaOaupF0GB6TIgIItpQESY1Dfpn4cvwB0jH8wBJ\\\nSBVeBqSa6dg4RI5ydD3J82xlF7NrQnvWpYkCQQDkg26KzQckoJ39HX2gYS4olSeQDAyIDzeCMkj7\\\nMcDhigy0cL6k9nOQrKlq6V3vkBISTRg7JceJ4z3QE00edXWnAkEAoggv2WBJxIYbOurJmVhP2gff\\\noiomyEYYIDcAp6KXLdffKOkuJulLIv0GzTiwEMWZ5MWbPOHN78Gg+naU/AM5aQJBALfbsANpt4eW\\\n28ceBUgXKMZqS+ywZRzL8YOF5gaGH4TYSCSeWiXsTUtoQN/OaFAqAQBMm2Rrn0KoXcGe5fvN0h0C\\\nQQDgNLxVcByrVgmRmTPTwLhSfIveOqE6jBlQ8o0KyoQl4zCSDDtMEb9NEFxxvI7NNjgdZh1RKrzZ\\\n5JCAUQcdrEQJ\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X POST -d \"{\\\"certificate\\\": \\\"$CERT\\\",\\\"key\\\":\\\"$KEY\\\"}\" \\\n        http://localhost:8080/api/signing-credential\n```\n\nAdding a user\n-------------\n\nThis API is only available on the 
IDP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d '{\"name\": \"hacker\", \"password\": \"iamgod\", \"authorities\": [\"ROLE_USER\", \"ROLE_ADMIN\"]}' \\\n        http://localhost:8080/api/users\n```\n\nSetting attribute foo to bar (e.g. urn:mace:dir:attribute-def:foo to bar)\n-------------------------------------------------------------------------\n\nThis API is only available on the IDP. **Note:** An attribute is always a list.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d '[\"bar\"]' \\\n        http://localhost:8080/api/attributes/urn:mace:dir:attribute-def:foo\n```\nOr to test the UTF-8 encoding:\n```bash\ncurl -v -H \"Accept: application/json\" -H \"Content-type: application/json\" -X PUT -d '[\"髙橋 大輔\"]' https://mujina-idp.test2.surfconext.nl/api/attributes/urn:mace:dir:attribute-def:cn\n```\n\nSetting attribute for specific user\n-----------------------------------\n\nThe call to set an attribute is global for all users. With this call you set an attribute for a specific user.\nThis API is only available on the IDP. 
**Note:** The user must exist and will NOT be provisioned on the fly.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d '[\"bar\"]' \\\n        http://localhost:8080/api/attributes/urn:mace:dir:attribute-def:foo/user\n```\n\n\nRemoving an attribute\n---------------------\n\nThis API is only available on the IDP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X DELETE \\\n        http://localhost:8080/api/attributes/urn:mace:dir:attribute-def:foo\n```\n\nRemoving an attribute for a user\n--------------------------------\n\nThis API is only available on the IDP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X DELETE \\\n        http://localhost:8080/api/attributes/urn:mace:dir:attribute-def:foo/user\n```\n\nSetting the authentication method\n---------------------------------\n\nThis API is only available on the IDP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d \"ALL\" \\\n        http://localhost:8080/api/authmethod\n```\n\nRetrieving all persisted users\n---------------------------------\n\nThis API is only available on the IDP.\n\n```bash\ncurl -H \"Content-type: application/json\"  http://localhost:8080/api/users\n```\n\nSetting the Assertion Consumer Service (ACS) endpoint\n---------------------------------\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d \"https://my_sp.no:443/acsendpoint_path\" \\\n        http://localhost:8080/api/acsendpoint\n```\n\nThe authentication method API has two possible values.\n\n* USER\n* ALL\n\nThe setting is configurable in the application.yml:\n```\n# Authentication method ALL for every username / password combination and USER for the configured users\nauth_method: USER\n```\n\nThe USER setting requires a valid user to be known in Mujina's IdP and the ALL setting accepts everything.\n\nThe ALL setting allows any username and password combination.\nAs a side effect, the urn:mace:dir:attribute-def:uid attribute is set to the username each time a user logs in.\n\nSetting the SSO Service URL\n-------------\n\nThis API is only available on the SP.\n\n```bash\ncurl -v -H \"Accept: application/json\" \\\n        -H \"Content-type: application/json\" \\\n        -X PUT -d \"http://localhost:8080/SingleSignOnService/vo:test\" \\\n        http://localhost:9090/api/ssoServiceURL\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenconext%2Fmujina","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenconext%2Fmujina","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenconext%2Fmujina/lists"}