Friday, September 9, 2016

Test SAML Generation

Recently I was working on providing SAML-based SSO support for a Spring application. The requirement was to provide IDP-initiated SSO support. One of the major challenges was how to generate a test SAML response for testing the integration without a real IDP. This post talks about the steps to generate a test SAML response without a real IDP.
  1. Download the SAML template from either of these locations:
    • Option 1: The SAML template can be downloaded from https://www.samltool.com/generic_sso_res.php. Download "An unsigned SAML Response with an unsigned Assertion", as we have to modify the SAML. Let's call this Template 1 henceforth.
    • Option 2: Download the template from GitHub. Let's call this Template 2.
  2. Specify the Destination in the SAML. This is the location of the Service Provider (SP). It should match the Location value of the AssertionConsumerService tag of your SP metadata.
    • Template 1: Substitute the value of the Destination attribute of the samlp:Response element with the location of your SP.
    • Template 2: Substitute <<Destination>> with the location of your SP.
  3. Specify the issuer of the SAML. This should match the entityID from the IDP metadata.
    • Template 1: Replace the value of the <saml:Issuer> tag with the entityID from the IDP metadata.
    • Template 2: Substitute <<Issuer>> with the entityID from the IDP metadata.
  4. Specify the Recipient. This should match the Destination specified in step 2 above.
    • Template 1: Set the value of the Recipient attribute of the saml:SubjectConfirmationData tag to the Destination value.
    • Template 2: Substitute <<Recipient>> with the value specified in step 2.
  5. Specify the Audience. This value should match the entityId in the SP metadata.
    • Template 1: Set the value of the saml:Audience tag to match the entityId in the SP metadata.
    • Template 2: Substitute <<Audience>> with the value that matches the entityId in the SP metadata.
  6. Specify the date/time validity attributes. The date value should match your SP's current time. The time difference should not be greater than the response skew value configured in your SAML validator. Generally the skew value is 60 sec. The date should be in this format: 2024-01-18T06:21:48Z
    • Template 1: Specify the appropriate value for these attributes: IssueInstant (multiple instances), NotBefore, AuthnInstant.
    • Template 2: Substitute <<IssueDate>> with the appropriate value.
  7. InResponseTo signifies that the SAMLRequest from the SP had that value and the IDP is sending a response to that request. As we are working on a SAML response for IDP-initiated SSO, the InResponseTo attribute should not be present.
    • Template 1: Remove all instances of the InResponseTo attribute.
    • Template 2: It's already removed, so no action is required.
  8. As the SAML response is ready, the next step is to sign the response. To sign the response, we need a private key and a public certificate.
    • Create the key pair and certificate:

        # create the key pair and a self-signed certificate valid for ten years
        openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

        # convert the private key to PKCS#8 (DER) format
        openssl pkcs8 -topk8 -inform PEM -outform DER -in saml.pem -out saml.pkcs8 -nocrypt

    • Go to https://www.samltool.com/sign_response.php. Copy the XML generated in step 7 and the key and certificate generated in the step above into the appropriate input boxes and click Sign XML.
  9. The next step is Base64-encoding the signed response. Go to https://www.samltool.com/base64.php. Copy the XML generated in step 8 into the "XML to be Base64 Encoded" input box and click the Base64 Encode XML button. The output in the Base64 Encoded XML box is the encoded SAML response.
  10. The next step is creating an HTML page to submit the encoded SAML response to the SP endpoint.
    • Download the HTML template from GitHub.
    • Substitute <<SPEndPoint>> with the SSO URL of the application that you plan to access.
    • Substitute <<SAMLEncodedToken>> with the encoded SAML response received in step 9 above.
  11. When you load the above HTML page in any browser, the SAML token is submitted to the SP endpoint and, if authentication is successful, the appropriate secured page is shown.
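Steps 2 to 7 and step 9 done in code rather than by hand, as an added example that is not part of the original post or its templates: the TEMPLATE below is a constructed minimal Response in the style of Template 2 (not the GitHub template), the SP and IdP values are made up, the result is still unsigned (step 8 has to happen before it is encoded), and the field name SAMLResponse is assumed for the POST form.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# Constructed minimal unsigned Response (not the post's GitHub template), same <<...>> placeholders.
TEMPLATE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="<<IssueDate>>" Destination="<<Destination>>" InResponseTo="_req1">
  <saml:Issuer><<Issuer>></saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="<<IssueDate>>">
    <saml:Issuer><<Issuer>></saml:Issuer>
    <saml:Subject><saml:NameID>testuser@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="<<Recipient>>" InResponseTo="_req1"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="<<IssueDate>>" NotOnOrAfter="<<NotOnOrAfter>>">
      <saml:AudienceRestriction><saml:Audience><<Audience>></saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="<<IssueDate>>"/>
  </saml:Assertion></samlp:Response>"""

def saml_time(t):
    """Format a UTC datetime the way the post shows it: 2024-01-18T06:21:48Z."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_test_response(destination, issuer, audience, now=None, validity=300):
    """Steps 2-7: fill the placeholders, then remove every InResponseTo (IdP-initiated)."""
    now = now or datetime.now(timezone.utc)
    xml = (TEMPLATE.replace("<<Destination>>", destination)
           .replace("<<Recipient>>", destination)  # step 4: Recipient equals Destination
           .replace("<<Issuer>>", issuer).replace("<<Audience>>", audience)
           .replace("<<IssueDate>>", saml_time(now))
           .replace("<<NotOnOrAfter>>", saml_time(now + timedelta(seconds=validity))))
    root = ET.fromstring(xml)
    for el in root.iter():          # no AuthnRequest exists, so there is nothing to respond to
        el.attrib.pop("InResponseTo", None)
    return ET.tostring(root, encoding="unicode")

def encode_response(xml):
    """Step 9: the Base64 value placed in the SAMLResponse form field (sign it first)."""
    return base64.b64encode(xml.encode()).decode()

def within_skew(issue_instant, now, skew=60):
    """Step 6 check the SP validator applies: |IssueInstant - now| must not exceed skew seconds."""
    return abs((parse_saml_time(now) - parse_saml_time(issue_instant)).total_seconds()) <= skew
```

Run within_skew against the SP's clock before submitting; a response built more than 60 seconds earlier is rejected by a validator with the default skew.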


Happy SAML.