Service providers with SAML version 2 for SSO accessible to public?
TestingSingle Sign-OnSamlService ProviderTesting Problem Overview
I'm wondering if there are any publicly available SAML version 2 SPs (Service Providers) that can be used to test SSO(Single Sign On)
Salesforce and Google apps both have an SSO solution, but how to go get access to them and what is the cost for those services?
I could setup a service provider using OpenSSO on an another system for my testing purpose.
Testing Solutions
Solution 1 - Testing
UPDATE: Samling is live again at https://fujifish.github.io/samling/samling.html
Samling is a serverless SAML IdP for the purpose if testing any SAML SP endpoint. It supports AuthnRequest and LogoutRequest.
It runs solely in the browser to simulate SAML responses returned from a SAML IdP - no registration, no servers, just a browser. You can control many aspects of the response - from success to various failures.
Simply setup the target URL for the SAML IdP to be https://fujifish.github.io/samling/samling.html, and you're done. If there is a SAMLRequest query param present on the request, Samling will parse, extract and populate the relevant fields.
If you don't want to use the online version, you can clone the samling repo from https://github.com/fujifish/samling and host it yourself - all you will need is a static file server.
Solution 2 - Testing
Salesforce has a free developer edition you can sign up for at: http://developer.force.com. It will enable you to test with them acting as either a SAML 2.0 SP or IDP. It is quite simple to sign up and use its SAML features for testing purposes.
For Google, they offer free 30 day Google Apps accounts for trial purposes - beyond that you need to pay.
As you say - there are loads others (like PingFederate or OpenAM) that you could either get for free, sign up for a trial for or purchase - if you want something in house.
Solution 3 - Testing
Shibboleth offer a publicly available SAML v2 SP and IdP; https://www.testshib.org/ Note - works with any SAML IdP/SP, not just shib.
Solution 4 - Testing
Why not just use SimpleSAMLPHP? It's easy to set up, and can be used as a service provider. Google Apps is also pretty easy to set up as a SAML service provider.
Solution 5 - Testing
I can't recommend because I haven't used it, but it sounds promising, so worth trying.
They provide free public users and integration with your own SP and additional features with premium accounts.
Solution 6 - Testing
You can definitely use miniOrange's SAML SSO with a variety of service providers. I knew nothing about how it all works, and got it setup using their free trial very quickly, as they have nice docs that step you through integrating with a variety of service providers, with Salesforce of course being one of them.
So:
- Sign up for a free trial here
- View their docs on how to integrate.
I don't work for them, I just found it was easy one to setup, and I tried SSOCircle and Salesforce as an IDP before these guys as well. FYI !
Solution 7 - Testing
Here is how you can use salesforce developer's account to set up your IdP and test it with an example service provider hosted on heroku
STEP 1: Establish a Federation Id For this single sign-on implementation, we’ll set a user attribute that links the user between their Salesforce organization and an external application.
- From Setup in your salesforce developer's account, enter Users in the Quick Find box, then select Users. Click Edit next to your current user. In the Single Sign On Information section, enter the Federation ID: [email protected]. For this example, we arbitrarily made up a Federation ID. The Federation ID is a unique username for each user that can be shared across multiple applications. Sometimes this is the employee ID for that user. Click Save.
STEP 2: Set up your Identity Provider
-
In a new browser window, go to http://axiomsso.herokuapp.com.
-
Click SAML Identity Provider & Tester. Click Download the Identity Provider Certificate. The certificate validates signatures, and you need to upload it to your Salesforce organization. Remember where you save it.
-
In your Salesforce organization, from Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings. Click Edit. Select SAML Enabled. Click Save.
-
In SAML Single Sign-On Settings, click New. Enter the following values.
Name: Axiom Test App Issuer: http://axiomsso.herokuapp.com Identity Provider Certificate: Choose the file you downloaded in step 3. Request Signing Certificate: Select a certificate. If no certificate is available, leave as Generate self-signed certificate. SAML Identity Type: Select Assertion contains the Federation ID from the User object. SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement. Service Provider Initiated Request Binding: Select HTTP Redirect. Entity Id: Enter your My Domain name including “https”, such as https://universalcontainers.my.salesforce.com Click Save and leave the browser page open.
STEP 3: Generate SAML
-
Return to Axiom at http://axiomsso.herokuapp.com. Click generate a SAML response. Enter the following values (other fields can be left blank).
SAML 2.0 Username or Federated ID: [email protected] Issuer: http://axiomsso.herokuapp.com Recipient URL: Get that from the Salesforce SAML Single Sign-On Setting page. (If you didn’t keep that page open, from Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings, and then click Axiom Test App.) Use the Salesforce Login URL value.