How to test SAML SSO to my site?

I am trying to implement single sign-on using SAML 2 with a connection TO my website.

That is, when a user logs into their company website (acome.com for example), they will click a link to automatically log into our site.

Without troubling one of my clients as a guinea pig, how can I test the integration to my site?

I was thinking about getting a WordPress site with a SAML plug-in to try it out, but I have never done that either.

Any information on testing SAML or using WordPress is greatly appreciated.

We are using Okta for our authorization.

gdemaria Asked:
gr8gonzo (Consultant) Commented:
To implement SAML, you need to understand SSL certificates.

Basically, the most common way that SAML works is that Acome.com has an application called an identity provider. Users log into the identity provider at acome.com and then click on a link inside the identity provider which kicks off a process to try to log them into YOUR website (let's say it's gdemaria.com).

So when that process starts:
1. The identity provider creates a medium-sized chunk of XML that is called an assertion. The assertion simply says, "User John Smith is coming from Acome.com and wants to log into gdemaria.com." So an assertion is sort of like a ticket that you might buy to get into some event, like a concert.

2. The identity provider uses a private key (this is where understanding SSL certificates comes into the picture) to add a digital signature to the assertion. This digital signature is based off of the content of that ticket and it ensures two things:
- That the assertion was generated by the Acome.com identity provider (that it wasn't forged by someone else)
- That the assertion content has not been manipulated. If the content changes, then the signature won't match the content.
So this digital signature is sort of like having a valid bar code on that ticket I mentioned earlier. Someone trying to forge a ticket won't have a valid bar code, so their fake ticket won't be recognized as valid.

3. The identity provider takes the digitally-signed assertion, base64-encodes it, and then usually generates a web page with a hidden form that immediately and automatically submits itself. That way, the end user's browser is technically the one that is submitting the form. Okta will generate that intermediate "logging in" grey page so that users have something visually pleasing to look at while this all happens.

4. YOUR website, gdemaria.com, has some page like "saml_login.php" or something that is the target of that form, so it receives the POSTed assertion from the end user's browser.

5. That saml_login.php (or whatever you call it), has to base64-decode the assertion (the variable is usually called "SAMLResponse") to get to the XML. Then it needs to parse that XML (easiest way is to use the SimpleXML or DOMDocument extensions in PHP) to get the signature and then validate that the signature matches the rest of the content. This process gets a little technical and relies on a process called C14N that looks at a specially-formatted version of the content. In order to VALIDATE the signature, you need the corresponding PUBLIC KEY. (So a quick recap - private key CREATES the signature, and the corresponding public key VERIFIES the signature)

That means that you have to get the public key from Acome.com and store it somewhere on your server so that you can load it up and use it to verify the data. You would use the OpenSSL extension from PHP to load the public key, and openssl_verify() to verify the signature against the C14N content.

http://php.net/manual/en/function.openssl-verify.php

By doing this, you are ensuring that you are only accepting assertions that have come from Acome.com's identity provider, and only accepting assertions that have not been tampered with.

Ideally you will also implement code that checks the timestamps in the assertion content so that you're rejecting expired assertions, assertions that are already used, etc.

6. Finally, once you've validated the assertion all looks good and everything has passed the security checks, then saml_login.php can safely take the data from the assertion and do whatever you need to do to log the user into your own system (e.g. set cookies or session data or whatever your system uses to log a user in).

All that said, a framework like SimpleSamlPHP will do a lot of this work for you. It's worth noting that the above reflects the most common and simplest way that SAML works, which is called the "POST binding" - there are other ways that SAML can work, too.

However, the premise will still require you to be able to get a public key from Acome.com (a signing certificate), and store it on your server so that your server knows that it can trust assertions from Acome.com. That is a critical part of the process.

So to get back to your original question - to test out SAML for a specific service provider, you basically need to set up Okta with a new connection to that service provider, and then take the public key / signing certificate for that connection, and ensure that the SAML service provider (your gdemaria.com or whatever the site is) can trust that certificate.

Or if Okta is acting as the service provider here, then you need to set up a small SAML application (again, SimpleSamlPHP is a decent choice for a quick setup) that will generate signed assertions that will be sent over to your Okta endpoint (called the Assertion Consumer Service URL or ACS for short).
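As an added example (not code from the answer above, nor from Okta or SimpleSAMLphp), here is the "ideally you will also" part of step 5 written out: the service-provider checks that run on a POSTed SAMLResponse after the XML signature has been verified. It is in Python rather than the PHP the answer mentions, since the logic maps one-to-one onto DOMDocument/DateTime; the hostnames (gdemaria.example, acome.okta.example) and the sample response are constructed, and it assumes the ds:Signature over the Assertion has already been verified with a proper XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample of the XML behind a POSTed "SAMLResponse"; ds:Signature omitted (XML-DSig must already have been verified).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://gdemaria.example/saml_login.php">
 <saml:Assertion ID="_a1" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://acome.okta.example</saml:Issuer>
  <saml:Subject><saml:NameID>john.smith@acome.example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00.000Z"
     Recipient="https://gdemaria.example/saml_login.php"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://gdemaria.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

def parse_saml_time(value):  # SAML timestamps are UTC, optionally with fractional seconds
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def _require(ok, why):
    if not ok: raise ValueError(why)

def validate_response(saml_response_b64, acs_url, audience, issuer, now, seen_ids,
                      skew=timedelta(seconds=60)):
    """Post-signature checks on a SAMLResponse; returns the NameID or raises ValueError.
    seen_ids is the replay cache; entries can be dropped once NotOnOrAfter has passed."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    _require(root.tag == SAMLP + "Response", "not a samlp:Response")
    _require(root.get("Destination") == acs_url, "Destination is not our ACS URL")
    assertion = root.find(SAML + "Assertion")
    _require(assertion is not None, "no Assertion present")
    _require(assertion.findtext(SAML + "Issuer") == issuer, "unexpected Issuer")
    cond = assertion.find(SAML + "Conditions")
    _require(cond is not None, "no Conditions present")
    _require(now + skew >= parse_saml_time(cond.get("NotBefore")), "assertion not yet valid")
    _require(now - skew < parse_saml_time(cond.get("NotOnOrAfter")), "assertion expired")
    _require(audience in [a.text for a in cond.iter(SAML + "Audience")], "wrong Audience")
    scd = assertion.find(".//" + SAML + "SubjectConfirmationData")
    _require(scd is not None and scd.get("Recipient") == acs_url
             and now - skew < parse_saml_time(scd.get("NotOnOrAfter")), "bad bearer confirmation")
    _require(assertion.get("ID") not in seen_ids, "assertion already used (replay)")
    seen_ids.add(assertion.get("ID"))
    return assertion.findtext(".//" + SAML + "NameID")
```

The replay cache only needs to hold IDs until their NotOnOrAfter has passed, and the skew should be small (a minute or so) so that the IdP's and SP's clocks can disagree slightly without opening a long replay window.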
gdemaria (Author) Commented:
gr8gonzo - thank you so very much for this thoughtful explanation. I found it extremely helpful and copied it and shared it with my team. My neglect of the question does not represent how very helpful and valuable I found the information. Thank you very much for taking the time to give such a great answer. My apologies for not getting back to the question.