Can you recommend a SAML 2.0 Identity Provider for test?
I'm implementing a SAML 2.0 Service Provider and need to install a SAML 2.0 Identity Provider for testing. Given this need, the Identity Provider should ideally be free (or have a trial period) and be easy to set up and configure.
I'm looking for basic single sign on and single log out functionality.
I've tried Sun Opensso Enterprise. The price is right, but so far it's been a nightmare to configure. Also, its error messaging and logging leaves a lot to be desired and I'm often troubleshooting an issue that basically boils down to a misconfiguration or a counterintuitive default setting.
Answer
What problems are you having configuring OpenSSO? I found OpenSSO to be the easiest setup!
My notes on getting the basic IDP up and running are below - hopefully they help you get up and running.
Michael
I've found that the best (i.e. most painless) way is...
- Use Glassfish - this is a well supported container for OpenSSO - use the developer profile to make your life even easier - use the quick setup steps as documented on the download page
- Deploy OpenSSO as per the basic instructions (unpack the zip - deploy the war file to the default domain)
I've used the following as my setup steps (I use OpenSSO build 7):
- Under "Custom Configuration", click "Create New Configuration".
- Type the password "adminadmin" in the Password and Confirm fields. Click Next.
- In Server Settings, leave the defaults alone (or edit if if needed) and choose Next.
- In Configuration Data Store, leave the defaults alone (or edit if needed) and choose Next.
- In User Data Store, choose "OpenSSO User Data Store". Click Next.
- In Site Configuration, choose No (this installation will not use a load balancer). Click Next.
- In Default Agent User, enter admin123 as the password and confirmed password. Click Next.
- Click "Create Configuration".
- Click "Proceed to Login".
- Log in as "amadmin" with the password "adminadmin".
The instructions above are based on http://developers.sun.com/identity/reference/techart/opensso-glassfish.html
You've now got your basics up and running. Create a subrealm under / called users, and create an account or two in there.
Now prep your SP metadata. Don't put too much in your metadata to start with - keep it simple.
In the default page of the GUI, choose to create a hosted IDP. This is a pretty basic workflow. You should specify your /users realm and choose to use the test key alias for signing. The circle of trust you create can be called petty much anything.
When you complete the workflow you'll be asked if you want to import metadata for an SP - say yes and choose to import from your prepared metadata file.
At this stage you should be pretty much set up.
You'll want to grab your IDP metadata next. There are a few ways to do this. You could use "http://servername:8080/opensso/ssoadm.jsp?cmd=export-entity" or "http://servername:8080/opensso/saml2/jsp/exportmetadata.jsp?realm=/users".
... and that's pretty much it for setup.
If you run into issues interoperating with OpenSSO you can look in the OpenSSO data directory (~/opensso by default). There's debugging and logging information in the subdirectories under there. You can cross reference that information with the OpenSSO Wiki, which has some pretty good troubleshooting information.