Testing of remote authentication modules
midPoint contains three remote authentication modules: oidc, saml and ldap. The oidc module supports two kinds of authentication, one for the GUI and one for the REST API. GUI integration is tested with Schrodinger tests, and REST API integration with the rest test module in midPoint.
Each kind of test has a properties file for its configuration. Every property key consists of two parts separated by a dot: the server prefix and the property name, for example keycloak.clientId. The property name itself can contain further dot-separated parts.
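A small parser for the properties format just described, added here as an example and not part of midPoint's own test code. It splits each key on the first dot only, so that property names with further dots (such as signedJwt.clientId) stay whole under their server prefix, and it reports which required properties a server section is missing. The properties content and the required-property set are constructed for the example; the secrets and ids are placeholders.

```python
"""Parse a remote-module test properties file into per-server sections.

Added example, not midPoint's own test code. The properties text below is
constructed; keys follow the page's oidc table.
"""
from typing import Dict, Iterable, List

# Constructed sample: the part before the first dot is the server prefix,
# the remainder is the property name, which may itself contain dots.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real configuration
keycloak.clientId=midpoint-gui
keycloak.clientSecret=PLACEHOLDER_SECRET
keycloak.issuerUri=https://keycloak.example.test/realms/midpoint
keycloak.signedJwt.clientId=midpoint-gui-jwt
azure.clientId=00000000-0000-0000-0000-000000000000
azure.issuerUri=https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0
"""

# Minimal property set every oidc server section must provide (hypothetical
# choice for this example, taken from the page's oidc table).
REQUIRED_OIDC = ("clientId", "clientSecret", "issuerUri")


def parse_properties(text: str) -> Dict[str, Dict[str, str]]:
    """Return {server_prefix: {property_name: value}}.

    Splits each key on the FIRST dot only, so names with further dots
    (signedJwt.clientId) are kept intact under their server prefix.
    """
    servers: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        if "=" not in line:
            raise ValueError("malformed property line: %r" % line)
        key, value = line.split("=", 1)
        key = key.strip()
        if "." not in key:
            raise ValueError("property %r has no server prefix" % key)
        prefix, name = key.split(".", 1)
        servers.setdefault(prefix, {})[name] = value.strip()
    return servers


def missing_properties(servers: Dict[str, Dict[str, str]],
                       required: Iterable[str] = REQUIRED_OIDC) -> Dict[str, List[str]]:
    """Return {server_prefix: [missing property names]} for incomplete sections."""
    gaps: Dict[str, List[str]] = {}
    for prefix, props in servers.items():
        absent = [name for name in required if name not in props]
        if absent:
            gaps[prefix] = absent
    return gaps


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    for prefix, props in cfg.items():
        print(prefix, sorted(props))
    print("missing:", missing_properties(cfg))
```

Running the parser over the sample shows the keycloak section complete and the azure section lacking clientSecret, which is the kind of check worth running before a full test build rather than discovering the gap from a failed login.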
Schrodinger testing
Schrodinger contains tests for the oidc, saml and ldap authentication modules. The tests work with the users enabled_user, disabled_user and non_exist_user. The testing users have to exist on every IDP server.
Command for running the tests:
mvn clean install -P flexible-authentication
Oidc module
We test the oidc authentication module with two kinds of identity provider service, namely Azure and Keycloak. The configuration file contains the following properties.

| Property | Midpoint attribute | Description |
|---|---|---|
| serverPrefix.clientId | oidc.client.clientId | |
| serverPrefix.clientSecret | oidc.client.clientSecret | |
| serverPrefix.issuerUri | oidc.client.openIdProvider.issuerUri | |
| serverPrefix.authorizationUri | oidc.client.openIdProvider.authorizationUri | |
| serverPrefix.tokenUri | oidc.client.openIdProvider.tokenUri | |
| serverPrefix.jwkSetUri | oidc.client.openIdProvider.jwkSetUri | |
| serverPrefix.endSessionUri | oidc.client.openIdProvider.endSessionUri | |
| serverPrefix.midpointUserPassword | | Password for the testing users. |
| serverPrefix.signedJwt.clientId | oidc.client.clientId | Client id of the client that uses privateKeyJwt for client verification. |
| serverPrefix.signedJwt.issuerUri | oidc.client.openIdProvider.issuerUri | Issuer URI of the client that uses privateKeyJwt for client verification. |
| serverPrefix.privateKey | oidc.client.simpleProofKey.privateKey | Private key used for privateKeyJwt. |
| serverPrefix.passwordForPrivateKey | oidc.client.simpleProofKey.passphrase, oidc.client.keyStoreProofKey.keyStorePassword, oidc.client.keyStoreProofKey.keyPassword | |
| serverPrefix.certificate | oidc.client.simpleProofKey.certificate | Certificate of the private key used for privateKeyJwt. |
| serverPrefix.keyStorePath | oidc.client.keyStoreProofKey.keyStorePath | Path to the keystore that contains the private key used for privateKeyJwt. |
| serverPrefix.keyAlias | oidc.client.keyStoreProofKey.keyAlias | Alias in the keystore of the private key used for privateKeyJwt. |
Saml module
We test the saml authentication module with two kinds of identity provider service, namely Azure and Keycloak. The configuration file contains the following properties.

| Property | Midpoint attribute | Description |
|---|---|---|
| serverPrefix.entityId | saml2.serviceProvider.identityProvider.entityId | |
| serverPrefix.metadataUrl | saml2.serviceProvider.identityProvider.metadata.metadataUrl | |
| serverPrefix.pathToFile | saml2.serviceProvider.identityProvider.metadata.pathToFile | |
| serverPrefix.xml | saml2.serviceProvider.identityProvider.metadata.xml | |
| serverPrefix.midpointUserPassword | | Password for the testing users. |
| serverPrefix.signing.entityId | saml2.serviceProvider.identityProvider.entityId | Entity id of the client that supports signing of authentication requests. |
| serverPrefix.signing.metadataUrl | saml2.serviceProvider.identityProvider.metadata.metadataUrl | Metadata of the client that supports signing of authentication requests. |
| serverPrefix.signing.privateKey | saml2.serviceProvider.keys.activeSimpleKey.privateKey | Private key used for signing authentication requests. |
| serverPrefix.signing.passwordForPrivateKey | saml2.serviceProvider.keys.activeSimpleKey.passphrase, saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePassword, saml2.serviceProvider.keys.activeKeyStoreKey.keyPassword | |
| serverPrefix.signing.certificate | saml2.serviceProvider.keys.activeSimpleKey.certificate | Certificate of the private key used for signing authentication requests. |
| serverPrefix.signing.keyStorePath | saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePath | Path to the keystore that contains the private key used for signing authentication requests. |
| serverPrefix.signing.keyAlias | saml2.serviceProvider.keys.activeKeyStoreKey.keyAlias | Alias in the keystore of the private key used for signing authentication requests. |
| serverPrefix.decryption.entityId | saml2.serviceProvider.identityProvider.entityId | Entity id of the client that supports encryption of the SAML assertion. |
| serverPrefix.decryption.metadataUrl | saml2.serviceProvider.identityProvider.metadata.metadataUrl | Metadata of the client that supports encryption of the SAML assertion. |
| serverPrefix.decryption.privateKey | saml2.serviceProvider.keys.activeSimpleKey.privateKey | Private key used for encryption of the SAML assertion. |
| serverPrefix.decryption.passwordForPrivateKey | saml2.serviceProvider.keys.activeSimpleKey.passphrase, saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePassword, saml2.serviceProvider.keys.activeKeyStoreKey.keyPassword | |
| serverPrefix.decryption.certificate | saml2.serviceProvider.keys.activeSimpleKey.certificate | Certificate of the private key used for encryption of the SAML assertion. |
| serverPrefix.decryption.keyStorePath | saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePath | Path to the keystore that contains the private key used for encryption of the SAML assertion. |
| serverPrefix.decryption.keyAlias | saml2.serviceProvider.keys.activeKeyStoreKey.keyAlias | Alias in the keystore of the private key used for encryption of the SAML assertion. |
Ldap module
We test only the OpenLDAP server. The configuration file contains the following properties.

| Property | Midpoint attribute | Description |
|---|---|---|
| openLdap.host | ldap.host | |
| openLdap.userDn | ldap.userDn | |
| openLdap.userPassword | ldap.userPassword | |
| openLdap.midpointUserPassword | | Password for the testing users. |
Rest testing
Only the oidc module supports authentication for REST. We test Azure and Keycloak as identity providers.
Command for running the tests:
mvn clean install -pl testing/rest -P restAuthenticationTest
The tests work with a single user, administrator. This user has to exist on every IDP server.
The configuration file contains the following properties.
Azure
| Property | Midpoint attribute | Description |
|---|---|---|
| azure.clientId | | Client id used to obtain the access token. |
| azure.opaqueToken.clientId | | Client id used to obtain the access token. This client tests the opaque token configuration of the oidc authentication module. |
| azure.authServerUrl | | Authority used to obtain the access token. Probably https://login.microsoftonline.com/tenant_id. |
| azure.emailSuffix | | Email suffix of the tested Azure user. |
| azure.issuerUri | oidc.resourceServer.jwt.issuerUri | |
| azure.jwkSetUri | oidc.resourceServer.jwt.jwkSetUri | |
| azure.kid | | Kid (key id) of the public key Azure uses to sign the JWT token. You can find it in the JWT header. |
| azure.userInfoUri | oidc.resourceServer.opaqueToken.userInfoUri | |
| azure.midpointUserPassword | | Password for the tested user. |
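The azure.kid property is the key id from the token header, and the resource server side of the oidc module resolves that kid against the document served at jwkSetUri. The following added example (not midPoint's code) shows that resolution with only the standard library: it decodes the base64url header of a compact JWS, reads kid and alg, and picks the matching key from a JWK Set, refusing tokens that declare no kid, declare alg "none", or point at a key that is not a signing key. The token header and the JWK Set are constructed samples; the token carries an empty signature and is not a real Azure token, and no signature is verified here.

```python
"""Resolve the kid from a JWT header against a JWK Set.

Added example, not midPoint's code. The JWK Set and the token built by
make_sample_jwt are constructed samples with placeholder key material.
"""
import base64
import json

# Constructed JWK Set in the shape a jwkSetUri endpoint returns.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "sample-kid-1", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "RSA", "use": "enc", "kid": "sample-kid-enc",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWTs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_jwt(header: dict) -> str:
    """Build a constructed header.payload. token with an empty signature."""
    return "%s.%s." % (b64url_encode(header), b64url_encode({"sub": "administrator"}))


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict) -> dict:
    """Return the JWK the token's header points at, or raise.

    Checks the header before touching the key set: an explicit asymmetric
    alg and a kid are required, the kid must exist, the key must be usable
    for signatures, and a key bound to an alg must match the header's alg.
    """
    header = jwt_header(token)
    alg = header.get("alg")
    if not alg or alg.lower() == "none":
        raise ValueError("token must declare a signing alg")
    kid = header.get("kid")
    if not kid:
        raise ValueError("token header has no kid")
    for key in jwks.get("keys", []):
        if key.get("kid") != kid:
            continue
        if key.get("use", "sig") != "sig":
            raise ValueError("key %s is not a signing key" % kid)
        if key.get("alg") not in (None, alg):
            raise ValueError("key %s is bound to %s, token says %s" % (kid, key["alg"], alg))
        return key
    raise KeyError("kid %r not found in JWK Set" % kid)


if __name__ == "__main__":
    token = make_sample_jwt({"alg": "RS256", "typ": "JWT", "kid": "sample-kid-1"})
    print("header:", jwt_header(token))
    print("resolved key:", find_signing_key(token, SAMPLE_JWKS)["kid"])
```

To fill in azure.kid for a real test run, decode the header of a token issued by the tenant the same way and copy its kid; if the value is not present in the jwkSetUri document, the resource server test will fail at key resolution before any signature check.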
Keycloak
| Property | Midpoint attribute | Description |
|---|---|---|
| keycloak.clientId | | Client id used to obtain the access token. |
| keycloak.clientSecret | | Client secret used to obtain the access token. |
| keycloak.authServerUrl | | URL of the Keycloak server. |
| keycloak.issuerUri | oidc.resourceServer.jwt.issuerUri | |
| keycloak.jwkSetUri | oidc.resourceServer.jwt.jwkSetUri | |
| keycloak.userInfoUri | oidc.resourceServer.opaqueToken.userInfoUri | |
| keycloak.midpointUserPassword | | Password for the tested user. |
Hints
Create key pair
Generate a keystore with a new key pair, then convert it to PKCS12 so openssl can read it:
keytool -genkey -alias key_alias -keyalg RSA -validity 365 -keystore new_keystore.keystore -storetype JKS
keytool -importkeystore -srckeystore new_keystore.keystore -destkeystore new_keystore.keystore -deststoretype pkcs12
Export the private key:
openssl pkcs12 -in new_keystore.keystore -nodes -nocerts -out new_key.pem
Export the certificate:
openssl pkcs12 -in new_keystore.keystore -nokeys -out new_cert.pem
Set keys on the server
Oidc
Set the certificate used for privateKeyJwt client verification.
Azure
App registration → 'select your app' → Certificates & secrets → Certificates → Upload certificate
Keycloak
'select your realm' → Clients → 'select your client' → Keys → Import Certificate
Saml
Signing
Set the certificate used to verify the authentication request.
Azure
Enterprise applications → 'select your application' → Single sign-on → scroll to Verification certificates (optional) → click Edit → Upload certificate
Keycloak
'select your realm' → Clients → 'select your client' → Keys → scroll to Signing Key → Import
Encryption
Set the certificate used for encryption of the SAML assertion.
Azure
Enterprise applications → 'select your application' → Token encryption → Import Certificate
Keycloak
'select your realm' → Clients → 'select your client' → Keys → scroll to Encryption Key → Import