Testing of remote authentication modules

Last modified 30 May 2023 14:11 +02:00

Midpoint contains three remote modules oidc, saml and ldap. Oidc module contains two kind of authentication one for GUI and one for rest api. We test integration for GUI with schrodinger tests and integration for rest api with rest test module in midpoint.

Every kind of tests contains properties file for configuration. Every property has form composed of two part prefix of server and name of property separated of point, for example keycloak.clientId. Name of property can contain more parts separated of point.

Schrodinger testing

Schrodinger contains tests for oidc, saml and ldap authentication module. Tests work with users enabled_user, disabled_user and non_exist_user. Testing users have to exist on every IDP server.

Command for running of tests: mvn clean install -P flexible-authentication

Oidc module

We test oidc authentication module with two kind of identity provider service, namely azure and keycloak. Configuration file contains next properties.

Property Midpoint attribute Description

serverPrefix.clientId

oidc.client.clientId

serverPrefix.clientSecret

oidc.client.clientSecret

serverPrefix.issuerUri

oidc.client.openIdProvider.issuerUri

serverPrefix.authorizationUri

oidc.client.openIdProvider.authorizationUri

serverPrefix.tokenUri

oidc.client.openIdProvider.tokenUri

serverPrefix.jwkSetUri

oidc.client.openIdProvider.jwkSetUri

serverPrefix.endSessionUri

oidc.client.openIdProvider.endSessionUri

serverPrefix.midpointUserPassword

Password for testing users.

serverPrefix.signedJwt.clientId

oidc.client.clientId

Client id for client which uses privateKeyJwt for verifying of client.

serverPrefix.signedJwt.issuerUri

oidc.client.openIdProvider.issuerUri

Issuer uri for client which uses privateKeyJwt for verifying of client.

serverPrefix.privateKey

oidc.client.simpleProofKey.privateKey

Private key used for privateKeyJwt.

serverPrefix.passwordForPrivateKey

oidc.client.simpleProofKey.passphrase, oidc.client.keyStoreProofKey.keyStorePassword, oidc.client.keyStoreProofKey.keyPassword

serverPrefix.certificate

oidc.client.simpleProofKey.certificate

Certificate for private key used for privateKeyJwt.

serverPrefix.keyStorePath

oidc.client.keyStoreProofKey.keyStorePath

Path to keystore which contains private key used for privateKeyJwt.

serverPrefix.keyAlias

oidc.client.keyStoreProofKey.keyAlias

Alias, from the keystore, of private key used for privateKeyJwt.

Saml module

We test saml authentication module with two kind of identity provider service, namely azure and keycloak. Configuration file contains next properties.

Property Midpoint attribute Description

serverPrefix.entityId

saml2.serviceProvider.identityProvider.entityId

serverPrefix.metadataUrl

saml2.serviceProvider.identityProvider.metadata.metadataUrl

serverPrefix.pathToFile

saml2.serviceProvider.identityProvider.metadata.pathToFile

serverPrefix.xml

saml2.serviceProvider.identityProvider.metadata.xml

serverPrefix.midpointUserPassword

Password for testing users.

serverPrefix.signing.entityId

saml2.serviceProvider.identityProvider.entityId

Entity id for client which supports signing of authentication requests.

serverPrefix.signing.metadataUrl

saml2.serviceProvider.identityProvider.metadata.metadataUrl

Metadata for client which supports signing of authentication requests.

serverPrefix.signing.privateKey

saml2.serviceProvider.keys.activeSimpleKey.privateKey

Private key used for signing of authentication requests.

serverPrefix.signing.passwordForPrivateKey

saml2.serviceProvider.keys.activeSimpleKey.passphrase saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePassword saml2.serviceProvider.keys.activeKeyStoreKey.keyPassword

serverPrefix.signing.certificate

saml2.serviceProvider.keys.activeSimpleKey.certificate

Certificate for private key used for signing of authentication requests.

serverPrefix.signing.keyStorePath

saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePath

Path to keystore which contains private key used for signing of authentication requests.

serverPrefix.signing.keyAlias

saml2.serviceProvider.keys.activeKeyStoreKey.keyAlias

Alias, from the keystore, of private key used for signing of authentication requests.

serverPrefix.decryption.entityId

saml2.serviceProvider.identityProvider.entityId

Entity id for client which supports encryption of saml assertion.

serverPrefix.decryption.metadataUrl

saml2.serviceProvider.identityProvider.metadata.metadataUrl

Metadata for client which supports encryption of saml assertion.

serverPrefix.decryption.privateKey

saml2.serviceProvider.keys.activeSimpleKey.privateKey

Private key used for encryption of saml assertion.

serverPrefix.decryption.passwordForPrivateKey

saml2.serviceProvider.keys.activeSimpleKey.passphrase saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePassword saml2.serviceProvider.keys.activeKeyStoreKey.keyPassword

serverPrefix.decryption.certificate

saml2.serviceProvider.keys.activeSimpleKey.certificate

Certificate for private key used for encryption of saml assertion.

serverPrefix.decryption.keyStorePath

saml2.serviceProvider.keys.activeKeyStoreKey.keyStorePath

Path to keystore which contains private key used for encryption of saml assertion.

serverPrefix.decryption.keyAlias

saml2.serviceProvider.keys.activeKeyStoreKey.keyAlias

Alias, from the keystore, of private key used for encryption of saml assertion.

Ldap module

We test only OpenLdap server. Configuration file contains next properties.

Property Midpoint attribute Description

openLdap.host

ldap.host

openLdap.userDn

ldap.userDn

openLdap.userPassword

ldap.userPassword

openLdap.midpointUserPassword

Password for testing users.

Rest testing

Only oidc module support authentication for rest. We test azure and keycloak as Identity service provider.

Command for running of tests: mvn clean install -pl testing/rest -P restAuthenticationTest

Tests work only with one user administrator. This user have to exist on every IDP server.

Configuration file contains next properties.

Azure

Property Midpoint attribute Description

azure.clientId

Client id used for obtaining of access token.

azure.opaqueToken.clientId

Client id used for obtaining of access token. This client tests opaque token configuration of oidc authentication module.

azure.authServerUrl

Authority used for obtaining of access token. Probably https://login.microsoftonline.com/tenant_id.

azure.emailSuffix

Email suffix for azure tested user.

azure.issuerUri

oidc.resourceServer.jwt.issuerUri

azure.jwkSetUri

oidc.resourceServer.jwt.jwkSetUri

azure.kid

Kid of public key which azure uses for signing of jwt token. You can find it in jwt header.

azure.userInfoUri

oidc.resourceServer.opaqueToken.userInfoUri

azure.midpointUserPassword

Password for tested user.

Keycloak

Property Midpoint attribute Description

keycloak.clientId

Client id used for obtaining of access token.

keycloak.clientSecret

Client secret used for obtaining of access token.

keycloak.authServerUrl

Url of keycloak server.

keycloak.issuerUri

oidc.resourceServer.jwt.issuerUri

keycloak.jwkSetUri

oidc.resourceServer.jwt.jwkSetUri

keycloak.userInfoUri

oidc.resourceServer.opaqueToken.userInfoUri

keycloak.midpointUserPassword

Password for tested user.

Hints

Create key pair

Generate keystore with new key pair: keytool -genkey -alias key_alias -keyalg RSA -validity 365 -keystore new_keystore.keystore -storetype JKS keytool -importkeystore -srckeystore new_keystore.keystore -destkeystore new_keystore.keystore -deststoretype pkcs12

Export key: openssl pkcs12 -in new_keystore.keystore -nodes -nocerts -out new_key.pem

Export cert: openssl pkcs12 -in new_keystore.keystore -nokeys -out new_cert.pem

Set keys to server

Oidc

Set certificate for jwtPrivateKey verifying of client.

Azure

App registration → 'select your app' → Certificates & secrets → Certificates → Upload certificate

Keycloak

'select your realm' → Clients → 'select your client' → Keys → Import Certificate

Saml

Signing

Set certificate for verifying of authentication request.

Azure

Enterprise applications → 'select your application → Single sign-on → scroll to Verification certificates (optional) → click Edit → Upload certificate

Keycloak

'select your realm' → Clients → 'select your client' → Keys → scroll to Signing Key → Import

Encryption

Set certificate for encryption of saml assertion.

Azure

Enterprise applications → 'select your application → Token encryption → Import Certificate

Keycloak

'select your realm' → Clients → 'select your client' → Keys → scroll to Encryption Key → Import

Was this page helpful?
YES NO
Thanks for your feedback