Development with Docker Compose - silinternational/ssp-base GitHub Wiki

Summary

Running docker-compose will allow you to start up five containers for 2 SP's, the Hub and 2 IDP's.

Hosts File

Add the following lines to your hosts file to allow browsing to the different containers.

127.0.0.1 ssp-hub.local # use with port 80
127.0.0.1 ssp-hub-idp.local  # use with port 8085
127.0.0.1 ssp-hub-idp2.local # use with port 8086
127.0.0.1 ssp-hub-sp.local   # use with port 8081
127.0.0.1 ssp-hub-sp2.local  # use with port 8082

Try It Out

A helpful tool to use is the Firefox Addon called SAML Tracer. It will show the web pages the browser hits along with the response codes, parameters and SAML assertions.

In your shell, navigate to the main ssp-base folder and run ...

docker-compose up -d sp1 sp2 idp1 idp2 hub

When the containers are running,

First SP to First IDP

• navigate to the first SP ... http://ssp-hub-sp.local:8081, which will take you to the basic simplesamlphp admin page.
• click on the Authentication tab, then on the Test configured authentication sources link.
• click on the ssp-hub link.

This should take you to the hub's idp discovery page at http://ssp-hub.local.

• Click on LOGIN WITH IDP1, which will take you to the login page at http://ssp-hub-idp.local:8085
• Enter a as the password.

At this point, your browser should have returned to http://ssp-hub-sp.local:8081 to show your attributes.

Note that the attributes come in two versions: with the friendly name and the oid name. Also, note that the NameID ends with "@IDP-1". This was added by a sildisco authproc called AddIdp2NameId.

Second SP to Second IDP

Now, the SP remote metadata on the Hub includes an IDPList entry for the second SP that only includes the second IDP. Since you logged in through the first IDP, attempting to use the second SP will require logging in through the second IDP.

• navigate to the second SP .. http://ssp-hub-sp2.local:8082/module.php/core/authenticate.php
• click on the ssp-hub link

This should take you straight to the login page for the second IDP at http://ssp-hub-idp2.local:8086

• Enter b as the password.
• This should take you back to the second SP at http://ssp-hub-sp2.local:8082

Alternative order

If you began by logging in to the second SP (via the second IDP) and then went to the first SP's page, you would not be forced to authenticate a second time, since the first SP is allowed to use either IDP for authentication.