feat: SAML SP login samples (Node, Java, .NET)#48
Merged
Conversation
- extract-snippets: ScenarioMeta gains optional `lib` so a scenario can declare its own library (e.g. @node-saml/passport-saml) instead of inheriting the framework manifest's default. lib_version lookup uses the override when present. - aggregate-manifests: ConfigRow gains optional `display_only` flag so rows can render in the dashboard without polluting the generated .env / environment.ts (e.g. an IdP-Initiated SSO test URL).
Express + @node-saml/passport-saml SP that authenticates against SecureAuth as the SAML IdP. One ACS endpoint accepts both SP-initiated and IdP-initiated flows (validateInResponseTo: ifPresent). Local session via express-session; logout clears the session cookie (CIAM does not implement SAML SLO). Registers a saml_sp_login scenario with app_type: saml and surfaces config rows for SP entity ID / ACS URL, IdP entity ID / SSO URL, signing certificate (download), and IdP-Initiated SSO launch URL (display only).
Adds two new SAML SP login samples mirroring the Node sample: - Java (Spring Boot 3.4 + spring-security-saml2-service-provider): single Application.java with inline @configuration for the relying-party registration, security filter chain (saml2Login + accept unsolicited responses), and home controller. Reuses the dev TLS keystore as the AuthnRequest signing credential. Targeted bearer-confirmation validator works around CIAM's host:port-form Address attribute and bypasses session-stored InResponseTo state across cross-site POST. - .NET (ASP.NET Core 10 Minimal APIs + Sustainsys.Saml2.AspNetCore2): Program.cs with cookie + SAML2 auth, IdP-initiated SSO enabled via AllowUnsolicitedAuthnResponse, IdP cert loader walks parent dirs to find ./saml-certificate.pem regardless of working directory. Both samples register a server_saml_sp_login scenario with app_type: saml. The aggregated server_saml_sp_login now spans node, java, and dotnet frameworks. Pipeline: - scripts/extract-snippets: per-scenario docs_url override (mirrors the existing per-scenario lib override) so SAML scenarios point at their own library docs instead of the framework's OIDC default. - scripts/aggregate-manifests: strip docs_url (along with run_command and lib) from the scenario-level entry — they all differ per framework and live in snippets.json keyed by framework.
There was a problem hiding this comment.
Pull request overview
Adds a new aggregated SAML SP Login quickstart scenario (server_saml_sp_login, app_type: saml) with end-to-end samples for Node.js, Java (Spring Boot/Spring Security SAML2), and .NET (ASP.NET Core + Sustainsys), plus pipeline support for per-scenario docs_url (mirroring the existing per-scenario lib override).
Changes:
- Introduces SAML SP login samples for Node.js, Java, and .NET (including basic integration/unit tests per sample).
- Extends snippet extraction/manifest aggregation to support per-scenario
docs_urlanddisplay_onlyconfig rows. - Updates generated snippet metadata (
snippets.json,snippet-manifest.yaml) to includedocs_urland the new SAML scenario.
Reviewed changes
Copilot reviewed 33 out of 35 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| snippets.json | Adds docs_url fields to existing snippets and introduces the new server_saml_sp_login scenario snippets for dotnet/java/node. |
| snippet-manifest.yaml | Adds aggregated server_saml_sp_login scenario with config rows (including display_only). |
| scripts/extract-snippets.ts | Adds per-scenario docs_url override and uses scenario-level lib for version resolution. |
| scripts/aggregate-manifests.ts | Adds display_only, supports scenario-level lib/docs_url fields, and strips run_command/lib/docs_url from aggregated scenario entries. |
| samples/node/manifest.yaml | Adds the server_saml_sp_login scenario metadata (run command, lib, docs URL, config rows). |
| samples/java/manifest.yaml | Adds the server_saml_sp_login scenario metadata (run command, lib, docs URL, config rows). |
| samples/dotnet/manifest.yaml | Adds the server_saml_sp_login scenario metadata (run command, lib, docs URL, config rows). |
| samples/node/saml-sp-login/package.json | New Node SAML sample package definition (deps/scripts). |
| samples/node/saml-sp-login/yarn.lock | New lockfile for the Node SAML sample. |
| samples/node/saml-sp-login/tsconfig.json | New TypeScript config for Node SAML sample (NodeNext, strict, noEmit). |
| samples/node/saml-sp-login/.yarnrc.yml | Yarn config for the Node SAML sample. |
| samples/node/saml-sp-login/.env.example | Env template for Node SAML sample. |
| samples/node/saml-sp-login/src/env.ts | requireEnv helper for Node SAML sample. |
| samples/node/saml-sp-login/src/saml.ts | Passport-SAML strategy configuration + IdP cert loading for Node SAML sample. |
| samples/node/saml-sp-login/src/app.ts | Express app wiring: sessions, passport, /login, /saml/acs, /logout, and HTML rendering. |
| samples/node/saml-sp-login/src/index.ts | HTTPS server bootstrap using a self-signed cert. |
| samples/node/saml-sp-login/src/app.test.ts | Vitest + supertest coverage for key auth routes and session behavior. |
| samples/node/saml-sp-login/README.md | Setup/run instructions and notes for Node SAML sample. |
| samples/java/saml-sp-login/pom.xml | New Spring Boot SAML sample Maven project (SAML2 SP + test deps + keystore plugin). |
| samples/java/saml-sp-login/.env.example | Env template for Java SAML sample. |
| samples/java/saml-sp-login/src/main/resources/application.yml | Server TLS + session cookie SameSite/Secure configuration for cross-site POST. |
| samples/java/saml-sp-login/src/main/java/com/secureauth/quickstart/Application.java | Spring Boot app: relying party registration, SAML validators, security chain, and home controller. |
| samples/java/saml-sp-login/src/test/resources/application.yml | Test-time server config (random port, SSL off). |
| samples/java/saml-sp-login/src/test/java/com/secureauth/quickstart/TestSamlConfig.java | Test SAML relying-party registration with stub cert for Spring Security SAML requirements. |
| samples/java/saml-sp-login/src/test/java/com/secureauth/quickstart/ApplicationTests.java | MockMvc tests for signed-in/signed-out home and logout. |
| samples/java/saml-sp-login/README.md | Setup/run instructions and production notes for Java SAML sample. |
| samples/dotnet/saml-sp-login/saml-sp-login.sln | New .NET solution including app + test project. |
| samples/dotnet/saml-sp-login/src/saml-sp-login.csproj | New ASP.NET Core SAML sample project (Sustainsys + env loader, pinned Newtonsoft.Json). |
| samples/dotnet/saml-sp-login/src/Program.cs | Minimal API SAML setup: env loading, IdP cert discovery, auth wiring, routes, and HTML rendering. |
| samples/dotnet/saml-sp-login/.env.example | Env template for .NET SAML sample. |
| samples/dotnet/saml-sp-login/tests/saml-sp-login.tests.csproj | New test project (xUnit + WebApplicationFactory) with pinned System.Drawing.Common. |
| samples/dotnet/saml-sp-login/tests/TestAuthHandler.cs | Test auth handler used to fake authenticated requests. |
| samples/dotnet/saml-sp-login/tests/AuthIntegrationTests.cs | Integration tests for /, /login, /logout plus startup env/cert setup. |
| samples/dotnet/saml-sp-login/README.md | Setup/run instructions and production notes for .NET SAML sample. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ksroda-sa
marked this pull request as ready for review
April 28, 2026 08:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds SAML SP login samples for Node.js, Java, and .NET, plus pipeline support for per-scenario library and docs URL overrides. The aggregated quickstart now exposes a new `server_saml_sp_login` scenario with `app_type: saml` that spans all three server frameworks.
What's new
Pipeline changes
🤖 Generated with Claude Code