Skip to content

feat: SAML SP login samples (Node, Java, .NET)#48

Merged
ksroda-sa merged 4 commits into
mainfrom
feature/saml-server-samples
Apr 28, 2026
Merged

feat: SAML SP login samples (Node, Java, .NET)#48
ksroda-sa merged 4 commits into
mainfrom
feature/saml-server-samples

Conversation

@ksroda-sa

@ksroda-sa ksroda-sa commented Apr 28, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds SAML SP login samples for Node.js, Java, and .NET, plus pipeline support for per-scenario library and docs URL overrides. The aggregated quickstart now exposes a new `server_saml_sp_login` scenario with `app_type: saml` that spans all three server frameworks.

What's new

  • `samples/node/saml-sp-login/` — Express + `@node-saml/passport-saml`. One ACS endpoint accepts both SP-initiated and IdP-initiated flows via `validateInResponseTo: "ifPresent"`.
  • `samples/java/saml-sp-login/` — Spring Boot 3.4 + `spring-security-saml2-service-provider` (Spring Security 6.4 / OpenSAML 4). `OpenSaml4AuthenticationProvider` with custom response/assertion validators that:
    • filter `INVALID_IN_RESPONSE_TO` from the response-level validator (allows IdP-initiated)
    • skip the `SC_CHECK_ADDRESS` check (CIAM emits host:port form)
    • feed the assertion's own `InResponseTo` back as the expected value (defends against session loss across cross-site POST)
    • reuse the dev TLS keystore as the SP signing credential (Spring Security 6.4 always signs AuthnRequests)
    • use `SameSite=None; Secure` session cookies
  • `samples/dotnet/saml-sp-login/` — ASP.NET Core 10 Minimal APIs + `Sustainsys.Saml2.AspNetCore2`. `AllowUnsolicitedAuthnResponse = true`. IdP cert loader walks parent directories to find `saml-certificate.pem` regardless of which subdir the app launches from. Pinned newer transitive deps to clear NU1903/NU1904 vulnerability warnings.

Pipeline changes

  • Per-scenario `lib` override (`scripts/extract-snippets.ts`) — already added in a prior commit, used here so `server_saml_sp_login` reports the SAML lib instead of inheriting the framework's OIDC default.
  • Per-scenario `docs_url` override (this PR) — mirrors `lib`. Each framework's SAML scenario now points at its actual SAML library docs (Sustainsys, Spring Security SAML2, passport-saml) instead of the framework-level OIDC docs URL.
  • `display_only` config rows (already added) — used here for the "IdP-Initiated SSO URL" row, which surfaces the test URL in the dashboard but is excluded from the generated `.env`.
  • Aggregator strips per-framework concerns (`run_command`, `lib`, `docs_url`) from the scenario-level entry in `snippet-manifest.yaml` since they all differ per framework and live in `snippets.json` keyed by framework.

🤖 Generated with Claude Code

- extract-snippets: ScenarioMeta gains optional `lib` so a scenario can
  declare its own library (e.g. @node-saml/passport-saml) instead of
  inheriting the framework manifest's default. lib_version lookup uses
  the override when present.
- aggregate-manifests: ConfigRow gains optional `display_only` flag so
  rows can render in the dashboard without polluting the generated .env
  / environment.ts (e.g. an IdP-Initiated SSO test URL).
Express + @node-saml/passport-saml SP that authenticates against
SecureAuth as the SAML IdP. One ACS endpoint accepts both SP-initiated
and IdP-initiated flows (validateInResponseTo: ifPresent). Local
session via express-session; logout clears the session cookie (CIAM
does not implement SAML SLO).

Registers a saml_sp_login scenario with app_type: saml and surfaces
config rows for SP entity ID / ACS URL, IdP entity ID / SSO URL,
signing certificate (download), and IdP-Initiated SSO launch URL
(display only).
Adds two new SAML SP login samples mirroring the Node sample:

- Java (Spring Boot 3.4 + spring-security-saml2-service-provider): single
  Application.java with inline @configuration for the relying-party
  registration, security filter chain (saml2Login + accept unsolicited
  responses), and home controller. Reuses the dev TLS keystore as the
  AuthnRequest signing credential. Targeted bearer-confirmation validator
  works around CIAM's host:port-form Address attribute and bypasses
  session-stored InResponseTo state across cross-site POST.
- .NET (ASP.NET Core 10 Minimal APIs + Sustainsys.Saml2.AspNetCore2):
  Program.cs with cookie + SAML2 auth, IdP-initiated SSO enabled via
  AllowUnsolicitedAuthnResponse, IdP cert loader walks parent dirs to
  find ./saml-certificate.pem regardless of working directory.

Both samples register a server_saml_sp_login scenario with app_type:
saml. The aggregated server_saml_sp_login now spans node, java, and
dotnet frameworks.

Pipeline:
- scripts/extract-snippets: per-scenario docs_url override (mirrors
  the existing per-scenario lib override) so SAML scenarios point at
  their own library docs instead of the framework's OIDC default.
- scripts/aggregate-manifests: strip docs_url (along with run_command
  and lib) from the scenario-level entry — they all differ per
  framework and live in snippets.json keyed by framework.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new aggregated SAML SP Login quickstart scenario (server_saml_sp_login, app_type: saml) with end-to-end samples for Node.js, Java (Spring Boot/Spring Security SAML2), and .NET (ASP.NET Core + Sustainsys), plus pipeline support for per-scenario docs_url (mirroring the existing per-scenario lib override).

Changes:

  • Introduces SAML SP login samples for Node.js, Java, and .NET (including basic integration/unit tests per sample).
  • Extends snippet extraction/manifest aggregation to support per-scenario docs_url and display_only config rows.
  • Updates generated snippet metadata (snippets.json, snippet-manifest.yaml) to include docs_url and the new SAML scenario.

Reviewed changes

Copilot reviewed 33 out of 35 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
snippets.json Adds docs_url fields to existing snippets and introduces the new server_saml_sp_login scenario snippets for dotnet/java/node.
snippet-manifest.yaml Adds aggregated server_saml_sp_login scenario with config rows (including display_only).
scripts/extract-snippets.ts Adds per-scenario docs_url override and uses scenario-level lib for version resolution.
scripts/aggregate-manifests.ts Adds display_only, supports scenario-level lib/docs_url fields, and strips run_command/lib/docs_url from aggregated scenario entries.
samples/node/manifest.yaml Adds the server_saml_sp_login scenario metadata (run command, lib, docs URL, config rows).
samples/java/manifest.yaml Adds the server_saml_sp_login scenario metadata (run command, lib, docs URL, config rows).
samples/dotnet/manifest.yaml Adds the server_saml_sp_login scenario metadata (run command, lib, docs URL, config rows).
samples/node/saml-sp-login/package.json New Node SAML sample package definition (deps/scripts).
samples/node/saml-sp-login/yarn.lock New lockfile for the Node SAML sample.
samples/node/saml-sp-login/tsconfig.json New TypeScript config for Node SAML sample (NodeNext, strict, noEmit).
samples/node/saml-sp-login/.yarnrc.yml Yarn config for the Node SAML sample.
samples/node/saml-sp-login/.env.example Env template for Node SAML sample.
samples/node/saml-sp-login/src/env.ts requireEnv helper for Node SAML sample.
samples/node/saml-sp-login/src/saml.ts Passport-SAML strategy configuration + IdP cert loading for Node SAML sample.
samples/node/saml-sp-login/src/app.ts Express app wiring: sessions, passport, /login, /saml/acs, /logout, and HTML rendering.
samples/node/saml-sp-login/src/index.ts HTTPS server bootstrap using a self-signed cert.
samples/node/saml-sp-login/src/app.test.ts Vitest + supertest coverage for key auth routes and session behavior.
samples/node/saml-sp-login/README.md Setup/run instructions and notes for Node SAML sample.
samples/java/saml-sp-login/pom.xml New Spring Boot SAML sample Maven project (SAML2 SP + test deps + keystore plugin).
samples/java/saml-sp-login/.env.example Env template for Java SAML sample.
samples/java/saml-sp-login/src/main/resources/application.yml Server TLS + session cookie SameSite/Secure configuration for cross-site POST.
samples/java/saml-sp-login/src/main/java/com/secureauth/quickstart/Application.java Spring Boot app: relying party registration, SAML validators, security chain, and home controller.
samples/java/saml-sp-login/src/test/resources/application.yml Test-time server config (random port, SSL off).
samples/java/saml-sp-login/src/test/java/com/secureauth/quickstart/TestSamlConfig.java Test SAML relying-party registration with stub cert for Spring Security SAML requirements.
samples/java/saml-sp-login/src/test/java/com/secureauth/quickstart/ApplicationTests.java MockMvc tests for signed-in/signed-out home and logout.
samples/java/saml-sp-login/README.md Setup/run instructions and production notes for Java SAML sample.
samples/dotnet/saml-sp-login/saml-sp-login.sln New .NET solution including app + test project.
samples/dotnet/saml-sp-login/src/saml-sp-login.csproj New ASP.NET Core SAML sample project (Sustainsys + env loader, pinned Newtonsoft.Json).
samples/dotnet/saml-sp-login/src/Program.cs Minimal API SAML setup: env loading, IdP cert discovery, auth wiring, routes, and HTML rendering.
samples/dotnet/saml-sp-login/.env.example Env template for .NET SAML sample.
samples/dotnet/saml-sp-login/tests/saml-sp-login.tests.csproj New test project (xUnit + WebApplicationFactory) with pinned System.Drawing.Common.
samples/dotnet/saml-sp-login/tests/TestAuthHandler.cs Test auth handler used to fake authenticated requests.
samples/dotnet/saml-sp-login/tests/AuthIntegrationTests.cs Integration tests for /, /login, /logout plus startup env/cert setup.
samples/dotnet/saml-sp-login/README.md Setup/run instructions and production notes for .NET SAML sample.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread samples/java/saml-sp-login/README.md Outdated
Comment thread samples/dotnet/saml-sp-login/tests/AuthIntegrationTests.cs
Comment thread scripts/aggregate-manifests.ts
Comment thread snippet-manifest.yaml Outdated
@ksroda-sa
ksroda-sa marked this pull request as ready for review April 28, 2026 08:09
@ksroda-sa
ksroda-sa merged commit d886871 into main Apr 28, 2026
31 checks passed
@ksroda-sa
ksroda-sa deleted the feature/saml-server-samples branch April 28, 2026 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants