SAML IdP Probe

Probe a SAML IdP deployment

Installation

Download the dependent Bash Library source, change directory to the source directory, and install the source into /tmp as follows:

$ export BIN_DIR=/tmp/bin
$ export LIB_DIR=/tmp/lib
$ ./install.sh $BIN_DIR $LIB_DIR

or install into your home directory:

$ export BIN_DIR=$HOME/bin
$ export LIB_DIR=$HOME/lib
$ ./install.sh $BIN_DIR $LIB_DIR

A target directory will be created if one doesn't already exist. The following files will be installed:

$ ls -1 $BIN_DIR
cget.sh

$ ls -1 $LIB_DIR 
command_paths.sh
compatible_date.sh
compatible_mktemp.sh
config_tools.sh
extract_entity.xsl
http_tools.sh
md_tools.sh
saml_tools.sh

Next download the SAML IdP Probe project source, change directory to the source directory, and install the source on top of the previous installation:

$ ./install.sh $BIN_DIR $LIB_DIR

Altogether the following files will be installed:

$ ls -1 $BIN_DIR
cget.sh
check_idp_error_urls.sh
list_local_idp_error_urls.sh
probe_saml_idp.sh

$ ls -1 $LIB_DIR 
command_paths.sh
compatible_date.sh
compatible_mktemp.sh
config_tools.sh
extract_IdP_entityIDs.xsl
extract_IdP_names.xsl
extract_InCommon_IdP_entityIDs.xsl
extract_entity.xsl
http_tools.sh
md_tools.sh
saml_tools.sh

Overview

check_idp_error_urls.sh

Given a list of entityIDs and a metadata source, bash script check_idp_error_urls.sh probes each entity and determines which of the entityIDs correspond to SAML IdP deployments. For each such deployment, the script determines whether it has an errorURL in metadata and whether or not that URL is resolvable. For example:

# Fetch the main production metadata aggregate at md.incommon.org:
$ MD_LOCATION=http://md.incommon.org/InCommon/InCommon-metadata.xml
$ MD_PATH=$MD_DIR/InCommon-metadata.xml
$ /usr/bin/curl --silent $MD_LOCATION > $MD_PATH

# Probe every errorURL in IdP metadata registered by InCommon
$ /bin/cat $MD_PATH \
  | /usr/bin/xsltproc $LIB_DIR/extract_InCommon_IdP_entityIDs.xsl - \
  | $BIN_DIR/check_idp_error_urls.sh -f $MD_PATH

See the inline help file for details:

$ $BIN_DIR/check_idp_error_urls.sh -h

probe_saml_idp.sh

Given a single IdP entityID, the probe_saml_idp.sh script probes all browser-facing SSO endpoints in IdP metadata.

$ id=https://idp.incommonfederation.org/idp/shibboleth
$ $BIN_DIR/probe_saml_idp.sh -a $id
0 redirects:2;response:200;dns:0.000;tcp:0.062;ssl:0.141;total:1.047 https://idp.incommonfederation.org/idp/profile/SAML2/Redirect/SSO urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect https://idp.incommonfederation.org/idp/shibboleth https://incommon.org
0 redirects:2;response:200;dns:0.000;tcp:0.062;ssl:0.149;total:1.140 https://idp.incommonfederation.org/idp/profile/SAML2/POST/SSO urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST https://idp.incommonfederation.org/idp/shibboleth https://incommon.org
0 redirects:2;response:200;dns:0.000;tcp:0.062;ssl:0.142;total:1.070 https://idp.incommonfederation.org/idp/profile/Shibboleth/SSO urn:mace:shibboleth:1.0:profiles:AuthnRequest https://idp.incommonfederation.org/idp/shibboleth https://incommon.org

The -a option probes all browser-facing endpoints, including SAML1 endpoints.

See the inline help file for details:

$ $BIN_DIR/probe_saml_idp.sh -h

Compatibility

The bash scripts are compatible with both GNU/Linux and Mac OS. The XSLT scripts are written in XSLT 1.0.

Dependencies

• Bash Library