Test application for testing authentication against Identity Providers in the Sweden Connect federation.
The Test my eID Spring Boot application is the official test service provider for testing authentication against the identity providers of the Sweden Connect federation.
It is released as open source so that anyone can see how an authentication request that is compliant with the Sweden Connect Technical Framework should be constructed. The application also contains a reference for how to validate a response message containing a SAML assertion.
Test my eID is available in the following federations:

- Sweden Connect Sandbox - https://eid.idsec.se/testmyeid
  - Note: Not all IdP:s in the sandbox federation are functioning correctly. The Test my eID application is currently configured to support all IdP:s that seem to be "up". Anyone adding a new IdP to the sandbox federation who wants it to be supported by the test application should send a mail to [email protected].
- Sweden Connect QA - https://qa.test.swedenconnect.se
- Sweden Connect Production - https://test.swedenconnect.se
This section describes the configuration settings of the application.
You can start the application by giving property values on the form `-D<property>=<value>` to the Java application. For example:

```shell
JAVA_OPTS="-Dserver.port=9443 -Dmanagement.server.port=9444"
java $JAVA_OPTS -jar test-my-eid-<version>.jar
```

Or, you can assign the corresponding environment variables (they must be exported, or set on the same line, to be visible to the Java process):

```shell
export SERVER_PORT=9443
export MANAGEMENT_SERVER_PORT=9444
java -jar test-my-eid-<version>.jar
```
The Test my eID application has four pre-defined Spring profiles (that are mutually exclusive): `prod`, for Sweden Connect production, `qa`, for running in the Sweden Connect QA federation, `sandbox`, for the Sweden Connect Sandbox federation, and `local`, for local deployment.
See the corresponding `application-<profile>.yml` files under `src/main/resources` for the default values for each profile.
General servlet settings:

| Property / Environment variable | Description | Default value |
|---|---|---|
| `spring.profiles.active` / `SPRING_PROFILES_ACTIVE` | The active Spring profile(s). Built-in support for `prod`, `qa` and `sandbox` is available. They contain default settings (see below) for Sweden Connect production, Sweden Connect QA and Sweden Connect Sandbox. | - |
| `server.port` / `SERVER_PORT` | The server port. | `8443` |
| `server.servlet.context-path` / `SERVER_SERVLET_CONTEXT_PATH` | The context path for the application. | `/testmyeid` |
| `server.ssl.enabled` / `SERVER_SSL_ENABLED` | Is TLS enabled for the application? | `true` |
| `server.ssl.key-store` / `SERVER_SSL_KEY_STORE` | The path to the keystore holding the application TLS key and certificate. | `classpath:snakeoil-localhost.p12` (needs to be changed to reflect the application host name, unless running in AJP mode, see below) |
| `server.ssl.key-store-type` / `SERVER_SSL_KEY_STORE_TYPE` | The type of the TLS keystore (PKCS12/JKS). | `PKCS12` |
| `server.ssl.key-store-password` / `SERVER_SSL_KEY_STORE_PASSWORD` | The password for the above keystore. | `secret` |
| `server.ssl.key-alias` / `SERVER_SSL_KEY_ALIAS` | The keystore alias holding the TLS key and certificate. | `localhost` |
| `server.ssl.key-password` / `SERVER_SSL_KEY_PASSWORD` | The password to unlock the TLS key. | `secret` |
| `tomcat.ajp.enabled` / `TOMCAT_AJP_ENABLED` | Is the AJP protocol enabled? | `false` |
| `tomcat.ajp.port` / `TOMCAT_AJP_PORT` | The AJP port. | `8009` |
| `tomcat.ajp.secret-required` / `TOMCAT_AJP_SECRET_REQUIRED` | Whether an AJP secret is required. | `false` |
| `tomcat.ajp.secret` / `TOMCAT_AJP_SECRET` | Tomcat AJP secret. | - |
Application settings:

| Property / Environment variable | Description | Default value |
|---|---|---|
| `sp.entity-id` / `SP_ENTITY_ID` | The SAML entityID for the Test my eID application. | `http://test.swedenconnect.se/testmyeid` |
| `sp.sign-entity-id` / `SP_SIGN_ENTITY_ID` | The SAML entityID for the Test my eID application when it acts as a signature service. | `http://test.swedenconnect.se/testmyeid-sign` |
| `sign-sp.entity-id` / `SIGN_SP_ENTITY_ID` | Deprecated. Use `sp.sign-entity-id`. | `http://test.swedenconnect.se/testmyeid-sign` |
| `sp.base-uri` / `SP_BASE_URI` | The base URI for the SP application, e.g., `https://test.swedenconnect.se`. | - |
| `sp.federation.metadata.url` / `SP_FEDERATION_METADATA_URL` | The URL from which federation metadata is periodically downloaded. | For production: `https://md.swedenconnect.se/role/idp.xml`<br/>For QA: `https://qa.md.swedenconnect.se/role/idp.xml`<br/>For sandbox: `https://eid.svelegtest.se/metadata/mdx/role/idp.xml` |
| `sp.federation.metadata.validation-certificate` / `SP_FEDERATION_METADATA_VALIDATION_CERTIFICATE` | Path to the certificate that is to be used to verify metadata signatures. The application classpath contains valid certificates for the `sandbox`, `qa` and `prod` profiles. To override any of the default values give the full path prefixed with `file:`. | For production: `classpath:prod/sc-metadata.crt`<br/>For QA: `classpath:qa/sc-qa-metadata.crt`<br/>For sandbox: `classpath:sandbox/sandbox-metadata.crt` |
| `sp.discovery.static-idp-configuration` / `SP_DISCOVERY_STATIC_IDP_CONFIGURATION` | Optional configuration file that tells how the IdP discovery page should be displayed. See further the "IdP Discovery Configuration" section below. To override a default value give the full path prefixed with `file:`. | Default (no profile): -<br/>For production: `classpath:prod/idp-disco-prod.yml`<br/>For QA: `classpath:qa/idp-disco-qa.yml`<br/>For sandbox: `classpath:qa/idp-disco-sandbox.yml` |
| `sp.discovery.black-list` / `SP_DISCOVERY_BLACK_LIST` | A list of black-listed IdP:s (entity ID:s). | - |
| `sp.discovery.include-only-static` / `SP_DISCOVERY_INCLUDE_ONLY_STATIC` | Whether only statically configured IdP:s should be selectable (see above). | `false` |
| `sp.discovery.cache-time` / `SP_DISCOVERY_CACHE_TIME` | Number of seconds the application should keep the discovery cache. | `600` (10 minutes) |
| `sp.discovery.ignore-contracts` / `SP_DISCOVERY_IGNORE_CONTRACTS` | Should contract entity categories be ignored during discovery matching? | `true` |
| `sp.security.algorithm-config.rsa-oaep-digest` / `SP_SECURITY_ALGORITHM_CONFIG_RSA_OAEP_DIGEST` | Which digest method to use as default for RSA-OAEP encryption. Consider using `http://www.w3.org/2000/09/xmldsig#sha1` if we run into too many interop issues with the SHA-256 default. | `http://www.w3.org/2001/04/xmlenc#sha256` |
| `sp.security.algorithm-config.use-aes-gcm` / `SP_SECURITY_ALGORITHM_CONFIG_USE_AES_GCM` | Should the AES-GCM block cipher mode be used? The alternative is AES-CBC. | `true` |
For easy deployment, the Test my eID application comes with pre-packaged credentials in the form of Java keystore files. For production these should be changed.

The table below shows the configuration settings for the three credentials used. The `<usage>` placeholder stands for:

- `sign` - The credential the SP application uses to sign authentication requests.
- `decrypt` - The credential holding the decryption key (to decrypt assertions).
- `md-sign` - The signature credential used to sign the metadata (published at `/testmyeid/metadata`).

| Property / Environment variable | Description | Default value |
|---|---|---|
| `sp.credential.<usage>.resource` / `SP_CREDENTIAL_<usage>_RESOURCE` | The resource holding the keystore file. To override the default setting give the full path prefixed with `file:`. | For sign and decrypt: `classpath:sp-keys.jks`<br/>For metadata sign: `classpath:metadata-sign.jks` |
| `sp.credential.<usage>.file` / `SP_CREDENTIAL_<usage>_FILE` | Deprecated. Use `sp.credential.<usage>.resource`. | See above. |
| `sp.credential.<usage>.type` / `SP_CREDENTIAL_<usage>_TYPE` | The type of keystore - `JKS` or `PKCS12`. | `JKS` |
| `sp.credential.<usage>.password` / `SP_CREDENTIAL_<usage>_PASSWORD` | The password to unlock the keystore. | `secret` |
| `sp.credential.<usage>.alias` / `SP_CREDENTIAL_<usage>_ALIAS` | The alias for the key entry in the store. | For sign: `sign`<br/>For decrypt: `encrypt`<br/>For metadata sign: `mdsign` |
| `sp.credential.<usage>.key-password` / `SP_CREDENTIAL_<usage>_KEY_PASSWORD` | The password to unlock the key entry. | `secret` |
SAML metadata for the SP application is put together using a set of configurable properties and published on `/testmyeid/metadata`. All metadata properties are prefixed with `sp.metadata.` and control entity categories, display name, logotype, organization name and contact details. See further the `application.yml` file. To override a property simply define your own value for it.
Management API settings:

For settings concerning the Spring Boot management API, see the property values prefixed with `management` in `application.yml`.

Log settings:

| Property / Environment variable | Description | Default value |
|---|---|---|
| `logging.level.root` / `LOGGING_LEVEL_ROOT` | Default level for logging. | `INFO` |
| `logging.level.testmyeid` / `LOGGING_LEVEL_TESTMYEID` | Logging level for Test my eID logic. | `DEBUG` |

For controlling the log level for a specific package, assign a property/variable on the format `logging.level.<package-name>` / `LOGGING_LEVEL_<package-name separated with '_'>`.
The page where the user selects which IdP (or authentication method) to use is normally called "IdP Discovery". It is possible to construct such a list based only on the IdP:s found in the SAML metadata, where each IdP declares its display name and logotype. However, for an optimal user interface you may want to add extra information, display a more suitable logotype, filter out some of the IdP:s found and, perhaps most important, display the options in the order that you decide.

Therefore, the Test my eID application may be supplied with an IdP discovery configuration file (by assigning the property `sp.discovery.static-idp-configuration`). This configuration file is a list under the `idp` key where each item may contain:

| Property | Description | Default |
|---|---|---|
| `entity-id` | The entityID of the IdP. | Required field - no default |
| `display-name-sv` / `display-name-en` | The display name in Swedish/English for the IdP. | IdP metadata entry (`mdui:DisplayName` element with language tag "sv"/"en"). |
| `description-sv` / `description-en` | For some IdP:s we may want to add additional information. This property provides this information in Swedish/English. | - |
| `logo-url` | A URL for the IdP logotype that should be displayed in the UI. | IdP metadata entry (`mdui:Logo` element with the most "square" dimensions). |
| `logo-width` / `logo-height` | The width/height for `logo-url`. | - |
| `enabled` | Enable flag. May be used if a configuration for an IdP is set up, but it should not be active until later. | `true` |
Example:

The default IdP configuration file for the Sweden Connect QA profile looks like:

```yaml
idp:
  # The eIDAS connect
  - entity-id: https://qa.connector.eidas.swedenconnect.se/eidas
  # Freja eID Plus
  - entity-id: https://idp-sweden-connect-valfr-2017-ct.test.frejaeid.com
    logo-url: https://idp-sweden-connect-valfr-2017-ct.test.frejaeid.com/idp/images/frejaeid_logo.svg
    logo-height: 75
    logo-width: 75
  # The Sweden Connect Reference IdP
  - entity-id: http://qa.test.swedenconnect.se/idp
```
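To make the interplay between the static configuration, the metadata-derived IdP list and the `sp.discovery.black-list` / `sp.discovery.include-only-static` settings concrete, here is an added example (not code from the Test my eID project) that builds the discovery list. The merge rules are my reading of the table above, not the application's implementation; the metadata names and logo URLs are constructed.

```python
# Added example, not the Test my eID application's own code: builds the IdP
# discovery list from the static `idp` configuration described above, the IdPs
# found in federation metadata and the sp.discovery.black-list /
# sp.discovery.include-only-static settings. The merge rules are my reading of
# the configuration table, not the application's implementation.

# Constructed sample: the QA discovery YAML above, deserialized, with the
# reference IdP switched off via the enabled flag.
EIDAS = "https://qa.connector.eidas.swedenconnect.se/eidas"
FREJA = "https://idp-sweden-connect-valfr-2017-ct.test.frejaeid.com"
REF_IDP = "http://qa.test.swedenconnect.se/idp"
STATIC_IDP_CONFIG = [
    {"entity-id": EIDAS},
    {"entity-id": FREJA, "logo-url": FREJA + "/idp/images/frejaeid_logo.svg",
     "logo-height": 75, "logo-width": 75},
    {"entity-id": REF_IDP, "enabled": False},
]

# Constructed sample of what mdui:DisplayName / mdui:Logo in the federation
# metadata would yield (names and logo URLs are made up, one IdP is unlisted).
METADATA_IDPS = {
    EIDAS: {"display-name-sv": "Utländskt eID", "display-name-en": "Foreign eID",
            "logo-url": "https://md.example.invalid/eidas.png"},
    FREJA: {"display-name-sv": "Freja eID+", "display-name-en": "Freja eID+",
            "logo-url": "https://md.example.invalid/freja-wide.png"},
    REF_IDP: {"display-name-sv": "Referens-IdP", "display-name-en": "Reference IdP",
              "logo-url": "https://md.example.invalid/ref.png"},
    "https://idp.example.invalid/unlisted": {"display-name-sv": "Ej listad",
            "display-name-en": "Unlisted", "logo-url": "https://md.example.invalid/u.png"},
}

def build_discovery_list(static_cfg, metadata_idps, black_list=(), include_only_static=False):
    """Static entries first, in configuration order, with static values
    overriding metadata values; disabled, black-listed and unknown IdPs are
    dropped; other metadata IdPs follow unless include_only_static is set."""
    if any("entity-id" not in i for i in static_cfg):
        raise ValueError("entity-id is required for every static IdP entry")
    excluded = set(black_list) | {i["entity-id"] for i in static_cfg if not i.get("enabled", True)}
    result, shown = [], set()
    for item in static_cfg:
        eid = item["entity-id"]
        if eid in excluded or eid not in metadata_idps:
            continue  # black-listed, disabled, or not part of the federation
        result.append({"entity-id": eid, **metadata_idps[eid], **item})
        shown.add(eid)
    if not include_only_static:
        for eid, md in metadata_idps.items():
            if eid not in shown and eid not in excluded:
                result.append({"entity-id": eid, **md})
    return result
```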
Somewhat overkill for a test application, but Test my eID also has a management API.

Endpoints for monitoring and administering the service can be accessed via the management port (default: 8444). This port should not be publicly exposed and is for internal use only. The following endpoints are available:

The `/manage/health` endpoint returns a general health indication for the service. For an "UP" status, the endpoint will return a 200 HTTP status along with a JSON response that may look something like:

```shell
curl --insecure https://<server>:8444/testmyeid/manage/health
```

```json
{
  "status" : "UP",
  "details" : {
    "diskSpace" : {
      "details" : {
        "free" : 139894284288,
        "threshold" : 10485760,
        "total" : 500068036608
      },
      "status" : "UP"
    },
    "testMyEid" : {
      "status" : "UP"
    }
  }
}
```

If all checks performed by the `health` endpoint return "UP", the overall status will be "UP" and a 200 HTTP status is returned.

The `/manage/info` endpoint displays information about the service. Spring Boot supplies some information such as build info and version information.

```shell
curl --insecure https://<server>:8444/testmyeid/manage/info
```

```json
{
  "app" : {
    "version" : "1.0.0",
    "name" : "test-my-eid",
    "description" : "Application for testing my eID"
  }
}
```
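A monitoring probe usually wants to know which indicator behind `/manage/health` is failing, not just that the overall status is not "UP". The following added example (not part of the Test my eID project) walks the nested `details` structure shown above; the sample response is constructed, with the application's own indicator reporting DOWN.

```python
# Added example, not part of the Test my eID project: evaluates the JSON body
# returned by /manage/health the way a monitoring probe would, reporting every
# indicator that is not UP by its dotted path.
import json

# Constructed sample response: same shape as the health output above, but with
# the application's own indicator reporting DOWN.
SAMPLE_HEALTH = json.dumps({
    "status": "DOWN",
    "details": {
        "diskSpace": {"details": {"free": 139894284288, "threshold": 10485760,
                                  "total": 500068036608}, "status": "UP"},
        "testMyEid": {"status": "DOWN"},
    },
})

def failing_components(body):
    """Return the dotted names of all health indicators that do not report UP."""
    health = json.loads(body) if isinstance(body, str) else body
    bad = []

    def walk(node, path):
        for name, child in node.get("details", {}).items():
            if not isinstance(child, dict) or "status" not in child:
                continue  # plain detail values such as free/threshold/total
            if child["status"] != "UP":
                bad.append(".".join(path + [name]))
            walk(child, path + [name])  # indicators may nest further indicators

    walk(health, [])
    return bad

def overall_status(body):
    """UP only when the top-level status and every indicator report UP."""
    health = json.loads(body) if isinstance(body, str) else body
    if health.get("status") == "UP" and not failing_components(health):
        return "UP"
    return "DOWN"

if __name__ == "__main__":
    print(overall_status(SAMPLE_HEALTH), failing_components(SAMPLE_HEALTH))
```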
Copyright © 2016-2024, Sweden Connect. Licensed under version 2.0 of the Apache License.