Local Development with the SAML Toolkit
Overview
The SAML Toolkit provides a local development environment to build and test SAML Single Sign-On (SSO) integrations. This toolkit simulates a SAML Identity Provider, allowing you to develop and validate your SAML client implementation before connecting to production environments.
To setup the SAML Toolkit, refer to the instructions in the README file.
Features
- Mock SAML Identity Provider - Full SAML 2.0 authentication flow
- SAML Assertion Generation - XML assertions with non-editable mock attributes
- Digital Signing - RS256-signed assertions using Candescent's private key
- Assertion Encryption - Support for vendor-provided encryption certificates
- E2E Validation - Automated tests to verify your integration
- Downloadable Artifacts - Public key for signature verification
How It Works
Configuration Page
When the toolkit loads, it displays:
- ACS URL input field
- Enter your Test Assertion Consumer Service URL
- Test encryption public certificate field
- Enter the Test public certificate in PEM format
- User attributes (first name, last name, member ID, and email)
- non-editable mock data
- Download Candescent Public Key
- For signature verification
SAML Flow
-
Enter the test ACS URL and encryption public certificate
- Test ACS URL Example:
- If running locally:
http://localhost:7080/api/saml-validator/acs - If running in Docker:
http://host.docker.internal:7080/api/saml-validator/acs
- If running locally:
- Public Certificate: Enter the test public certificate in PEM format
- Test ACS URL Example:
-
Click Run Simulation to generate and post the SAML assertion
-
Backend processes the request:
- Creates a SAML assertion in XML format.
- Signs it using Candescent's private key.
- Encrypts it using the test public key.
- Base64-encodes the SAML response.
- Posts it to the test ACS URL.
-
The system displays:
- A success screen upon receiving a successful response from the ACS endpoint.
- An error screen with an appropriate error message when the ACS endpoint returns a failure response.
SAML Endpoints
The toolkit exposes standard SAML endpoints:
| Endpoint | Method | Description |
|---|---|---|
/api/saml/login | POST | Generates and posts SAML assertion to ACS URL |
/api/saml/saml-setting | GET | Retrieves cached SAML settings |
/api/public-key | GET | Returns Candescent's public key for signature verification |
/api/e2e-test | POST | Runs E2E tests and returns test reports as ZIP |
/api/publish-config | GET | Downloads SAML configuration file |
/api/health | GET | Health check |
Validation
Running the Validator
- Navigate to
http://localhost:8000/samlValidator. - Click Run Validator to execute E2E tests.
- Review the validation report.
- Download reports (if needed).
- Publish SAML settings after successful validation.
The validator tests:
- SAML assertion generation
- Digital signing
- Assertion encryption
- ACS endpoint communication
- Response validation
Validation Reports
After running the validator, download:
- e2e-report.html - Human-readable test report
- jest-e2e.xml - XML test report with test cases.
Configuration
Port Configuration
Edit sample-web-app/config.json:
{
"frontendPort": 8000,
"backendPort": 9000
}
Values can be changed to any available ports on your system.
Component Overview
| Component | Technology | Purpose |
|---|---|---|
| Frontend | React, Redux Toolkit | Configuration UI and flow initiator |
| Backend | NestJS | Mock SAML Identity Provider |
| client-web-app | NestJS | Mock vendor environment for testing |
About the client-web-app
The client-web-app is a separate NestJS-based service that acts as a mock vendor environment for testing SAML SSO flows. It includes dummy ACS URL and test encryption public certificate to test the end-to-end flow.
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| Port already in use | Another service running | Edit config.json to change ports |
| Backend won't start | Missing private key | Default keys should be in certs/. If missing, check certificate files |
| Frontend not connecting to backend | Backend not running | Ensure backend is started on the configured port |
| Token validation fails | Certificate mismatch | Re-download public key from the toolkit |
| Docker pull: "unauthorized" | Package visibility | The package must be public. Verify at https://github.com/orgs/candescent-dev/packages |
| Docker pull: "no matching manifest for linux/arm64" | Image built for AMD64 only | Use --platform linux/amd64 flag or build locally (see Docker Setup) |
Security Notice
Default Development Certificates
This toolkit includes pre-generated RSA keys in sample-web-app/backend/certs/ for convenience:
- ✅ Safe for local development and testing.
- ❌ NOT secure for production use.
- ❌ NOT secure for QA/staging environments.
For Production Use
If deploying to production or QA, generate your own keys using appropriate security practices.
Next Steps
After validating your integration locally:
- Contact your PM - Request QA environment access.
- Complete the Setup Checklist - Provide application details.
- Begin QA testing - Validate with real Candescent endpoints.
- Proceed to certification - Complete FI environment testing.
References
- Technical Reference - Full SAML specification details
- FAQ & Troubleshooting - Common questions and issues