
✨ Feature / Public TestSupport with in-process FakeIdP #41

Description

@docJerem

Context

Host applications integrating ex_saml currently have no supported way to exercise the full SSO flow in their own test suites without standing up a real IdP (Okta, Entra, Keycloak…). This makes integration tests slow, flaky, or simply skipped, and it slows adoption.

Goal

Ship a publicly documented test-support surface that lets a host app drive a complete SP-initiated and IdP-initiated flow against an in-process fake IdP.

Proposed scope

  • ExSaml.TestSupport.FakeIdP — generates valid signed SAMLResponse / assertions for a given SP config (entity_id, ACS URL, NameID, attributes, conditions).
  • An XML-DSig signing helper so fixtures are signed with a test key whose cert matches the IdP fingerprints the SP is configured to trust (exercises the real verification path, not a bypass).
  • Helpers to build encrypted assertions (to cover the decrypt path) and logout request/response payloads.
  • Optional isolated store helpers so replay/relay-state state does not leak between tests.
  • A short "Testing your integration" guide.

Why

  • Lets consumers (and our own suite) assert real end-to-end behaviour, including signature verification and replay protection, with no network and no external IdP.
  • Strong adoption lever: "clone, add config, run a green SSO test locally" before touching production.

Notes

  • Must live behind a clear TestSupport namespace and never weaken production verification (signing keys are real, trust binding is real).
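The sketch below is an added example and not code from ex_saml (which is Elixir); it is written in Go to show, end to end, the shape the proposal asks for: a FakeIdP that signs a minimal assertion with a throwaway RSA key and self-signed cert, an SP whose trust is configured only by that cert's SHA-256 fingerprint, and a per-instance replay store. Every name in it (SPConfig, IdPFingerprints, FakeIdP, Respond, SP, Consume, Fingerprint) is an assumption, not ex_saml's API. One simplification is deliberate: the signature covers the serialized assertion bytes carried beside the XML, not an enveloped XML-DSig with exclusive canonicalization, so what to take from it is the verifier's order of operations (bind trust to a fingerprint, verify, only then parse, then check audience, recipient, validity window and replay), not the wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// SPConfig mirrors a host app's SP config (field names are assumptions, not ex_saml's);
// IdPFingerprints holds hex SHA-256 digests of the DER of each trusted IdP signing cert.
type SPConfig struct {
	EntityID, ACSURL string
	IdPFingerprints  map[string]bool
}
// Assertion is a deliberately minimal SAML-shaped assertion (Recipient is an element here, not an attribute).
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	ID         string     `xml:"ID,attr"`
	NameID     string     `xml:"Subject>NameID"`
	Recipient  string     `xml:"Subject>SubjectConfirmation>SubjectConfirmationData>Recipient"`
	Conditions Conditions `xml:"Conditions"`
}
type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Audience     string    `xml:"AudienceRestriction>Audience"`
}
// Response carries the exact signed bytes plus signature and signer cert. Real SAML embeds an enveloped
// XML-DSig with exclusive C14N inside the XML; this stand-in signs the serialized assertion bytes as-is.
type Response struct{ Assertion, Signature, CertDER []byte }
// Fingerprint is what the host app lists in IdPFingerprints: trust is bound to a cert, not to a test-mode flag.
func Fingerprint(certDER []byte) string { return fmt.Sprintf("%x", sha256.Sum256(certDER)) }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// FakeIdP owns a throwaway RSA key and self-signed cert, generated fresh per test run.
type FakeIdP struct {
	key     *rsa.PrivateKey
	CertDER []byte
}
func NewFakeIdP() *FakeIdP {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "fake-idp.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	return &FakeIdP{key: key, CertDER: must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))}
}
// Respond builds an assertion for sp, valid from a minute ago until five minutes from now, and signs it.
func (f *FakeIdP) Respond(sp SPConfig, id, nameID string, now time.Time) *Response {
	raw := must(xml.Marshal(Assertion{ID: id, NameID: nameID, Recipient: sp.ACSURL, Conditions: Conditions{
		NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute), Audience: sp.EntityID}}))
	digest := sha256.Sum256(raw)
	sig := must(rsa.SignPKCS1v15(rand.Reader, f.key, crypto.SHA256, digest[:]))
	return &Response{Assertion: raw, Signature: sig, CertDER: f.CertDER}
}

// SP is the verifying side; each instance owns its (single-goroutine) replay store, so SPs built in different tests share nothing.
type SP struct {
	cfg  SPConfig
	seen map[string]bool
}
func NewSP(cfg SPConfig) *SP { return &SP{cfg: cfg, seen: map[string]bool{}} }
// Consume runs the checks a production SP must run; none is relaxed because the IdP is fake.
func (s *SP) Consume(r *Response, now time.Time) (*Assertion, error) {
	cert, err := x509.ParseCertificate(r.CertDER)
	if err != nil || !s.cfg.IdPFingerprints[Fingerprint(r.CertDER)] {
		return nil, fmt.Errorf("signing cert rejected (fingerprint %s, parse error %v)", Fingerprint(r.CertDER), err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256(r.Assertion)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], r.Signature) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var a Assertion // parse only after the bytes are authenticated
	if err := xml.Unmarshal(r.Assertion, &a); err != nil {
		return nil, err
	}
	if c := a.Conditions; c.Audience != s.cfg.EntityID || a.Recipient != s.cfg.ACSURL ||
		now.Before(c.NotBefore) || !now.Before(c.NotOnOrAfter) {
		return nil, fmt.Errorf("audience, recipient or validity window check failed")
	}
	if s.seen[a.ID] {
		return nil, fmt.Errorf("replayed assertion %s", a.ID)
	}
	s.seen[a.ID] = true
	return &a, nil
}
```

A host test builds one `NewFakeIdP()`, puts `Fingerprint(idp.CertDER)` into its `SPConfig`, and feeds `idp.Respond(...)` to `NewSP(cfg).Consume(...)`; the same response consumed twice by the same SP fails the replay check, while a fresh SP accepts it, which is the store isolation the scope asks for. Removing the fingerprint from `IdPFingerprints` makes the identical signed response fail, so the fake exercises the real trust binding rather than a bypass.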
