Context
Host applications integrating ex_saml currently have no supported way to exercise the full SSO flow in their own test suites without standing up a real IdP (Okta, Entra, Keycloak…). This makes integration tests slow, flaky, or simply skipped, and it slows adoption.
Goal
Ship a publicly documented test-support surface that lets a host app drive a complete SP-initiated and IdP-initiated flow against an in-process fake IdP.
Proposed scope
- ExSaml.TestSupport.FakeIdP — generates valid signed SAMLResponse / assertions for a given SP config (entity_id, ACS URL, NameID, attributes, conditions).
- An XML-DSig signing helper so fixtures are signed with a test key whose cert matches the IdP fingerprints the SP is configured to trust (exercises the real verification path, not a bypass).
- Helpers to build encrypted assertions (to cover the decrypt path) and logout request/response payloads.
- Optional isolated store helpers so replay/relay-state state does not leak between tests.
- A short "Testing your integration" guide.
Why
- Lets consumers (and our own suite) assert real end-to-end behaviour, including signature verification and replay protection, with no network and no external IdP.
- Strong adoption lever: "clone, add config, run a green SSO test locally" before touching production.
Notes
- Must live behind a clear TestSupport namespace and never weaken production verification (signing keys are real, trust binding is real).
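The signing-helper item under "Proposed scope" and the trust-binding note above describe the same property: the fake IdP signs with a real key whose certificate the SP pins by fingerprint, so a test exercises the production verification path rather than a bypass. The following is an added example, not ex_saml's code or API, written in Go so it runs on the standard library alone: a hypothetical in-process IdP mints a throwaway RSA key and self-signed certificate, the SP config pins that certificate's SHA-256 fingerprint, and verification performs the fingerprint check followed by a genuine signature check. Every type and function name here is an assumption for illustration; the payload is treated as raw bytes, whereas a real SAMLResponse is XML-DSig over canonicalized XML.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// testIdP is a hypothetical stand-in for the FakeIdP idea (not ex_saml's API):
// a freshly generated signing key plus the self-signed cert the SP will pin.
type testIdP struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

// newTestIdP mints a real key and a short-lived self-signed certificate.
func newTestIdP(entityID string) (*testIdP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: entityID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testIdP{key: key, cert: cert}, nil
}

// fingerprint is the SHA-256 of the DER cert: the value an SP config pins.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// signedResponse stands in for a signed SAMLResponse: payload, RSA-SHA256
// signature, and the signing cert (as XML-DSig's KeyInfo would carry it).
type signedResponse struct {
	payload []byte
	sig     []byte
	cert    *x509.Certificate
}

// sign produces a genuine signature; there is no "test mode" shortcut.
func (idp *testIdP) sign(payload []byte) (signedResponse, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.key, crypto.SHA256, digest[:])
	if err != nil {
		return signedResponse{}, err
	}
	return signedResponse{payload: payload, sig: sig, cert: idp.cert}, nil
}

// spConfig is the SP side of the trust binding: fingerprints it accepts.
type spConfig struct {
	trustedFingerprints map[string]bool
}

// verify runs the two checks production must never skip: the presented cert
// must match a pinned fingerprint, then the signature must verify under it.
func (sp spConfig) verify(r signedResponse) error {
	if r.cert == nil || !sp.trustedFingerprints[fingerprint(r.cert)] {
		return fmt.Errorf("signing certificate is not among the SP's trusted fingerprints")
	}
	if err := r.cert.CheckSignature(x509.SHA256WithRSA, r.payload, r.sig); err != nil {
		return fmt.Errorf("signature verification failed: %w", err)
	}
	return nil
}

func main() {
	idp, err := newTestIdP("https://idp.example.test") // constructed entity ID
	if err != nil {
		panic(err)
	}
	// The host app's test config trusts exactly the fake IdP's certificate.
	sp := spConfig{trustedFingerprints: map[string]bool{fingerprint(idp.cert): true}}
	resp, _ := idp.sign([]byte(`<samlp:Response ID="_constructed">...</samlp:Response>`))
	fmt.Println("pinned IdP:", sp.verify(resp))
	rogue, _ := newTestIdP("https://rogue.example.test") // valid signature, unpinned cert
	rogueResp, _ := rogue.sign(resp.payload)
	fmt.Println("unpinned IdP:", sp.verify(rogueResp))
	resp.payload = append(resp.payload, '!') // modified after signing
	fmt.Println("tampered payload:", sp.verify(resp))
}
```

The point of the three calls in main is what the note asks for: the pinned IdP passes only because its fingerprint is in the SP config and its signature is real; a second IdP producing an equally valid signature is rejected at the fingerprint check, and a payload altered after signing is rejected at the signature check. Isolating the fake IdP under a TestSupport namespace does not change either check.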