The f5-oidc-sso-simulator provides a OIDC/SSO simulation environment to test user authentication, App/API authorization, and ID/access token claims' retrieval via your IdPs for the following persona and scenarios.
| Persona | Scenario |
|---|---|
| Product Manager, Solution Architect | New IdP Support: I want to test new IdPs to ensure my app's implementation supports it before selling the app. |
| Solution Engineer, Customer Support | SSO Troubleshooting: I want to test customers' IdP configuration without using my app as one of troubleshooting steps when getting authN errors. |
| Enterprise Customer | Token Claim Extract: I want to extract and check ID/access token claims with securely protecting PII without using public sites when configuring an IdP. |
| Software Engineer, Quality Engineer | OIDC Test Env: I want to quickly configure and run SSO test environments when testing my apps. |
- IdP Setup: Create an app in your IdP. Use the following URIs if you want to run this tool locally.
Category URI Example Redirect URI https://host.docker.internal:443/_codexchPost Logout Redirect URI https://host.docker.internal:443/_logout - Clone this repo
git clone https://github.com/f5devcentral/f5-oidc-sso-simulator.git
- Docker: Install and Run Docker
- Host: Edit
hostsfile when testing your app locally:$ sudo vi /etc/hosts 127.0.0.1 host.docker.internal
- Nginx Plus Free Trial: Download Nginx Plus license files, and copy
nginx-repo.crtandnginx-repo.keyto./common/certs/.
Skip this step if you just want to locally run this environment with a Keycloak bundle.
- DNS: Edit your DNS resolver in
template/oidc_dns_resolver.confas the following example:resolver 127.0.0.11; # For local Docker DNS lookup #resolver 8.8.8.8; # For DNS lookup of external IDP endpoint
- IdP Endpoints: Edit
template/oidc_idp.confmap $oidc_app_identifier $idp_domain { default host.docker.internal:8443/realms/master/protocol/openid-connect; } map $oidc_app_identifier $oidc_authz_endpoint { default https://$idp_domain/auth; } map $oidc_app_identifier $oidc_jwt_keyfile { default https://$idp_domain/certs; } map $oidc_app_identifier $oidc_logout_endpoint { default https://$idp_domain/logout; } map $oidc_app_identifier $oidc_token_endpoint { default https://$idp_domain/token; } map $oidc_app_identifier $oidc_userinfo_endpoint { default https://$idp_domain/userinfo; } map $oidc_app_identifier $oidc_scopes { default "openid+profile+email"; } map $oidc_app_identifier $oidc_client { default "my-client-id"; } map $oidc_app_identifier $oidc_pkce_enable { default 1; # Set value with 0 if secret is needed. } map $oidc_app_identifier $oidc_client_secret { default "{{edit-your-client-secret-unless-pkce-enabled}}"; }
- Host & Certs: Edit
template/oidc_proxy_host_certs.conf - Config Automation: TBD via
well-known endpoint.
- Start Docker containers:
make start
- Check Docker containers' status:
make watch
- Run a Web Browser with https://host.docker.internal and click
Sign in/outbutton:Landing Page IdP Sign in User Info after Sign-in 
- Check ID/access token claims and test API authorization
ID Token Claims Access Token Claims Proxied API Authorization 
Note:
- Ensure ID token contains OIDC standard claim names of
given_name, family_name, emailfor F5 Distributed Cloud(XC) Customers before configuring F5 XC SSO. - Authentication error will be occured with XC if your IdP doesn't return ID token.
- User Account Information form will be shown in XC if the ID token doesn't contain standard claims.
- Ensure ID token contains OIDC standard claim names of
- NGINX OIDC Core and App Examples for multiple Identity Providers
- Amazon Cognito Setup & Nginx Config Example
- Auth0 Setup & Nginx Config Example
- Azure Entera ID (a.k.a. AD) Setup & Nginx Config Example
- Keycloak Setup & Nginx Config Example
- Okta Setup & Nginx Config Example
- OneLogin Setup & Nginx Config Example
- Ping Identity Setup & Nginx Config Example
- Google SSO Setup & F5 Distributed Cloud Example
- Custom SSO Setup & & F5 Distributed Cloud Example