Tags: node.js, single-sign-on, saml-2.0

How do I set up a local test SAML2.0 Identity Provider?


As a Service Provider (SP) I have written a node.js service to process SAML2.0 Assertions. I would now like to test this code.

I am aware that I can use various cloud-based services to act as my test Identity Provider (IdP) however these require that my new, untested SP end-points be made public.

Currently I am simply POSTing a hand-crafted SAML2.0 Assertion to my SP end-point but I want a more realistic test, especially the ability to test SP initiated SSO.

Therefore I believe I need to have a local IdP running on my development machine so I can, for now, keep all my testing local and sand-boxed.

Can you recommend a way forward for me?


Solution

  • You actually do not need to publish your endpoints in order to be able to use a public IDP.

    All communication between the SP and IDP is either done through your browser (which of course needs to be able to access both your local SP and public IDP), or your SP calls IDP (when using HTTP-Artifact profile). But in usual situations IDP never directly calls SP, which means that SP can be running locally without a publicly accessible URL.

    One of the public IDPs which can be configured in this way is SSO Circle.

    In case you would still like to run an IDP locally, Shibboleth is probably your easiest bet.