Create module to bring back some of the functionality of the old frontpage

[tvdijen]

Is your feature request related to a problem? Please describe.
The old frontpage was very useful as a debug-tool, however it exposed individual authsources which imposed a security risk.
See #1554 and #1515 as a reference to what has changed.

Describe the solution you'd like
We could bring back some of the old functionality by exposing not the authsources but the hosted+remote IDPs. Because not everyone will use this, it makes sense to move this into a new module.

Describe alternatives you've considered
I don't really see any alternatives.. A good tool to debug IDP responses is a must-have. At least myself and @macmenco rely on this on a day-to-day basis

[thijskh]

I think the use case needs to be specified a bit more exactly to know what to do.

As an admin you can already test the auth source (which includes remote IdP's if a SAML SP auth source is defined) from within the admin module.

If the installation is an IdP, what would you need to be exposed to the public to be able to test what you want to test?

For an SP the same question.

[tvdijen]

@macmenco and me use it as an SP (one single SP authsource) where we send users if we have to debug something. It's basically the same as the Engineblock debug page. Let's start with exposing SP-authsources and take it from there. Those are safe to expose.

[thijskh]

So any authsource that is of type saml:SP?

[tvdijen]

Yes, exactly!

[jockexa]

@macmenco and me use it as an SP (one single SP authsource) where we send users if we have to debug something. It's basically the same as the Engineblock debug page. Let's start with exposing SP-authsources and take it from there. Those are safe to expose.

I'm also using simplesamlphp as a debugging tool in the very same scenario.
It's a great service for troubleshooting the content of a SAML response.

In version 1.19.x we simply tell the federating party (IdP) to use this https://example.com/simplesaml/module.php/core/login which displays all saml:SP configured in authsources.php and let them choose a saml:SP and tell us the result.

The beauty of this (in my opinion) is that all saml:SP are listed on one single page that does not require any authentication.
It would be nice to have that functionality in version 2.x.x as well without having to first use the admin-password.

[tvdijen]

@jockexa The problem is that in 1.1x it would show much more than just the saml:SP authsources (if you have any) which induced a serious security risk (especially for IdP's). That's why it was removed and has to be redesigned.

[jockexa]

@tvdijen OK, I get it.
I just wanted to add some more info and context to how I was using authsources since I'm only using it for saml:SP.