A mock SingPass/CorpPass/MyInfo server for dev purposes

• Click the ready-to-code badge above
• Wait for MockPass to start
• Make port 5156 public
• Open Browser to note the URL hosting MockPass
• Configure your application per local machine quick start, changing the localhost:5156 to the Gitpod hostname

Configure your application to point to the following endpoints:

SingPass:

• http://localhost:5156/singpass/logininitial - SAML login redirect with optional page
• http://localhost:5156/singpass/soap - receives SAML artifact and returns assertion
• http://localhost:5156/singpass/authorize - OIDC login redirect with optional page
• http://localhost:5156/singpass/token - receives OIDC authorization code and returns id_token

CorpPass:

• http://localhost:5156/corppass/logininitial
• http://localhost:5156/corppass/soap
• http://localhost:5156/corppass/authorize - OIDC login redirect with optional page
• http://localhost:5156/corppass/token - receives OIDC authorization code and returns id_token

MyInfo:

• http://localhost:5156/myinfo/{v2,v3}/person-basic (exclusive to government systems)
• http://localhost:5156/myinfo/{v2,v3}/authorise
• http://localhost:5156/myinfo/{v2,v3}/token
• http://localhost:5156/myinfo/{v2,v3}/person

Provide your application with the spcp* certs found in static/certs and with application certs at static/certs/{key.pem|server.crt}

Alternatively, provide the paths to your app cert as env vars SERVICE_PROVIDER_CERT_PATH and SERVICE_PROVIDER_PUB_KEY

$ npm install @opengovsg/mockpass

# Some familiarity with SAML Artifact Binding is assumed
# Optional: Configure where MockPass should send SAML artifact to, default endpoint will be `PartnerId` in request query parameter.
$ export SINGPASS_ASSERT_ENDPOINT=http://localhost:5000/singpass/assert
$ export CORPPASS_ASSERT_ENDPOINT=http://localhost:5000/corppass/assert

# All values shown here are defaults
$ export MOCKPASS_PORT=5156
$ export MOCKPASS_NRIC=S8979373D
$ export MOCKPASS_UEN=123456789A

$ export SHOW_LOGIN_PAGE=true # Optional, defaults to `false`

# Disable signing/encryption (Optional, by default `true`)
$ export SIGN_ASSERTION=false
$ export ENCRYPT_ASSERTION=false
$ export SIGN_RESPONSE=false
$ export RESOLVE_ARTIFACT_REQUEST_SIGNED=false

# Encrypt payloads returned by /myinfo/*/{person, person-basic},
# equivalent to MyInfo Auth Level L2 (testing and production)
$ export ENCRYPT_MYINFO=false

# If specified, will verify token provided in Authorization header
# for requests to /myinfo/*/token
$ export SERVICE_PROVIDER_MYINFO_SECRET=<your secret here>

$ npx mockpass
MockPass listening on 5156

There currently is nothing widely available to test an application's integration with SingPass/CorpPass using a dev machine alone. This is awkward for developers who then need to connect to the staging servers hosted by SingPass/CorpPass, which may not always be available (eg, down for maintenance, or no Internet).

MockPass tries to solves this by providing an extremely lightweight implementation of a SAML 2.0 Identity Provider that returns mock SingPass and CorpPass assertions. It optionally provides a mock login page that (badly) mimics the SingPass/CorpPass login experience.

We welcome contributions to code open-sourced by the Government Technology Agency of Singapore. All contributors will be asked to sign a Contributor License Agreement (CLA) in order to ensure that everybody is free to use their contributions.