# About

## What is BadIdP?
BadIdP is a fully customizable identity provider which supports all valid (and invalid) OpenID Connect 1.0 and SAML 2.0 flows. Upon receiving an authentication request from a service, BadIdP will show the user/tester (you) all the information received in the authentication request from the service, and allow you to fully craft the response that BadIdP will return.
In the case of OIDC 1.0, this means you will be allowed to craft what claims your token will have, i.e. you can set the values of any of the claims relevant to the `openid`, `email`, or `profile` scopes, or any additional custom claims you wish to provide.
In the case of SAML 2.0, this means you will be allowed to craft the assertion response, i.e. you can set the values of any of the fields in the assertion request sent by the service, as well as any additional custom fields you wish to provide.
## What Can I Use BadIdP For?

### Accelerate Manual Integration Testing
BadIdP is a powerful tool for quickly validating how your service integrates with identity providers using OpenID Connect or SAML protocols. It removes the overhead of configuring real IdPs and gives you full control over the authentication flow, allowing you to:
- Test end-to-end login flows in minutes: Skip the hassle of setting up Okta, Azure AD, or other IdPs by instantly simulating login flows with BadIdP
- Manually craft token and assertion responses: Control every aspect of the returned OIDC ID token or SAML assertion to match what your application expects, or intentionally deviate from it
- Iterate rapidly without deploying changes: BadIdP enables you to tweak claims or attributes on the fly, making it ideal for testing edge cases or new integrations
- Debug integration issues interactively: See exactly what your application sends and receives during the authentication process to help isolate bugs
- Validate UI and session handling behavior: Confirm that post-login redirects, user state management, and error handling behave as expected with different identity inputs
### Ensure Specification Adherence
BadIdP can help you test whether your application adheres to the OIDC and SAML standards by allowing you to:
- Simulate strict spec-compliant flows: Create authentication responses that precisely match the OpenID Connect or SAML 2.0 specifications
- Test edge-case parameter handling: Send requests with optional or rarely-used fields to verify that your application processes them correctly
- Validate protocol error handling: Intentionally omit required fields or provide invalid values to check if your service detects and responds appropriately
- Check scope and claim behavior: Ensure that your service reacts correctly when presented with mismatched or missing scopes, claims, or attributes
- Verify state/token integrity: Confirm that state and nonce parameters are enforced and validated according to the spec
### Ensure Resilience Against Malicious Payloads
Use BadIdP to evaluate how robust your service is in the face of malicious or malformed authentication inputs:
- Inject invalid or malformed values into ID tokens or SAML assertions (e.g., broken JSON, overlong fields, HTML/JavaScript payloads)
- Spoof identity data: Set confusing or deceptive values in user claims (e.g., email mismatch with subject, multiple sub claims)
- Create token structure anomalies: Generate ID tokens with missing signatures, incorrect algorithms, or duplicated fields
- Test replay and timing issues: Reuse expired or tampered tokens to assess how your system validates token freshness and source
- Validate error propagation: Ensure your application does not leak sensitive details when processing invalid payloads
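The checks above (alg/signature handling, duplicated claims, expiry, nonce) are exactly what a relying party's ID-token validator must get right. The following is an added example, not code from BadIdP: a minimal HS256 validator with a `mint` helper that builds tokens from raw JSON so the same malformed cases BadIdP can emit are reproducible offline. Key, issuer, client id and nonce values are constructed placeholders.

```python
import base64, hashlib, hmac, json

ALLOWED_ALGS = {"HS256"}  # constructed: one accepted alg; "none" or anything else is refused

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def reject_duplicate_claims(pairs):
    # json.loads would silently keep the last duplicate "sub"; refuse such tokens instead.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate claim: " + ", ".join(sorted({k for k in keys if keys.count(k) > 1})))
    return dict(pairs)

def validate_id_token(token, key, issuer, client_id, nonce, now):
    """Return (True, claims) when every check passes, else (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
            return False, "alg not allowed"
        mac = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(parts[2])):
            return False, "bad signature"  # verified before any claim is trusted
        claims = json.loads(b64url_decode(parts[1]), object_pairs_hook=reject_duplicate_claims)
    except ValueError as e:  # base64, JSON and duplicate-claim errors all land here
        return False, str(e)
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        return False, "missing sub"
    return True, claims

def mint(header_json: str, payload_json: str, key: bytes, sign: bool = True) -> str:
    signing_input = b64url_encode(header_json.encode()) + "." + b64url_encode(payload_json.encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if sign else b""
    return signing_input + "." + b64url_encode(sig)
```

Each rejection reason is returned rather than raised so a test harness can assert on which check fired; a production validator should log the reason and show the user nothing more than a generic failure.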
### IdP Fuzzing Automation

(Coming Soon)
BadIdP supports automated fuzzing workflows to stress-test your identity-consuming application:
- Generate randomized or mutated tokens/assertions using scripting hooks or test automation frameworks
- Integrate with CI pipelines to run nightly fuzz tests against your authentication endpoints
- Log behavior under load to identify crashes, improper parsing, or security failures
- Customize payload templates to guide the fuzzer toward specific aspects of OIDC/SAML that you want to test (e.g., claim values, field nesting)
- Explore input boundaries: Use fuzzing to discover what happens when field lengths, encodings, or types deviate from the norm