This repository has been migrated to a new URL. Please visit the following link for the latest updates: new URL.
Micro-Id-Gym (MIG) aims to assist system administrators and testers in the deployment and pen-testing of IdM protocol instances.
- Setup and deploy a custom SSO solution based on SAML and OIDC/OAuth
- Run automated tests to discover vulnerabilities in the implementation of SSO based on SAML and OIDC/OAuth
- Graphically represents the authentication flow as message sequence chart and deeply inspect it
- Access Cyber Threat Intelligence (CTI) information to assess how a vulnerability can be exploited and how severe it is
To be able to run MIG framework you will need to install:
You can download MIG framework by cloning this git repository:
git clone https://github.com/stfbk/micro-id-gym/
Open a new terminal, reach the dashboard folder and install the necessary packages with the command:
npm install
Run then the dashboard with the command:
node app
Visit localhost:2020
to start using MIG framework webapp.
A dashboard for the configuration is presented. Here you can customize the ports where the System Under Test (SUT) and the tools will run.
At the end of the configuration, click on the button Download scenario and tools to generate a folder with the customized SUT and tools.
Following the instructions provided by the webapp and available also in the README
file inside the folder, you can run the testing environment.
The instructions to use the frontend components are available at the following links:
MSC Drawer:
STIX Visualizer:
Pentesting tools:
MIG framework exists thanks to the following projects:
- SAML[3]
- OAuth[2]
- OpenID Connect[4]
- STIX[1]
- Shibboleth
- MITREid
- Keycloak
- Burpsuite Community Edition
- cti-stix-visualization
- JS Sequence Diagrams
[1] OASIS Cyber Threat Intelligence (CTI) TC
[2] Security Considerations OAuth (accessed june 23, 2020)
[3] Security Assertion Markup Language (SAML) V2.0 Technical Overview
[4] OpenID Connect
Copyright 2019-2020, Fondazione Bruno Kessler
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Developed within Security & Trust Research Unit at Fondazione Bruno Kessler (Italy)