Versions Compared

Old Version 11

changes.mady.by.user Peter Brand

Saved on

compared with

New Version 12

changes.mady.by.user Peter Brand

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: add Hello world

Testing authentication

In order to test/verify your IDP's authentication configuration it's easiest to use the Hello world feature (new for IDP 4.1):

  • Add the login name of the account you want to test authentication with to the AccessByAdminUser  entry in conf/access-control.xml (and uncomment that section, of course)
  • Reload the access control config, /opt/shibboleth-idp/bin/reload-service.sh -id shibboleth.ReloadableAccessControlService 
  • Access /idp/profile/admin/hello on your IDP server. (smile)

Older systems (or those who disabled the Hello world module for whatever reason) will have to complete a few more steps in order to test authentication:

Provided you already have completed your metadata configuration by follwing our instructions you can test your authentication configuration with a web browser using IDP-initiated SSO URLs. While the details for this (as always) are fully documented in the Shibboleth Wiki it should suffice to know that the URL needs to look like this:

...

Note
iconfalse
titleFailure at SAML SP expected!

Until your IDP is known to SPs Service Providers via metadata Metadata (commonly by having your IDP's metadata registered within eduID.at) you'll end up at the SP – in the above example that's the entityID of the eduID.at SAML Demo SP – with an error message of some kind, letting you know that it doesn't know your IDP. That's fully expected before your IDP has joined eduID.at and does not limit your ability to test/verify your IDP's authentication configuration.

Testing the attribute resolver and filter

Using the "Hello world" endpoint (see above) you can also test the attribute resolver (and the attribute registry) in isolation, without the need for a Service Provider.

Command Line Interface

Provided you already have completed our metadata configuration instructions you can test both your attribute resolver and attribute release from the command line, without the need for a "Test SP" that shows you what it recieved successfully. This greatly accelerates configuration verification of your IDP so do make use of this (before/after tests) when changing your resolver or  filter  configuration. (You could also use this on a test maschine to verify the changed configuration works as expected before transferring the tested config to the production server.)

...