Testing authentication

New for IDP 4.1: In order to test/verify your IDP's authentication configuration it's easiest to use the Hello World feature:

...

Provided you have already completed our metadata configuration instructions, you can test both your attribute resolver and attribute release from the command line, without needing a "Test SP" that shows you what it successfully received. This greatly accelerates configuration verification of your IDP, so do make use of it (with before/after tests) when changing e.g. your resolver or filter configuration. (You could also use this on a test machine to verify that a changed configuration works as expected before transferring the tested config to the production server.)

...

Here "SOME_USERID" above needs to be replaced with the userid/login name people would enter as part of authenticating to your IDP. The attributes and their values, as well as any NameIDs that would be sent to the SP identified by its entityID (in the above example that would be the eduID.at SAML Demo SP), will then be shown in XML, the way they would be sent in a SAML Assertion (before the data is encrypted and encoded for the SP named as recipient, of course). You could use this command without the --saml2 parameter, but the simpler output you get that way may hide some of the details that are relevant when debugging attribute release issues. So it may be best to always use the --saml2 output to learn what the SAML is supposed to look like.

Note that no data is sent to the specified SP using this method: the command simply answers the question "What attributes (and NameIDs), if any, would the IDP send for account X to service Y using the currently running configuration?"
Also note that the IDP will use the currently running/loaded configuration for this, not anything you have edited/changed since the IDP was started or reloaded. I.e., the aacli cannot be used to test configuration changes before applying them to the running IDP. (If that's what you need you would have to use a test IDP installation on a different machine.)
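The before/after testing recommended above is easiest when the aacli output is reduced to something comparable. The script below is an added example for this page (it is not part of the Shibboleth IDP distribution or of the eduID.at documentation): it runs aacli with --saml2 for one user/SP pair, records the result as a baseline, and on a later run (after you have changed and reloaded the configuration) reports which attributes were added, removed or changed and whether the NameIDs moved. It assumes the default install path /opt/shibboleth-idp and the aacli options --principal and --requester for the user and the relying party; the two SAML documents embedded at the end are constructed sample data, not real aacli output, so the diff logic can be exercised without an IDP.

```python
"""Snapshot the attribute release 'aacli --saml2' reports for a user/SP pair
and diff it against an earlier snapshot (before/after a configuration change).

Added example, not part of the Shibboleth IdP distribution. Assumptions:
default install path /opt/shibboleth-idp and the aacli options
--principal / --requester for the user and the relying party."""
import subprocess
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
AACLI = "/opt/shibboleth-idp/bin/aacli.sh"  # assumption: default install location


def run_aacli(userid, sp_entity_id):
    """Ask the running IdP what it would send for userid to sp_entity_id.
    Nothing reaches the SP; aacli only renders the would-be assertion."""
    proc = subprocess.run(
        [AACLI, "--principal", userid, "--requester", sp_entity_id, "--saml2"],
        capture_output=True, text=True, check=True)
    return proc.stdout


def parse_release(saml_xml):
    """Reduce an Assertion (or a Response wrapping one) to a comparable dict:
    {"nameids": [(format, value), ...], "attributes": {name: sorted values}}."""
    root = ET.fromstring(saml_xml)
    if root.tag == f"{{{SAML2}}}Assertion":
        assertions = [root]
    else:
        assertions = root.findall(".//saml2:Assertion", NS)
    release = {"nameids": [], "attributes": {}}
    for assertion in assertions:
        for nid in assertion.findall("./saml2:Subject/saml2:NameID", NS):
            release["nameids"].append((nid.get("Format"), (nid.text or "").strip()))
        for attr in assertion.findall("./saml2:AttributeStatement/saml2:Attribute", NS):
            values = sorted((v.text or "").strip()
                            for v in attr.findall("saml2:AttributeValue", NS))
            release["attributes"][attr.get("Name")] = values
    return release


def diff_release(before, after):
    """List attributes added, removed or changed, and whether the NameIDs moved."""
    b, a = before["attributes"], after["attributes"]
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
        "nameid_changed": sorted(before["nameids"]) != sorted(after["nameids"]),
    }


# Constructed sample data (not real aacli output): a bare Assertion "before" a
# filter change, and a Response-wrapped Assertion "after" it.
SAMPLE_BEFORE = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_1" Version="2.0"
    IssueInstant="2022-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
  <saml2:Subject><saml2:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Zk8A9</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml2:AttributeValue>member@example.org</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

SAMPLE_AFTER = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="{SAML2}" ID="_2" Version="2.0" IssueInstant="2022-01-01T00:01:00Z">
  <saml2:Assertion ID="_3" Version="2.0" IssueInstant="2022-01-01T00:01:00Z">
    <saml2:Issuer>https://idp.example.org/idp/shibboleth</saml2:Issuer>
    <saml2:Subject><saml2:NameID
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Zk8A9</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
        <saml2:AttributeValue>member@example.org</saml2:AttributeValue>
        <saml2:AttributeValue>staff@example.org</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml2:AttributeValue>jane@example.org</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def demo():
    """Diff the two constructed samples; used when run without arguments."""
    return diff_release(parse_release(SAMPLE_BEFORE), parse_release(SAMPLE_AFTER))


def main(argv):
    if len(argv) == 1:
        print(demo())
        return 0
    if len(argv) != 4:
        print("usage: aacli_check.py USERID SP_ENTITYID BASELINE.xml", file=sys.stderr)
        return 2
    userid, sp_entity_id, baseline = argv[1], argv[2], Path(argv[3])
    current = run_aacli(userid, sp_entity_id)
    if not baseline.exists():  # first run: just record the snapshot
        baseline.write_text(current)
        print(f"baseline written to {baseline}; change and reload config, then re-run")
        return 0
    report = diff_release(parse_release(baseline.read_text()), parse_release(current))
    print(report)
    return 1 if any(report.values()) else 0  # non-zero exit when the release changed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once before editing your resolver or filter configuration to write the baseline, reload the IDP after the edit, and run it again with the same arguments; a non-zero exit code means the release for that user/SP pair changed, and the printed report says how. Because aacli reports only the running configuration, the reload step between the two runs is what makes the comparison meaningful.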

Test Service Provider

ACOnet also operates the eduID.at Demo SP for full end-to-end testing involving your web browser, authentication, attribute lookup and filtering, signing (and signature verification, at the SP), encryption (and decryption, at the SP), etc. This SAML SP knows all eduID.at IDPs and so is available to anyone having access to an IDP registered in eduID.at.


The ACOnet Team can also add your IDP's metadata to the Demo SP locally, in order to facilitate end-to-end testing before your IDP has been registered in eduID.at. In that case you'll need to send a copy of your IDP's metadata (a basic version thereof has been created by the Shibboleth IDP's installer in /opt/shibboleth-idp/metadata/idp-metadata.xml) to the ACOnet Team. In turn the ACOnet Team will provide you with a URL you can use to initiate logins to the test SP with your IDP. That URL will look like this:
https://sp.eduid.at/Shibboleth.sso/Login?entityID=YOUR-IDP-ENTITY-ID
Here "YOUR-IDP-ENTITY-ID" above needs to be replaced with the entityID of your IDP.

Once your IDP has been registered and published in eduID.at metadata, using that specific URL is no longer necessary (though it will continue to work): you can then simply select your IDP from the IDP Discovery Service offered at the eduID.at Demo SP.

Testing scalable attribute release

Those (also) participating in eduGAIN/Interfederation will want to know how well their IDP works with Service Providers registered in other federations, i.e., what attributes it sends to which SPs and why:

"The eduGAIN Attribute Release Check allows testing whether the Identity Provider of an organisation participating in eduGAIN properly releases user attributes to eduGAIN services."

This will mainly illustrate the good use (or lack thereof) you've made of the Service Categories defined by the global academic community to streamline access to academic resources.

IDPs following our documentation and recommendations should expect to see "A+" for all tests that receive a score (as per end of year 2022).
I.e., if you're seeing some other result you're not following our documentation and recommendations, and the community your IDP is intended to serve will likely be missing out.

...

You should also test how your IDP interoperates with selected services important to our academic community, specifically: