
ACOnet provides a federated eduID.at Demo Service Provider (entityID https://test-sp.aco.net/shibboleth) to its community.
It consists of a simple WSGI application that makes use of data provided by the current Shibboleth Service Provider software.

ACOnet recommends all institutions having deployed a SAML Identity Provider to also deploy at least one SAML Service Provider for more flexible testing and debugging, configuration verification, understanding of the technology & application integration patterns, as well as end-to-end monitoring of their IDP service.
The eduID.at Demo Service Provider is no real substitute for running a SAML Service Provider yourself.

Accessing session data

To access data about your session you need to first log in (see below for ways of doing that) and select the desired rendering style from the "Demo SP" dropdown menu in the navigation bar on top of the page.

In addition to "echoing" back attributes received via SAML (to allow testing of a SAML IDP's attribute release configuration), the Demo SP also shows the (decoded, decrypted and reformatted) XML of the SAML assertion itself, as well as giving access to the web server's environment variables.

The Demo SP also makes use of the Shibboleth SP's feature to extract information from SAML metadata about the SAML IDP in use, which is useful e.g. to provide detailed information to users on error pages. Use of similar methods in your own applications is highly recommended.
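To illustrate how an application like the one described above consumes what the Shibboleth SP provides, here is an added example of a minimal WSGI "attribute echo" application; it is not the Demo SP's own code. It reads only the server environment variables set by the SP (Shib-Session-ID, Shib-Identity-Provider and friends are real Shibboleth SP variable names; the attribute names eppn, affiliation and displayName are assumed to be mapped in the SP's attribute-map.xml, and the Meta- prefix is assumed to be the configured metadataAttributePrefix for the metadata attribute extractor). It deliberately ignores HTTP_* request headers, since those can be supplied by the client, splits multi-valued attributes on the SP's ";" separator (honouring the "\;" escape), and HTML-escapes every value it echoes back.

```python
import html
import json
from wsgiref.util import setup_testing_defaults

# Session variables the Shibboleth SP sets for an authenticated request.
SESSION_VARS = (
    "Shib-Session-ID",
    "Shib-Identity-Provider",
    "Shib-Authentication-Instant",
    "Shib-AuthnContext-Class",
)
# Assumption: these attribute ids are mapped in the SP's attribute-map.xml.
ATTRIBUTE_VARS = ("eppn", "affiliation", "displayName")
# Assumption: metadataAttributePrefix="Meta-" is configured in shibboleth2.xml.
META_PREFIX = "Meta-"

# Constructed sample environ standing in for what mod_shib would populate.
# The HTTP_EPPN entry simulates a client-supplied header and must be ignored.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "alice@example.org",
    "Shib-Session-ID": "_constructed-session-id",
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "Shib-Authentication-Instant": "2024-01-01T10:00:00Z",
    "Shib-AuthnContext-Class": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "eppn": "alice@example.org",
    "affiliation": "member@example.org;staff@example.org",
    "displayName": "Alice <Example>",
    "Meta-displayName": "Example University",
    "Meta-errorURL": "https://idp.example.org/help",
    "HTTP_EPPN": "mallory@attacker.example",
}


def split_values(raw):
    """Split an SP multi-valued attribute: ';' separates values, '\\;' is a literal ';'."""
    values, buf, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            buf.append(";")
            i += 2
        elif raw[i] == ";":
            values.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(raw[i])
            i += 1
    values.append("".join(buf))
    return [v for v in values if v]


def session_info(environ):
    """Collect session, attribute and IDP-metadata data from SP-set variables only."""
    if not environ.get("Shib-Session-ID"):
        return None  # no SP session: the web server should not have let us get here
    session = {k: environ[k] for k in SESSION_VARS if k in environ}
    attributes = {k: split_values(environ[k]) for k in ATTRIBUTE_VARS if k in environ}
    # Metadata-derived facts about the IDP (display name, errorURL, ...), never HTTP_* keys.
    idp_meta = {k[len(META_PREFIX):]: environ[k] for k in environ if k.startswith(META_PREFIX)}
    return {"session": session, "attributes": attributes, "idp_meta": idp_meta}


def render_html(info):
    """Echo attributes as an HTML table; every value is escaped before it is emitted."""
    idp = info["session"].get("Shib-Identity-Provider", "")
    idp_name = info["idp_meta"].get("displayName", idp)  # friendly name from metadata if present
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(name), html.escape("; ".join(values)))
        for name, values in sorted(info["attributes"].items())
    )
    return "<h1>Attributes released by %s</h1><table>%s</table>" % (html.escape(idp_name), rows)


def application(environ, start_response):
    """WSGI entry point: /attributes.json returns JSON, anything else the HTML table."""
    info = session_info(environ)
    if info is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"No Shibboleth SP session\n"]
    if environ.get("PATH_INFO", "") == "/attributes.json":
        body, ctype = json.dumps(info, indent=2).encode(), "application/json"
    else:
        body, ctype = render_html(info).encode(), "text/html; charset=utf-8"
    start_response("200 OK", [("Content-Type", ctype), ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Run the app once against the constructed environ, without a web server.
    env = dict(SAMPLE_ENVIRON)
    setup_testing_defaults(env)
    env["PATH_INFO"] = "/attributes.json"
    print(b"".join(application(env, lambda status, headers: None)).decode())
```

In production the SP, not the application, decides whether a session exists; the 401 branch is only a safety net for misconfigured protection. If the SP is run with ShibUseHeaders On instead of environment variables, the application must read the SP-populated headers and rely on the SP stripping client-supplied copies, which is exactly the spoofing risk the environment-variable mode avoids.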

Demo IDP Discovery Services

The eduID.at Demo Service Provider also showcases three different SAML IDP Discovery Services:

Note that a real-world (non-demo) application will only ever use one type of Discovery Service, for a consistent user experience.

  • Clicking on "Login" in the upper right corner will bring up the embedded DiscoJuice DS, which follows the REFEDS Discovery Guide to some degree.
  • In the middle of the start page you'll find the Shibboleth Embedded Discovery Service, which loads directly in the website.
  • When you follow any protected "deep link" (e.g. /attributes) without a valid session at this SAML SP, the Shibboleth SP software will trigger session initiation using the configured fallback discovery service (in that case the web server enforces the protection, so the application cannot offer a JavaScript-based "embedded" Discovery Service).

All three DS instances support typeahead searches as well as choosing from lists of Identity Providers.

Ending your Session

The Demo SP currently provides two ways of terminating your Shibboleth SP session, for demonstration purposes and to help with easily getting back to an unauthenticated state at this SP, to start testing IDP discovery and SSO again.

Unless you're using someone else's computer (with the other person logged in to the desktop/GUI) or you are using the eduID.at Demo SP from a public Internet terminal or kiosk – both highly unlikely scenarios – there simply is no need to ever "log out". Even in such unusual cases, starting the web browser's "private browsing" mode beforehand, or deciding not to log in at all, is the much better choice. This goes for all SAML-protected resources, of course.

  • Choosing Logout in the upper right corner (where you can "Login" when you don't yet have an active session) will initiate "local" logout. This only affects the Demo SP's own session and does not send a SAML logout request to your IDP. As such, when logging in to this Demo SP again right away, you will experience SSO at your IDP and will not be prompted for authentication again. This is useful for repeated login/logout sequences during testing.
  • Selecting the "Demo SP" dropdown menu and choosing "SAML Logout" will send a SAML Logout Request to your SAML IDP if your IDP supports some form of SAML SLO. Most IDPs do not, because Logout is basically broken, in which case the Shibboleth SP will silently perform a "local" logout, not affecting your SAML IDP (or any other SAML SP) sessions!

That means that unless your SAML IDP supports some form of SAML SLO, both logout links will only clear the local SP session, nothing else.

Questions about this service are always welcome on the eduID.at community mailing list.
