Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

12.2.2 Testing Service Provider Initiated URLs

The following tests are initiated on the service provider side to test SAML v2 communications with the identity provider.

12.2.2.1 Testing Persistent Federation

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. In this test, a persistent identifier is used to federate the identity provider's user profile with the same user's profile on the service provider side.

Procedure: To Test Persistent Federation Using the Browser Artifact Profile

  1. Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as the identity provider test user.

    User Name:

    idpuser

    Password:

    idpuser

    The request is redirected to OpenSSO Enterprise on the service provider side.

  3. Log in to the OpenSSO Enterprise console as the service provider test user.

    User Name:

    spuser

    Password:

    spuser

    The browser message “Single Sign-On succeeded” is displayed confirming federation has succeeded.

  4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

Procedure: To Test Persistent Federation Using the Browser POST Profile

  1. Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The request is redirected to OpenSSO Enterprise on the service provider side.

  3. Log in to the OpenSSO Enterprise console as the service provider test user.

    User Name:

    spuser

    Password:

    spuser

    The browser message “Single Sign-On succeeded” is displayed confirming federation has succeeded.

  4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
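Step 4 of each procedure points at the assertion the identity provider issued. The following Python script is an added example, not part of this guide or of OpenSSO: it parses an assertion constructed here in the shape OpenSSO logs (the entity IDs are the ones used in this deployment; the assertion ID, NameID value and timestamps are invented) and checks the properties a persistent federation depends on: the NameID format is persistent and scoped to this service provider, the audience is this service provider, the validity window covers the time of the test, and a signature element is present. It checks only that a signature is there; verifying it needs the identity provider's certificate from its metadata.

```python
"""Check a SAML v2 assertion from the OpenSSO Federation debug file for the
properties a persistent federation needs.

Added example: not part of the Sun deployment guide or of OpenSSO. The entity
IDs are those of this deployment; the assertion itself is constructed here and
its ID, NameID value and timestamps are invented.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SP_ENTITY_ID = "https://lb4.sp-example.com:1081/opensso"
IDP_ENTITY_ID = "https://lb2.idp-example.com:1081/opensso"

# Constructed sample shaped like the assertion OpenSSO logs (signature abbreviated).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="s2a1f0" Version="2.0"
    IssueInstant="2009-01-15T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignedInfo/>
    <ds:SignatureValue>MEUCIQ...</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}" NameQualifier="{IDP_ENTITY_ID}"
        SPNameQualifier="{SP_ENTITY_ID}">Yz4hBqhQZzZLLVVJfxEdxfGM9k2P</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-01-15T09:55:00Z" NotOnOrAfter="2009-01-15T10:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def saml_time(value):
    """Parse the UTC timestamps SAML uses (no fractional seconds in this sample)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_persistent_assertion(xml_text, sp_entity_id, idp_entity_id, now):
    """Return {check_name: bool} for one assertion. Every check must be True
    for the assertion to establish a persistent federation with this SP."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = root.find("saml:Subject/saml:NameID", NS)
    cond = root.find("saml:Conditions", NS)
    audiences = [
        (a.text or "").strip()
        for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    nid_value = (name_id.text or "").strip() if name_id is not None else ""
    return {
        "issuer_is_idp": issuer == idp_entity_id,
        # Presence only; verifying the signature needs the IdP certificate from its metadata.
        "signed": root.find("ds:Signature", NS) is not None,
        "nameid_persistent": name_id is not None and name_id.get("Format") == PERSISTENT,
        # A persistent ID is minted per SP, so the SPNameQualifier must be this SP.
        "nameid_scoped_to_sp": name_id is not None and name_id.get("SPNameQualifier") == sp_entity_id,
        # Heuristic: the value should be an opaque handle, not the IdP login name.
        "nameid_opaque": nid_value not in ("", "idpuser") and "@" not in nid_value,
        "audience_is_sp": sp_entity_id in audiences,
        "within_validity": cond is not None
        and saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")),
    }


def federation_ok(xml_text, now, sp_entity_id=SP_ENTITY_ID, idp_entity_id=IDP_ENTITY_ID):
    """True only when every check passes."""
    return all(check_persistent_assertion(xml_text, sp_entity_id, idp_entity_id, now).values())


if __name__ == "__main__":
    at = saml_time("2009-01-15T10:00:30Z")
    for name, ok in check_persistent_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, IDP_ENTITY_ID, at).items():
        print(f"{name:22s} {'ok' if ok else 'FAIL'}")
```

To use it against a real test run, copy the `<saml:Assertion>` element out of the Federation debug file into `SAMPLE_ASSERTION` and set `now` to the time the test was run; a transient NameID format is the usual sign that the identity provider's configuration, not this procedure, selected the wrong federation type.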

12.2.2.2 Testing Single Logout

Single logout permits session termination of all participants in the session. The logout request can be initiated by any participant in the session.

Procedure: To Test Single Logout Using Back Channel SOAP Over HTTP

  1. With a session established at both providers by one of the preceding tests, enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.

  2. (Optional) To view the SAML v2 LogoutRequest and LogoutResponse messages used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

Procedure: To Test Single Logout Using Front Channel HTTP

  1. With a session established at both providers by one of the preceding tests, enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.

  2. (Optional) To view the SAML v2 LogoutRequest and LogoutResponse messages used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.3 Testing Single Sign On

In this test, the user accomplishes single sign on without a second login at the service provider. With the Browser Artifact Profile the service provider retrieves the assertion from the identity provider over the back channel; with the Browser POST Profile the assertion is delivered through the browser.

Procedure: To Test Single Sign-On Using the Browser Artifact Profile

  1. Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The browser message “Single Sign-On succeeded” is displayed.

  3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

Procedure: To Test Single Sign-On Using the Browser POST Profile

  1. Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.

    The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

  2. Log in to the OpenSSO Enterprise console as a test user.

    User Name:

    idpuser

    Password:

    idpuser

    The message “Single Sign-On succeeded” is displayed.

  3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.4 Testing Federation Termination

In this test, the federation previously authorized is terminated.

Procedure: To Terminate Federation Using Back Channel SOAP Over HTTP

  1. Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP.

    The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

  2. (Optional) To view the SAML v2 ManageNameIDRequest and ManageNameIDResponse messages used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

Procedure: To Terminate Federation Using Front Channel HTTP

  1. Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spMNIRequestInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate.

    The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

  2. (Optional) To view the SAML v2 ManageNameIDRequest and ManageNameIDResponse messages used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
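The single sign-on, single logout and federation termination procedures above differ only in the initiator JSP and the query parameters passed to it. The following Python script is an added example, not part of this guide or of OpenSSO: it builds each of those SP-initiated URLs (percent-encoding the idpEntityID value, which the procedures show unencoded; both forms decode to the same value) and checks a LogoutResponse or ManageNameIDResponse of the shape OpenSSO records in the Federation debug file for a Success status, an InResponseTo that matches the request sent, and, for logout, a second-level PartialLogout code that means not every session participant was logged out. The response XML is constructed for the example and the request IDs are invented; the JSP names are the initiator pages OpenSSO 8.0 deploys under /saml2/jsp/.

```python
"""Build the SP-initiated test URLs from this section and check the logout and
federation-termination responses OpenSSO writes to the Federation debug file.

Added example: not part of the Sun deployment guide or of OpenSSO. Host names
and entity IDs are those of this deployment; the response XML is constructed
and the request IDs are invented.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SP_BASE = "https://lb4.sp-example.com:1081/opensso"
IDP_ENTITY_ID = "https://lb2.idp-example.com:1081/opensso"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Initiator JSPs OpenSSO 8.0 deploys under /saml2/jsp/ on the service provider.
INIT_JSP = {
    "sso": "spSSOInit.jsp",
    "slo": "spSingleLogoutInit.jsp",
    "terminate": "spMNIRequestInit.jsp",
}


def build_sp_url(operation, binding=None, meta_alias="/sp",
                 idp_entity_id=IDP_ENTITY_ID, sp_base=SP_BASE):
    """Return the URL that starts an SP-initiated sso/slo/terminate exchange.
    binding=None leaves the default used by this section's procedures
    (Browser Artifact for SSO, front-channel HTTP for logout and termination)."""
    params = {"metaAlias": meta_alias, "idpEntityID": idp_entity_id}
    if operation == "terminate":
        params["requestType"] = "Terminate"
    if binding:
        params["binding"] = binding
    return f"{sp_base}/saml2/jsp/{INIT_JSP[operation]}?{urlencode(params)}"


def query_params(url):
    """Decode the query string back into {name: value} for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_status_response(xml_text, expected_in_response_to, idp_entity_id=IDP_ENTITY_ID):
    """Checks for a LogoutResponse or ManageNameIDResponse as logged by OpenSSO."""
    root = ET.fromstring(xml_text)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    second = root.find("samlp:Status/samlp:StatusCode/samlp:StatusCode", NS)
    success = top is not None and top.get("Value") == STATUS_SUCCESS
    # SAML Core: a second-level PartialLogout code means at least one session
    # participant was not logged out, even though the top-level code is Success.
    partial = second is not None and second.get("Value") == STATUS_PARTIAL_LOGOUT
    return {
        "type": root.tag.split("}")[-1],
        "issuer_is_idp": root.findtext("saml:Issuer", default="", namespaces=NS).strip() == idp_entity_id,
        "in_response_to_matches": root.get("InResponseTo") == expected_in_response_to,
        "success": success,
        "partial_logout": partial,
        "all_sessions_ended": success and not partial,
    }


def _response(kind, in_response_to, second_level=None):
    """Constructed response XML in the shape OpenSSO logs (IDs invented)."""
    inner = f'<samlp:StatusCode Value="{second_level}"/>' if second_level else ""
    return (
        f'<samlp:{kind} xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="s2resp1" Version="2.0" IssueInstant="2009-01-15T10:05:00Z" '
        f'InResponseTo="{in_response_to}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}">{inner}</samlp:StatusCode></samlp:Status>'
        f"</samlp:{kind}>"
    )


SAMPLE_LOGOUT_RESPONSE = _response("LogoutResponse", "s2req1")
SAMPLE_PARTIAL_LOGOUT = _response("LogoutResponse", "s2req1", STATUS_PARTIAL_LOGOUT)
SAMPLE_MNI_RESPONSE = _response("ManageNameIDResponse", "s2mni1")

if __name__ == "__main__":
    for op, binding in (("sso", None), ("sso", "HTTP-POST"), ("slo", SOAP_BINDING),
                        ("slo", None), ("terminate", SOAP_BINDING), ("terminate", None)):
        print(build_sp_url(op, binding=binding))
    print(check_status_response(SAMPLE_PARTIAL_LOGOUT, "s2req1"))
```

When a logout test reports success in the browser but a participant still has a session, look for the second-level PartialLogout code in the logged LogoutResponse before suspecting the browser message; the InResponseTo check catches a stale response from an earlier run of the same test.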