Following are the SAML v2 profiles used for testing the SAML v2 configurations.
Federation
Single Logout
Single Sign On
Federation Termination
SAML v2 profiles can be initiated from the service provider side or from the identity provider side of the deployment. There are two ways in which the SAML v2 configurations can be tested and the procedures for these options are in the following sections.
This automated test uses the Test Federation Connectivity workflow option under the Common Tasks tab of the OpenSSO Enterprise console.
Access https://lb2.idp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
The Common Tasks tab is displayed.
Under the Common Tasks tab, click Test Federation Connectivity.
The Validate Federation Setup page is displayed.
Select the radio button next to idpcot, the circle of trust that contains the providers you are testing.
The providers in idpcot are displayed.
Click Start Test.
A pop-up is displayed.
Click OK on the pop-up.
Your administrator session is terminated and the test is run.
When displayed, log in to the OpenSSO Enterprise console on the identity provider side with the following information.
User Name: idpuser
Password: idpuser
With successful authentication, the OpenSSO Enterprise console on the service provider side is displayed.
Log in to the OpenSSO Enterprise console on the service provider side with the following information.
User Name: spuser
Password: spuser
With successful authentication, the two accounts are linked. Single logout follows the successful federation.
When displayed to test single sign on, log in to the OpenSSO Enterprise console on the identity provider side with the following information.
User Name: idpuser
Password: idpuser
Following successful authentication on the identity provider side, the user is logged in to the service provider through a back channel, demonstrating single sign on. Finally, the user profile federation is terminated. Thus, the following has occurred:
A user is successfully authenticated with two different providers and the user's separate profiles are federated.
The user is logged out of both providers verifying single logout.
The user is logged back in to both providers by providing credentials to only one of them verifying single sign on.
The federation between the two user profiles is terminated.
Click Cancel to return to the OpenSSO Enterprise console login page.
In this section, test SAML v2 communications for the following profiles and bindings using specially constructed URLs.
Browser Artifact Profile (SOAP/HTTP)
Browser POST Profile (SOAP/HTTP)
Back Channel SOAP Over HTTP
Front Channel HTTP
Tests can be initiated from the identity provider side or the service provider side. The following procedures provide the constructed URLs and procedures for accessing them.
The following tests are initiated on the identity provider side to test SAML v2 communications with the service provider.
Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. In this test, a persistent identifier is used to federate the identity provider's user profile with the same user's profile on the service provider side.
To Test Persistent Federation Using the Browser Artifact Profile
To Test Persistent Federation Using the Browser POST Profile
Enter the persistent federation URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso.
The request is directed to OpenSSO Enterprise on the service provider side.
Log in to the OpenSSO Enterprise console as a test user.
User Name: spuser
Password: spuser
The login request is redirected to OpenSSO Enterprise on the identity provider side.
Log in to the OpenSSO Enterprise console as a test user.
User Name: idpuser
Password: idpuser
The browser message “Single Sign-On succeeded” is displayed, confirming that federation has succeeded.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the persistent federation URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=HTTP-POST.
The request is directed to OpenSSO Enterprise on the service provider side.
Log in to the OpenSSO Enterprise console as a test user.
User Name: spuser
Password: spuser
The login request is redirected to OpenSSO Enterprise on the identity provider side.
Log in to the OpenSSO Enterprise console as a test user.
User Name: idpuser
Password: idpuser
The browser message “Single Sign-On succeeded” is displayed, confirming that federation has succeeded.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Single logout permits session termination of all participants in the session. The logout request can be initiated by any participant in the session.
Enter the single logout URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP
The browser message “IDP initiated single logout succeeded” is displayed.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the single logout URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso
The message “IDP initiated single logout succeeded” is displayed.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
In this test, the user accomplishes single sign on through the back channel.
Enter the single sign on URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso.
The request is directed to OpenSSO Enterprise on the service provider side.
Log in to the OpenSSO Enterprise console as a test user.
User Name: spuser
Password: spuser
The browser message “Single Sign-On succeeded” is displayed.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the single sign on URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=HTTP-POST.
The login request is redirected to Access Manager.
Log in to the OpenSSO Enterprise console as a test user.
User Name: spuser
Password: spuser
The browser message “Single Sign-On succeeded” is displayed.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
In this test, the federation previously authorized is terminated.
Enter the federation termination URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&requestType=Terminate.
The browser message “ManageNameID Request succeeded” is displayed, confirming that the federation has been terminated.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the federation termination URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&requestType=Terminate.
The browser message “ManageNameID Request succeeded” is displayed, confirming that the federation has been terminated.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
The following tests are initiated on the service provider side to test SAML v2 communications with the identity provider.
Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. In this test, a persistent identifier is used to federate the identity provider's user profile with the same user's profile on the service provider side.
To Test Persistent Federation Using the Browser Artifact Profile
To Test Persistent Federation Using the Browser POST Profile
Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.
The request is directed to OpenSSO Enterprise on the identity provider side for authentication.
Log in to the OpenSSO Enterprise console as a test user.
User Name: idpuser
Password: idpuser
The request is redirected to OpenSSO Enterprise on the service provider side.
Log in to the OpenSSO Enterprise console as a test user.
User Name: spuser
Password: spuser
The browser message “Single Sign-On succeeded” is displayed, confirming that federation has succeeded.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.
The request is directed to OpenSSO Enterprise on the identity provider side for authentication.
Log in to the OpenSSO Enterprise console as a test user.
User Name: idpuser
Password: idpuser
The request is redirected to OpenSSO Enterprise on the service provider side.
Log in to the OpenSSO Enterprise console as a test user.
User Name: spuser
Password: spuser
The browser message “Single Sign-On succeeded” is displayed, confirming that federation has succeeded.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
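The persistent federation procedures above (identity provider initiated and service provider initiated) both point to the assertion in the Federation debug file. The following is an added example, not part of the OpenSSO Enterprise documentation, showing what to check in that assertion: that it is issued by the identity provider, signed, scoped to the service provider, uses the persistent name identifier format, and is within its validity window. The sample assertion is constructed for the example and its signature is a placeholder, so only the presence of a signature is checked, not its validity.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
IDP_ENTITY_ID = "https://lb2.idp-example.com:1081/opensso"  # entity IDs from the procedures
SP_ENTITY_ID = "https://lb4.sp-example.com:1081/opensso"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample in the shape of an assertion copied from the debug file;
# the signature element is a placeholder, so only its presence is checked.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1" Version="2.0" IssueInstant="2009-01-01T10:00:00Z">
  <saml:Issuer>https://lb2.idp-example.com:1081/opensso</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://lb4.sp-example.com:1081/opensso">Ab12cd</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-01-01T09:59:00Z" NotOnOrAfter="2009-01-01T10:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://lb4.sp-example.com:1081/opensso</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):  # SAML UTC timestamp such as 2009-01-01T10:00:00Z (fractions allowed)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, now_utc, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID):
    a = ET.fromstring(xml_text)
    now = _ts(now_utc)
    findings = []  # empty list means every check passed
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != idp:
        findings.append("Issuer is not the identity provider entity ID")
    if a.find("ds:Signature", NS) is None:
        findings.append("assertion carries no XML signature")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID is missing or not in the persistent format")
    elif name_id.get("SPNameQualifier") != sp:
        findings.append("NameID SPNameQualifier is not the service provider")
    audiences = [(e.text or "").strip() for e in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp not in audiences:
        findings.append("service provider is not in the AudienceRestriction")
    attrs = getattr(a.find("saml:Conditions", NS), "attrib", {})  # {} when absent
    if attrs.get("NotBefore") and now < _ts(attrs["NotBefore"]):
        findings.append("assertion is not yet valid")
    if "NotOnOrAfter" not in attrs or now >= _ts(attrs["NotOnOrAfter"]):
        findings.append("assertion has expired or has no NotOnOrAfter")
    return findings
```

Run check_assertion on the assertion copied from the debug file with the current UTC time; each finding names a condition the service provider should have rejected, so a non-empty list on a test that reported “Single Sign-On succeeded” is worth investigating.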
Single logout permits session termination of all participants in the session. The logout request can be initiated by any participant in the session.
Enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&idpEntityID=https://lb2.idp-example.com:1081/opensso.
The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.
The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
In this test, the user accomplishes single sign on through the back channel.
Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.
The request is directed to OpenSSO Enterprise on the identity provider side for authentication.
Log in to the OpenSSO Enterprise console as a test user.
User Name: idpuser
Password: idpuser
The browser message “Single Sign-On succeeded” is displayed.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.
The request is directed to OpenSSO Enterprise on the identity provider side for authentication.
Log in to the OpenSSO Enterprise console as a test user.
User Name: idpuser
Password: idpuser
The message “Single Sign-On succeeded” is displayed.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
In this test, the federation previously authorized is terminated.
Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP.
The browser message “ManageNameID Request succeeded” is displayed, confirming that the federation has been terminated.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.
Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate.
The browser message “ManageNameID Request succeeded” is displayed, confirming that the federation has been terminated.
(Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.