Chapter 12 Testing the SAML v2 Profiles

Following are the SAML v2 profiles used for testing the SAML v2 configurations.

• Federation

• Single Logout

• Single Sign On

• Federation Termination

SAML v2 profiles can be initiated from the service provider side or from the identity provider side of the deployment. There are two ways in which the SAML v2 configurations can be tested and the procedures for these options are in the following sections.

• 12.1 Using the OpenSSO Enterprise Common Tasks Wizard

• 12.2 Using Specially Constructed URLs

12.1 Using the OpenSSO Enterprise Common Tasks Wizard

This automated test uses the Test Federation Connectivity work flow option under the Common Tasks tab of the OpenSSO Enterprise console.

To Test SAML v2 Using the Common Tasks Wizard

1. Access https://lb2.idp-example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

   The Common Tasks tab is displayed.

3. Under the Common Tasks tab, click Test Federation Connectivity.

   The Validate Federation Setup page is displayed.

4. Select the radio button next to idpcot, the circle of trust that contains the providers you are testing.

   The providers in idpcot are displayed.

5. Click Start Test.

   A pop up is displayed.

6. Click OK on the pop up.

   Your administrator session is terminated and the test is run.

7. When displayed, log in to the OpenSSO Enterprise console on the identity provider side with the following information.

   Username

   idpuser

   Password

   idpuser

   With successful authentication, the OpenSSO Enterprise console on the service provider side is displayed.

8. Log in to the OpenSSO Enterprise console on the service provider side with the following information.

   Username

   spuser

   Password

   spuser

   With successful authentication, the two accounts are linked. Single logout follows the successful federation.

9. When displayed to test single sign on, log in to the OpenSSO Enterprise console on the identity provider side with the following information.

   Username

   idpuser

   Password

   idpuser

   Following successful authentication on the identity provider side, the user is logged in to the service provider through a back channel, demonstrating single sign on. Finally, the user profile federation is terminated. Thus, the following has occurred:

   • A user is successfully authenticated with two different providers and the user's separate profiles are federated.

   • The user is logged out of both providers verifying single logout.

   • The user is logged back in to both providers by providing credentials to only one of them verifying single sign on.

   • The federation between the two user profiles is terminated.

10. Click Cancel to return to the OpenSSO Enterprise console login page.

12.2 Using Specially Constructed URLs

In this section, test SAML v2 communications for the following profiles and bindings using specially constructed URLs.

• Browser Artifact Profile (SOAP/HTTP)

• Browser POST Profile (SOAP/HTTP)

• Back Channel SOAP Over HTTP

• Front Channel HTTP

Tests can be initiated from the identity provider side or the service provider side. The following procedures provide the constructed URLs and procedures for accessing them.

• 12.2.1 Testing Identity Provider Initiated URLs

• 12.2.2 Testing Service Provider Initiated URLs

12.2.1 Testing Identity Provider Initiated URLs

The following tests are initiated on the identity provider side to test SAML v2 communications with the service provider.

• 12.2.1.1 Testing Persistent Federation

• 12.2.1.2 Testing Single Logout

• 12.2.1.3 Testing Single Sign On

• 12.2.1.4 Testing Federation Termination

12.2.1.1 Testing Persistent Federation

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. In this test, a persistent identifier is used to federate the identity provider's user profile with the same user's profile on the service provider side.

• To Test Persistent Federation Using the Browser Artifact Profile

• To Test Persistent Federation Using the Browser POST Profile

To Test Persistent Federation Using the Browser Artifact Profile

1. Enter the persistent federation URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso.

   The request is directed to OpenSSO Enterprise on the service provider side.

2. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   spuser

   Password:

   spuser

   The login request is redirected to OpenSSO Enterprise on the identity provider side.

3. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   idpuser

   User Name:

   idpuser

   The browser message “Single Sign-On succeeded” is displayed confirming that federation has succeeded.

4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Test Persistent Federation Using the Browser POST Profile

1. Enter the persistent federation URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=HTTP-POST.

   The request is directed to OpenSSO Enterprise on the service provider side.

2. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   spuser

   Password:

   spuser

   The login request is redirected to OpenSSO Enterprise on the identity provider side.

3. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   idpuser

   User Name:

   idpuser

   The browser message “Single Sign-On succeeded” is displayed confirming that federation has succeeded.

4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.1.2 Testing Single Logout

Single logout permits session termination of all participants in the session. The logout request can be initiated by any participant in the session.

• To Test Single Logout Using Back Channel SOAP Over HTTP

• To Test Single Logout Using Front Channel HTTP

To Test Single Logout Using Back Channel SOAP Over HTTP

1. Enter the single logout URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP

   The browser message “IDP initiated single logout succeeded” is displayed.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Test Single Logout Using Front Channel HTTP

1. Enter the single logout URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSingleLogoutInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso

   The message “IDP initiated single logout succeeded” is displayed.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.1.3 Testing Single Sign On

In this test, the user accomplishes single sign on through the back channel.

• To Test Single Sign-On Using the Browser Artifact Profile

• To Test Single Sign-On Using the Browser POST Profile

To Test Single Sign-On Using the Browser Artifact Profile

1. Enter the single sign on URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso.

   The request is directed to OpenSSO Enterprise on the service provider side.

2. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   spuser

   Password:

   spuser

   The browser message “Single Sign-On succeeded” is displayed.

3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Test Single Sign-On Using the Browser POST Profile

1. Enter the single sign on URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=HTTP-POST.

   The login request is redirected to Access Manager.

2. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   spuser

   Password:

   spuser

   The browser message “Single Sign-On succeeded” is displayed.

3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.1.4 Testing Federation Termination

In this test, the federation previously authorized is terminated.

• To Test Federation Termination Using Back Channel SOAP Over HTTP

• To Test Federation Termination Using Front Channel HTTP

To Test Federation Termination Using Back Channel SOAP Over HTTP

1. Enter the federation termination URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&requestType=Terminate.

   The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Test Federation Termination Using Front Channel HTTP

1. Enter the federation termination URL in a web browser: https://lb2.idp-example.com:1081/opensso/saml2/jsp/idpMNIRequestInit.jsp?metaAlias=/idp&spEntityID=https://lb4.sp-example.com:1081/opensso&requestType=Terminate.

   The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2 Testing Service Provider Initiated URLs

The following tests are initiated on the service provider side to test SAML v2 communications with the identity provider.

• 12.2.2.1 Testing Persistent Federation

• 12.2.2.2 Testing Single Logout

• 12.2.2.3 Testing Single Sign On

• 12.2.2.4 Testing Federation Termination

12.2.2.1 Testing Persistent Federation

Name identifiers are used by the identity provider and the service provider to communicate with each other regarding a user. In this test, a persistent identifier is used to federate the identity provider's user profile with the same user's profile on the service provider side.

• To Test Persistent Federation Using the Browser Artifact Profile

• To Test Persistent Federation Using the Browser POST Profile

To Test Persistent Federation Using the Browser Artifact Profile

1. Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

   The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

2. Log in to the OpenSSO Enterprise console as test user.

   User Name:

   idpuser

   Password:

   idpuser

   The request is redirected to OpenSSO Enterprise on the service provider side.

3. Log in to the OpenSSO Enterprise console as the test user.

   User Name:

   spuser

   User Name:

   spuser

   The browser message “Single Sign-On succeeded” is displayed confirming federation has succeeded.

4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Test Persistent Federation Using the Browser POST Profile

1. Enter the persistent federation URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.

   The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

2. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   idpuser

   Password:

   idpuser

   The request is redirected to OpenSSO Enterprise on the service provider side.

3. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   spuser

   User Name:

   spuser

   The browser message “Single Sign-On succeeded” is displayed confirming federation has succeeded.

4. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.2 Testing Single Logout

Single logout permits session termination of all participants in the session. The logout request can be initiated by any participant in the session.

• To Test Single Logout Using Back Channel SOAP Over HTTP

• To Test Single Logout Using Front Channel HTTP

To Test Single Logout Using Back Channel SOAP Over HTTP

1. Enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP&idpEntityID=https://lb2.idp-example.com:1081/opensso.

   The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Test Single Logout Using Front Channel HTTP

1. Enter the single logout URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

   The message “SP initiated single logout succeeded” is displayed and both user profile sessions are ended.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.3 Testing Single Sign On

In this test, the user accomplishes single sign on through the back channel.

• To Test Single Sign On Using the Browser Artifact Profile

• To Test Single Sign-On Using the Browser POST Profile

To Test Single Sign On Using the Browser Artifact Profile

1. Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso.

   The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

2. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   idpuser

   Password:

   idpuser

   The browser message “Single Sign-On succeeded” is displayed.

3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Test Single Sign-On Using the Browser POST Profile

1. Enter the single sign on URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&binding=HTTP-POST.

   The request is directed to OpenSSO Enterprise on the identity provider side for authentication.

2. Log in to the OpenSSO Enterprise console as a test user.

   User Name:

   idpuser

   Password:

   idpuser

   The message “Single Sign-On succeeded” is displayed.

3. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

12.2.2.4 Testing Federation Termination

In this test, the federation previously authorized is terminated.

• To Terminate Federation Using Back Channel SOAP Over HTTP

• To Terminate Federation Using Front Channel HTTP

To Terminate Federation Using Back Channel SOAP Over HTTP

1. Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate&binding=urn:oasis:names:tc:SAML:2.0:bindings:SOAP.

   The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.

To Terminate Federation Using Front Channel HTTP

1. Enter the federation termination URL in a web browser: https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1081/opensso&requestType=Terminate.

   The browser message “ManageNameID Request succeeded” is displayed confirming the federation has been terminated.

2. (Optional) To view the SAML v2 assertion used, see the debug file in /export/ossoadm/config/opensso/debug/Federation.