Considered scenarios

These four scenarios outline diverse approaches to SAML SP testing, each tailored to its respective context and purpose and requiring a different type of deployment.

SELF - Self-testing by SP for production readiness (Not necessarily the primary scenario to be implemented!!)

Summary description

This scenario enables individual Service Providers (SPs) to internally validate their SAML service configuration, focusing on signature usage.

...

SPs perform this self-testing independently within their organisation.

The SP deploys a test ISPIdP, preferably as an easily configurable VM image, container image, or appliance. Alternative (preferred by Niels): The tool is deployed at the federation.

Configuration of the tested SP for it includes...

...

Testing is initiated by a service admin or operator, and triggered through command-line invocation (preferred by Pavel). The target SP for testing is specified via a command-line parameter. Alternative: The tool is invoked by the SP through a web UI provided by the federation.

Testing can occur after the service is deployed but before its production use is declared/announced, after configuration changes, or periodically via automated scheduling tools like cron.

...

Status information, issues related to SP operation, and details of both successful and failed tests are reported to standard output (stdout). Errors related to the execution of the command itself are reported to standard error (stderr).
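As an added illustration of the signature-usage checks such a tool would run against an SP (example code written for this page, not the page's tool and not any federation's code): a Python harness takes a constructed sample SAML Response, derives mutated variants of it (signature stripped, NameID changed after signing, signature value replaced), submits each to an SP and prints one verdict line per case to stdout, as described above. The XML signature is a toy SHA-256 digest stand-in so that the example runs offline without an XML-DSig library; the two SP models (strict_sp, lenient_sp), the issuer URLs and all identifiers are constructed for the example. A real deployment would replace the SP callables with an HTTP POST of the mutated Response to the SP's AssertionConsumerService URL and classify the HTTP result.

```python
"""Mutation-based signature checks against a SAML SP (constructed example)."""
import copy
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def assertion_digest(assertion):
    """Toy stand-in for XML-DSig: SHA-256 over the serialised Assertion with its
    ds:Signature removed. Real tooling must use exclusive C14N and an RSA/ECDSA
    signature; this only models 'the content the signature covers'."""
    stripped = copy.deepcopy(assertion)
    for sig in stripped.findall("ds:Signature", NS):
        stripped.remove(sig)
    return hashlib.sha256(ET.tostring(stripped)).hexdigest()


def build_signed_response(name_id="alice@example.org"):
    """Constructed sample Response whose Assertion carries a (toy) signature."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    sig = ET.SubElement(assertion, f"{{{NS['ds']}}}Signature")
    ET.SubElement(sig, f"{{{NS['ds']}}}DigestValue").text = assertion_digest(assertion)
    return root


def mutations(response):
    """Yield (case_name, sp_must_accept, mutated_response) for each check."""
    yield "baseline-signed", True, copy.deepcopy(response)

    r = copy.deepcopy(response)                       # 1: no signature at all
    a = r.find("saml:Assertion", NS)
    a.remove(a.find("ds:Signature", NS))
    yield "signature-stripped", False, r

    r = copy.deepcopy(response)                       # 2: content changed after signing
    r.find(".//saml:NameID", NS).text = "admin@example.org"
    yield "nameid-tampered-after-signing", False, r

    r = copy.deepcopy(response)                       # 3: signature present but invalid
    r.find(".//ds:DigestValue", NS).text = "00" * 32
    yield "signature-invalid-value", False, r


def strict_sp(response):
    """Models an SP that verifies the Assertion signature (toy digest check)."""
    a = response.find("saml:Assertion", NS)
    digest = a.findtext("ds:Signature/ds:DigestValue", namespaces=NS)
    return digest is not None and digest == assertion_digest(a)


def lenient_sp(response):
    """Models an SP that never looks at ds:Signature: the SP-side analogue of the
    Entra ID behaviour quoted under 'Things/tests to look at'."""
    return response.find("saml:Assertion", NS) is not None


def run_checks(sp_accepts, response, out=sys.stdout):
    """Run every mutation against sp_accepts (mutated Response -> bool), print one
    verdict line per case to stdout and return {case_name: 'PASS' | 'FAIL'}."""
    verdicts = {}
    for name, must_accept, mutated in mutations(response):
        accepted = sp_accepts(mutated)
        verdicts[name] = "PASS" if accepted == must_accept else "FAIL"
        print(f"{verdicts[name]} {name}: SP {'accepted' if accepted else 'rejected'}, "
              f"expected {'accept' if must_accept else 'reject'}", file=out)
    return verdicts


if __name__ == "__main__":
    resp = build_signed_response()
    print("== SP that verifies signatures ==")
    run_checks(strict_sp, resp)
    print("== SP that ignores signatures ==")
    failed = [n for n, v in run_checks(lenient_sp, resp).items() if v == "FAIL"]
    sys.exit(1 if failed else 0)
```

The baseline case is deliberately included: an SP that rejects everything would otherwise pass every negative check, so the harness only reports a clean result when the unmodified signed Response is accepted and each mutated one is rejected.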

...

Presentation and analysis of test results

For the admin of the onboarded SP, through the web UI, with an email notification containing an access link, ...!!

Specifics regarding the presentation and analysis of test results are not provided but should be detailed in the onboarding guidelines.

...

Periodic testing is conducted by federation operators at predefined intervals aligned with the federation's policy and operational rules, ensuring ongoing compliance.

...

Compliance testing, as part of a broader compliance review, is likely to be included in the contractual arrangements between the client institution and the SP, possibly within their Service Level Agreements (SLAs).

Things/tests to look at

...


OMG: https://www.google.com/search?client=firefox-b-d&q=turn+off+saml+signature+validation#ip=1

“A Signature element in AuthnRequest elements is optional. If Require Verification certificates is not checked, Microsoft Entra ID does not validate signed authentication requests if a signature is present”

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-enforce-signed-saml-authentication