These four scenarios delineate distinct approaches to SAML SP testing, each tailored to its specific context and purpose and each requiring a different deployment approach.

SELF - Self-testing by SP for production readiness

Summary description

This scenario enables individual Service Providers (SPs) to validate their SAML service configuration internally, with a focus on signature usage. While it is the simplest scenario in terms of technical requirements and legal considerations, its potential for widespread adoption remains modest.

Deployment or configuration

SPs execute this self-testing autonomously within their own organisations.

...

Test output verbosity can be configured with a switch set by the user.

Results are presented in plain text, in both summary and detailed formats, covering the outcome of individual tests, detected issues, and exchanged content.

...

However, problems in both command execution and SP operation are indicated by non-zero exit statuses, facilitating use in scripts.
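As an added illustration (not the tool's own code, nor code from this page), the following Python script performs a minimal self-test of the kind described above on an SP's SAML metadata: it checks signature-related settings, prints a plain-text summary or a detailed report depending on a verbosity switch, and exits non-zero when any check fails so it can be driven from scripts. The sample metadata (with a hypothetical entityID) and the particular set of checks are constructed assumptions.

```python
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata (hypothetical entityID) with three deliberate
# weaknesses: unsigned AuthnRequests, no signing key, and a plain-HTTP ACS endpoint.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>enc</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="http://sp.example.org/acs"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def run_tests(metadata_xml):
    """Run the signature-related checks; return a list of (name, passed, detail)."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    if sp is None:
        return [("sp-descriptor", False, "no SPSSODescriptor found in metadata")]
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    uses = [k.get("use") or "any" for k in sp.findall("md:KeyDescriptor", NS)]
    req_signed = sp.get("AuthnRequestsSigned", "false") == "true"
    want_signed = sp.get("WantAssertionsSigned", "false") == "true"
    insecure_acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
                    if not (a.get("Location") or "").startswith("https://")]
    return [
        ("signing-key", any(u in ("signing", "any") for u in uses), f"KeyDescriptor use: {uses}"),
        ("authnrequests-signed", req_signed, f"AuthnRequestsSigned={sp.get('AuthnRequestsSigned')}"),
        ("want-assertions-signed", want_signed, f"WantAssertionsSigned={sp.get('WantAssertionsSigned')}"),
        ("acs-https", not insecure_acs, f"non-HTTPS ACS locations: {insecure_acs}"),
    ]

def report(results, verbose=False):
    """Print a plain-text summary (plus per-test detail if verbose); return the exit status."""
    failed = [name for name, ok, _ in results if not ok]
    lines = [f"{len(results) - len(failed)}/{len(results)} tests passed; failed: {failed or 'none'}"]
    if verbose:
        lines += [f"  [{'PASS' if ok else 'FAIL'}] {name}: {detail}" for name, ok, detail in results]
    print("\n".join(lines))
    return 1 if failed else 0  # non-zero when any test fails, for use in scripts

if __name__ == "__main__":
    sys.exit(report(run_tests(SAMPLE_METADATA), verbose="-v" in sys.argv))
```

Run with `-v` to get the per-test detail lines in addition to the summary; the exit status is 1 for the constructed sample because three of the four checks fail.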

For test tool deployment within a federation, the web interface may mirror that of the onboarding scenario. However, a notable distinction could be the provision of an option for users to escalate to full onboarding or to contact the federation's support for assistance at the conclusion of the test, if such assistance is made available by the federation.

Relational or contractual arrangements

No formal arrangements are required as the tester and SP belong to the same organisation.

In federation-based tool deployment, it is crucial to prevent bogus self-testing from being used to probe someone else's SP.

ONBOARDING - Testing of SP deployment by FedOps during onboarding

...

This scenario applies during SP onboarding and may involve manual or automated testing. Initiated upon the SP's request, it integrates into the federation's onboarding procedure. Its benefits include broader outreach without significant legal issues, easy enforcement, and a single deployment of testing software per identity federation. A web user interface is necessary.

Deployment or configuration

...

Arrangement and execution of tests

It is initiated by the SP during onboarding.

Automation is possible as part of the onboarding process.

...

For the admin of the onboarded SP: through the web UI, with email notification and an access link.

Specifics regarding the presentation and analysis of test results should be detailed in the onboarding guidelines.

...

The testing process should be allowed or sanctioned by the federation's policy and operational guidelines.

Bogus onboarding, performed with the goal of probing somebody else's SP, should be prevented.

PERIODIC - Periodic testing of SPs by FedOps

...

Deployment or configuration

It is similar to the deployment at the FedOp for testing SPs during onboarding.

...

It requires both overviews of several or all SPs, with search and filtering, and a detailed view of a single SP.

By default, all test results are available for the federation operator to view. If an SP's results are to be made available to its operator, then separate arrangements need to be made on what to make available to whom.

Relational or contractual arrangements

The federation's policy and operating guidelines must allow or mandate the testing process.

Separate registration and access-granting arrangements are needed if SP results are to be shared.

COMPLIANCE - Client institution testing for compliance

...

The use of the test by the client institution may necessitate specialised procedures and reporting. Advanced usage may involve support for report signing or 'certificate' issuance. The produced reports may also require some SLA-styled longitudinal metrics.

Relational or contractual arrangements

Compliance testing, as part of a broader compliance review, is likely to be included in the contractual arrangements between the client institution and the SP, possibly within their Service Level Agreements (SLAs). These arrangements should also address shared or public access to test results.