Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Considered scenarios

These four scenarios outline diverse delineate distinct approaches to SAML SP testing, each tailored to its respective specific context and purpose and requiring a different type of deployment, necessitating a diverse deployment approach.

SELF - Self-testing by SP for production readiness

Summary description

Fully internal.

Deploy a test ISP and configure the tested SP for it.

Relational characteristics

Policy/

Deployment or configuration

!!

Arrangement and execution of tests

!!

Presentation and analysis of test results

!!

Relational or contractual arrangements

!!

This scenario enables individual Service Providers (SPs) to internally validate their SAML service configuration, with a focus on signature usage. While it stands out as the simplest one in terms of technical requirements and legal considerations, its potential for widespread remains modest.

Deployment or configuration

SPs independently execute this self-testing within their organisations.

The SP deploys a test IdP, preferably as an easily configurable VM image, container image, or appliance. Alternatively, the tool can be deployed at the federation, in which case it necessitates a web interface.

Arrangement and execution of tests

Testing is initiated by a service admin or operator and triggered through command-line invocation. The target SP is specified via a command-line parameter. Alternatively, the tool is invoked by the SP through a web UI provided by the federation.

Testing can occur after the service is deployed but before its production use is declared, after configuration changes, or periodically via automated scheduling tools like cron.

The testing tool allows selective execution or suppression of individual tests through command-line options.

Presentation and analysis of test results

Test output verbosity can be set by the user.

Results are presented in plain text, offering both summary and detailed formats of information about the outcome of individual tests, detected issues, and exchanged content.

Status information, issues related to SP operation, and details of both successful and failed tests are reported to standard output (stdout). Errors related to the execution of the command are reported to standard error (stderr).

However, problems in both command execution and SP operation are indicated by non-zero exit statuses, facilitating use in scripts.

For test tool deployment within a federation, the web interface may mirror that of the onboarding scenario. However, a notable distinction could be the provision of an option for users to escalate to full onboarding or to contact the federation's support for assistance at the conclusion of the test, if such assistance is made available by the federation.

Relational or contractual arrangements

No formal arrangements are required as the tester and SP belong to the same organisation.

In federation-based tool deployment, preventing bogus self-testing to probe someone else's SP is crucial.

ONBOARDING - Testing of SP deployment by FedOps during onboarding

Summary description

Options

This scenario is applicable during SP onboarding and may involve manual or automated testing. Initiated upon the SP's request

...

It probably needs to be integrated into the federation's policy and operational guidelines. However, it can be easily communicated among other requirements after the SP requests onboarding, it integrates into the federations' onboarding procedure. Its benefits include a broader outreach without significant legal issues, easy enforcement and a single testing software deployment per identity federation. A web user interface is necessary.

Deployment or configuration

...

The testing tool is deployed by the federation.

Details of SP configuration should be specified in onboarding guidelines.!!

Arrangement and execution of tests

...

It is initiated upon SP request during onboarding.

Automation is possible as part of the onboarding process.

Specific details on conducted tests are outlined in the onboarding procedure, and this information can be communicated to SPs requesting onboarding. They may be accompanied by corresponding SP configuration guidelines that would increase the SP's chances of passing the tests. Optionally, the SP may be informed about the requirements and tests and be requested to give explicit approval and clearance for tests to be conducted.!!

Presentation and analysis of test results

...

For the admin of the onboarded SP, through the web UI, with email notification and an access link.

Specifics regarding the presentation and analysis of test results should be detailed in the onboarding guidelines.!!

Relational or contractual arrangements

!!

Periodic testing of SP deployments by FedOps

Summary description

Options

  • Triggered by SPs themselves, with each SP required to invoke it in regular intervals within policy-defined periods.
  • Or it could be automatically invoked by FedOps in line with predefined rules.

The testing must probably be integrated into the federation's policy and operational guidelines.

Testing may be mandated as part of the onboarding criteria when requested by SP organisations when it should be communicated as a requirement within the onboarding procedure. However, this testing will be better accepted if it is mentioned and outlined in the description of the onboarding procedure that must be read by SP organisations wishing to join the federation.

The testing process should be allowed/sanctioned into Must be aligned with the federation's policy and operational A part of guidelines.

Bogus onboarding, performed with a goal to prove somebody else's SP, should be prevented.

PERIODIC - Periodic testing of SPs by FedOps

Summary description

Periodic testing is conducted by federation operators in predefined intervals aligned with the federation's policy and operational rules, ensuring ongoing compliance. This is an extension of the testing of SPs during onboarding. It requires additional SP selection and scheduling functionalities.

Deployment or configuration

!!It is similar to the deployment at the FedOp for testing of SPs during onboarding.

Arrangement and execution of tests

...

Testing execution must be aligned with the federation's policy and operating rules.

Tests across SPs may be spread in time and conducted during predefined high-load or low-load periods.!!

Presentation and analysis of test results

...

It requires both overviews for several or all SPs and search/filtering a detailed view for a single one.

By default, all test results are available for the federation operator to view. If an SP's results are to be made available to its operator, then separate arrangements need to be made on what to make available to whom.!!

Relational or contractual arrangements

...

!!

Federation's policy and operating guidelines must allow or mandate the testing process.

Separate registration and access-granting arrangements are needed if sharing SP results.

COMPLIANCE - Client institution testing for compliance

Summary description

Conducted by a client institution for contracted services, possibly as part of its internal compliance reviews (e.g., GDPR audits, This scenario involves the SP's client institution conducting compliance testing, often as part of broader assessments like GDPR audits or ISO 27001 security controls).

How is the practical arrangement of the test coordinated between the client institution and the SP?

Practical differences and requirements in comparison to self-testing:

...

. It often integrates with broader compliance assessments, introducing additional requirements and may involve specific compliance criteria dictated by the client institution.

...

Deployment or configuration

To best simulate the regular service usage, the testing platform can be deployed by the client organisation. However, it may also be provided by a third party specialised in compliance audits.

In the latter case, which is more comfortable for clients, additional legal issues may arise.

Arrangement and execution of tests

It is conducted by an individual client organisation to internally validate the validity of contracted SP's SAML service configuration for compliance by internal or external auditors operating with both the organisation's and SP's approval and SP's support if needed. However, this testing is usually done without direct involvement of the SP.

How the practical execution of tests and debugging are coordinated and conducted between the client institution and the SP is out of the scope of this description, as the SP does not have to do or deploy anything that would specifically support this testing scenario.

Presentation and analysis of test results

The use of the test by the client institution may necessitate specialised procedures and reporting. Advanced usage may involve report signing or 'certificate' issuance support. The produced reports may also require some SLA-styled longitudinal metrics.

Relational or contractual arrangements

Compliance testing, as part of a broader compliance review, is likely to be included in the contractual arrangements between the client institution and the SP, possibly within the Service Level Agreements (SLAs) between the client institution and the SP. These arrangements should also address shared or public access to test results.

It probably needs to be included in the SLA.

Deployment or configuration

!!

Arrangement and execution of tests

!!

Presentation and analysis of test results

!!

Relational or contractual arrangements

!!

Things/tests to look at

https://release-check.edugain.org/

https://access-check.edugain.org/step1

https://medium.com/the-new-control-plane/i-need-a-saml-idp-to-test-now-477761595b60

https://saml.oktadev.com/

https://auth0.com/docs/authenticate/protocols/saml/saml-configuration/configure-auth0-as-service-and-identity-provider

https://samltest.id/start-sp-test/

https://jumpcloud.com/blog/how-to-test-saml-and-configure-sso-for-free

https://www.samltool.com/

https://mocksaml.com/