...

These test cases check that the Service Provider is capable of including the child elements and attributes listed in the eGov 2.0 profile in an AuthnRequest message. The tests are carried out using the HTTP-Redirect binding on the assumption that support for child elements and attributes in the message is not affected by the choice of binding. The latter tests check that the Identity Provider handles these and other child elements and attributes in an appropriate way. The correct formation of these elements is not tested in these cases. See section 4 for tests that confirm support for the NameIDPolicy child element.

Test case 8.1 - Confirm Service Provider support for AuthnRequest child

...

element <saml2p:RequestedAuthnContext>

...

Scope:
  • Verify possibility to specify, and presence of, the AuthnRequest child elements <saml2p:RequestedAuthnContext> and <saml2p:NameIDPolicy>
Preconditions:
  • Metadata exchanged and imported
  • Service provider metadata contains multiple indexed AttributeConsumingService entries
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest

...

1. Configure SP to specify one or more authentication contexts
CONFIRM: SP offers administrative capability to specify authentication contexts in the request
2. Configure SP to specify a NameIDPolicy for one or all authentication requests
CONFIRM: SP offers administrative capability to specify a NameIDPolicy in the request
3. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
4. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of element <saml2p:RequestedAuthnContext> as a child of AuthnRequest element
CONFIRM: presence of element <saml2p:NameIDPolicy> as a child of AuthnRequest element

Test case 8.2 - Confirm Service Provider support for AuthnRequest attributes ForceAuthn and IsPassive

...

  • Verify IDP handling of AuthnRequest child elements <saml:Subject>, <NameIDPolicy>, <saml:Conditions>, <RequestedAuthnContext>, <Scoping>, and attributes AssertionConsumerServiceIndex and ProviderName

...

  • Metadata exchanged and imported
  • Service provider configured to send AuthnRequest messages with Subject, NameIDPolicy, Conditions, RequestedAuthnContext, Scoping, AssertionConsumerServiceIndex and ProviderName
  • Service provider metadata contains indexed AssertionConsumerService entries
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest

...

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding (note prerequisites)
2. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of attributes and child elements outlined above, in element <samlp:AuthnRequest>
3. Observe IDP handling of AuthnRequest
CONFIRM: IDP accepts AuthnRequest without error, or returns appropriate error messages
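
The "observe and decode the SAMLRequest" step in test case 8.1 and in the procedure just above can be scripted. The following is an added example, not part of the original test plan: it reverses the HTTP-Redirect encoding (URL-decode, Base64-decode, raw inflate) and reports which expected child elements and attributes are present. The host name, the sample request and the 64 KiB size cap are assumptions made for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # assumed cap on inflated size; stops deflate bombs

def decode_redirect_request(url):
    """Return the AuthnRequest element carried in an HTTP-Redirect URL."""
    params = parse_qs(urlsplit(url).query)      # parse_qs undoes the URL encoding
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)    # raw DEFLATE, no zlib header
    xml = inflater.decompress(raw, MAX_XML)
    if not inflater.eof:                        # cap hit or stream truncated
        raise ValueError("SAMLRequest is truncated or exceeds the size cap")
    if b"<!DOCTYPE" in xml:                     # no DTDs in SAML; avoids entity expansion
        raise ValueError("DTD found in SAML message")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("root element is not samlp:AuthnRequest")
    return root

def check_authn_request(root, elements, attributes):
    """Map each expected 'prefix:Element' and attribute name to True/False."""
    children = {child.tag for child in root}    # direct children only
    found = {}
    for name in elements:
        prefix, local = name.split(":")
        found[name] = "{%s}%s" % (NS[prefix], local) in children
    for name in attributes:
        found[name] = name in root.attrib
    return found

def constructed_sample_url():
    """Constructed test input: a redirect URL such as an SP might emit."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_a1" '
           'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true">'
           '<samlp:NameIDPolicy AllowCreate="true"/>'
           '<samlp:RequestedAuthnContext><saml:AuthnContextClassRef>'
           'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
           '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>'
           '</samlp:AuthnRequest>') % (NS["samlp"], NS["saml"])
    c = zlib.compressobj(wbits=-15)
    deflated = c.compress(xml.encode()) + c.flush()
    return ("https://idp.example.org/sso?SAMLRequest="
            + quote(base64.b64encode(deflated), safe=""))
```

Pass the redirect URL captured from the browser or proxy to `decode_redirect_request`, then call `check_authn_request` with the element and attribute names listed in the test case scope.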

Test case 8.5 - Confirm Identity Provider support for AuthnRequest child elements and attributes that should be utilized

...

  • Metadata exchanged and imported
  • Service provider capable of sending AuthnRequest messages with <saml2p:NameIDPolicy>, ForceAuthn, IsPassive, and AttributeConsumingServiceIndex.
  • Service provider metadata contains indexed AttributeConsumingService entries
  • IDP configured to provide attribute response
  • Valid and known account that can be authenticated using an available authentication method on IDP

...

1. Trigger SP-initiated single sign-on specifying NameIDPolicy and AttributeConsumingServiceIndex
2. Authenticate to IDP using test account
3. Observe response message (star)
CONFIRM: attributes sent according to AttributeConsumingServiceIndex
CONFIRM: NameID supplied according to NameIDPolicy specified

4. Trigger SP-initiated single sign-on specifying forced authentication
5. Observe IDP behaviour
CONFIRM: user presented with authentication method on IDP
6. Terminate user sessions on IDP and SP

...