Versions Compared

Old Version 36

changes.mady.by.user Former user

Saved on

compared with

New Version 37

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Section 7: Authentication Requests Binding and Security Requirements (Jonathan Scudder - Jonathan.Scudder@forgerock.com)

Test case 7.1 - Confirm support for the HTTP-Redirect binding for transmitting AuthnRequest messages

Testing that the HTTP-Redirect binding for AuthnRequest messages is supported can be performed through metadata analysis or by verifying that the AuthnRequest is accepted when triggering SP-initiated SSO. The latter is used for this test as a more accurate indication of actual support.

Scope:
  • Confirm that a valid AuthnRequest transmitted to the IDP is accepted and acted upon.
Preconditions:
  • Metadata exchanged and imported
  • No current user session on IDP
  • Any authentication method configured on IDP side
  • Test performed with NameID setting supported by both IDP and SP
Test sequence:

1. Trigger SP-initiated single sign-on with valid parameters
2. Observe IDP handling of the request
CONFIRM: IDP authentication is triggered without error.

Test case 7.2 - Confirm support for generation of signatures

This involves verifying that an AuthnRequest can be generated with signatures on the SP side by
triggering such a message and examining the information transmitted to the IDP using the
HTTP-Redirect binding. The correct creation of signatures is not tested in this case.

Scope:
  • Test for the presence of a signature for AuthnRequest when transmitting to IDP.
Preconditions:
  • Metadata exchanged and imported
  • Signing key created and configured on the SP side
  • SP configured to sign authentication requests
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
  • A signature algorithm supported by both IDP and SP is used for the test
Test sequence:

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
2. Observe parameters of the HTTP redirect
CONFIRM: presence of the SigAlg and Signature parameters

Test case 7.3 - Confirm support for verification of signatures

This case checks that an IDP can receive a signed AuthnRequest and act approriately according to the validity of the signature.

Scope:
  • Test consumption of a signed AuthnRequest with and without error according to validity.
Preconditions:
  • Metadata exchanged and imported
  • Signing keys created, exchanged and configured
  • SP configured to sign authentication requests
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
  • A signature algorithm supported by both IDP and SP is used for the test
Test sequence:

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
2. Observe IDP handling of the request
CONFIRM: IDP accepts AuthnRequest message without error
3. Remove signature public key from IDP
4. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
5. Observer IDP handling of the request
CONFIRM: IDP rejects AuthnRequest due to invalidity of the signature

...

These test cases check that the Service Provider is capable of including the child elements and attributes listed in the eGov 2.0 profile in an AuthnRequest message. The tests are carried out using the HTTP-Redirect binding on the assumption that support for child elements and attributes in the message is not affected by the choice of binding. The latter tests check that the Identity Provider handles these and other child elements and attributes in an appropriate way. The correct formation of these elements are not tested in these cases.

Test case 8.1 - Confirm Service Provider support for AuthnRequest child elements <saml2p:RequestedAuthnContext> and <saml2p:NameIDPolicy>

Scope:
  • Verify possibility to specify, and presence of, the AuthnRequest child elements
    <saml2p:RequestedAuthnContext> and <saml2p:NameIDPolicy>
Preconditions:
  • Metadata exchanged and imported
  • Service provider metadata contains multiple indexed AttributeConsumingService entries
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
Test sequence:

1. Configure SP to specify one or more authentication contexts
CONFIRM: SP offers administrative capability to specify authentication contexts in the request
2. Configure SP to specify a NameIDPolicy for one or all authentication requests
CONFIRM: SP offers administrative capability to specify a NameIDPolicy in the request
3. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
4. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of element <saml2p:RequestedAuthnContext> as a child of AuthnRequest element
CONFIRM: presence of element <saml2p:NameIDPolicy> as a child of AuthnRequest element

Test case 8.2 - Confirm Service Provider support for AuthnRequest attributes ForceAuthn and IsPassive

Scope:
  • Verify possibility to specify, and presence of, the AuthnRequest attributes ForceAuthn and IsPassive
Preconditions:
  • Metadata exchanged and imported
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
Test sequence:

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding, specifying that authentication should be forced
CONFIRM: SP offers capability for specifying whether authentication should be forced or not
2. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of attribute "ForceAuthn" with value "true" on element <samlp:AuthnRequest>

3. Trigger SP-initiated single sign-on using the HTTP-Redirect binding, specifying that the request should be passive
CONFIRM: SP offers capability for specifying whether authentication request should be passive or not
4. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of attribute "IsPassive" with value "true" on element <samlp:AuthnRequest>

Test case 8.3 - Confirm Service Provider support for AuthnRequest attributes AssertionConsumerServiceURL, ProtocolBinding, and AttributeConsumingServiceIndex

Scope:
  • Verify possibility to specify, and presence of, the AuthnRequest attributes AssertionConsumerServiceURL, ProtocolBinding, and AttributeConsumingServiceIndex
Preconditions:
  • Metadata exchanged and imported
  • Service provider metadata contains indexed AssertionConsumerService entries
  • Service provider metadata contains indexed AttributeConsumingService entries
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
Test sequence:

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding, specifying that a particular AssertionConsumerServiceURL be called using a specified ProtocolBinding
CONFIRM: SP offers capability for specifying the AssertionConsumerService URL
CONFIRM: SP offers capability for specifying the ProtocolBinding to be used
2. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of attribute "AssertionConsumerServiceURL" with the URL specified in step 1 as value, on element <samlp:AuthnRequest>
CONFIRM: presence of attribute "ProtocolBinding" with the URL specified in step 1 as value, on element <samlp:AuthnRequest>

3. Trigger SP-initiated single sign-on using the HTTP-Redirect binding, specifying that a particular AttributeConsumingServiceIndex be called
CONFIRM: SP offers capability for specifying the AttributeConsumingServiceIndex value
4. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of attribute "AttributeConsumingServiceIndex" with the index specified in step 3 as value, on element <samlp:AuthnRequest>

Test case 8.4 - Confirm Identity Provider support for AuthnRequest child elements and attributes that should be accepted

Scope:
  • Verify IDP handling of AuthnRequest child elements <saml:Subject>, <NameIDPolicy>, <saml:Conditions>, <RequestedAuthnContext>, <Scoping>, and attributes AssertionConsumerServiceIndex and ProviderName
Preconditions:
  • Metadata exchanged and imported
  • Service provider configured to send AuthnRequest messages with Subject, NameIDPolicy, Conditions, RequestedAuthnContext, Scoping, AssertionConsumerServiceIndex and ProviderName
  • Service provider metadata contains indexed AssertionConsumerService entries
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
Test sequence:

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding (note prerequisites)
2. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of attributes and child elements outlined above, in element <samlp:AuthnRequest>
3. Observe IDP handling of AuthnRequest
CONFIRM: IDP accepts AuthnRequest without error, or returns apprioriate error messages

Test case 8.5 - Confirm Identity Provider support for AuthnRequest child elements and attributes that should be utilized

Scope:
  • Verify IDP handling of AuthnRequest child element <saml2p:NameIDPolicy>, and attributes ProtocolBinding, ForceAuthn, IsPassive, AttributeConsumingServiceIndex.
Preconditions:
  • Metadata exchanged and imported
  • Service provider capable of sending AuthnRequest messages with <saml2p:NameIDPolicy>, ForceAuthn, IsPassive, and AttributeConsumingServiceIndex.
  • Service provider metadata contains indexed AttributeConsumingService entries
  • IDP configured to provide attribute response
  • Valid and known account that can be authenticated using an available authentication method on IDP
Test sequence:

1. Trigger SP-initiated single sign-on specifying NameIDPolicy and AttributeConsumingServiceIndex
2. Authenticate to IDP using test account
3. Observe response message (star)
CONFIRM: attributes sent according to AttributeConsumingServiceIndex
CONFIRM: NameID supplied according to NameIDPolicy specified

...

7. Trigger SP-initiated single sign-on specifying passive request
8. Observe IDP bevhaiour
CONFIRM: IDP returns control to SP without presenting the user with an authentication method

Test case 8.6 - Confirm Identity Provider verification of AssertionConsumerServiceURL value

Scope:
  • Verify IDP handling of AuthnRequest attributes AssertionConsumerServiceURL and ProtocolBinding
Preconditions:
  • Metadata exchanged and imported
  • Service provider capable of sending AuthnRequest messages with AssertionConsumerServiceURL and ProtocolBinding attributes
  • Service provider metadata contains AssertionConsumerService entries
  • IDP configured to provide attribute response
  • Valid and known account that can be authenticated using an available authentication method on IDP
Test sequence:

1. Trigger SP-initiated single sign-on specifying an AssertionConsumerServiceURL and ProtocolBinding that matches values in SP metadata
2. Observe IDP behaviour
CONFIRM: IDP accepts AuthnRequest without error

...