Versions Compared


...

2.5.2.1 Authentication Requests Binding and Security Requirements (Jonathan Scudder - Jonathan.Scudder@forgerock.com)

...

Confirm support for the HTTP-Redirect binding for transmitting AuthnRequest messages

Testing that the HTTP-Redirect binding for AuthnRequest messages is supported can be performed through metadata analysis or by verifying that the AuthnRequest is accepted when triggering SP-initiated SSO. The latter is used for this test as a more accurate indication of actual support.

...

Scope:

...

  • Confirm that a valid AuthnRequest transmitted to the IDP is accepted and acted upon.

...

Preconditions:

...

  • Metadata exchanged and imported
  • No current user session on IDP
  • Any authentication method configured on IDP side
  • Test performed with NameID setting supported by both IDP and SP

...

Test sequence:

...

1. Trigger SP-initiated single sign-on with valid parameters
2. Observe IDP handling of the request
CONFIRM: IDP authentication is triggered without error.

Confirm support for generation of signatures

This involves verifying that an AuthnRequest can be generated with signatures on the SP side by triggering such a message and examining the information transmitted to the IDP using the HTTP-Redirect binding. The correct creation of signatures is not tested in this case.

...

Scope:

...

  • Test for the presence of a signature for AuthnRequest when transmitting to IDP.

...

Preconditions:

...

  • Metadata exchanged and imported
  • Signing key created and configured on the SP side
  • SP configured to sign authentication requests
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
  • A signature algorithm supported by both IDP and SP is used for the test

...

Test sequence:

...

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
2. Observe parameters of the HTTP redirect
CONFIRM: presence of the SigAlg and Signature parameters

Confirm support for verification of signatures

This case checks that an IDP can receive a signed AuthnRequest and act appropriately according to the validity of the signature.

...

Scope:

...

  • Test consumption of a signed AuthnRequest with and without error according to validity.

...

Preconditions:

...

  • Metadata exchanged and imported
  • Signing keys created, exchanged and configured
  • SP configured to sign authentication requests
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
  • A signature algorithm supported by both IDP and SP is used for the test

...

Test sequence:

...

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
2. Observe IDP handling of the request
CONFIRM: IDP accepts AuthnRequest message without error
3. Remove signature public key from IDP
4. Trigger SP-initiated single sign-on using the HTTP-Redirect binding
5. Observe IDP handling of the request
CONFIRM: IDP rejects AuthnRequest due to invalidity of the signature
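The two signature test cases above (presence of SigAlg and Signature on the SP side, and acceptance or rejection on the IDP side according to key configuration) can be exercised end to end with the following added Go example. It is not part of the test plan and not code from any SP or IDP product; it assumes the HTTP-Redirect binding's signing rules (raw DEFLATE plus base64 for SAMLRequest, signature over the URL-encoded octets of SAMLRequest, RelayState and SigAlg, in that order), RSA-SHA256 with PKCS#1 v1.5 as the agreed algorithm, a hypothetical SP entityID `https://sp.example.test/metadata`, a constructed minimal AuthnRequest, and a `trustedKeys` map that stands in for the key imported from SP metadata (a missing entry models step 3, "remove signature public key from IDP").

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

const RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // SigAlg URI for RSA-SHA256

// newSPKey creates a throwaway SP signing key (stands in for the configured signing key).
func newSPKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// deflateB64 encodes SAMLRequest as the HTTP-Redirect binding requires:
// raw DEFLATE (no zlib/gzip header), then base64.
func deflateB64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // cannot fail for DefaultCompression
	w.Write([]byte(xml))
	w.Close() // writing into an in-memory buffer cannot fail
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// signedRedirectQuery (SP side) builds the query string appended to the IDP SSO URL.
// The signature covers the URL-encoded octets "SAMLRequest=..&RelayState=..&SigAlg=.."
// (RelayState omitted when empty); the Signature parameter is appended afterwards.
func signedRedirectQuery(authnRequestXML, relayState string, key *rsa.PrivateKey) (string, error) {
	toSign := "SAMLRequest=" + url.QueryEscape(deflateB64(authnRequestXML))
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(RSASHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams keeps values undecoded: the IDP must verify exactly the octets the SP signed.
func rawParams(query string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

// verifyRedirectQuery (IDP side) accepts the request only if the signature verifies under
// the key imported from the issuer's metadata; no entry models "public key removed from IDP".
func verifyRedirectQuery(query, issuer string, trustedKeys map[string]*rsa.PublicKey) error {
	decoded, err := url.ParseQuery(query)
	if err != nil {
		return err
	}
	pub, ok := trustedKeys[issuer]
	if !ok {
		return fmt.Errorf("no signing key configured for issuer %q", issuer)
	}
	if alg := decoded.Get("SigAlg"); alg != RSASHA256 { // reject unsigned or unexpected algorithm
		return fmt.Errorf("missing or unsupported SigAlg %q", alg)
	}
	sig, err := base64.StdEncoding.DecodeString(decoded.Get("Signature"))
	if err != nil || len(sig) == 0 {
		return fmt.Errorf("missing or malformed Signature")
	}
	raw := rawParams(query)
	signed := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok {
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + raw["SigAlg"]
	digest := sha256.Sum256([]byte(signed))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature invalid: AuthnRequest rejected")
	}
	return nil
}

func main() {
	key, issuer := newSPKey(), "https://sp.example.test/metadata" // hypothetical SP entityID
	q, _ := signedRedirectQuery(`<samlp:AuthnRequest ID="_c1" Version="2.0"/>`, "state 1", key) // constructed request
	fmt.Println("key configured:", verifyRedirectQuery(q, issuer, map[string]*rsa.PublicKey{issuer: &key.PublicKey}))
	fmt.Println("key removed:", verifyRedirectQuery(q, issuer, nil))
}
```

The verifier deliberately rebuilds the signed string from the raw, still-encoded parameter values rather than decoding and re-encoding them: implementations differ in how they percent-encode (for example `+` versus `%20`), and re-encoding is a common cause of interoperability failures in exactly this test case. A production IDP would obtain the issuer from the Issuer element of the inflated AuthnRequest and the public key from that issuer's imported metadata; here the issuer is passed in directly to keep the example self-contained.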

2.5.2.2 Authentication Requests Message Content (Jonathan Scudder - Jonathan.Scudder@forgerock.com)

...