...

2.5.3.1 Responses Binding and Security Requirements (Diego Lopez - diego.lopez@rediris.es)

[What should be CONFIRMED through testing from this section?]

* See Bob Sunday's example test case below

Confirm...

+ Availability of both Artifact and POST bindings to issue <saml2:Response> at IdPs
+ Consumption (SP) and production (IdP) of unsolicited <saml2:Response>
+ IdP error reporting via a <saml2:Response> unless no endpoint is available
+ Issuance (IdP) and acceptance (SP) of signed <saml2:Assertion>
+ Issuance (IdP) and acceptance (SP) of <saml2:EncryptedAssertion>

Responses to Authentication Failure

To complete this Test Case, the IdP under test must receive an authentication request for a User it cannot or will not authenticate. The cause of this authentication failure is not relevant but is expected to be an event such as:

  • The user chooses to cancel the authentication process.
  • The user identity does not exist or the number of failed login attempts has been exceeded.
  • The user forgets his/her password and must wait for an email containing the password.

Preconditions

  • Metadata exchanged and loaded
  • Encryption disabled
  • User Identities Not Federated

Test Sequence

1. AuthnRequest from SP to IdP, Redirect Binding, Federate

User/SP attempts Single Sign-On with Persistent Name Identifier with AllowCreate set to true. SP communication to the IdP for the SAML request is through HTTP-Redirect binding. IdP does not recognize User and thus cannot authenticate user.

IdP CONFIRM: User is not authenticated.

2. Response Failure

Being unable to authenticate User, IdP returns SAML Response with error indicating AuthnRequest failed.

SP CONFIRM: IdP returns SAML Response indicating authentication error.
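As an added illustration of what the SP side of this test case has to verify (this is example code written for this page, not Bob Sunday's test case or any product's implementation), the following Python builds a constructed error Response of the kind step 2 expects, with a top-level Responder status carrying a second-level AuthnFailed code and no Assertion, and classifies it the way an assertion consumer should: the SP checks that the Response answers an outstanding request and is addressed to its own endpoint, reads the two-level StatusCode, and only treats the message as an authentication when the top-level status is Success and an Assertion or EncryptedAssertion is present. The IDs, URLs and timestamp are made up; signature verification and assertion validation are assumed to happen in a later step and are not shown.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Constructed sample of the error Response that step 2 of the test sequence
# expects: top-level Responder status with a second-level AuthnFailed code and
# no Assertion. IDs, URLs and the timestamp are invented for this example.
FAILURE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    InResponseTo="_req-constructed-1" Destination="https://sp.example.org/acs">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User is not known to this IdP</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def read_status(root):
    """Return (top-level StatusCode, second-level StatusCode or None, StatusMessage or None)."""
    status = root.find("samlp:Status", NS)
    if status is None:
        return None, None, None
    top = status.find("samlp:StatusCode", NS)
    top_value = top.get("Value") if top is not None else None
    second = top.find("samlp:StatusCode", NS) if top is not None else None
    second_value = second.get("Value") if second is not None else None
    message = status.find("samlp:StatusMessage", NS)
    return top_value, second_value, (message.text if message is not None else None)


def evaluate_response(xml_text, expected_in_response_to, expected_destination):
    """Classify a <samlp:Response> as the SP's assertion consumer would.

    Outcomes: "error" (the IdP reported a failure, so no session is created),
    "authenticated" (Success with at least one assertion to validate further),
    "reject" (malformed or inconsistent; the message is discarded).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"outcome": "reject", "reason": "not a samlp:Response"}
    # The SP issued the request, so it knows which request ID and which of
    # its own endpoints the answer must name.
    if root.get("InResponseTo") != expected_in_response_to:
        return {"outcome": "reject", "reason": "InResponseTo does not match an outstanding request"}
    if root.get("Destination") != expected_destination:
        return {"outcome": "reject", "reason": "Destination is not this SP's endpoint"}

    top, second, message = read_status(root)
    assertions = root.findall("saml:Assertion", NS) + root.findall("saml:EncryptedAssertion", NS)

    if top != STATUS_SUCCESS:
        # An error Response carries no assertions; if one is present the
        # message is inconsistent and nothing in it may be used.
        if assertions:
            return {"outcome": "reject", "reason": "assertion present in a non-Success response"}
        return {"outcome": "error", "top": top, "second": second, "message": message}
    if not assertions:
        return {"outcome": "reject", "reason": "Success status without any assertion"}
    return {"outcome": "authenticated", "assertions": len(assertions)}


if __name__ == "__main__":
    print(evaluate_response(FAILURE_RESPONSE, "_req-constructed-1", "https://sp.example.org/acs"))
```

The point of the three-way outcome is that "IdP returns SAML Response" in the CONFIRM step is not enough on its own: the SP must read the status rather than infer success from the mere arrival of a Response, and it must refuse a message whose InResponseTo or Destination does not match what it sent.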

2.5.3.2 Responses Message Content (Diego Lopez - diego.lopez@rediris.es)

...

Confirm...

+ IdP able to limit the number of <saml2:Assertion>, <saml2:AuthnStatement>, and <saml2:AttributeStatement> to one
+ IdP able to include a Consent attribute in <samlp:Response>
+ IdP able to include a SessionIndex attribute in <saml2:AuthnStatement>
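The three content expectations above can be confirmed mechanically from a captured Response. The following Python is an added example written for this page (not part of the test plan or of any IdP or SP product): it constructs a successful Response that meets all three expectations, a checker that counts Assertion, AuthnStatement and AttributeStatement elements and looks for the Consent and SessionIndex attributes, and a deliberately non-conforming variant derived from the good one. Issuer, NameID, attribute name and timestamps are invented; the checker is meant to run after status and signature verification, which are not shown.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of a successful Response that satisfies the content
# expectations of this section: one Assertion, one AuthnStatement with a
# SessionIndex, one AttributeStatement, and a Consent attribute on the
# Response. Issuer, identifiers, attribute and timestamps are invented.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assertion-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-persistent-id</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_session-constructed-1">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_content(xml_text):
    """Return a list of findings; an empty list means the Response meets the
    content expectations of this section. Intended to run after the status
    and signature checks have passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Consent") is None:
        findings.append("Response has no Consent attribute")
    # Each of these element kinds is expected exactly once.
    for local, path in (("Assertion", "saml:Assertion"),
                        ("AuthnStatement", ".//saml:AuthnStatement"),
                        ("AttributeStatement", ".//saml:AttributeStatement")):
        count = len(root.findall(path, NS))
        if count != 1:
            findings.append("%d %s elements (expected 1)" % (count, local))
    # Every AuthnStatement must name the session it belongs to.
    for statement in root.findall(".//saml:AuthnStatement", NS):
        if not statement.get("SessionIndex"):
            findings.append("AuthnStatement without SessionIndex")
    return findings


def make_bad_response():
    """Derive a non-conforming Response from the good one for the demonstration:
    drop the Consent attribute and append a second AuthnStatement that carries
    no SessionIndex."""
    root = ET.fromstring(GOOD_RESPONSE)
    del root.attrib["Consent"]
    assertion = root.find("saml:Assertion", NS)
    ET.SubElement(assertion, "{%s}AuthnStatement" % NS["saml"],
                  AuthnInstant="2024-01-01T00:00:00Z")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("good:", check_content(GOOD_RESPONSE))
    print("bad: ", check_content(make_bad_response()))
```

Counting with a descendant search (`.//`) rather than a direct-child lookup matters for the statement elements: a second AuthnStatement can only appear inside an Assertion, so a checker that looks at the Response's direct children would miss it.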

2.5.4.1 Artifact Resolution Requests (Andrew Lindsay-Stewart - alindsay-stewart@fugensolutions.com)

...