Versions Compared

Old Version 24

changes.mady.by.user Former user

Saved on

compared with

New Version 25

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

CONFIRM: The content(s) of the md:KeyDescriptor element(s) matches the expected output.

Consumption of IOP-compliant Metadata

Testing is best accomplished with a fixed implementation to test against, as the purpose is not to test actual protocol correctness, but use of the metadata itself.

Scope
  • Verify the ability to process metadata conformant to the Metadata IOP.
  • Verify support for bare keys, self-signed, arbitrary-CA, and expired certificates.
  • Check for bypass of CRL or OCSP extensions in certificates.
  • Verify ability to match keys between different certificates
  • Verify recognition of a removed/revoked key.
  • Verify enforcement of validUntil.
Preconditions
  • Keys and certificates generated with various characteristics:
    • Self-signed, no revocation-related extensions
    • Signed by a CA, with revocation-related extensions
    • Expired
    • Multiple certificates with the same public key
Test Sequence

1. Test Bare Keys

a. Metadata is prepared for the fixed implementation containing a pair of md:KeyDescriptors both containing a ds:KeyValue containing a ds:RSAKeyValue. The fixed implementation is configured to use one of the keys for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

b. The fixed implementation is switched to use the second of the pair of keys in its metadata.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

c. The fixed implementation is switched to use a key that is NOT in its metadata.

CONFIRM: The SSO operations are unsuccessful.

2. Test Self-Signed Certificates

a. Metadata is prepared for the fixed implementation containing a pair of md:KeyDescriptors both containing a ds:X509Certificate, with the certificates self-signed. One of the certificates should be expired. The fixed implementation is configured to use one of the certificates for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

b. The fixed implementation is switched to use the second of the pair of certificates in its metadata.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

c. The fixed implementation is switched to use a different certificate that is not in the metadata but contains the same key as one that is.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

d. The fixed implementation is switched to use a certificate and key that is NOT in its metadata.

CONFIRM: The SSO operations are unsuccessful.

2. Test CA-Issued Certificates

a. Metadata is prepared for the fixed implementation containing a pair of md:KeyDescriptors both containing a ds:X509Certificate, with the certificates signed by one or more arbitrary CAs. The certificates should, if possible, include a CRL distribution point or OCSP location extension. These endpoints should not exist or be unavailable to the testing environment. The fixed implementation is configured to use one of the certificates for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata. No delays in processing occur as a result of failed attempts to contact non-existent or unavailable CRL or OCSP endpoints.

b. The fixed implementation is switched to use the second of the pair of certificates in its metadata.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

c. The fixed implementation is switched to use a different certificate that is not in the metadata but contains the same key as one that is.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

d. The fixed implementation is switched to use a key that is NOT in its metadata.

CONFIRM: The SSO operations are unsuccessful.

3. Verify Revocation and validUntil

a. Metadata is prepared for the fixed implementation containing a md:KeyDescriptor containing a key in one of the supported formats. The fixed implementation is configured to the key for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

b. The metadata is altered to remove the md:KeyDescriptor and the candidate implementation is configured to refresh the appropriate source of metadata.

CONFIRM: The SSO operations are unsuccessful.

c. The metadata is altered to add back the md:KeyDescriptor, but a validUntil attribute is added such that the metadata is expired, and the candidate implementation is configured to refresh the appropriate source of metadata.

CONFIRM: The SSO operations are unsuccessful.

Support for "Metadata Extension for Entity Attributes" Profile

Scope
  • Test SP acceptance of SSO based on IdP metadata extension content

...

Code Block
xml
xml
<EntityDescriptor entityID="https://idp.example.org/SAML" ... >
   <Extensions>
      <attr:EntityAttributes xmlns:attr="urn:oasis:names:tc:SAML:metadata:attribute">
        <saml:Attribute
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
          <saml:AttributeValue>
            http://foo.example.com/assurance/loa1
          </saml:AttributeValue>
        </saml:Attribute>
      </attr:EntityAttributes>
    </Extensions>
    <IDPSSODescriptor...> 
      ...
    </IDPSSODescriptor>	
</EntityDescriptor>
Preconditions
  • SP configured with metadata for candidate IdP containing acceptable LOA "tag".
  • SP configured with metadata for candidate IdP not containing acceptable LOA "tag".
  • SP configured to require presence of "tag" in metadata for IdPs before it will accept SSO from them.
Test Sequence

1. Verify use of acceptable IdP

...

It may be necessary to bypass, or incorporate a limited amount of, metadata verification functionality in order for metadata import to be tested.

Publication

Scope
  • Publication (and maintenance) of metadata via Well-Known-Location resolution profile.
Preconditions
  • An http/https entityID defined that is suitable for dereferencing
  • Appropriate configuration of that entityID is completed
  • Multiple details of configuration are available to tester (location of a profile endpoint, a key descriptor, etc.)
  • Any pre-publishing step required is completed
Test Sequence

1. Access published metadata

...

CONFIRM: As in (1), but also that the implementation did not require a restart or disruption of service.

Import from File

Scope
  • Metadata consumption via local file
  • Ability to detect and ignore invalid metadata
  • Support for batches (md:EntitiesDescriptor)
  • Ability to update from a changed source without disruption
  • Maintenance of valid operation after a change that renders a source invalid.
Preconditions
  • Valid metadata is available to the implementation via a local filesystem path
  • The valid metadata contains at least two md:EntityDescriptor elements inside an md:EntitiesDescriptor element
  • Invalid metadata is available to the implementation via a (different) local filesystem path
  • Appropriate configuration for the use of those paths is applied
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import valid metadata

The implementation is directed in whatever manner is required to import or make use of the valid metadata. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

...

CONFIRM: The interactions remain successful in accordance with the metadata that existed prior to the change. No restart or other service interruption was required to accomodate the change.

Import from URL

Scope
  • Metadata consumption via multiple http and https sources
  • Ability to detect and ignore invalid or unavailable metadata
  • Support for caching
  • Ability to update via a changed source without disruption
  • Maintenance of valid operation after a change that renders a source invalid.
Preconditions
  • Valid metadata is available to the implementation via at least two URLs (one http, one https)
  • Invalid metadata is available to the implementation via a different, possibly unavailable, URL
  • Appropriate configuration for the use of those URLs is applied
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import valid metadata

The implementation is directed in whatever manner is required to import or make use of the valid metadata. A set of SAML interactions is then attempted between the implementation and the metadata subjects (at least two, one for each source of metadata). A basic test of SP-initiated SSO is sufficient.

...

Verification by Known Key

Scope
  • Test verification of root level signature via a known key.
Preconditions
  • Any MTI signature algorithm may be used.
  • Valid metadata signed by a known key is available at an http or https URL.
  • Valid metadata with an invalid signature is available via a different URL.
  • The key should not be present inside the signature of the metadata document.
  • Appropriate configuration for the use of the URLs and verification with the key is applied.
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import and verify valid metadata

...

Verification by Certificate Validation

Scope
  • Test verificiation of root level signature via path validation of a signing certificate.
Preconditions
  • Any MTI signature algorithm may be used.
  • Two certificates issued by a sample certificate authority are created, one valid, one expired.
  • The certificate must be present inside the signature of the metadata document.
  • Valid metadata signed by the key in the valid certificate is available at an http or https URL.
  • Valid metadata signed by the key in the invalid certificate is available via a different URL.
  • Appropriate configuration for the use of the URLs and verification with the issuing CA is applied.
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import and verify valid metadata

...

  • The user chooses to cancel the authentication process.
  • The user identity does not exist or the number of failed login attempts has been exceeded.
  • The user forgets his/her password and must wait for an email containing the password.
Preconditions
  • Metadata exchanged and loaded
  • Encryption disabled
  • User Identities Not Federated
Test Sequence

1. AuthnRequest from SP to IdP, Redirect Binding, Federate

...