Skip to end of metadata
  • Created by Former user, last modified by Former user on Jun 29, 2010
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 60 Next »

  • Section numbers correspond to the eGov 2.0 draft profile.

Test Case eGov2-1 - Production of IOP-compliant Metadata

Scope
  • Verify the ability to produce metadata conformant to the Metadata IOP.

IOP-conformant metadata has a different meaning from metadata intended to be evaluated in a PKIX environment, but syntactically should be identical based on the eGov profile language, so this should be sufficient to test production of metadata for both profiles.

Preconditions
  • Implementation configured sufficiently to produce metadata identifying its signing, TLS, and encryption keys.
  • Details of expected md:KeyDescriptor content available to tester
Test Sequence

1. Access published metadata

The metadata produced by the implementation is obtained.

CONFIRM: The content(s) of the md:KeyDescriptor element(s) matches the expected output.

Test Case eGov2-2 - Consumption of IOP-compliant Metadata

Testing is best accomplished with a fixed implementation to test against, as the purpose is not to test actual protocol correctness, but use of the metadata itself.

Scope
  • Verify the ability to process metadata conformant to the Metadata IOP.
  • Verify support for bare keys, self-signed, arbitrary-CA, and expired certificates.
  • Check for bypass of CRL or OCSP extensions in certificates.
  • Verify ability to match keys between different certificates
  • Verify recognition of a removed/revoked key.
  • Verify enforcement of validUntil.
Preconditions
  • Keys and certificates generated with various characteristics:
    • Self-signed, no revocation-related extensions
    • Signed by a CA, with revocation-related extensions
    • Expired
    • Multiple certificates with the same public key
Test Sequence

1. Test Bare Keys

a. Metadata is prepared for the fixed implementation containing a pair of md:KeyDescriptors both containing a ds:KeyValue containing a ds:RSAKeyValue. The fixed implementation is configured to use one of the keys for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

b. The fixed implementation is switched to use the second of the pair of keys in its metadata.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

c. The fixed implementation is switched to use a key that is NOT in its metadata.

CONFIRM: The SSO operations are unsuccessful.

2. Test Self-Signed Certificates

a. Metadata is prepared for the fixed implementation containing a pair of md:KeyDescriptors both containing a ds:X509Certificate, with the certificates self-signed. One of the certificates should be expired. The fixed implementation is configured to use one of the certificates for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

b. The fixed implementation is switched to use the second of the pair of certificates in its metadata.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

c. The fixed implementation is switched to use a different certificate that is not in the metadata but contains the same key as one that is.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

d. The fixed implementation is switched to use a certificate and key that is NOT in its metadata.

CONFIRM: The SSO operations are unsuccessful.

2. Test CA-Issued Certificates

a. Metadata is prepared for the fixed implementation containing a pair of md:KeyDescriptors both containing a ds:X509Certificate, with the certificates signed by one or more arbitrary CAs. The certificates should, if possible, include a CRL distribution point or OCSP location extension. These endpoints should not exist or be unavailable to the testing environment. The fixed implementation is configured to use one of the certificates for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata. No delays in processing occur as a result of failed attempts to contact non-existent or unavailable CRL or OCSP endpoints.

b. The fixed implementation is switched to use the second of the pair of certificates in its metadata.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

c. The fixed implementation is switched to use a different certificate that is not in the metadata but contains the same key as one that is.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

d. The fixed implementation is switched to use a key that is NOT in its metadata.

CONFIRM: The SSO operations are unsuccessful.

3. Verify Revocation and validUntil

a. Metadata is prepared for the fixed implementation containing a md:KeyDescriptor containing a key in one of the supported formats. The fixed implementation is configured to the key for signing and/or TLS purposes. The metadata is supplied to the candidate system, and one or more SSO operations is attempted. Bindings should be chosen to exercise both signature verification and TLS authentication if possible.

CONFIRM: The SSO operations are successful based on the use of the key(s) that appear in the metadata.

b. The metadata is altered to remove the md:KeyDescriptor and the candidate implementation is configured to refresh the appropriate source of metadata.

CONFIRM: The SSO operations are unsuccessful.

c. The metadata is altered to add back the md:KeyDescriptor, but a validUntil attribute is added such that the metadata is expired, and the candidate implementation is configured to refresh the appropriate source of metadata.

CONFIRM: The SSO operations are unsuccessful.

Test Case eGov2-3 - Support for "Metadata Extension for Entity Attributes" Profile

Scope
  • Test SP acceptance of SSO based on IdP metadata extension content

The proposed tag would be an attribute named "urn:oasis:names:tc:SAML:attribute:assurance-certification" and would appear as follows:

<EntityDescriptor entityID="https://idp.example.org/SAML" ... >
   <Extensions>
      <attr:EntityAttributes xmlns:attr="urn:oasis:names:tc:SAML:metadata:attribute">
        <saml:Attribute
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
          <saml:AttributeValue>
            http://foo.example.com/assurance/loa1
          </saml:AttributeValue>
        </saml:Attribute>
      </attr:EntityAttributes>
    </Extensions>
    <IDPSSODescriptor...>
      ...
    </IDPSSODescriptor>
</EntityDescriptor>
Preconditions
  • SP configured with metadata for candidate IdP containing acceptable LOA "tag".
  • SP configured with metadata for candidate IdP not containing acceptable LOA "tag".
  • SP configured to require presence of "tag" in metadata for IdPs before it will accept SSO from them.
Test Sequence

1. Verify use of acceptable IdP

SP-initiated or IdP-initiated SSO is used to produce an assertion response from the candidate IdP.

CONFIRM: SSO is successful.

2. Verify non-use of unacceptable IdP

SP-initiated or IdP-initiated SSO is used to produce an assertion response from the candidate IdP.

CONFIRM: SSO is unsuccessful based on the policy requiring the tag.

Test Case eGov2-4 - Publication

Scope
  • Publication (and maintenance) of metadata via Well-Known-Location resolution profile.
Preconditions
  • An http/https entityID defined that is suitable for dereferencing
  • Appropriate configuration of that entityID is completed
  • Multiple details of configuration are available to tester (location of a profile endpoint, a key descriptor, etc.)
  • Any pre-publishing step required is completed
Test Sequence

1. Access published metadata

The entityID is dereferenced to obtain the metadata document.

CONFIRM: The metadata is available, and correctly reflects the entityID accessed, and is returned with the correct MIME type (application/xml+samlmetadata). The configuration details expected are found in the metadata.

2. Alter metadata and republish

Alter the configuration (changing an endpoint, a key descriptor, etc.) and republish, then repeat the first test.

CONFIRM: As in (1), but also that the implementation did not require a restart or disruption of service.

Test Case eGov2-5 - Import from File

Scope
  • Metadata consumption via local file
  • Ability to detect and ignore invalid metadata
  • Support for batches (md:EntitiesDescriptor)
  • Ability to update from a changed source without disruption
  • Maintenance of valid operation after a change that renders a source invalid.
Preconditions
  • Valid metadata is available to the implementation via a local filesystem path
  • The valid metadata contains at least two md:EntityDescriptor elements inside an md:EntitiesDescriptor element
  • Invalid metadata is available to the implementation via a (different) local filesystem path
  • Appropriate configuration for the use of those paths is applied
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import valid metadata

The implementation is directed in whatever manner is required to import or make use of the valid metadata. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

CONFIRM: Operation of a defined set of SAML interactions with the metadata subject is successful based on the content of the metadata (correct endpoints used, keys used in accordance with one of the supported metadata profiles, etc.).

2. Import invalid metadata

The implementation is directed in whatever manner is required to import or make use of the invalid metadata. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

CONFIRM: Import and/or interaction with the metadata subject is unsuccessful.

3. Update valid metadata

The valid metadata is modified in some manner that is detectable via the interactions used to confirm successful import (changing an endpoint, a key descriptor, etc.), but remains valid. If the implementation requires manual intervention to recognize the change, this is done. The SAML interactions are repeated.

CONFIRM: The interactions remain successful but cognizant of the change(s). No restart or other service interruption was required to accomodate the change.

4. Update valid metadata with invalid change.

The valid metadata is modified in some manner that renders it invalid. If the implementation requires manual intervention to recognize the change, this is done. The SAML interactions are repeated.

CONFIRM: The interactions remain successful in accordance with the metadata that existed prior to the change. No restart or other service interruption was required to accomodate the change.

Test Case eGov2-6 - Import from URL

Scope
  • Metadata consumption via multiple http and https sources
  • Ability to detect and ignore invalid or unavailable metadata
  • Support for caching
  • Ability to update via a changed source without disruption
  • Maintenance of valid operation after a change that renders a source invalid.
Preconditions
  • Valid metadata is available to the implementation via at least two URLs (one http, one https)
  • Invalid metadata is available to the implementation via a different, possibly unavailable, URL
  • Appropriate configuration for the use of those URLs is applied
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import valid metadata

The implementation is directed in whatever manner is required to import or make use of the valid metadata. A set of SAML interactions is then attempted between the implementation and the metadata subjects (at least two, one for each source of metadata). A basic test of SP-initiated SSO is sufficient.

CONFIRM: Operation of a defined set of SAML interactions with the metadata subjects is successful based on the content of the metadata (correct endpoints used, keys used in accordance with one of the supported metadata profiles, etc.).

2. Import invalid metadata

The implementation is directed in whatever manner is required to import or make use of the invalid metadata source. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

CONFIRM: Import and/or interaction with the metadata subject is unsuccessful.

3. Re-import unchanged metadata

The implementation is directed in whatever manner is required to re-import/refresh the valid source of metadata, with the source maintaining the same caching indicator(s). The SAML interactions are repeated.

CONFIRM: The import resulted in no exchange of the metadata document across the network, and the interactions remain successful in accordance with the metadata that existed prior to the re-import.

4. Re-import changed metadata

The valid metadata is modified in some manner that is detectable via the interactions used to confirm successful import (changing an endpoint, a key descriptor, etc.), but remains valid. The implementation is directed in whatever manner is required to re-import/refresh the valid source of metadata. The SAML interactions are repeated.

CONFIRM: The interactions remain successful but cognizant of the change(s). No restart or other service interruption was required to accomodate the change.

5. Update valid metadata with invalid change.

The valid metadata is modified in some manner that renders it invalid. The implementation is directed in whatever manner is required to re-import/refresh the now-invalid source of metadata. The SAML interactions are repeated.

CONFIRM: The interactions remain successful in accordance with the metadata that existed prior to the change. No restart or other service interruption was required to accomodate the change.

Test Case eGov2-7 - Verification by Known Key

Scope
  • Test verification of root level signature via a known key.
Preconditions
  • Any MTI signature algorithm may be used.
  • Valid metadata signed by a known key is available at an http or https URL.
  • Valid metadata with an invalid signature is available via a different URL.
  • The key should not be present inside the signature of the metadata document.
  • Appropriate configuration for the use of the URLs and verification with the key is applied.
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import and verify valid metadata

The implementation is directed in whatever manner is required to import or make use of the valid metadata. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

CONFIRM: Operation of a defined set of SAML interactions with the metadata subject is successful based on the content of the metadata (correct endpoints used, keys used in accordance with one of the supported metadata profiles, etc.).

2. Import and (fail to) verify invalid signature

The implementation is directed in whatever manner is required to import or make use of the metadata with the invalid signature. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

CONFIRM: Import and/or interaction with the metadata subject is unsuccessful.

Test Case eGov2-8 - Verification by Certificate Validation

Scope
  • Test verificiation of root level signature via path validation of a signing certificate.
Preconditions
  • Any MTI signature algorithm may be used.
  • Two certificates issued by a sample certificate authority are created, one valid, one expired.
  • The certificate must be present inside the signature of the metadata document.
  • Valid metadata signed by the key in the valid certificate is available at an http or https URL.
  • Valid metadata signed by the key in the invalid certificate is available via a different URL.
  • Appropriate configuration for the use of the URLs and verification with the issuing CA is applied.
  • No configuration of the information supplied via metadata is in place prior to import
Test Sequence

1. Import and verify valid metadata

The implementation is directed in whatever manner is required to import or make use of the valid metadata. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

CONFIRM: Operation of a defined set of SAML interactions with the metadata subject is successful based on the content of the metadata (correct endpoints used, keys used in accordance with one of the supported metadata profiles, etc.).

2. Import and (fail to) verify invalid signature

The implementation is directed in whatever manner is required to import or make use of the metadata signed with the invalid certificate. A set of SAML interactions is then attempted between the implementation and the metadata subject. A basic test of SP-initiated SSO is sufficient.

CONFIRM: Import and/or interaction with the metadata subject is unsuccessful.

Test Case eGov2-9 - Confirm support for NameIDPolicy of 'persistent' & 'transient'

Scope:
  • Verify SP possibility to specify values of 'persistent' & 'transient' for the NameIDPolicy element in an AuthnRequest
Preconditions:
  • Metadata exchanged and imported
  • SP and IDP configured to use HTTP-Redirect binding for AuthnRequest
Test sequence:

1. Trigger SP-initiated single sign-on using the HTTP-Redirect binding, specifying at SP that the returned identifier be 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
CONFIRM: SP offers capability for specifying name identifier format of "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
2. Observe HTTP redirect parameters and decode the SAMLRequest value using the DEFLATE algorithm reversal
CONFIRM: presence of element "NameIDPolicy" with value "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" on element <samlp:AuthnRequest>

3. Authenticate to IDP using test account
4. Observe response message
CONFIRM: NameID supplied according to NameIDPolicy specified in AuthnRequest

Repeat above test sequence for 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'

Test Case eGov2-10 - IDP Discovery

Scope:
  • Verify that during web-based SSO that a SP is able to establish an IDP associated with the user.
Preconditions:
  • Exchange and import metadata for SP (including extension element for the discovery
  • No labels