From Fedora Project Wiki

Latest revision as of 03:23, 12 March 2015

Description

SAML login/logout testing.

Setup

  1. The IDP and both SPs need to be installed

How to test

Verify the basics

For starters we need to configure the browser to work with the IPA CA and configure it to work with Kerberos. If you have already done this when setting up the IDP and testing Kerberos authentication, you can skip this step.

In the browser, hit the web UI of the IPA server at http://idp.example.com/ipa/config/browserconfig.html and follow the steps.

The SPs are configured with a non-IPA SSL certificate, so you will get a certificate warning the first time you hit the page. Go ahead and add an exception. This is acceptable only for the test setup; a production SP should present a certificate that chains to a CA the browser already trusts.

Forms-based login

Open a shell/console window to run the commands below. Run them as the same user you started Firefox as, so that kinit and the browser share the same Kerberos credential cache.

Ensure you have no Kerberos credentials:

$ kdestroy -A

Bring up your Firefox window and, in the upper right, select admin->Logout if you are still logged into the IDP.

Go to the protected site you just created on the SP, https://sp.example.com/sp/

You should be prompted with a login form.

Use the user and password that were created during the IPA installation, ttest.

Once you've authenticated you should see a success page and a Logout link. If you see only a page with a Logout link, this is a known issue: you should have been redirected back to the SP, so go there manually. Go back to https://sp.example.com/sp/

You should get the welcome page.

Click Logout

Go back to the SP page, https://sp.example.com/sp/ and you should be redirected for login again.

Kerberos-based login

Now we will try login using Kerberos authentication.

Go to a shell and run:

$ kinit ttest

Go to https://sp.example.com/sp/ (or hit reload)

You may see a quick redirect to the IDP, then a return to the SP, and the welcome page displayed. If so then success!

Click Logout

If you click login again it should once again quickly redirect to the IDP and drop you back on the SP.

Single-Sign On

Single sign-on is best demonstrated using the forms-based login (because with Kerberos you could arguably just be re-authenticated and as an end-user there is no way to know whether Kerberos authenticated you or the IDP). Let us destroy the Kerberos ticket.

$ kdestroy -A

Go to your SP, https://sp.example.com/sp/, and you will be redirected to the IDP. Authenticate and you should be redirected back; if not, browse back to the secure page on the SP. You should see the welcome page.

Now bring up another tab or window and access the secure page on the second SP you configured, https://sp2.example.com/sp/. You should be presented with the welcome page without having to provide credentials. Welcome to federated single sign-on (SSO).

Single Logout

The inverse of SSO is Single Logout (SLO). In this test we'll log out of one SP and this should log you out of both.

On either SP select the Logout link.

Switch to the other tab/window and refresh its secured page (https://sp.example.com/sp/ or https://sp2.example.com/sp/, whichever one you did not log out from). You should be redirected to the login form. If so then success!

You can try logging back into both SPs and logging out of the other SP this time. The order of login/logout shouldn't make a difference (if it does then it's a bug).
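Behind the redirects in the forms-based login and Single Logout tests, the SP sends the IDP a SAML AuthnRequest (login) or LogoutRequest (SLO) deflated and base64-encoded in the SAMLRequest query parameter of the redirect URL (the HTTP-Redirect binding). When a step does not behave as described, the quickest diagnostic is to copy the redirect URL from the browser's network panel and decode that parameter to see which SP issued it, what it asked for and where it was sent. The following is an added example written for this page; it is not code from the Fedora wiki, Ipsilon or mod_auth_mellon. The endpoint paths, entity IDs, message IDs and sample messages in it are assumptions chosen to match the hostnames used in the test steps.

```python
"""Decode and sanity-check the SAMLRequest carried on an SP -> IdP redirect.

Added example for this test case; not code from the Fedora wiki, Ipsilon or
mod_auth_mellon. Endpoint paths, entity IDs and message IDs are assumptions
chosen to match the hostnames used in the test steps."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed endpoints and entity IDs for the three hosts used in the test.
IDP_SSO = "https://idp.example.com/idp/saml2/SSO/Redirect"
IDP_SLO = "https://idp.example.com/idp/saml2/SLO/Redirect"
KNOWN_SPS = {"https://sp.example.com/saml2/metadata",
             "https://sp2.example.com/saml2/metadata"}


def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(value):
    """Inverse of encode_redirect(); raises on input that is not deflated text."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def build_redirect_url(endpoint, xml_text, relay_state=None):
    """What the SP puts in its Location header (unsigned, for brevity)."""
    query = {"SAMLRequest": encode_redirect(xml_text)}
    if relay_state is not None:
        query["RelayState"] = relay_state
    return endpoint + "?" + urlencode(query)


def inspect_redirect_url(url):
    """Summarise the SAML message found in a redirect URL's query string."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)          # also undoes the %-encoding of the base64
    if "SAMLRequest" not in qs:
        raise ValueError("no SAMLRequest parameter in URL")
    root = ET.fromstring(decode_redirect(qs["SAMLRequest"][0]))
    issuer = root.find("{%s}Issuer" % SAML)
    session = root.find("{%s}SessionIndex" % SAMLP)
    return {
        "type": root.tag.split("}", 1)[1],      # AuthnRequest or LogoutRequest
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "id": root.get("ID"),
        "session_index": session.text if session is not None else None,
        "relay_state": qs.get("RelayState", [None])[0],
        "endpoint": "%s://%s%s" % (parts.scheme, parts.netloc, parts.path),
    }


def check_message(summary):
    """Return a list of problems; an empty list means the redirect looks right."""
    problems = []
    if summary["issuer"] not in KNOWN_SPS:
        problems.append("issuer %r is not one of the configured SPs" % summary["issuer"])
    expected = {"AuthnRequest": IDP_SSO, "LogoutRequest": IDP_SLO}.get(summary["type"])
    if expected is None:
        problems.append("unexpected message type %r" % summary["type"])
    elif summary["destination"] != expected or summary["endpoint"] != expected:
        problems.append("%s was not sent to %s" % (summary["type"], expected))
    if summary["type"] == "LogoutRequest" and not summary["session_index"]:
        problems.append("LogoutRequest has no SessionIndex, so it would end every "
                        "IdP session of the principal, not just this SP's")
    return problems


# Constructed samples of the two messages the test steps trigger.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_authn1" '
    'Version="2.0" IssueInstant="2015-03-12T03:23:00Z" Destination="%s" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml2/postResponse">'
    '<saml:Issuer>https://sp.example.com/saml2/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>' % (SAMLP, SAML, IDP_SSO))
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_logout1" '
    'Version="2.0" IssueInstant="2015-03-12T03:25:00Z" Destination="%s">'
    '<saml:Issuer>https://sp2.example.com/saml2/metadata</saml:Issuer>'
    '<saml:NameID>ttest</saml:NameID>'
    '<samlp:SessionIndex>_sess1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>' % (SAMLP, SAML, IDP_SLO))

if __name__ == "__main__":
    for endpoint, xml_text in ((IDP_SSO, AUTHN_REQUEST), (IDP_SLO, LOGOUT_REQUEST)):
        summary = inspect_redirect_url(
            build_redirect_url(endpoint, xml_text, "https://sp.example.com/sp/"))
        print(summary["type"], "from", summary["issuer"], "->", summary["destination"])
        print("  problems:", check_message(summary) or "none")
```

To use it against the real setup, paste the Location header (or the IDP URL you landed on) into inspect_redirect_url(). It deliberately does not verify the Signature/SigAlg parameters a signed redirect carries; that check belongs to the IDP, and the point here is to see what the SP asked for when a login or logout step lands on the wrong page or returns 400.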

If things go horribly wrong

If you end up in a weird state where the SPs will not let you log out, throwing a 400 Bad Request (or Internal Server Error), you can try clearing all cookies in the browser via Edit -> Preferences -> Privacy -> remove individual cookies -> Remove all cookies. This discards both the SP and the IDP session cookies, so the next visit starts from a clean SAML session.

Expected Results

All the test steps should end with the specified results.