From Fedora Project Wiki

Revision as of 03:23, 12 March 2015 by Nkinder (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


SAML login/logout testing.


  1. The IDP and both SPs need to be installed

How to test

Verify the basics

For starters we need to configure the browser to work with the IPA CA and configure it to work with Kerberos. If you have already done this when setting up the IDP and testing Kerberos authentication, you can skip this step.

In the browser, hit the web UI of the IPA server at and follow the steps.

The SP's will be configured with a non-IPA SSL certificate so you'll get a warning dialog the first time you hit the page. Go ahead and add an exception.

Forms-based login

You will want to open a shell/console window to test this. You'll want to execute these as the user you started Firefox as.

Ensure you have no Kerberos credentials:

$ kdestroy -A

Bring up your Firefox window and in the upper-right select admin->Logout if you are still logged into the IDP.

Go the protected site you just created on the SP,

You should be prompted with a login form.

User the user and password that was created during the IPA installation, ttest.

Once you've authenticated you should see a success page and a Logout link. If you see only a page with a Logout link this is a known issu, you should be redirected back to the SP, so let's go there manually. Go back to

You should get the welcome page.

Click Logout

Go back to the SP page, and you should be redirected for login again.

Kerberos-based login

Now we will try login using Kerberos authentication.

Go to a shell and run:

$ kinit ttest

Go to (or hit reload)

You may see a quick redirect to the IDP, then a return to the SP, and the welcome page displayed. If so then success!

Click Logout

If you click login again it should once again quickly redirect to the IDP and drop you back on the SP.

Single-Sign On

Single sign-on is best demonstrated using the forms-based login (because with Kerberos you could arguably just be re-authenticated and as an end-user there is no way to know whether Kerberos authenticated you or the IDP). Let us destroy the Kerberos ticket.

$ kdestroy -A

Go to your SP, and you will be redirected to the IDP. Authenticate and hopefully you'll be redirected back, if not surf back to the secure page on the SP. You should see the welcome page.

Now bring up another tab or window and access the secure page on the second SP you configured, You should be presented with the welcome page without having to provide credentials. Welcome to federated Single-Sign on (SSO).

Single Logout

The inverse of SSO is Single Logout (SLO). In this test we'll log out of one SP and this should log you out of both.

On either SP select the Logout link.

Switch to the other tab/window and refresh the secured page, https://sp[2] You should be redirected to the login form. If so then success!

You can try logging back into both SP's and log out of the other SP this time. The order of login/logout shouldn't make a difference (if it does then it's a bug).

If things go horribly wrong

If you end up in a weird state where the SPs will not let you log out by throwing a 400 Bad Request (or Internal Server Error) you can try clearing all cookies in the browser via Edit -> Preferences -> Privacy -> remove individual cookies -> Remove all cookies

Expected Results

All the test steps should end with the specified results.