SAML login/logout testing.
- The IDP and both SPs need to be installed
How to test
Verify the basics
For starters we need to configure the browser to work with the IPA CA and configure it to work with Kerberos. If you have already done this when setting up the IDP and testing Kerberos authentication, you can skip this step.
In the browser, hit the web UI of the IPA server at http://idp.example.com/ipa/config/browserconfig.html and follow the steps.
The SP's will be configured with a non-IPA SSL certificate so you'll get a warning dialog the first time you hit the page. Go ahead and add an exception.
You will want to open a shell/console window to test this. You'll want to execute these as the user you started Firefox as.
Ensure you have no Kerberos credentials:
$ kdestroy -A
Bring up your Firefox window and in the upper-right select admin->Logout if you are still logged into the IDP.
Go the protected site you just created on the SP, https://sp.example.com/sp
You should be prompted with a login form.
User the user and password that was created during the IPA installation, ttest.
Once you've authenticated you should see a success page and a Logout link. If you see only a page with a Logout link this is a known issu, you should be redirected back to the SP, so let's go there manually. Go back to https://sp.example.com/sp/
You should get the welcome page.
Go back to the SP page, https://sp.example.com/sp/ and you should be redirected for login again.
Now we will try login using Kerberos authentication.
Go to a shell and run:
$ kinit ttest
Go to https://sp.example.com/sp/ (or hit reload)
You may see a quick redirect to the IDP, then a return to the SP, and the welcome page displayed. If so then success!
If you click login again it should once again quickly redirect to the IDP and drop you back on the SP.
Single sign-on is best demonstrated using the forms-based login (because with Kerberos you could arguably just be re-authenticated and as an end-user there is no way to know whether Kerberos authenticated you or the IDP). Let us destroy the Kerberos ticket.
$ kdestroy -A
Go to your SP, https://sp.example.com/sp/ and you will be redirected to the IDP. Authenticate and hopefully you'll be redirected back, if not surf back to the secure page on the SP. You should see the welcome page.
Now bring up another tab or window and access the secure page on the second SP you configured, https://sp2.example.com/sp/. You should be presented with the welcome page without having to provide credentials. Welcome to federated Single-Sign on (SSO).
The inverse of SSO is Single Logout (SLO). In this test we'll log out of one SP and this should log you out of both.
On either SP select the Logout link.
Switch to the other tab/window and refresh the secured page, https://sp.example.com/sp/. You should be redirected to the login form. If so then success!
You can try logging back into both SP's and log out of the other SP this time. The order of login/logout shouldn't make a difference (if it does then it's a bug).
If things go horribly wrong
If you end up in a weird state where the SPs will not let you log out by throwing a 400 Bad Request (or Internal Server Error) you can try clearing all cookies in the browser via Edit -> Preferences -> Privacy -> remove individual cookies -> Remove all cookies
All the test steps should end with the specified results.