Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
Last revision Both sides next revision
en:functionaltest_sp [2017/06/15 14:16]
Wolfgang Pempe created
en:functionaltest_sp [2019/04/08 09:39]
Wolfgang Pempe [Functional Tests for Service Providers]
Line 1: Line 1:
 ====== Functional Tests for Service Providers ====== ====== Functional Tests for Service Providers ======
-There are two IdPs available in the test federation for performing functional tests: +The DFN operates two IdPs for performing functional tests in the Test Federation
 ^ DisplayName    ^ EntityID                                   ^ Remarks                                   ^ ^ DisplayName    ^ EntityID                                   ^ Remarks                                   ^
-| DFN Test-IdP 1 | https://testidp.aai.dfn.de/idp/shibboleth  | SAML2, requires attribute query          | 
 | DFN Test-IdP 2 | https://testidp2.aai.dfn.de/idp/shibboleth | SAML2, standard behaviour (attribute push) | | DFN Test-IdP 2 | https://testidp2.aai.dfn.de/idp/shibboleth | SAML2, standard behaviour (attribute push) |
 +<del>| DFN Test-IdP 1 | https://testidp.aai.dfn.de/idp/shibboleth  | SAML2, requires attribute query (for checking the SP's capability to perform attribute queries, **if needed**) |</del>
 +**NB:** There is also an AAI Integration and Test IdP available in the production federation. Accounts are issued on request, please contact [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]].
 ==== Test Accounts ==== ==== Test Accounts ====
 The following accounts are available by default: The following accounts are available by default:
Line 12: Line 13:
 | test-me  | test     | urn:mace:dir:common-lib-terms; urn:something... | member@... | member with multiple entitlements | | test-me  | test     | urn:mace:dir:common-lib-terms; urn:something... | member@... | member with multiple entitlements |
 | test-ma  | test     | urn:mace:dir:common-lib-terms | member@... ; staff@... | member with multiple affiliations | | test-ma  | test     | urn:mace:dir:common-lib-terms | member@... ; staff@... | member with multiple affiliations |
-The primary purpose of these accounts is to test authorisation with typical content providers - in that case the user test-na is not entitled to access any protected content. \\ +The primary purpose of these accounts is to test authorisation with typical content providers - **in this case the user 'test-nais not entitled to access any protected content**.  
-In case that further test users are required that provide more specific attribute profile, please contact [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]]. + 
-==== Attribute-based Authorization ==== +**If more and/or other attributes are required to access and use a specific Service, please contact [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]]. Further test accounts are available on request
-**Important:** An vielen Heimateinrichtungen (nicht nur in Deutschlandsind auch Nutzerinnen im jeweiligen Identity Management System registriert, bei denen es sich nicht um Hochschulangehörige im engeren Sinne handelt (-> Landeshochschulgesetz), sondern z.B. um GästeKoperationspartnerAlumni etc. \\ +**==== Attribute-based Authorization ==== 
-In aller Regel steht ein Dienst bzw. Service Provider nur einer Teilmenge der an einer Einrichtung registrierten NutzerInnen zur VerfügungDaher darf ein erfolgreicher Login am IdP der betreffenden Einrichtung nicht als alleiniges Kriterium für den Zugriff auf einen Dienst gewertet werden. Vielmehr muss eine Autorisierungsentscheidung anhand der vom IdP übertragenen Attribute getroffen werdenWelche Attribute hierfür in Frage kommenhängt von der Art und der Implementierung des jeweiligen Dienstes ab. If you have any questions, please contact the [[https://www.aai.dfn.de/kontakt/|DFN-AAI Helpdesk]].+**Important:** At many Home Organizations (not only in Germany), there are also users registered with the Identity Management System (and therefore able to login to the IdPthat are not members of the respective Institution in a strict senselike guestscooperation partnersalmuni etc. \\ 
 +In the overwhelming majority of cases, a service (respectively a Service Provider) is supposed to be available only for a subset of the users affiliated with a Home OrganizationFor this reason, a successful authentication at the home IdP is usually not sufficient for granting access to a protected resource! Rather, the authorization decision must be made by means of the user attributes released by the IdP. Which attributes (and attribute values) are appropriate for this purposedepends on the type and implementation of the service / Service Provider. If you have any questions, please contact the [[https://www.aai.dfn.de/kontakt/|DFN-AAI Helpdesk]].  
 + 
 +See also the comprehensive documentation on [[https://www.switch.ch/aai/guides/sp/access-rules/|implementing access control with Shibboleth SP]] provided by SWITCHaai. 
 + 
 +**Next step:** [[en:production|Production Environment]]
  • Last modified: 20 months ago