Differences

en:functionaltest_sp [2017/06/15 14:43]
Wolfgang Pempe
en:functionaltest_sp [2019/04/08 09:40]
Wolfgang Pempe [Functional Tests for Service Providers]
Line 2: Line 2:
 The DFN operates two IdPs for performing functional tests in the Test Federation: ​ The DFN operates two IdPs for performing functional tests in the Test Federation: ​
 ^ DisplayName ​   ^ EntityID ​                                  ^ Remarks ​                                  ^ ^ DisplayName ​   ^ EntityID ​                                  ^ Remarks ​                                  ^
-| DFN Test-IdP 1 | https://​testidp.aai.dfn.de/​idp/​shibboleth ​ | SAML2, requires attribute query          | 
 | DFN Test-IdP 2 | https://​testidp2.aai.dfn.de/​idp/​shibboleth | SAML2, standard behaviour (attribute push) | | DFN Test-IdP 2 | https://​testidp2.aai.dfn.de/​idp/​shibboleth | SAML2, standard behaviour (attribute push) |
-**NB:** There is also an AAI Integration and Test IdP available in the production ​environment. Accounts are issued on request, please contact [[mailto:​hotline@aai.dfn.de|hotline@aai.dfn.de]].+| <​del>​DFN Test-IdP 1</​del>​ | <​del>​https://​testidp.aai.dfn.de/​idp/​shibboleth</​del> ​ | <​del>​SAML2,​ requires attribute query (for checking the SP's capability to perform attribute queries, **if needed**)</​del>​ | 
 +**NB:** There is also an AAI Integration and Test IdP available in the production ​federation. Accounts are issued on request, please contact [[mailto:​hotline@aai.dfn.de|hotline@aai.dfn.de]].
 ==== Test Accounts ==== ==== Test Accounts ====
 The following accounts are available by default: The following accounts are available by default:
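Review bot: the retired DFN Test-IdP 1 row is kept in the table as struck-through text (`<del>...</del>`) and moved below the Test-IdP 2 row, but the revision never says when or why that IdP was withdrawn, so an SP operator skimming the table can still copy `https://testidp.aai.dfn.de/idp/shibboleth` into a relying-party configuration for an IdP that no longer serves requests. Suggest replacing the struck-through row with one sentence stating that Test-IdP 1 has been decommissioned and, if the capability check it offered ("for checking the SP's capability to perform attribute queries, if needed") is still available elsewhere, naming where. The change from "production environment" to "production federation" is fine and matches the federation terminology used in the rest of the hunk.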
Line 13: Line 13:
 | test-me ​ | test     | urn:​mace:​dir:​common-lib-terms;​ urn:​something... | member@... | member with multiple entitlements | | test-me ​ | test     | urn:​mace:​dir:​common-lib-terms;​ urn:​something... | member@... | member with multiple entitlements |
 | test-ma ​ | test     | urn:​mace:​dir:​common-lib-terms | member@... ; staff@... | member with multiple affiliations | | test-ma ​ | test     | urn:​mace:​dir:​common-lib-terms | member@... ; staff@... | member with multiple affiliations |
-The primary purpose of these accounts is to test authorisation with typical content providers - in that case the user test-na is not entitled to access any protected content. ​\\ +The primary purpose of these accounts is to test authorisation with typical content providers - **in this case the user 'test-na' ​is not entitled to access any protected content**.  
-In case that further test users are required, providing more specific ​attribute profiles, please contact [[mailto:​hotline@aai.dfn.de|hotline@aai.dfn.de]]. + 
-==== Attribute-based Authorization ==== +**If more and/or other attributes ​are required ​to access and use a specific ​Service, please contact [[mailto:​hotline@aai.dfn.de|hotline@aai.dfn.de]]. Further test accounts are available on request
-**Important:​** At many Home Organizations (not only in Germany), there are also users registered with the identity ​Management System (and therefore able to login to the IdP) that are not members of the respective Institution in a strict sense, like guests, cooperation partners, almuni etc. \\ +**==== Attribute-based Authorization ==== 
-In the overwhelming majority of cases, a service (respectively a Service Provider) is supposed to be available only for a subset of the users at a Home Organization. For this reason, a successful authentication at the home IdP is usually not sufficient for granting access to a protected resource! Rather, the authorization decision must be made by means of the user attributes released by the IdP. Which attributes (and attributevalues are appropriate,​ depends on the type and implementation of the respective ​service. If you have any questions, please contact the [[https://​www.aai.dfn.de/​kontakt/​|DFN-AAI Helpdesk]].+**Important:​** At many Home Organizations (not only in Germany), there are also users registered with the Identity ​Management System (and therefore able to login to the IdP) that are not members of the respective Institution in a strict sense, like guests, cooperation partners, almuni etc. \\ 
 +In the overwhelming majority of cases, a service (respectively a Service Provider) is supposed to be available only for a subset of the users affiliated with a Home Organization. For this reason, a successful authentication at the home IdP is usually not sufficient for granting access to a protected resource! Rather, the authorization decision must be made by means of the user attributes released by the IdP. Which attributes (and attribute valuesare appropriate ​for this purpose, depends on the type and implementation of the service ​/ Service Provider. If you have any questions, please contact the [[https://​www.aai.dfn.de/​kontakt/​|DFN-AAI Helpdesk]]. ​ 
 + 
 +See also the comprehensive documentation on [[https://​www.switch.ch/​aai/​guides/​sp/​access-rules/​|implementing access control with Shibboleth SP]] provided by SWITCHaai. 
 + 
 +**Next step:** [[en:​production|Production Environment]]
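Review bot: the closing `**` of the bolded sentence that opens `**If more and/or other attributes are required` has landed at the start of the following line, producing `**==== Attribute-based Authorization ====`; DokuWiki only treats a line as a heading when it begins with `=`, so that heading will stop rendering as a section header and the bold will run on into the next paragraph. Move the `**` to the end of the sentence (`... available on request.**`) and leave the heading line as `==== Attribute-based Authorization ====`. Smaller points in the same hunk: `(and attribute valuesare appropriate for this purpose,` has lost its closing parenthesis and a space (`(and attribute values) are appropriate`), `almuni` should read `alumni`, and `Further test accounts are available on request` has no full stop. The substantive change reads correctly: bolding that 'test-na' must not be granted access, and keeping the statement that a successful authentication at the home IdP is not sufficient and that the authorization decision has to be made on the attributes released, is the right emphasis for SP operators. The entitlement and affiliation columns shown for test-me and test-ma above are exactly the attribute values an operator needs when verifying that the SP's access rules admit those accounts and deny test-na, so they should stay next to this text.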