Differences

This shows you the differences between two versions of the page.

en:functionaltest_sp [2022/05/17 12:29] – [Test Accounts] added newer test accounts Silke Meyer
en:functionaltest_sp [2022/05/17 12:33] – [Test Accounts] added link to attributes best practice Silke Meyer
Line 15: Line 15:
 |test-all |test  |only if required in SP metadata|only if required in SP metadata|all attributes that the SP requires in its metadata| |test-all |test  |only if required in SP metadata|only if required in SP metadata|all attributes that the SP requires in its metadata|
 |test-special-charactrers1, test-special-charactrers2, test-special-charactrers3 |test |only if required in SP metadata|only if required in SP metadata|givenName and sn contain special characters, all attributes that the SP requires in its metadata| |test-special-charactrers1, test-special-charactrers2, test-special-charactrers3 |test |only if required in SP metadata|only if required in SP metadata|givenName and sn contain special characters, all attributes that the SP requires in its metadata|
-|test-multi-mail |test  |only if required in SP metadata|only if required in SP metadata|multiple values in e-mail attribute, all attributes that the SP requires in its metadata|+|test-multi-mail |test  |only if required in SP metadata|only if required in SP metadata|multiple values in e-mail attribute (do not use ''mail'' as an identifier, see [[en:aai:attributes_best_practice|Best Practice]]), all attributes that the SP requires in its metadata|
  
 The primary purpose of these accounts is to test authorisation with typical content providers - **in this case the user 'test-na' is not entitled to access any protected content**.  The primary purpose of these accounts is to test authorisation with typical content providers - **in this case the user 'test-na' is not entitled to access any protected content**. 
  
-**If more and/or other attributes are required to access and use a specific Service, please contact [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]]. Further test accounts are available on request. +If more and/or other attributes are required to access and use a specific Service, please contact [[mailto:hotline@aai.dfn.de|hotline@aai.dfn.de]]. Further test accounts are available on request. 
-* + 
-*==== Attribute-based Authorization ====+==== Attribute-based Authorization ====
 **Important:** At many Home Organizations (not only in Germany), there are also users registered with the Identity Management System (and therefore able to login to the IdP) that are not members of the respective Institution in a strict sense, like guests, cooperation partners, almuni etc. \\ **Important:** At many Home Organizations (not only in Germany), there are also users registered with the Identity Management System (and therefore able to login to the IdP) that are not members of the respective Institution in a strict sense, like guests, cooperation partners, almuni etc. \\
 In the overwhelming majority of cases, a service (respectively a Service Provider) is supposed to be available only for a subset of the users affiliated with a Home Organization. For this reason, a successful authentication at the home IdP is usually not sufficient for granting access to a protected resource! Rather, the authorization decision must be made by means of the user attributes released by the IdP. Which attributes (and attribute values) are appropriate for this purpose, depends on the type and implementation of the service / Service Provider. If you have any questions, please contact the [[https://www.aai.dfn.de/kontakt/|DFN-AAI Helpdesk]].  In the overwhelming majority of cases, a service (respectively a Service Provider) is supposed to be available only for a subset of the users affiliated with a Home Organization. For this reason, a successful authentication at the home IdP is usually not sufficient for granting access to a protected resource! Rather, the authorization decision must be made by means of the user attributes released by the IdP. Which attributes (and attribute values) are appropriate for this purpose, depends on the type and implementation of the service / Service Provider. If you have any questions, please contact the [[https://www.aai.dfn.de/kontakt/|DFN-AAI Helpdesk]]. 
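Review bot: In the test-multi-mail row, the new parenthetical "(do not use ''mail'' as an identifier, see [[en:aai:attributes_best_practice|Best Practice]])" is wedged between two items of the attribute list in the last cell, so an SP operator skimming the table can miss it, and it reads as if the advice applied only to this one test account. Consider moving it to its own sentence below the table, giving the reason the row itself already demonstrates (the e-mail attribute can carry multiple values), and keeping the Best Practice link there. The same revision also drops the stray "**" and "*" markers around the hotline paragraph and the "Attribute-based Authorization" heading, which the summary "added link to attributes best practice" does not mention. The unchanged context line under that heading still has "almuni" for "alumni" and could be fixed in the same pass.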
  • Last modified: 23 months ago