Child pages
  • Test IdPs in Metadata

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

  1. Optimize the production IdP. Evaluate the use of back-channel protocols on your production IdP with an eye towards eliminating unused protocols and endpoints. Phase out seldom-used protocols if possible. An optimally configured IdP will support SAML2 on the front channel only.
  2. Deploy a test IdP. Configure this test IdP to be nearly identical to your production IdP (same entityID, same metadata sources, same attribute release policy, etc.). {div:style=}{
    Wiki Markup
    Div
    stylemargin-top:1.5ex;
    Note
    }

    Your

    test

    IdP

    should

    have

    _

    the

    same

    entityID

    _

    as

    your

    production

    IdP

    so

    that

    the

    two

    are

    indistinguishable

    by

    relying

    parties

    (such

    that

    the

    two

    really

    are

    *

    one

    logical

    IdP

    *

    ).

    Consequently,

    a

    single

    entity

    descriptor

    in

    metadata

    is

    sufficient

    to

    describe

    both

    IdPs.

    Any

    SP

    that

    consumes

    that

    metadata

    will

    interoperate

    with

    either

    your

    test

    IdP

    or

    your

    production

    IdP.

    {note}{div}

    There are at least two deployment options:
    1. Deploy the test IdP on the same host. In this case, the endpoint locations of the test IdP will have the same hostname but a different path. This is perhaps the simplest option since then the production IdP and the test IdP can easily share the same signing key. (In this scenario, the test IdP is really an extension of the production IdP environment.)
    2. Deploy the test IdP on a different host. In this case, the endpoint locations will have a different hostname but the same path as the production IdP. One option is to copy the production signing key onto the new host (without exposing that key of course). Another option is to use a new signing key (which should be no less secure than the production signing key). The certificate corresponding to this new signing key may be added to the IdP's entity descriptor in metadata so that there are two certificates in metadata, one for the production IdP and one for the test IdP.
  3. Exercise the test IdP. There are at least two test scenarios depending on how the test IdP is deployed:
    1. Using IdP-initiated SSO on the test IdP, systematically push SAML2 assertions to endpoints at select partner SPs.
    2. If the test IdP is deployed on a different host, map the IdP domain name (in metadata) to the IP address of the test IdP using /etc/hosts on a client machine. Using SP-initiated SSO, systematically test select partner SPs using the client machine.