...

  1. Evaluate the use of back-channel protocols on your production IdP with an eye towards eliminating unused protocols and endpoints. Phase out seldom-used protocols if possible. An optimally configured IdP will support SAML2 on the front channel only.
  2. Deploy a test IdP. Configure this test IdP to be nearly identical to your production IdP (same entityID, same metadata sources, same attribute release policy, etc.). There are at least two deployment options:
    1. Deploy the test IdP on the same host. In this case, the endpoint locations of the test IdP will have the same hostname but a different path. This is perhaps the simplest option, since the production IdP and the test IdP can then easily share the same signing key. (In this scenario, the test IdP is really an extension of the production IdP environment.)
    2. Deploy the test IdP on a different host. In this case, the endpoint locations will have a different hostname but the same path as the production IdP. One option is to copy the production signing key onto the new host (without exposing that key, of course). Another option is to use a new signing key (which should be no less secure than the production signing key). The certificate corresponding to this new signing key may be added to the production IdP's entity descriptor in metadata so that there are two certificates in metadata, one for the production IdP and one for the test IdP.
  3. Using IdP-initiated SSO on the test IdP, systematically push SAML2 assertions to endpoints at select partner SPs.
  4. Install a 3rd-party extension on the test IdP. The extension allows you to change the signature/digest algorithm that the IdP uses to sign assertions. Configure the test IdP to sign assertions using the SHA-256 digest algorithm.
  5. Repeat step 3. This round of testing may uncover SPs that are not compatible with the SHA-256 digest algorithm.
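Added example, not from the wiki page: a Python check to run during steps 3 and 5 over a SAML Response captured at the SP side. It reports which signature and digest algorithms each ds:Signature actually carries, so SP failures can be sorted into "rejects SHA-256" versus unrelated causes. The sample Response is constructed (no real signature values); the algorithm URIs are the standard XML Signature / RFC 4051 identifiers.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm identifiers from XML Signature (W3C) and RFC 4051.
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1",
             "http://www.w3.org/2000/09/xmldsig#rsa-sha1"}
SHA256_ALGS = {"http://www.w3.org/2001/04/xmlenc#sha256",
               "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}


def classify(alg):
    """Map an algorithm URI to 'sha1', 'sha256' or 'other'."""
    return "sha1" if alg in SHA1_ALGS else "sha256" if alg in SHA256_ALGS else "other"


def signature_report(saml_xml):
    """One dict per ds:Signature: which element it signs, the SignatureMethod, the
    DigestMethod(s), and a verdict that is 'sha1' if any component still uses SHA-1."""
    root = ET.fromstring(saml_xml)
    parent = {child: elem for elem in root.iter() for child in elem}  # ET has no parent links
    report = []
    for sig in root.iter(DS + "Signature"):
        sig_alg = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod").get("Algorithm")
        digest_algs = [d.get("Algorithm") for d in sig.iter(DS + "DigestMethod")]
        kinds = {classify(a) for a in [sig_alg, *digest_algs]}
        verdict = "sha1" if "sha1" in kinds else "sha256" if kinds == {"sha256"} else "other"
        report.append({"signs": parent[sig].tag.split("}")[1], "signature_method": sig_alg,
                       "digest_methods": digest_algs, "verdict": verdict})
    return report


# Constructed sample (not a real IdP capture): the assertion is SHA-256 signed, as the
# test IdP would produce after step 4, while the enclosing Response still uses SHA-1.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for entry in signature_report(SAMPLE):
        print(f"{entry['signs']:10} {entry['verdict']:7} {entry['signature_method']}")
```

A Response whose outer signature is still SHA-1 while the assertion is SHA-256 is exactly the mixed state that can confuse testing: an SP that rejects SHA-1 fails even though the assertion itself passed step 4.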

...