
SAML Customer Testing Checklist

Article Number : KB0017626
Published on : 2021-09-09
Last modified : 2021-09-09 14:34:39
Knowledge Base : IT Public Self Help

After you have installed and configured a SAML service provider on your system, please perform the following tests to confirm successful implementation. We also recommend that you complete a round of your standard application functional testing to ensure that all elements of your application are working as expected.


Terms to know:

  • Security Assertion Markup Language (SAML) - The XML-based communication protocol used to provide centralized authentication.
  • Service Provider (SP) - The application that you are testing, which delegates authentication to the Enterprise Authentication service.
  • Identity Provider (IdP) - The application that provides authentication; in this case, the Enterprise Authentication service.


Note: Your SP may not implement log out functionality. The reasons for this are documented at KB0017620: Identity Provider and Service Provider Single Log Out. Please keep this in mind as you test log out functionality below.


Basic Tests

The tests in this section should be run on all SAML-protected systems at initial implementation and after system upgrades or SAML configuration changes.

Function: UT EID Protection

Test Cases

  • Confirm that protected resources require UT EID authentication.
  • Confirm that unauthenticated protected resource retrieval attempts result in redirection to the sign in page.
  • Confirm that post-authentication redirection takes the user to the requested resource.

Test Steps

  1. Navigate to a protected resource on your server.
  2. Confirm that you are redirected to the Enterprise Authentication sign in page.
  3. Sign in with a valid UT EID and password.
  4. Confirm that you are redirected to the resource you requested in step 1.

Function: Unprotected Resources

Test Case

  • Confirm that unprotected resources can be accessed without UT EID authentication.

Test Steps

  1. Log out of both the SP and the IdP (see below).
  2. Navigate to an unprotected resource on your server.
  3. Confirm that you are not redirected to the Enterprise Authentication sign in page.
  4. Confirm that you are able to access the resource you requested in step 2.
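The unauthenticated parts of the two functions above (protected resources redirect to sign in, unprotected resources do not) can be scripted for regression runs after upgrades or configuration changes. The following is an added example, not part of the original checklist. It assumes the SP answers a cookie-less request with a single HTTP redirect straight to the IdP, and the host names and paths are placeholders.

```python
import http.client
from urllib.parse import urlsplit

IDP_HOST = "idp.example.edu"  # assumed placeholder for the IdP sign-in host

def fetch(url, timeout=10):
    """GET url with no cookies and without following redirects."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def sent_to_idp(status, location, idp_host=IDP_HOST):
    """True only for a 3xx whose Location host is exactly the IdP host."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    return (urlsplit(location).hostname or "").lower() == idp_host.lower()

def run_checklist(targets, fetcher=fetch, idp_host=IDP_HOST):
    """targets: {url: expect_protected}. Returns a list of failure strings."""
    failures = []
    for url, expect_protected in targets.items():
        status, location = fetcher(url)
        redirected = sent_to_idp(status, location, idp_host)
        if expect_protected and not redirected:
            failures.append(f"{url}: protected but got {status} -> {location}")
        elif not expect_protected and (redirected or status != 200):
            failures.append(f"{url}: public but got {status} -> {location}")
    return failures

# Constructed sample responses so the logic can be exercised offline.
SAMPLE = {
    "https://app.example.edu/private": (302, "https://idp.example.edu/sso?SAMLRequest=x"),
    "https://app.example.edu/public": (200, None),
    "https://app.example.edu/admin": (200, None),  # misconfigured: served without sign-in
}
```

Against a live SP, call `run_checklist` with your own URLs and the default `fetch`. The sign-in, post-authentication redirection, and log out steps still need a browser session.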

Function: Logout

Test Case

  • Confirm that the SP correctly ends both the local session and IdP session upon log out.

Test Steps

  1. Navigate to a protected resource on your server.
  2. If redirected to the Enterprise Authentication sign in page, sign in with a valid UT EID and password.
  3. Log out of your SP.
  4. Navigate to a protected resource on your server.
  5. Confirm that you are redirected to the Enterprise Authentication sign in page.

Common Variations

Variation: Applications Using SAML Attributes

The tests in this section should be run on applications that retrieve attributes from a SAML response and act on them in a way that can be tested. These tests should be conducted at initial implementation of SAML authentication and after system upgrades or SAML configuration changes.

Function: Attribute Retrieval

Test Case

  • Confirm that attributes from the IdP are successfully retrieved.

Test Steps

  1. Log out of the SP and IdP.
  2. Navigate to a protected resource within your application.
  3. Confirm that you are redirected to the IdP sign in page.
  4. Sign in with a valid UT EID for which pertinent attribute values are known.
  5. Confirm that the SP application behaves in a way that is consistent with the expected attribute values.

Function: Logout and Login as a Different User

Test Case

  • Confirm that applications respect user changes.

Test Steps

  1. Navigate to a protected resource on your server, within your application.
  2. If redirected to the IdP sign in page, sign in with a valid UT EID and password.
  3. Open your application in a new tab in the same browser.
  4. Log out of the SP and IdP.
  5. Confirm that you are redirected to the IdP log out page.
  6. Navigate to the protected resource from step 1.
  7. Sign in as a different user.
  8. Return to the previously opened tab.
  9. Reload the page.
  10. Confirm that the user has changed within the application.

Variation: SP Authorizations

The tests in this section should be run on SAML-protected applications that restrict access to certain groups of users, rather than all EID holders. It is your responsibility to block unauthorized users from accessing your application.

Function: Access Control

Test Case

  • Confirm that SP resources are restricted to authorized users.

Test Steps

  1. Log out of the IdP and SP.
  2. Navigate to a protected resource in the SP application.
  3. When redirected to the Enterprise Authentication sign in page, sign in with a valid UT EID that has no special privileges within your system, and the corresponding password.
  4. Confirm that you are UNABLE to access the protected resource.

