TF-OpenSpace – Session 4, room yellow. 12 February 2014.
Lead by: Lukas (SWITCH)
Attendees: Stefan, Janne, Maja, Tomasz, Peter, Blaz, Guido, Wolfgang, Lukas, Olivier, Christos, Paul, Brook, Ken, Roland, Ann, Thomas, Nicole, Klaas.
Notes: Brook Schofield
- Test IdP for eduGAIN/Federations.
Lukas provided background on why we should explore this topic.
Peter doesn’t believe that problem exists because you’re only testing the interaction of an IdP and an SP and this doesn’t change if the connection between IdP/SP is via metadata broker or not.
Thomas clarified that the SP wants to test interoperability in various situations, such as:
- IdP doesn’t provide attributes
- IdP only provides “ePTID” and nothing else
- IdP provides the wrong affiliation
SP operator/owner/tester would create various identities that simulate all the options for testing purposes.
This IdP "service" would need a range of accounts that could be used but access to these accounts would need to be protected from "random" users and only work with specific SPs.
The IdP wouldn't need to be "interfederated" via eduGAIN but could also be part of any/all federations.
There needs to be a "few" profiles that the IdP would follow because the experience will be different between federations.
SWAMID has 8/9 SPs that are setup for different entity categories for testing IdP interoperability.
Adding test IdPs to production metadata is a bad idea because then you need to build mitigation systems to stop the use of the test IdP against SPs that shouldn't be used.
Tomasz: If there is a valuable SP that can't be used by his institution then a test account will be provided in no time.
Nicole: Couldn't a pool of "humans" be used to test this kind of thing.
What about http://testshib.org/ ? Although it is about testing shib rather than providing a range of profiles to test against.