Federation operators and eduGAIN experts are frequently asked how access to a production federated service can be tested. A simple login test to a federated service requires a federated account at an organisation that is part of the federation or of eduGAIN. However, commercial service operators normally don't have, and normally don't receive, federated accounts in a national federation or in eduGAIN. And even if they had a single account of their own, or asked a real-world user to test, this would not be sufficient to thoroughly test federated login with multiple identities and different sets of attributes.

Setting up a SAML Identity Provider (IdP) of one's own and using it to test one's Service Provider (SP) would be ideal, but it is non-trivial and therefore in most cases too much effort. Using self-registration IdPs (e.g. https://openidp.feide.no/) and configuring them bilaterally with the SP might be sufficient for development, but as these IdPs are not part of eduGAIN, they don't allow testing federated login under real conditions from an eduGAIN IdP. Also, self-registration IdPs usually don't allow certain attributes (e.g. affiliation) to be set.

The eduGAIN Access Check solves most of the aforementioned issues because it provides SP operators an easy way to test federated login to their eduGAIN service with test identities that have different attribute profiles.

...

Your Service Provider first needs to be registered in eduGAIN metadata. Therefore, you should contact your nearest federation operator (please have a look at the list of eduGAIN member federations) to find out about the local process to join eduGAIN.

Once your SP's metadata is included in eduGAIN, you can start creating test accounts. Before you obtain the test accounts, it is verified that you are a legitimate administrator of your SP. This is achieved via an email challenge sent to the contact address listed for the Service Provider.

To use the test accounts, initiate a login at your SP. On the Discovery Service, select "eduGAIN Access Check" as your Identity Provider and then use the credentials of one of the created test accounts. Once authenticated, the eduGAIN Access Check IdP will release to your SP a realistic set of user attributes, based on those associated with the account and those explicitly requested by the SP according to its metadata. This allows you to validate that your service behaves as expected.

...

The code of the eduGAIN Access Check Account Manager is published as open source. It's available at: http://svn.geant.net/GEANT/edugain_testidp_account_managerFIXME. Feel free to install it to run your own instance of the service.

...

The eduGAIN Access Check service exclusively allows creating test accounts for users who can receive challenge emails at contact email addresses listed in the eduGAIN metadata for a particular Service Provider. The test accounts can be used exclusively to access a single SP (the one for which the user has proven to be an administrator). Authentication requests for other SPs are rejected.
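Both the challenge-email check described here and the attribute release described in the login section above are driven by the SP's entry in eduGAIN metadata. The following is an added example, not code from the Access Check Account Manager: it parses a constructed SP EntityDescriptor (entityID, contacts and requested attributes are made up) to show which addresses are eligible for the challenge and which of a test account's attributes an SP has asked for; the "release only what was requested" policy in the last function is an assumption, not something the page states.

```python
# Added example, not part of the eduGAIN Access Check code. Reads from SP
# metadata the contacts eligible for the admin challenge and the requested attributes.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata; entityID, contacts and attribute set are made up.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="eduPersonAffiliation"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:Admin@sp.example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="support"><md:EmailAddress>support@sp.example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def contact_emails(metadata_xml):
    """Contact addresses from metadata, lower-cased, with any 'mailto:' prefix stripped."""
    root = ET.fromstring(metadata_xml)
    emails = set()
    for el in root.findall("md:ContactPerson/md:EmailAddress", NS):
        addr = (el.text or "").strip().lower()
        emails.add(addr[len("mailto:"):] if addr.startswith("mailto:") else addr)
    return emails


def requested_attributes(metadata_xml):
    """Map FriendlyName (or Name) -> isRequired for each RequestedAttribute of the SP."""
    root = ET.fromstring(metadata_xml)
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("FriendlyName", ra.get("Name")): ra.get("isRequired", "false").lower() == "true"
            for ra in root.findall(path, NS)}


def may_receive_challenge(metadata_xml, email):
    """Only an address listed in the SP's own metadata may receive the admin challenge."""
    return email.strip().lower() in contact_emails(metadata_xml)


def attributes_to_release(metadata_xml, account_attributes):
    """Assumed policy: release only those test-account attributes the SP requested."""
    requested = requested_attributes(metadata_xml)
    return {k: v for k, v in account_attributes.items() if k in requested}
```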

...