Test Cases to Validate your SAML Single Sign-On and Single Logout Setup
This page explains how to verify your SSO and SLO setup is correct.
After you have completed the steps to set up SSO and SLO in Foundry and in your identity provider, you should run several different tests to verify that the setup is correct in both your identity provider and in Foundry.
EVERFI has a Google Sheet containing around 6 test cases that verify SSO and SLO operate successfully, initiated by a user from either the IDP or the SP (Foundry). There is also a test case verifying that new users get created successfully during SSO, if you choose to enable that feature.
The Google Sheet can be accessed at this link:
This Sheet is read-only, so if you want to use these cases and add notes, then open the Google Sheet and make a copy (File –> Make a copy) for your own use.
- In the Google Sheet, use column C (Passed?) to check off the cases that have passed.
- If certain cases don’t pertain to your specific implementation, then strike them out so it is clear that you don’t need to test them.
- If you have any testing notes to record, type them into the last column, called Notes.
- Before testing SSO, we recommend starting a new browser session and making sure you are fully logged out of your IDP and Foundry.
- Following on the theme above, to avoid login confusion, we recommend testing SSO in a different browser than the one you normally use. For example, if you normally use Chrome, then test in Firefox.
- Firefox is handy for testing SAML because of the SAML-tracer browser add-on. If you are comfortable with technical details, then we recommend testing with this add-on because it calls out the SAML messages, letting you see the SAML exchanges between your IDP and Foundry. Other browsers have similar plugins and extensions, but we happen to like the Firefox version. To use this add-on, install it first. Then, prior to starting SSO, click the add-on link in your browser, which will open a new SAML-tracer window. Then run your SSO steps. SAML-tracer will log all the various SAML messages. Click on any log entry to see more details. Note that if your IDP encrypts responses, you will not be able to see the clear-text SAML response sent from your IDP.
- If you prefer to test in Google Chrome, we recommend installing the SAML Chrome Panel extension. Install the extension, enable debugger tools (View –> Developer –> Inspect Elements), then view the SAML menu in the developer tools to see the SAML messages.
- Some of these test cases will not be relevant to your implementation if you do not support certain features, so you can ignore any test cases that don’t apply to your scenarios. For example, you might support only SP-initiated SSO and not IDP-initiated SSO, or vice versa, or you might not support SLO, or you might not support the feature to add new users during SSO.
- To run the test cases SSO-03 and SSO-04, you will need to make sure your user doesn’t exist in Foundry. Since your user probably does exist in Foundry, you can temporarily edit the Foundry user and change the SSO ID by putting the letter “x” in front of the User; remember to correct this afterwards. Note that you cannot change the SSO ID of your own user, so you’ll need to get a colleague to do this for you. Alternatively, set up a dummy user for testing these cases.
- Running into issues? Check the SSO Troubleshooting page and the SLO Setup page for common setup snags.
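To record in the Notes column what a response captured with SAML-tracer or SAML Chrome Panel actually contained, the following added example (not EVERFI's or Foundry's own code) decodes a base64 SAMLResponse and reports its issuer, destination, status, whether the assertion is encrypted, and whether it answers an SP request. It assumes the HTTP-POST binding and an already URL-decoded value; the sample messages and the idp.example.test / sp.example.test names are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def summarize_saml_response(b64_response):
    """Decode a base64 SAMLResponse for inspection only.
    No signature is verified, so never base a trust decision on this output."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages carry no DTD; refuse before parsing
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default=None, namespaces=NS),
        "destination": root.get("Destination"),
        # A response to an SP request carries InResponseTo; an unsolicited one does not.
        "flow": "SP-initiated" if root.get("InResponseTo") else "IDP-initiated",
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        # NameID is unreadable when the assertion is encrypted, so it stays None.
        "name_id": name_id.text if name_id is not None else None,
    }

def build_sample(in_response_to, body):
    # Constructed sample message; hostnames and IDs are placeholders.
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"'
           ' Destination="https://sp.example.test/acs"%s>'
           '<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
           '<samlp:Status><samlp:StatusCode'
           ' Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           '%s</samlp:Response>') % (NS["samlp"], NS["saml"], attr, body)
    return base64.b64encode(xml.encode()).decode()

CLEAR = build_sample("_req42", "<saml:Assertion><saml:Subject><saml:NameID>"
                     "jdoe@example.test</saml:NameID></saml:Subject></saml:Assertion>")
ENCRYPTED = build_sample(None, "<saml:EncryptedAssertion/>")

if __name__ == "__main__":
    for label, sample in (("clear", CLEAR), ("encrypted", ENCRYPTED)):
        print(label, summarize_saml_response(sample))
```

Compare the reported destination and issuer with the values configured on each side; a mismatch there is a setup error worth noting against the failing test case.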