Testing IdP deployments

After you have configured the browser-facing certificate, you should test the security of the TLS/SSL configuration. We suggest you use the SSL Labs SSL Server Test tool for this. Check the "Do not show the results on the boards" box before you start, so that the result for your IdP is not published on the SSL Labs public results boards.
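As an added example (not part of the UK federation page, and not a replacement for the SSL Labs scan), the following POSIX shell script runs a local pre-check of the IdP's browser-facing TLS endpoint with openssl. It is useful for a test host that SSL Labs cannot reach, or to catch obvious problems before the public scan. The environment variable names `IDP_HOST` and `IDP_PORT`, and the 30-day expiry threshold, are assumptions of this example.

```shell
#!/bin/sh
# Added example: local TLS pre-check of an IdP's browser-facing endpoint.
# Not code from the UK federation page; IDP_HOST/IDP_PORT are assumed names.

# Returns 0 if host:port completes a handshake with the given openssl protocol
# flag (tls1, tls1_1, tls1_2, tls1_3). A local openssl build that lacks the
# flag, or that refuses the legacy version itself, also returns non-zero, so
# "accepted" is the reliable signal and "rejected" may need a second look.
idp_tls_accepts() {
    host=$1; port=$2; proto=$3
    openssl s_client -connect "$host:$port" -servername "$host" "-$proto" \
        </dev/null >/dev/null 2>&1
}

# Returns 0 if the PEM certificate in $1 is still valid $2 days from now.
# openssl x509 -checkend takes seconds and fails if the cert will have expired.
cert_valid_for_days_pem() {
    pem=$1; days=$2
    openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Saves the leaf certificate presented by host:port into the PEM file $3.
fetch_leaf_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Prints one verdict line per protocol version, then an expiry check.
report() {
    host=$1; port=${2:-443}
    for proto in tls1 tls1_1 tls1_2 tls1_3; do
        if idp_tls_accepts "$host" "$port" "$proto"; then
            case $proto in
                tls1|tls1_1) echo "WARN  $proto accepted (legacy protocol; disable it)" ;;
                *)           echo "ok    $proto accepted" ;;
            esac
        else
            case $proto in
                tls1|tls1_1) echo "ok    $proto rejected" ;;
                *)           echo "info  $proto not negotiated (server or local openssl)" ;;
            esac
        fi
    done
    certfile=$(mktemp)
    fetch_leaf_cert "$host" "$port" "$certfile"
    if cert_valid_for_days_pem "$certfile" 30; then
        echo "ok    certificate valid for at least 30 more days"
    else
        echo "WARN  certificate expires within 30 days (or could not be fetched)"
    fi
    rm -f "$certfile"
}

# Only probe when a host is supplied, so the functions can be sourced offline.
if [ -n "${IDP_HOST:-}" ]; then
    report "$IDP_HOST" "${IDP_PORT:-443}"
fi
```

Run it as `IDP_HOST=idp.example.org sh tls-precheck.sh`; a WARN for TLS 1.0 or 1.1 means the IdP's web server still offers a protocol version that SSL Labs will also flag, and the expiry check gives early warning before the browser-facing certificate lapses.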

Once you have registered your IdP in the federation, you can test its configuration using this UK federation test service provider:

The index page contains a number of links, which invoke different versions of the Discovery Service. If you click one of these links and select your IdP from the Discovery Service page and successfully authenticate, you should see the UK federation Attribute Viewer, which shows you the attributes released by the IdP to the SP, and some header variables. This allows you to test attribute generation and release as well as simple authentication.

Note that when your IdP is hidden you will need to click the "Search over All sites" link at the bottom of the Discovery Service page, in order to be able to select it. You can start typing in the organisation display name in the box until your IdP is the only one displayed, and select it; or click the "Let me choose from a list" link and find it in the list of all IdPs. The former option is generally preferable, as the list is very long.

It is normally sufficient to test your IdP with the link "Default DS flow with the UK federation CDS". The "Default DS" link uses the federation Discovery Service and should invoke a SAML2 session, which produces a single displayed assertion. We do not expect many SPs to require the SAML2 Artifact binding, but it is advisable to test with that flow too, just in case.

If you are testing a Shibboleth IdP and you have trouble authenticating or releasing attributes, ensure your log levels are turned up to DEBUG before re-testing, and then check the logs; idp-process.log is generally the most informative. See the Logging section for more information. If nothing is being written to the Shibboleth logs, check the Tomcat or Jetty logs; it is advisable to keep checking the Tomcat or Jetty logs anyway during the earlier stages of the installation.
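The following fragment is an added example, not from the UK federation page, showing how the relevant log levels are raised in conf/idp.properties of a Shibboleth IdP v3 or later (the page does not state an IdP version, so that layout is an assumption here). All three default to INFO.

```properties
# Added example (assumes Shibboleth IdP v3+ layout, conf/idp.properties).
# IdP's own code: authentication flows, attribute resolution and filtering.
idp.loglevel.idp = DEBUG
# LDAP authentication and LDAP data connectors.
idp.loglevel.ldap = DEBUG
# Full inbound/outbound SAML messages, including the released assertion.
idp.loglevel.messages = DEBUG
```

With these set, the attribute filter decisions and the assertion sent to the test SP appear in logs/idp-process.log. Because `idp.loglevel.messages = DEBUG` writes complete assertions, including attribute values, to disk, return it to INFO once the test SP shows the expected attributes.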

You should not attempt to gain access to any live service until you have verified, by the use of the test page noted above, that your IdP is properly configured and releasing attributes correctly.