The UK federation Test Identity Provider

The UK federation Test IdP allows you to test access to your SP deployment, and can be used for troubleshooting. It is not intended for load testing.

The Display Name of the IdP is "UK federation test IdP" and the entityID is https://test-idp.ukfederation.org.uk/idp/shibboleth. Please note that the entityID is an identifier. It is not the location of the metadata for this IdP. The metadata can be found in the metadata aggregate or MDQ service that your SP uses.

We intend this Test IdP to be self-service as far as possible. If you find that your SP deployment doesn't allow access from the test IdP, please investigate your own system first. Read the error message and check the logs. If you need more information or want to discuss the errors, you can contact the UK federation helpdesk.

Please note: your SP must be registered in the UK federation before you can use our Test IdP.

Accounts and attributes

Several accounts corresponding to typical use cases are available on the Test IdP. Two accounts (Beth and Craig) are based on personas developed by EDINA and the other accounts illustrate other aspects of attribute usage in the UK federation (see also our background page on attributes and authorisation).

As this is an open-access IdP and the credentials are listed below, we cannot assert user accountability.

The IdP releases attributes for each account from the UK federation core attribute set. See section 7 of the UK federation Technical Recommendations for Participants for more information. In the descriptions below, we have used the shorthand name for the attribute rather than the formal URI, since the URI is different depending on whether you are testing SAML 1 or SAML 2 operation. For example, the friendly name eduPersonScopedAffiliation refers to the attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9 in SAML 2, or urn:mace:dir:attribute-def:eduPersonScopedAffiliation in SAML 1. The value passed in these two protocols is the same, even though its encoding into a SAML statement is different.

The eduPersonEntitlement value of http://ukfederation.org.uk/entitlements/example has been created by the UK federation specifically to allow SPs to test for the presence of this attribute. We do not define any meaning to this value and it is not intended to be used in production. It is documented at http://www.ukfederation.org.uk/entitlements/example.

SPs in the REFEDS Research and Scholarship entity category

This entity category has been developed to facilitate access to collaborative tools and services such as wikis, blogs, project and grant management tools which require some personal information about people accessing the service to work effectively. It is not used for access to licensed content such as e-journals.

IdPs that support the REFEDS Research and Scholarship category, including this Test IdP, will release a defined bundle of personal details (including name and email address) for a subset of their accounts to these SPs. Personal details will be released for all accounts except "Gwen" (subject to explicit consent in the consent screen).

See our documentation on the REFEDS R&S entity category for more details.

Alice, an affiliate

An affiliate is a user that has some relationship with the organization but is not a full member. A typical use is for someone applying to study at an organization.

username: alice
password: passworda

attributes released         value
eduPersonScopedAffiliation  affiliate@test.ukfederation.org.uk
eduPersonPrincipalName      alice@test.ukfederation.org.uk
eduPersonTargetedID         depends on the entityID of the SP

Beth, a lecturer

This user is appropriate for any member of staff at an organization. The user is based on the EDINA persona for a lecturer in Higher Education.

username: beth
password: passwordb

attribute                   value
eduPersonScopedAffiliation  staff@test.ukfederation.org.uk and member@test.ukfederation.org.uk
eduPersonPrincipalName      beth@test.ukfederation.org.uk
eduPersonTargetedID         depends on the entityID of the SP
eduPersonEntitlement        http://ukfederation.org.uk/entitlements/example

Craig, a student

This user is appropriate for any full-time or part-time student in education. It is based on the EDINA persona for a PhD student, although it is representative of any student in HE or FE.

username: craig
password: passwordc

attributes released         value
eduPersonScopedAffiliation  student@test.ukfederation.org.uk and member@test.ukfederation.org.uk
eduPersonPrincipalName      craig@test.ukfederation.org.uk
eduPersonTargetedID         depends on the entityID of the SP
eduPersonEntitlement        http://ukfederation.org.uk/entitlements/example

Duns, a polymath

This account corresponds to a user who has a complicated relationship with the organization and therefore has two affiliations.

username: duns
password: passwordd

attributes released         value
eduPersonScopedAffiliation  affiliate@test.ukfederation.org.uk and member@test.ukfederation.org.uk
eduPersonPrincipalName      duns@test.ukfederation.org.uk
eduPersonTargetedID         depends on the entityID of the SP

Ewart, an alumnus

This account represents a person who is no longer a student at the organization.

username: ewart
password: passworde

attributes released         value
eduPersonScopedAffiliation  alum@test.ukfederation.org.uk
eduPersonPrincipalName      ewart@test.ukfederation.org.uk
eduPersonTargetedID         depends on the entityID of the SP

Library, a library-walk-in user

This account represents a user who has access to the library but no other formal association with the organization. Whether such a user gains access to resources will depend on the SP.

username: library
password: passwordl (the letter l)

attributes released         value
eduPersonScopedAffiliation  library-walk-in@test.ukfederation.org.uk

Yanny and Laurel

These accounts represent a pair of users whose eduPersonTargetedID values (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) differ only in case. This can be used to determine whether your SP is handling case-sensitivity correctly. If your system identifies Yanny and Laurel as the same user, then your SP or application (or both) is broken: there is a risk that many subjects will be mapped to the same account in your application, with a consequent loss of privacy.

The IdP releases the same values of eduPersonTargetedID to all SPs because these accounts are intended to test the case handling of your SP, not the pairwise nature of eduPersonTargetedID.

username: yanny
password: passwordy

attributes released                value
eduPersonScopedAffiliation         member@test.ukfederation.org.uk
eduPersonPrincipalName             yanny@test.ukfederation.org.uk
eduPersonTargetedID (opaque part)  MDFNPC+S2DMY5LJEDWIDDABRELC=

username: laurel
password: passwordl (the letter l)

attributes released                value
eduPersonScopedAffiliation         member@test.ukfederation.org.uk
eduPersonPrincipalName             laurel@test.ukfederation.org.uk
eduPersonTargetedID (opaque part)  mdFnPC+s2DmY5LjedWIddaBrElc=
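The Yanny and Laurel check can be reproduced offline against the account store behind an SP. The following is an added example, not code from the UK federation: it shows one common cause of the failure, a case-insensitive column collation, next to the case-sensitive form. The table layout and function names are hypothetical; the two identifier values and the IdP entityID are the ones listed on this page.

```python
import sqlite3

# Opaque parts of eduPersonTargetedID listed on this page for the two accounts.
YANNY = "MDFNPC+S2DMY5LJEDWIDDABRELC="
LAUREL = "mdFnPC+s2DmY5LjedWIddaBrElc="
IDP = "https://test-idp.ukfederation.org.uk/idp/shibboleth"


def make_store(collation):
    """Create a hypothetical in-memory account table keyed on (idp, targeted_id)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE account ("
        " id INTEGER PRIMARY KEY,"
        " idp TEXT NOT NULL,"
        f" targeted_id TEXT NOT NULL COLLATE {collation},"
        " UNIQUE (idp, targeted_id))"
    )
    return db


def login(db, idp, targeted_id):
    """Return the local account id for this subject, creating it on first login."""
    row = db.execute(
        "SELECT id FROM account WHERE idp = ? AND targeted_id = ?",
        (idp, targeted_id),
    ).fetchone()
    if row:
        return row[0]
    cur = db.execute(
        "INSERT INTO account (idp, targeted_id) VALUES (?, ?)", (idp, targeted_id)
    )
    return cur.lastrowid


def merges_yanny_and_laurel(collation):
    """True if a store with this collation maps both test identifiers to one account."""
    db = make_store(collation)
    return login(db, IDP, YANNY) == login(db, IDP, LAUREL)


if __name__ == "__main__":
    # NOCASE compares the identifiers case-insensitively; BINARY compares bytes.
    print("NOCASE merges accounts:", merges_yanny_and_laurel("NOCASE"))
    print("BINARY merges accounts:", merges_yanny_and_laurel("BINARY"))
```

The same merge happens in application code that lowercases or otherwise normalises the identifier before lookup, so check every layer between the SAML assertion and the account table.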

Gwen

This account does not release personal information to REFEDS R&S category SPs.

username: gwen
password: passwordg

attributes released         value
eduPersonScopedAffiliation  member@test.ukfederation.org.uk
eduPersonPrincipalName      gwen@test.ukfederation.org.uk
eduPersonTargetedID         depends on the entityID of the SP