Test scenarios and setup for testing DRYD-1518 using Auth0 as an IdP

Summary of where the username and the sso-id are asserted in the IdP authentication response for each scenario:

Scenario   Username Assertion In   SSO-ID Assertion In
1          attribute               attribute
2          attribute               name-id
3          name-id                 attribute
4          name-id                 name-id
5          attribute               attribute
6          attribute               name-id
7          name-id                 attribute
8          attribute               attribute (null value)
9          name-id                 attribute (null value)
10         attribute               attribute (null value), then name-id

Configuration Scenario 1

Scenario Description

Email address used for both username and sso-id, both asserted via attribute in IdP authentication response

CSpace User Setup

Create a user on CSpace with the email testconfig1@example.com

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-sso-id-probes>

Relevant Auth0 IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig1@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 2

Scenario Description

Email address used for both username and sso-id, with email username asserted via attribute and sso-id via name-id in IdP authentication response

Preconditions

Create a user on CSpace with the email testconfig2@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

(Note the use of the name attribute for the username: Auth0 drops the emailaddress attribute in this configuration because email is being used as the nameidentifier.)

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.auth0.com/name" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant Auth0 IDP Metadata excerpt

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig2@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig2@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 3

Scenario Description

Email address used for both username and sso-id, with email username asserted via name-id and sso-id via attribute in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig3@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

(Note the use of the name attribute for the sso-id because Auth0 will drop the emailaddress attribute in this configuration since email is being used as the nameidentifier.)

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/name" />
</assertion-sso-id-probes>

Relevant Auth0 IDP Metadata excerpt

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig3@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig3@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 4

Scenario Description

Email address used for both username and sso-id, with both asserted via name-id in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig4@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig4@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig4@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 5

Scenario Description

Email address asserted as username, other id asserted as sso-id with each being asserted in a different attribute

Precondition

Create a user on CSpace with the email testconfig5@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/identifier" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig5@example.com</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute Name="http://schemas.auth0.com/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">auth0|6729603aba7c0c3e1bdf28d5</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login succeeds (because the attribute used for sso-id hasn't changed)

Configuration Scenario 6

THIS IS THE MOST LIKELY ID SETUP

Scenario Description

Email address asserted as username, other id asserted as sso-id, with username asserted in an attribute and sso-id in the name-id in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig6@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|6729603aba7c0c3e1bdf28d5</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:50:42.934Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig6@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login succeeds (because the name identifier in the subject that is used for sso-id hasn't changed)

Configuration Scenario 7

Scenario Description

Email address asserted as username, other id asserted as sso-id, with username asserted in the name-id and sso-id in an attribute

Precondition

Create a user on CSpace with the email testconfig7@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

(Note the use of the identifier attribute for sso-id.)

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/identifier" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig7@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T02:06:46.509Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">auth0|6729603aba7c0c3e1bdf28d5</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is found and login succeeds (because the value of the identifier attribute used for sso-id hasn't changed)

Configuration Scenario 8

Mimics 8.0 functionality in 8.1

Scenario Description

Email address asserted as username, null value asserted as sso-id, with each asserted in a different attribute

Precondition

Create a user on CSpace with the email testconfig8@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/nonexistent" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig8@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 9

Mimics 8.0 functionality in 8.1

Scenario Description

Email address asserted as username, null value asserted as sso-id (this scenario mimics 8.0 functionality in 8.1), with username asserted in the name-id and sso-id in an attribute

Precondition

Create a user on CSpace with the email testconfig9@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

Code Block
<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/nonexistent" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig9@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T02:06:46.509Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP

User is not found and login fails

Configuration Scenario 10

Mimics 8.0 functionality in 8.1 - SUCCESS SEQUENCE

Scenario Description

Email address asserted as username, null value asserted as sso-id , with subsequent specification of a valid sso-id to enable subsequent login after email change.

Precondition

Create a user on CSpace with the email testconfig10@example.com

Auth0 Mappings

Code Block
{
  "mappings": {
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

Relevant SAML Config on CSpace Server (Step 1)

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.auth0.com/nonexistent" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts (Step 1)

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig10@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Relevant SAML Config on CSpace Server (Step 2)

Code Block
<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpts (Step 2)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|6729603aba7c0c3e1bdf28d5</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:50:42.934Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig10@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior after SAML config change

User is found and login succeeds

Expected behavior after changing email address on Auth0 IdP after SAML config change

User is found and login succeeds
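The following is an added worked example, not CSpace's own code: a small Python model of the username / sso-id probe lookup that scenarios 1, 6 and 10 above exercise, run over constructed Auth0-style assertions. It assumes a lookup order the page does not state (match by sso-id first when the probe yields a non-empty value, otherwise by username; a first successful username match binds the asserted sso-id; an empty sso-id never matches anything; and an account whose bound sso-id differs from the asserted one is rejected rather than silently re-bound). The changed-email addresses and the "auth0|other" name-id are constructed test values.

```python
# Added example (not CSpace code). Assumed lookup order: sso-id first when the
# probe yields a non-empty value, then username; first username match binds
# the asserted sso-id; an empty sso-id never matches; a different asserted
# sso-id for an already-bound account is rejected, not re-bound.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
MISSING_ATTR = "http://schemas.auth0.com/nonexistent"
AUTH0_USER_ID = "auth0|6729603aba7c0c3e1bdf28d5"  # user_id value shown on this page

# Probe lists mirror the <assertion-*-probes> config: ("name-id",) or ("attribute", name)
ATTR_EMAIL = [("attribute", EMAIL_ATTR)]
NAME_ID = [("name-id",)]
ATTR_MISSING = [("attribute", MISSING_ATTR)]


def build_assertion(name_id, attributes):
    """Construct a minimal SAML 2.0 assertion (test input, not a real Auth0 response)."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for n, v in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>'
        f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>'
        f"</saml:Subject><saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>"
    )


def probe(assertion_xml, probes):
    """Return the first non-empty value the probe list yields, or None (a 'null' sso-id)."""
    root = ET.fromstring(assertion_xml)
    for p in probes:
        if p[0] == "name-id":
            el = root.find("saml:Subject/saml:NameID", SAML_NS)
        else:
            el = None
            for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
                if attr.get("Name") == p[1]:
                    el = attr.find("saml:AttributeValue", SAML_NS)
                    break
        value = (el.text or "").strip() if el is not None else ""
        if value:
            return value
    return None


class UserStore:
    """In-memory stand-in for the CSpace user table: username -> bound sso-id."""

    def __init__(self):
        self.users = {}

    def create(self, username):
        self.users[username] = {"sso_id": None}

    def login(self, assertion_xml, username_probes, sso_id_probes):
        username = probe(assertion_xml, username_probes)
        sso_id = probe(assertion_xml, sso_id_probes)
        if sso_id:  # a null sso-id must never match users whose sso_id is still None
            if any(rec["sso_id"] == sso_id for rec in self.users.values()):
                return "found-by-sso-id"
        rec = self.users.get(username) if username else None
        if rec is None:
            return "not-found"
        if sso_id and rec["sso_id"] not in (None, sso_id):
            return "sso-id-mismatch"  # refuse to re-link an already bound account
        if sso_id:
            rec["sso_id"] = sso_id  # first login: bind the stable identifier
        return "found-by-username"


def run_scenario_1():
    """Username and sso-id both from the emailaddress attribute: email change locks the user out."""
    store = UserStore()
    store.create("testconfig1@example.com")
    first = store.login(build_assertion(AUTH0_USER_ID, {EMAIL_ATTR: "testconfig1@example.com"}), ATTR_EMAIL, ATTR_EMAIL)
    after = store.login(build_assertion(AUTH0_USER_ID, {EMAIL_ATTR: "changed1@example.com"}), ATTR_EMAIL, ATTR_EMAIL)
    return first, after


def run_scenario_6():
    """Username from the emailaddress attribute, sso-id from the name-id: email change survives."""
    store = UserStore()
    store.create("testconfig6@example.com")
    first = store.login(build_assertion(AUTH0_USER_ID, {EMAIL_ATTR: "testconfig6@example.com"}), ATTR_EMAIL, NAME_ID)
    after = store.login(build_assertion(AUTH0_USER_ID, {EMAIL_ATTR: "changed6@example.com"}), ATTR_EMAIL, NAME_ID)
    return first, after


def run_scenario_10():
    """Null sso-id probe first (8.0 behaviour), then the probe is switched to name-id."""
    store = UserStore()
    store.create("testconfig10@example.com")
    original = build_assertion(AUTH0_USER_ID, {EMAIL_ATTR: "testconfig10@example.com"})
    step1 = store.login(original, ATTR_EMAIL, ATTR_MISSING)  # nothing bound yet
    step2 = store.login(original, ATTR_EMAIL, NAME_ID)  # config change binds the name-id
    after = store.login(build_assertion(AUTH0_USER_ID, {EMAIL_ATTR: "changed10@example.com"}), ATTR_EMAIL, NAME_ID)
    return step1, step2, after


def run_rebind_attempt():
    """Same username asserted under a different (constructed) name-id after binding: no takeover."""
    store = UserStore()
    store.create("testconfig6@example.com")
    store.login(build_assertion(AUTH0_USER_ID, {EMAIL_ATTR: "testconfig6@example.com"}), ATTR_EMAIL, NAME_ID)
    return store.login(build_assertion("auth0|other", {EMAIL_ATTR: "testconfig6@example.com"}), ATTR_EMAIL, NAME_ID)


if __name__ == "__main__":
    print(run_scenario_1(), run_scenario_6(), run_scenario_10(), run_rebind_attempt())
```

The two checks worth keeping when reading the real server code are the ones the "nonexistent" attribute scenarios exercise: a probe that yields no value must be treated as no sso-id at all (never as a value that matches every user with an unbound sso-id), and a username match must only bind an sso-id when the account has none yet.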