
Test scenarios and setup for testing DRYD-1518

Configuration Scenario 1

Scenario Description

Email address used for both username and sso-id, both asserted via attribute in IdP authentication response

CSpace User Setup

Create a user on CSpace with the email testconfig1@example.com

Relevant SAML Config on CSpace Server

<assertion-username-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig1@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior if email address changes on the IdP

User is not found and login fails

Configuration Scenario 2

Scenario Description

Email address used for both username and sso-id, with email asserted via attribute and sso-id via name-id in IdP authentication response

Preconditions

Create a user on CSpace with the email testconfig2@example.com

Auth0 Mappings

{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

(Note the use of the name attribute for the username: Auth0 drops the emailaddress attribute in this configuration, since email is being used as the nameidentifier.)

<assertion-username-probes>
  <attribute name="http://schemas.auth0.com/name" />
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig2@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig2@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior if email address changes on the IdP

User is not found and login fails

Configuration Scenario 3

Scenario Description

Email address used for both username and sso-id, with email asserted via name-id and sso-id via attribute in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig3@example.com

Auth0 Mappings

{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
  }
}

Relevant SAML Config on CSpace Server

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig2@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/>
  </saml:SubjectConfirmation>
</saml:Subject>

<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig2@example.com</saml:AttributeValue>
</saml:Attribute>

Relevant IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior if email address changes on the IdP

User is not found and login fails

Configuration Scenario 4

Scenario Description

Email address used for both username and sso-id, with both asserted via name-id in IdP authentication response

Precondition

Create a user on CSpace with the email testconfig3@example.com

Relevant SAML Config on CSpace Server

<assertion-username-probes>
  <name-id/>
</assertion-username-probes>
<assertion-sso-id-probes>
  <name-id/>
</assertion-sso-id-probes>

Relevant IDP Metadata excerpt

<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">testconfig@example.com</saml:AttributeValue>
</saml:Attribute>

Expected behavior upon initial login

User is found and login succeeds

Expected behavior if email address changes on the IdP

User is not found and login fails
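The probe resolution the four scenarios exercise, as an added example that is not CSpace's own code: a probe list mirrors the <assertion-username-probes> and <assertion-sso-id-probes> elements (either a name-id probe or an attribute probe with a claim name), and each probe is evaluated against a constructed assertion modelled on the scenario 1 excerpt. The lookup rule (login succeeds only when the probed username matches an existing user's email) is a simplified assumption used to reproduce the stated expected behaviour, not the server's actual logic.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
USERS = {"testconfig1@example.com"}  # constructed stand-in for the CSpace user table

# Constructed assertion modelled on the scenario 1 excerpt; not a captured IdP response.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig1@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">testconfig1@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Probe lists mirror the config: ("name-id", None) for <name-id/>, ("attribute", claim) for <attribute name=.../>.
SCENARIO1 = ([("attribute", EMAIL_CLAIM)], [("attribute", EMAIL_CLAIM)])  # (username probes, sso-id probes)
SCENARIO4 = ([("name-id", None)], [("name-id", None)])

def probe(assertion_xml, probes):
    """Return the first non-empty value the probe list finds in the assertion, else None."""
    root = ET.fromstring(assertion_xml)
    for kind, name in probes:
        if kind == "name-id":
            el = root.find("saml:Subject/saml:NameID", NS)
            if el is not None and (el.text or "").strip():
                return el.text.strip()
        elif kind == "attribute":
            for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
                val = attr.find("saml:AttributeValue", NS)
                if attr.get("Name") == name and val is not None and (val.text or "").strip():
                    return val.text.strip()
    return None

def resolve_login(assertion_xml, username_probes, sso_id_probes, users=USERS):
    """Simplified lookup model (an assumption, not CSpace's code): the login succeeds
    only if the probed username matches an existing user's email."""
    username = probe(assertion_xml, username_probes)
    sso_id = probe(assertion_xml, sso_id_probes)
    if username is None or username not in users:
        return {"ok": False, "username": username, "sso_id": sso_id}
    return {"ok": True, "username": username, "sso_id": sso_id}

if __name__ == "__main__":
    print(resolve_login(ASSERTION, *SCENARIO1))  # initial login: user found
    changed = ASSERTION.replace("testconfig1@example.com", "renamed@example.com")
    print(resolve_login(changed, *SCENARIO4))  # email changed on the IdP: user not found
```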

Scenario | Username Assertion In | SSO-ID Assertion In
Email address asserted as both username and sso-id | attribute | attribute
Email address asserted as both username and sso-id | attribute | name-id
Email address asserted as both username and sso-id | name-id | attribute
Email address asserted as both username and sso-id | name-id | name-id
Email address asserted as username, other id asserted as sso-id | attribute | attribute
Email address asserted as username, other id asserted as sso-id | attribute | name-id
Email address asserted as username, other id asserted as sso-id | name-id | attribute
Email address asserted as username, null value asserted as sso-id (this scenario mimics 8.0 functionality in 8.1) | attribute | attribute
Email address asserted as username, null value asserted as sso-id (this scenario mimics 8.0 functionality in 8.1) | name-id | attribute
