SSO Testing

Test scenarios and setup for testing DRYD-1518: Add SSO ID field to user accounts and populate with SAML assertionResolved using Auth0 as an IdP

Configuration Scenario 1

Configuration Scenario 1
Scenario Description	Email address used for both `username` and `sso-id`, both asserted via attribute in IdP authentication response
CSpace User Setup	Create a user on CSpace with the email testconfig1@example.com
Relevant SAML Config on CSpace Server	`<assertion-username-probes> . <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" /> </assertion-username-probes> <assertion-sso-id-probes> . <attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" /> </assertion-sso-id-probes>`
Relevant Auth0 IDP Metadata excerpt	`<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig1@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is not found and login fails

Configuration Scenario 2

Configuration Scenario 2
Scenario Description	Email address used for both `username` and `sso-id`, with username asserted via attribute and sso-id via name-id in IdP authentication response
Preconditions	Create a user on CSpace with the email testconfig2@example.com
Auth0 Mappings	`{ "mappings": { "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" } }`
Relevant SAML Config on CSpace Server	(Note the use of the `name` attribute for the username because Auth0 will drop the `emailaddress` attribute in this configuration since email is being used as the nameidentifier.) `<assertion-username-probes> . <attribute name="http://schemas.auth0.com/name" /> </assertion-username-probes> <assertion-sso-id-probes> . <name-id/> </assertion-sso-id-probes>`
Relevant Auth0 IDP Metadata excerpt	`<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig2@example.com</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/> </saml:SubjectConfirmation> </saml:Subject>` `<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig2@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is not found and login fails

Configuration Scenario 3

Configuration Scenario 3
Scenario Description	Email address used for both `username` and `sso-id`, with username asserted via name-id and sso-id via attribute in IdP authentication response
Precondition	Create a user on CSpace with the email testconfig3@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server	(Note the use of the `name` attribute for the sso-id because Auth0 will drop the `emailaddress` attribute in this configuration since email is being used as the nameidentifier.)
Relevant Auth0 IDP Metadata excerpt	`<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig3@example.com</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/> </saml:SubjectConfirmation> </saml:Subject>` `<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig3@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is not found and login fails

Configuration Scenario 4

Configuration Scenario 4
Scenario Description	Email address used for both `username` and `sso-id`, with both asserted via name-id in IdP authentication response
Precondition	Create a user on CSpace with the email testconfig4@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server
Relevant IDP Metadata excerpt	`<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig4@example.com</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:29:08.526Z" Recipient="https://manage.auth0.com/tester/samlp"/> </saml:SubjectConfirmation> </saml:Subject>` `<saml:Attribute Name="http://schemas.auth0.com/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig4@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is not found and login fails

Configuration Scenario 5

Configuration Scenario 5
Scenario Description	Email address asserted as `username`, other id asserted as `sso-id` with each being asserted in a different attribute
Precondition	Create a user on CSpace with the email testconfig5@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server
Relevant IDP Metadata excerpt	`<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig5@example.com</saml:AttributeValue> </saml:Attribute>` `<saml:Attribute Name="http://schemas.auth0.com/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">auth0\|6729603aba7c0c3e1bdf28d5</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is found and login succeeds (because attribute that is used for sso-id hasn’t changed)

Configuration Scenario 6	THIS IS THE MOST LIKELY IDP SETUP

Configuration Scenario 6	THIS IS THE MOST LIKELY IDP SETUP
Scenario Description	Email address asserted as `username`, other id asserted as `sso-id` with username being asserted an attribute and sso-id in the name-id
Precondition	Create a user on CSpace with the email testconfig6@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server
Relevant IDP Metadata excerpts	`<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0\|6729603aba7c0c3e1bdf28d5</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:50:42.934Z" Recipient="https://manage.auth0.com/tester/samlp"/> </saml:SubjectConfirmation> </saml:Subject>` `<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig6@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is found and login succeeds (because name identifier in the subject that is being used for sso-id hasn’t changed)

Configuration Scenario 7

Configuration Scenario 7
Scenario Description	Email address asserted as `username`, other id asserted as `sso-id` with username being asserted in the name-id and sso-id in an attribute
Precondition	Create a user on CSpace with the email testconfig7@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server	(Note the use of the identifier attribute for sso-id )
Relevant IDP Metadata excerpts	`<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig7@example.com</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T02:06:46.509Z" Recipient="https://manage.auth0.com/tester/samlp"/> </saml:SubjectConfirmation> </saml:Subject>` `<saml:Attribute Name="http://schemas.auth0.com/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">auth0\|6729603aba7c0c3e1bdf28d5</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is found and login succeeds (because the value for identifier attribute used for sso-id hasn’t changed)

Configuration Scenario 8	Mimics 8.0 functionality in 8.1

Configuration Scenario 8	Mimics 8.0 functionality in 8.1
Scenario Description	Email address asserted as `username`, null value asserted as `sso-id` , with each being asserted as a different attribute
Precondition	Create a user on CSpace with the email testconfig8@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server
Relevant IDP Metadata excerpts	`<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig8@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is found and login fails

Configuration Scenario 9	Mimics 8.0 functionality in 8.1

Configuration Scenario 9	Mimics 8.0 functionality in 8.1
Scenario Description	Email address asserted as `username`, null value asserted as `sso-id` , with username being asserted in name-id and sso-id in an attribute
Precondition	Create a user on CSpace with the email testconfig9@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server
Relevant IDP Metadata excerpts	`<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testconfig9@example.com</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T02:06:46.509Z" Recipient="https://manage.auth0.com/tester/samlp"/> </saml:SubjectConfirmation> </saml:Subject>`
Expected behavior upon initial login	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP	User is found and login fails

Configuration Scenario 10	Mimics 8.0 functionality in 8.1 - SUCCESS SEQUENCE

Configuration Scenario 10	Mimics 8.0 functionality in 8.1 - SUCCESS SEQUENCE
Scenario Description	Email address asserted as `username`, null value asserted as `sso-id` , with subsequent specification of a valid sso-id to enable subsequent login after email change.
Precondition	Create a user on CSpace with the email testconfig10@example.com
Auth0 Mappings
Relevant SAML Config on CSpace Server (Step 1)
Relevant IDP Metadata excerpts (Step 1)	`<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig8@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior upon initial login	User is found and login succeeds
Relevant SAML Config on CSpace Server (Step 2)
Relevant IDP Metadata excerpts (Step 2)	`<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0\|6729603aba7c0c3e1bdf28d5</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2024-11-05T01:50:42.934Z" Recipient="https://manage.auth0.com/tester/samlp"/> </saml:SubjectConfirmation> </saml:Subject>` `<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">testconfig10@example.com</saml:AttributeValue> </saml:Attribute>`
Expected behavior after SAML config change	User is found and login succeeds
Expected behavior after changing email address on Auth0 IdP after SAML config change	User is found and login succeeds