The Test Environment is the playground for testing new services with SURFconext. This environment has it's own SAML metadata and is in no way connected to the production environment of SURFconext and thus not connected to real identity providers and real users. In the Test environment test-IP's and test-accounts are available. Connecting to it is simple and a contract at this point is not necessary so you can start testing immediately.
This page will depict the following:
1. Import the Public SAML metadata of SURFconext (SAML)
For your service, import the Entity Descriptor of the SURFconext IdP Proxy in your Service Provider. Depending on the software you use, you must import the metadata-URL or place a file with this information on a location that is accessible by the service.
The Public SAML metadata or the 'Entity Descriptor' of the SURFconext IdP proxy for the test environment differs from the production environment. The following applies:
- Test Environment: https://metadata.test.surfconext.nl/idp-metadata.xml
- Production Environment: https://metadata.surfconext.nl/idp-metadata.xml
Service Providers that are connected to the 'Test Environment' of SURFconext can not and will not be connected to both identity providers on the production environment and the test environment. The user profiles from IdPs on the test environment are fictional or unverified. Real users, with their profiles can only connect to your service through the production environment of SURFconext. Once verified that you are connected to the production environment you must use the entity descriptor of the production environment as mentioned above.
2. Register your SAML enabled service in the dashboard
After the intake by telephone, the SURFconext team will add you to a team. If you have confirmed the membership of this team, members have access to designated services in the SP Dashboard. Here you can manage entities of the service you have been granted accesses to. If you are a member of multiple teams you will see the according services.
In the dashboard you can import the metadata of your service. Metadata can be provided in two ways:
- Metadata URL
- The URL is generated by your SAML 2.0 enabled software (ADFS, NETIQ, SimpleSAMLphp). During test you can use http but for production https, with an Overall Rating score B or higher on SSL Labs, is required
- Pasted metadata
- If the above generated link does not work, paste the metadata manually in the SP Dashboard.
Press 'import' and the fields will be filled automatically, when available in the metadata. If the input is not correct debug your software and change the settings in your SAML enabled software if needed.
Not provided by the import URL but necessary to promote a service to production is a solid motivation of each attribute used. Read our wiki 'Attribute best practice' to get to know more. In short, we want to use as few attributes as possible and as privacy preserving as possible. If you use too many, SURFconext can decline promotion of the service to production and ultimately an institution can decline your request to connect to the service.
2* Register your OpenID Connect service
Some OpenID Connect basics can be found here.
The SP Dashboard is not yet ready for OpenID Connect. This is scheduled for early 2019. In the mean time, if you wish to use OpenID Connect send an email to email@example.com with the following information:
- URL to your service
- Redirect URL(s)
- Name of the service
- Description of the service
- Logo URL of the service
- Which attributes (claims) you need
3. Configure your OpenID Connect service
SURFnet provides you with the necessary data for OpenID Connect, which are:
- A username + secret
- The .well-known URL with all the OpenID Connect configuration parameters. This URL can be used by your software to find all the configuration it needs. The test URL is https://oidc.test.surfconext.nl/.well-known/openid-configuration
Configure your service with these data to enable access through OpenID Connect. The scope "openid" is sufficient to get all configured claims
4. Test your connection with fictional IdPs and fictional users
After logging in to your service, you will see the WAYF-screen with the available test Identity Providers. SURFconext supplies two test IdP's:
- SURFconext Test IdP
- SURFconext Mujina IdP
SURFconext Test IdP
This test IdP allows you to test various login and attribute scenarios, common when dealing with SAML Identity Providers. Several fictitious user accounts are available with attributes matching real world scenarios. The users are also members of groups that you can use to test retrieval of group information.
Please note that the 'SURFconext Test IdP' is not available in the Production environment.
SURFconext Mujina Identity Provider
This test IdP lets you impersonate every possible user. You are able to select attributes and values of your choice. This is a great way of testing all attributes available to SURFconext. You can add the attributes as shown in the pull-downon the login page of Mujina. The attributes are described in detail on our attributes page.
- Username will be used as the value for the attribute 'urn:mace:dir:attribute-def:uid'
- Password is not necessary
The attribute 'urn:mace:dir:attribute-def:eduPersonOrcid' is currently not available for use with Mujina.
- An IdP will never be connected to SURFconext without the attributes 'urn:mace:dir:attribute-def:uid' and 'urn:mace:terena.org:attribute-def:schacHomeOrganization' so it is advised to always test with both these used.