Page tree
Skip to end of metadata
Go to start of metadata

The Test Environment is the playground for testing new services with SURFconext. It is in no way connected to the production environment of SURFconext and thus not connected to real identity providers and real users. In the Test environment test-IP's and test-accounts are available. Connecting to it is simple and a contract at this point is not necessary so you can start testing immediately.


This page will depict the following:

1. Configure your service for SURFconext

SAML

For your service, import the Entity Descriptor of the SURFconext IdP Proxy in your Service Provider. Depending on the software you use, you must import the metadata-URL or place a file with this information on a location that is accessible by the service. 


The Public SAML metadata or the 'Entity Descriptor' of the SURFconext IdP proxy for the test environment differs from the production environment. The following applies:

Service Providers that are connected to the 'Test Environment' of SURFconext can not and will not be connected to both identity providers on the production environment and the test environment. The user profiles from IdPs on the test environment are fictional or unverified. Real users, with their profiles can only connect to your service through the production environment of SURFconext. Once verified that you are connected to the production environment you must use the entity descriptor of the production environment as mentioned above.

OpenID Connect

SURFnet provides you through the SP Dashboard with the necessary data for OpenID Connect, which are:

Configure your service with these data to enable access through OpenID Connect.  The scope "openid" is sufficient to get all configured claims.

2. Register your SAML/OpenID Connect enabled service in the SP dashboard

After the intake by telephone, the SURFconext team will add you to a team. If you have confirmed the membership of this team, members have access to designated services in the SP Dashboard. You can manage entities of the service you have been granted accesses to. If you are a member of multiple teams you will see the according services.


User Attributes

Not provided by the import URL but necessary to promote a service to production is a solid motivation of each attribute used. Read our wiki 'Attribute best practice' to get to know more. In short, we want to use as few attributes as possible and as privacy preserving as possible. If you use too many, SURFconext can decline promotion of the service to production and ultimately an institution can decline your request to connect to the service.

3. Test your connection with fictional IdPs and fictional users

After logging in to your service, you will see the WAYF-screen with the available test Identity Providers. SURFconext supplies two test IdP's:

  • SURFconext Test IdP
  • SURFconext Mujina IdP

SURFconext Test IdP
This test IdP allows you to test various login and attribute scenarios, common when dealing with SAML Identity Providers. Several fictitious user accounts are available with attributes matching real world scenarios. The users are also members of groups that you can use to test retrieval of group information.

Please note that the 'SURFconext Test IdP' is not available in the Production environment.

SURFconext Mujina Identity Provider
This test IdP lets you impersonate every possible user. You are able to select attributes and values of your choice. This is a great way of testing all attributes available to SURFconext. You can add the attributes as shown in the pull-downon the login page of Mujina. The attributes are described in detail on our attributes page.

  • Username will be used as the value for the attribute 'urn:mace:dir:attribute-def:uid'
  • Password is not necessary
  • The attribute 'urn:mace:dir:attribute-def:eduPersonOrcid' is currently not available for use with Mujina.

  • An IdP will never be connected to SURFconext without the attributes 'urn:mace:dir:attribute-def:uid' and 'urn:mace:terena.org:attribute-def:schacHomeOrganization' so it is advised to always test with both these used.




  • No labels