SAML login/logout testing.
- For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
- Make sure /etc/hosts is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.
- If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serve different domains, for example ipa.example.org and ad.example.org.
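The /etc/hosts prerequisite above can be checked mechanically before installing. This is an added example, not part of the original test plan: the function name check_hosts, the sample file and the 192.0.2.10 address are constructed, and treating the short hostname as a match is an assumption.

```shell
#!/bin/sh
# check_hosts FILE FQDN  (hypothetical helper, added for illustration)
# Prints every loopback line in FILE that names the host and returns 1 if
# any is found; returns 0 when the hosts file is sane in that respect.
check_hosts() {
    awk -v fqdn="$2" '
        BEGIN {
            fqdn = tolower(fqdn)
            short = fqdn
            sub(/\..*/, "", short)      # ipa.example.org -> ipa (assumption: short name counts too)
            bad = 0
        }
        {
            orig = $0
            sub(/#.*/, "")              # ignore comments; fields are re-split
            if (NF < 2) next
            # IPv4 loopback is all of 127.0.0.0/8, IPv6 loopback is ::1
            if ($1 !~ /^127\./ && $1 != "::1") next
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == fqdn || name == short) {
                    printf "%s:%d: %s\n", FILENAME, NR, orig
                    bad = 1
                    break
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample (not from a real host): the FQDN sits on the IPv4 loopback line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost ipa.example.org ipa
::1         localhost
192.0.2.10  ipa.example.org ipa
EOF
check_hosts "$sample" ipa.example.org || echo "hostname is on a localhost line; fix before installing"
rm -f "$sample"

# On the machine under test: check_hosts /etc/hosts "$(hostname -f)"
```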
How to test
Verify the basics
Ensure you have no Kerberos credentials:
# kdestroy -A
Bring up your Firefox window and select admin->Logout if you are still logged into the IDP.
Go to the protected site you just created on the SP, https://sp.example.com/sp/
You should be prompted with a form login.
Use the user that was created during the IPA installation, ttest.
Once you've authenticated you should see a success page and a Logout link. This is a known issue: you should have been redirected back to the SP, so let's go there manually. Go back to https://sp.example.com/sp/
You should get the welcome page.
Go back to the SP page, https://sp.example.com/sp/ and you should be redirected for login again.
Now we will try login using Kerberos authentication.
Go to a shell and run:
Go to https://sp.example.com/sp/ (or hit reload)
You may see a quick redirect to the IDP, then a return to the SP, and the welcome page displayed. If so then success!
If you click login again it should once again quickly redirect to the IDP and drop you back on the SP.
All the test steps should end with the specified results.