From Fedora Project Wiki

Latest revision as of 16:43, 12 March 2015

Description

Service Provider Installation testing.

Setup

  1. For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty.
  2. The machine needs to be enrolled as an IPA client.

How to test

Installation

First, install the IPA-client packages:

# dnf install freeipa-client

If you installed IPA with DNS, configure /etc/resolv.conf to point to it:

nameserver xx.xx.xx.xx

Enroll the machine against your IPA master:

# ipa-client-install

If you are using the IPA DNS server then it should discover the IPA master and prompt you for credentials to enroll. Use admin and the admin password selected during IPA install.

Install the Ipsilon packages:

# dnf install ipsilon-tools ipsilon-saml2

Configure the SP:

# ipsilon-client-install --saml-idp-metadata https://idp.example.com/idp/saml2/metadata --saml-auth /sp

The metadata will be downloaded from your IDP; since the IDP is on our IPA master, we use that hostname.

We need to open ports 443 and 80 in the firewall:

# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --permanent --add-port=80/tcp
# systemctl restart firewalld

Enable and restart Apache on the SP:

# systemctl enable httpd.service
# systemctl restart httpd.service

Get the metadata from the SP (the path may need to be adjusted to match the hostname of your SP):

# cat /etc/httpd/saml2/sp.example.com/metadata.xml

Alternatively, browse to https://sp.example.com/saml2/metadata and download the file. This second option also verifies that your firewall lets HTTP/HTTPS traffic through and that you have valid X.509 certificates.
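Before pasting the SP metadata into the IDP it is worth a quick sanity check: every endpoint in it should be HTTPS and should sit on the SP's own hostname, which is the mismatch the hostname warnings in this test case are about. The following is an added example (not part of the Fedora test case or of Ipsilon) that parses SAML2 SP metadata with the Python standard library; the sample metadata is constructed and its certificate value is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of the file ipsilon-client-install writes
# (/etc/httpd/saml2/<hostname>/metadata.xml); the certificate is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml2/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://other.example.com/saml2/postResponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, sp_hostname):
    """Return a list of problems found; an empty list means the metadata looks sane."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if urlparse(entity_id).hostname != sp_hostname:
        problems.append(f"entityID {entity_id!r} is not on {sp_hostname}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    if sp.find("md:KeyDescriptor[@use='signing']", NS) is None:
        problems.append("no signing KeyDescriptor (SP cannot sign its requests)")
    # Both the login return endpoint and the logout endpoint must be HTTPS on the SP host.
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        for ep in sp.findall(tag, NS):
            loc = urlparse(ep.get("Location", ""))
            if loc.scheme != "https":
                problems.append(f"{tag} {ep.get('Location')} is not HTTPS")
            if loc.hostname != sp_hostname:
                problems.append(f"{tag} {ep.get('Location')} is not on {sp_hostname}")
    return problems
```

Run it against the real metadata.xml (`check_sp_metadata(open(path).read(), "sp.example.com")`) and fix anything it reports before adding the SP to the IDP.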

Add the SP to the IDP:

  1. On the IDP launch firefox and authenticate to the IDP as the admin user, https://idp.example.com/idp/
  2. Click on Administration.
  3. Select Identity Providers -> SAML2 -> Manage -> Add New
  4. Fill in the Name field. The name you give the SP isn't important.
  5. Paste the SP metadata you previously obtained into the Metadata Text field on the form.
  6. Click the Save button.


Create Content

The installer automatically configures Apache to protect /sp/ so all we need to do is create the directory and add some content.

Create the secure directory and add some content:

# mkdir /var/www/html/sp

Create /var/www/html/sp/index.html with these contents (be sure to modify the hostname in the link to match the hostname of your SP):

<html>
<p>
Congratulations, you're authenticated!
</p>
<p>
<a href="/saml2/logout?ReturnTo=https://sp.example.com/logged_out.html">Log out</a>
</p>
</html>

Create /var/www/html/logged_out.html (note that this isn't in the sp directory) with these contents:

<html>
<title>Logout</title>
<p>
You've been logged out!
</p>
<p>
Now try to <a href="/sp/">log back in</a>
</p>
</html>

We'll verify that everything is working in the next test case.

Expected Results

All the test steps should end with the specified results.