From Fedora Project Wiki

Revision as of 20:36, 5 March 2015 by Rcritten (talk | contribs)


Service Provider Installation testing.


  1. For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty.
  2. The machine needs to be enrolled as an IPA client.

How to test


First, install the IPA-client packages:

# yum install ipa-client

If you installed IPA with DNS then configure /etc/resolv.conf to point to it

nameserver xx.xx.xx.xx

Enroll the machine against your IPA master

# ipa-client-install

If you are using the IPA DNS server then it should discover the IPA master and prompt you for credentials to enroll. Use admin and the admin password selected during IPA install.

Install the Ipsilon packages:

# yum install ipsilon

Configure the SP:

# ipsilon-client-install --saml-idp-metadata --saml-auth /sp

The metadata will be downloaded from your IDP and since the IDP is on our IPA master, we use that name.

Add the SP to the IDP:

On the IDP launch firefox and authenticate to the IDP as the admin user,

Select Identity Providers -> SAML2 -> New

Get the metadata from the SP

# cat /etc/httpd/saml2/

Copy and paste this into the form. The name you give the SP isn't important.

Restart Apache on the SP

# systemctl restart httpd

Create Content

The installer automatically configures Apache to protect /sp/ so all we need to do is create the directory and add some content.


Verify the basics

Forms-based login

Ensure you have no Kerberos credentials:

# kdestroy -A

Bring up your Firefox window and select admin->Logout if you are still logged into the IDP.

Go the protected site you just created on the SP,

You should be prompted with a form login.

User the user that was created during the IPA installation, ttest.

Once you've authenticated you should see a success page and a Logout link. This is a known issue, you should be redirected back to the SP, so let's go there manually. Go back to

You should get the welcome page.

Click Logout

Go back to the SP page, and you should be redirected for login again.

Kerberos-based login

Now we will try login using Kerberos authentication.

Go to a shell and run:

kinit ttest

Go to (or hit reload)

You may see a quick redirect to the IDP, then a return to the SP, and the welcome page displayed. If so then success!

Click Logout

If you click login again it should once again quickly redirect to the IDP and drop you back on the SP.

Expected Results

All the test steps should end with the specified results.