Add Subject Identifier Test Cases #12

Open
waldofouche wants to merge 3 commits into GEANT:main from waldofouche:main

@waldofouche
Contributor

Given that the Shibboleth IdP will be running with this plugin: https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/4500914216/OPFederationWIP

It would be good to add a section on SAML/OpenID Federation interoperability. I have started with a simple? (maybe not) case where a relying party is both registered to SAML and OpenID Federation. The end user should appear as the same user, regardless of auth mechanism.

cc @philsmart for additional thoughts

waldofouche changed the title from "feat: Add Federation Interoperability Test Cases" to "Add Federation Interoperability Test Cases" on Dec 2, 2025
@philsmart
Contributor

Hi Waldo,

That is interesting. I hadn't thought of testing that kind of multi-protocol multi-federation approach. A few comments:

  1. For those tests we would require compatible software (multi-protocol), and the flow tests are not specifically about testing all the capabilities of software products. But, if we go ahead, we could add a specific prerequisite for some of the tests.
  2. We would need the service provider to support both protocols or run more than one software stack (SAML and OIDFed).
  3. The SAML flow we would expect to work, and the basic OIDC Fed flow would be covered by other tests. So maybe this is specifically a test that we can generate identical/appropriate subject identifiers? If so, maybe it could be scoped like that in the tests i.e., the test is that the OP generates 'suitable/appropriate/saml-identical' subject identifiers (which could be a bigger topic and set of tests about identifier generation/type).

So yeah, I do see the value in having tests about subject identifier generation for OPs, but we might not need active dual federation stacks and topologies to support that, not sure. Probably overlaps with the policies WG as well.

@waldofouche
Contributor Author

waldofouche commented Dec 3, 2025

Hi Phil,

Thanks for your thoughts. I agree that it would be better scoped to being able to generate 'suitable/appropriate/saml-identical' subject identifiers. I've updated the docco c9eaf49

The main use-case I was considering was that since IdPs will support both protocols, it would be reasonable to ensure that SPs should be compatible with the generated identifiers from both stacks, so that when the time comes, migrating from SAML -> OpenID Federation is simpler.

SP implementation would vary wildly, but having the generation customizable from the OP side would be enough to satisfy this test case.

waldofouche changed the title from "Add Federation Interoperability Test Cases" to "Add Subject Identifier Test Cases" on Dec 3, 2025
@philsmart
Contributor

Having tests for identifiers seems like a good idea to me. The new test in your updated pull request looks great.

waldofouche marked this pull request as ready for review on December 3, 2025 14:15