Suppose you are the Service Provider using a COTS federation product and your partner is the Identity Provider using a custom federation solution. Here are some personal recommendations for achieving SAML Single Sign-On in a smooth manner.
- Identify the features you will implement with your partner up front, such as HTTP Binding, Signing, Encryption, Logout, Attribute Query, Account Linking, etc.
- Discuss and agree on the certificate, private key, encryption algorithms, etc.
- Set up a local environment to do a proof of concept with the COTS products and make sure you implement all the agreed features.
- Make sure your partner with the custom federation solution has done a POC, so that you can be sure they are adhering to the SAML standards.
- If your partner has not done any POC in their local environment, you will need to validate their metadata manually before importing it into the Service Provider.
- Once the partner metadata is validated, make sure it is imported into your Service Provider properly. Be heedful of syntactical errors.
- If your partner has tested a SAML response with a dummy client, ask for that SAML response. If the response is encoded, use a SAML decoder and verify that all the elements are present. This is where we ended up wasting a lot of time while running the test and identifying each and every element missing from the SAML response.
- It is always suggested to test the basic federation first, without Signing/Encryption/Attribute Query, etc.
- Once basic federation is tested, signing is the next step.
- Then test the encryption.
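As an added example (not part of the original post), here is a small Python checker for the decode-and-verify step above: it base64-decodes a POST-binding SAMLResponse and reports which elements a basic federation needs but the partner's response lacks, with signature and attribute statement tracked separately for the later test steps. The element list, the sample response and the `example.test` entity IDs are my own assumptions, not taken from the post.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Elements an SP expects in a basic (unsigned, unencrypted) Response; paths are relative to the root.
REQUIRED = {
    "Issuer": "saml:Issuer",
    "StatusCode": "samlp:Status/samlp:StatusCode",
    "Assertion": "saml:Assertion",
    "NameID": "saml:Assertion/saml:Subject/saml:NameID",
    "Conditions": "saml:Assertion/saml:Conditions",
    "Audience": "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience",
    "AuthnStatement": "saml:Assertion/saml:AuthnStatement",
}
# Only needed once signing and attribute exchange are in scope (the later test steps).
OPTIONAL = {"Signature": "saml:Assertion/ds:Signature",
            "AttributeStatement": "saml:Assertion/saml:AttributeStatement"}

def decode_saml_response(encoded: str) -> ET.Element:
    """Base64-decode a POST-binding SAMLResponse value and parse it.
    For untrusted input in production, use a hardened parser such as defusedxml."""
    return ET.fromstring(base64.b64decode(encoded))

def missing_elements(root: ET.Element, expected: dict) -> list:
    """Names of the expected elements that are absent from the Response."""
    return [name for name, path in expected.items() if root.find(path, NS) is None]

def audit_saml_response(encoded: str) -> dict:
    """Summarise what a partner-supplied Response lacks before running a live test."""
    root = decode_saml_response(encoded)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return {"success": code is not None and code.get("Value") == SUCCESS,
            "missing_required": missing_elements(root, REQUIRED),
            "missing_optional": missing_elements(root, OPTIONAL)}

# Constructed sample (not a real partner's output): a Response that omits AuthnStatement.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
<saml:Issuer>https://idp.example.test/</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test/</saml:Issuer>
<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_ENCODED = base64.b64encode(SAMPLE_XML).decode("ascii")
```

Running `audit_saml_response(SAMPLE_ENCODED)` on the constructed sample reports AuthnStatement as the missing required element, which is the kind of gap that is cheaper to catch here than during a live test.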