The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

User Stories

This page lists some of the use cases that the MCB is meant to solve and the expected behavior in those cases.

All of these test cases assume the following hierarchy of assurance levels:

Password
Bronze
Silver

A higher level can satisfy a lower level (per configuration).

As you test a story, please indicate your initials, the date, and the outcome of the test in your Test Results column.  For example,

  • DHW (11/26/2013): Test successful. v0.9.5
  • DHW (11/26/2013): Test failed.  Lois was not required to re-authenticate. v0.9.5

If you will not be testing a particular story,

  • DHW (11/26/2013):  No test planned.

| Story | Test Results - Paul | Test Results - Mike | Test Results - Keith | Test Results - Dave L |
|---|---|---|---|---|
| 1 - Assume a user has authenticated by a method they are not allowed to use. We present the list they are allowed to use. Should that list be filtered by the RP's requested context list? Alice used "password" for initial authentication. Alice is only allowed "bronze" and "silver". The RP requested "silver". So only show Alice "silver". Do not let her pick "bronze". | PSH (2014-01-05) Success. v0.9.7 | MW (2014-1-10) Success v0.9.7 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) no test planned |
| 2 - Bob tries to access an RP that requests Silver. The IdP is configured to use Password for initial authentication. Verify that Bob has to use Password, then has to use Silver before gaining access to the RP. | PSH (2014-01-05) Success. v0.9.7 | MW (2014-1-10) Success v0.9.7 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 3 - Charlie is allowed only Password. Charlie attempts to access an RP that requires Bronze. The IdP is configured for initial authentication using Password. Verify that Charlie can do initial authentication and then the IdP sends an error to the RP since Charlie can never satisfy the requested context. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 4 - Charlie is allowed only Password. Charlie attempts to access an RP that requires Bronze. The IdP is configured to only present requested contexts to the user. Verify that if Charlie passes authentication using Bronze, he is denied access to the RP based on policy. MCB has been changed to use/show the configured authentication contexts if none of the contexts requested by the RP match the configured ones. So this test should have Bronze in the list of configured context values at minimum. | PSH (2014-01-05) Success. v0.9.7 | MW (2014-1-10) Success v0.9.7 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 5 - Doris is allowed only Bronze or Silver. Doris attempts to access an RP that requires only Password. The IdP is configured to use Password for initial authentication. Verify that if Doris successfully authenticates using Password, the IdP requires her to upgrade authentication to Bronze. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) No test planned |
| 6 - Edgar is allowed Password, Bronze, or Silver. Edgar has already authenticated via Password to an RP that did not request a specific context. Now Edgar accesses an RP that requires Silver. Verify that the IdP forces Edgar to re-authenticate using Silver before granting access to the new RP. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 7 - Francis has authenticated via Bronze to RP1. Francis is allowed both Password and Bronze. Verify that Francis can access RP2, which only requested Password, without re-authentication. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 8 - Gary is allowed Password and Bronze. Gary has authenticated to RP1 via Password. Gary tries to access RP2, which requests Bronze but also requests Passive Authentication. Verify that the access fails since the IdP is unable to upgrade Gary to Bronze and honor the passive request. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 9 - Holly has no assurance levels assigned (i.e. new/misconfigured user). The IdP is configured to show the requested contexts to the user for initial authentication. Holly accesses an RP that requests Password and Holly is able to authenticate successfully. Verify that Holly is denied access based on not having any assurance levels assigned. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 10 - Ingrid is allowed Password, Bronze, and Silver. The IdP is configured to present all methods to the user for initial authentication and the requested only option is set. The RP she accesses requests Silver. Verify that only Silver is presented to Ingrid for login. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) No test planned |
| 11 - In an institution where Silver, Bronze, and Password don't require any additional token/credential check, John has authenticated via Password to RP1. John satisfies Password and Bronze and Silver just by using Password and his registry data. Verify that John can access RP2, which requested Silver, without any additional prompts or UX/UI interruptions. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 12 - Klaus has no assurance levels assigned. The IdP is configured to show the requested contexts to the user for initial authentication. Klaus accesses an RP that does not request an authentication context and Klaus is able to authenticate successfully. Verify that Klaus is allowed access. The option principalAuthnContextRequired must be set to false for this to work. | PSH (2014-01-05) Success. v0.9.7 | MW (2014-1-10) Success v097 | | davel (2013-12-12) No test planned |
| 13 - Lois has already authenticated successfully for a Silver SP during the current session. She then browses to another SP that requires Silver and requested forced re-authentication. Verify that Lois is required to authenticate again. | PSH (2014-01-05) Success. v0.9.7 | MW (2013-12-12) Success v0.9.5 | KW (2013-12-12) Success v0.9.5 | davel (2013-12-12) Success v0.9.5 |
| 14 - Martin is certified for Silver and Bronze and browses to an SP that requests Silver and Password, in that priority order. Verify that Martin is presented with Silver and Bronze authentication options, with Silver options preferred. | PSH (2014-01-05) Success. v0.9.7 | MW (2014-1-10) Success v097 | KW (2013-12-12) Test failed; Only Silver was presented. v0.9.5 | davel (2013-12-12) no test planned |
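
The expected outcomes of most of the stories above can be written as one decision function, which makes the interaction between the user's allowed levels, the RP's request, the existing session, passive and forced re-authentication easier to check. This is an added illustrative model, not MCB code: the function name, its parameters and the return tuples are assumptions, it starts after initial authentication has identified the user, and it treats an RP that requests no context as asking for the lowest level.

```python
# Illustrative model of the stories on this page; not MCB code.
# Function name, parameters and return shapes are assumptions.
LEVELS = ["password", "bronze", "silver"]      # the page's hierarchy, low -> high
RANK = {name: i for i, name in enumerate(LEVELS)}


def satisfies(have, want):
    """A higher level can satisfy a lower level (per configuration)."""
    return RANK[have] >= RANK[want]


def decide(allowed, requested, session=(), passive=False, force=False,
           principal_authn_context_required=True):
    """Return ("allow", ctx), ("prompt", [options]) or ("error", reason)."""
    allowed, session = set(allowed), set(session)
    if not allowed:
        # Stories 9 and 12: a user with no assigned levels gets through only
        # when the RP asks for nothing and principalAuthnContextRequired is false.
        if not requested and not principal_authn_context_required:
            return ("allow", None)
        return ("error", "no assurance levels assigned")

    # Assumption: no requested context behaves like a request for the lowest level.
    wanted = list(requested) or LEVELS[:1]
    # Options follow the RP's priority order, lowest sufficient level first,
    # and contain only contexts the user is allowed to use (stories 1, 14).
    options = []
    for want in wanted:
        for have in sorted(allowed, key=RANK.get):
            if satisfies(have, want) and have not in options:
                options.append(have)
    if not options:
        # Stories 3 and 4: the user can never satisfy the requested context.
        return ("error", "requested context cannot be satisfied")

    # A session context counts only if it is allowed and sufficient (stories 1, 4, 7).
    reusable = [ctx for ctx in options if ctx in session]
    if reusable and not force:
        return ("allow", reusable[0])
    if passive:
        # Story 8: an upgrade needs user interaction, which passive forbids.
        return ("error", "cannot prompt during a passive request")
    return ("prompt", options)                 # stories 2, 5, 6, 13
```

Stories 10 and 11 are outside this model: story 10 concerns what is shown before the user is known, and story 11 depends on one login method being configured to satisfy several contexts.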