| Safe Haskell | None |
|---|---|
| Language | GHC2021 |
Test.Spar.MultiIngressSSO
Synopsis
- testMultiIngressSSOGeneralIdp :: HasCallStack => App ()
- testMultiIngressSSODomainBoundIdp :: HasCallStack => App ()
- testSsoWithoutMultiIngress :: HasCallStack => App ()
- checkAuthnRequest :: (HasCallStack, MakesValue domain) => domain -> String -> String -> String -> App ()
- checkAuthnRequestBase :: (HasCallStack, MakesValue domain) => domain -> Maybe String -> String -> String -> String -> App ()
- checkSPMetadata :: (HasCallStack, MakesValue domain) => domain -> String -> String -> App ()
- makeSuccessfulSamlLogin :: MakesValue domain => domain -> String -> String -> String -> String -> (IdPMetadata, SignPrivCreds) -> App ()
- finalizeLoginWithWrongZHost :: (MakesValue domain, HasCallStack) => String -> String -> domain -> String -> String -> (String, (IdPMetadata, SignPrivCreds)) -> App Response
Documentation
testMultiIngressSSOGeneralIdp :: HasCallStack => App () Source #
Test multi-ingress SSO with an IdP that is not bound to a domain.
In this case NO SSO login can happen as a redirect to a common IdP would leak information about relationships to a common backend. Also, in reality it is very hard (to impossible for some IdPs) to find a valid and sound configuration for multiple domains at IdP SaaS.
testMultiIngressSSODomainBoundIdp :: HasCallStack => App () Source #
Test multi-ingress SSO with an IdP that is bound to a domain.
The IdP is created on a multi-ingress domain. The details of managing
multi-ingress IdPs are covered in MultiIngressIdp. Here we want
to test that logins are possible with such an IdP, but only if the request's
and IdP's domains match.
testSsoWithoutMultiIngress :: HasCallStack => App () Source #
Test that without multi-ingress configuration, endpoints are domain-agnostic.
In the standard (non-multi-ingress) case, SAML endpoints work regardless of which domain (Z-Host) is used or if no Z-Host is specified.
checkAuthnRequest :: (HasCallStack, MakesValue domain) => domain -> String -> String -> String -> App () Source #
Check the AuthnRequest by the SP (Wire backend) to be sent to the IdP
Most important: The Issuer must fit to the multi-ingress domain (host).
checkAuthnRequestBase :: (HasCallStack, MakesValue domain) => domain -> Maybe String -> String -> String -> String -> App () Source #
Check the AuthnRequest by the SP (Wire backend) to be sent to the IdP
Compares the Issuer in the request against an expected target host URL. This allows testing that requests to different hosts produce different (or same) Issuer URLs.
checkSPMetadata :: (HasCallStack, MakesValue domain) => domain -> String -> String -> App () Source #
Check the metadata of the ServiceProvider (i.e. of the Wire backend on multi-ingress domain host)
makeSuccessfulSamlLogin :: MakesValue domain => domain -> String -> String -> String -> String -> (IdPMetadata, SignPrivCreds) -> App () Source #
finalizeLoginWithWrongZHost :: (MakesValue domain, HasCallStack) => String -> String -> domain -> String -> String -> (String, (IdPMetadata, SignPrivCreds)) -> App Response Source #