The UK federation Test Identity Provider
The UK federation Test IdP allows you to test access to your SP deployment, and can be used for troubleshooting. It is not intended for load testing.
The Display Name of the IdP is "UK federation test IdP" and the entityID is https://test-idp.ukfederation.org.uk/idp/shibboleth. Please note that the entityID is an identifier. It is not the location of the metadata for this IdP. The metadata can be found in the metadata aggregate or MDQ service that your SP uses.
We intend this Test IdP to be self-service as far as possible. If you find that your SP deployment doesn't allow access from the test IdP, please investigate your own system first. Read the error message, check in the logs. If you need more information or want to discuss the errors, you can contact the UK federation helpdesk.
Please note: to use our Test IdP, your SP must either be registered in the UK federation or be imported into the UK federation via eduGAIN.
Accounts and attributes
Several accounts corresponding to typical use cases are available on the Test IdP. Two accounts (Beth and Craig) are based on personas developed by EDINA and the other accounts illustrate other aspects of attribute usage in the UK federation (see also our background page on attributes and authorisation).
As this is an open-access IdP and the credentials are listed below, we cannot assert user accountability.
The IdP releases attributes for each account from the UK federation core attribute set. See section 7 of the UK federation Technical Recommendations for Participants for more information. In the descriptions below, we have used the shorthand name for the attribute rather than the formal URI, since the URI is different depending on whether you are testing SAML 1 or SAML 2 operation. For example, the friendly name eduPersonScopedAffiliation refers to the attribute urn:oid:1.3.6.1.4.1.5923.1.1.1.9 in SAML 2, or urn:mace:dir:attribute-def:eduPersonScopedAffiliation in SAML 1. The value passed in these two protocols is the same, even through the encoding of them into a SAML statement is different.
The eduPersonEntitlement value of http://ukfederation.org.uk/entitlements/example has been created by the UK federation specifically to allow SPs to test for the presence of this attribute. We do not define any meaning to this value and it is not intended to be used in production. It is
documented at http://www.ukfederation.org.uk/entitlements/example.
SPs in the REFEDS Research and Scholarship entity category
This entity category has been developed to facilitate access to collaborative tools and services such as wikis, blogs, project and grant management tools which require some personal information about people accessing the service to work effectively. It is not used for access to licensed content such as e-journals.
IdPs that support the REFEDS Research and Scholarship category, including this Test IdP, will release a defined bundle of personal details (including name and email address) for a subset of their accounts to these SPs. Personal details will be released for all accounts except "Gwen" (subject to explicit consent in the consent screen).
See our documentation on the REFEDS R&S entity category for more details
Alice, an affiliate
An affiliate is a user that has some relationship with the organization but not a full member. A typical use is for someone applying to study at an organization.
username: alice
password: passworda
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | affiliate@test.ukfederation.org.uk |
| eduPersonPrincipalName | alice@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |
Beth, a lecturer
This user is appropriate for any member of staff at an organization. The user is based on the EDINA persona for a lecturer in Higher Education.
username: beth
password: passwordb
| attribute | value |
|---|---|
| eduPersonScopedAfilliation | staff@test.ukfederation.org.uk and member@test.ukfederation.org.uk |
| eduPersonPrincipalName | beth@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |
| eduPersonEntitlement | http://ukfederation.org.uk/entitlements/example |
Craig, a student
This user is appropriate for any full-time or part-time student in education. It is based on the EDINA persona for a PhD student, although is representative of any student in HE or FE.
username: craig
password: passwordc
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | student@test.ukfederation.org.uk and member@test.ukfederation.org.uk |
| eduPersonPrincipalName | craig@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |
| eduPersonEntitlement | http://ukfederation.org.uk/entitlements/example |
Duns, a polymath
This account corresponds to a user who has a complicated relationship with the organization and therefore has two affiliations.
username: duns
password: passwordd
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | affiliate@test.ukfederation.org.uk and member@test.ukfederation.org.uk |
| eduPersonPrincipalName | duns@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |
Ewart, an alumnus
This account represents a person who is no longer a student at the organization.
username: ewart
password: passworde
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | alum@test.ukfederation.org.uk |
| eduPersonPrincipalName | ewart@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |
Library, a library-walk-in user
This account represents a user who has access to library but no other formal association with the organization. Whether such a user gains access to resources will depend on the SP.
username: library
password: passwordl (the letter l)
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | library-walk-in@test.ukfederation.org.uk |
Yanny and Laurel
These accounts represent a pair of users that have an eduPersonTargetedID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) which differs only in case. This can be used to determine whether your SP is handling case-sensitivity correctly. If your system identifies Yanny and Laurel as the same user then your SP or application (or both) is broken and there is a risk that many subjects will be mapped to the same account in your application, and consequent loss of privacy.
The IdP releases the same values of eduPersonTargetedID to all SPs because these accounts are intended to test the case handling of your SP, not the pairwise nature of eduPersonTargetedID.
username: yanny
password: passwordy
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | member@test.ukfederation.org.uk |
| eduPersonPrincipalName | yanny@test.ukfederation.org.uk |
| eduPersonTargetedID (opaque part) | MDFNPC+S2DMY5LJEDWIDDABRELC= |
username: laurel
password: passwordl (the letter l)
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | member@test.ukfederation.org.uk |
| eduPersonPrincipalName | laurel@test.ukfederation.org.uk |
| eduPersonTargetedID (opaque part) | mdFnPC+s2DmY5LjedWIddaBrElc= |
Gwen
Does not release personal information to REFEDS R&S category SPs
username: gwen
password: passwordg
| attributes released | value |
|---|---|
| eduPersonScopedAffiliation | member@test.ukfederation.org.uk |
| eduPersonPrincipalName | gwen@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |
Josiah Carberry
Releases eduPersonOrcid if requested explicitly by means of a RequestedAttribute. Please see the specification at:
username: jcarberr
password: passwordj
| attributes released | value |
|---|---|
| eduPersonPrincipalName | jcarberr@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |
| eduPersonOrcid | https://orcid.org/0000-0002-1825-0097 |
Sylvester
This account is for SPs wishing to start developing authorization policies based on the REFEDS Assurance Framework. The value of eduPersonAssurance for this account is the REFEDS "prefix" only, which indicates that the IdP knows about the REFEDS Assurance Framework. There are no statements on the identity assurance of the account, because there can be none for an account open to the internet.
If you want to know more about the REFEDS Assurance Framework, please contact the UK federation Helpdesk.
username: sylvester
password: passwords
| attributes released | value |
|---|---|
| eduPersonAssurance | https://refeds.org/assurance |
| eduPersonPrincipalName | sylvester@test.ukfederation.org.uk |
| eduPersonTargetedID | depends on the entityID of the SP |