Functional test plan #8

Closed
ghost opened this issue Aug 1, 2016 · 4 comments
Comments

@ghost
ghost commented Aug 1, 2016

Describe and enact

@ghost
Author

ghost commented Aug 1, 2016

Comments from James Denman in his delivery of first engagement:

Gents,
Here's the latest VM as of a couple hours ago:
https://s3-us-west-1.amazonaws.com/shib/shibboleth_BETA2.ova
Login to the VM shibboleth/shibboleth
I begin by creating keys for the domain I want to run the Docker container in:
openssl genrsa -out "/home/shibboleth/ssl/tomcat/shib.key" 2048

openssl req -new -key "/home/shibboleth/ssl/tomcat/shib.key" \
                 -out "/home/shibboleth/ssl/tomcat/shib.csr"

openssl x509 -req -days 365 -in "/home/shibboleth/ssl/tomcat/shib.csr" \
                  -signkey "/home/shibboleth/ssl/tomcat/shib.key"  \
                  -out "/home/shibboleth/ssl/tomcat/shib.crt"
openssl rsa -in "/home/shibboleth/ssl/tomcat/shib.key" -text > private.pem
openssl x509 -inform PEM -in "/home/shibboleth/ssl/tomcat/shib.crt" > "/home/shibboleth/ssl/tomcat/shib.pem"

Then, I run $ ./bin/configure.sh, matching the Shib FQDN prompt (idp.testbed.tier.internet2.edu) to the domain/hostname I entered into my Certs.

When prompted for Kerberos FQDN in the ./bin/configure.sh, I enter: testbed.tier.internet2.edu

Then, I run $ ./bin/shibbolth.sh, which starts docker for me. In a few moments, tomcat will be running, exposing a Container port of 8443 to the VM at 443.

You can verify these mappings by running $ docker ps

The logs show Tomcat "INFO: Starting ProtocolHandler ["http-apr-8443"]"

Then, I log into the running Container: $ docker exec -it shibboleth bash

$ curl -k https://localhost:8443/idp/status
$ curl -k https://localhost:8443/idp/shibboleth
$ kinit -V HTTP/idp.testbed.tier.internet2.edu
Using default cache: persistent:0:0

Using principal: HTTP/idp.testbed.tier.internet2.edu@TESTBED.TIER.INTERNET2.EDU

Password for HTTP/idp.testbed.tier.internet2.edu@TESTBED.TIER.INTERNET2.EDU:

kinit: Password incorrect while getting initial credentials

Then, I exit the container. At the VM level, I can try the following commands:

$ curl -k https://idp.testbed.tier.internet2.edu/idp/status

$ curl -k https://localhost/idp/status

$ curl -k https://127.0.0.1/idp/status

These all return connects (access denied). This is fine as it's just a smoke test.

Having set up my VBox network bridges and added idp.testbed.tier.internet2.edu into /etc/hosts for my main HOST laptop, I can visit: https://idp.testbed.tier.internet2.edu/idp/status which has clearly been redirected to my running Container inside of the VM due to Certificate details I created and Google Chrome's default pause page.
I then receive https://idp.testbed.tier.internet2.edu/idp/status in the browser the same error page:

Replace or remove this logo

Web Login Service - Access Denied
You do not have access to the requested resource.
Clicking on https://sp.testbed.tier.internet2.edu/cgi-bin/secure/printenv prompts me to select my IdP FQDN (idp.testbed.tier.internet2.edu) then promptly returns me back to my Container-based browser connection via: https://idp.testbed.tier.internet2.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1
That's pretty much the end of the testing line since we don't have credentials for InCommon or https://cosign0.internet2.edu/cosign-bin/cosign.cgi to upload Certs.
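The certificate generation and smoke-test steps above, collected into a script as an added example; this is not code from the issue, from James Denman's VM, or from the TIER/Shibboleth project. It assumes the same IdP FQDN (idp.testbed.tier.internet2.edu) and a key/cert directory standing in for /home/shibboleth/ssl/tomcat, and the function names (gen_selfsigned, key_cert_match, cert_names_fqdn, mapping_ok, idp_status) are hypothetical. Compared with the transcript it runs openssl non-interactively, puts the FQDN in a subjectAltName as well as the CN, checks that key and certificate actually belong together, and skips the `openssl rsa -text > private.pem` step, which leaves a second, unprotected copy of the private key in the working directory. The `docker ps` line used to check the 443->8443 mapping is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the issue or the Shibboleth project): build the
# Tomcat self-signed certificate for the IdP FQDN, verify it, and wrap the
# smoke tests from the issue in functions. Paths and names are assumptions.
set -eu

IDP_FQDN="${IDP_FQDN:-idp.testbed.tier.internet2.edu}"
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"   # issue uses /home/shibboleth/ssl/tomcat

# Key, CSR and self-signed cert, non-interactive. -subj replaces the prompts;
# the extfile adds a SAN so the cert names the FQDN entered at configure.sh.
gen_selfsigned() {
  openssl genrsa -out "$SSL_DIR/shib.key" 2048 2>/dev/null
  openssl req -new -key "$SSL_DIR/shib.key" -out "$SSL_DIR/shib.csr" \
    -subj "/CN=$IDP_FQDN" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$IDP_FQDN" > "$SSL_DIR/san.cnf"
  openssl x509 -req -days 365 -in "$SSL_DIR/shib.csr" \
    -signkey "$SSL_DIR/shib.key" -out "$SSL_DIR/shib.crt" \
    -extfile "$SSL_DIR/san.cnf" 2>/dev/null
  # PEM copy, as in the issue; the -text dump to private.pem is omitted.
  openssl x509 -inform PEM -in "$SSL_DIR/shib.crt" > "$SSL_DIR/shib.pem"
}

# Key and certificate must share the same RSA modulus, otherwise Tomcat will
# refuse to start its TLS connector (or serve a cert it cannot sign with).
key_cert_match() {
  k=$(openssl rsa -noout -modulus -in "$SSL_DIR/shib.key" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$SSL_DIR/shib.crt")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The certificate must carry the IdP FQDN as a SAN; a CN-only cert is what
# makes browsers stop on the interstitial page mentioned in the issue.
cert_names_fqdn() {
  openssl x509 -noout -text -in "$SSL_DIR/shib.crt" | grep -q "DNS:$IDP_FQDN"
}

# Constructed sample of one `docker ps` line (image name is a placeholder).
SAMPLE_DOCKER_PS='0a1b2c3d4e5f  IMAGE_PLACEHOLDER  "run.sh"  2 minutes ago  Up 2 minutes  0.0.0.0:443->8443/tcp  shibboleth'

# True when the VM's port 443 is published to container port 8443.
mapping_ok() {
  printf '%s\n' "$1" | grep -q '0\.0\.0\.0:443->8443/tcp'
}

# Same curl -k as the issue, but return only the HTTP status code. 200 means
# the IdP answered; a 4xx such as the "Access Denied" page in the issue means
# Tomcat is up but the status page's access control rejected the caller,
# which the issue treats as a passing smoke test. 000 means no connection.
idp_status() {
  curl -k -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" || printf '000'
}

# Run the whole sequence only when asked, so sourcing the file is side-effect free.
if [ "${RUN_SMOKE:-0}" = 1 ]; then
  gen_selfsigned
  key_cert_match && echo "key/cert match: ok"
  cert_names_fqdn && echo "SAN names $IDP_FQDN: ok"
  mapping_ok "$(docker ps --format '{{.Ports}}' 2>/dev/null || true)" \
    && echo "443->8443 mapping: ok"
  for u in "https://$IDP_FQDN/idp/status" https://localhost/idp/status; do
    echo "$u -> HTTP $(idp_status "$u")"
  done
fi
```

Run it on the VM with `RUN_SMOKE=1 SSL_DIR=/home/shibboleth/ssl/tomcat sh smoke.sh` after `./bin/configure.sh`; the port-mapping check reads the Ports column of `docker ps` directly, so it fails cleanly when the container is not up.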

@ghost
Author

ghost commented Aug 1, 2016

https://sp.testbed.tier.internet2.edu/cgi-bin/secure/printenv asks for a domain name-- that will create a request that will refer to your own DNS, forwarding appropriately on to sp.testbed.

@ghost
Author

ghost commented Aug 4, 2016

@cabynum if you want to write down what we do know in a Markdown file in this repo, that would be valuable.

@ghost
Author

ghost commented Aug 5, 2016

Now provided to us from the TIER team, we'll work on integrating their plans into our documentation.

@ghost ghost closed this as completed Aug 5, 2016