Single Sign On Testing


Could anyone please help in suggesting different ways through which we can test the Single Sign On functionality for Identity Management System.


1 Like

Hello @testerhsp!

My experience with Single Sign On (SSO) has been from a user’s perspective. When an application has been enabled for SSO, I should not expect to see a request for credentials when loading that application. When I turn that around and look at it from a testing perspective, I could review the list of applications that have SSO enabled and verify a handful of them.

From your question, it appears that SSO is set up in the Identity Management System. I would be curious to learn what kinds of evaluations were made by the developer to verify SSO operates as expected and how it interacts with the applications it supports.



In my experience your best starting to point is to identify where a user can go / what they can do once authenticated. Your basic test case would be to make sure their authenticated details are being passed between applications correctly and they are not prevented from accessing anything they should have access to. The opposite will of course be applicable too, are users still prevented from reaching things they should not.

Going a little deeper you can ask how a users credentials are going to be passed between applications. Depending on the architecture this may be passing auth credentials back and forth in a session cookie. Try to find out if there are any rules around this process (timeouts for example) and test them.

Depending on the size of the application you may also want to look into ‘session affinity’. Where your web traffic is being directed by a load balancer or across multiple containers you may need to ensure your users authenticated requests do not lose context when hitting a different node to the one it initially auth’d with.

Thats just a few things that have come up for me before, no doubt there are all kinds of others but hope it helps :slight_smile:

A couple of points I can think of:

  • How is access revoked? If, for example, an admin can force log the user out, ensure that takes efefct across the SSO applications and they do not remain logged into anything
  • Similar to the above, when should the logged in session end? Again ensure when it does the user is logged out of all SSO applications
  • If the SSO is cookie-based, are the cookies encrypted? What if the user has an inprivate browser session, i.e. does the SSO work? What about different browsers and devices, how should SSO work between those?
  • Finally, what logging should take place? For example, is there some central log that all thew applications should write back to? If so, that may be another thing to check

Hope this is of interest/help


Great exploration of risks on this topic, @gerardmccann!

1 Like

Thanks for the helpful suggestions, will try these in my testing.

1 Like

You’ll also want to get the SAML Tracer plug-in for Firefox for testing some you can confirm assertions.

Also, OneLogin has setup a bunch of tools for testing as well.