SSOCheck Rules

A test needs a rule to decide whether it was a success or a failure. For example, we expect the first test to run as a reference SSO flow with unmodified SAML messages; this test must result in a successful sign-on. Other tests, for example one with a wrong signature, should result in a login failure. In those cases a successful login at the Service Provider would actually mean a failed test.

A rule is returned by the SSOCheck Execution API for every test case. The rule defines how the Service Provider should behave when the test is run, i.e. whether the sign-on is expected to succeed or to fail.

One example: if the test is a signature exclusion attack, the SAML Assertion sent to the Service Provider must not lead to a successful single sign-on. In that case the test passes if the sign-on process fails, and the API returns a rule value of 1 (= login should fail).

The rule values are listed in the table below:

Rule definition

Rule value   Test outcome on SSO failure   Description
0            FAIL                          Login should succeed
1            OK                            Login should fail
2            INVALID                       Only partial step (e.g. first request of a replay test)
10           WARN                          Login should succeed – but failure is only a warning
11           WARN                          Login should fail – but success is only a warning

Please note: rules are derived from the specification or from the attack type and may be subject to interpretation.
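The following evaluator shows how a test driver turns the rule value received from the Execution API and the observed sign-on result into a per-test verdict, and how a run of several tests (including the two-step replay case) is summarized. It is an added example, not code from SSOCheck; the rule semantics follow the table above, read together with its Description column (for rule 11 this means OK when login fails and WARN when it unexpectedly succeeds). The `summarize` ranking (FAIL over WARN over OK, INVALID steps ignored), the sample run and its outcomes are constructed assumptions.

```python
"""Evaluate SSOCheck rule values against observed SSO outcomes.

Added example, not part of SSOCheck. Rule semantics follow the
"Rule definition" table; the run aggregation is an assumption.
"""
from enum import Enum


class Verdict(str, Enum):
    OK = "OK"
    FAIL = "FAIL"
    WARN = "WARN"
    INVALID = "INVALID"


# Rule value -> (verdict if login succeeded, verdict if login failed).
# The table only lists the "on SSO failure" column; the "on success"
# column is the complement implied by each rule's description.
RULES = {
    0: (Verdict.OK, Verdict.FAIL),          # login should succeed
    1: (Verdict.FAIL, Verdict.OK),          # login should fail (e.g. signature exclusion)
    2: (Verdict.INVALID, Verdict.INVALID),  # partial step, no verdict on its own
    10: (Verdict.OK, Verdict.WARN),         # should succeed; failure is only a warning
    11: (Verdict.WARN, Verdict.OK),         # should fail; success is only a warning (interpretation)
}


def evaluate(rule: int, login_succeeded: bool) -> Verdict:
    """Map one test's rule value and the observed SP behaviour to a verdict."""
    try:
        on_success, on_failure = RULES[rule]
    except KeyError:
        # Fail closed: an unknown rule value must never be reported as OK.
        raise ValueError(f"unknown SSOCheck rule value {rule!r}") from None
    return on_success if login_succeeded else on_failure


def summarize(verdicts) -> Verdict:
    """Aggregate a run (assumption: FAIL outranks WARN outranks OK; INVALID is ignored)."""
    real = [v for v in verdicts if v is not Verdict.INVALID]
    if Verdict.FAIL in real:
        return Verdict.FAIL
    if Verdict.WARN in real:
        return Verdict.WARN
    return Verdict.OK


# Constructed sample run: (test name, rule value from the API, login succeeded?).
# The replay test is two steps: the first request only primes the SP (rule 2),
# the replayed assertion must then be rejected (rule 1).
SAMPLE_RUN = [
    ("reference flow, unmodified SAML messages", 0, True),
    ("signature exclusion attack", 1, False),
    ("replay test, first request", 2, True),
    ("replay test, replayed assertion", 1, True),   # SP accepted the replay
    ("optional hardening check", 10, False),        # failure only warns
]


def evaluate_run(run):
    """Return [(test name, verdict), ...] for a list of (name, rule, login_succeeded)."""
    return [(name, evaluate(rule, ok)) for name, rule, ok in run]


if __name__ == "__main__":
    results = evaluate_run(SAMPLE_RUN)
    for name, verdict in results:
        print(f"{verdict.value:8} {name}")
    print("overall:", summarize(v for _, v in results).value)
```

An integration that only checks "did the login succeed?" would report the accepted replay as a pass; the rule value is what inverts the meaning of success for attack tests, so the driver must never default an unknown rule to OK.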