
Monday, 29 September 2008

PingFederate is SAML 2.0 Interoperable - Again !!!

We have just successfully completed another round of SAML 2.0 Interoperability testing that is coordinated by the Liberty Alliance and the Drummond Group. You can get Liberty's take on this here.

For Ping this is always an extremely time-consuming but important exercise. Testing our product with 5 other commercial SAML 2.0 implementations ensures our customers will have continued success when connecting to organizations that do not use PingFederate. We constantly encourage our customers to connect only to SAML 2.0 implementations that are certified as Liberty Interoperable, as connecting with these products has proven to take significantly less effort.

As usual, we focused on the IdP Lite and SP Lite interop profiles, as these include the use cases that our customers actually take advantage of. Most importantly, these tests are not solely focused on 'happy path' testing but also include a significant number of negative tests. For example, the products are all tested to determine how they handle bad digital signatures, assertion replay and expired assertions. This type of testing is critical, as can be seen from the flaw that was found (and since fixed) in Google's SAML 2.0 implementation for Google Apps. One of the negative tests within the Liberty interoperability testing specifically addresses the issue Google ran into, namely that a SAML 2.0 Relying Party is required to ignore any SAML Assertions that do not contain an Audience value scoped to that Relying Party.

8. The Test Harness POSTs a SAML Response containing an assertion which does not contain an AudienceRestriction including the SP's unique identifier as an Audience.

SP CONFIRM: SP rejects the assertion.
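
The check this negative test exercises can be written as follows. This is an added example, not code from PingFederate or the Liberty test harness; the entity IDs and sample assertions are constructed, and it assumes the assertion's signature has already been verified. It goes slightly beyond the quoted test by also applying the SAML 2.0 Core rule that every AudienceRestriction present must be satisfied.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

def audience_ok(assertion_xml, sp_entity_id):
    """True only if the assertion is scoped to sp_entity_id.

    Assumption: the signature over this exact assertion was verified earlier.
    """
    assertion = ET.fromstring(assertion_xml)
    if assertion.tag != "{%s}Assertion" % SAML:
        return False
    restrictions = assertion.findall("saml:Conditions/saml:AudienceRestriction", NS)
    # No AudienceRestriction at all means the assertion is scoped to nobody:
    # reject it, as the negative test above requires.
    if not restrictions:
        return False
    # Each AudienceRestriction must name this SP; inside one restriction a
    # single matching Audience is enough.
    for restriction in restrictions:
        audiences = {(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", NS)}
        if sp_entity_id not in audiences:
            return False
    return True

def make_assertion(*restrictions):
    """Build a constructed, unsigned sample assertion for the checks below."""
    body = "".join(
        "<saml:AudienceRestriction>%s</saml:AudienceRestriction>"
        % "".join("<saml:Audience>%s</saml:Audience>" % a for a in group)
        for group in restrictions)
    conditions = "<saml:Conditions>%s</saml:Conditions>" % body if restrictions else ""
    return '<saml:Assertion xmlns:saml="%s">%s</saml:Assertion>' % (SAML, conditions)

SP = "https://sp.example.com/saml"        # constructed entity ID of this SP
OTHER = "https://other-sp.example.net"    # constructed entity ID of another SP

if __name__ == "__main__":
    samples = [("scoped to this SP", make_assertion([SP])),
               ("scoped to another SP", make_assertion([OTHER])),
               ("no AudienceRestriction", make_assertion()),
               ("two restrictions, one foreign", make_assertion([SP], [OTHER]))]
    for label, xml in samples:
        print(label, "->", "accept" if audience_ok(xml, SP) else "reject")
```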
Posted by pharding at 11:36 AM in IdM
