KMMR SAML Test

SAML SP Test | IdP Integration, Metadata, and AuthnRequest Checks

Use this public guide when you want to connect to a remote IdP and test this environment as a SAML SP. It covers IdP metadata registration, SP metadata setup, ACS / SLO checks, AuthnRequest tuning, and NameID / attribute verification.

Getting Started

  1. Register the remote IdP metadata
  2. Load this environment's SP metadata into the remote IdP
  3. Start login from the SP test screen and inspect the returned attributes

URLs Used On This Page

  • Metadata: https://sp.samltest.kmmr.jp/metadata/
  • ACS: https://sp.samltest.kmmr.jp/acs/
  • SLO: https://sp.samltest.kmmr.jp/slo/

What You Can Adjust in SP Testing

  • Switch login and logout bindings from the endpoints exposed by the saved metadata.
  • Set RequestedAuthnContext, Comparison, ForceAuthn, and isPassive.
  • Choose whether to send NameIDPolicy and specify its Format and AllowCreate value.
  • Control Scoping IDPList, AudienceRestriction, and whether the AuthnRequest is signed.

What You Can Inspect in SP Testing

  • The console shows the connected IdP, NameID, NameID Format, and SessionIndex after authentication.
  • Returned attributes are listed by name and value.
  • The SAML Response analysis, signature verification results, and decrypted contents are shown when needed.
  • During logout, you can distinguish between local SP logout and remote IdP SLO behavior.

Saved State and Loading UI

Remote metadata is stored only in the current browser session. The loading-screen duration is stored in this browser's localStorage and reused on later visits.

When To Use This SP Test Guide

Use this guide when you need to test SAML login against a remote IdP such as Entra ID, Okta, Keycloak, or another SAML product while treating this site as the SP. The main focus is ACS, EntityID, AuthnRequest behavior, and returned attributes.

SP Test Checklist

  • Collect the remote IdP metadata XML or metadata URL.
  • Make sure the remote IdP can load this environment's SP metadata.
  • Confirm EntityID, ACS URL, SLO URL, and any signing-certificate requirements.
  • Define the expected NameID format, required attributes, and whether signed AuthnRequests are needed.

Common SP Test Failure Points

  • The ACS URL is registered incorrectly, so the browser does not return to the expected location after login.
  • The IdP requires signed AuthnRequests, but request signing is disabled.
  • NameIDPolicy or RequestedAuthnContext is too strict for the IdP configuration.
  • EntityID or certificate data remains stale because the wrong metadata version is still in use.

SAML SP Test FAQ

What can I inspect in SP testing?

You can inspect IdP metadata import, AuthnRequest options, ACS return behavior, NameID, attributes, SAML Response signature verification, and decrypted content when relevant.

What is the ACS URL?

The AssertionConsumerService (ACS) URL is the endpoint where the IdP posts the SAML Response. Registering it incorrectly is one of the most common SP configuration mistakes.

Can this guide help me check SLO?

Yes. You can review the SLO endpoint in metadata and distinguish local SP logout from remote IdP SLO behavior during logout testing.

How is NameID different from attributes?

NameID is the primary subject identifier for the session, while attributes carry additional values such as mail or displayName. Different SPs rely on them differently.

When should I sign the AuthnRequest?

Sign it when the IdP requires signed requests. The environment adds a query signature for HTTP-Redirect and an XML signature for HTTP-POST.
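
To check the failure points listed above from the wire, the following added example (not code from this site) decodes an HTTP-Redirect AuthnRequest and reports its ACS match, ForceAuthn, IsPassive, NameIDPolicy, RequestedAuthnContext Comparison, and whether query-signature parameters are present. The function names, the IdP URL `https://idp.example.test/sso`, and the Issuer value are constructed placeholders; only the ACS URL comes from this page.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
A = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAX_XML = 64 * 1024  # cap inflated size so an oversized request cannot exhaust memory
EXPECTED_ACS = "https://sp.samltest.kmmr.jp/acs/"  # ACS URL listed on this page

def inspect_redirect_request(url, expected_acs=EXPECTED_ACS):
    """Decode an HTTP-Redirect AuthnRequest and report the settings this guide lets you tune."""
    q = parse_qs(urlsplit(url).query)
    # Redirect binding = base64(raw DEFLATE); wbits=-15 means "no zlib header"
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(q["SAMLRequest"][0]), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size limit")
    req = ET.fromstring(xml)
    if req.tag != P + "AuthnRequest":
        raise ValueError("not an AuthnRequest")
    policy = req.find(P + "NameIDPolicy")
    rac = req.find(P + "RequestedAuthnContext")
    return {
        "issuer": req.findtext(A + "Issuer"),
        # Exact string match: a missing trailing slash is already a mismatch
        "acs_matches": req.get("AssertionConsumerServiceURL") == expected_acs,
        "force_authn": req.get("ForceAuthn") in ("true", "1"),
        "is_passive": req.get("IsPassive") in ("true", "1"),
        "nameid_format": None if policy is None else policy.get("Format"),
        "comparison": None if rac is None else rac.get("Comparison"),
        "signed": "SigAlg" in q and "Signature" in q,  # query signature, not XML
    }

def build_constructed_url(acs):
    """Constructed sample: an unsigned AuthnRequest URL as an SP would send it."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z" ForceAuthn="true" AssertionConsumerServiceURL="{acs}">'
        "<saml:Issuer>https://sp.example.test/entity</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>'
        "</samlp:AuthnRequest>"
    )
    c = zlib.compressobj(wbits=-15)
    raw = c.compress(xml.encode()) + c.flush()
    return "https://idp.example.test/sso?" + urlencode(
        {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": "constructed"})

if __name__ == "__main__":
    print(inspect_redirect_request(build_constructed_url(EXPECTED_ACS)))
```

The `signed` field only reports that `SigAlg` and `Signature` are present in the query string; verifying the signature requires the SP signing certificate from the metadata.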
