It retrieves the eduGAIN IdPs from eduGAIN Operator Team database via a JSON interface.
For each IdP that it was not manually disabled by the eduGAIN Operations Team or by IdP administrator via "robots.txt", the check verifies the SSL certificate of the IdP, creates a Wayfless URL for each SP involved and retrieves the IdP login page.
It expects to find the HTML form with a username and password field. Therefore, no complete login will happen at the Identity Provider because the check stops at the login page.
The SPs used for the check are "SP Demo" (https://sp-demo.idem.garr.it/shibboleth) from IDEM GARR AAI and the "AAI Viewer Interfederation Test" (https://attribute-viewer.aai.switch.ch/interfederation-test/shibboleth) from SWITCHaai. These SPs might change in the future if needed.
The SAML authentication request is not signed. Therefore, authentication request for any eduGAIN SP could be created because the SP's private key is not needed.
In the end, the check is run again for those IdPs that have not been checked due to a problem met with the headless webdriver and signals if there are problems on the log file.

Statuses and results

The tool uses the following statuses for IdPs:

Status	UI Color	Description and results
ERROR	Red	The IdP's response contains an HTTP Error or the web page returned does not look like a login page. The most probable causes for this error are HTTP errors (e.g.: 404 error) Invalid-Form: considers those IdPs that do not load a standard username/password login page and do not return messages like "No return endpoint available for relying party" or "No metadata found for relying party". Timeout: considers those IdPs that do not load a standard username/password login page within 60 seconds. The IdP most likely does not consume the eduGAIN metadata correctly. A typical case that falls into this category is when an IdP returns a message "No return endpoint available for relying party" or "No metadata found for relying party": No-eduGAIN-Metadata The IdP has a problem with its SSL certificate: SSL-Error
OK	Green	The IdP most likely correctly consumes eduGAIN metadata and returns a valid login page. This is no guarantee that login on this IdP works for all eduGAIN services but if the check is passed for an IdP, this is probable.
DISABLED	White	The IdP is excluded because it cannot be checked reliably. The "Page Source" column, when an entity is disabled, shows the reason for the disabling.

Common reasons for a failed check

Verify that you have a valid SSL certificate matching your IdP hostname and with a valid chain. You can test it yourself with SSL Labs checker: https://www.ssllabs.com/ssltest/
Verify that the IP used by the client that is performing the checks, is permitted to reach your IdP: any firewall in-between must be configured to let pass TCP packets with:
1. source IP X.X.X.X, source port 1024-65535
2. destination YOUR-IDP-IP destination port 443

Verify that your IdP Login page contains a text that matches with both the following regular expressions:

pattern_username = '<input[\s]+[^>]*((type=\s*[\'"](text|email)[\'"]|user)|(name=\s*[\'"](name)[\'"]))[^>]*>';

pattern_password = '<input[\s]+[^>]*(type=\s*[\'"]password[\'"]|password)[^>]*>';

Verify that your robots.txt is not unintentionally disabling ECCS

Limitations

There are some situations where the check cannot work reliably. In those cases, it is possible to disable the check for a particular IdP.
The so far known cases where the check might generate a false negative are:

...

The eduGAIN Connectivity Check 2 test web pages page is available at: https://technical-test.edugain.org/eccs2

...

Page tree

Versions Compared

Old Version 37

New Version 38

Key

Statuses and results

Common reasons for a failed check

Limitations

Page tree

Page History

Versions Compared

Old Version 37

New Version 38

Key

Statuses and results

Common reasons for a failed check

Limitations