Test your OIDC or SAML identity provider endpoint
After a SAML or an OIDC identity provider is configured on an IBM® Verify tenant, you can enable test mode to test and validate the identity provider configuration.
Test mode can determine whether the IDP-generated token includes the intended claims or attributes and whether the attribute mapping that was configured for the IDP works as expected.
When test mode is enabled, append the test=true query parameter to the login URL to log in to test mode. For example, https://{tenantName}/idaas/mtfim/sps/idaas/login?realm_hint=$IdPRealm&test=true.
If the test flow fails, an error page is displayed that shows the cause along with the received token. If the test flow succeeds, the result page is shown. It includes the received token and attribute-mapping results.
Testing your identity provider
- Add the feature isv.beta.VDEV-111550 to your tenant.
- Create an OIDC or SAML identity provider.
- Access https://{tenantName}/idaas/mtfim/sps/idaas/login?realm_hint=$IdPRealm&test=true.
- Log in with your identity provider credentials.
At the end of the test login flow, the login is skipped, and the test result page is shown. It contains the attribute-mapping results and the IDP token.
idsuser claim is mapped to an advanced rule attribute or attached with a transform function. The mapped value is different from the idsuser claim value and the attribute-mapping table in the test page shows the mapped value.
If the token is consumed with an error, the test results page shows the cause of the failure and the IDP token. If the failure happens before the token is extracted and decrypted, the IDP token might display as empty.
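The following added example (not IBM code) builds the test-mode login URL with the realm hint URL-encoded, then checks a received OIDC token for the claims you intend to map. It assumes the token copied from the result page is an ID token in compact JWT form; the function names, tenant, realm, and sample token are hypothetical, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Login path as given on this page; tenant and realm are supplied by the caller.
LOGIN_PATH = "/idaas/mtfim/sps/idaas/login"


def build_test_url(tenant_name: str, idp_realm: str) -> str:
    """Return the test-mode login URL with the realm hint URL-encoded."""
    query = urlencode({"realm_hint": idp_realm, "test": "true"}, quote_via=quote)
    return f"https://{tenant_name}{LOGIN_PATH}?{query}"


def decode_claims(jwt_token: str) -> dict:
    """Decode the payload of a compact JWT for inspection only (no signature check)."""
    parts = jwt_token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def missing_claims(jwt_token: str, expected: list) -> list:
    """Return the expected claim names that are absent or empty in the token."""
    claims = decode_claims(jwt_token)
    return [name for name in expected if claims.get(name) in (None, "", [])]


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token (not from a real tenant); the signature part is a dummy.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "1234", "idsuser": "jdoe@example.com", "email": ""}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(build_test_url("tenant.example.com", "my realm"))
    print(missing_claims(SAMPLE_TOKEN, ["idsuser", "email", "groups"]))
```

A claim that is present but empty is reported as missing, because an empty source value leaves the mapped attribute without usable content.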