Testing the SAML Configuration

If you are testing staff authentication, make sure the login you plan to use has a value in the SSO ID field.

Once you have set up your identity provider (IdP) and completed the metadata exchange, you can test your configuration. The Administration Application contains test routes you can use without having to enable SAML authentication.

To test your SAML configuration:

  1. In the Sierra Administration application, find the Back End Management section, and click SAML Configuration.
  2. Select the Management tab.
  3. Click ENABLE AUTH TEST ROUTES. Sierra enables the testing configuration on the back end of the system and displays links to test patron and staff authentication.

If the button reads AUTH TEST ROUTES DISABLED, you must add an identity provider before you can test your configuration.

  4. Depending on the authentication you want to test, click either Test patron auth or Test staff auth. Sierra displays a login page with links to authenticate using an external IdP service or Sierra's native authentication.
  5. Click the link to sign in using SAML. The external IdP's login page appears.
  6. Enter your credentials, and click Login. The IdP does one of the following:
    • If you entered valid credentials, the IdP authenticates you and redirects you to Sierra, which tries to log you in using the matchpoint you configured for the IdP.
    • If you entered invalid credentials, the IdP displays an error message. Try entering your credentials again.
  7. If prompted by your IdP, enter your consent preferences, and click Accept.
  8. On the test results page, verify that your Sierra login was successful. The system displays one of the following messages:
    • Successful login: "You are logged in as [user]."
    • Unsuccessful login: "Cannot identify your user."

If your login was unsuccessful, ensure you entered the correct information when adding your IdP. Reaching the test results page means you successfully authenticated with the IdP, but Sierra could not match the information returned by the IdP against either the staff SSO ID field (for Staff SAML) or the specified Sierra index (for Patron SAML). To help with your troubleshooting, the test results page displays the available matchpoints from your IdP.

  9. Repeat these steps to test the other route if you are setting up both patron and staff authentication.
  10. When you are finished testing routes, return to the Management tab, and click DISABLE AUTH TEST ROUTES.

If your tests were successful, you can enable SAML authentication.
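When a test ends with "Cannot identify your user," it can help to compare what the IdP actually released with the value stored in the SSO ID field or patron index. The following is an added example, not Innovative's code and not a description of how Sierra performs its match: it assumes you copied the base64 SAMLResponse form value from your browser's developer tools during the test login, and the function names, the sample response, and the stored ID "jdoe" are all constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, illustration only).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>JDoe </saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def released_values(saml_response_b64):
    """Return {source: [values]} for the NameID and each Attribute released."""
    # Diagnostic only: no signature or condition checks; use on your own capture.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        found["NameID"] = [name_id.text]
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        found[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return found

def compare(released, stored_id):
    """Classify every released value against the identifier stored in the record."""
    report = []
    for source, values in released.items():
        for value in values:
            if value == stored_id:
                verdict = "exact"
            elif value.strip().casefold() == stored_id.strip().casefold():
                verdict = "differs only by case or whitespace"
            else:
                verdict = "no match"
            report.append((source, value, verdict))
    return report

if __name__ == "__main__":
    for row in compare(released_values(SAMPLE_B64), "jdoe"):
        print(row)
```

A "differs only by case or whitespace" result points at the stored value or the IdP's attribute release as the place to look; "no match" on every row suggests the IdP is not releasing the attribute you configured as the matchpoint.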