Test Plan for "Create setting to force the user to register/use new credentials for a specific group"

Test Plan

Introduction

This test plan is for https://gitlab.com/gitlab-org/gitlab-ee/issues/6260

The feature introduces a new setting for SSO-connected groups which, when enabled, forces the user to use the account/email associated with the SAML IdP.

Scope

  • The setting is only for SAML SSO enabled groups
  • Does not apply to instance-wide SAML
  • New user flow for SSOing into a GitLab.com group is out of scope

ACC Matrix

The matrix below identifies the Attributes, Components, and Capabilities relevant to the scope of this test plan.

Attributes (columns) are adverbs or adjectives that describe (at a high level) the qualities testing is meant to ensure Components have.

Components (rows) are nouns that define major parts of the product being tested.

Capabilities link Attributes and Components. They are what your product needs to do to make sure a Component fulfils an Attribute.

This feature includes the "Groups" and "Settings" functional areas, so they are included in the matrix.

For more information see the Google Testing Blog article about the 10 minute test plan and this wiki page from an open-source tool that implements the ACC model.

The numbers indicate the count of Capabilities at each intersection of Attribute and Component.

            Secure   Responsive   Intuitive   Reliable
Settings    -        -            1           2
Groups      2        -            -           -
  • Settings is

    • Intuitive
      • It is easy to enable forcing IdP-linked credentials.
    • Reliable
      • Once enabled, the user will be able to log in to the group only with IdP-linked credentials.
      • Once enabled, the user (except group owners) will be forced to either use an existing corporate account linked with the IdP or create a new account.
  • Group is

    • Secure
      • When the setting is enabled, only IdP-managed accounts will be able to sign in to the group via SSO.

Test Cases

The capabilities mentioned above can be used to guide the testing. Some cases that are not completely obvious from the capabilities are listed below. This list, however, should not be considered exhaustive and should only be used as a reference point for actual tests.

When adding new automated tests, please keep testing levels in mind.

Scenario 1: With the setting enabled the first time.

  • All existing users, except group owners, are unlinked from the IdP and removed from the group.

Scenario 2: With the setting enabled the first time, then disabled.

  • The "dedicated accounts" restrictions are removed from the users, but they stay as part of the group.

Scenario 3: With the setting enabled the first time, then disabled and then re-enabled.

  • The users (except group owners) will be required to create new accounts the first time only. On re-enabling the setting, the "dedicated accounts" restrictions are reimposed.
Edited Mar 01, 2019 by Sanad Liaquat