The first rule of TestShib is: never trust TestShib.
TestShib's policies dictate its own responsibilities, as well as the responsibilities of the providers that exchange information using it.
TestShib is specifically not intended to support production-level end-user access to protected resources. Organizations operating service providers are strongly discouraged from either releasing or protecting valuable information using TestShib. TestShib may be inaccessible for extended periods of time, and information provided may be inaccurate.
Access to TestShib is provided through OpenIdP.org and ProtectNetwork. At the level of assurance TestShib requires, these providers only verify a non-bouncing email address and make efforts to ensure the identity established through that email address is persistent for that user. No further identity check is performed.
The metadata is available at https://www.testshib.org/metadata/testshib-two-metadata.xml. The TestShib Service Provider and application both make detailed, unanonymized logs publicly available; never send any sensitive information to any part of TestShib.
Attributes
TestShib doesn't define any specific attributes of its own, but it's still important to follow good attribute practices when testing. TestShib's default configuration contains only a limited number of attributes to minimize complexity. Many other useful attributes have been standardized by various organizations, and SAML names have been defined by MACE-Dir. Feel free to define custom attributes, but please name them appropriately.
