ciam-es 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. checksums.yaml +7 -0
  2. data/.document +5 -0
  3. data/Gemfile +4 -0
  4. data/README.md +127 -0
  5. data/ciam-es.gemspec +23 -0
  6. data/lib/ciam-es.rb +14 -0
  7. data/lib/ciam/ruby-saml/authrequest.rb +206 -0
  8. data/lib/ciam/ruby-saml/coding.rb +34 -0
  9. data/lib/ciam/ruby-saml/error_handling.rb +27 -0
  10. data/lib/ciam/ruby-saml/logging.rb +26 -0
  11. data/lib/ciam/ruby-saml/logout_request.rb +126 -0
  12. data/lib/ciam/ruby-saml/logout_response.rb +132 -0
  13. data/lib/ciam/ruby-saml/metadata.rb +509 -0
  14. data/lib/ciam/ruby-saml/request.rb +81 -0
  15. data/lib/ciam/ruby-saml/response.rb +683 -0
  16. data/lib/ciam/ruby-saml/settings.rb +89 -0
  17. data/lib/ciam/ruby-saml/utils.rb +225 -0
  18. data/lib/ciam/ruby-saml/validation_error.rb +7 -0
  19. data/lib/ciam/ruby-saml/version.rb +5 -0
  20. data/lib/ciam/xml_security.rb +166 -0
  21. data/lib/ciam/xml_security_new.rb +373 -0
  22. data/lib/schemas/saml20assertion_schema.xsd +283 -0
  23. data/lib/schemas/saml20protocol_schema.xsd +302 -0
  24. data/lib/schemas/xenc_schema.xsd +146 -0
  25. data/lib/schemas/xmldsig_schema.xsd +318 -0
  26. data/test/certificates/certificate1 +12 -0
  27. data/test/logoutrequest_test.rb +98 -0
  28. data/test/request_test.rb +53 -0
  29. data/test/response_test.rb +219 -0
  30. data/test/responses/adfs_response_sha1.xml +46 -0
  31. data/test/responses/adfs_response_sha256.xml +46 -0
  32. data/test/responses/adfs_response_sha384.xml +46 -0
  33. data/test/responses/adfs_response_sha512.xml +46 -0
  34. data/test/responses/no_signature_ns.xml +48 -0
  35. data/test/responses/open_saml_response.xml +56 -0
  36. data/test/responses/response1.xml.base64 +1 -0
  37. data/test/responses/response2.xml.base64 +79 -0
  38. data/test/responses/response3.xml.base64 +66 -0
  39. data/test/responses/response4.xml.base64 +93 -0
  40. data/test/responses/response5.xml.base64 +102 -0
  41. data/test/responses/response_with_ampersands.xml +139 -0
  42. data/test/responses/response_with_ampersands.xml.base64 +93 -0
  43. data/test/responses/simple_saml_php.xml +71 -0
  44. data/test/responses/wrapped_response_2.xml.base64 +150 -0
  45. data/test/settings_test.rb +43 -0
  46. data/test/test_helper.rb +65 -0
  47. data/test/xml_security_test.rb +123 -0
  48. metadata +145 -0
@@ -0,0 +1,12 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD
3
+ YWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv
4
+ Z2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloX
5
+ DTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
6
+ aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX
7
+ BgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
8
+ AoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDug
9
+ MK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0ed
10
+ MOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMB
11
+ AA==
12
+ -----END CERTIFICATE-----
@@ -0,0 +1,98 @@
1
+ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
+
3
+ class RequestTest < Test::Unit::TestCase
4
+
5
+ context "Logoutrequest" do
6
+ settings = Ciam::Saml::Settings.new
7
+
8
+ should "create the deflated SAMLRequest URL parameter" do
9
+ settings.idp_slo_target_url = "http://unauth.com/logout"
10
+ unauth_url = Ciam::Saml::Logoutrequest.new.create(settings)
11
+ assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
12
+
13
+ inflated = decode_saml_request_payload(unauth_url)
14
+
15
+ assert_match /^<samlp:LogoutRequest/, inflated
16
+ end
17
+
18
+ should "support additional params" do
19
+
20
+ unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :hello => nil })
21
+ assert unauth_url =~ /&hello=$/
22
+
23
+ unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :foo => "bar" })
24
+ assert unauth_url =~ /&foo=bar$/
25
+ end
26
+
27
+ should "set sessionindex" do
28
+ settings.idp_slo_target_url = "http://example.com"
29
+ sessionidx = UUID.new.generate
30
+ settings.sessionindex = sessionidx
31
+
32
+ unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
33
+ inflated = decode_saml_request_payload(unauth_url)
34
+
35
+ assert_match /<samlp:SessionIndex/, inflated
36
+ assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
37
+ end
38
+
39
+ should "set name_identifier_value" do
40
+ settings = Ciam::Saml::Settings.new
41
+ settings.idp_slo_target_url = "http://example.com"
42
+ settings.name_identifier_format = "transient"
43
+ name_identifier_value = "abc123"
44
+ settings.name_identifier_value = name_identifier_value
45
+
46
+ unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
47
+ inflated = decode_saml_request_payload(unauth_url)
48
+
49
+ assert_match /<saml:NameID/, inflated
50
+ assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
51
+ end
52
+
53
+ context "when the target url doesn't contain a query string" do
54
+ should "create the SAMLRequest parameter correctly" do
55
+ settings = Ciam::Saml::Settings.new
56
+ settings.idp_slo_target_url = "http://example.com"
57
+
58
+ unauth_url = Ciam::Saml::Logoutrequest.new.create(settings)
59
+ assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
60
+ end
61
+ end
62
+
63
+ context "when the target url contains a query string" do
64
+ should "create the SAMLRequest parameter correctly" do
65
+ settings = Ciam::Saml::Settings.new
66
+ settings.idp_slo_target_url = "http://example.com?field=value"
67
+
68
+ unauth_url = Ciam::Saml::Logoutrequest.new.create(settings)
69
+ assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
70
+ end
71
+ end
72
+
73
+ context "consumation of logout may need to track the transaction" do
74
+ should "have access to the request uuid" do
75
+ settings = Ciam::Saml::Settings.new
76
+ settings.idp_slo_target_url = "http://example.com?field=value"
77
+
78
+ unauth_req = Ciam::Saml::Logoutrequest.new
79
+ unauth_url = unauth_req.create(settings)
80
+
81
+ inflated = decode_saml_request_payload(unauth_url)
82
+ assert_match %r[ID='#{unauth_req.uuid}'], inflated
83
+ end
84
+ end
85
+ end
86
+
87
+ def decode_saml_request_payload(unauth_url)
88
+ payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
89
+ decoded = Base64.decode64(payload)
90
+
91
+ zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
92
+ inflated = zstream.inflate(decoded)
93
+ zstream.finish
94
+ zstream.close
95
+ inflated
96
+ end
97
+
98
+ end
@@ -0,0 +1,53 @@
1
+ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
+
3
+ class RequestTest < Test::Unit::TestCase
4
+
5
+ context "Authrequest" do
6
+ should "create the deflated SAMLRequest URL parameter" do
7
+ settings = Ciam::Saml::Settings.new
8
+ settings.idp_sso_target_url = "http://example.com"
9
+ auth_url = Ciam::Saml::Authrequest.new.create(settings)
10
+ assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
11
+ payload = CGI.unescape(auth_url.split("=").last)
12
+ decoded = Base64.decode64(payload)
13
+
14
+ zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
15
+ inflated = zstream.inflate(decoded)
16
+ zstream.finish
17
+ zstream.close
18
+
19
+ assert_match /^<samlp:AuthnRequest/, inflated
20
+ end
21
+
22
+ should "accept extra parameters" do
23
+ settings = Ciam::Saml::Settings.new
24
+ settings.idp_sso_target_url = "http://example.com"
25
+
26
+ auth_url = Ciam::Saml::Authrequest.new.create(settings, { :hello => "there" })
27
+ assert auth_url =~ /&hello=there$/
28
+
29
+ auth_url = Ciam::Saml::Authrequest.new.create(settings, { :hello => nil })
30
+ assert auth_url =~ /&hello=$/
31
+ end
32
+
33
+ context "when the target url doesn't contain a query string" do
34
+ should "create the SAMLRequest parameter correctly" do
35
+ settings = Ciam::Saml::Settings.new
36
+ settings.idp_sso_target_url = "http://example.com"
37
+
38
+ auth_url = Ciam::Saml::Authrequest.new.create(settings)
39
+ assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
40
+ end
41
+ end
42
+
43
+ context "when the target url contains a query string" do
44
+ should "create the SAMLRequest parameter correctly" do
45
+ settings = Ciam::Saml::Settings.new
46
+ settings.idp_sso_target_url = "http://example.com?field=value"
47
+
48
+ auth_url = Ciam::Saml::Authrequest.new.create(settings)
49
+ assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
50
+ end
51
+ end
52
+ end
53
+ end
@@ -0,0 +1,219 @@
1
+ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
+
3
+ class RubySamlTest < Test::Unit::TestCase
4
+
5
+ context "Response" do
6
+ should "raise an exception when response is initialized with nil" do
7
+ assert_raises(ArgumentError) { Ciam::Saml::Response.new(nil) }
8
+ end
9
+
10
+ should "be able to parse a document which contains ampersands" do
11
+ Ciam::XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
12
+ Ciam::Saml::Response.any_instance.stubs(:validate_conditions).returns(true)
13
+
14
+ response = Ciam::Saml::Response.new(ampersands_response)
15
+ settings = Ciam::Saml::Settings.new
16
+ settings.idp_cert_fingerprint = 'c51985d947f1be57082025050846eb27f6cab783'
17
+ response.settings = settings
18
+ response.validate!
19
+ end
20
+
21
+ should "adapt namespace" do
22
+ response = Ciam::Saml::Response.new(response_document)
23
+ assert !response.name_id.nil?
24
+ response = Ciam::Saml::Response.new(response_document_2)
25
+ assert !response.name_id.nil?
26
+ response = Ciam::Saml::Response.new(response_document_3)
27
+ assert !response.name_id.nil?
28
+ end
29
+
30
+ should "default to raw input when a response is not Base64 encoded" do
31
+ decoded = Base64.decode64(response_document_2)
32
+ response = Ciam::Saml::Response.new(decoded)
33
+ assert response.document
34
+ end
35
+
36
+ context "Assertion" do
37
+ should "only retreive an assertion with an ID that matches the signature's reference URI" do
38
+ response = Ciam::Saml::Response.new(wrapped_response_2)
39
+ response.stubs(:conditions).returns(nil)
40
+ settings = Ciam::Saml::Settings.new
41
+ settings.idp_cert_fingerprint = signature_fingerprint_1
42
+ response.settings = settings
43
+ assert response.name_id.nil?
44
+ end
45
+ end
46
+
47
+ context "#validate!" do
48
+ should "raise when encountering a condition that prevents the document from being valid" do
49
+ response = Ciam::Saml::Response.new(response_document)
50
+ assert_raise(Ciam::Saml::ValidationError) do
51
+ response.validate!
52
+ end
53
+ end
54
+ end
55
+
56
+ context "#is_valid?" do
57
+ should "return false when response is initialized with blank data" do
58
+ response = Ciam::Saml::Response.new('')
59
+ assert !response.is_valid?
60
+ end
61
+
62
+ should "return false if settings have not been set" do
63
+ response = Ciam::Saml::Response.new(response_document)
64
+ assert !response.is_valid?
65
+ end
66
+
67
+ should "return true when the response is initialized with valid data" do
68
+ response = Ciam::Saml::Response.new(response_document_4)
69
+ response.stubs(:conditions).returns(nil)
70
+ assert !response.is_valid?
71
+ settings = Ciam::Saml::Settings.new
72
+ assert !response.is_valid?
73
+ response.settings = settings
74
+ assert !response.is_valid?
75
+ settings.idp_cert_fingerprint = signature_fingerprint_1
76
+ assert response.is_valid?
77
+ end
78
+
79
+ should "return true when using certificate instead of fingerprint" do
80
+ response = Ciam::Saml::Response.new(response_document_4)
81
+ response.stubs(:conditions).returns(nil)
82
+ settings = Ciam::Saml::Settings.new
83
+ response.settings = settings
84
+ settings.idp_cert = signature_1
85
+ assert response.is_valid?
86
+ end
87
+
88
+ should "not allow signature wrapping attack" do
89
+ response = Ciam::Saml::Response.new(response_document_4)
90
+ response.stubs(:conditions).returns(nil)
91
+ settings = Ciam::Saml::Settings.new
92
+ settings.idp_cert_fingerprint = signature_fingerprint_1
93
+ response.settings = settings
94
+ assert response.is_valid?
95
+ assert response.name_id == "test@Ciam.com"
96
+ end
97
+
98
+ should "support dynamic namespace resolution on signature elements" do
99
+ response = Ciam::Saml::Response.new(fixture("no_signature_ns.xml"))
100
+ response.stubs(:conditions).returns(nil)
101
+ settings = Ciam::Saml::Settings.new
102
+ response.settings = settings
103
+ settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
104
+ Ciam::XMLSecurity::SignedDocument.any_instance.expects(:validate_doc).returns(true)
105
+ assert response.validate!
106
+ end
107
+
108
+ should "validate ADFS assertions" do
109
+ response = Ciam::Saml::Response.new(fixture(:adfs_response_sha256))
110
+ response.stubs(:conditions).returns(nil)
111
+ settings = Ciam::Saml::Settings.new
112
+ settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
113
+ response.settings = settings
114
+ assert response.validate!
115
+ end
116
+
117
+ should "validate SAML 2.0 XML structure" do
118
+ resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
119
+ response = Ciam::Saml::Response.new(Base64.encode64(resp_xml))
120
+ response.stubs(:conditions).returns(nil)
121
+ settings = Ciam::Saml::Settings.new
122
+ settings.idp_cert_fingerprint = signature_fingerprint_1
123
+ response.settings = settings
124
+ assert_raises(Ciam::Saml::ValidationError, 'Digest mismatch'){ response.validate! }
125
+ end
126
+ end
127
+
128
+ context "#name_id" do
129
+ should "extract the value of the name id element" do
130
+ response = Ciam::Saml::Response.new(response_document)
131
+ assert_equal "support@Ciam.com", response.name_id
132
+
133
+ response = Ciam::Saml::Response.new(response_document_3)
134
+ assert_equal "someone@example.com", response.name_id
135
+ end
136
+
137
+ should "be extractable from an OpenSAML response" do
138
+ response = Ciam::Saml::Response.new(fixture(:open_saml))
139
+ assert_equal "someone@example.org", response.name_id
140
+ end
141
+
142
+ should "be extractable from a Simple SAML PHP response" do
143
+ response = Ciam::Saml::Response.new(fixture(:simple_saml_php))
144
+ assert_equal "someone@example.com", response.name_id
145
+ end
146
+ end
147
+
148
+ context "#check_conditions" do
149
+ should "check time conditions" do
150
+ response = Ciam::Saml::Response.new(response_document)
151
+ assert !response.send(:validate_conditions, true)
152
+ response = Ciam::Saml::Response.new(response_document_6)
153
+ assert response.send(:validate_conditions, true)
154
+ time = Time.parse("2011-06-14T18:25:01.516Z")
155
+ Time.stubs(:now).returns(time)
156
+ response = Ciam::Saml::Response.new(response_document_5)
157
+ assert response.send(:validate_conditions, true)
158
+ end
159
+ end
160
+
161
+ context "#attributes" do
162
+ should "extract the first attribute in a hash accessed via its symbol" do
163
+ response = Ciam::Saml::Response.new(response_document)
164
+ assert_equal "demo", response.attributes[:uid]
165
+ end
166
+
167
+ should "extract the first attribute in a hash accessed via its name" do
168
+ response = Ciam::Saml::Response.new(response_document)
169
+ assert_equal "demo", response.attributes["uid"]
170
+ end
171
+
172
+ should "extract all attributes" do
173
+ response = Ciam::Saml::Response.new(response_document)
174
+ assert_equal "demo", response.attributes[:uid]
175
+ assert_equal "value", response.attributes[:another_value]
176
+ end
177
+
178
+ should "work for implicit namespaces" do
179
+ response = Ciam::Saml::Response.new(response_document_3)
180
+ assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
181
+ end
182
+
183
+ should "not raise on responses without attributes" do
184
+ response = Ciam::Saml::Response.new(response_document_4)
185
+ assert_equal Hash.new, response.attributes
186
+ end
187
+ end
188
+
189
+ context "#session_expires_at" do
190
+ should "extract the value of the SessionNotOnOrAfter attribute" do
191
+ response = Ciam::Saml::Response.new(response_document)
192
+ assert response.session_expires_at.is_a?(Time)
193
+
194
+ response = Ciam::Saml::Response.new(response_document_2)
195
+ assert response.session_expires_at.nil?
196
+ end
197
+ end
198
+
199
+ context "#issuer" do
200
+ should "return the issuer inside the response assertion" do
201
+ response = Ciam::Saml::Response.new(response_document)
202
+ assert_equal "https://app.Ciam.com/saml/metadata/13590", response.issuer
203
+ end
204
+
205
+ should "return the issuer inside the response" do
206
+ response = Ciam::Saml::Response.new(response_document_2)
207
+ assert_equal "wibble", response.issuer
208
+ end
209
+ end
210
+
211
+ context "#success" do
212
+ should "find a status code that says success" do
213
+ response = Ciam::Saml::Response.new(response_document)
214
+ response.success?
215
+ end
216
+ end
217
+
218
+ end
219
+ end
@@ -0,0 +1,46 @@
1
+ <?xml version="1.0"?>
2
+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
3
+ <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
4
+ <samlp:Status>
5
+ <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
6
+ </samlp:Status>
7
+ <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
8
+ <Issuer>http://login.example.com/issuer</Issuer>
9
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
10
+ <ds:SignedInfo>
11
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
12
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha1"/>
13
+ <ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
14
+ <ds:Transforms>
15
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
16
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
17
+ </ds:Transforms>
18
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
19
+ <ds:DigestValue>tGpkynNC34A5SFqDSfXmPSiIGpU=</ds:DigestValue>
20
+ </ds:Reference>
21
+ </ds:SignedInfo>
22
+ <ds:SignatureValue>WXtmslqh2npLtwhvU8yVx0pvH7E1s8ASksv7VtWirQDFrRRO9k+sNnQcGzA75QNyd6nP+T2e+ofIWyj8G70Rd6gEU4ZmV1vlGVq49Ilc7r/oxauitIuasOvrmpyHCXRbttYeWz4T5xoTCDx9RZQvI4fdrFugrymFT2OREFx1lSk=</ds:SignatureValue>
23
+ <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
24
+ <ds:X509Data>
25
+ <ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
26
+ </ds:X509Data>
27
+ </KeyInfo>
28
+ </ds:Signature>
29
+ <Subject>
30
+ <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
31
+ <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
32
+ <SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
33
+ </SubjectConfirmation>
34
+ </Subject>
35
+ <Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
36
+ <AudienceRestriction>
37
+ <Audience>example.com</Audience>
38
+ </AudienceRestriction>
39
+ </Conditions>
40
+ <AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
41
+ <AuthnContext>
42
+ <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
43
+ </AuthnContext>
44
+ </AuthnStatement>
45
+ </Assertion>
46
+ </samlp:Response>
@@ -0,0 +1,46 @@
1
+ <?xml version="1.0"?>
2
+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
3
+ <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
4
+ <samlp:Status>
5
+ <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
6
+ </samlp:Status>
7
+ <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
8
+ <Issuer>http://login.example.com/issuer</Issuer>
9
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
10
+ <ds:SignedInfo>
11
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
12
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
13
+ <ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
14
+ <ds:Transforms>
15
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
16
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
17
+ </ds:Transforms>
18
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
19
+ <ds:DigestValue>5mUndDm7OQSGNYVTevsJw3JRVZiwvlDnR2nprJ+6Mhc=</ds:DigestValue>
20
+ </ds:Reference>
21
+ </ds:SignedInfo>
22
+ <ds:SignatureValue>MmuXQdjutiuP7soIaB7nk9wSR8OGkmyH5n9aelMTOrV7gTVNDazgQ/GXMmYXTTrhdvGN65duLO0oYdsYGxwNIjlA1lYhoGeBgYuIB/4iKZ6oLSDgjMcQxHkSW1OJ8pIEuUa/3MPUUjaSlTg0me4WRxVdXp34A9Mtlj0DgrK9m0A=</ds:SignatureValue>
23
+ <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
24
+ <ds:X509Data>
25
+ <ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXptZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRVUZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T0RBMU1qVTFPVm9YRFRNeU1EUXgKTXpBMU1qVTFPVm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQW9mR3p4NFZvQzZDSENYdFJPdkVLSFRzRAppNkFBWCtoVWpiSVloeERsZUxMZUNVemZDaVVXOFkwbTVrWkVKbjJXSmt5Si8wRFdPZmE5b0c1ZUg1eXNKSWpVCnpTUjVkMGJldmJZMEV1OHJDTmh3S001UzdYaXltTzBGc09mcnh6TkJxbVRBblE2VFJYT25nY1BYTitXRWd4cmQKZDVoV1V5ZXh2dkQ2d05McWdVRUNBd0VBQWFPQ0FVb3dnZ0ZHTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRMk1xTFZwRnlyVmNNaGFXMzRHanFkTVF6c3dqQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRCQ0JnbGdoa2dCaHZoQ0FRMEVOUll6VkdWemRDQllOVEE1SUdObGNuUWdZM0psWVhSbFpDQm0KYjNJZ1QyNWxURzluYVc0Z1lua2dUR0YzY21WdVkyVWdVR2wwTUlHekJnTlZIU01FZ2Fzd2dhaUFGRFl5b3RXawpYS3RWd3lGcGJmZ2FPcDB4RE96Q29ZR01wSUdKTUlHR01Rc3dDUVlEVlFRR0V3SkJWVEVNTUFvR0ExVUVDQk1EClRsTlhNUTh3RFFZRFZRUUhFd1pUZVdSdVpYa3hEREFLQmdOVkJBb01BMUJKVkRFSk1BY0dBMVVFQ3d3QU1SZ3cKRmdZRFZRUUREQTlzWVhkeVpXNWpaWEJwZEM1amIyMHhKVEFqQmdrcWhraUc5dzBCQ1FFTUZteGhkM0psYm1ObApMbkJwZEVCbmJXRnBiQzVqYjIyQ0FRRXdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFOM2VRMUM5T0JJbVgvdWZGClNIUC9FeUxPQjJPQ1dqdlNpSytNbndQRWsralRRdDZZYXIxMkRacWVnRGhrWC92OGplTWh4VnpwaStBcHA4M0YKYWFmUE54UFJYc01FTFRCblhDQUJ1YzZEakxBaFlvNGQ4TDhCWUovVjlxLzZRMzdNYVZmc0ZKWVVKNmFBQUppWQpwd1RMUWJidFpqaytZc0s5TzZFR1U4ZjE5djg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K</ds:X509Certificate>
26
+ </ds:X509Data>
27
+ </KeyInfo>
28
+ </ds:Signature>
29
+ <Subject>
30
+ <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
31
+ <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
32
+ <SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
33
+ </SubjectConfirmation>
34
+ </Subject>
35
+ <Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
36
+ <AudienceRestriction>
37
+ <Audience>example.com</Audience>
38
+ </AudienceRestriction>
39
+ </Conditions>
40
+ <AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
41
+ <AuthnContext>
42
+ <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
43
+ </AuthnContext>
44
+ </AuthnStatement>
45
+ </Assertion>
46
+ </samlp:Response>