ciam-es 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.document +5 -0
- data/Gemfile +4 -0
- data/README.md +127 -0
- data/ciam-es.gemspec +23 -0
- data/lib/ciam-es.rb +14 -0
- data/lib/ciam/ruby-saml/authrequest.rb +206 -0
- data/lib/ciam/ruby-saml/coding.rb +34 -0
- data/lib/ciam/ruby-saml/error_handling.rb +27 -0
- data/lib/ciam/ruby-saml/logging.rb +26 -0
- data/lib/ciam/ruby-saml/logout_request.rb +126 -0
- data/lib/ciam/ruby-saml/logout_response.rb +132 -0
- data/lib/ciam/ruby-saml/metadata.rb +509 -0
- data/lib/ciam/ruby-saml/request.rb +81 -0
- data/lib/ciam/ruby-saml/response.rb +683 -0
- data/lib/ciam/ruby-saml/settings.rb +89 -0
- data/lib/ciam/ruby-saml/utils.rb +225 -0
- data/lib/ciam/ruby-saml/validation_error.rb +7 -0
- data/lib/ciam/ruby-saml/version.rb +5 -0
- data/lib/ciam/xml_security.rb +166 -0
- data/lib/ciam/xml_security_new.rb +373 -0
- data/lib/schemas/saml20assertion_schema.xsd +283 -0
- data/lib/schemas/saml20protocol_schema.xsd +302 -0
- data/lib/schemas/xenc_schema.xsd +146 -0
- data/lib/schemas/xmldsig_schema.xsd +318 -0
- data/test/certificates/certificate1 +12 -0
- data/test/logoutrequest_test.rb +98 -0
- data/test/request_test.rb +53 -0
- data/test/response_test.rb +219 -0
- data/test/responses/adfs_response_sha1.xml +46 -0
- data/test/responses/adfs_response_sha256.xml +46 -0
- data/test/responses/adfs_response_sha384.xml +46 -0
- data/test/responses/adfs_response_sha512.xml +46 -0
- data/test/responses/no_signature_ns.xml +48 -0
- data/test/responses/open_saml_response.xml +56 -0
- data/test/responses/response1.xml.base64 +1 -0
- data/test/responses/response2.xml.base64 +79 -0
- data/test/responses/response3.xml.base64 +66 -0
- data/test/responses/response4.xml.base64 +93 -0
- data/test/responses/response5.xml.base64 +102 -0
- data/test/responses/response_with_ampersands.xml +139 -0
- data/test/responses/response_with_ampersands.xml.base64 +93 -0
- data/test/responses/simple_saml_php.xml +71 -0
- data/test/responses/wrapped_response_2.xml.base64 +150 -0
- data/test/settings_test.rb +43 -0
- data/test/test_helper.rb +65 -0
- data/test/xml_security_test.rb +123 -0
- metadata +145 -0
@@ -0,0 +1,12 @@
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
2
|
+
MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD
|
3
|
+
YWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv
|
4
|
+
Z2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloX
|
5
|
+
DTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
|
6
|
+
aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX
|
7
|
+
BgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
8
|
+
AoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDug
|
9
|
+
MK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0ed
|
10
|
+
MOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMB
|
11
|
+
AA==
|
12
|
+
-----END CERTIFICATE-----
|
@@ -0,0 +1,98 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RequestTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Logoutrequest" do
|
6
|
+
settings = Ciam::Saml::Settings.new
|
7
|
+
|
8
|
+
should "create the deflated SAMLRequest URL parameter" do
|
9
|
+
settings.idp_slo_target_url = "http://unauth.com/logout"
|
10
|
+
unauth_url = Ciam::Saml::Logoutrequest.new.create(settings)
|
11
|
+
assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
|
12
|
+
|
13
|
+
inflated = decode_saml_request_payload(unauth_url)
|
14
|
+
|
15
|
+
assert_match /^<samlp:LogoutRequest/, inflated
|
16
|
+
end
|
17
|
+
|
18
|
+
should "support additional params" do
|
19
|
+
|
20
|
+
unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :hello => nil })
|
21
|
+
assert unauth_url =~ /&hello=$/
|
22
|
+
|
23
|
+
unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :foo => "bar" })
|
24
|
+
assert unauth_url =~ /&foo=bar$/
|
25
|
+
end
|
26
|
+
|
27
|
+
should "set sessionindex" do
|
28
|
+
settings.idp_slo_target_url = "http://example.com"
|
29
|
+
sessionidx = UUID.new.generate
|
30
|
+
settings.sessionindex = sessionidx
|
31
|
+
|
32
|
+
unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
|
33
|
+
inflated = decode_saml_request_payload(unauth_url)
|
34
|
+
|
35
|
+
assert_match /<samlp:SessionIndex/, inflated
|
36
|
+
assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
|
37
|
+
end
|
38
|
+
|
39
|
+
should "set name_identifier_value" do
|
40
|
+
settings = Ciam::Saml::Settings.new
|
41
|
+
settings.idp_slo_target_url = "http://example.com"
|
42
|
+
settings.name_identifier_format = "transient"
|
43
|
+
name_identifier_value = "abc123"
|
44
|
+
settings.name_identifier_value = name_identifier_value
|
45
|
+
|
46
|
+
unauth_url = Ciam::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
|
47
|
+
inflated = decode_saml_request_payload(unauth_url)
|
48
|
+
|
49
|
+
assert_match /<saml:NameID/, inflated
|
50
|
+
assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
|
51
|
+
end
|
52
|
+
|
53
|
+
context "when the target url doesn't contain a query string" do
|
54
|
+
should "create the SAMLRequest parameter correctly" do
|
55
|
+
settings = Ciam::Saml::Settings.new
|
56
|
+
settings.idp_slo_target_url = "http://example.com"
|
57
|
+
|
58
|
+
unauth_url = Ciam::Saml::Logoutrequest.new.create(settings)
|
59
|
+
assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
60
|
+
end
|
61
|
+
end
|
62
|
+
|
63
|
+
context "when the target url contains a query string" do
|
64
|
+
should "create the SAMLRequest parameter correctly" do
|
65
|
+
settings = Ciam::Saml::Settings.new
|
66
|
+
settings.idp_slo_target_url = "http://example.com?field=value"
|
67
|
+
|
68
|
+
unauth_url = Ciam::Saml::Logoutrequest.new.create(settings)
|
69
|
+
assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
|
70
|
+
end
|
71
|
+
end
|
72
|
+
|
73
|
+
context "consumation of logout may need to track the transaction" do
|
74
|
+
should "have access to the request uuid" do
|
75
|
+
settings = Ciam::Saml::Settings.new
|
76
|
+
settings.idp_slo_target_url = "http://example.com?field=value"
|
77
|
+
|
78
|
+
unauth_req = Ciam::Saml::Logoutrequest.new
|
79
|
+
unauth_url = unauth_req.create(settings)
|
80
|
+
|
81
|
+
inflated = decode_saml_request_payload(unauth_url)
|
82
|
+
assert_match %r[ID='#{unauth_req.uuid}'], inflated
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
86
|
+
|
87
|
+
def decode_saml_request_payload(unauth_url)
|
88
|
+
payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
|
89
|
+
decoded = Base64.decode64(payload)
|
90
|
+
|
91
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
92
|
+
inflated = zstream.inflate(decoded)
|
93
|
+
zstream.finish
|
94
|
+
zstream.close
|
95
|
+
inflated
|
96
|
+
end
|
97
|
+
|
98
|
+
end
|
@@ -0,0 +1,53 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RequestTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Authrequest" do
|
6
|
+
should "create the deflated SAMLRequest URL parameter" do
|
7
|
+
settings = Ciam::Saml::Settings.new
|
8
|
+
settings.idp_sso_target_url = "http://example.com"
|
9
|
+
auth_url = Ciam::Saml::Authrequest.new.create(settings)
|
10
|
+
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
11
|
+
payload = CGI.unescape(auth_url.split("=").last)
|
12
|
+
decoded = Base64.decode64(payload)
|
13
|
+
|
14
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
15
|
+
inflated = zstream.inflate(decoded)
|
16
|
+
zstream.finish
|
17
|
+
zstream.close
|
18
|
+
|
19
|
+
assert_match /^<samlp:AuthnRequest/, inflated
|
20
|
+
end
|
21
|
+
|
22
|
+
should "accept extra parameters" do
|
23
|
+
settings = Ciam::Saml::Settings.new
|
24
|
+
settings.idp_sso_target_url = "http://example.com"
|
25
|
+
|
26
|
+
auth_url = Ciam::Saml::Authrequest.new.create(settings, { :hello => "there" })
|
27
|
+
assert auth_url =~ /&hello=there$/
|
28
|
+
|
29
|
+
auth_url = Ciam::Saml::Authrequest.new.create(settings, { :hello => nil })
|
30
|
+
assert auth_url =~ /&hello=$/
|
31
|
+
end
|
32
|
+
|
33
|
+
context "when the target url doesn't contain a query string" do
|
34
|
+
should "create the SAMLRequest parameter correctly" do
|
35
|
+
settings = Ciam::Saml::Settings.new
|
36
|
+
settings.idp_sso_target_url = "http://example.com"
|
37
|
+
|
38
|
+
auth_url = Ciam::Saml::Authrequest.new.create(settings)
|
39
|
+
assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
context "when the target url contains a query string" do
|
44
|
+
should "create the SAMLRequest parameter correctly" do
|
45
|
+
settings = Ciam::Saml::Settings.new
|
46
|
+
settings.idp_sso_target_url = "http://example.com?field=value"
|
47
|
+
|
48
|
+
auth_url = Ciam::Saml::Authrequest.new.create(settings)
|
49
|
+
assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
@@ -0,0 +1,219 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RubySamlTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Response" do
|
6
|
+
should "raise an exception when response is initialized with nil" do
|
7
|
+
assert_raises(ArgumentError) { Ciam::Saml::Response.new(nil) }
|
8
|
+
end
|
9
|
+
|
10
|
+
should "be able to parse a document which contains ampersands" do
|
11
|
+
Ciam::XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
|
12
|
+
Ciam::Saml::Response.any_instance.stubs(:validate_conditions).returns(true)
|
13
|
+
|
14
|
+
response = Ciam::Saml::Response.new(ampersands_response)
|
15
|
+
settings = Ciam::Saml::Settings.new
|
16
|
+
settings.idp_cert_fingerprint = 'c51985d947f1be57082025050846eb27f6cab783'
|
17
|
+
response.settings = settings
|
18
|
+
response.validate!
|
19
|
+
end
|
20
|
+
|
21
|
+
should "adapt namespace" do
|
22
|
+
response = Ciam::Saml::Response.new(response_document)
|
23
|
+
assert !response.name_id.nil?
|
24
|
+
response = Ciam::Saml::Response.new(response_document_2)
|
25
|
+
assert !response.name_id.nil?
|
26
|
+
response = Ciam::Saml::Response.new(response_document_3)
|
27
|
+
assert !response.name_id.nil?
|
28
|
+
end
|
29
|
+
|
30
|
+
should "default to raw input when a response is not Base64 encoded" do
|
31
|
+
decoded = Base64.decode64(response_document_2)
|
32
|
+
response = Ciam::Saml::Response.new(decoded)
|
33
|
+
assert response.document
|
34
|
+
end
|
35
|
+
|
36
|
+
context "Assertion" do
|
37
|
+
should "only retreive an assertion with an ID that matches the signature's reference URI" do
|
38
|
+
response = Ciam::Saml::Response.new(wrapped_response_2)
|
39
|
+
response.stubs(:conditions).returns(nil)
|
40
|
+
settings = Ciam::Saml::Settings.new
|
41
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
42
|
+
response.settings = settings
|
43
|
+
assert response.name_id.nil?
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
context "#validate!" do
|
48
|
+
should "raise when encountering a condition that prevents the document from being valid" do
|
49
|
+
response = Ciam::Saml::Response.new(response_document)
|
50
|
+
assert_raise(Ciam::Saml::ValidationError) do
|
51
|
+
response.validate!
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
context "#is_valid?" do
|
57
|
+
should "return false when response is initialized with blank data" do
|
58
|
+
response = Ciam::Saml::Response.new('')
|
59
|
+
assert !response.is_valid?
|
60
|
+
end
|
61
|
+
|
62
|
+
should "return false if settings have not been set" do
|
63
|
+
response = Ciam::Saml::Response.new(response_document)
|
64
|
+
assert !response.is_valid?
|
65
|
+
end
|
66
|
+
|
67
|
+
should "return true when the response is initialized with valid data" do
|
68
|
+
response = Ciam::Saml::Response.new(response_document_4)
|
69
|
+
response.stubs(:conditions).returns(nil)
|
70
|
+
assert !response.is_valid?
|
71
|
+
settings = Ciam::Saml::Settings.new
|
72
|
+
assert !response.is_valid?
|
73
|
+
response.settings = settings
|
74
|
+
assert !response.is_valid?
|
75
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
76
|
+
assert response.is_valid?
|
77
|
+
end
|
78
|
+
|
79
|
+
should "return true when using certificate instead of fingerprint" do
|
80
|
+
response = Ciam::Saml::Response.new(response_document_4)
|
81
|
+
response.stubs(:conditions).returns(nil)
|
82
|
+
settings = Ciam::Saml::Settings.new
|
83
|
+
response.settings = settings
|
84
|
+
settings.idp_cert = signature_1
|
85
|
+
assert response.is_valid?
|
86
|
+
end
|
87
|
+
|
88
|
+
should "not allow signature wrapping attack" do
|
89
|
+
response = Ciam::Saml::Response.new(response_document_4)
|
90
|
+
response.stubs(:conditions).returns(nil)
|
91
|
+
settings = Ciam::Saml::Settings.new
|
92
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
93
|
+
response.settings = settings
|
94
|
+
assert response.is_valid?
|
95
|
+
assert response.name_id == "test@Ciam.com"
|
96
|
+
end
|
97
|
+
|
98
|
+
should "support dynamic namespace resolution on signature elements" do
|
99
|
+
response = Ciam::Saml::Response.new(fixture("no_signature_ns.xml"))
|
100
|
+
response.stubs(:conditions).returns(nil)
|
101
|
+
settings = Ciam::Saml::Settings.new
|
102
|
+
response.settings = settings
|
103
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
104
|
+
Ciam::XMLSecurity::SignedDocument.any_instance.expects(:validate_doc).returns(true)
|
105
|
+
assert response.validate!
|
106
|
+
end
|
107
|
+
|
108
|
+
should "validate ADFS assertions" do
|
109
|
+
response = Ciam::Saml::Response.new(fixture(:adfs_response_sha256))
|
110
|
+
response.stubs(:conditions).returns(nil)
|
111
|
+
settings = Ciam::Saml::Settings.new
|
112
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
113
|
+
response.settings = settings
|
114
|
+
assert response.validate!
|
115
|
+
end
|
116
|
+
|
117
|
+
should "validate SAML 2.0 XML structure" do
|
118
|
+
resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
|
119
|
+
response = Ciam::Saml::Response.new(Base64.encode64(resp_xml))
|
120
|
+
response.stubs(:conditions).returns(nil)
|
121
|
+
settings = Ciam::Saml::Settings.new
|
122
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
123
|
+
response.settings = settings
|
124
|
+
assert_raises(Ciam::Saml::ValidationError, 'Digest mismatch'){ response.validate! }
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
128
|
+
context "#name_id" do
|
129
|
+
should "extract the value of the name id element" do
|
130
|
+
response = Ciam::Saml::Response.new(response_document)
|
131
|
+
assert_equal "support@Ciam.com", response.name_id
|
132
|
+
|
133
|
+
response = Ciam::Saml::Response.new(response_document_3)
|
134
|
+
assert_equal "someone@example.com", response.name_id
|
135
|
+
end
|
136
|
+
|
137
|
+
should "be extractable from an OpenSAML response" do
|
138
|
+
response = Ciam::Saml::Response.new(fixture(:open_saml))
|
139
|
+
assert_equal "someone@example.org", response.name_id
|
140
|
+
end
|
141
|
+
|
142
|
+
should "be extractable from a Simple SAML PHP response" do
|
143
|
+
response = Ciam::Saml::Response.new(fixture(:simple_saml_php))
|
144
|
+
assert_equal "someone@example.com", response.name_id
|
145
|
+
end
|
146
|
+
end
|
147
|
+
|
148
|
+
context "#check_conditions" do
|
149
|
+
should "check time conditions" do
|
150
|
+
response = Ciam::Saml::Response.new(response_document)
|
151
|
+
assert !response.send(:validate_conditions, true)
|
152
|
+
response = Ciam::Saml::Response.new(response_document_6)
|
153
|
+
assert response.send(:validate_conditions, true)
|
154
|
+
time = Time.parse("2011-06-14T18:25:01.516Z")
|
155
|
+
Time.stubs(:now).returns(time)
|
156
|
+
response = Ciam::Saml::Response.new(response_document_5)
|
157
|
+
assert response.send(:validate_conditions, true)
|
158
|
+
end
|
159
|
+
end
|
160
|
+
|
161
|
+
context "#attributes" do
|
162
|
+
should "extract the first attribute in a hash accessed via its symbol" do
|
163
|
+
response = Ciam::Saml::Response.new(response_document)
|
164
|
+
assert_equal "demo", response.attributes[:uid]
|
165
|
+
end
|
166
|
+
|
167
|
+
should "extract the first attribute in a hash accessed via its name" do
|
168
|
+
response = Ciam::Saml::Response.new(response_document)
|
169
|
+
assert_equal "demo", response.attributes["uid"]
|
170
|
+
end
|
171
|
+
|
172
|
+
should "extract all attributes" do
|
173
|
+
response = Ciam::Saml::Response.new(response_document)
|
174
|
+
assert_equal "demo", response.attributes[:uid]
|
175
|
+
assert_equal "value", response.attributes[:another_value]
|
176
|
+
end
|
177
|
+
|
178
|
+
should "work for implicit namespaces" do
|
179
|
+
response = Ciam::Saml::Response.new(response_document_3)
|
180
|
+
assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
|
181
|
+
end
|
182
|
+
|
183
|
+
should "not raise on responses without attributes" do
|
184
|
+
response = Ciam::Saml::Response.new(response_document_4)
|
185
|
+
assert_equal Hash.new, response.attributes
|
186
|
+
end
|
187
|
+
end
|
188
|
+
|
189
|
+
context "#session_expires_at" do
|
190
|
+
should "extract the value of the SessionNotOnOrAfter attribute" do
|
191
|
+
response = Ciam::Saml::Response.new(response_document)
|
192
|
+
assert response.session_expires_at.is_a?(Time)
|
193
|
+
|
194
|
+
response = Ciam::Saml::Response.new(response_document_2)
|
195
|
+
assert response.session_expires_at.nil?
|
196
|
+
end
|
197
|
+
end
|
198
|
+
|
199
|
+
context "#issuer" do
|
200
|
+
should "return the issuer inside the response assertion" do
|
201
|
+
response = Ciam::Saml::Response.new(response_document)
|
202
|
+
assert_equal "https://app.Ciam.com/saml/metadata/13590", response.issuer
|
203
|
+
end
|
204
|
+
|
205
|
+
should "return the issuer inside the response" do
|
206
|
+
response = Ciam::Saml::Response.new(response_document_2)
|
207
|
+
assert_equal "wibble", response.issuer
|
208
|
+
end
|
209
|
+
end
|
210
|
+
|
211
|
+
context "#success" do
|
212
|
+
should "find a status code that says success" do
|
213
|
+
response = Ciam::Saml::Response.new(response_document)
|
214
|
+
response.success?
|
215
|
+
end
|
216
|
+
end
|
217
|
+
|
218
|
+
end
|
219
|
+
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
<?xml version="1.0"?>
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
4
|
+
<samlp:Status>
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
6
|
+
</samlp:Status>
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
10
|
+
<ds:SignedInfo>
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha1"/>
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
14
|
+
<ds:Transforms>
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
17
|
+
</ds:Transforms>
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
|
19
|
+
<ds:DigestValue>tGpkynNC34A5SFqDSfXmPSiIGpU=</ds:DigestValue>
|
20
|
+
</ds:Reference>
|
21
|
+
</ds:SignedInfo>
|
22
|
+
<ds:SignatureValue>WXtmslqh2npLtwhvU8yVx0pvH7E1s8ASksv7VtWirQDFrRRO9k+sNnQcGzA75QNyd6nP+T2e+ofIWyj8G70Rd6gEU4ZmV1vlGVq49Ilc7r/oxauitIuasOvrmpyHCXRbttYeWz4T5xoTCDx9RZQvI4fdrFugrymFT2OREFx1lSk=</ds:SignatureValue>
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
24
|
+
<ds:X509Data>
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
|
26
|
+
</ds:X509Data>
|
27
|
+
</KeyInfo>
|
28
|
+
</ds:Signature>
|
29
|
+
<Subject>
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
33
|
+
</SubjectConfirmation>
|
34
|
+
</Subject>
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
36
|
+
<AudienceRestriction>
|
37
|
+
<Audience>example.com</Audience>
|
38
|
+
</AudienceRestriction>
|
39
|
+
</Conditions>
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
41
|
+
<AuthnContext>
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
43
|
+
</AuthnContext>
|
44
|
+
</AuthnStatement>
|
45
|
+
</Assertion>
|
46
|
+
</samlp:Response>
|
@@ -0,0 +1,46 @@
|
|
1
|
+
<?xml version="1.0"?>
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
4
|
+
<samlp:Status>
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
6
|
+
</samlp:Status>
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
10
|
+
<ds:SignedInfo>
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
14
|
+
<ds:Transforms>
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
17
|
+
</ds:Transforms>
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
|
19
|
+
<ds:DigestValue>5mUndDm7OQSGNYVTevsJw3JRVZiwvlDnR2nprJ+6Mhc=</ds:DigestValue>
|
20
|
+
</ds:Reference>
|
21
|
+
</ds:SignedInfo>
|
22
|
+
<ds:SignatureValue>MmuXQdjutiuP7soIaB7nk9wSR8OGkmyH5n9aelMTOrV7gTVNDazgQ/GXMmYXTTrhdvGN65duLO0oYdsYGxwNIjlA1lYhoGeBgYuIB/4iKZ6oLSDgjMcQxHkSW1OJ8pIEuUa/3MPUUjaSlTg0me4WRxVdXp34A9Mtlj0DgrK9m0A=</ds:SignatureValue>
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
24
|
+
<ds:X509Data>
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXptZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRVUZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T0RBMU1qVTFPVm9YRFRNeU1EUXgKTXpBMU1qVTFPVm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQW9mR3p4NFZvQzZDSENYdFJPdkVLSFRzRAppNkFBWCtoVWpiSVloeERsZUxMZUNVemZDaVVXOFkwbTVrWkVKbjJXSmt5Si8wRFdPZmE5b0c1ZUg1eXNKSWpVCnpTUjVkMGJldmJZMEV1OHJDTmh3S001UzdYaXltTzBGc09mcnh6TkJxbVRBblE2VFJYT25nY1BYTitXRWd4cmQKZDVoV1V5ZXh2dkQ2d05McWdVRUNBd0VBQWFPQ0FVb3dnZ0ZHTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRMk1xTFZwRnlyVmNNaGFXMzRHanFkTVF6c3dqQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRCQ0JnbGdoa2dCaHZoQ0FRMEVOUll6VkdWemRDQllOVEE1SUdObGNuUWdZM0psWVhSbFpDQm0KYjNJZ1QyNWxURzluYVc0Z1lua2dUR0YzY21WdVkyVWdVR2wwTUlHekJnTlZIU01FZ2Fzd2dhaUFGRFl5b3RXawpYS3RWd3lGcGJmZ2FPcDB4RE96Q29ZR01wSUdKTUlHR01Rc3dDUVlEVlFRR0V3SkJWVEVNTUFvR0ExVUVDQk1EClRsTlhNUTh3RFFZRFZRUUhFd1pUZVdSdVpYa3hEREFLQmdOVkJBb01BMUJKVkRFSk1BY0dBMVVFQ3d3QU1SZ3cKRmdZRFZRUUREQTlzWVhkeVpXNWpaWEJwZEM1amIyMHhKVEFqQmdrcWhraUc5dzBCQ1FFTUZteGhkM0psYm1ObApMbkJwZEVCbmJXRnBiQzVqYjIyQ0FRRXdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFOM2VRMUM5T0JJbVgvdWZGClNIUC9FeUxPQjJPQ1dqdlNpSytNbndQRWsralRRdDZZYXIxMkRacWVnRGhrWC92OGplTWh4VnpwaStBcHA4M0YKYWFmUE54UFJYc01FTFRCblhDQUJ1YzZEakxBaFlvNGQ4TDhCWUovVjlxLzZRMzdNYVZmc0ZKWVVKNmFBQUppWQpwd1RMUWJidFpqaytZc0s5TzZFR1U4ZjE5djg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K</ds:X509Certificate>
|
26
|
+
</ds:X509Data>
|
27
|
+
</KeyInfo>
|
28
|
+
</ds:Signature>
|
29
|
+
<Subject>
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
33
|
+
</SubjectConfirmation>
|
34
|
+
</Subject>
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
36
|
+
<AudienceRestriction>
|
37
|
+
<Audience>example.com</Audience>
|
38
|
+
</AudienceRestriction>
|
39
|
+
</Conditions>
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
41
|
+
<AuthnContext>
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
43
|
+
</AuthnContext>
|
44
|
+
</AuthnStatement>
|
45
|
+
</Assertion>
|
46
|
+
</samlp:Response>
|