ruby-saml-nechotech 0.7.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.document +5 -0
- data/.gitignore +11 -0
- data/.travis.yml +5 -0
- data/Gemfile +13 -0
- data/LICENSE +19 -0
- data/README.md +128 -0
- data/Rakefile +41 -0
- data/lib/onelogin/ruby-saml/authrequest.rb +84 -0
- data/lib/onelogin/ruby-saml/logging.rb +26 -0
- data/lib/onelogin/ruby-saml/logoutrequest.rb +82 -0
- data/lib/onelogin/ruby-saml/logoutresponse.rb +154 -0
- data/lib/onelogin/ruby-saml/metadata.rb +66 -0
- data/lib/onelogin/ruby-saml/response.rb +186 -0
- data/lib/onelogin/ruby-saml/settings.rb +27 -0
- data/lib/onelogin/ruby-saml/validation_error.rb +7 -0
- data/lib/onelogin/ruby-saml/version.rb +5 -0
- data/lib/ruby-saml.rb +9 -0
- data/lib/schemas/saml20assertion_schema.xsd +283 -0
- data/lib/schemas/saml20protocol_schema.xsd +302 -0
- data/lib/schemas/xenc_schema.xsd +146 -0
- data/lib/schemas/xmldsig_schema.xsd +318 -0
- data/lib/xml_security.rb +169 -0
- data/ruby-saml-nechotech.gemspec +29 -0
- data/test/certificates/certificate1 +12 -0
- data/test/certificates/r1_certificate2_base64 +1 -0
- data/test/logoutrequest_test.rb +111 -0
- data/test/logoutresponse_test.rb +116 -0
- data/test/request_test.rb +97 -0
- data/test/response_test.rb +247 -0
- data/test/responses/adfs_response_sha1.xml +46 -0
- data/test/responses/adfs_response_sha256.xml +46 -0
- data/test/responses/adfs_response_sha384.xml +46 -0
- data/test/responses/adfs_response_sha512.xml +46 -0
- data/test/responses/logoutresponse_fixtures.rb +67 -0
- data/test/responses/no_signature_ns.xml +48 -0
- data/test/responses/open_saml_response.xml +56 -0
- data/test/responses/r1_response6.xml.base64 +1 -0
- data/test/responses/response1.xml.base64 +1 -0
- data/test/responses/response2.xml.base64 +79 -0
- data/test/responses/response3.xml.base64 +66 -0
- data/test/responses/response4.xml.base64 +93 -0
- data/test/responses/response5.xml.base64 +102 -0
- data/test/responses/response_with_ampersands.xml +139 -0
- data/test/responses/response_with_ampersands.xml.base64 +93 -0
- data/test/responses/simple_saml_php.xml +71 -0
- data/test/responses/starfield_response.xml.base64 +1 -0
- data/test/responses/wrapped_response_2.xml.base64 +150 -0
- data/test/settings_test.rb +46 -0
- data/test/test_helper.rb +75 -0
- data/test/xml_security_test.rb +160 -0
- metadata +189 -0
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
|
2
|
+
require 'rexml/document'
|
|
3
|
+
require 'responses/logoutresponse_fixtures'
|
|
4
|
+
class RubySamlTest < Test::Unit::TestCase
|
|
5
|
+
|
|
6
|
+
context "Logoutresponse" do
|
|
7
|
+
context "#new" do
|
|
8
|
+
should "raise an exception when response is initialized with nil" do
|
|
9
|
+
assert_raises(ArgumentError) { Onelogin::Saml::Logoutresponse.new(nil) }
|
|
10
|
+
end
|
|
11
|
+
should "default to empty settings" do
|
|
12
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new( valid_response)
|
|
13
|
+
assert logoutresponse.settings.nil?
|
|
14
|
+
end
|
|
15
|
+
should "accept constructor-injected settings" do
|
|
16
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, settings)
|
|
17
|
+
assert !logoutresponse.settings.nil?
|
|
18
|
+
end
|
|
19
|
+
should "accept constructor-injected options" do
|
|
20
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
|
|
21
|
+
assert !logoutresponse.options.empty?
|
|
22
|
+
end
|
|
23
|
+
should "support base64 encoded responses" do
|
|
24
|
+
expected_response = valid_response
|
|
25
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(Base64.encode64(expected_response), settings)
|
|
26
|
+
|
|
27
|
+
assert_equal expected_response, logoutresponse.response
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
context "#validate" do
|
|
32
|
+
should "validate the response" do
|
|
33
|
+
in_relation_to_request_id = random_id
|
|
34
|
+
|
|
35
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
|
|
36
|
+
|
|
37
|
+
assert logoutresponse.validate
|
|
38
|
+
|
|
39
|
+
assert_equal settings.issuer, logoutresponse.issuer
|
|
40
|
+
assert_equal in_relation_to_request_id, logoutresponse.in_response_to
|
|
41
|
+
|
|
42
|
+
assert logoutresponse.success?
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
should "invalidate responses with wrong id when given option :matches_uuid" do
|
|
46
|
+
|
|
47
|
+
expected_request_id = "_some_other_expected_uuid"
|
|
48
|
+
opts = { :matches_request_id => expected_request_id}
|
|
49
|
+
|
|
50
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, settings, opts)
|
|
51
|
+
|
|
52
|
+
assert !logoutresponse.validate
|
|
53
|
+
assert_not_equal expected_request_id, logoutresponse.in_response_to
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
should "invalidate responses with wrong request status" do
|
|
57
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response, settings)
|
|
58
|
+
|
|
59
|
+
assert !logoutresponse.validate
|
|
60
|
+
assert !logoutresponse.success?
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
context "#validate!" do
|
|
65
|
+
should "validates good responses" do
|
|
66
|
+
in_relation_to_request_id = random_id
|
|
67
|
+
|
|
68
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
|
|
69
|
+
|
|
70
|
+
logoutresponse.validate!
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
should "raises validation error when matching for wrong request id" do
|
|
74
|
+
|
|
75
|
+
expected_request_id = "_some_other_expected_id"
|
|
76
|
+
opts = { :matches_request_id => expected_request_id}
|
|
77
|
+
|
|
78
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, settings, opts)
|
|
79
|
+
|
|
80
|
+
assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
|
|
81
|
+
end
|
|
82
|
+
|
|
83
|
+
should "raise validation error for wrong request status" do
|
|
84
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response, settings)
|
|
85
|
+
|
|
86
|
+
assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
should "raise validation error when in bad state" do
|
|
90
|
+
# no settings
|
|
91
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response)
|
|
92
|
+
assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
should "raise validation error when in lack of issuer setting" do
|
|
96
|
+
bad_settings = settings
|
|
97
|
+
bad_settings.issuer = nil
|
|
98
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response, bad_settings)
|
|
99
|
+
assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
should "raise error for invalid xml" do
|
|
103
|
+
logoutresponse = Onelogin::Saml::Logoutresponse.new(invalid_xml_response, settings)
|
|
104
|
+
|
|
105
|
+
assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
|
|
106
|
+
end
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
# logoutresponse fixtures
|
|
112
|
+
def random_id
|
|
113
|
+
"_#{UUID.new.generate}"
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
end
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
|
2
|
+
|
|
3
|
+
class RequestTest < Test::Unit::TestCase
|
|
4
|
+
|
|
5
|
+
context "Authrequest" do
|
|
6
|
+
should "create the deflated SAMLRequest URL parameter" do
|
|
7
|
+
settings = Onelogin::Saml::Settings.new
|
|
8
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
9
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
10
|
+
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
11
|
+
payload = CGI.unescape(auth_url.split("=").last)
|
|
12
|
+
decoded = Base64.decode64(payload)
|
|
13
|
+
|
|
14
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
|
15
|
+
inflated = zstream.inflate(decoded)
|
|
16
|
+
zstream.finish
|
|
17
|
+
zstream.close
|
|
18
|
+
|
|
19
|
+
assert_match /^<samlp:AuthnRequest/, inflated
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
should "create the deflated SAMLRequest URL parameter including the Destination" do
|
|
23
|
+
settings = Onelogin::Saml::Settings.new
|
|
24
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
25
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
26
|
+
payload = CGI.unescape(auth_url.split("=").last)
|
|
27
|
+
decoded = Base64.decode64(payload)
|
|
28
|
+
|
|
29
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
|
30
|
+
inflated = zstream.inflate(decoded)
|
|
31
|
+
zstream.finish
|
|
32
|
+
zstream.close
|
|
33
|
+
|
|
34
|
+
assert_match /<samlp:AuthnRequest[^<]* Destination='http:\/\/example.com'/, inflated
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
should "create the SAMLRequest URL parameter without deflating" do
|
|
38
|
+
settings = Onelogin::Saml::Settings.new
|
|
39
|
+
settings.compress_request = false
|
|
40
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
41
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
42
|
+
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
43
|
+
payload = CGI.unescape(auth_url.split("=").last)
|
|
44
|
+
decoded = Base64.decode64(payload)
|
|
45
|
+
|
|
46
|
+
assert_match /^<samlp:AuthnRequest/, decoded
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
should "create the SAMLRequest URL parameter with IsPassive" do
|
|
50
|
+
settings = Onelogin::Saml::Settings.new
|
|
51
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
52
|
+
settings.passive = true
|
|
53
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
54
|
+
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
55
|
+
payload = CGI.unescape(auth_url.split("=").last)
|
|
56
|
+
decoded = Base64.decode64(payload)
|
|
57
|
+
|
|
58
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
|
59
|
+
inflated = zstream.inflate(decoded)
|
|
60
|
+
zstream.finish
|
|
61
|
+
zstream.close
|
|
62
|
+
|
|
63
|
+
assert_match /<samlp:AuthnRequest[^<]* IsPassive='true'/, inflated
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
should "accept extra parameters" do
|
|
67
|
+
settings = Onelogin::Saml::Settings.new
|
|
68
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
69
|
+
|
|
70
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
|
|
71
|
+
assert auth_url =~ /&hello=there$/
|
|
72
|
+
|
|
73
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => nil })
|
|
74
|
+
assert auth_url =~ /&hello=$/
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
context "when the target url doesn't contain a query string" do
|
|
78
|
+
should "create the SAMLRequest parameter correctly" do
|
|
79
|
+
settings = Onelogin::Saml::Settings.new
|
|
80
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
81
|
+
|
|
82
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
83
|
+
assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
context "when the target url contains a query string" do
|
|
88
|
+
should "create the SAMLRequest parameter correctly" do
|
|
89
|
+
settings = Onelogin::Saml::Settings.new
|
|
90
|
+
settings.idp_sso_target_url = "http://example.com?field=value"
|
|
91
|
+
|
|
92
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
93
|
+
assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
end
|
|
@@ -0,0 +1,247 @@
|
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
|
2
|
+
|
|
3
|
+
class RubySamlTest < Test::Unit::TestCase
|
|
4
|
+
|
|
5
|
+
context "Response" do
|
|
6
|
+
should "raise an exception when response is initialized with nil" do
|
|
7
|
+
assert_raises(ArgumentError) { Onelogin::Saml::Response.new(nil) }
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
should "be able to parse a document which contains ampersands" do
|
|
11
|
+
XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
|
|
12
|
+
Onelogin::Saml::Response.any_instance.stubs(:validate_conditions).returns(true)
|
|
13
|
+
|
|
14
|
+
response = Onelogin::Saml::Response.new(ampersands_response)
|
|
15
|
+
settings = Onelogin::Saml::Settings.new
|
|
16
|
+
settings.idp_cert_fingerprint = 'c51985d947f1be57082025050846eb27f6cab783'
|
|
17
|
+
response.settings = settings
|
|
18
|
+
response.validate!
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
should "adapt namespace" do
|
|
22
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
23
|
+
assert !response.name_id.nil?
|
|
24
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
|
25
|
+
assert !response.name_id.nil?
|
|
26
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
|
27
|
+
assert !response.name_id.nil?
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
should "default to raw input when a response is not Base64 encoded" do
|
|
31
|
+
decoded = Base64.decode64(response_document_2)
|
|
32
|
+
response = Onelogin::Saml::Response.new(decoded)
|
|
33
|
+
assert response.document
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
context "Assertion" do
|
|
37
|
+
should "only retreive an assertion with an ID that matches the signature's reference URI" do
|
|
38
|
+
response = Onelogin::Saml::Response.new(wrapped_response_2)
|
|
39
|
+
response.stubs(:conditions).returns(nil)
|
|
40
|
+
settings = Onelogin::Saml::Settings.new
|
|
41
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
42
|
+
response.settings = settings
|
|
43
|
+
assert response.name_id.nil?
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
context "#validate!" do
|
|
48
|
+
should "raise when encountering a condition that prevents the document from being valid" do
|
|
49
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
50
|
+
assert_raise(Onelogin::Saml::ValidationError) do
|
|
51
|
+
response.validate!
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
context "#is_valid?" do
|
|
57
|
+
should "return false when response is initialized with blank data" do
|
|
58
|
+
response = Onelogin::Saml::Response.new('')
|
|
59
|
+
assert !response.is_valid?
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
should "return false if settings have not been set" do
|
|
63
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
64
|
+
assert !response.is_valid?
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
should "return true when the response is initialized with valid data" do
|
|
68
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
|
69
|
+
response.stubs(:conditions).returns(nil)
|
|
70
|
+
assert !response.is_valid?
|
|
71
|
+
settings = Onelogin::Saml::Settings.new
|
|
72
|
+
assert !response.is_valid?
|
|
73
|
+
response.settings = settings
|
|
74
|
+
assert !response.is_valid?
|
|
75
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
76
|
+
assert response.is_valid?
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
should "should be idempotent when the response is initialized with invalid data" do
|
|
80
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
|
81
|
+
response.stubs(:conditions).returns(nil)
|
|
82
|
+
settings = Onelogin::Saml::Settings.new
|
|
83
|
+
response.settings = settings
|
|
84
|
+
assert !response.is_valid?
|
|
85
|
+
assert !response.is_valid?
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
should "should be idempotent when the response is initialized with valid data" do
|
|
89
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
|
90
|
+
response.stubs(:conditions).returns(nil)
|
|
91
|
+
settings = Onelogin::Saml::Settings.new
|
|
92
|
+
response.settings = settings
|
|
93
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
94
|
+
assert response.is_valid?
|
|
95
|
+
assert response.is_valid?
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
should "return true when using certificate instead of fingerprint" do
|
|
99
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
|
100
|
+
response.stubs(:conditions).returns(nil)
|
|
101
|
+
settings = Onelogin::Saml::Settings.new
|
|
102
|
+
response.settings = settings
|
|
103
|
+
settings.idp_cert = signature_1
|
|
104
|
+
assert response.is_valid?
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
should "not allow signature wrapping attack" do
|
|
108
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
|
109
|
+
response.stubs(:conditions).returns(nil)
|
|
110
|
+
settings = Onelogin::Saml::Settings.new
|
|
111
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
112
|
+
response.settings = settings
|
|
113
|
+
assert response.is_valid?
|
|
114
|
+
assert response.name_id == "test@onelogin.com"
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
should "support dynamic namespace resolution on signature elements" do
|
|
118
|
+
response = Onelogin::Saml::Response.new(fixture("no_signature_ns.xml"))
|
|
119
|
+
response.stubs(:conditions).returns(nil)
|
|
120
|
+
settings = Onelogin::Saml::Settings.new
|
|
121
|
+
response.settings = settings
|
|
122
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
|
123
|
+
XMLSecurity::SignedDocument.any_instance.expects(:validate_doc).returns(true)
|
|
124
|
+
assert response.validate!
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
should "validate ADFS assertions" do
|
|
128
|
+
response = Onelogin::Saml::Response.new(fixture(:adfs_response_sha256))
|
|
129
|
+
response.stubs(:conditions).returns(nil)
|
|
130
|
+
settings = Onelogin::Saml::Settings.new
|
|
131
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
|
132
|
+
response.settings = settings
|
|
133
|
+
assert response.validate!
|
|
134
|
+
end
|
|
135
|
+
|
|
136
|
+
should "validate the digest" do
|
|
137
|
+
response = Onelogin::Saml::Response.new(r1_response_document_6)
|
|
138
|
+
response.stubs(:conditions).returns(nil)
|
|
139
|
+
settings = Onelogin::Saml::Settings.new
|
|
140
|
+
settings.idp_cert = Base64.decode64(r1_signature_2)
|
|
141
|
+
response.settings = settings
|
|
142
|
+
assert response.validate!
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
should "validate SAML 2.0 XML structure" do
|
|
146
|
+
resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
|
|
147
|
+
response = Onelogin::Saml::Response.new(Base64.encode64(resp_xml))
|
|
148
|
+
response.stubs(:conditions).returns(nil)
|
|
149
|
+
settings = Onelogin::Saml::Settings.new
|
|
150
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
151
|
+
response.settings = settings
|
|
152
|
+
assert_raises(Onelogin::Saml::ValidationError, 'Digest mismatch'){ response.validate! }
|
|
153
|
+
end
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
context "#name_id" do
|
|
157
|
+
should "extract the value of the name id element" do
|
|
158
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
159
|
+
assert_equal "support@onelogin.com", response.name_id
|
|
160
|
+
|
|
161
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
|
162
|
+
assert_equal "someone@example.com", response.name_id
|
|
163
|
+
end
|
|
164
|
+
|
|
165
|
+
should "be extractable from an OpenSAML response" do
|
|
166
|
+
response = Onelogin::Saml::Response.new(fixture(:open_saml))
|
|
167
|
+
assert_equal "someone@example.org", response.name_id
|
|
168
|
+
end
|
|
169
|
+
|
|
170
|
+
should "be extractable from a Simple SAML PHP response" do
|
|
171
|
+
response = Onelogin::Saml::Response.new(fixture(:simple_saml_php))
|
|
172
|
+
assert_equal "someone@example.com", response.name_id
|
|
173
|
+
end
|
|
174
|
+
end
|
|
175
|
+
|
|
176
|
+
context "#check_conditions" do
|
|
177
|
+
should "check time conditions" do
|
|
178
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
179
|
+
assert !response.send(:validate_conditions, true)
|
|
180
|
+
response = Onelogin::Saml::Response.new(response_document_6)
|
|
181
|
+
assert response.send(:validate_conditions, true)
|
|
182
|
+
time = Time.parse("2011-06-14T18:25:01.516Z")
|
|
183
|
+
Time.stubs(:now).returns(time)
|
|
184
|
+
response = Onelogin::Saml::Response.new(response_document_5)
|
|
185
|
+
assert response.send(:validate_conditions, true)
|
|
186
|
+
end
|
|
187
|
+
end
|
|
188
|
+
|
|
189
|
+
context "#attributes" do
|
|
190
|
+
should "extract the first attribute in a hash accessed via its symbol" do
|
|
191
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
192
|
+
assert_equal "demo", response.attributes[:uid]
|
|
193
|
+
end
|
|
194
|
+
|
|
195
|
+
should "extract the first attribute in a hash accessed via its name" do
|
|
196
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
197
|
+
assert_equal "demo", response.attributes["uid"]
|
|
198
|
+
end
|
|
199
|
+
|
|
200
|
+
should "extract all attributes" do
|
|
201
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
202
|
+
assert_equal "demo", response.attributes[:uid]
|
|
203
|
+
assert_equal "value", response.attributes[:another_value]
|
|
204
|
+
end
|
|
205
|
+
|
|
206
|
+
should "work for implicit namespaces" do
|
|
207
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
|
208
|
+
assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
|
|
209
|
+
end
|
|
210
|
+
|
|
211
|
+
should "not raise on responses without attributes" do
|
|
212
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
|
213
|
+
assert_equal Hash.new, response.attributes
|
|
214
|
+
end
|
|
215
|
+
end
|
|
216
|
+
|
|
217
|
+
context "#session_expires_at" do
|
|
218
|
+
should "extract the value of the SessionNotOnOrAfter attribute" do
|
|
219
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
220
|
+
assert response.session_expires_at.is_a?(Time)
|
|
221
|
+
|
|
222
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
|
223
|
+
assert response.session_expires_at.nil?
|
|
224
|
+
end
|
|
225
|
+
end
|
|
226
|
+
|
|
227
|
+
context "#issuer" do
|
|
228
|
+
should "return the issuer inside the response assertion" do
|
|
229
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
230
|
+
assert_equal "https://app.onelogin.com/saml/metadata/13590", response.issuer
|
|
231
|
+
end
|
|
232
|
+
|
|
233
|
+
should "return the issuer inside the response" do
|
|
234
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
|
235
|
+
assert_equal "wibble", response.issuer
|
|
236
|
+
end
|
|
237
|
+
end
|
|
238
|
+
|
|
239
|
+
context "#success" do
|
|
240
|
+
should "find a status code that says success" do
|
|
241
|
+
response = Onelogin::Saml::Response.new(response_document)
|
|
242
|
+
response.success?
|
|
243
|
+
end
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
end
|
|
247
|
+
end
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
|
4
|
+
<samlp:Status>
|
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
|
6
|
+
</samlp:Status>
|
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
10
|
+
<ds:SignedInfo>
|
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha1"/>
|
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
14
|
+
<ds:Transforms>
|
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
17
|
+
</ds:Transforms>
|
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
|
|
19
|
+
<ds:DigestValue>tGpkynNC34A5SFqDSfXmPSiIGpU=</ds:DigestValue>
|
|
20
|
+
</ds:Reference>
|
|
21
|
+
</ds:SignedInfo>
|
|
22
|
+
<ds:SignatureValue>WXtmslqh2npLtwhvU8yVx0pvH7E1s8ASksv7VtWirQDFrRRO9k+sNnQcGzA75QNyd6nP+T2e+ofIWyj8G70Rd6gEU4ZmV1vlGVq49Ilc7r/oxauitIuasOvrmpyHCXRbttYeWz4T5xoTCDx9RZQvI4fdrFugrymFT2OREFx1lSk=</ds:SignatureValue>
|
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
24
|
+
<ds:X509Data>
|
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
|
|
26
|
+
</ds:X509Data>
|
|
27
|
+
</KeyInfo>
|
|
28
|
+
</ds:Signature>
|
|
29
|
+
<Subject>
|
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
|
33
|
+
</SubjectConfirmation>
|
|
34
|
+
</Subject>
|
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
|
36
|
+
<AudienceRestriction>
|
|
37
|
+
<Audience>example.com</Audience>
|
|
38
|
+
</AudienceRestriction>
|
|
39
|
+
</Conditions>
|
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
41
|
+
<AuthnContext>
|
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
|
43
|
+
</AuthnContext>
|
|
44
|
+
</AuthnStatement>
|
|
45
|
+
</Assertion>
|
|
46
|
+
</samlp:Response>
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
|
4
|
+
<samlp:Status>
|
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
|
6
|
+
</samlp:Status>
|
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
10
|
+
<ds:SignedInfo>
|
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
|
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
14
|
+
<ds:Transforms>
|
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
17
|
+
</ds:Transforms>
|
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
|
|
19
|
+
<ds:DigestValue>5mUndDm7OQSGNYVTevsJw3JRVZiwvlDnR2nprJ+6Mhc=</ds:DigestValue>
|
|
20
|
+
</ds:Reference>
|
|
21
|
+
</ds:SignedInfo>
|
|
22
|
+
<ds:SignatureValue>MmuXQdjutiuP7soIaB7nk9wSR8OGkmyH5n9aelMTOrV7gTVNDazgQ/GXMmYXTTrhdvGN65duLO0oYdsYGxwNIjlA1lYhoGeBgYuIB/4iKZ6oLSDgjMcQxHkSW1OJ8pIEuUa/3MPUUjaSlTg0me4WRxVdXp34A9Mtlj0DgrK9m0A=</ds:SignatureValue>
|
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
24
|
+
<ds:X509Data>
|
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXptZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRVUZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T0RBMU1qVTFPVm9YRFRNeU1EUXgKTXpBMU1qVTFPVm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQW9mR3p4NFZvQzZDSENYdFJPdkVLSFRzRAppNkFBWCtoVWpiSVloeERsZUxMZUNVemZDaVVXOFkwbTVrWkVKbjJXSmt5Si8wRFdPZmE5b0c1ZUg1eXNKSWpVCnpTUjVkMGJldmJZMEV1OHJDTmh3S001UzdYaXltTzBGc09mcnh6TkJxbVRBblE2VFJYT25nY1BYTitXRWd4cmQKZDVoV1V5ZXh2dkQ2d05McWdVRUNBd0VBQWFPQ0FVb3dnZ0ZHTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRMk1xTFZwRnlyVmNNaGFXMzRHanFkTVF6c3dqQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRCQ0JnbGdoa2dCaHZoQ0FRMEVOUll6VkdWemRDQllOVEE1SUdObGNuUWdZM0psWVhSbFpDQm0KYjNJZ1QyNWxURzluYVc0Z1lua2dUR0YzY21WdVkyVWdVR2wwTUlHekJnTlZIU01FZ2Fzd2dhaUFGRFl5b3RXawpYS3RWd3lGcGJmZ2FPcDB4RE96Q29ZR01wSUdKTUlHR01Rc3dDUVlEVlFRR0V3SkJWVEVNTUFvR0ExVUVDQk1EClRsTlhNUTh3RFFZRFZRUUhFd1pUZVdSdVpYa3hEREFLQmdOVkJBb01BMUJKVkRFSk1BY0dBMVVFQ3d3QU1SZ3cKRmdZRFZRUUREQTlzWVhkeVpXNWpaWEJwZEM1amIyMHhKVEFqQmdrcWhraUc5dzBCQ1FFTUZteGhkM0psYm1ObApMbkJwZEVCbmJXRnBiQzVqYjIyQ0FRRXdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFOM2VRMUM5T0JJbVgvdWZGClNIUC9FeUxPQjJPQ1dqdlNpSytNbndQRWsralRRdDZZYXIxMkRacWVnRGhrWC92OGplTWh4VnpwaStBcHA4M0YKYWFmUE54UFJYc01FTFRCblhDQUJ1YzZEakxBaFlvNGQ4TDhCWUovVjlxLzZRMzdNYVZmc0ZKWVVKNmFBQUppWQpwd1RMUWJidFpqaytZc0s5TzZFR1U4ZjE5djg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K</ds:X509Certificate>
|
|
26
|
+
</ds:X509Data>
|
|
27
|
+
</KeyInfo>
|
|
28
|
+
</ds:Signature>
|
|
29
|
+
<Subject>
|
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
|
33
|
+
</SubjectConfirmation>
|
|
34
|
+
</Subject>
|
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
|
36
|
+
<AudienceRestriction>
|
|
37
|
+
<Audience>example.com</Audience>
|
|
38
|
+
</AudienceRestriction>
|
|
39
|
+
</Conditions>
|
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
41
|
+
<AuthnContext>
|
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
|
43
|
+
</AuthnContext>
|
|
44
|
+
</AuthnStatement>
|
|
45
|
+
</Assertion>
|
|
46
|
+
</samlp:Response>
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
|
4
|
+
<samlp:Status>
|
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
|
6
|
+
</samlp:Status>
|
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
10
|
+
<ds:SignedInfo>
|
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
|
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
14
|
+
<ds:Transforms>
|
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
17
|
+
</ds:Transforms>
|
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha384"/>
|
|
19
|
+
<ds:DigestValue>XU0mb78TVA+VwcA71jxe5osjiOzOP/OwDcJ8t/mn2d9+/V2zxejEo9+fkSY2ZR0Z</ds:DigestValue>
|
|
20
|
+
</ds:Reference>
|
|
21
|
+
</ds:SignedInfo>
|
|
22
|
+
<ds:SignatureValue>bq1zDllmAFzx0O3HAAoedSqQIl/n2+mK2Vx1pK0/yEpuc84ovwmau/ZfHk3MFNQjuxL+JmlO7I3c6CEmOGeAupFTpnFGkRfJGSu6ilvcL4yasPq80LNEcCYhApiEW2pJXs5t3sfOdG2MJHTuMvz4MtnrLd9Cuf/EQK2a27HDrB4=</ds:SignatureValue>
|
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
24
|
+
<ds:X509Data>
|
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
|
|
26
|
+
</ds:X509Data>
|
|
27
|
+
</KeyInfo>
|
|
28
|
+
</ds:Signature>
|
|
29
|
+
<Subject>
|
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
|
33
|
+
</SubjectConfirmation>
|
|
34
|
+
</Subject>
|
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
|
36
|
+
<AudienceRestriction>
|
|
37
|
+
<Audience>example.com</Audience>
|
|
38
|
+
</AudienceRestriction>
|
|
39
|
+
</Conditions>
|
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
41
|
+
<AuthnContext>
|
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
|
43
|
+
</AuthnContext>
|
|
44
|
+
</AuthnStatement>
|
|
45
|
+
</Assertion>
|
|
46
|
+
</samlp:Response>
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
|
4
|
+
<samlp:Status>
|
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
|
6
|
+
</samlp:Status>
|
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
10
|
+
<ds:SignedInfo>
|
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
|
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
14
|
+
<ds:Transforms>
|
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
17
|
+
</ds:Transforms>
|
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
|
|
19
|
+
<ds:DigestValue>ZiOdC+GEvslNaP+yncB5droDFBwPeK9EjIpQ2LEI+y/3KPtIjGlp+eEQTVROxq3pqxJiNmSHJvtHzxytxzZsew==</ds:DigestValue>
|
|
20
|
+
</ds:Reference>
|
|
21
|
+
</ds:SignedInfo>
|
|
22
|
+
<ds:SignatureValue>JyaWS+PkmpsYZOcjb1Hws3RL1hlyfBY9VeUb7R/5UbeaESpS5Pe2dpfbYWZiOmY/3aYmkv9AEgveVwjddwp+wTQ4jZ91LG8L+ObX1Coq/j0Yj8aXeOBMxdueYmvJQGjHSEn2z0oKypGnbzM5gP/V8Aixa+e1/Kv+A/GcOX1K4SA=</ds:SignatureValue>
|
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
24
|
+
<ds:X509Data>
|
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
|
|
26
|
+
</ds:X509Data>
|
|
27
|
+
</KeyInfo>
|
|
28
|
+
</ds:Signature>
|
|
29
|
+
<Subject>
|
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
|
33
|
+
</SubjectConfirmation>
|
|
34
|
+
</Subject>
|
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
|
36
|
+
<AudienceRestriction>
|
|
37
|
+
<Audience>example.com</Audience>
|
|
38
|
+
</AudienceRestriction>
|
|
39
|
+
</Conditions>
|
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
41
|
+
<AuthnContext>
|
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
|
43
|
+
</AuthnContext>
|
|
44
|
+
</AuthnStatement>
|
|
45
|
+
</Assertion>
|
|
46
|
+
</samlp:Response>
|