ruby-samlnechotech 0.7.23
Sign up to get free protection for your applications and to get access to all the features.
- data/.document +5 -0
- data/.gitignore +11 -0
- data/.travis.yml +5 -0
- data/Gemfile +13 -0
- data/LICENSE +19 -0
- data/README.md +128 -0
- data/Rakefile +41 -0
- data/lib/onelogin/ruby-samlnechotech/authrequest.rb +84 -0
- data/lib/onelogin/ruby-samlnechotech/logging.rb +26 -0
- data/lib/onelogin/ruby-samlnechotech/logoutrequest.rb +82 -0
- data/lib/onelogin/ruby-samlnechotech/logoutresponse.rb +154 -0
- data/lib/onelogin/ruby-samlnechotech/metadata.rb +66 -0
- data/lib/onelogin/ruby-samlnechotech/response.rb +186 -0
- data/lib/onelogin/ruby-samlnechotech/settings.rb +27 -0
- data/lib/onelogin/ruby-samlnechotech/validation_error.rb +7 -0
- data/lib/onelogin/ruby-samlnechotech/version.rb +5 -0
- data/lib/ruby-samlnechotech.rb +9 -0
- data/lib/schemas/saml20assertion_schema.xsd +283 -0
- data/lib/schemas/saml20protocol_schema.xsd +302 -0
- data/lib/schemas/xenc_schema.xsd +146 -0
- data/lib/schemas/xmldsig_schema.xsd +318 -0
- data/lib/xml_security.rb +169 -0
- data/ruby-samlnechotech.gemspec +29 -0
- data/test/certificates/certificate1 +12 -0
- data/test/certificates/r1_certificate2_base64 +1 -0
- data/test/logoutrequest_test.rb +111 -0
- data/test/logoutresponse_test.rb +116 -0
- data/test/request_test.rb +97 -0
- data/test/response_test.rb +247 -0
- data/test/responses/adfs_response_sha1.xml +46 -0
- data/test/responses/adfs_response_sha256.xml +46 -0
- data/test/responses/adfs_response_sha384.xml +46 -0
- data/test/responses/adfs_response_sha512.xml +46 -0
- data/test/responses/logoutresponse_fixtures.rb +67 -0
- data/test/responses/no_signature_ns.xml +48 -0
- data/test/responses/open_saml_response.xml +56 -0
- data/test/responses/r1_response6.xml.base64 +1 -0
- data/test/responses/response1.xml.base64 +1 -0
- data/test/responses/response2.xml.base64 +79 -0
- data/test/responses/response3.xml.base64 +66 -0
- data/test/responses/response4.xml.base64 +93 -0
- data/test/responses/response5.xml.base64 +102 -0
- data/test/responses/response_with_ampersands.xml +139 -0
- data/test/responses/response_with_ampersands.xml.base64 +93 -0
- data/test/responses/simple_saml_php.xml +71 -0
- data/test/responses/starfield_response.xml.base64 +1 -0
- data/test/responses/wrapped_response_2.xml.base64 +150 -0
- data/test/settings_test.rb +46 -0
- data/test/test_helper.rb +75 -0
- data/test/xml_security_test.rb +160 -0
- metadata +172 -0
@@ -0,0 +1,247 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RubySamlTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Response" do
|
6
|
+
should "raise an exception when response is initialized with nil" do
|
7
|
+
assert_raises(ArgumentError) { Onelogin::Saml::Response.new(nil) }
|
8
|
+
end
|
9
|
+
|
10
|
+
should "be able to parse a document which contains ampersands" do
|
11
|
+
XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
|
12
|
+
Onelogin::Saml::Response.any_instance.stubs(:validate_conditions).returns(true)
|
13
|
+
|
14
|
+
response = Onelogin::Saml::Response.new(ampersands_response)
|
15
|
+
settings = Onelogin::Saml::Settings.new
|
16
|
+
settings.idp_cert_fingerprint = 'c51985d947f1be57082025050846eb27f6cab783'
|
17
|
+
response.settings = settings
|
18
|
+
response.validate!
|
19
|
+
end
|
20
|
+
|
21
|
+
should "adapt namespace" do
|
22
|
+
response = Onelogin::Saml::Response.new(response_document)
|
23
|
+
assert !response.name_id.nil?
|
24
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
25
|
+
assert !response.name_id.nil?
|
26
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
27
|
+
assert !response.name_id.nil?
|
28
|
+
end
|
29
|
+
|
30
|
+
should "default to raw input when a response is not Base64 encoded" do
|
31
|
+
decoded = Base64.decode64(response_document_2)
|
32
|
+
response = Onelogin::Saml::Response.new(decoded)
|
33
|
+
assert response.document
|
34
|
+
end
|
35
|
+
|
36
|
+
context "Assertion" do
|
37
|
+
should "only retreive an assertion with an ID that matches the signature's reference URI" do
|
38
|
+
response = Onelogin::Saml::Response.new(wrapped_response_2)
|
39
|
+
response.stubs(:conditions).returns(nil)
|
40
|
+
settings = Onelogin::Saml::Settings.new
|
41
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
42
|
+
response.settings = settings
|
43
|
+
assert response.name_id.nil?
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
context "#validate!" do
|
48
|
+
should "raise when encountering a condition that prevents the document from being valid" do
|
49
|
+
response = Onelogin::Saml::Response.new(response_document)
|
50
|
+
assert_raise(Onelogin::Saml::ValidationError) do
|
51
|
+
response.validate!
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
context "#is_valid?" do
|
57
|
+
should "return false when response is initialized with blank data" do
|
58
|
+
response = Onelogin::Saml::Response.new('')
|
59
|
+
assert !response.is_valid?
|
60
|
+
end
|
61
|
+
|
62
|
+
should "return false if settings have not been set" do
|
63
|
+
response = Onelogin::Saml::Response.new(response_document)
|
64
|
+
assert !response.is_valid?
|
65
|
+
end
|
66
|
+
|
67
|
+
should "return true when the response is initialized with valid data" do
|
68
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
69
|
+
response.stubs(:conditions).returns(nil)
|
70
|
+
assert !response.is_valid?
|
71
|
+
settings = Onelogin::Saml::Settings.new
|
72
|
+
assert !response.is_valid?
|
73
|
+
response.settings = settings
|
74
|
+
assert !response.is_valid?
|
75
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
76
|
+
assert response.is_valid?
|
77
|
+
end
|
78
|
+
|
79
|
+
should "should be idempotent when the response is initialized with invalid data" do
|
80
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
81
|
+
response.stubs(:conditions).returns(nil)
|
82
|
+
settings = Onelogin::Saml::Settings.new
|
83
|
+
response.settings = settings
|
84
|
+
assert !response.is_valid?
|
85
|
+
assert !response.is_valid?
|
86
|
+
end
|
87
|
+
|
88
|
+
should "should be idempotent when the response is initialized with valid data" do
|
89
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
90
|
+
response.stubs(:conditions).returns(nil)
|
91
|
+
settings = Onelogin::Saml::Settings.new
|
92
|
+
response.settings = settings
|
93
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
94
|
+
assert response.is_valid?
|
95
|
+
assert response.is_valid?
|
96
|
+
end
|
97
|
+
|
98
|
+
should "return true when using certificate instead of fingerprint" do
|
99
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
100
|
+
response.stubs(:conditions).returns(nil)
|
101
|
+
settings = Onelogin::Saml::Settings.new
|
102
|
+
response.settings = settings
|
103
|
+
settings.idp_cert = signature_1
|
104
|
+
assert response.is_valid?
|
105
|
+
end
|
106
|
+
|
107
|
+
should "not allow signature wrapping attack" do
|
108
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
109
|
+
response.stubs(:conditions).returns(nil)
|
110
|
+
settings = Onelogin::Saml::Settings.new
|
111
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
112
|
+
response.settings = settings
|
113
|
+
assert response.is_valid?
|
114
|
+
assert response.name_id == "test@onelogin.com"
|
115
|
+
end
|
116
|
+
|
117
|
+
should "support dynamic namespace resolution on signature elements" do
|
118
|
+
response = Onelogin::Saml::Response.new(fixture("no_signature_ns.xml"))
|
119
|
+
response.stubs(:conditions).returns(nil)
|
120
|
+
settings = Onelogin::Saml::Settings.new
|
121
|
+
response.settings = settings
|
122
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
123
|
+
XMLSecurity::SignedDocument.any_instance.expects(:validate_doc).returns(true)
|
124
|
+
assert response.validate!
|
125
|
+
end
|
126
|
+
|
127
|
+
should "validate ADFS assertions" do
|
128
|
+
response = Onelogin::Saml::Response.new(fixture(:adfs_response_sha256))
|
129
|
+
response.stubs(:conditions).returns(nil)
|
130
|
+
settings = Onelogin::Saml::Settings.new
|
131
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
132
|
+
response.settings = settings
|
133
|
+
assert response.validate!
|
134
|
+
end
|
135
|
+
|
136
|
+
should "validate the digest" do
|
137
|
+
response = Onelogin::Saml::Response.new(r1_response_document_6)
|
138
|
+
response.stubs(:conditions).returns(nil)
|
139
|
+
settings = Onelogin::Saml::Settings.new
|
140
|
+
settings.idp_cert = Base64.decode64(r1_signature_2)
|
141
|
+
response.settings = settings
|
142
|
+
assert response.validate!
|
143
|
+
end
|
144
|
+
|
145
|
+
should "validate SAML 2.0 XML structure" do
|
146
|
+
resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
|
147
|
+
response = Onelogin::Saml::Response.new(Base64.encode64(resp_xml))
|
148
|
+
response.stubs(:conditions).returns(nil)
|
149
|
+
settings = Onelogin::Saml::Settings.new
|
150
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
151
|
+
response.settings = settings
|
152
|
+
assert_raises(Onelogin::Saml::ValidationError, 'Digest mismatch'){ response.validate! }
|
153
|
+
end
|
154
|
+
end
|
155
|
+
|
156
|
+
context "#name_id" do
|
157
|
+
should "extract the value of the name id element" do
|
158
|
+
response = Onelogin::Saml::Response.new(response_document)
|
159
|
+
assert_equal "support@onelogin.com", response.name_id
|
160
|
+
|
161
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
162
|
+
assert_equal "someone@example.com", response.name_id
|
163
|
+
end
|
164
|
+
|
165
|
+
should "be extractable from an OpenSAML response" do
|
166
|
+
response = Onelogin::Saml::Response.new(fixture(:open_saml))
|
167
|
+
assert_equal "someone@example.org", response.name_id
|
168
|
+
end
|
169
|
+
|
170
|
+
should "be extractable from a Simple SAML PHP response" do
|
171
|
+
response = Onelogin::Saml::Response.new(fixture(:simple_saml_php))
|
172
|
+
assert_equal "someone@example.com", response.name_id
|
173
|
+
end
|
174
|
+
end
|
175
|
+
|
176
|
+
context "#check_conditions" do
|
177
|
+
should "check time conditions" do
|
178
|
+
response = Onelogin::Saml::Response.new(response_document)
|
179
|
+
assert !response.send(:validate_conditions, true)
|
180
|
+
response = Onelogin::Saml::Response.new(response_document_6)
|
181
|
+
assert response.send(:validate_conditions, true)
|
182
|
+
time = Time.parse("2011-06-14T18:25:01.516Z")
|
183
|
+
Time.stubs(:now).returns(time)
|
184
|
+
response = Onelogin::Saml::Response.new(response_document_5)
|
185
|
+
assert response.send(:validate_conditions, true)
|
186
|
+
end
|
187
|
+
end
|
188
|
+
|
189
|
+
context "#attributes" do
|
190
|
+
should "extract the first attribute in a hash accessed via its symbol" do
|
191
|
+
response = Onelogin::Saml::Response.new(response_document)
|
192
|
+
assert_equal "demo", response.attributes[:uid]
|
193
|
+
end
|
194
|
+
|
195
|
+
should "extract the first attribute in a hash accessed via its name" do
|
196
|
+
response = Onelogin::Saml::Response.new(response_document)
|
197
|
+
assert_equal "demo", response.attributes["uid"]
|
198
|
+
end
|
199
|
+
|
200
|
+
should "extract all attributes" do
|
201
|
+
response = Onelogin::Saml::Response.new(response_document)
|
202
|
+
assert_equal "demo", response.attributes[:uid]
|
203
|
+
assert_equal "value", response.attributes[:another_value]
|
204
|
+
end
|
205
|
+
|
206
|
+
should "work for implicit namespaces" do
|
207
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
208
|
+
assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
|
209
|
+
end
|
210
|
+
|
211
|
+
should "not raise on responses without attributes" do
|
212
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
213
|
+
assert_equal Hash.new, response.attributes
|
214
|
+
end
|
215
|
+
end
|
216
|
+
|
217
|
+
context "#session_expires_at" do
|
218
|
+
should "extract the value of the SessionNotOnOrAfter attribute" do
|
219
|
+
response = Onelogin::Saml::Response.new(response_document)
|
220
|
+
assert response.session_expires_at.is_a?(Time)
|
221
|
+
|
222
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
223
|
+
assert response.session_expires_at.nil?
|
224
|
+
end
|
225
|
+
end
|
226
|
+
|
227
|
+
context "#issuer" do
|
228
|
+
should "return the issuer inside the response assertion" do
|
229
|
+
response = Onelogin::Saml::Response.new(response_document)
|
230
|
+
assert_equal "https://app.onelogin.com/saml/metadata/13590", response.issuer
|
231
|
+
end
|
232
|
+
|
233
|
+
should "return the issuer inside the response" do
|
234
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
235
|
+
assert_equal "wibble", response.issuer
|
236
|
+
end
|
237
|
+
end
|
238
|
+
|
239
|
+
context "#success" do
|
240
|
+
should "find a status code that says success" do
|
241
|
+
response = Onelogin::Saml::Response.new(response_document)
|
242
|
+
response.success?
|
243
|
+
end
|
244
|
+
end
|
245
|
+
|
246
|
+
end
|
247
|
+
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
<?xml version="1.0"?>
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
4
|
+
<samlp:Status>
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
6
|
+
</samlp:Status>
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
10
|
+
<ds:SignedInfo>
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha1"/>
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
14
|
+
<ds:Transforms>
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
17
|
+
</ds:Transforms>
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
|
19
|
+
<ds:DigestValue>tGpkynNC34A5SFqDSfXmPSiIGpU=</ds:DigestValue>
|
20
|
+
</ds:Reference>
|
21
|
+
</ds:SignedInfo>
|
22
|
+
<ds:SignatureValue>WXtmslqh2npLtwhvU8yVx0pvH7E1s8ASksv7VtWirQDFrRRO9k+sNnQcGzA75QNyd6nP+T2e+ofIWyj8G70Rd6gEU4ZmV1vlGVq49Ilc7r/oxauitIuasOvrmpyHCXRbttYeWz4T5xoTCDx9RZQvI4fdrFugrymFT2OREFx1lSk=</ds:SignatureValue>
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
24
|
+
<ds:X509Data>
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
|
26
|
+
</ds:X509Data>
|
27
|
+
</KeyInfo>
|
28
|
+
</ds:Signature>
|
29
|
+
<Subject>
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
33
|
+
</SubjectConfirmation>
|
34
|
+
</Subject>
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
36
|
+
<AudienceRestriction>
|
37
|
+
<Audience>example.com</Audience>
|
38
|
+
</AudienceRestriction>
|
39
|
+
</Conditions>
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
41
|
+
<AuthnContext>
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
43
|
+
</AuthnContext>
|
44
|
+
</AuthnStatement>
|
45
|
+
</Assertion>
|
46
|
+
</samlp:Response>
|
@@ -0,0 +1,46 @@
|
|
1
|
+
<?xml version="1.0"?>
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
4
|
+
<samlp:Status>
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
6
|
+
</samlp:Status>
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
10
|
+
<ds:SignedInfo>
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
14
|
+
<ds:Transforms>
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
17
|
+
</ds:Transforms>
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
|
19
|
+
<ds:DigestValue>5mUndDm7OQSGNYVTevsJw3JRVZiwvlDnR2nprJ+6Mhc=</ds:DigestValue>
|
20
|
+
</ds:Reference>
|
21
|
+
</ds:SignedInfo>
|
22
|
+
<ds:SignatureValue>MmuXQdjutiuP7soIaB7nk9wSR8OGkmyH5n9aelMTOrV7gTVNDazgQ/GXMmYXTTrhdvGN65duLO0oYdsYGxwNIjlA1lYhoGeBgYuIB/4iKZ6oLSDgjMcQxHkSW1OJ8pIEuUa/3MPUUjaSlTg0me4WRxVdXp34A9Mtlj0DgrK9m0A=</ds:SignatureValue>
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
24
|
+
<ds:X509Data>
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXptZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRVUZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T0RBMU1qVTFPVm9YRFRNeU1EUXgKTXpBMU1qVTFPVm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQW9mR3p4NFZvQzZDSENYdFJPdkVLSFRzRAppNkFBWCtoVWpiSVloeERsZUxMZUNVemZDaVVXOFkwbTVrWkVKbjJXSmt5Si8wRFdPZmE5b0c1ZUg1eXNKSWpVCnpTUjVkMGJldmJZMEV1OHJDTmh3S001UzdYaXltTzBGc09mcnh6TkJxbVRBblE2VFJYT25nY1BYTitXRWd4cmQKZDVoV1V5ZXh2dkQ2d05McWdVRUNBd0VBQWFPQ0FVb3dnZ0ZHTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRMk1xTFZwRnlyVmNNaGFXMzRHanFkTVF6c3dqQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRCQ0JnbGdoa2dCaHZoQ0FRMEVOUll6VkdWemRDQllOVEE1SUdObGNuUWdZM0psWVhSbFpDQm0KYjNJZ1QyNWxURzluYVc0Z1lua2dUR0YzY21WdVkyVWdVR2wwTUlHekJnTlZIU01FZ2Fzd2dhaUFGRFl5b3RXawpYS3RWd3lGcGJmZ2FPcDB4RE96Q29ZR01wSUdKTUlHR01Rc3dDUVlEVlFRR0V3SkJWVEVNTUFvR0ExVUVDQk1EClRsTlhNUTh3RFFZRFZRUUhFd1pUZVdSdVpYa3hEREFLQmdOVkJBb01BMUJKVkRFSk1BY0dBMVVFQ3d3QU1SZ3cKRmdZRFZRUUREQTlzWVhkeVpXNWpaWEJwZEM1amIyMHhKVEFqQmdrcWhraUc5dzBCQ1FFTUZteGhkM0psYm1ObApMbkJwZEVCbmJXRnBiQzVqYjIyQ0FRRXdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFOM2VRMUM5T0JJbVgvdWZGClNIUC9FeUxPQjJPQ1dqdlNpSytNbndQRWsralRRdDZZYXIxMkRacWVnRGhrWC92OGplTWh4VnpwaStBcHA4M0YKYWFmUE54UFJYc01FTFRCblhDQUJ1YzZEakxBaFlvNGQ4TDhCWUovVjlxLzZRMzdNYVZmc0ZKWVVKNmFBQUppWQpwd1RMUWJidFpqaytZc0s5TzZFR1U4ZjE5djg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K</ds:X509Certificate>
|
26
|
+
</ds:X509Data>
|
27
|
+
</KeyInfo>
|
28
|
+
</ds:Signature>
|
29
|
+
<Subject>
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
33
|
+
</SubjectConfirmation>
|
34
|
+
</Subject>
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
36
|
+
<AudienceRestriction>
|
37
|
+
<Audience>example.com</Audience>
|
38
|
+
</AudienceRestriction>
|
39
|
+
</Conditions>
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
41
|
+
<AuthnContext>
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
43
|
+
</AuthnContext>
|
44
|
+
</AuthnStatement>
|
45
|
+
</Assertion>
|
46
|
+
</samlp:Response>
|
@@ -0,0 +1,46 @@
|
|
1
|
+
<?xml version="1.0"?>
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
4
|
+
<samlp:Status>
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
6
|
+
</samlp:Status>
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
10
|
+
<ds:SignedInfo>
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
14
|
+
<ds:Transforms>
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
17
|
+
</ds:Transforms>
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha384"/>
|
19
|
+
<ds:DigestValue>XU0mb78TVA+VwcA71jxe5osjiOzOP/OwDcJ8t/mn2d9+/V2zxejEo9+fkSY2ZR0Z</ds:DigestValue>
|
20
|
+
</ds:Reference>
|
21
|
+
</ds:SignedInfo>
|
22
|
+
<ds:SignatureValue>bq1zDllmAFzx0O3HAAoedSqQIl/n2+mK2Vx1pK0/yEpuc84ovwmau/ZfHk3MFNQjuxL+JmlO7I3c6CEmOGeAupFTpnFGkRfJGSu6ilvcL4yasPq80LNEcCYhApiEW2pJXs5t3sfOdG2MJHTuMvz4MtnrLd9Cuf/EQK2a27HDrB4=</ds:SignatureValue>
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
24
|
+
<ds:X509Data>
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
|
26
|
+
</ds:X509Data>
|
27
|
+
</KeyInfo>
|
28
|
+
</ds:Signature>
|
29
|
+
<Subject>
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
33
|
+
</SubjectConfirmation>
|
34
|
+
</Subject>
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
36
|
+
<AudienceRestriction>
|
37
|
+
<Audience>example.com</Audience>
|
38
|
+
</AudienceRestriction>
|
39
|
+
</Conditions>
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
41
|
+
<AuthnContext>
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
43
|
+
</AuthnContext>
|
44
|
+
</AuthnStatement>
|
45
|
+
</Assertion>
|
46
|
+
</samlp:Response>
|
@@ -0,0 +1,46 @@
|
|
1
|
+
<?xml version="1.0"?>
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
4
|
+
<samlp:Status>
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
6
|
+
</samlp:Status>
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
10
|
+
<ds:SignedInfo>
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
14
|
+
<ds:Transforms>
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
17
|
+
</ds:Transforms>
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
|
19
|
+
<ds:DigestValue>ZiOdC+GEvslNaP+yncB5droDFBwPeK9EjIpQ2LEI+y/3KPtIjGlp+eEQTVROxq3pqxJiNmSHJvtHzxytxzZsew==</ds:DigestValue>
|
20
|
+
</ds:Reference>
|
21
|
+
</ds:SignedInfo>
|
22
|
+
<ds:SignatureValue>JyaWS+PkmpsYZOcjb1Hws3RL1hlyfBY9VeUb7R/5UbeaESpS5Pe2dpfbYWZiOmY/3aYmkv9AEgveVwjddwp+wTQ4jZ91LG8L+ObX1Coq/j0Yj8aXeOBMxdueYmvJQGjHSEn2z0oKypGnbzM5gP/V8Aixa+e1/Kv+A/GcOX1K4SA=</ds:SignatureValue>
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
24
|
+
<ds:X509Data>
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
|
26
|
+
</ds:X509Data>
|
27
|
+
</KeyInfo>
|
28
|
+
</ds:Signature>
|
29
|
+
<Subject>
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
33
|
+
</SubjectConfirmation>
|
34
|
+
</Subject>
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
36
|
+
<AudienceRestriction>
|
37
|
+
<Audience>example.com</Audience>
|
38
|
+
</AudienceRestriction>
|
39
|
+
</Conditions>
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
41
|
+
<AuthnContext>
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
43
|
+
</AuthnContext>
|
44
|
+
</AuthnStatement>
|
45
|
+
</Assertion>
|
46
|
+
</samlp:Response>
|
@@ -0,0 +1,67 @@
|
|
1
|
+
#encoding: utf-8
|
2
|
+
|
3
|
+
def default_response_opts
|
4
|
+
{
|
5
|
+
:uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
|
6
|
+
:issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
|
7
|
+
:settings => settings
|
8
|
+
}
|
9
|
+
end
|
10
|
+
|
11
|
+
def valid_response(opts = {})
|
12
|
+
opts = default_response_opts.merge!(opts)
|
13
|
+
|
14
|
+
"<samlp:LogoutResponse
|
15
|
+
xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
|
16
|
+
ID=\"#{random_id}\" Version=\"2.0\"
|
17
|
+
IssueInstant=\"#{opts[:issue_instant]}\"
|
18
|
+
Destination=\"#{opts[:settings].assertion_consumer_logout_service_url}\"
|
19
|
+
InResponseTo=\"#{opts[:uuid]}\">
|
20
|
+
<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
|
21
|
+
<samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
|
22
|
+
<samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
|
23
|
+
Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
|
24
|
+
</samlp:StatusCode>
|
25
|
+
</samlp:Status>
|
26
|
+
</samlp:LogoutResponse>"
|
27
|
+
end
|
28
|
+
|
29
|
+
def unsuccessful_response(opts = {})
|
30
|
+
opts = default_response_opts.merge!(opts)
|
31
|
+
|
32
|
+
"<samlp:LogoutResponse
|
33
|
+
xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
|
34
|
+
ID=\"#{random_id}\" Version=\"2.0\"
|
35
|
+
IssueInstant=\"#{opts[:issue_instant]}\"
|
36
|
+
Destination=\"#{opts[:settings].assertion_consumer_logout_service_url}\"
|
37
|
+
InResponseTo=\"#{opts[:uuid]}\">
|
38
|
+
<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
|
39
|
+
<samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
|
40
|
+
<samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
|
41
|
+
Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
|
42
|
+
</samlp:StatusCode>
|
43
|
+
</samlp:Status>
|
44
|
+
</samlp:LogoutResponse>"
|
45
|
+
end
|
46
|
+
|
47
|
+
def invalid_xml_response
|
48
|
+
"<samlp:SomethingAwful
|
49
|
+
xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
|
50
|
+
ID=\"#{random_id}\" Version=\"2.0\">
|
51
|
+
</samlp:SomethingAwful>"
|
52
|
+
end
|
53
|
+
|
54
|
+
def settings
|
55
|
+
@settings ||= Onelogin::Saml::Settings.new(
|
56
|
+
{
|
57
|
+
:assertion_consumer_service_url => "http://app.muda.no/sso/consume",
|
58
|
+
:assertion_consumer_logout_service_url => "http://app.muda.no/sso/consume_logout",
|
59
|
+
:issuer => "http://app.muda.no",
|
60
|
+
:sp_name_qualifier => "http://sso.muda.no",
|
61
|
+
:idp_sso_target_url => "http://sso.muda.no/sso",
|
62
|
+
:idp_slo_target_url => "http://sso.muda.no/slo",
|
63
|
+
:idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
|
64
|
+
:name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
|
65
|
+
}
|
66
|
+
)
|
67
|
+
end
|