saml2 1.0.0

data/spec/fixtures/authnrequest.xml

@@ -0,0 +1,12 @@
+<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" IssueInstant="2007-12-10T11:39:34Z" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://siteadmin.test.instructure.com/saml_consume">
+    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+      http://siteadmin.instructure.com/saml2
+    </saml:Issuer>
+    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="moodle.bridge.feide.no" AllowCreate="true" />
+    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
+        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+        </saml:AuthnContextClassRef>
+    </samlp:RequestedAuthnContext>
+</samlp:AuthnRequest>
+

data/spec/fixtures/calculated.txt

@@ -0,0 +1 @@
+<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cdfc3faf-90ad-462f-880d-677483210684" IssueInstant="2015-02-12T22:51:29Z" Version="2.0"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984" NotBefore="2015-02-12T22:51:29Z" NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

data/spec/fixtures/certificate.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+BAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQKEw5Db2R5IFNBTUwgVGVzdDEk
+MCIGA1UEAxMbaHR0cDovL3Nzby5jYW52YXMuZGV2L1NBTUwyMB4XDTE1MDIwOTIy
+MTkxOVoXDTE1MDMxMTIyMTkxOVowWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0
+YWgxFzAVBgNVBAoTDkNvZHkgU0FNTCBUZXN0MSQwIgYDVQQDExtodHRwOi8vc3Nv
+LmNhbnZhcy5kZXYvU0FNTDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwlbZhVkDi6YAHFpkxSoInc9Jrmezv0XKi8YzrDzO9Y7zHJlYygUQmgvD4I5fQ
+tVW8sbp7gS5cCBmjbGJRXx3996qLq12//WLYMDkHktrbU1zZ6vsJ8ajHyQv4OFvq
+qBnForSkuJbNi/QVTKiwbbBOZ75CbNBs1InoMN5MY2S5NhG9JhLjpktxNKfXFEi5
+Wr0rc2T0lSbTHv7L6DUFKeKX7uK9bNREozZDwkyYUHZl1Vez88WiJw7CmzNEnm5v
+13M6e60788M7E5FZBkTDkFK5+RV10ycYYNN7E8l0HzWSaB4+aJhKsK/Q7Yv+MG/j
+Oj8KMeZvEJfhxx1Dz8idgy8RAgMBAAGjgcAwgb0wHQYDVR0OBBYEFOvkP77RRJET
+X//KwdohNVfZBSvbMIGNBgNVHSMEgYUwgYKAFOvkP77RRJETX//KwdohNVfZBSvb
+oV+kXTBbMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEChMOQ29k
+eSBTQU1MIFRlc3QxJDAiBgNVBAMTG2h0dHA6Ly9zc28uY2FudmFzLmRldi9TQU1M
+MoIJAIz/He5UafnhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAQ6
+iucYVoOHBXHGybLUj8i3yZEI8C0mZQ/NBsihMGBP58vNSSKUJr4JPvYUIudwkLVH
+T1FWdfMVVVUxqJvCFWfWcpCyKTe4FQ0WyTasq1F9LtCaeMczlkpK+E2XBlNyPGoo
+1fCDO6pXD7EIOprIFl3blspb5ROF8lCESjFKmyxVGHEOMs2GA0cX3xvW+AvCbYUC
+Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
+5y5OLZblsTw3CPgxgMcCiBSYXnO0VTpT9ANW/SpeSE8XnfumxUjsUtxO4qN4O2es
+ZtltN+yN40INHGRWnHc=
+-----END CERTIFICATE-----
+`

data/spec/fixtures/entities.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+  <EntityDescriptor entityID="urn:entity1">
+    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://entity1.com/SAML2/Login" index="0"/>
+    </SPSSODescriptor>
+  </EntityDescriptor>
+  <EntityDescriptor entityID="urn:entity2">
+    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://entity2.com/SAML2/Login" index="0"/>
+    </SPSSODescriptor>
+  </EntityDescriptor>
+</EntitiesDescriptor>

data/spec/fixtures/privatekey.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAsJW2YVZA4umABxaZMUqCJ3PSa5ns79FyovGM6w8zvWO8xyZW
+MoFEJoLw+COX0LVVvLG6e4EuXAgZo2xiUV8d/feqi6tdv/1i2DA5B5La21Nc2er7
+CfGox8kL+Dhb6qgZxaK0pLiWzYv0FUyosG2wTme+QmzQbNSJ6DDeTGNkuTYRvSYS
+46ZLcTSn1xRIuVq9K3Nk9JUm0x7+y+g1BSnil+7ivWzURKM2Q8JMmFB2ZdVXs/PF
+oicOwpszRJ5ub9dzOnutO/PDOxORWQZEw5BSufkVddMnGGDTexPJdB81kmgePmiY
+SrCv0O2L/jBv4zo/CjHmbxCX4ccdQ8/InYMvEQIDAQABAoIBACp0xHXgtBcahwKt
+R0XXoTV1Hnlqd9ItLH/KzdPSQuFdMo07RWw9MjKENwWiISU4BBYrMSfypj/QXsGx
+FG52DRL70hBkslSvym0qIvwULfSftWpbmeIJLUhjqTIT8t2XbyLafM5B51giNxxL
+4x8QMFyZiuATo4UXENU3sqrxFs2EsRtPPp2MLXz/bCTjpm4nozwCN8hl7dxBVc6m
+pJS2QmUyiYSxwuozVbl1mO2DeNrVZ235XUBNEwhxSHTHFRcfuHDOc/l+7e+oKK+r
+cNhSS3BFKC66b3ekc6Ffw76Ixi/6ABa+uBBxdHMpeFfheJXLOCfcZdL1EiXK5kvg
+mHf4kUECgYEA4CKC3wHKiaQ1MTMlYFPD30YZy7ANr81czAPADguiH9RN+LEQNh9U
+c2wfnvz8u7nGU7n6AaFNDHd9nYVt56Bn1hpqTJY+UPZBJHbNpYkhTVEb9lfwXPia
+FURy0wUnr5qCbDy5kEEi7W4CXLaV4WC0r+AioJ6VQAPAdipV1I8WMEkCgYEAybCY
+75m+Etpaq52ue/geHVhen1FWFjzU9lxFaKu6LDbiVAnOdw6CaSW6dQR8Wzet0r4g
+QCJIOLIEb8b2hyHC5tQEweKJxKFcpacQkL1x9zePux6wLYEUVUMh4O8lMoucEGNY
+lea6gS2dSiE/iOqqopgXAuNlDQ2g0RGIkd44mIkCgYEAkSBngwSC43rK4m+OnP/A
+DVszqrr1MccUdhlbivynXlq2nffwWksRAKebFfQTpW4V5/K82b9ax167nHpf/qHT
+ekOiXrLN6Nh6t6ShZbUUNh71rx2jyl9CTdEDVHW7C65NEs6DDM/QUNJxfxzOkZ9v
+f43uffgRBeEoBptE9hwsLtkCgYBTCXgNvXh5/pgx69t4grCzWDyszynoQedT/q08
+6ObfaUFJZDgy4DBk5fmcT9p7G7Ne/pP8k6C0ZuZYtsus2wOJUWUcBg6+e8jPErdJ
+QBX5uFBes8XJFkmuyNLb7tmbs8rvHFfOb439vS/y4zlrP2I9Suy+baye8StyqAtY
+MuuOMQKBgQCZsjjCBOKVqK9k0NxRZAsx802X0Ux5aHHvtHs39Z1CoXSFB58x5jce
+NQRs3vQhjmcoz3ABhnJtFLCVlhvo8M+NiwVPXWOqt2cQUTAOigUBiPV53Nx+azG5
+t6wYGJtOFhhdM4pfmqcBzRYggYPLQnN6Evqqmvv0SdXPeiSlMsHZnA==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/response_signed.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotBefore="2015-02-12T22:51:29Z" NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<Reference URI="#_cdfc3faf-90ad-462f-880d-677483210684">
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<DigestValue>tcGklXG37kbAGysq5Z1xJFzWrqZy17G4EmjsUkM/aR8=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>GCgO76VB/ZVbt9S5gxCr1d1UVjrwRc4ylJYw4qkQ30PCkfI6wTGNxzoKajJgJcdC
+xuawi10veuIfubziijAFd1CHX33egXpqW+Q1+ddgQE4JSukgZg5TE8up/HxXwQ7r
+nVsLFXFB2Q3maoFTA2zt/jjKThYNEq/KXY+fQHB+pbYwkXQXK0MwL2sdX2zxZSCM
+DpTQDSCIMpaEPV8my6NnZI8qTHZGu8JvBJZUfQVi5ZGElIFQowrN9dRfe6Lbv4tM
+0jopAodYSarvQvBjjVQWe4ffqOOoSg5jGlma44WLwO05RQfo0VpLjNP06P9PePNc
+5sUzApqsEgsVa+WxGztlBA==</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+BAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQKEw5Db2R5IFNBTUwgVGVzdDEk
+MCIGA1UEAxMbaHR0cDovL3Nzby5jYW52YXMuZGV2L1NBTUwyMB4XDTE1MDIwOTIy
+MTkxOVoXDTE1MDMxMTIyMTkxOVowWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0
+YWgxFzAVBgNVBAoTDkNvZHkgU0FNTCBUZXN0MSQwIgYDVQQDExtodHRwOi8vc3Nv
+LmNhbnZhcy5kZXYvU0FNTDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwlbZhVkDi6YAHFpkxSoInc9Jrmezv0XKi8YzrDzO9Y7zHJlYygUQmgvD4I5fQ
+tVW8sbp7gS5cCBmjbGJRXx3996qLq12//WLYMDkHktrbU1zZ6vsJ8ajHyQv4OFvq
+qBnForSkuJbNi/QVTKiwbbBOZ75CbNBs1InoMN5MY2S5NhG9JhLjpktxNKfXFEi5
+Wr0rc2T0lSbTHv7L6DUFKeKX7uK9bNREozZDwkyYUHZl1Vez88WiJw7CmzNEnm5v
+13M6e60788M7E5FZBkTDkFK5+RV10ycYYNN7E8l0HzWSaB4+aJhKsK/Q7Yv+MG/j
+Oj8KMeZvEJfhxx1Dz8idgy8RAgMBAAGjgcAwgb0wHQYDVR0OBBYEFOvkP77RRJET
+X//KwdohNVfZBSvbMIGNBgNVHSMEgYUwgYKAFOvkP77RRJETX//KwdohNVfZBSvb
+oV+kXTBbMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEChMOQ29k
+eSBTQU1MIFRlc3QxJDAiBgNVBAMTG2h0dHA6Ly9zc28uY2FudmFzLmRldi9TQU1M
+MoIJAIz/He5UafnhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAQ6
+iucYVoOHBXHGybLUj8i3yZEI8C0mZQ/NBsihMGBP58vNSSKUJr4JPvYUIudwkLVH
+T1FWdfMVVVUxqJvCFWfWcpCyKTe4FQ0WyTasq1F9LtCaeMczlkpK+E2XBlNyPGoo
+1fCDO6pXD7EIOprIFl3blspb5ROF8lCESjFKmyxVGHEOMs2GA0cX3xvW+AvCbYUC
+Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
+5y5OLZblsTw3CPgxgMcCiBSYXnO0VTpT9ANW/SpeSE8XnfumxUjsUtxO4qN4O2es
+ZtltN+yN40INHGRWnHc=</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature></saml:Assertion></samlp:Response>

data/spec/fixtures/response_with_attribute_signed.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotBefore="2015-02-12T22:51:29Z" NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" Name="urn:oid:2.5.4.42" FriendlyName="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP"><saml:AttributeValue xsi:type="xsd:string">cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<Reference URI="#_cdfc3faf-90ad-462f-880d-677483210684">
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<DigestValue>G6PWZur5jAV2j+08LFvnZbQhU61B3QYOaKlncC0A2iE=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>ld3IvZ/JzGFKrxV/YVxtNJD3j7mISXYjtum6OjLuzpXUBmqdzIlQ87YQkLmm4h0M
+Nay3eEQGHho66x/ZoZljQpj1hUgj0od4v4pYubj9JFubr8WnQfIX67w3B/CZPlBO
+5Giai7KdvQtZzVzkQpWxzUOsHUJPWjt3b2S82bdwlRDn4VfCtFzhkd8+R3Mh0Rwm
+Yd7GUqKdxWvvvG0r5l1zblxnwzE4f9j6Q2Z01gdabYYiGBjLOKTkEJU6CnxM0O9E
+uOk0LvUnDhxMywIxwZYupOWNM2xUth0B9sBYUw8zala9II7vVoPNFb/Gk7+H18YB
+7TNJu+kWiAqpPKbJQY4KjQ==</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+BAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQKEw5Db2R5IFNBTUwgVGVzdDEk
+MCIGA1UEAxMbaHR0cDovL3Nzby5jYW52YXMuZGV2L1NBTUwyMB4XDTE1MDIwOTIy
+MTkxOVoXDTE1MDMxMTIyMTkxOVowWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0
+YWgxFzAVBgNVBAoTDkNvZHkgU0FNTCBUZXN0MSQwIgYDVQQDExtodHRwOi8vc3Nv
+LmNhbnZhcy5kZXYvU0FNTDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwlbZhVkDi6YAHFpkxSoInc9Jrmezv0XKi8YzrDzO9Y7zHJlYygUQmgvD4I5fQ
+tVW8sbp7gS5cCBmjbGJRXx3996qLq12//WLYMDkHktrbU1zZ6vsJ8ajHyQv4OFvq
+qBnForSkuJbNi/QVTKiwbbBOZ75CbNBs1InoMN5MY2S5NhG9JhLjpktxNKfXFEi5
+Wr0rc2T0lSbTHv7L6DUFKeKX7uK9bNREozZDwkyYUHZl1Vez88WiJw7CmzNEnm5v
+13M6e60788M7E5FZBkTDkFK5+RV10ycYYNN7E8l0HzWSaB4+aJhKsK/Q7Yv+MG/j
+Oj8KMeZvEJfhxx1Dz8idgy8RAgMBAAGjgcAwgb0wHQYDVR0OBBYEFOvkP77RRJET
+X//KwdohNVfZBSvbMIGNBgNVHSMEgYUwgYKAFOvkP77RRJETX//KwdohNVfZBSvb
+oV+kXTBbMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEChMOQ29k
+eSBTQU1MIFRlc3QxJDAiBgNVBAMTG2h0dHA6Ly9zc28uY2FudmFzLmRldi9TQU1M
+MoIJAIz/He5UafnhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAQ6
+iucYVoOHBXHGybLUj8i3yZEI8C0mZQ/NBsihMGBP58vNSSKUJr4JPvYUIudwkLVH
+T1FWdfMVVVUxqJvCFWfWcpCyKTe4FQ0WyTasq1F9LtCaeMczlkpK+E2XBlNyPGoo
+1fCDO6pXD7EIOprIFl3blspb5ROF8lCESjFKmyxVGHEOMs2GA0cX3xvW+AvCbYUC
+Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
+5y5OLZblsTw3CPgxgMcCiBSYXnO0VTpT9ANW/SpeSE8XnfumxUjsUtxO4qN4O2es
+ZtltN+yN40INHGRWnHc=</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature></saml:Assertion></samlp:Response>

data/spec/fixtures/service_provider.xml

@@ -0,0 +1,79 @@
+<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+
+    <KeyDescriptor use="encryption">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>
+            SSB1c2UgdGhpcyBmb3IgZW5jcnlwdGlvbg==
+          </X509Certificate>
+        </X509Data>
+      </KeyInfo>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
+        <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
+      </EncryptionMethod>
+    </KeyDescriptor>
+
+    <KeyDescriptor use="signing">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data>
+          <X509Certificate>
+            MIIE8TCCA9mgAwIBAgIJAITusxON60cKMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD
+            VQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkx
+            GTAXBgNVBAoTEEluc3RydWN0dXJlLCBJbmMxEzARBgNVBAsTCk9wZXJhdGlvbnMx
+            IDAeBgNVBAMTF0NhbnZhcyBTQU1MIENlcnRpZmljYXRlMSIwIAYJKoZIhvcNAQkB
+            FhNvcHNAaW5zdHJ1Y3R1cmUuY29tMB4XDTEzMDQyMjE3NDQ0M1oXDTE1MDQyMjE3
+            NDQ0M1owgasxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5T
+            YWx0IExha2UgQ2l0eTEZMBcGA1UEChMQSW5zdHJ1Y3R1cmUsIEluYzETMBEGA1UE
+            CxMKT3BlcmF0aW9uczEgMB4GA1UEAxMXQ2FudmFzIFNBTUwgQ2VydGlmaWNhdGUx
+            IjAgBgkqhkiG9w0BCQEWE29wc0BpbnN0cnVjdHVyZS5jb20wggEiMA0GCSqGSIb3
+            DQEBAQUAA4IBDwAwggEKAoIBAQDHRYRp/slsoqD7iPFo+8UFjqd+LgSQ062x09CG
+            m5uW9smY/x2ig8hxfd05Dtk42wrA9frRh6QiEhtoy8qL/4g/LOmYq5USDdzLXsPF
+            /nqTVPkTOhGcuSpfJbxucRsMfGL6IvrGqLNxpyfroyV1dv9/fim+d6bs7js5k1i5
+            EkKksgVlnnpUpOx5pswWVcZICeIJwTMe1C0KHcpUMycZxMHueJ+Y7tWHtWW+R75T
+            QWdWjL+TevEL57B3cW19+9Sud2Y63DcwP6V0aDrwArxQwmp73uUb5ol6gSSvD+Ol
+            CIsf6S/5gqMdgqxJJsWqzBOTeDsVr8m2Dx3VX7Plho7pk06FAgMBAAGjggEUMIIB
+            EDAdBgNVHQ4EFgQUQy1zIfZP/NZKPYLGugNSjjBnTYgwgeAGA1UdIwSB2DCB1YAU
+            Qy1zIfZP/NZKPYLGugNSjjBnTYihgbGkga4wgasxCzAJBgNVBAYTAlVTMQ0wCwYD
+            VQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEZMBcGA1UEChMQSW5z
+            dHJ1Y3R1cmUsIEluYzETMBEGA1UECxMKT3BlcmF0aW9uczEgMB4GA1UEAxMXQ2Fu
+            dmFzIFNBTUwgQ2VydGlmaWNhdGUxIjAgBgkqhkiG9w0BCQEWE29wc0BpbnN0cnVj
+            dHVyZS5jb22CCQCE7rMTjetHCjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
+            A4IBAQC1dgkv3cT4KRMR42mIKgJRp4Jf7swUrtoAFOdOr1R6fjI/9bFNSVNgauiQ
+            flN6q8QA5B2sbDihiSqAylm9F34hpI3C3PvzSWzuIk+Z2FPHcA05CZtwrUWj1M0c
+            eBXxXragtR7ZYtIbEb0srzBfwoFYvWnLU7tM8t6wM6+1rxvOuQFVCCSXyptsGoBl
+            D9qyzAbyYDgJZYpbTjaA9bqhpkn/9CLN3JhNHLyBVr03fp3hQqNwZ2do9bFZBnW0
+            c5Dx9pbKTvC3TAUb2cwUD69yTYS1oq7//yIC2ha2ouzkV/VpB1fcF5YEj2pc6uaj
+            lOTDX4Eg7OBEkTzU8cX04b15bJfE
+          </X509Certificate>
+        </X509Data>
+      </KeyInfo>
+    </KeyDescriptor>
+
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                         Location="https://siteadmin.instructure.com/saml_logout"/>
+    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                              Location="https://siteadmin.instructure.com/saml_consume"/>
+    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                              Location="https://siteadmin.staging.instructure.com/saml_consume"/>
+    <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                              Location="https://siteadmin.beta.instructure.com/saml_consume"/>
+    <AssertionConsumerService index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                              Location="https://siteadmin.test.instructure.com/saml_consume"/>
+
+    <AttributeConsumingService index="0">
+      <ServiceName xml:lang="en">service</ServiceName>
+      <RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" />
+    </AttributeConsumingService>
+  </SPSSODescriptor>
+  <Organization>
+    <OrganizationName xml:lang="en">Canvas</OrganizationDisplayName>
+    <OrganizationDisplayName xml:lang="en">Canvas</OrganizationDisplayName>
+    <OrganizationURL xml:lang="en">https://www.canvaslms.com/</OrganizationDisplayName>
+  </Organization>
+  <ContactPerson contactType="technical">
+    <SurName>Administrator</SurName>
+    <EmailAddress>mailto:info@instructure.com</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>

data/spec/fixtures/xmlsec.txt

@@ -0,0 +1 @@
+<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_cdfc3faf-90ad-462f-880d-677483210684" IssueInstant="2015-02-12T22:51:29Z" Version="2.0"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984" NotBefore="2015-02-12T22:51:29Z" NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP"><saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>

data/spec/lib/attribute_consuming_service_spec.rb

@@ -0,0 +1,74 @@
+require_relative '../spec_helper'
+
+module SAML2
+  describe AttributeConsumingService do
+    describe "#create_statement" do
+      let(:acs) do
+        requested_attributes = [
+            RequestedAttribute.new('name', true),
+            RequestedAttribute.new('age')
+        ]
+        AttributeConsumingService.new('my service', requested_attributes)
+      end
+
+      it "should require name attribute" do
+        -> { acs.create_statement({}) }.must_raise RequiredAttributeMissing
+      end
+
+      it "should create a statement" do
+        stmt = acs.create_statement('name' => 'cody')
+        stmt.attributes.length.must_equal 1
+        stmt.attributes.first.name.must_equal 'name'
+        stmt.attributes.first.value.must_equal 'cody'
+      end
+
+      it "should include optional attributes" do
+        stmt = acs.create_statement('name' => 'cody', 'age' => 29)
+        stmt.attributes.length.must_equal 2
+        stmt.attributes.first.name.must_equal 'name'
+        stmt.attributes.first.value.must_equal 'cody'
+        stmt.attributes.last.name.must_equal 'age'
+        stmt.attributes.last.value.must_equal 29
+      end
+
+      it "should ignore extra attributes" do
+        stmt = acs.create_statement('name' => 'cody', 'height' => 73)
+        stmt.attributes.length.must_equal 1
+        stmt.attributes.first.name.must_equal 'name'
+        stmt.attributes.first.value.must_equal 'cody'
+      end
+
+      it "should materialize deferred attributes" do
+        stmt = acs.create_statement('name' => -> { 'cody' })
+        stmt.attributes.length.must_equal 1
+        stmt.attributes.first.name.must_equal 'name'
+        stmt.attributes.first.value.must_equal 'cody'
+      end
+
+      it "should match explicit name formats" do
+        acs.requested_attributes.first.name_format = 'format'
+        stmt = acs.create_statement([Attribute.new('name', 'cody', nil, 'format'),
+                                     Attribute.new('name', 'unspecified'),
+                                     Attribute.new('name', 'other', nil, 'otherformat')])
+        stmt.attributes.length.must_equal 1
+        stmt.attributes.first.name.must_equal 'name'
+        stmt.attributes.first.value.must_equal 'cody'
+      end
+
+      it "should match explicitly requested name formats" do
+        acs.requested_attributes.first.name_format = 'format'
+        stmt = acs.create_statement('name' => 'cody')
+        stmt.attributes.length.must_equal 1
+        stmt.attributes.first.name.must_equal 'name'
+        stmt.attributes.first.value.must_equal 'cody'
+      end
+
+      it "should match explicitly provided name formats" do
+        stmt = acs.create_statement([Attribute.new('name', 'cody', 'format')])
+        stmt.attributes.length.must_equal 1
+        stmt.attributes.first.name.must_equal 'name'
+        stmt.attributes.first.value.must_equal 'cody'
+      end
+    end
+  end
+end

data/spec/lib/attribute_spec.rb

@@ -0,0 +1,39 @@
+require_relative '../spec_helper'
+
+module SAML2
+  describe Attribute do
+    let(:eduPersonPrincipalNameXML) { <<XML.strip
+<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+  <saml:AttributeValue xsi:type="xsd:string">user@domain</saml:AttributeValue>
+</saml:Attribute>
+XML
+  }
+
+    it "should auto-parse X500 attributes" do
+      attr = Attribute.from_xml(Nokogiri::XML(eduPersonPrincipalNameXML).root)
+      attr.must_be_instance_of Attribute::X500
+      attr.value.must_equal "user@domain"
+      attr.name.must_equal Attribute::X500::EduPerson::PRINCIPAL_NAME
+      attr.friendly_name.must_equal 'eduPersonPrincipalName'
+      attr.name_format.must_equal Attribute::NameFormats::URI
+    end
+
+    it "should serialize an X500 attribute correctly" do
+      attr = Attribute.create('eduPersonPrincipalName', 'user@domain')
+      attr.must_be_instance_of Attribute::X500
+      attr.value.must_equal "user@domain"
+      attr.name.must_equal Attribute::X500::EduPerson::PRINCIPAL_NAME
+      attr.friendly_name.must_equal 'eduPersonPrincipalName'
+      attr.name_format.must_equal Attribute::NameFormats::URI
+
+      doc = Nokogiri::XML::Builder.new do |builder|
+        builder['saml'].Root('xmlns:saml' => Namespaces::SAML) do |builder|
+          attr.build(builder)
+          builder.parent.child['xmlns:saml'] = Namespaces::SAML
+        end
+      end.doc
+      xml = doc.root.child.to_s
+      xml.must_equal eduPersonPrincipalNameXML
+    end
+  end
+end

data/spec/lib/authn_request_spec.rb

@@ -0,0 +1,52 @@
+require_relative '../spec_helper'
+
+module SAML2
+  describe AuthnRequest do
+    let(:sp) { Entity.parse(fixture('service_provider.xml')).roles.first }
+    let(:request) { AuthnRequest.parse(fixture('authnrequest.xml')) }
+
+    describe '.decode' do
+      it "should not choke on empty string" do
+        authnrequest = AuthnRequest.decode('')
+        authnrequest.valid_schema?.must_equal false
+      end
+
+      it "should not choke on garbage" do
+        authnrequest = AuthnRequest.decode('abc')
+        authnrequest.valid_schema?.must_equal false
+      end
+    end
+
+    it "should be valid" do
+      request.valid_schema?.must_equal true
+      request.resolve(sp).must_equal true
+      request.assertion_consumer_service.location.must_equal "https://siteadmin.test.instructure.com/saml_consume"
+    end
+
+    it "should not be valid if the ACS url is not in the SP" do
+      request.stub(:assertion_consumer_service_url, "garbage") do
+        request.resolve(sp).must_equal false
+      end
+    end
+
+    it "should use the default ACS if not specified" do
+      request.stub(:assertion_consumer_service_url, nil) do
+        request.resolve(sp).must_equal true
+        request.assertion_consumer_service.location.must_equal "https://siteadmin.instructure.com/saml_consume"
+      end
+    end
+
+    it "should find the ACS by index" do
+      request.stub(:assertion_consumer_service_url, nil) do
+        request.stub(:assertion_consumer_service_index, 2) do
+          request.resolve(sp).must_equal true
+          request.assertion_consumer_service.location.must_equal "https://siteadmin.beta.instructure.com/saml_consume"
+        end
+      end
+    end
+
+    it "should find the NameID policy" do
+      request.name_id_policy.must_equal NameID::Policy.new(true, NameID::Format::PERSISTENT)
+    end
+  end
+end

data/spec/lib/entity_spec.rb

@@ -0,0 +1,45 @@
+require_relative '../spec_helper'
+
+module SAML2
+  describe Entity do
+    it "should parse and validate" do
+      entity = Entity.parse(fixture('service_provider.xml'))
+      entity.valid_schema?.must_equal true
+    end
+
+    it "should return nil when not valid schema" do
+      entity = Entity.parse("<xml></xml>")
+      entity.must_equal nil
+    end
+
+    it "should return nil on non-XML" do
+      entity = Entity.parse("garbage")
+      entity.must_equal nil
+    end
+
+    describe "valid schema" do
+      let(:entity) { Entity.parse(fixture('service_provider.xml')) }
+
+      it "should find the id" do
+        entity.entity_id.must_equal "http://siteadmin.instructure.com/saml2"
+      end
+
+      it "should parse the organization" do
+        entity.organization.display_name.must_equal 'Canvas'
+        entity.organization.display_name('en').must_equal 'Canvas'
+        entity.organization.display_name('es').must_equal nil
+        entity.organization.display_name(:all).must_equal en: 'Canvas'
+      end
+    end
+
+    describe Entity::Group do
+      it "should parse and validate" do
+        group = Entity.parse(fixture('entities.xml'))
+        group.must_be_instance_of Entity::Group
+        group.valid_schema?.must_equal true
+
+        group.map(&:entity_id).must_equal ['urn:entity1', 'urn:entity2']
+      end
+    end
+  end
+end