saml2 2.1.0 → 2.2.0

data/lib/saml2/role.rb

@@ -19,11 +19,22 @@ module SAML2
 
     attr_writer :supported_protocols, :keys
 
+    # Non-serialized field representing private keys for performing
+    # decryption/signing operations
+    # @return [Array<OpenSSL::PKey>]
+    attr_accessor :private_keys
+
+    # Non-serialized field representing fingerprints of certificates that
+    # you don't actually have the full certificate for.
+    attr_accessor :fingerprints
+
     def initialize
       super
       @supported_protocols = Set.new
       @supported_protocols << Protocols::SAML2
       @keys = []
+      @private_keys = []
+      @fingerprints = []
     end
 
     # (see Base#from_xml)

data/lib/saml2/signable.rb

@@ -13,9 +13,10 @@ module SAML2
           if signed_node == ''
             @signature = nil unless xml == xml.document.root
           elsif signed_node != "##{xml['ID']}"
+            @signature = nil
+          else
             # validating the schema will automatically add ID attributes, so check that first
             xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
-            @signature = nil
           end
         end
       end
@@ -41,24 +42,51 @@ module SAML2
     #   a match is found, the certificate embedded in the signature will be
     #   added to the list of certificates used for verifying the signature.
     # @param cert optional [Array<String>, String]
+    # @param allow_expired_certificate [Boolean]
+    #   If set to true, verification_time will be adjusted to be just within the
+    #   certificate's expiration time, so that an expired certificate error will
+    #   not be thrown.
     # @return [Array<String>] An empty array on success, details of errors on failure.
-    def validate_signature(fingerprint: nil, cert: nil, verification_time: nil)
+    def validate_signature(fingerprint: nil,
+                           cert: nil,
+                           verification_time: nil,
+                           allow_expired_certificate: false)
       return ["not signed"] unless signed?
 
       certs = Array(cert)
+      certs = certs.dup if certs.equal?(cert)
       # see if any given fingerprints match the certificate embedded in the XML;
       # if so, extract the certificate, and add it to the allowed certificates list
-      Array(fingerprint)&.each do |fp|
+      Array(fingerprint).each do |fp|
         certs << signing_key.certificate if signing_key&.fingerprint == KeyInfo.format_fingerprint(fp)
       end
       certs = certs.uniq
-      return ["no certificate found"] if certs.empty?
+      return ["no trusted certificate found"] if certs.empty?
+
+      verify_certificate = true
+      if signing_key
+        signing_cert = signing_key.certificate
+        if allow_expired_certificate
+          verification_time = signing_cert.not_after - 1
+        end
+
+        # we explicitly trust the signing certificate, but it's not self-signed;
+        # xmlsec is weird and decides not to trust it in that case, so we skip
+        # certificate verification by xmlsec, and do it ourselves
+        if certs.include?(signing_cert) &&  signing_cert.issuer != signing_cert.subject
+          verification_time ||= Time.now.utc
+          return ["certificate has expired"] if verification_time > signing_cert.not_after
+          return ["certificate is not yet valid"] if verification_time < signing_cert.not_before
+
+          verify_certificate = false
+        end
+      end
 
       begin
-        # verify_certificates being false is hopefully a temporary thing, until I can figure
-        # out how to get xmlsec to root a trust chain in a non-root certificate
-        result = signature.verify_with(certs: certs, verification_time: verification_time, verify_certificates: false)
-        result ? [] : ["signature does not match"]
+        result = signature.verify_with(certs: certs,
+                                       verification_time: verification_time,
+                                       verify_certificates: verify_certificate)
+        result ? [] : ["signature is invalid"]
       rescue XMLSec::VerificationError => e
         [e.message]
       end

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = '2.1.0'
+  VERSION = '2.2.0'
 end

data/spec/fixtures/certificate.pem

@@ -22,4 +22,3 @@ Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
 5y5OLZblsTw3CPgxgMcCiBSYXnO0VTpT9ANW/SpeSE8XnfumxUjsUtxO4qN4O2es
 ZtltN+yN40INHGRWnHc=
 -----END CERTIFICATE-----
-`

data/spec/fixtures/external-uri-reference-response.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="Rbd1ca4d500b80130b5178ada0d47c52294f418ad" Version="2.0" IssueInstant="2014-06-03T12:43:56Z" Destination="">
+ <saml:Issuer>https://app.example.com/saml/</saml:Issuer>
+ <samlp:Status>
+   <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+ </samlp:Status>
+ <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx9cb71b16-ad32-1735-fdcc-7a68b98ba9be" IssueInstant="2014-06-03T12:43:56Z">
+   <saml:Issuer>https://app.example.com/saml/</saml:Issuer>
+   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+     <ds:SignedInfo>
+       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+       <ds:Reference URI="http://localhost:2345/myserverallday">
+         <ds:Transforms>
+           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+         </ds:Transforms>
+         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+         <ds:DigestValue>Q40aDbTJ0gA35qMt9bk6RLDaHM8=</ds:DigestValue>
+       </ds:Reference>
+     </ds:SignedInfo>
+     <ds:SignatureValue>evqiVwhRAqUlLxQrzmmKQ/TNVseqj4k0dO8CghneerLLW5mHqOPLQrAFyBgr8BK5
+gqmnFnm8a6rjSuqMj8xCTVGq4jXwz38WXx8iYCP1pQJASzWPFq9HicHoGVo9UT7a
+xyrTA51M+HswpueFnwE8anx0llBDNisxjZMX7ixdwc8=</ds:SignatureValue>
+     <ds:KeyInfo>
+       <ds:X509Data>
+         <ds:X509Certificate>MIIECDCCAvCgAwIBAgIUH1Nywt/+Cklv5RvuPPer8PNG7ggwDQYJKoZIhvcNAQEFBQAwUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA3J1YjEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDM1Mzc2MB4XDTEzMTEyNjE2MjgwN1oXDTE4MTEyNzE2MjgwN1owUzELMAkGA1UEBhMCVVMxDDAKBgNVBAoMA3J1YjEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDM1Mzc2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxINN52pg/eD9k4REEKq+1VQ+f7RxYVm0D2iTpJjFhBCi8jKhwMgQGqt/4x3iTx6i0swgi0xZIwMdsBlAB/83AFuXSK6hmZCY08zyM7x+wvj3EWwwC6fokvZvbb0PuIg7d4xgkMiSpDsCMg9XiDJytp8Obokmc0EPc0xEWdwIIwhPpy4TAdswcD5aTXnBn9fB/KRdmVR7VvnqCWqdTmOd3RxvvpcnLOHsycumGLVWukBNxHExALU6yTGMesJbg0fPhoN+MHxNYfe8NWBKFVEjdcvfVC9Ivemzj2xGDU1xMZ+v8uqt0pVV1LOmNcs5CvpMhZFSQFcu8dk77AAY2MJthQIDAQABo4HTMIHQMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFK2I7+srPutX2VzEnIwGmtCofTuhMIGQBgNVHSMEgYgwgYWAFK2I7+srPutX2VzEnIwGmtCofTuhoVekVTBTMQswCQYDVQQGEwJVUzEMMAoGA1UECgwDcnViMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgMzUzNzaCFB9TcsLf/gpJb+Ub7jz3q/DzRu4IMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAnfgwE60ClcQ80b+GaFtEImzWlW7jIxpljSeRJ9Rbd6SSRxSck0Xwz17jtCnOaBeQ2igGyQfJA5R2OymaG9RqehGFdVEFbPC4OFwO1byUoGII9tReSKqtlemaEamgDLoYnnGVjFQ4/0EX4Ax2SjKNqwt+TgQykixfoo4GmCeFSSZnkoOEHUUWRDLqKK40AySnO8qA38g7fL+calsjqIcefy5Z5X1uybcFuif4IRvB6FpOMTPNj507cpCuqZw/sujVO+I00XD9VwuPT6TH9WerJp4Ye8J4HynADKsg6oJd61cqvQn33seNLIB/uA2U2uK/EY5c7m3I2VDgBDODbNZTng==</ds:X509Certificate>
+       </ds:X509Data>
+     </ds:KeyInfo>
+   </ds:Signature>
+   <saml:Subject>
+     <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
+     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+       <saml:SubjectConfirmationData NotOnOrAfter="2014-06-03T12:46:56Z" Recipient=""/>
+     </saml:SubjectConfirmation>
+   </saml:Subject>
+   <saml:Conditions NotBefore="2014-06-03T12:40:56Z" NotOnOrAfter="2014-06-03T12:46:56Z">
+     <saml:AudienceRestriction>
+       <saml:Audience/>
+     </saml:AudienceRestriction>
+   </saml:Conditions>
+   <saml:AuthnStatement AuthnInstant="2014-06-03T12:43:55Z" SessionNotOnOrAfter="2014-06-04T12:43:56Z" SessionIndex="_c01bb660-cd47-0131-de03-782bcb56fcaa">
+     <saml:AuthnContext>
+       <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+     </saml:AuthnContext>
+   </saml:AuthnStatement>
+ </saml:Assertion>
+</samlp:Response>

data/spec/fixtures/othercertificate.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEKzCCAxOgAwIBAgIJAPuxHXVDuOfZMA0GCSqGSIb3DQEBCwUAMIGrMQswCQYD
+VQQGEwJVUzENMAsGA1UECAwEVXRhaDEXMBUGA1UEBwwOU2FsdCBMYWtlIENpdHkx
+GTAXBgNVBAoMEEluc3RydWN0dXJlLCBJbmMxEzARBgNVBAsMCk9wZXJhdGlvbnMx
+IDAeBgNVBAMMF0NhbnZhcyBTQU1MIENlcnRpZmljYXRlMSIwIAYJKoZIhvcNAQkB
+FhNvcHNAaW5zdHJ1Y3R1cmUuY29tMB4XDTE3MDQwODIxMDQwNVoXDTE5MDQyMjIx
+MDQwNVowgasxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5T
+YWx0IExha2UgQ2l0eTEZMBcGA1UECgwQSW5zdHJ1Y3R1cmUsIEluYzETMBEGA1UE
+CwwKT3BlcmF0aW9uczEgMB4GA1UEAwwXQ2FudmFzIFNBTUwgQ2VydGlmaWNhdGUx
+IjAgBgkqhkiG9w0BCQEWE29wc0BpbnN0cnVjdHVyZS5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDOokl8TPWm4LL6rqEnPjL0t5QWw76WOTA9JzLJ
+xjKwtIWlGAlyRQ+gEmD5vaFAzoYl62BIm2yCy+EdUR9D/3X9Hq+22ysy7pWj8rda
+JeQ1XAX2xMlphZhMHnKdKBfDxLMaIEKQg942xBTkY3yeDsc8YezR0sSBToumQs23
+PVnIq7u1U+UAry0Q33ovmJRV50kQk3Qccl6omSDXezUIB+LYqI2ghoIo/+XfHaPe
+pHWj3XnXKBGtlDIpUbgVIbqdHcsE9uRHK6YfeiWqX+fW0h8rcn5z3cj5awzYJ8kk
+GKACS6TNccfFCouMoKskBB4ot2WBuIKEyJNqg7kn/wlCzsoHAgMBAAGjUDBOMB0G
+A1UdDgQWBBQ3lOrDsVPyDFZyZhjbbLZpdStYODAfBgNVHSMEGDAWgBQ3lOrDsVPy
+DFZyZhjbbLZpdStYODAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBy
+mkrTdaGCS5wSswAKwHmrTdZQdD4ksXszvQKZEiLtenoDyE7JomCME1a5BaGuDjaD
+BbVEO8StAEjQeCoGCkW0tkqBfgwSNGaIZp7SXcMSHN866D1r7whwjAXSehVSf1LS
+XYyMh2wcgbKVZB71EP8hIG37fl5dcCZJ+qhnExTf+EXgf3MwuE3eTnuiXem2F0lz
+1Vj8vkef+qr9wdSHoZ/L9Xje03wYSAT0J2KlbkUZNb/me6ZxeOWMWbCsYu4+OBfc
+Wi+n2KDSFd6xI4DLm0685DP4hzlycGDiUmOHrt/ZpZEVBs1d/ooxfZhs6dCEUyUn
+SQJDMGy5cRRcanOu2OwE
+-----END CERTIFICATE-----

data/spec/fixtures/response_tampered_certificate.xml

@@ -0,0 +1,25 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer>issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<Reference URI="#_cdfc3faf-90ad-462f-880d-677483210684">
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<DigestValue>HFJ1RMKtE+J23K/mQqdClLWsdjwboU9M+uTX+PcN/LU=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>oRUU3idevSgM2QCidYqLAL5Ki2H8qxvkIVw9yNrbv9Mg2D7126wPMerWyKeP+ops
+6ploHMV0MQRyEFA+4PJ3ZsBU1daVSt3plh+6Szm5zIhWUEc3HhvQirv5IP1lfcxQ
+IopKnpiZkH9QMLolCLMIfCbOIuIfmssmsEagU/S3aoRVgZLA/x15z2hNEiB+tMqr
+Elc7i5V81ztnEx47yJhf/mAiZcnLqpnbpJ9XN4NF43QSgkRNU4vCQsx0zA6gj9MB
+D5h/CKy7KMn+LtaLkHIfv6Y//xN+61PrQ7sr5FIsCGg9XBvXC3PrwEVdADx4/dZO
+JrJ/DBFeEc8K1KSMXm5qrQ==</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-02-12T22:51:24Z" NotOnOrAfter="2015-02-12T22:51:59Z"><saml:AudienceRestriction><saml:Audience>http://siteadmin.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/response_tampered_signature.xml

@@ -0,0 +1,46 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z" Destination="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"><saml:Issuer>issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="_cdfc3faf-90ad-462f-880d-677483210684" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"><saml:Issuer>issuer</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+<Reference URI="#_cdfc3faf-90ad-462f-880d-677483210684">
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<DigestValue>HFJ1RMKtE+J23K/mQqdClLWsdjwboU9M+uTX+PcN/LU=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>oRUU3idevSgM2QCidYqLAL5Ki2H8qxvkIVw9yNrbv9Mg2D7126wPMerWyKeP+ops
+6ploHMV0MQRyEFA+4PJ3ZsBU1daVSt3plh+6Szm5zIhWUEc3HhvQirv5IP1lfcxQ
+IopKnpiZkH9QMLolCLMIfCbOIuIfmssmsEagU/S3aoRVgZLA/x15z2hNEiB+tMqr
+Elc7i5V81ztnEx47yJhf/mAiZcnLqpnbpJ9XN4NF43QSgkRNU4vCQsx0zA6gj9MB
+D5h/CKy7KMn+LtaLkHIfv7Y//xN+61PrQ7sr5FIsCGg9XBvXC3PrwEVdADx4/dZO
+JrJ/DBFeEc8K1KSMXm5qrQ==</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
+BAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQKEw5Db2R5IFNBTUwgVGVzdDEk
+MCIGA1UEAxMbaHR0cDovL3Nzby5jYW52YXMuZGV2L1NBTUwyMB4XDTE1MDIwOTIy
+MTkxOVoXDTE1MDMxMTIyMTkxOVowWzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0
+YWgxFzAVBgNVBAoTDkNvZHkgU0FNTCBUZXN0MSQwIgYDVQQDExtodHRwOi8vc3Nv
+LmNhbnZhcy5kZXYvU0FNTDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCwlbZhVkDi6YAHFpkxSoInc9Jrmezv0XKi8YzrDzO9Y7zHJlYygUQmgvD4I5fQ
+tVW8sbp7gS5cCBmjbGJRXx3996qLq12//WLYMDkHktrbU1zZ6vsJ8ajHyQv4OFvq
+qBnForSkuJbNi/QVTKiwbbBOZ75CbNBs1InoMN5MY2S5NhG9JhLjpktxNKfXFEi5
+Wr0rc2T0lSbTHv7L6DUFKeKX7uK9bNREozZDwkyYUHZl1Vez88WiJw7CmzNEnm5v
+13M6e60788M7E5FZBkTDkFK5+RV10ycYYNN7E8l0HzWSaB4+aJhKsK/Q7Yv+MG/j
+Oj8KMeZvEJfhxx1Dz8idgy8RAgMBAAGjgcAwgb0wHQYDVR0OBBYEFOvkP77RRJET
+X//KwdohNVfZBSvbMIGNBgNVHSMEgYUwgYKAFOvkP77RRJETX//KwdohNVfZBSvb
+oV+kXTBbMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEChMOQ29k
+eSBTQU1MIFRlc3QxJDAiBgNVBAMTG2h0dHA6Ly9zc28uY2FudmFzLmRldi9TQU1M
+MoIJAIz/He5UafnhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAQ6
+iucYVoOHBXHGybLUj8i3yZEI8C0mZQ/NBsihMGBP58vNSSKUJr4JPvYUIudwkLVH
+T1FWdfMVVVUxqJvCFWfWcpCyKTe4FQ0WyTasq1F9LtCaeMczlkpK+E2XBlNyPGoo
+1fCDO6pXD7EIOprIFl3blspb5ROF8lCESjFKmyxVGHEOMs2GA0cX3xvW+AvCbYUC
+Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
+5y5OLZblsTw3CPgxgMcCiBSYXnO0VTpT9ANW/SpeSE8XnfumxUjsUtxO4qN4O2es
+ZtltN+yN40INHGRWnHc=</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-02-12T22:51:24Z" NotOnOrAfter="2015-02-12T22:51:59Z"><saml:AudienceRestriction><saml:Audience>http://siteadmin.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/response_with_encrypted_assertion.xml

@@ -0,0 +1,58 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                ID="_9a15e699-2d04-4ba7-a521-cfa4dcd21f44" Version="2.0" IssueInstant="2015-02-12T22:51:29Z"
+                Destination="https://siteadmin.test.instructure.com/saml_consume"
+                InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984">
+  <saml:Issuer>issuer</saml:Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:EncryptedAssertion>
+    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
+          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+            <KeyName/>
+          </KeyInfo>
+          <CipherData>
+            <CipherValue>TyII9BENRVZpAFr5D4pVan4bfLdHW0BhnTZElAcq2beO7tYeV7yQH3LxyCy/eWYz
+              2AF69eFTPMFHSDqRKyHwqAeM2tfAQxgQmDTXWMESBND8CmgRLU4r5I0aV0gfLlfA
+              JmCeYavG8SbySnJ+WMNle/AAx9z3iN95+yIrZJ03HV/V7CXU1N3Dc84UAjRS3JNs
+              VO9woqtQd/Yq89wnrl8plfGTlzQChKlpZiY4eENBo432dA97ixjPfqnceBXE8oRt
+              LX2YrM1g1NazpWk2qHcxC/J7YBHbrY+pwUlMYL6KG6Et460lXX35dU5/R5avVZhP
+              DkzURwKKRC0BRfMDSuznAQ==</CipherValue>
+          </CipherData>
+        </EncryptedKey>
+      </KeyInfo>
+      <CipherData>
+        <CipherValue>wb+NaImnUFi7gdRSTIIK7H9Req2SLC0K2ayQURsSYLRnlMwoNOxK2JLj52hy2a1/
+          5PD2456UEM9u6M/CfsLkAp4pa0eOuluSiXB0zPaBYsdfQyzyGfWnzIzqNBIJT4Kv
+          BxmBrL/JY+ZXCArw16Z4gcS1xYL2afx67Q1bdlzEZwBPW5el8IsVMA0gob3Bmr7E
+          nEP13R2OQppdqHhV5Fl7LnARJoeXVLwB2ZG3SwxVvdOJzNKBGQdudU8eDeZVm6Le
+          dR0viMhKN2lI6L2UxOdDaziO+Zzz4kJUQGT5sf3M84dmx6QJcY/0JIQ8Ybb7T7Pz
+          IRtEkeANdDgV9gGA+mIuJZyxTazPStMGl7bbwqC1EPsXKXFxIy6Nki1lvrOfUc2K
+          Jn+ee5mr6NppiwD6g2Fv9OzJWFSJxn5RyYswgw5jydaZOFBDPBFysNb/0Rd8fYk5
+          ona1pTe/9tCws++faXWt2vVYIa3n4qOvWadW/Np71MGFZN/Peg/L218OoMCgXB4k
+          AC48GOLsHKIQ4ea+wnAaeyzYG2DZUzvmg9CH8KhtbSm/qt5MxMjt/2lC1RcBK7+l
+          onJUmTx0EXlr2MdOg4GO2B8veW8BA5VFPTQOjBCP5yyILUyeNR9HzxHnEIU5NI5h
+          EUqWaNngGTHYTsmcwI0OeLzI4KIn3Hb7B5OncAr/hD5Y8ar565hIY15BVN3JaDKs
+          pqLqVvU1VvgopIO4KyRnqNtWTqTflRbgm6TVJ0rZtmiizMD4GLgNWc18zlyBouJi
+          07INnTKhqOX6PAmb88kaelSMr9Dq/DpLpW2My594RCVApVAwo1ZSvzmrpy0jfW8/
+          L2O+Xb3GCzJuu5xyS5GUfENS2hq+RQgq27IXW6OUNfr2utaUZesCCGxLBzAtTZpz
+          g80vpYanezGJl0DsF+1L21rvcErwPphvFwWbukyug9ngVzzZfEh7vRbX1Gn+Humr
+          1c3cppkDxPdROzaFmMmo4QA71u0u3GhTO6mansAnQpwzaYwBjCIybkzlVJN9DFaL
+          0Q3xfaHi+6dVNHJFTd/cx0qUXetSCmO5dwWK5Z26RoZIZyrVfIYNpNGYh1vIWlj3
+          LH4BLgzTMiYP15reKtHANuxy4SU6ulAJ2DrODwUwq0dsKnBzZCeWSt4M7zwAc4mj
+          bFTgDcNZGIKkwdizzAZmmTx3hYNp7llyZP3bEGOc3Aadgzj87srI0KpAcOt+aFCw
+          nTr02e+7DFKrOwIlrUeVk3GQ1gpbl+W1iHbixv0LGRVg5KphJ2zNlrunIbvTEZWq
+          Z0wBvsV+PQEcZUkOaif9wHseq8crJEa2KQS5IHKvHJxC9MCTtmTKN99JIVjI4Ytf
+          43/pu6Sg9jzN67WcsLEoN4ykTo5a6XRBEEvO2tPehh9b0e+VCeL/wSkQ2sYqiGhR
+          BLSbO+5vXRf54iKIkv9/lUSRL+ihc9Balz+6q+dLwu8OKELprsXrXPcX6oQFVmu6
+          gnNXGR0BqVuSSZvp/mYicaOJDnNkPhiiBNzanfXhjZNuBLKtP3smxWWD7CogRdPl
+          a9dhOZAX0wvIbjDUkFB32SUnSoh7oTU3Jcg/RjRY+TxDBnh2f3/R3jm5HXm/sifM
+          6xBwqisHA4cPi9bcY1Ig6w==</CipherValue>
+      </CipherData>
+    </EncryptedData>
+  </saml:EncryptedAssertion>
+</samlp:Response>

data/spec/fixtures/test3-response.xml

@@ -0,0 +1,9 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_32f10e8e465fcef72368e220faeb81db4c72f0c687" Version="2.0" IssueInstant="2012-08-03T20:07:15Z" Destination="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_32f10e8e465fcef72368e220faeb81db4c72f0c687"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>S6Ne11nB7g1OyQAGYrFEOnu5QAQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>mgqZUiA3matrj6Zy4Dl+1ghsgoOl8wPH2mrFM9PAqrYB0skuJUZhYUkCegEbEX9WROEhoZ2bgwJQqeUPyX7leMPe7SSdUDNKf9kiuvpcCYZs1lFSEd51Ec8f+HvejmHUJAU+JIRWpp1VkYUZATihwjGLok3NGi/ygoajNh42vZ4=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_6212b7e8c069d0f948c8648991d357addc4095a82f" Version="2.0" IssueInstant="2012-08-03T20:07:15Z"><saml:Issuer>http://phpsite/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_6212b7e8c069d0f948c8648991d357addc4095a82f"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>kaZN1+moS328pr2zn8SKUML1ElI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>1kUEkG33ZGQMf/1H1gzqBOhT5N2I35vM04Jp67xVjnZXF54AqPq1ZaM+Wjgx++AjEbL7ksaYuM3JSyK7GlZ77VmzpLsMqn4eM00K7Y+CeZy5LB24vcngXPxBk6BdUYkVk0vOsUfAAZ+mRX/zzBW7Z4C7qbjNGhAAJgi13JoBWpU=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard1.localdomain/saml2" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3b3e7714b72e29dc4290321a075fa0b73333a4f25f</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2012-08-03T20:12:15Z" Recipient="http://shard1.localdomain:3000/saml_consume" InResponseTo="d0016ec858d92360c597a01d155944f8df8fdb116d"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2012-08-03T20:06:45Z" NotOnOrAfter="2012-08-03T20:12:15Z"><saml:AudienceRestriction><saml:Audience>http://shard1.localdomain/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2012-08-03T20:07:15Z" SessionNotOnOrAfter="2012-08-04T04:07:15Z" SessionIndex="_02f26af30a37afb92081f3a73728810193efd7fa6e"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:type="xs:string">student@example.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/test6-response.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_641f919c529eb4b9c2c6447d577483256d45ac9c43" Version="2.0" IssueInstant="2014-09-16T22:15:53Z" Destination="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_641f919c529eb4b9c2c6447d577483256d45ac9c43"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>JjgISND0GviF1NMyrGHvCAAjQTE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>sHnaxEHN/COmtv0AzcnLV5GT2iOp9jtIo3cLeyO/ByzytLlWr5T7SKUK9pl3vs1faLiFm/S5r62srB/nf7AWFG0VRGi2QXb/gqu9A0Bm1PnqTRAtHHxH1E8oVKadiNTP1GXtmYphCgnM3ZCW6g7wUt/uS8+7sU9Q1TOTAVPzNso=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_3213cbee5db3b66a763035443e746877d161f0a7a5" Version="2.0" IssueInstant="2014-09-16T22:15:53Z"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_3213cbee5db3b66a763035443e746877d161f0a7a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fVMHYHwOvYPwyftkUgdYe0MREmM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hVs09lhchv3LKLa/JHNUkDB8Ze7p8g+HFoZmim2vZzvO0DX6SBT9dYDyJgHSwpyfNUr5Ba70/4Sw9/uGFBjhCqe1oQ5VqbmZW34ugvvXShzcnt6v/8S4e2tgOpnUS3XfQwYLt8Rq4k1D9fr3SdWws5UGbt5pSYGGyYgY+1AB9ow=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard-2.canvas.dev/saml2" Format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">testuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-09-16T22:20:53Z" Recipient="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-09-16T22:15:23Z" NotOnOrAfter="2014-09-16T22:20:53Z"><saml:AudienceRestriction><saml:Audience>http://shard-2.canvas.dev/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-09-16T22:15:53Z" SessionNotOnOrAfter="2014-09-17T06:15:53Z" SessionIndex="_9f28445329a5ada29cca3cfae83a08d289d0816bc0"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas</saml:AttributeValue></saml:Attribute><saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas Üser</saml:AttributeValue></saml:Attribute><saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Üser</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/test7-response.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_641f919c529eb4b9c2c6447d577483256d45ac9c43" Version="2.0" IssueInstant="2014-09-16T22:15:53Z" Destination="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_641f919c529eb4b9c2c6447d577483256d45ac9c43"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>JjgISND0GviF1NMyrGHvCAAjQTE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>sHnaxEHN/COmtv0AzcnLV5GT2iOp9jtIo3cLeyO/ByzytLlWr5T7SKUK9pl3vs1faLiFm/S5r62srB/nf7AWFG0VRGi2QXb/gqu9A0Bm1PnqTRAtHHxH1E8oVKadiNTP1GXtmYphCgnM3ZCW6g7wUt/uS8+7sU9Q1TOTAVPzNso=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_3213cbee5db3b66a763035443e746877d161f0a7a5" Version="2.0" IssueInstant="2014-09-16T22:15:53Z"><saml:Issuer>http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_3213cbee5db3b66a763035443e746877d161f0a7a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fVMHYHwOvYPwyftkUgdYe0MREmM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hVs09lhchv3LKLa/JHNUkDB8Ze7p8g+HFoZmim2vZzvO0DX6SBT9dYDyJgHSwpyfNUr5Ba70/4Sw9/uGFBjhCqe1oQ5VqbmZW34ugvvXShzcnt6v/8S4e2tgOpnUS3XfQwYLt8Rq4k1D9fr3SdWws5UGbt5pSYGGyYgY+1AB9ow=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://shard-2.canvas.dev/saml2" Format="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">testuser<!-- comment -->@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-09-16T22:20:53Z" Recipient="http://shard-2.canvas.dev/saml_consume" InResponseTo="ffb009599eec994f0a4cbadbff1628f90695e44d22"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-09-16T22:15:23Z" NotOnOrAfter="2014-09-16T22:20:53Z"><saml:AudienceRestriction><saml:Audience>http://shard-2.canvas.dev/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-09-16T22:15:53Z" SessionNotOnOrAfter="2014-09-17T06:15:53Z" SessionIndex="_9f28445329a5ada29cca3cfae83a08d289d0816bc0"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">testuser@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas</saml:AttributeValue></saml:Attribute><saml:Attribute Name="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Canvas Üser</saml:AttributeValue></saml:Attribute><saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Üser</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/xml_missigned_assertion.xml

@@ -0,0 +1,84 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e5d6a82d-17b4-4bbb-9875-d76ba51fd4d6" Version="2.0" IssueInstant="2015-02-27T19:12:52Z" Destination=""><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe4" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+<Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe4">
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+<DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
+kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
+kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
+cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
+CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
+MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
+QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
+T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
+SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
+EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
++q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
+tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
+sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
+dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
+AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
+7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
+hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
+3CcHYg==</X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature></saml:Assertion>
+
+  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe5" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+    <SignedInfo>
+      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe5">
+        <Transforms>
+          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </Transforms>
+        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
+      </Reference>
+    </SignedInfo>
+    <SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
+      kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
+      kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
+    <KeyInfo>
+      <X509Data>
+        <X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
+          BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
+          cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
+          CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
+          MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
+          QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
+          T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
+          SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
+          EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
+          +q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
+          tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
+          sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
+          VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
+          dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
+          AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
+          /zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
+          7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
+          hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
+          3CcHYg==</X509Certificate>
+      </X509Data>
+    </KeyInfo>
+  </Signature></saml:Assertion>
+
+</samlp:Response>

data/spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml

@@ -0,0 +1,11 @@
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="Rca160a86480551b76b463ee206bd8deeb47a11f8" IssueInstant="2014-02-01T13:48:10.831Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://app.onelogin.com/saml/metadata/344357</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><saml2p:StatusDetail><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx77d6c794-8295-f1c4-298e-c25ecae8046d" IssueInstant="2014-02-01T13:48:10.831Z" Version="2.0"><saml2:Issuer>https://app.onelogin.com/saml/metadata/344357</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">evilnds1@gmail.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2014-02-01T13:51:10.831Z"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2014-02-01T13:45:10.831Z" NotOnOrAfter="2014-02-01T13:51:10.831Z"><saml2:AudienceRestriction><saml2:Audience/></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2014-02-01T13:48:10.831Z" SessionIndex="_f918ae80-4092-0131-57de-782bcb56fcaa" SessionNotOnOrAfter="2014-02-01T14:48:10.831Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:StatusDetail></saml2p:Status><saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx77d6c794-8295-f1c4-298e-c25ecae8046d" IssueInstant="2014-02-01T13:48:10.831Z" Version="2.0"><saml2:Issuer>https://app.onelogin.com/saml/metadata/344357</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx77d6c794-8295-f1c4-298e-c25ecae8046d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>YgLTtFKmQhg5sI6ri4RCWW4bNl8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>BWA+UYpDNnJ6kqNFEHEFiAgumplPQxzdjuEKbnZldkNE2tCvQdZ46dil0G0375dRKtRTZKLV3aL/JyhJ7hJ835IldfJ2AhDfpI+jr+KjF06amx1o6lOy0qBo0U/HzCRaG8c/ZS1BUW2eMJrBFg0QvKN5uzwst8epIa3QRaBXt5o=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICRzCCAbCgAwIBAgIIFH/2Xc6W0VYwDQYJKoZIhvcNAQEFBQAwZjEQMA4GA1UEBhMHVW5rbm93
+bjEQMA4GA1UEBxMHVW5rbm93bjEXMBUGCgmSJomT8ixkARkWB1Vua25vd24xEjAQBgNVBAsTCXBl
+blRlc3RlcjETMBEGA1UEAxMKd3NhdHRhY2tlcjAeFw0xMzA4MTcxMDAwMjZaFw0xNDA4MTcxMDAw
+MjZaMGYxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xFzAVBgoJkiaJk/IsZAEZ
+FgdVbmtub3duMRIwEAYDVQQLEwlwZW5UZXN0ZXIxEzARBgNVBAMTCndzYXR0YWNrZXIwgZ8wDQYJ
+KoZIhvcNAQEBBQADgY0AMIGJAoGBAIvdbrUPV/hHq0if17Ut1UyJHYvkfsKD7WU/QshqEc3Iefti
+2jsOG6hecBGZzwEfk0V2OFIO/xkmnvf21uTnNI6ktVypBEPCRWyAYjUguettLv9gi+6vlP0OZUC9
+b+ilu3QykIADFfgTJ9sR5x3zKVzlhFlckaYZoI+ajG/On961AgMBAAEwDQYJKoZIhvcNAQEFBQAD
+gYEAF2UzN7k3+rc5NE84FqzgeX7T/QY5ZSjiSCzDTg92a41Gmw95fF3UqGfxSBZOwRdm618PhAGV
+6lYq8ok4mbrTA7F/11lyFwmMSjRizjtznQmtVVXPZVfutNv8oaIRr2cyGf9pxCfpCG0jyXvusX22
+q9PkfQW/qHgIaBovmMd2Jak=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob.trust@gmx.de</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2014-02-01T13:51:10.831Z"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2014-02-01T13:45:10.831Z" NotOnOrAfter="2014-02-01T13:51:10.831Z"><saml2:AudienceRestriction><saml2:Audience/></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2014-02-01T13:48:10.831Z" SessionIndex="_f918ae80-4092-0131-57de-782bcb56fcaa" SessionNotOnOrAfter="2014-02-01T14:48:10.831Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>