saml_camel 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e0e20021e2de63470880efb9945ec8b5c12753b5
-  data.tar.gz: 052896eea287da266b34d697cf289395b0a8f005
+  metadata.gz: 10d5430e20fe2c208e8f6b5c23eb6619cab0c2a1
+  data.tar.gz: c41a7aca05f8d811e970d49cca9b46dafdbbe3a0
 SHA512:
-  metadata.gz: b9647a4c8bb82f637ff715ddb3e06970d3e505bd3907c3d198ab5a2f4aa45664ec0323a732015d33a476d334b813a1f36c8c6266d4c9cdf4c6ece2777b0de671
-  data.tar.gz: 8119f4a0ff3a33c5c0772599e38487d3598662119c2fb3effd5939a18d12df72552fe26c603a65607f76af1a248cd733aed6e92efb3465a89d0b918105353f8d
+  metadata.gz: c9ce2f9753fd6fe3dfc8ef4e3bd71b51d507ddc3b488f5c8a69312bc0ee739c71212e5d43e374bc603e1f0294a21a908bade01758e2609695a5550e64d4ebcd1
+  data.tar.gz: 710161acccafad9bd900433440881c96d6bca2f392cc0320a91e3225dfd85144d9a912ece2c084608f5d23d78b661870b5343469472073f9f6820537db6b3196

data/README.md

@@ -83,8 +83,10 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
 9. Logging is turned on by default. Logging is configured in `config/saml/development/settings.json`. To utilize logging saml_logging should be set to true (default), and primary_id must have a value. primary_id is the saml attribute you consider to be a primary identifier for a user
 
 
-10. Users can go to http://localhost:3000/saml/attributes to view attributes being passed through
-
+10. Convenience Endpoints (assuming enginte is mounted to `saml` path):
+  - `/saml/attributes` view attributes being passed through
+  - `/saml/metadata` generate metadata for your sp
+  - `/saml/testAuthn` forces authentication and returns decrypted saml response, test auth path must be set to `true` in settings
 
 ## Example settings.json
 ```json
@@ -92,13 +94,16 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
   "_comment": "note you will need to restart the application when you make changes to this file",
   "settings": {
     "acs": "http://localhost:3000/saml/consumeSaml",
-    "entity_id": "https://samlCamel.com/doesNotResolve",
+    "raw_response_acs": "http://localhost:3000/saml/consumeSaml/rawResponse",
+    "entity_id": "https://samlCamel.com/doesNotHaveToResolve",
     "sso_url": "https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO",
     "logout_url": "https://shib.oit.duke.edu/cgi-bin/logout.pl",
     "primary_id": "eduPersonPrincipalName",
     "sp_session_timeout": 1,
     "sp_session_lifetime": 8,
-    "saml_logging": true
+    "test_auth_path": true,
+    "saml_logging": true,
+    "debug": false
   },
   "attribute_map": {
     "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
@@ -123,6 +128,13 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
 }
 ```
 
+## Testing
+If saml_protect is called during testing the app will more than likely hang as it is
+waiting for a user to authenticate at the idp. To get around this you have two options:
+
+1. You can not call saml_protect in the test environment and mock your users
+2. Use `SamlCaml::ServiceProvider.mock_saml_cache(permit_key: 'some permit key', ip_address: 'enter your host ip here')`. This will setup a cache(note caching for test must be enabled). In addition you will need to mock to session variables. set `session[:sp_session]` to `Time.now` and set mock attributes in `session[:saml_attributes]`  
+
 
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/app/controllers/concerns/saml_camel/saml_service.rb

@@ -1,6 +1,9 @@
-require_dependency "saml_camel/application_controller"
+# frozen_string_literal: true
 
-module SamlCamel::SamlService
+require_dependency 'saml_camel/application_controller'
+
+# Helper Methods for SamlController
+module SamlCamel::SamlService # rubocop:disable Style/ClassAndModuleChildren
   extend ActiveSupport::Concern
 
   def cache_available?(app_cache)
@@ -12,24 +15,26 @@ module SamlCamel::SamlService
     end
   end
 
-  def saml_protect
+  # TODO: refactor
+  def saml_protect # rubocop:disable Metrics/MethodLength, Metrics/AbcSize:
     user_cache = cache_available?(Rails.cache.fetch(session[:saml_session_id])) if session[:saml_session_id]
     if session[:saml_session_id] && user_cache
-      sp = SamlCamel::ServiceProvider.new(cache_permit_key: session[:saml_session_id].to_sym, saml_attributes: session[:saml_attributes])
-      session[:sp_session] = sp.validate_sp_session(session[:sp_session],request.remote_ip)
-      unless (session[:saml_response_success] || session[:sp_session])
+      sp = SamlCamel::ServiceProvider.new(
+        cache_permit_key: session[:saml_session_id].to_sym,
+        saml_attributes: session[:saml_attributes]
+      )
+      session[:sp_session] = sp.validate_sp_session(session[:sp_session], request.remote_ip)
+      unless session[:saml_response_success] || session[:sp_session]
         saml_request_url = sp.generate_saml_request(request)
         redirect_to(saml_request_url)
       end
-
     else
       session[:saml_session_id] = SamlCamel::ServiceProvider.generate_permit_key
-      saml_request_url = SamlCamel::ServiceProvider.new(cache_permit_key: session[:saml_session_id].to_sym).generate_saml_request(request)
+      saml_request_url = SamlCamel::ServiceProvider.new(
+        cache_permit_key: session[:saml_session_id].to_sym
+      ).generate_saml_request(request)
       redirect_to(saml_request_url)
     end
-    session[:saml_response_success] = nil #keeps us from looping
+    session[:saml_response_success] = nil # keeps us from looping
   end
-
-
-
 end

data/app/controllers/saml_camel/application_controller.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 module SamlCamel
+  # application controller
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception
   end

data/app/controllers/saml_camel/saml_controller.rb

@@ -1,53 +1,54 @@
-require_dependency "saml_camel/application_controller"
+# frozen_string_literal: true
 
+require_dependency 'saml_camel/application_controller'
 module SamlCamel
+  # handles SamlCamel SP
   class SamlController < ApplicationController
     include SamlCamel::SamlService
-    skip_before_action :verify_authenticity_token ,only: [:consume,:logout]
+    skip_before_action :verify_authenticity_token, only: %i[consume logout raw_response]
     before_action :saml_protect, only: [:attr_check]
 
+    def attr_check; end
+    # consumes the saml response from the IDP
+    # TODO break out into separate methods if possible
+    # TODO rubocop also suggests to many assignments going on in consume
 
-
-    #convinence route to see attributes that are coming through
-    def index
-      @attributes = session[:saml_attributes]
-    end
-
-
-    #consumes the saml response from the IDP
-    def consume
+    def consume # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       permit_key = session[:saml_session_id].to_sym
-      user_cache =  Rails.cache.fetch(permit_key)
-      raise "Unable to access cache. Ensure cache is configrued according to documentation." unless cache_available?(user_cache)
+      user_cache = Rails.cache.fetch(permit_key)
+      unless cache_available?(user_cache)
+        raise 'Unable to access cache. Ensure cache is configured according to documentation.'
+      end
       redirect_path = user_cache[:redirect_url]
-      sp = SamlCamel::ServiceProvider.new(cache_permit_key: permit_key, saml_attributes: session[:saml_attributes])
+      sp = SamlCamel::ServiceProvider.new(
+        cache_permit_key: permit_key, saml_attributes: session[:saml_attributes]
+      )
       ol_response = SamlCamel::ServiceProvider.ol_response(params[:SAMLResponse])
 
-      if sp.validate_idp_response(ol_response,request.remote_ip)
+      if sp.validate_idp_response(ol_response, request.remote_ip)
         # authorize_success, log the user
         session[:saml_response_success] = true
         sp.set_saml_session_lifetime
         session[:sp_session] = Time.now
-
         session[:saml_attributes] = SamlCamel::Transaction.map_attributes(ol_response.attributes)
         SamlCamel::Logging.successful_auth(session[:saml_attributes])
 
         redirect_to redirect_path
       else # otherwise list out the errors in the response
-        if  session[:saml_session_id]
+        if session[:saml_session_id]
           permit_key = session[:saml_session_id].to_sym
           Rails.cache.delete(permit_key)
           session[:saml_session_id] = nil
         end
         session[:sp_session] = nil
         session[:saml_response_success] = false
-        response.errors
+        # response.errors
         SamlCamel::Logging.auth_failure(ol_response.errors)
 
-        redirect_to action: "failure", locals:{errors: ol_response.errors}
+        redirect_to action: 'failure', locals: { errors: ol_response.errors }
       end
-    rescue => e
-      if  session[:saml_session_id]
+    rescue StandardError => e
+      if session[:saml_session_id]
         permit_key = session[:saml_session_id].to_sym
         Rails.cache.delete(permit_key)
       end
@@ -56,35 +57,52 @@ module SamlCamel
       session[:sp_session] = nil
 
       SamlCamel::Logging.auth_failure(e)
-      redirect_to action: "failure", locals:{errors: e}
+      redirect_to action: 'failure', locals: { errors: e }
     end
 
-
-    #route to show saml failures
+    # route to show saml failures
     def failure
       @error = params[:locals][:errors]
     end
 
+    # convinence route to see attributes that are coming through
+    def index
+      @attributes = session[:saml_attributes]
+    end
 
-    #kills SP session and redirects to IDP to kill idp session
+    # kills SP session and redirects to IDP to kill idp session
     def logout
       SamlCamel::Logging.logout(session[:saml_attributes])
       session[:saml_attributes] = nil
       session[:sp_session] = nil
 
-      # return_url = SamlCamel::Transaction.logout #this methods logs the user out of the IDP, and returns a url to be redirected to
-      redirect_to SP_SETTINGS["settings"]["logout_url"]
+      # return_url = SamlCamel::Transaction.logout #this methods logs the user
+      # out of the IDP, and returns a url to be redirected to
+      redirect_to SP_SETTINGS['settings']['logout_url']
     end
 
+    # generate a metadata page that you may need to share with an IDP
+    def metadata
+      settings = SamlCamel::Transaction.saml_settings
+      meta = OneLogin::RubySaml::Metadata.new
+      render xml: meta.generate(settings)
+    end
 
-    def attr_check
+    # meant to force authn and then be redirected to raw response to view raw decrypted response
+    def force_authn
+      saml_request_url = SamlCamel::ServiceProvider.new.generate_saml_request(request, force_authn: true)
+      redirect_to(saml_request_url)
     end
 
+    def raw_response
+      ol_response = SamlCamel::ServiceProvider.ol_response(params[:SAMLResponse], raw_response: true)
+      render xml: ol_response.decrypted_document.to_s if ol_response.is_valid?
+    end
 
     private
+
     def saml_settings
       SamlCamel::Transaction.saml_settings
     end
-
   end
 end

data/app/models/saml_camel/application_record.rb

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
+
 module SamlCamel
   class ApplicationRecord
-
   end
 end

data/app/models/saml_camel/service_provider.rb

@@ -1,121 +1,143 @@
+# frozen_string_literal: true
+
 module SamlCamel
+  # class serves as core buisness logic for SamlCamle SP
   class ServiceProvider
-    attr_reader :cache_permit_key, :user_cache, :saml_attributes
+    attr_reader :cache_permit_key, :saml_attributes
 
-    def initialize(cache_permit_key: nil, user_cache: nil, saml_attributes: nil)
-      @cache_permit_key = cache_permit_key.to_sym
+    def initialize(cache_permit_key: nil, saml_attributes: nil)
+      @cache_permit_key = cache_permit_key.try(:to_sym)
       @saml_attributes = saml_attributes
       @user_cache = Rails.cache.fetch(@cache_permit_key)
     end
 
-
     def self.generate_permit_key
-      secure_random = SecureRandom.base64.chomp.gsub( /\W/, '' )
+      secure_random = SecureRandom.base64.chomp.gsub(/\W/, '')
       "samlCamel#{secure_random}"
     end
 
-    def self.ol_response(idp_response)
-      response          = OneLogin::RubySaml::Response.new(idp_response, :settings => SamlCamel::Transaction.saml_settings)
-      response.settings = SamlCamel::Transaction.saml_settings
+    def self.mock_saml_cache(permit_key: nil, ip_address: nil)
+      lifetime = SP_SETTINGS['settings']['sp_session_lifetime']
+      Rails.cache.fetch(@cache_permit_key, expires_in: lifetime.hours) do
+        { ip_address: host_request.remote_ip }
+      end
+    end
+
+    # ol OneLogin
+    def self.ol_response(idp_response, raw_response: false)
+      settings = SamlCamel::Transaction.saml_settings(raw_response: raw_response)
+      response          = OneLogin::RubySaml::Response.new(idp_response, settings: settings)
+      response.settings = settings
 
       response
     end
 
-  
-    def check_expired_session(sp_session)
-      # cache_available?(user_cache) TODO come back to this
-      sp_timeout = SP_SETTINGS["settings"]["sp_session_timeout"]
-      sp_lifetime = SP_SETTINGS['settings']["sp_session_lifetime"]
+    # TODO: method too complex
+    def check_expired_session(sp_session) # rubocop:disable Metrics/MethodLength, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/LineLength
+      sp_timeout = SP_SETTINGS['settings']['sp_session_timeout']
+      sp_lifetime = SP_SETTINGS['settings']['sp_session_lifetime']
 
       set_saml_session_lifetime if @user_cache[:session_start_time].nil?
       sp_session_init_time = @user_cache[:session_start_time]
 
-
+      SamlCamel::Logging.debug('Checking if session expired') if SP_DEBUG
       ######## set session[:sp_session] maybe a seperate method
       if sp_session
-
-        #if the session has timed out remove session, otherwise refresh
-        if (Time.now - Time.parse(sp_session)) < sp_timeout.hour
-          return Time.now
-        else
+        # if the session has exceeded the allowed lifetime, remove session
+        if (Time.now - sp_session_init_time) > sp_lifetime.hour
           SamlCamel::Logging.expired_session(@saml_attributes)
           return nil
         end
 
-        #if the session has exceeded the allowed lifetime, remove session
-        if (Time.now - sp_session_init_time) > sp_lifetime.hour
+        # if the session has timed out remove session, otherwise refresh
+        if (Time.now - Time.parse(sp_session)) < sp_timeout.hour
+          SamlCamel::Logging.debug('Session within timeout, session renewed') if SP_DEBUG
+          Time.now
+        else
           SamlCamel::Logging.expired_session(@saml_attributes)
-          return  nil
+          return nil
         end
-      else #if no sp session return nil
+      else # if no sp session return nil
+        SamlCamel::Logging.debug('No session found when checking expiration') if SP_DEBUG
         return nil
       end
     end
 
+    # TODO: method too complex
+    def duplicate_response_id?(response_id, count: 3) # rubocop:disable Metrics/MethodLength, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/LineLength
+      SamlCamel::Logging.debug('Checking uniqueness of response id') if SP_DEBUG
 
-    def duplicate_response_id?(response_id, count: 3)
-      #use semaphore to only allow 1 thread at a time to access
+      # use semaphore to only allow 1 thread at a time to access
       @semaphore ||= Mutex.new
-      @semaphore.synchronize {
-        ids = Rails.cache.fetch("saml_camel_response_ids")
+      @semaphore.synchronize { #  rubocop:disable Style/BlockDelimiters
+        ids = Rails.cache.fetch('saml_camel_response_ids')
         if ids
           if ids.include?(response_id)
-            session[:sp_session] = nil
-            raise "SAML response ID already issued."
+            SamlCamel::Logging.debug('Response id has already been used') if SP_DEBUG
+            raise 'SAML response ID already issued.'
           else
+            SamlCamel::Logging.debug("Unique Response ID #{response_id}") if SP_DEBUG
             ids << response_id
-            Rails.cache.fetch("saml_camel_response_ids", expires_in: 1.hours) do
+            Rails.cache.fetch('saml_camel_response_ids', expires_in: 1.hours) do
               ids
             end
           end
         else
-          Rails.cache.fetch("saml_camel_response_ids", expires_in: 1.hours) do
+          SamlCamel::Logging.debug("Unique Response ID #{response_id}") if SP_DEBUG
+          Rails.cache.fetch('saml_camel_response_ids', expires_in: 1.hours) do
             [response_id]
           end
         end
       }
     rescue ThreadError
-       puts "locked "* 50
-      if count > 0
+      puts 'locked ' * 50
+      # SamlCamel::Logging.debug('Response ID check locked, trying again') if SP_DEBUG
+      if count.positive? # rubocop:disable Style/GuardClause
         sleep(0.1)
         duplicate_response_id?(response_id, count: count - 1)
-      else raise "Resposne ID Validation Error"
+      else raise 'Resposne ID Validation Error'
       end
     end
 
-
-
-    #generates a saml requests and establishes a cache for the user
-    def generate_saml_request(host_request)
+    # generates a saml requests and establishes a cache for the user
+    def generate_saml_request(host_request, force_authn: false)
+      SamlCamel::Logging.debug("Creating request for #{host_request.remote_ip}") if SP_DEBUG
       request = OneLogin::RubySaml::Authrequest.new
-      lifetime =  SamlCamel::SP_SETTINGS['settings']["sp_session_lifetime"]
+      lifetime = SP_SETTINGS['settings']['sp_session_lifetime']
 
-      #store ip address and original url request in memory to be used for verification and redirect after response
+      # store ip address and original url request in memory to be used for
+      # verification and redirect after response
       Rails.cache.fetch(@cache_permit_key, expires_in: lifetime.hours) do
-        {ip_address: host_request.remote_ip,  redirect_url:  host_request.url }
+        { ip_address: host_request.remote_ip, redirect_url: host_request.url }
       end
-      request.create(SamlCamel::Transaction.saml_settings)
+      request.create(SamlCamel::Transaction.saml_settings(raw_response: force_authn))
     end
 
-    #set saml_session lifetime, called if none set
+
+    # set saml_session lifetime, called if none set
+    # TODO: this may need to be renamed, it's not really setting the lifetime
+    # it's refreshing the last time a user authenticated
     def set_saml_session_lifetime
       user_saml_cache = Rails.cache.fetch(@cache_permit_key)
       user_saml_cache[:session_start_time] = Time.now
-      sp_lifetime = SP_SETTINGS['settings']["sp_session_lifetime"]
+      sp_lifetime = SP_SETTINGS['settings']['sp_session_lifetime']
+
+      SamlCamel::Logging.debug("Setting lifetime of session. Lifetime of #{sp_lifetime} hours") if SP_DEBUG
       Rails.cache.fetch(@cache_permit_key, expires_in: sp_lifetime.hours) do
-        user_saml_cache #not sure if this can use @user_cache
+        user_saml_cache
       end
     end
 
-    #NOTE these methods will raise errors if not a valid response_id
-     # which in turn will trigger a resuce that kills the sp session
-    def validate_idp_response(response,remote_ip)
+    # NOTE these methods will raise errors if not a valid response_id
+    # which in turn will trigger a resuce that kills the sp session
+    def validate_idp_response(response, remote_ip)
+      SamlCamel::Logging.debug('Validating IDP response') if SP_DEBUG
       if response.is_valid?
-        #validate not sha1
+        # validate not sha1
         verify_sha_type(response)
 
-        #validate IP address
-        raise "IP mismatch error" unless validate_ip(remote_ip)
+        # validate IP address
+        raise 'IP mismatch error' unless validate_ip(remote_ip)
 
         response_id = response.id(response.document)
         duplicate_response_id?(response_id)
@@ -126,36 +148,42 @@ module SamlCamel
       end
     end
 
-    #validate that ip address has not changed
+    # validate that ip address has not changed
     def validate_ip(remote_ip)
-      # cache_available?(saml_cache) TODO come back to this
+      if SP_DEBUG
+        SamlCamel::Logging.debug(
+          "Validating IP consistancy. IP @ request = #{@user_cache[:ip_address]}
+ | current IP = #{remote_ip}"
+        )
+      end
+
       return true if remote_ip == @user_cache[:ip_address]
-      SamlCamel::Logging.bad_ip(@saml_attributes, @user_cache[:ip_address], remote_ip)
-      return nil
+      SamlCamel::Logging.bad_ip(@saml_attributes,
+                                @user_cache[:ip_address],
+                                remote_ip)
+      nil
     end
 
-    #validates a the sp timestamps and ip. returns a new timestamp if everything is good
-    # otherwise returns nil
-    def validate_sp_session(sp_session,remote_ip)
+    # validates a the sp timestamps and ip. returns a new timestamp if
+    # everything is good otherwise returns nil
+
+    def validate_sp_session(sp_session, remote_ip)
       new_session = check_expired_session(sp_session)
-      if new_session
-        has_valid_ip = validate_ip(remote_ip)
-      else
-        return nil
-      end
-      return new_session if has_valid_ip
+      valid_ip = validate_ip(remote_ip) if new_session
+      return new_session if new_session && valid_ip
     end
 
-
     def verify_sha_type(response)
-      #was suggested to use an xml parser, however was having great difficulyt with nokogiri
-      #open to trying a different parser or advice on nokogiri as it's not reacting as I would typically expect it to
+      SamlCamel::Logging.debug('Verify response is not SHA1') if SP_DEBUG
+
+      # was suggested to use an xml parser, however was having great difficulyt
+      # with nokogiri open to trying a different parser or advice on nokogiri as
+      # it's not reacting as I would typically expect it to
       raw_xml_string = response.decrypted_document.to_s
-      attr_scan = raw_xml_string.scan(/<ds:SignatureMethod.*\/>/)
-      is_sha1 = attr_scan[0].match("sha1")
+      attr_scan = raw_xml_string.scan(%r{<ds:SignatureMethod.*\/>})
+      is_sha1 = attr_scan[0].match('sha1')
 
-      raise "SHA1 algorithm not supported " if is_sha1
+      raise 'SHA1 algorithm not supported' if is_sha1
     end
-
   end
 end

data/app/models/saml_camel/shib.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 module SamlCamel
+  # handle shib attributes
   class Shib
-
-    ATTRIBUTE_MAP = JSON.parse(File.read("config/saml/shibboleth.json"))
+    ATTRIBUTE_MAP = JSON.parse(File.read('config/saml/shibboleth.json'))
 
     def self.attributes(request)
       attrs = {}
@@ -11,16 +13,9 @@ module SamlCamel
       attrs
     end
 
-    def self.create_identity(values_hash)
-      identity = {}
-      values_hash.each {|k,v| identity[k] = v}
-      identity
+    # sets shib headers directly
+    def self.set_headers(request: nil, identity: nil)
+      identity.each { |k, v| request.env[k] = v }
     end
-
-    #sets shib headers directly
-    def self.set_headers(request: nil,identity: nil)
-      identity.each {|k,v| request.env[k] = v }
-    end
-
   end
 end

data/config/routes.rb

@@ -1,9 +1,15 @@
+settings = JSON.parse(File.read("config/saml/#{Rails.env}/settings.json"))
+# NOTE there are two saml dirs, 1 in config and 1 in dummy. They need to be in
+# both places so users can run their tests, but the gem can develop with it's
+# own tests as well
+
 SamlCamel::Engine.routes.draw do
   get "/" => "saml#index"
   get "/attributes" => 'saml#attr_check'
   get "/failure" => 'saml#failure'
+  get "/metadata" => 'saml#metadata'
+  get "/testAuthn" => 'saml#force_authn' if settings.dig('settings', 'test_auth_path')
   post "/consumeSaml" => "saml#consume"
+  post "/consumeSaml/rawResponse" => "saml#raw_response"
   post "/logout" => "saml#logout"
 end
-#TODO check ip_address stored by the IDP
-#TODO chceck ip address on every check ra

data/config/saml/development/idp_certificate.crt

@@ -0,0 +1,25 @@
+MIIEWjCCA0KgAwIBAgIJAP1rB/FjRgy6MA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
+BAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEPMA0GA1UEBxMGRHVyaGFt
+MRgwFgYDVQQKEw9EdWtlIFVuaXZlcnNpdHkxDDAKBgNVBAsTA09JVDEaMBgGA1UE
+AxMRc2hpYi5vaXQuZHVrZS5lZHUwHhcNMTAwOTA5MTI0NDU1WhcNMjgwOTA0MTI0
+NDU1WjB7MQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xpbmExDzAN
+BgNVBAcTBkR1cmhhbTEYMBYGA1UEChMPRHVrZSBVbml2ZXJzaXR5MQwwCgYDVQQL
+EwNPSVQxGjAYBgNVBAMTEXNoaWIub2l0LmR1a2UuZWR1MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAt+hnl6gSRi0Y8VuNl6PCPYejj7VfVs/y8bRa5zAY
+RHwb75+vBSs2j1yeUcSore9Ba5Ni7v947V34afRMGRPOqr4TEDZxU+1Bg0zAvSrR
+n4Y8B+zyJuhtOpmOZzTwE9o/Oc+CB4kYV/K0woKZdcoxHJm8TbqBqdxU4fFYUlNU
+o4Dr5jRdCSr9MHBOqGWXtQMg16qYNB7StNk4twY29FNnpZwkVTfsE76uVsRMkG8i
+6/RiHpXZ/ioOOqndptbEGdsOIE3ivAJOZdvYwnDe5NnTH06P01HsxH3OOnYqhuG2
+J6qdhqoelGeHRG+jfl8YkYXCcKQvja2tJ5G+6iqSN7DP6QIDAQABo4HgMIHdMB0G
+A1UdDgQWBBQHYXwB6otkfyMOmUI59j8823hFRDCBrQYDVR0jBIGlMIGigBQHYXwB
+6otkfyMOmUI59j8823hFRKF/pH0wezELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5v
+cnRoIENhcm9saW5hMQ8wDQYDVQQHEwZEdXJoYW0xGDAWBgNVBAoTD0R1a2UgVW5p
+dmVyc2l0eTEMMAoGA1UECxMDT0lUMRowGAYDVQQDExFzaGliLm9pdC5kdWtlLmVk
+dYIJAP1rB/FjRgy6MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAG7q
+wJpiSLJbx2gj/cGDYeuBW/CeRGNghjQ/mb076P3WXsRNPAimcXulSUbQkS6eDH4t
+Ifvsa0jf4FRsEOwH/x8354/0wyv4RwuavX25kjpmoFn3O+eKokyzsc7/Q2gsm0mv
+V8XQo+5b+4we8AFYlAVp26nLeIqAiJM8xZJ9yHuzVL1O4yxIWIKECWHLqY5+1nas
+XNiLURrHhsK5pZUPLuhzJFgZuJT62TtnrjJXlrRhJ389VSkh6R64C6ncjNkg6/Cu
+tA6SX0infqNRyPRNJK+bnQd1yOP4++tjD/lAPE+5tiD/waI3fArt43ZE/qp7pYMS
+9TEfyQ5QpfRYAUFWXBc=
+  

data/config/saml/development/saml_certificate.crt

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuTCCA6GgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMCVVMx
+FzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMQ8wDQYDVQQHDAZEdXJoYW0xGDAWBgNV
+BAoMD0R1a2UgVW5pdmVyc2l0eTEMMAoGA1UECwwDT0lUMR0wGwYDVQQDDBRzYW1s
+IGNhbWVsIGR1bW15IGFwcDEdMBsGCSqGSIb3DQEJARYOZGExMjlAZHVrZS5lZHUw
+HhcNMTgwNTIyMTcxMDMwWhcNMTkwNTIyMTcxMDMwWjCBnTELMAkGA1UEBhMCVVMx
+FzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMQ8wDQYDVQQHDAZEdXJoYW0xGDAWBgNV
+BAoMD0R1a2UgVW5pdmVyc2l0eTEMMAoGA1UECwwDT0lUMR0wGwYDVQQDDBRzYW1s
+IGNhbWVsIGR1bW15IGFwcDEdMBsGCSqGSIb3DQEJARYOZGExMjlAZHVrZS5lZHUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+OHs74gT5AmdSsLgHETvX
+50+S0NgWp5dcovfuMYFV+1CFX1MhgjhBQSwkA9U/0pfKf/eoU18O2gI2y46OK8j2
+e5oyUuKv1UQWe2RHKvxvNrwvvUVcLY4mJDZf0d4q6EyTVo2aWHwoskxnQpjbusgp
+Vq178Jfaeu/QaiBtq82vPlu0tfCeOXIyEdyRiOyc2bQvS5MW6FvzWtgatiNUnJJe
+sBM/JUiFOvf3qG7LHEzpaIBmoHBwxG5b3yjrGgGTdw+5gyXdPEwEeiTddMvYlXWM
+t+VMoTmsaBxrXRJBvpLxGWHZRb0VcoVTqWjcKVD/hR0A7H6ogaoOatHDWM41b3ZL
+AgMBAAGjggEAMIH9MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGh/Y36w7wcL
+nLXFC0dUpboAAV+ZMIHKBgNVHSMEgcIwgb+AFGh/Y36w7wcLnLXFC0dUpboAAV+Z
+oYGjpIGgMIGdMQswCQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmEx
+DzANBgNVBAcMBkR1cmhhbTEYMBYGA1UECgwPRHVrZSBVbml2ZXJzaXR5MQwwCgYD
+VQQLDANPSVQxHTAbBgNVBAMMFHNhbWwgY2FtZWwgZHVtbXkgYXBwMR0wGwYJKoZI
+hvcNAQkBFg5kYTEyOUBkdWtlLmVkdYIBADANBgkqhkiG9w0BAQsFAAOCAQEAFE/X
+DPipapLFDnu2jCMR4lhDeEF2Pm1DIibiy6ZvmzCstj++MYOI7gKkUgeUUhFTEQIV
+fZIo5gIWkyoPVOwGALLTme01Tdk3Mul4pV0iqMn4k3F9NsC9wRy4WR2yPF9GYa/e
+ktK+ZBYt/2SZA4vS5q63jsMC0TjkrTGJokXohwScWDc4kIFfvU6biWW7zBCVfpaa
+YfsLYNBTbZ7VqEVFzcpYv8LBTOYoToAS5+yuAwrIdPEfqx3R4tIwGCik4tSByQFO
+i/VvEL5rTWhmUrKPh1hriPVYZ9gW2Mk87Snlyswsqv5d8+ITVgF+RL+cutUA29C+
+moSLPLaWINlhqvuRXw==
+-----END CERTIFICATE-----

data/config/saml/development/saml_key.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAvjh7O+IE+QJnUrC4BxE71+dPktDYFqeXXKL37jGBVftQhV9T
+IYI4QUEsJAPVP9KXyn/3qFNfDtoCNsuOjivI9nuaMlLir9VEFntkRyr8bza8L71F
+XC2OJiQ2X9HeKuhMk1aNmlh8KLJMZ0KY27rIKVate/CX2nrv0GogbavNrz5btLXw
+njlyMhHckYjsnNm0L0uTFuhb81rYGrYjVJySXrATPyVIhTr396huyxxM6WiAZqBw
+cMRuW98o6xoBk3cPuYMl3TxMBHok3XTL2JV1jLflTKE5rGgca10SQb6S8Rlh2UW9
+FXKFU6lo3ClQ/4UdAOx+qIGqDmrRw1jONW92SwIDAQABAoIBAHZpuKU9fPT5/xHl
+upmDq+oqL0nowivQJhRfytE3dhjtOmHcRma8poJQrMa6sBxr31wKr0PUqn8XTXuI
+2fQ843w003dyS3VD4H/STklTRBODUkCxpSTNowixUDvz7EZvl4O8xKeJX7kBzTgW
+qAtYydOaBqL50b4K+5CVEBzVb1Qf/DKhCbBeYvnwAcUVT+t5lDGUh+54pLTHmeGZ
+2as+1MeBWLMR/ynMDziVVR3XIM02+pHPEwiI9ZTazUAKRJnskb5gBpHqtGiZSijC
+zQq+GSnnBPvvc0gtjqf+KF/6NLy/zDGmpF1e+blCnnLPUQGPTkClq59EHdn8jedO
+YyRrWmkCgYEA9VqRMziTAi79yP2rLqE7cMKPDtrOilHK8fDk5N2xxzEsVoKUsotq
+x384sfmrA3oVSNQsPi/DF16eH1cLaQL86rTaUKl4DqO6rLBPhQVjrmuwdWgnKKGn
+9XMEp8lBC7KwAnaQKP7c83WarU/FbF08BbPkHob1wuAyMrD7wRv2XDcCgYEAxnl8
+SuHwIooIyiW2/oDjoqCrdtgOLXzdOK2OSDcY+jARVkOA8N0ingPOb18RLOTmjGk5
+KZDHa8xZzdd0Bt7xz3WV2FipYxnkkY7sJosJpMrY8k/QUip9i2D04uLypwVBfT7P
+q3GOgOrP+nvRya8HLHKm0rf7+sU2mGIsSrVYtI0CgYBzQUIoL5FPW0e4XQFG/FJx
+29NcBQk1DMsq8CB2KnZSvhS35st3O+rDIE4/vKrLDVRmS9UkuUcJ+VaKHler0s2A
+a8iKT7GoHt2YNZKFSEzVKJ1R6cVLXvUJZihvsSivGBd6cLuzplWgwEQS2gBBsWJ6
+w1CLzpYwHyU1jtIUmtAV7QKBgCtC3bnAx8PvjHzrfZi55WRUWyt7apO1rM6m3eWV
+xOb7xTulWRynRt1kfQG/mhHMDwi6AtCxkxZHI6f/d3Xr8I9E1RWkNb+5LB4iJg08
+ryxxXppqlUDjrBvOVXKC/1syhRTUtRVsmiA1joHNrWulsA2bLAuwOMdvZzgN5hOe
+tagdAoGAP7kdbprmkT/7xX8puX6WD4MXQ+dgyb3FvpCIfQT8x0t/ndMI2wMc4keg
+woD2L56tjtVyFH8LQz1sU7LroSc8XF2joZOdQePrnyTVUISoMiTqaXMPIO6l6pez
+x7g1PP3ey5LOoX7LG5ule/6qNMtRhVOFok0vA9ZuuIIkkmYSo1c=
+-----END RSA PRIVATE KEY-----