SAML test skeleton

9 years ago · 46e7e36070
parent ea1b78b1e7
commit 46e7e36070
4 changed files with 445 additions and 10 deletions
--- a/lemonldap-ng-handler/MANIFEST
+++ b/lemonldap-ng-handler/MANIFEST
@ -10,6 +10,7 @@ lib/Lemonldap/NG/Handler/API/CGI.pm
 lib/Lemonldap/NG/Handler/API/ExperimentalNginx.pm
 lib/Lemonldap/NG/Handler/AuthBasic.pm
 lib/Lemonldap/NG/Handler/CGI.pm
+lib/Lemonldap/NG/Handler/Lib/AuthBasic.pm
 lib/Lemonldap/NG/Handler/Main.pm
 lib/Lemonldap/NG/Handler/Main/Init.pm
 lib/Lemonldap/NG/Handler/Main/Jail.pm
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@ -353,6 +353,7 @@ t/26-AuthRemote.t
 t/27-AuthProxy.t
 t/28-AuthChoice.t
 t/29-AuthSSL.t
+t/30-Auth-and-issuer-SAML.t
 t/40-Notifications-DBI.t
 t/50-IssuerGet.t
 t/90-translations.t
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
@ -34,14 +34,6 @@ BEGIN {
    }
    else {
        eval "use constant GLIB => 1";
-        Glib::Log->set_handler(
-            "Lasso",
-            [qw/ error critical warning message info debug /],
-            sub {
-                $_[0]
-                  ->lmLog( $_[0] . " error " . $_[1] . ": " . $_[2], 'debug' );
-            }
-        );
    }

    # Load Lasso.pm
@ -99,6 +91,16 @@ sub init {
    else {
        $self->lmLog( 'Lasso thin-sessions flag set', 'debug' );
    }
+    if (GLIB) {
+        Glib::Log->set_handler(
+            "Lasso",
+            [qw/ error critical warning message info debug /],
+            sub {
+                $self->lmLog( $_[0] . " error " . $_[1] . ": " . $_[2],
+                    'debug' );
+            }
+        );
+    }

    # Conf initialization

@ -132,8 +134,7 @@ sub loadService {
    # Create Lasso server with service metadata
    my $server = $self->createServer(
        $service_metadata->serviceToXML(
-            $self->getApacheHtdocsPath() . "/skins/common/saml2-metadata.tpl",
-            $self
+            $self->conf->{templateDir} . "/common/saml2-metadata.tpl", $self->conf
        ),
        $self->conf->{samlServicePrivateKeySig},
        $self->conf->{samlServicePrivateKeySigPwd},
--- a/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML.t
+++ b/lemonldap-ng-portal/t/30-Auth-and-issuer-SAML.t
@ -0,0 +1,432 @@
+use Test::More;
+use strict;
+
+require 't/test-lib.pm';
+
+my $tests = 0;
+my $debug = 'error';
+my $res;
+
+SKIP: {
+    eval "use Lasso";
+    if ($@) {
+        skip 'Lasso not found', $tests;
+    }
+    my $issuer = issuer();
+
+    #my $sp     = sp();
+}
+
+count($tests);
+done_testing( count() );
+
+sub issuer {
+    return LLNG::Manager::Test->new(
+        {
+            ini => {
+                samlAttributeAuthorityDescriptorAttributeServiceSOAP => '',
+                logLevel                                             => $debug,
+                domain                 => 'idp.com',
+                portal                 => 'auth.idp.com',
+                authentication         => 'Demo',
+                userDB                 => 'Demo',
+                issuerDBSAMLActivation => "1",
+                samlAttributeAuthorityDescriptorAttributeServiceSOAP =>
+'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
+                samlAuthnContextMapKerberos                   => 4,
+                samlAuthnContextMapPassword                   => 2,
+                samlAuthnContextMapPasswordProtectedTransport => 3,
+                samlAuthnContextMapTLSClient                  => 5,
+                samlCommonDomainCookieActivation              => 0,
+                samlEntityID                      => '#PORTAL#/saml/metadata',
+                samlIDPMetaDataExportedAttributes => {},
+                samlIDPMetaDataOptionsAdaptSessionUtime        => 0,
+                samlIDPMetaDataOptionsAllowLoginFromIDP        => 0,
+                samlIDPMetaDataOptionsAllowProxiedAuthn        => 0,
+                samlIDPMetaDataOptionsCheckAudience            => 1,
+                samlIDPMetaDataOptionsCheckSLOMessageSignature => 1,
+                samlIDPMetaDataOptionsCheckSSOMessageSignature => 1,
+                samlIDPMetaDataOptionsCheckTime                => 1,
+                samlIDPMetaDataOptionsEncryptionMode           => 'none',
+                samlIDPMetaDataOptionsForceAuthn               => 0,
+                samlIDPMetaDataOptionsForceUTF8                => 0,
+                samlIDPMetaDataOptionsIsPassive                => 0,
+                samlIDPMetaDataOptionsNameIDFormat             => '',
+                samlIDPMetaDataOptionsRelayStateURL            => 0,
+                samlIDPMetaDataOptionsRequestedAuthnContext    => '',
+                samlIDPMetaDataOptionsResolutionRule           => '',
+                samlIDPMetaDataOptionsSignSLOMessage           => -1,
+                samlIDPMetaDataOptionsSignSSOMessage           => -1,
+                samlIDPMetaDataOptionsSLOBinding               => '',
+                samlIDPMetaDataOptionsSSOBinding               => '',
+                samlIDPMetaDataOptionsStoreSAMLToken           => 0,
+                samlIdPResolveCookie => 'lemonldapidp',
+                samlIDPSSODescriptorArtifactResolutionServiceArtifact =>
+'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
+                samlIDPSSODescriptorSingleLogoutServiceHTTPPost =>
+'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
+                samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect =>
+'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
+                samlIDPSSODescriptorSingleLogoutServiceSOAP =>
+'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;',
+                samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact =>
+'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;',
+                samlIDPSSODescriptorSingleSignOnServiceHTTPPost =>
+'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
+                samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect =>
+'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;',
+                samlIDPSSODescriptorSingleSignOnServiceSOAP =>
+'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;',
+                samlIDPSSODescriptorWantAuthnRequestsSigned => 1,
+                samlMetadataForceUTF8                       => 1,
+                samlNameIDFormatMapEmail                    => 'mail',
+                samlNameIDFormatMapKerberos                 => 'uid',
+                samlNameIDFormatMapWindows                  => 'uid',
+                samlNameIDFormatMapX509                     => 'mail',
+                samlRelayStateTimeout                       => 600,
+                samlServiceUseCertificateInResponse         => 0,
+                samlSPMetaDataExportedAttributes            => {},
+                samlSPMetaDataOptions                       => {
+                    'sp.com' => {
+                        samlSPMetaDataOptionsEncryptionMode => 'none',
+                    }
+                },
+                samlSPMetaDataOptionsCheckSLOMessageSignature   => 1,
+                samlSPMetaDataOptionsCheckSSOMessageSignature   => 1,
+                samlSPMetaDataOptionsEnableIDPInitiatedURL      => 0,
+                samlSPMetaDataOptionsEncryptionMode             => 'none',
+                samlSPMetaDataOptionsForceUTF8                  => 1,
+                samlSPMetaDataOptionsNameIDFormat               => '',
+                samlSPMetaDataOptionsNotOnOrAfterTimeout        => 72000,
+                samlSPMetaDataOptionsOneTimeUse                 => 0,
+                samlSPMetaDataOptionsSessionNotOnOrAfterTimeout => 72000,
+                samlSPMetaDataOptionsSignSLOMessage             => -1,
+                samlSPMetaDataOptionsSignSSOMessage             => -1,
+                samlSPSSODescriptorArtifactResolutionServiceArtifact =>
+'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
+                samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact =>
+'1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
+                samlSPSSODescriptorAssertionConsumerServiceHTTPPost =>
+'0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
+                samlSPSSODescriptorAuthnRequestsSigned => 1,
+                samlSPSSODescriptorSingleLogoutServiceHTTPPost =>
+'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
+                samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>
+'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
+                samlSPSSODescriptorSingleLogoutServiceSOAP =>
+'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;',
+                samlSPSSODescriptorWantAssertionsSigned => 1,
+                samlUseQueryStringSpecific              => 0,
+
+                samlOrganizationDisplayName => "IDP",
+                samlOrganizationName        => "IDP",
+                samlOrganizationURL         => "https://www.idp.com/",
+                samlServicePrivateKeyEnc    => "-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAnfKBDG/K0TnGT7Xu8q1N45sNWvIK91SqNg8nvN2uVeKoHADT
+csus5Xn3id5+8Q9TuMFsW9kIEeXiaPKXQa9ryfSNDhWDWloNkpGEeWif2BnHUu46
+Abu1UBWb0mH6VwcG1PR4qHruLis1odjQ1qnVDNfSEASVIppEBYjDX203ypmURIzU
+6h53GRRRlf1BLWkbVn9ysmDeR57Xw5Rsx/+tBlcnMrkv/40DSUkehQIl2JmlFrl2
+Caik+gU4pd20apA/pNLjBZF0OmGoS08AIR5NMd0KFa6CwZUUSHJqH5GFy5Y2yl4l
+g8K0klAS9q7L7aXI+eFQZhkwidjpxXnHPyxIGQIDAQABAoIBAHnfqjX3eO8SfnP5
+NURp90Td2mNHirCn0qLd9NKl1ySMPR1GgeH9SQ7Umu32EcteAUL5dOw2PiTZVmeW
+cKINgsWVftXUQcOQ4xIqWKb51QUBdy0FhxrZRSFjWxXt5iYK1PmzHfsax/g1/S9C
+RnqtFyjOy1bywkSt9jiy+9YBR2B7BDhLHlILbijWn5zaecaV4YA+L1UK4M/mehdb
+0FVPavbGpnlqBRTY+7YXfZ/mRPCfn5DvO9lW1O0pJMmNdBh9kmm3DxHf6AkK47a
+43gO/dRWiWo2rZ/+Jw7uyqOb23U0MydP7kia0p3tzCUBPsrlgnichYG5RNFp0wqy
+3VT1TYECgYEA0Y9vENy1jJd+s7WbGrsRtSKxfZgtJr0yjSlQVYrIlwbZSGn+ndxq
+V2vVlwIgLX3pz6T40BMfk6SNx08jjy0Sgn6OAM0ILrinno8yWcSAMCmfCU0S/3O1
+55bqtcnk4XTHBHzJ5OrnrPaW5ourvJz0lcWEKMg3BXxLzaF6ZRy85nECgYEAwPMD
+LNAKLCDrUMyYFOpPyPLe7wvszcFvPipGgerSgFP1c6N7xaMUdHDYqBfuis1khPGF
+YcMHeNBYmzX6yEGbp3lrB4PHpUySmTU3mv3u9I05aahInK21gXum3uRkCWyyIF6V
+T/qeszl9mVOCp0CC4eG3IMVpaD0UKDEHVhERYCkCgYAjuTPRyA4a3Wh38ilysRkf
+q75eDqcDx5Tqg3RyYKo5NK2troP9HSnzpSpQB8i8eI53G0RfFCN5479XjqIdMi3J
+mRFUCZ+vd0L7wKVwsBK6Ix49U6o9adhElnGEc9pUpLeYiD1SjMjZr1+iBYVNLeRz
+86vH1/mpMbsqXrCis/dvwQKBgGttomHr/w3s0jftget7PirrFrbP0+wHfDGHhjRF
+kyhCFtJovrwefYALaIXGtVjw3LusYZA570oT7pGUb2naJZkMYEwR0jG1vZWx7KDO
+K6JbkxDB0pPxn7JVL2bAkPYyX8boAohCSOQO6WBZ/8+xem3bp4OGhpa0EyoBik0g
+OaVpAoGATj4SyYsE10hGT676iie8zy3fi5IPC3E+x4QlVuusaLtuY8LJA50stjtx
+gUa/JAKlZZL+gvzvOviQIxyfIChXOdTt5uiOYkdHJDbAF3NSrji7hrXq4v8UZv75
+8hBrwJZIpy6y01dRlrriHmPRtEq1pk7JX2uUg0sP5g4BEcsaCbc=
+-----END RSA PRIVATE KEY-----
+",
+                samlServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAtR/wgDqWB4Maho5V6TjcL/NbNfjgIh7GcgkrB5RZcVT1GTej
+JlMjUQdgBKBuZXQN+7/29P6UcGq1kYalURq6S8SpeJ1ofp5rBEoD/TIkvU0JOcid
+65wp+fdzXGXsfiZvHraU74jSCgjP/wqfVGRyBIQzB0SIxSpnrsigqNsE1E94toDM
+x4wovjHu/9ABAImREV7Sz83OeFF00/sghrjTEJOD/gHf04JCn9MgNOqvSTysr9LX
+Wg/oUKQDEYeTq9ux6pq/oqv1MxwONbSZPtN5yD41mi+hT8Rh+W8Je8rsiML4VMxz
+sb1l9303asw6suo5bLTISKNSbu1nt1NkpNxzywIDAQABAoIBAQCQkbvPPfP+bwC/
+IeEk1IO7qkzFWa7czR+safD0jc6OjTdNN4F716Q6yt4zEzLKu8VliiW+C23EBQiD
+7asKf4DvdTun0ExVtHDK7aEdeealSlXwz1ZtdypyILbtq1UGo/rR0v4x601rQPl0
+IrBmFf6D6FkqleNtLJmxguXpoVfLdYKNwkxH2ux+GOA9r2o5pUCQmJGDap5YWRuQ
+uB71ewJjVWujaL3e1ac/5cP7/tqWmgAiOaN8sYdD6+oWOR47bHj8JKcMBSl4y2QC
+dL31cGmmf5KqBbtISki3RXfHHjT7E3Z85CbESkKTZlEb1ar3XmepY6Z7V5UO16oz
+fFE5R6khAoGBAOl9Qb+qYVVO5ugE65ORjYVeuXykANhM9ssiY5a6zuAakWzw7Zv3
+k6PXm9p7azlEXAlTnTXVwHYMyuuzZDvQ8LRV1iBOdPuIkUAmaQ5K9ASD7VcoHexh
+k8DAKf9Ln7sTRaMdvgceRNczOmJOBIEpTZkssA/jVGXZsoyTWYl1en/ZAoGBAMaW
+RnNbSNprEV2b8UeAJ6i77c4SXwu1I8X2NLtiLScb1ETBjfrdHmdlJglfyd/0gmhH
+p/43Ku2iGUoY5KtuOI6QmahrJYQscRQhoj252VXadG6fNWWAlpgdCm9houhHb5BF
+3zge/bTr0anUe9EA7Z/ymav12rEouoNjIlhI9C5DAoGATR85a2SMt8/TB0owwdJu
+62GpZNkLCmcJkXkvaecUVAOSi2hdI4o4MwMRkK35cbX5rH74y4JqCtQY5pefgP53
+sykzDAK+MyMdzxGg2764MRGegI5Yq+5jDmSquo+xF+q6srEtRk6iMG7UVwosBLmu
+zuxqzySoiOfKSRKWnYe3SakCgYEAwWMkVkAmETXE4oDzFSsS8/mW2l//mPocTTK3
+JWe1CunJ6+8FYbAlZJEW2ngismp8+CoXybNVpbZ+pC7buKoMf6EHUgCNt0pEEFO0
+mCG9KSMk0XlPWXpArP9S4yaUq1itpzSz7QYZES+4rIcU0HLz9RgeWFyCTJWaFErc
+7laVG9sCgYBKOtk5WlIOP4BxSd2y4cYzohgwTZIs1/2kTEn1u4eH73M1xvAlHHFB
+wSF5QXgDKJ8pPAOhNWpdLO/PdtnQn91nOvTNc+ShJZzjdbneUdQVpWpoBf72uA+N
+6rIVf1JBUL2p7HFHaGdUZC7KGQ+yv6ZHrE1+7202nuDvJdvGEEdFsQ==
+-----END RSA PRIVATE KEY-----
+",
+                samlServicePublicKeyEnc => "-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnfKBDG/K0TnGT7Xu8q1N
+45sNWvIK91SqNg8nvN2uVeKoHADTcsus5Xn3id5+8Q9TuMFsW9kIEeXiaPKXQa9r
+yfSNDhWDWloNkpGEeWif2BnHUu46Abu1UBWb0mH6VwcG1PR4qHruLis1odjQ1qnV
+DNfSEASVIppEBYjDX203ypmURIzU6h53GRRRlf1BLWkbVn9ysmDeR57Xw5Rsx/+t
+BlcnMrkv/40DSUkehQIl2JmlFrl2Caik+gU4pd20apA/pNLjBZF0OmGoS08AIR5N
+Md0KFa6CwZUUSHJqH5GFy5Y2yl4lg8K0klAS9q7L7aXI+eFQZhkwidjpxXnHPyxI
+GQIDAQAB
+-----END PUBLIC KEY-----
+",
+                samlServicePublicKeySig => "-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtR/wgDqWB4Maho5V6Tjc
+L/NbNfjgIh7GcgkrB5RZcVT1GTejJlMjUQdgBKBuZXQN+7/29P6UcGq1kYalURq6
+S8SpeJ1ofp5rBEoD/TIkvU0JOcid65wp+fdzXGXsfiZvHraU74jSCgjP/wqfVGRy
+BIQzB0SIxSpnrsigqNsE1E94toDMx4wovjHu/9ABAImREV7Sz83OeFF00/sghrjT
+EJOD/gHf04JCn9MgNOqvSTysr9LXWg/oUKQDEYeTq9ux6pq/oqv1MxwONbSZPtN5
+yD41mi+hT8Rh+W8Je8rsiML4VMxzsb1l9303asw6suo5bLTISKNSbu1nt1NkpNxz
+ywIDAQAB
+-----END PUBLIC KEY-----
+",
+                samlSPMetaDataXML => {
+                    "sp.com" => {
+                        samlSPMetaDataXML => "<?xml version=\"1.0\"?>
+<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\"
+xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"
+xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"
+entityID=\"http://auth.sp.com/saml/metadata\">
+<IDPSSODescriptor
+WantAuthnRequestsSigned=\"true\"
+protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+<KeyDescriptor use=\"signing\">
+<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
+<ds:KeyValue>
+ <RSAKeyValue xmlns=\"http://www.w3.org/2000/09/xmldsig#\">
+  <Modulus>u4iToYAEmWQxgZDihGVzMMql1elPn37domWcvXeU2E4yt2hh5jkQHiFjgodfOlNeRIw5QJVlUBwr
+CQvbaKRFXd7BrOhQIDC0TZPRVB0XHarUtsCuDekN4/2GKSzHsoToKUVPWq9thsuek3xkpsJGZNX
+7bglfEc9+QQpYTqN1rkdN1PVU0epNMokFFGho5pLRqLUV5+I/QXAL49jfTjaSxsp4UndTI8/+mGS
+RSq+nrT2zyQRM/vkj5vR9ZVz67HO/+Wk3Mx6RAwkVcMdgMAqCq8odmbI0yCRZiTL9ybKWRKqWJoK
+J0p5+Q2fPEBPupQZR09Jt/JPuLVSsGfCxi9Nqw==
+</Modulus>
+  <Exponent>AQAB
+</Exponent>
+ </RSAKeyValue>
+</ds:KeyValue>
+</ds:KeyInfo>
+</KeyDescriptor>
+<KeyDescriptor use=\"encryption\">
+<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
+<ds:KeyValue>
+ <RSAKeyValue xmlns=\"http://www.w3.org/2000/09/xmldsig#\">
+  <Modulus>sRaod2RZ8hMFBl+VhsnhyPM8l/Fj1obnBxfQIaWuHFIFfXiGe/CYHuZ5QJQLnZxHMJX6LL3Sh+Us
+og3p0jpijpcg0QgfBSEkfopKTgReYN8DiDIll0rV1XdTni7E85Nd1YyNy3ui/ZD+UShWwqu6jLVL
+R+QUm+/1LIKYb3OCBTvOlY7xHoP6NSU1+Mr+YzGBUacdO2vnNxe/PQhxIeP1zO0njuqGHkwEpy8r
+UWRZbbDn31TmKjqlhgtsz5HPhbRaYEExhyepKgBiNz+RyxtYXVhuG8OrWQDoS5gYHSjdw1CTJyix
+eJwyoqA9RGYguG5nh9zndi3LWAh7Z0lx+tIz+w==
+</Modulus>
+  <Exponent>AQAB
+</Exponent>
+ </RSAKeyValue>
+</ds:KeyValue>
+</ds:KeyInfo>
+</KeyDescriptor>
+<ArtifactResolutionService
+isDefault=\"true\"
+index=\"0\"
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\"
+Location=\"http://auth.sp.com/saml/artifact\" />
+<SingleLogoutService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\"
+Location=\"http://auth.sp.com/saml/singleLogoutSOAP\" />
+<SingleLogoutService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"
+Location=\"http://auth.sp.com/saml/singleLogout\"
+
+      ResponseLocation=\"http://auth.sp.com/saml/singleLogoutReturn\"
+/>
+<SingleLogoutService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"
+Location=\"http://auth.sp.com/saml/singleLogout\"
+
+ResponseLocation=\"http://auth.sp.com/saml/singleLogoutReturn\"
+/>
+<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
+<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
+<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
+<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+<SingleSignOnService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"
+Location=\"http://auth.sp.com/saml/singleSignOn\"
+/>
+<SingleSignOnService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"
+Location=\"http://auth.sp.com/saml/singleSignOn\"
+/>
+<SingleSignOnService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\"
+Location=\"http://auth.sp.com/saml/singleSignOnArtifact\"
+/>
+<SingleSignOnService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\"
+Location=\"http://auth.sp.com/saml/singleSignOnSOAP\" />
+</IDPSSODescriptor>
+
+  <SPSSODescriptor
+AuthnRequestsSigned=\"true\"
+WantAssertionsSigned=\"true\"
+protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+<KeyDescriptor use=\"signing\">
+<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
+<ds:KeyValue>
+ <RSAKeyValue xmlns=\"http://www.w3.org/2000/09/xmldsig#\">
+  <Modulus>u4iToYAEmWQxgZDihGVzMMql1elPn37domWcvXeU2E4yt2hh5jkQHiFjgodfOlNeRIw5QJVlUBwr
+CQvbaKRFXd7BrOhQIDC0TZPRVB0XHarUtsCuDekN4/2GKSzHsoToKUVPWq9thsuek3xkpsJGZNX
+7bglfEc9+QQpYTqN1rkdN1PVU0epNMokFFGho5pLRqLUV5+I/QXAL49jfTjaSxsp4UndTI8/+mGS
+RSq+nrT2zyQRM/vkj5vR9ZVz67HO/+Wk3Mx6RAwkVcMdgMAqCq8odmbI0yCRZiTL9ybKWRKqWJoK
+J0p5+Q2fPEBPupQZR09Jt/JPuLVSsGfCxi9Nqw==
+</Modulus>
+  <Exponent>AQAB
+</Exponent>
+ </RSAKeyValue>
+</ds:KeyValue>
+</ds:KeyInfo>
+</KeyDescriptor>
+<KeyDescriptor use=\"encryption\">
+<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
+<ds:KeyValue>
+ <RSAKeyValue xmlns=\"http://www.w3.org/2000/09/xmldsig#\">
+  <Modulus>sRaod2RZ8hMFBl+VhsnhyPM8l/Fj1obnBxfQIaWuHFIFfXiGe/CYHuZ5QJQLnZxHMJX6LL3Sh+Us
+og3p0jpijpcg0QgfBSEkfopKTgReYN8DiDIll0rV1XdTni7E85Nd1YyNy3ui/ZD+UShWwqu6jLVL
+R+QUm+/1LIKYb3OCBTvOlY7xHoP6NSU1+Mr+YzGBUacdO2vnNxe/PQhxIeP1zO0njuqGHkwEpy8r
+UWRZbbDn31TmKjqlhgtsz5HPhbRaYEExhyepKgBiNz+RyxtYXVhuG8OrWQDoS5gYHSjdw1CTJyix
+eJwyoqA9RGYguG5nh9zndi3LWAh7Z0lx+tIz+w==
+</Modulus>
+  <Exponent>AQAB
+</Exponent>
+ </RSAKeyValue>
+</ds:KeyValue>
+</ds:KeyInfo>
+</KeyDescriptor>
+<ArtifactResolutionService
+isDefault=\"true\"
+index=\"0\"
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\"
+Location=\"http://auth.sp.com/saml/artifact\" />
+<SingleLogoutService
+Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\"
+      Location=\"http://auth.sp.com/saml/proxySingleLogoutSOAP\" />
+    <SingleLogoutService
+      Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"
+      Location=\"http://auth.sp.com/saml/proxySingleLogout\"
+      
+      ResponseLocation=\"http://auth.sp.com/saml/proxySingleLogoutReturn\"
+      />
+    <SingleLogoutService
+      Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"
+      Location=\"http://auth.sp.com/saml/proxySingleLogout\"
+      
+      ResponseLocation=\"http://auth.sp.com/saml/proxySingleLogoutReturn\"
+      />
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <AssertionConsumerService
+      isDefault=\"true\"
+      index=\"0\"
+      Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\"
+      Location=\"http://auth.sp.com/saml/proxySingleSignOnArtifact\" />
+    <AssertionConsumerService
+      isDefault=\"false\"
+      index=\"1\"
+      Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"
+      Location=\"http://auth.sp.com/saml/proxySingleSignOnPost\" />
+  </SPSSODescriptor>
+
+  <AttributeAuthorityDescriptor
+    protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+    <KeyDescriptor use=\"signing\">
+      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
+          <ds:KeyValue>
+ <RSAKeyValue xmlns=\"http://www.w3.org/2000/09/xmldsig#\">
+  <Modulus>u4iToYAEmWQxgZDihGVzMMql1elPn37domWcvXeU2E4yt2hh5jkQHiFjgodfOlNeRIw5QJVlUBwr
+CQvbaKRFXd7BrOhQIDC0TZPRVB0XHarUtsCuDekN4/2GKSzHsoToKUVPWq9thsuek3xkpsJGZNX
+7bglfEc9+QQpYTqN1rkdN1PVU0epNMokFFGho5pLRqLUV5+I/QXAL49jfTjaSxsp4UndTI8/+mGS
+RSq+nrT2zyQRM/vkj5vR9ZVz67HO/+Wk3Mx6RAwkVcMdgMAqCq8odmbI0yCRZiTL9ybKWRKqWJoK
+J0p5+Q2fPEBPupQZR09Jt/JPuLVSsGfCxi9Nqw==
+</Modulus>
+  <Exponent>AQAB
+</Exponent>
+ </RSAKeyValue>
+</ds:KeyValue>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <KeyDescriptor use=\"encryption\">
+      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
+          <ds:KeyValue>
+ <RSAKeyValue xmlns=\"http://www.w3.org/2000/09/xmldsig#\">
+  <Modulus>sRaod2RZ8hMFBl+VhsnhyPM8l/Fj1obnBxfQIaWuHFIFfXiGe/CYHuZ5QJQLnZxHMJX6LL3Sh+Us
+og3p0jpijpcg0QgfBSEkfopKTgReYN8DiDIll0rV1XdTni7E85Nd1YyNy3ui/ZD+UShWwqu6jLVL
+R+QUm+/1LIKYb3OCBTvOlY7xHoP6NSU1+Mr+YzGBUacdO2vnNxe/PQhxIeP1zO0njuqGHkwEpy8r
+UWRZbbDn31TmKjqlhgtsz5HPhbRaYEExhyepKgBiNz+RyxtYXVhuG8OrWQDoS5gYHSjdw1CTJyix
+eJwyoqA9RGYguG5nh9zndi3LWAh7Z0lx+tIz+w==
+</Modulus>
+  <Exponent>AQAB
+</Exponent>
+ </RSAKeyValue>
+</ds:KeyValue>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <AttributeService
+      Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\"
+      Location=\"http://auth.sp.com/saml/AA/SOAP\"/>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+  </AttributeAuthorityDescriptor>
+  
+  <Organization>
+    <OrganizationName xml:lang=\"en\">Example</OrganizationName>
+    <OrganizationDisplayName xml:lang=\"en\">Example</OrganizationDisplayName>
+    <OrganizationURL xml:lang=\"en\">http://www.sp.com</OrganizationURL>
+  </Organization>
+
+</EntityDescriptor>
+"
+                    },
+                },
+                samlStorageOptions => {},
+                userPivot          => "uid",
+            }
+        }
+    );
+}
+
+sub sp {
+    return LLNG::Manager::Test->new(
+        {
+            ini => {
+                logLevel       => $debug,
+                domain         => 'sp.com',
+                authentication => 'SAML',
+                userDB         => 'SAML',
+            }
+        }
+    );
+}