Skip to content
GitLab
Menu
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
LemonLDAP NG
lemonldap-ng
Commits
959a4349
Commit
959a4349
authored
Jul 09, 2021
by
Yadd
Browse files
Merge branch '2328-propagate-logout-through-chaining' into 'v2.0'
test chained SAML login with 2 IDP + logout in SOAP (
#2328
) See merge request
!203
parents
a85e47ec
70af572c
Pipeline
#14636
passed with stage
in 14 minutes and 53 seconds
Changes
2
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
lemonldap-ng-portal/t/37-Logout-from-2-chained-SAML-SP-SOAP.t
0 → 100644
View file @
959a4349
use
lib
'
inc
';
use
Test::
More
;
use
strict
;
use
IO::
String
;
use
LWP::
UserAgent
;
use
LWP::Protocol::
PSGI
;
use
MIME::
Base64
;
# ------------ ----------------------------- ----------------
# | SAML SP | <-> |SAML IDP + SAML SP (proxy) | <-> | SAML IdP |
# ------------ ----------------------------- ----------------
#
# Use case:
# - login from SP up to SAML IdP
# - logout asked from SP, and propagated up to SAML IdP
# logout between all SAML SP and IdP is done with SOAP binding
BEGIN
{
require
'
t/test-lib.pm
';
require
'
t/oidc-lib.pm
';
require
'
t/saml-lib.pm
';
}
my
$maintests
=
13
;
my
$debug
=
'
error
';
my
(
$sp
,
$proxy
,
$idp
,
$res
);
# Overloads method register, for enabling direct POST requests between SP, PROXY and IDP
LWP::Protocol::
PSGI
->
register
(
sub
{
my
$req
=
Plack::
Request
->
new
(
@
_
);
ok
(
$req
->
uri
=~
m#http://auth.((?:sp|proxy|idp)).com(.*)#
,
'
REST request
'
);
my
$host
=
$
1
;
my
$url
=
$
2
;
my
(
$res
,
$client
);
count
(
1
);
if
(
$host
eq
'
sp
'
)
{
pass
("
Request to SP, endpoint
$url
");
$client
=
$sp
;
}
elsif
(
$host
eq
'
proxy
'
)
{
pass
('
Request from PROXY to PROXY
');
$client
=
$proxy
;
}
elsif
(
$host
eq
'
idp
'
)
{
pass
('
Request to IDP
');
$client
=
$idp
;
}
else
{
fail
('
Aborting REST request (external)
');
return
HTTP::
Response
->
new
(
500
);
}
if
(
$req
->
method
=~
/^post$/i
)
{
my
$s
=
$req
->
content
;
ok
(
$res
=
$client
->
_post
(
$url
,
IO::
String
->
new
(
$s
),
length
=>
length
(
$s
),
type
=>
$req
->
header
('
Content-Type
'),
),
'
Execute post request
'
);
}
else
{
ok
(
$res
=
$client
->
_get
(
$url
,
custom
=>
{
HTTP_AUTHORIZATION
=>
$req
->
header
('
Authorization
'),
}
),
'
Execute get request
'
);
}
ok
(
$res
->
[
0
]
==
200
,
'
Response is 200
'
);
ok
(
getHeader
(
$res
,
'
Content-Type
'
)
=~
m#^(application/json|text/xml)#
,
'
Content is JSON|XML
'
)
or
explain
(
$res
->
[
1
],
'
Content-Type => (application/json|text/xml)
'
);
count
(
4
);
return
$res
;
}
);
SKIP:
{
eval
"
use Lasso
";
if
(
$@
)
{
skip
'
Lasso not found
',
$maintests
;
}
# Initialization
$idp
=
register
(
'
idp
',
\
&idp
);
$sp
=
register
(
'
sp
',
\
&sp
);
$proxy
=
register
(
'
proxy
',
\
&proxy
);
# LOGIN PROCESS ############################################################
# Query SP for auth
ok
(
$res
=
$sp
->
_get
(
'
/
',
accept
=>
'
text/html
'
),
'
Unauth SP request
'
);
my
(
$url
,
$query
)
=
expectRedirection
(
$res
,
qr#http://auth.proxy.com(/saml/singleSignOn)\?(.*)$#
);
# Push request to PROXY
switch
('
proxy
');
ok
(
$res
=
$proxy
->
_get
(
$url
,
query
=>
$query
,
accept
=>
'
text/html
'
),
"
Push request to PROXY, endpoint
$url
"
);
my
$pdataproxy
=
expectCookie
(
$res
,
'
lemonldappdata
'
);
my
(
$urlidp
,
$queryidp
)
=
expectRedirection
(
$res
,
qr#http://auth.idp.com(/saml/singleSignOn)\?(.*)$#
);
# Push request to IDP
switch
('
idp
');
# Try to authenticate to IdP
ok
(
$res
=
$idp
->
_get
(
$urlidp
,
query
=>
$queryidp
,
accept
=>
'
text/html
'),
"
SAML Authentication on idp, endpoint
$urlidp
"
);
my
$pdataidp
=
expectCookie
(
$res
,
'
lemonldappdata
'
);
my
(
$host
,
$tmp
);
# expectForm (result, host, uri, @requiredfield)
(
$host
,
$tmp
,
$query
)
=
expectForm
(
$res
,
'
#
',
undef
,
(
'
url
',
'
timezone
',
'
skin
',
'
user
',
'
password
'
)
);
$query
=~
s/user=/user=dwho/
;
$query
=~
s/password=/password=dwho/
;
ok
(
$res
=
$idp
->
_post
(
$urlidp
,
IO::
String
->
new
(
$query
),
accept
=>
'
text/html
',
cookie
=>
"
lemonldappdata=
$pdataidp
",
length
=>
length
(
$query
),
),
"
Post authentication, endpoint
$urlidp
"
);
$pdataidp
=
expectCookie
(
$res
,
'
lemonldappdata
'
);
my
$cookieidp
=
expectCookie
(
$res
,
'
lemonldap
'
);
(
$host
,
$url
,
$query
)
=
expectForm
(
$res
,
'
auth.proxy.com
',
'
/saml/proxySingleSignOnPost
',
'
SAMLResponse
',
'
RelayState
'
);
my
(
$resp
)
=
$query
=~
qr/SAMLResponse=([^&]*)/
;
# Post SAML response to PROXY
switch
('
proxy
');
ok
(
$res
=
$proxy
->
_post
(
$url
,
IO::
String
->
new
(
$query
),
accept
=>
'
text/html
',
length
=>
length
(
$query
),
cookie
=>
"
lemonldappdata=
$pdataproxy
",
),
'
Post SAML response to PROXY
'
);
$pdataproxy
=
expectCookie
(
$res
,
'
lemonldappdata
'
);
my
$cookieproxy
=
expectCookie
(
$res
,
'
lemonldap
'
);
(
$url
,
$query
)
=
expectRedirection
(
$res
,
qr#^http://auth.proxy.com(/saml)\?*(.*)$#
);
ok
(
$res
=
$proxy
->
_get
(
$url
,
query
=>
$query
,
accept
=>
'
text/html
',
cookie
=>
"
lemonldappdata=
$pdataproxy
; lemonldap=
$cookieproxy
"
),
"
internal redirection to PROXY, endpoint
$url
"
);
(
$host
,
$url
,
$query
)
=
expectForm
(
$res
,
'
auth.sp.com
',
'
/saml/proxySingleSignOnPost
',
'
SAMLResponse
'
);
my
(
$resp
)
=
$query
=~
qr/SAMLResponse=([^&]*)/
;
# Post SAML response to PROXY
switch
('
sp
');
ok
(
$res
=
$sp
->
_post
(
$url
,
IO::
String
->
new
(
$query
),
accept
=>
'
text/html
',
length
=>
length
(
$query
),
),
'
Post SAML response to SP
'
);
my
$cookiesp
=
expectCookie
(
$res
,
'
lemonldap
'
);
# Authentication done on SP + PROXY + IDP
# LOGOUT PROCESS ###########################################################
$url
=
'
/
';
$query
=
'
logout=1
';
ok
(
$res
=
$sp
->
_get
(
$url
,
query
=>
$query
,
accept
=>
'
text/html
',
cookie
=>
"
lemonldap=
$cookiesp
",
),
'
Call logout from SP
'
);
# lemonldap cookie set to "0"
$cookiesp
=
expectCookie
(
$res
,
'
lemonldap
'
);
ok
(
$cookiesp
eq
"
0
",
'
Test empty cookie on SP
'
);
ok
(
$res
->
[
2
]
->
[
0
]
=~
/trmsg="47"/
,
'
Test disconnexion message on SP
'
);
# test connexion on PROXY
switch
('
proxy
');
ok
(
$res
=
$proxy
->
_get
(
'
/
',
query
=>
'',
accept
=>
'
text/html
',
cookie
=>
"
lemonldap=
$cookieproxy
",
),
'
Test if still logged on PROXY
'
);
my
(
$urlidp
,
$queryidp
)
=
expectRedirection
(
$res
,
qr#http://auth.idp.com(/saml/singleSignOn)\?(.*)$#
);
# test connexion on IDP
switch
('
idp
');
ok
(
$res
=
$idp
->
_get
(
'
/
',
query
=>
'',
accept
=>
'
text/html
',
cookie
=>
"
lemonldap=
$cookieidp
",
),
'
Test if still logged on IDP
'
);
like
(
$res
->
[
2
]
->
[
0
],
qr/userfield/
,
'
test presence of user field in form (prove successful logout)
'
);
}
count
(
$maintests
);
clean_sessions
();
done_testing
(
count
()
);
sub
proxy
{
return
LLNG::Manager::
Test
->
new
(
{
ini
=>
{
logLevel
=>
$debug
,
domain
=>
'
proxy.com
',
portal
=>
'
http://auth.proxy.com
',
authentication
=>
'
SAML
',
userDB
=>
'
Same
',
issuerDBOpenIDConnectActivation
=>
"
1
",
samlOrganizationDisplayName
=>
"
proxy
",
samlOrganizationName
=>
"
proxy
",
samlOrganizationURL
=>
"
http://www.proxy.com/
",
samlServicePrivateKeyEnc
=>
saml_key_proxy_private_enc
,
samlServicePrivateKeySig
=>
saml_key_proxy_private_sig
,
samlServicePublicKeyEnc
=>
saml_key_proxy_public_enc
,
samlServicePublicKeySig
=>
saml_key_proxy_public_sig
,
samlIDPSSODescriptorWantAuthnRequestsSigned
=>
1
,
samlSPSSODescriptorWantAssertionsSigned
=>
1
,
samlIDPMetaDataXML
=>
{
'
idp
'
=>
{
samlIDPMetaDataXML
=>
samlIDPComplexMetaDataXML
(
'
idp
',
'
HTTP-Redirect
',
'
SOAP
'
)
},
},
samlIDPMetaDataOptions
=>
{
'
idp
'
=>
{
'
samlIDPMetaDataOptionsAdaptSessionUtime
'
=>
0
,
'
samlIDPMetaDataOptionsAllowLoginFromIDP
'
=>
0
,
'
samlIDPMetaDataOptionsAllowProxiedAuthn
'
=>
0
,
'
samlIDPMetaDataOptionsCheckAudience
'
=>
1
,
'
samlIDPMetaDataOptionsCheckSLOMessageSignature
'
=>
1
,
'
samlIDPMetaDataOptionsCheckSSOMessageSignature
'
=>
1
,
'
samlIDPMetaDataOptionsCheckTime
'
=>
1
,
'
samlIDPMetaDataOptionsDisplayName
'
=>
'
idp
',
'
samlIDPMetaDataOptionsEncryptionMode
'
=>
'
none
',
'
samlIDPMetaDataOptionsForceAuthn
'
=>
0
,
'
samlIDPMetaDataOptionsForceUTF8
'
=>
0
,
'
samlIDPMetaDataOptionsIcon
'
=>
'',
'
samlIDPMetaDataOptionsIsPassive
'
=>
0
,
'
samlIDPMetaDataOptionsNameIDFormat
'
=>
'',
'
samlIDPMetaDataOptionsRelayStateURL
'
=>
0
,
'
samlIDPMetaDataOptionsRequestedAuthnContext
'
=>
'',
'
samlIDPMetaDataOptionsResolutionRule
'
=>
'',
'
samlIDPMetaDataOptionsSLOBinding
'
=>
'
http-soap
',
'
samlIDPMetaDataOptionsSSOBinding
'
=>
'
http-redirect
',
'
samlIDPMetaDataOptionsSignSLOMessage
'
=>
1
,
'
samlIDPMetaDataOptionsSignSSOMessage
'
=>
1
,
'
samlIDPMetaDataOptionsSignatureMethod
'
=>
'',
'
samlIDPMetaDataOptionsStoreSAMLToken
'
=>
0
}
},
samlIDPMetaDataExportedAttributes
=>
{
'
idp
'
=>
{
'
cn
'
=>
'
1;cn
',
'
uid
'
=>
'
1;uid
',
'
mail
'
=>
'
1;mail
',
}
},
issuerDBSAMLActivation
=>
1
,
restSessionServer
=>
1
,
samlSPMetaDataOptions
=>
{
sp
=>
{
'
samlSPMetaDataOptionsCheckSLOMessageSignature
'
=>
1
,
'
samlSPMetaDataOptionsCheckSSOMessageSignature
'
=>
1
,
'
samlSPMetaDataOptionsEnableIDPInitiatedURL
'
=>
0
,
'
samlSPMetaDataOptionsEncryptionMode
'
=>
'
none
',
'
samlSPMetaDataOptionsForceUTF8
'
=>
1
,
'
samlSPMetaDataOptionsNameIDFormat
'
=>
'',
'
samlSPMetaDataOptionsNotOnOrAfterTimeout
'
=>
72000
,
'
samlSPMetaDataOptionsOneTimeUse
'
=>
0
,
'
samlSPMetaDataOptionsSessionNotOnOrAfterTimeout
'
=>
72000
,
'
samlSPMetaDataOptionsSignSLOMessage
'
=>
-
1
,
'
samlSPMetaDataOptionsSignSSOMessage
'
=>
1
,
'
samlSPMetaDataOptionsSignatureMethod
'
=>
''
}
},
samlSPMetaDataXML
=>
{
sp
=>
{
samlSPMetaDataXML
=>
samlSPComplexMetaDataXML
(
'
sp
',
'
HTTP-Redirect
',
'
SOAP
'
),
'
samlSPSSODescriptorAuthnRequestsSigned
'
=>
1
,
'
samlSPSSODescriptorWantAssertionsSigned
'
=>
1
,
}
},
samlSPMetaDataExportedAttributes
=>
{
'
sp
'
=>
{
'
cn
'
=>
'
1;cn
',
'
uid
'
=>
'
1;uid
',
'
mail
'
=>
'
1;mail
',
}
},
samlSPSSODescriptorAuthnRequestsSigned
=>
1
,
},
}
);
}
sub
sp
{
return
LLNG::Manager::
Test
->
new
(
{
ini
=>
{
logLevel
=>
$debug
,
domain
=>
'
sp.com
',
portal
=>
'
http://auth.sp.com
',
authentication
=>
'
SAML
',
userDB
=>
'
Same
',
issuerDBOpenIDConnectActivation
=>
"
1
",
samlOrganizationDisplayName
=>
"
SP
",
samlOrganizationName
=>
"
SP
",
samlOrganizationURL
=>
"
http://www.sp.com/
",
samlServicePrivateKeyEnc
=>
saml_key_sp_private_enc
,
samlServicePrivateKeySig
=>
saml_key_sp_private_sig
,
samlServicePublicKeyEnc
=>
saml_key_sp_public_enc
,
samlServicePublicKeySig
=>
saml_key_sp_public_sig
,
samlIDPSSODescriptorWantAuthnRequestsSigned
=>
1
,
samlSPSSODescriptorWantAssertionsSigned
=>
1
,
samlIDPMetaDataXML
=>
{
'
proxy
'
=>
{
samlIDPMetaDataXML
=>
samlProxyComplexMetaDataXML
(
'
proxy
',
'
HTTP-Redirect
',
'
SOAP
'
)
},
},
samlIDPMetaDataOptions
=>
{
'
proxy
'
=>
{
'
samlIDPMetaDataOptionsAdaptSessionUtime
'
=>
0
,
'
samlIDPMetaDataOptionsAllowLoginFromIDP
'
=>
0
,
'
samlIDPMetaDataOptionsAllowProxiedAuthn
'
=>
0
,
'
samlIDPMetaDataOptionsCheckAudience
'
=>
1
,
'
samlIDPMetaDataOptionsCheckSLOMessageSignature
'
=>
1
,
'
samlIDPMetaDataOptionsCheckSSOMessageSignature
'
=>
1
,
'
samlIDPMetaDataOptionsCheckTime
'
=>
1
,
'
samlIDPMetaDataOptionsDisplayName
'
=>
'
proxy
',
'
samlIDPMetaDataOptionsEncryptionMode
'
=>
'
none
',
'
samlIDPMetaDataOptionsForceAuthn
'
=>
0
,
'
samlIDPMetaDataOptionsForceUTF8
'
=>
0
,
'
samlIDPMetaDataOptionsIcon
'
=>
'',
'
samlIDPMetaDataOptionsIsPassive
'
=>
0
,
'
samlIDPMetaDataOptionsNameIDFormat
'
=>
'',
'
samlIDPMetaDataOptionsRelayStateURL
'
=>
0
,
'
samlIDPMetaDataOptionsRequestedAuthnContext
'
=>
'',
'
samlIDPMetaDataOptionsResolutionRule
'
=>
'',
'
samlIDPMetaDataOptionsSLOBinding
'
=>
'
http-soap
',
'
samlIDPMetaDataOptionsSSOBinding
'
=>
'
http-redirect
',
'
samlIDPMetaDataOptionsSignSLOMessage
'
=>
1
,
'
samlIDPMetaDataOptionsSignSSOMessage
'
=>
1
,
'
samlIDPMetaDataOptionsSignatureMethod
'
=>
'',
'
samlIDPMetaDataOptionsStoreSAMLToken
'
=>
0
}
},
samlIDPMetaDataExportedAttributes
=>
{
'
proxy
'
=>
{
'
cn
'
=>
'
1;cn
',
'
uid
'
=>
'
1;uid
',
'
mail
'
=>
'
1;mail
',
}
},
}
}
);
}
sub
idp
{
return
LLNG::Manager::
Test
->
new
(
{
ini
=>
{
logLevel
=>
$debug
,
domain
=>
'
idp.com
',
portal
=>
'
http://auth.idp.com
',
authentication
=>
'
Demo
',
userDB
=>
'
Same
',
issuerDBSAMLActivation
=>
1
,
restSessionServer
=>
1
,
samlSPMetaDataOptions
=>
{
proxy
=>
{
'
samlSPMetaDataOptionsCheckSLOMessageSignature
'
=>
1
,
'
samlSPMetaDataOptionsCheckSSOMessageSignature
'
=>
1
,
'
samlSPMetaDataOptionsEnableIDPInitiatedURL
'
=>
0
,
'
samlSPMetaDataOptionsEncryptionMode
'
=>
'
none
',
'
samlSPMetaDataOptionsForceUTF8
'
=>
1
,
'
samlSPMetaDataOptionsNameIDFormat
'
=>
'',
'
samlSPMetaDataOptionsNotOnOrAfterTimeout
'
=>
72000
,
'
samlSPMetaDataOptionsOneTimeUse
'
=>
0
,
'
samlSPMetaDataOptionsSessionNotOnOrAfterTimeout
'
=>
72000
,
'
samlSPMetaDataOptionsSignSLOMessage
'
=>
-
1
,
'
samlSPMetaDataOptionsSignSSOMessage
'
=>
1
,
'
samlSPMetaDataOptionsSignatureMethod
'
=>
''
}
},
samlSPMetaDataXML
=>
{
proxy
=>
{
samlSPMetaDataXML
=>
samlProxyComplexMetaDataXML
(
'
proxy
',
'
HTTP-Redirect
',
'
SOAP
'
),
'
samlSPSSODescriptorAuthnRequestsSigned
'
=>
1
,
'
samlSPSSODescriptorWantAssertionsSigned
'
=>
1
,
}
},
samlSPMetaDataExportedAttributes
=>
{
'
proxy
'
=>
{
'
cn
'
=>
'
1;cn
',
'
uid
'
=>
'
1;uid
',
'
mail
'
=>
'
1;mail
',
}
},
samlOrganizationDisplayName
=>
"
IDP
",
samlOrganizationName
=>
"
IDP
",
samlOrganizationURL
=>
"
http://www.idp.com
",
samlServicePublicKeySig
=>
saml_key_idp_public_sig
,
samlServicePrivateKeyEnc
=>
saml_key_idp_private_enc
,
samlServicePrivateKeySig
=>
saml_key_idp_private_sig
,
samlServicePublicKeyEnc
=>
saml_key_idp_public_enc
,
samlSPSSODescriptorAuthnRequestsSigned
=>
1
,
},
}
);
}
lemonldap-ng-portal/t/saml-lib.pm
View file @
959a4349
...
...
@@ -807,6 +807,192 @@ EOF
;
}
sub
samlProxyComplexMetaDataXML
{
my
(
$name
,
$typeSSO
,
$typeSLO
)
=
@_
;
my
$org
=
uc
(
$name
);
return
<<"EOF"
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="http://auth.$name.com/saml/metadata">
<IDPSSODescriptor WantAuthnRequestsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
<Modulus>ztmb1JZk/agkYYm23D4dqaLS4EKHKrjO4eBvwtWZLexAGR1KDpcrHqLyqJoal+q4A8drI7lxElSt
6xRKJ4DIxQM1jqRcmE6EzdL6BfTaRace3zIuhjDSQUZJdtFtlJynQT1cJbx5ZYhqZbYANm9NZRcY
Z5gWeyF9nl41xA79AMuYlpt7eWDR8cnQJXwV790991FQ9yA2BBgTdSKkFqZ72P4lWu4shz3JCGf5
hyq03hCHQ7bsfpgAdCrbQPTuJNFtS599ClMu+AcRcwJcS233pHd306PRHCXn3Eapq6gEoHxgLVNp
+luAIhRA9EaOnZ0nVkFwFKn3vLXzV01iTliMeQ==
</Modulus>
<Exponent>AQAB
</Exponent>
</RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
<Modulus>2vzoUiQ4GsM5qLjoxslEDKj+RrPh/A743JCWe1Hbadjd5yD4gPwmJUxMF+MJcQlo/TkmKbTonPdI
oAqDknbUxfFTntp0VkdKrB64xr0Stpy7123hPszat3SbU3RYypdobEcuSAS77w9X1KnkRL1+CIe5
9qSsghO3l3b2IJ6qPFXdx/cro7+K3O7w8wAEJ9KmxA0KdiZpSFgTAqfNDSKx8NLwZOeDpsHouAxy
1E2kine+9ESBTRAM2PgiGZvU5JA1SZscdEg3wTftJxxPFnAJMwtqM3IVC6B+TqsIP5Wlk1PQQqH7
5gjtBYDVduynBwU+l/UUmp1aDRZupuH8PF51pw==
</Modulus>
<Exponent>AQAB
</Exponent>
</RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://auth.$name.com/saml/artifact" />
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:$typeSLO"
Location="http://auth.$name.com/saml/singleLogout"
ResponseLocation="http://auth.$name.com/saml/singleLogoutReturn" />
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:$typeSSO"
Location="http://auth.$name.com/saml/singleSignOn" />
</IDPSSODescriptor>
<SPSSODescriptor AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
<Modulus>ztmb1JZk/agkYYm23D4dqaLS4EKHKrjO4eBvwtWZLexAGR1KDpcrHqLyqJoal+q4A8drI7lxElSt
6xRKJ4DIxQM1jqRcmE6EzdL6BfTaRace3zIuhjDSQUZJdtFtlJynQT1cJbx5ZYhqZbYANm9NZRcY
Z5gWeyF9nl41xA79AMuYlpt7eWDR8cnQJXwV790991FQ9yA2BBgTdSKkFqZ72P4lWu4shz3JCGf5
hyq03hCHQ7bsfpgAdCrbQPTuJNFtS599ClMu+AcRcwJcS233pHd306PRHCXn3Eapq6gEoHxgLVNp
+luAIhRA9EaOnZ0nVkFwFKn3vLXzV01iTliMeQ==
</Modulus>
<Exponent>AQAB
</Exponent>
</RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyValue>
<RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
<Modulus>2vzoUiQ4GsM5qLjoxslEDKj+RrPh/A743JCWe1Hbadjd5yD4gPwmJUxMF+MJcQlo/TkmKbTonPdI
oAqDknbUxfFTntp0VkdKrB64xr0Stpy7123hPszat3SbU3RYypdobEcuSAS77w9X1KnkRL1+CIe5
9qSsghO3l3b2IJ6qPFXdx/cro7+K3O7w8wAEJ9KmxA0KdiZpSFgTAqfNDSKx8NLwZOeDpsHouAxy
1E2kine+9ESBTRAM2PgiGZvU5JA1SZscdEg3wTftJxxPFnAJMwtqM3IVC6B+TqsIP5Wlk1PQQqH7
5gjtBYDVduynBwU+l/UUmp1aDRZupuH8PF51pw==
</Modulus>
<Exponent>AQAB
</Exponent>
</RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</KeyDescriptor>
<ArtifactResolutionService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="http://auth.$name.com/saml/artifact" />
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:$typeSLO"
Location="http://auth.$name.com/saml/proxySingleLogout"
ResponseLocation="http://auth.$name.com/saml/proxySingleLogoutReturn" />
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://auth.$name.com/saml/proxySingleSignOnPost" />
<AssertionConsumerService isDefault="false" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="http://auth.$name.com/saml/proxySingleSignOnArtifact" />
</SPSSODescriptor>
<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">