Projet

Général

Profil

0001-WIP-support-federation-file-loading-19396.patch

Paul Marillonnet, 19 juillet 2018 12:21

Télécharger (100 ko)

Voir les différences:

Subject: [PATCH] WIP support federation file loading (#19396)

 README                         |  13 +
 mellon/adapters.py             | 150 ++++++++--
 mellon/app_settings.py         |  18 +-
 mellon/federation_utils.py     | 301 +++++++++++++++++++
 mellon/utils.py                | 184 +++++++++---
 mellon/views.py                |  43 ++-
 setup.py                       |   1 +
 tests/conftest.py              |   7 +
 tests/dummy_md.xml             | 367 +++++++++++++++++++++++
 tests/federation-sample.xml    | 530 +++++++++++++++++++++++++++++++++
 tests/test_default_adapter.py  |  10 +-
 tests/test_federation_utils.py |  35 +++
 tests/test_sso_slo.py          |  88 +++++-
 tests/test_utils.py            | 114 +++++--
 tests/utils.py                 |  12 +-
 15 files changed, 1760 insertions(+), 113 deletions(-)
 create mode 100644 mellon/federation_utils.py
 create mode 100644 tests/dummy_md.xml
 create mode 100644 tests/federation-sample.xml
 create mode 100644 tests/test_federation_utils.py
README
82 82
the absolute path toward a metadata file. All other keys are override
83 83
of generic settings.
84 84

  
85
MELLON_FEDERATIONS
86
------------------
87

  
88
A list of dictionaries, only one key 'FEDERATION' is mandatory in those
89
dictionaries. It should contain the local path or the remote URL for the
90
metadata file describing the SAML-based federation to be loaded in mellon. Both
91
relative and absolute paths are supported.
92
Additional parameters can be given as key/value pairs in the dictionaries, on
93
a similar basis as the aforementioned MELLON_IDENTITY_PROVIDERS config.
94
For each dictionary describing a federation, these parameters will apply to
95
any successfully-loaded provider belonging to that federation.
96
These parameters also override the global settings.
97

  
85 98
MELLON_PUBLIC_KEYS
86 99
------------------
87 100

  
mellon/adapters.py
11 11
from django.contrib.auth.models import Group
12 12
from django.utils import six
13 13
from django.utils.encoding import force_text
14
from django.utils.text import slugify
14 15

  
15 16
from . import utils, app_settings, models
17
from mellon.federation_utils import idp_metadata_store, url2filename, \
18
        idp_metadata_extract_entity_id, idp_metadata_is_cached, \
19
        idp_metadata_load, idp_settings_store, idp_settings_load, \
20
        fingerprint_mapping_single_update
16 21

  
17 22

  
18 23
class UserCreationError(Exception):
......
25 30

  
26 31
    def get_idp(self, entity_id):
27 32
        '''Find the first IdP definition matching entity_id'''
28
        for idp in self.get_idps():
29
            if entity_id == idp['ENTITY_ID']:
30
                return idp
33
        idp = {}
34

  
35
        # First, check whether the provider is cached
36
        if idp_metadata_is_cached(entity_id):
37
            metadata_content = idp_metadata_load(entity_id)
38
            idp.update({'METADATA': metadata_content,
39
                   'ENTITY_ID': entity_id})
40
            # Extra settings loaded if the provider comes from a federation
41
            idp.update(idp_settings_load(entity_id) or {})
42

  
43
        # If not, try to fetch it from the mellon settings
44
        else:
45
            for idp in self.get_identity_providers_setting():
46
                if not idp.get('METADATA_URL') and not idp.get('METADATA'):
47
                    self.logger.error(u'missing METADATA or METADATA_URL in idp %s', idp or '')
48
                    continue
49

  
50
                elif 'METADATA_URL' in idp and 'METADATA' not in idp:
51
                    metadata = utils.get_metadata_from_url(idp)
52
                    if not metadata:
53
                        continue
54
                    idp['METADATA'] = metadata
55

  
56
                if 'ENTITY_ID' not in idp:
57
                    if idp['METADATA'].startswith('/') or idp['METADATA'].startswith('./'):
58
                    # In case the entity ID isn't provided in the settings, it
59
                    # needs to be fetched from the content of the metadata file
60
                        metadata_path = idp['METADATA']
61
                        if 'FEDERATION' in idp:
62
                            metadata_path = default_storage.path(metadata_path)
63
                        content = open(metadata_path, 'r').read()
64
                    else:
65
                        content = idp['METADATA']
66
                    idp['ENTITY_ID'] = idp_metadata_extract_entity_id(content)
67

  
68
                if idp['ENTITY_ID'] == entity_id:
69
                    break
70

  
71
        return idp.copy()
31 72

  
32 73
    def get_identity_providers_setting(self):
33
        return app_settings.IDENTITY_PROVIDERS
74
        # First, providers from federation as declared in the mellon settings
75
        for federation_data in self.get_federations():
76
            if not isinstance(federation_data, dict) or \
77
                    'FEDERATION' not in federation_data:
78
                continue
79
            fed_extra_attrs = federation_data.copy()
80
            # Federation can be declared as URLs. If so, their content needs
81
            # to be fetched and cached
82
            fed_filepath, _ = utils.get_federation_metadata(federation_data.get('FEDERATION'))
83

  
84
            try:
85
                tree = ET.parse(fed_filepath)
86
                root = tree.getroot()
87
                for child in root:
88
                    provider = {}
89
                    entity_id = idp_metadata_extract_entity_id(ET.tostring(child))
90
                    if not entity_id:
91
                        # The XML tag wasn't an IDPSSODescriptor
92
                        continue
93
                    # Store the metadata content in cache
94
                    provider['METADATA'] = idp_metadata_store(ET.tostring(child).decode('utf-8'))
95
                    provider['ENTITY_ID'] = entity_id
96
                    # Add in each provider the federation-wise configuration
97
                    provider.update(fed_extra_attrs)
98
                    idp_settings_store(provider)
99
                    fingerprint_mapping_single_update(entity_id)
100
                    yield provider
101
            except:
102
                self.logger.error('Couldn\'t load federation metadata file %r',
103
                                  fed_filepath)
104
                continue
105

  
106
        # Then, the non-federated providers
107
        for extra_provider in app_settings.IDENTITY_PROVIDERS:
108
            if 'ENTITY_ID' in extra_provider:
109
                entity_id = extra_provider.get('ENTITY_ID')
110
            else:
111
                if 'METADATA' in extra_provider:
112
                    metadata = extra_provider.get('METADATA')
113
                elif 'METADATA_URL' in extra_provider:
114
                    metadata = utils.get_metadata_from_url(extra_provider)
115
                else:
116
                    continue
117
                entity_id = idp_metadata_extract_entity_id(metadata)
118

  
119
            fingerprint_mapping_single_update(entity_id)
120
            yield extra_provider
121

  
122
    def get_federations(self):
123
        for federation in getattr(app_settings, 'FEDERATIONS', []):
124
            yield federation
34 125

  
35 126
    def get_idps(self):
36 127
        for i, idp in enumerate(self.get_identity_providers_setting()):
37 128
            if 'METADATA_URL' in idp and 'METADATA' not in idp:
38
                verify_ssl_certificate = utils.get_setting(
39
                    idp, 'VERIFY_SSL_CERTIFICATE')
40
                try:
41
                    response = requests.get(idp['METADATA_URL'], verify=verify_ssl_certificate)
42
                    response.raise_for_status()
43
                except requests.exceptions.RequestException as e:
44
                    self.logger.error(
45
                        u'retrieval of metadata URL %r failed with error %s for %d-th idp',
46
                        idp['METADATA_URL'], e, i)
129
                md_content = utils.get_metadata_from_url(idp)
130

  
131
                if not md_content:
47 132
                    continue
48
                idp['METADATA'] = response.text
49
            elif 'METADATA' in idp:
50
                if idp['METADATA'].startswith('/'):
51
                    idp['METADATA'] = open(idp['METADATA']).read()
52
            else:
133

  
134
                if 'FEDERATION' in idp:
135
                    # IdPs from federation are cached on filesystem
136
                    # only the filename is kept in memory
137
                    idp['METADATA'] = idp_metadata_store(md_content)
138
                    entity_id = idp.get('ENTITY_ID')
139
                    if not entity_id:
140
                        idp['ENTITY_ID'] = idp_metadata_extract_entity_id(md_content)
141
                    # load federation-specific configuration
142
                    idp.update(idp_settings_load(idp.get('ENTITY_ID')))
143
                else:
144
                    idp['METADATA'] = md_content
145

  
146
            elif idp.get('METADATA', '').startswith('/') or \
147
                    idp.get('METADATA', '').startswith('./') and \
148
                    'FEDERATION' not in idp:
149
                idp['METADATA'] = open(idp['METADATA'], 'r').read()
150

  
151
            elif not idp.get('METADATA'):
53 152
                self.logger.error(u'missing METADATA or METADATA_URL in %d-th idp', i)
54 153
                continue
55
            if 'ENTITY_ID' not in idp:
56
                try:
57
                    doc = ET.fromstring(idp['METADATA'])
58
                except (TypeError, ET.ParseError):
59
                    self.logger.error(u'METADATA of %d-th idp is invalid', i)
60
                    continue
61
                if doc.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF:
62
                    self.logger.error(u'METADATA of %d-th idp has no EntityDescriptor root tag', i)
63
                    continue
64

  
65
                if not 'entityID' in doc.attrib:
66
                    self.logger.error(
67
                        u'METADATA of %d-th idp has no entityID attribute on its root tag', i)
68
                    continue
69
                idp['ENTITY_ID'] = doc.attrib['entityID']
70 154
            yield idp
71 155

  
72 156
    def authorize(self, idp, saml_attributes):
mellon/app_settings.py
38 38
        'LOGIN_URL': 'mellon_login',
39 39
        'LOGOUT_URL': 'mellon_logout',
40 40
        'ARTIFACT_RESOLVE_TIMEOUT': 10.0,
41
        'FEDERATIONS': [],
42
        # 'FINGERPRINT_FILENAME': '__fingerprint_mappings',
43
        # 'METADATA_CACHE_DIR': 'metadata-cache',
41 44
    }
42 45

  
46
    @property
47
    def FEDERATIONS(self):
48
        from django.conf import settings
49
        if settings.hasattr('MELLON_FEDERATIONS'):
50
            federations = settings.MELLON_FEDERATIONS
51
        if isinstance(federations, dict):
52
            federations = [federations]
53
        return federations
54

  
43 55
    @property
44 56
    def IDENTITY_PROVIDERS(self):
45 57
        from django.conf import settings
58
        idps = []
46 59
        try:
47
            idps = settings.MELLON_IDENTITY_PROVIDERS
60
            if hasattr(settings, 'MELLON_IDENTITY_PROVIDERS'):
61
                idps = settings.MELLON_IDENTITY_PROVIDERS
62
            elif not hasattr(settings, 'MELLON_FEDERATIONS'):
63
                raise AttributeError
48 64
        except AttributeError:
49 65
            return []
50 66
        if isinstance(idps, dict):
mellon/federation_utils.py
1
import fcntl
2
import json
3
import lasso
4
import logging
5
import tempfile
6
from datetime import timedelta
7

  
8
from django.utils.text import slugify
9
from datetime import datetime
10
from hashlib import sha1
11

  
12
import requests
13
from xml.etree import ElementTree as ET
14
import os
15
import hashlib
16
import os.path
17

  
18
from django.core.files.storage import default_storage
19

  
20

  
21
def truncate_unique(s, length=250):
22
    if len(s) < length:
23
        return s
24
    md5 = hashlib.md5(s.encode('ascii')).hexdigest()
25
    # we should be the first and last characters from the URL
26
    l = (length - len(md5)) / 2 - 2  # four additional characters
27
    assert l > 20
28
    return s[:l] + '...' + s[-l:] + '_' + md5
29

  
30

  
31
def url2filename(url):
32
    return truncate_unique(slugify(url), 230)
33

  
34

  
35
def get_entity_id_from_fingerprint(fingerprint):
36
    logger = logging.getLogger(__name__)
37
    unix_path = default_storage.path('metadata-cache/__fingerprint_mapping')
38
    if not os.path.exists(unix_path):
39
        return
40

  
41
    try:
42
        mapping = dict()
43
        with open(default_storage.path(filepath), 'r+') as f:
44
            try:
45
                # Shared yet blocking lock, as obtaining the entity id is critical
46
                # to the SAML artifact resolution.
47
                fcntl.lockf(f, fcntl.LOCK_SH)
48
            except:
49
                logger.exception(u"failed to acquire shared blocking lock on "
50
                    "the entity_id fingerprint cache file")
51
            else:
52
                mapping = json.loads(f.read())
53
            finally:
54
                fcntl.lockf(f, fcntl.LOCK_UN)
55
    except:
56
        logger.exception(u"could read the entity_id fingerprint cache file")
57

  
58
    return mapping.get(fingerprint, None)
59

  
60

  
61
def fingerprint_mapping_single_update(entity_id):
62
    """Adds an entry in the <sha1(entity_id), entity_id> mapping.
63
    The mapping cache file may be created in not already existing.
64
    """
65
    logger = logging.getLogger(__name__)
66
    unix_path = default_storage.path('metadata-cache/__fingerprint_mapping')
67
    dirname = os.path.dirname(unix_path)
68

  
69
    try:
70
        if not os.path.exists(dirname):
71
            os.makedirs(dirname)
72
        f = open(default_storage.path(filepath), 'rw+')
73
        try:
74
            fcntl.lockf(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
75
        except:
76
            logger.exception(u"failed to acquire the exclusive non blocking "
77
                "lock on the entity_id fingerprint cache file")
78
            return
79
        else:
80
            with tempfile.NamedTemporaryFile(dir=os.path.dirname(unix_path), delete=False) as temp:
81
                try:
82
                    mapping = json.loads(f.read())
83
                    m = sha1()
84
                    m.update(entity_id)
85
                    mapping.append({m.digest(): entity_id})
86
                    temp.write(json.dumps(mapping))
87
                    temp.flush()
88
                    os.rename(temp.name, unix_path)
89
                    pass
90
                except:
91
                    logger.error('Could\'nt fetch %r', url)
92
                    os.unlink(temp.name)
93
                finally:
94
                    fcntl.lockf(f, fcntl.LOCK_UN)
95
        finally:
96
            f.close()
97
    except:
98
        logger.exception(u"could create the intermediary 'metadata-cache' "
99
                         "folder")
100

  
101

  
102
def load_federation_cache(url):
103
    logger = logging.getLogger(__name__)
104
    try:
105
        filename = url2filename(url)
106
        path = os.path.join('metadata-cache', filename)
107

  
108
        unix_path = default_storage.path(path)
109
        dirname = os.path.dirname(unix_path)
110
        if not os.path.exists(dirname):
111
            os.makedirs(dirname)
112
        f = open(unix_path, 'w')
113
        try:
114
            fcntl.lockf(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
115
        except IOError:
116
            return
117
        else:
118
            with tempfile.NamedTemporaryFile(dir=os.path.dirname(unix_path), delete=False) as temp:
119
                try:
120
                    # increase modified time by one hour to prevent too many updates
121
                    st = os.stat(unix_path)
122
                    os.utime(unix_path, (st.st_atime, st.st_mtime + 3600))
123
                    response = requests.get(url)
124
                    response.raise_for_status()
125
                    temp.write(response.content)
126
                    temp.flush()
127
                    os.rename(temp.name, unix_path)
128
                except:
129
                    logger.error('Could\'nt fetch %r', url)
130
                    os.unlink(temp.name)
131
                finally:
132
                    fcntl.lockf(f, fcntl.LOCK_UN)
133
        finally:
134
            f.close()
135
    except OSError:
136
        logger.exception(u"could create the intermediary 'metadata-cache' "
137
                         "folder")
138
        return
139
    except:
140
        logger.exception(u'failed to load federation from %s', url)
141

  
142

  
143
def get_federation_from_url(url, update_cache=False):
144
    logger = logging.getLogger(__name__)
145
    filename = url2filename(url)
146
    filepath = os.path.join('metadata-cache', filename)
147
    if not default_storage.exists(filepath) or update_cache or \
148
            default_storage.created_time(filepath) < datetime.now() - timedelta(days=1):
149
        load_federation_cache(url)
150
    else:
151
        logger.warning('federation %s has not been loaded', url)
152
    return default_storage.path(filepath)
153

  
154

  
155
def idp_metadata_filepath(entity_id):
156
    filename = url2filename(entity_id)
157
    filepath = os.path.join('./metadata-cache', filename)
158
    return filepath
159

  
160

  
161
def idp_settings_filepath(entity_id):
162
    filename = url2filename(entity_id) + "_settings.json"
163
    filepath = os.path.join('./metadata-cache', filename)
164
    return filepath
165

  
166

  
167
def idp_metadata_is_cached(entity_id):
168
    filepath = idp_metadata_filepath(entity_id)
169
    if not default_storage.exists(filepath):
170
        return False
171
    return True
172

  
173

  
174
def idp_metadata_is_file(metadata):
175
    # XXX too restrictive (e.g. 'metadata/http-somemetadataserver-com-md00.xml'
176
    # could be a file too...)
177
    # On the opposite, `if "http://" in metadata or "https://" in metadata:" is
178
    # equally restrictive.
179
    # Using a URLValidator doesn't seem adequate either.
180
    if metadata.startswith('/') or metadata.startswith('./'):
181
        return True
182

  
183

  
184
def idp_metadata_needs_refresh(entity_id, update_cache=False):
185
    filepath = idp_metadata_filepath(entity_id)
186
    if not default_storage.exists(filepath) or update_cache or \
187
            default_storage.created_time(filepath) < datetime.now() - timedelta(days=1):
188
        return True
189
    return False
190

  
191

  
192
def idp_settings_needs_refresh(entity_id, update_cache=False):
193
    filepath = idp_settings_filepath(entity_id)
194
    if not default_storage.exists(filepath) or update_cache or \
195
            default_storage.created_time(filepath) < datetime.now() - timedelta(days=1):
196
        return True
197
    return False
198

  
199

  
200
def idp_metadata_store(metadata_content):
201
    entity_id = idp_metadata_extract_entity_id(metadata_content)
202
    if not entity_id:
203
        return
204
    logger = logging.getLogger(__name__)
205
    filepath = idp_metadata_filepath(entity_id)
206

  
207
    dirname = os.path.dirname(filepath)
208
    if not default_storage.exists(dirname):
209
        os.makedirs(default_storage.path(dirname))
210

  
211
    if idp_metadata_needs_refresh(entity_id):
212
        with open(default_storage.path(filepath), 'w') as f:
213
            try:
214
                fcntl.lockf(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
215
                f.write(metadata_content)
216
                fcntl.lockf(f, fcntl.LOCK_UN)
217
            except:
218
                logger.error('Couldn\'t store metadata for EntityID %r',
219
                        entity_id)
220
                return
221
    return default_storage.path(filepath)
222

  
223

  
224
def idp_metadata_load(entity_id):
225
    logger = logging.getLogger(__name__)
226
    filepath = idp_metadata_filepath(entity_id)
227
    if default_storage.exists(filepath):
228
        logger.info('Loading metadata for EntityID %r', entity_id)
229
        with open(default_storage.path(filepath), 'r') as f:
230
            return f.read()
231
    else:
232
        logger.warning('No metadata file for EntityID %r', entity_id)
233

  
234

  
235
def idp_settings_store(idp):
236
    """
237
    Stores an IDP settings when loaded from a federation.
238
    """
239
    logger = logging.getLogger(__name__)
240
    entity_id = idp.get('ENTITY_ID')
241
    filepath = idp_settings_filepath(entity_id)
242
    idp_settings = {}
243

  
244
    if not entity_id:
245
        return
246

  
247
    dirname = os.path.dirname(filepath)
248
    if not default_storage.exists(dirname):
249
        os.makedirs(default_storage.path(dirname))
250

  
251
    for key, value in idp.items():
252
        if key not in ('METADATA', 'ENTITY_ID'):
253
            idp_settings.update({key: value})
254

  
255
    if idp_settings_needs_refresh(entity_id) and idp_settings:
256
        with open(default_storage.path(filepath), 'w') as f:
257
            try:
258
                fcntl.lockf(f, fcntl.LOCK_EX | fcntl.LOCK_NB)
259
                f.write(json.dumps(idp_settings))
260
                fcntl.lockf(f, fcntl.LOCK_UN)
261
            except:
262
                logger.error('Couldn\'t store settings for EntityID %r',
263
                        entity_id)
264

  
265

  
266
def idp_settings_load(entity_id):
267
    logger = logging.getLogger(__name__)
268
    filepath = idp_settings_filepath(entity_id)
269
    if default_storage.exists(filepath):
270
        logger.info('Loading JSON settings for EntityID %r', entity_id)
271
        with open(default_storage.path(filepath), 'r') as f:
272
            try:
273
                idp_settings = json.loads(f.read())
274
            except:
275
                logger.warning('Couldn\'t load JSON settings for EntityID %r',
276
                        entity_id)
277
            else:
278
                return idp_settings
279
    else:
280
        logger.warning('No JSON settings file for EntityID %r', entity_id)
281

  
282
    return {}
283

  
284

  
285
def idp_metadata_extract_entity_id(metadata_content):
286
    logger = logging.getLogger(__name__)
287
    try:
288
        doc = ET.fromstring(metadata_content)
289
    except (TypeError, ET.ParseError):
290
        logger.error(u'METADATA of idp %r is invalid', metadata_content)
291
        return
292
    if doc.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF:
293
        logger.error(u'METADATA of idp %r has no EntityDescriptor root tag',
294
                metadata_content)
295
        return
296
    if not 'entityID' in doc.attrib:
297
        logger.error(
298
                u'METADATA of idp %r has no entityID attribute on its root tag',
299
                metadata_content)
300
        return
301
    return doc.attrib['entityID']
mellon/utils.py
3 3
import importlib
4 4
from functools import wraps
5 5
import isodate
6
import requests
7
import requests.exceptions
6 8
from xml.parsers import expat
7 9

  
8 10
from django.contrib import auth
11
from django.core.exceptions import ValidationError
9 12
from django.core.urlresolvers import reverse
13
from django.core.validators import URLValidator
10 14
from django.template.loader import render_to_string
11 15
from django.utils.timezone import make_aware, now, make_naive, is_aware, get_default_timezone
12 16
from django.conf import settings
......
14 18
import lasso
15 19

  
16 20
from . import app_settings
21
from .federation_utils import get_federation_from_url, idp_metadata_is_file, \
22
        idp_metadata_load, idp_metadata_extract_entity_id
17 23

  
18 24

  
19 25
def create_metadata(request):
......
48 54

  
49 55
def create_server(request):
50 56
    logger = logging.getLogger(__name__)
51
    root = request.build_absolute_uri('/')
52
    cache = getattr(settings, '_MELLON_SERVER_CACHE', {})
53
    if root not in cache:
54
        metadata = create_metadata(request)
55
        if app_settings.PRIVATE_KEY:
56
            private_key = app_settings.PRIVATE_KEY
57
            private_key_password = app_settings.PRIVATE_KEY_PASSWORD
58
        elif app_settings.PRIVATE_KEYS:
59
            private_key = app_settings.PRIVATE_KEYS[0]
60
            private_key_password = None
61
            if isinstance(private_key, (tuple, list)):
62
                private_key_password = private_key[1]
63
                private_key = private_key[0]
64
        else:  # no signature
65
            private_key = None
66
            private_key_password = None
67
        server = lasso.Server.newFromBuffers(metadata, private_key_content=private_key,
68
                                             private_key_password=private_key_password)
69
        server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
70
        private_keys = app_settings.PRIVATE_KEYS
71
        # skip first key if it is already loaded
72
        if not app_settings.PRIVATE_KEY:
73
            private_keys = app_settings.PRIVATE_KEYS[1:]
74
        for key in private_keys:
75
            password = None
76
            if isinstance(key, (tuple, list)):
77
                password = key[1]
78
                key = key[0]
79
            server.setEncryptionPrivateKeyWithPassword(key, password)
80
        for idp in get_idps():
81
            try:
82
                server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, idp['METADATA'])
83
            except lasso.Error as e:
84
                logger.error(u'bad metadata in idp %r', idp['ENTITY_ID'])
85
                logger.debug(u'lasso error: %s', e)
86
                continue
87
        cache[root] = server
88
        settings._MELLON_SERVER_CACHE = cache
89
    return settings._MELLON_SERVER_CACHE.get(root)
90

  
91

  
92
def create_login(request):
93
    server = create_server(request)
57
    metadata = create_metadata(request)
58
    if app_settings.PRIVATE_KEY:
59
        private_key = app_settings.PRIVATE_KEY
60
        private_key_password = app_settings.PRIVATE_KEY_PASSWORD
61
    elif app_settings.PRIVATE_KEYS:
62
        private_key = app_settings.PRIVATE_KEYS[0]
63
        private_key_password = None
64
        if isinstance(private_key, (tuple, list)):
65
            private_key_password = private_key[1]
66
            private_key = private_key[0]
67
    else:  # no signature
68
        private_key = None
69
        private_key_password = None
70
    server = lasso.Server.newFromBuffers(metadata, private_key_content=private_key,
71
                                         private_key_password=private_key_password)
72
    server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
73
    private_keys = app_settings.PRIVATE_KEYS
74
    # skip first key if it is already loaded
75
    if not app_settings.PRIVATE_KEY:
76
        private_keys = app_settings.PRIVATE_KEYS[1:]
77
    for key in private_keys:
78
        password = None
79
        if isinstance(key, (tuple, list)):
80
            password = key[1]
81
            key = key[0]
82
        server.setEncryptionPrivateKeyWithPassword(key, password)
83
    return server
84

  
85

  
86
def get_federation_metadata(federation):
87
    logger = logging.getLogger(__name__)
88
    fedmd = None
89
    pemcert = None
90
    if (isinstance(federation, tuple) and len(federation) == 2):
91
        logger.info('Loading local cert-based federation %r',
92
                    federation)
93
        if federation[1].endswith('.pem'):
94
            fedmd = federation[0]
95
            pemcert = federation[1]
96
    else:
97
        urlval = URLValidator()
98
        try:
99
            urlval(federation)
100
        except ValidationError:
101
            logger.info('Loading file-based federation %s',
102
                        federation)
103
            fedmd = federation
104
        else:
105
            logger.info('Fetching and loading url-based federation %s',
106
                        federation)
107
            fedmd = get_federation_from_url(federation)
108
    return (fedmd, pemcert)
109

  
110

  
111
def create_login(request, server=None):
112
    if not server:
113
        server = create_server(request)
94 114
    login = lasso.Login(server)
95 115
    if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS:
96 116
        login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
......
113 133
                yield idp
114 134

  
115 135

  
136
def get_federations():
137
    for adapter in get_adapters():
138
        if hasattr(adapter, 'get_federations'):
139
            for federation in adapter.get_federations():
140
                yield federation
141

  
142

  
116 143
def flatten_datetime(d):
117 144
    d = d.copy()
118 145
    for key, value in d.items():
......
180 207
    return idp.get(name) or getattr(app_settings, name, default)
181 208

  
182 209

  
183
def create_logout(request):
210
def create_logout(request, server=None):
184 211
    logger = logging.getLogger(__name__)
185
    server = create_server(request)
212
    if not server:
213
        server = create_server(request)
186 214
    mellon_session = request.session.get('mellon_session', {})
187 215
    entity_id = mellon_session.get('issuer')
188 216
    session_index = mellon_session.get('session_index')
......
259 287
    parser.XmlDeclHandler = xmlDeclHandler
260 288
    parser.Parse(content, True)
261 289
    return xml_encoding
290

  
291

  
292
def create_loaded_server(request):
293

  
294
    def add_provider_from_idp(server, idp):
295
        logger = logging.getLogger(__name__)
296
        metadata = idp.get('METADATA')
297
        entity_id = idp.get('ENTITY_ID')
298
        try:
299
            if 'FEDERATION' in idp and idp_metadata_is_file(metadata):
300
                # Federated IdPs have their own cache management:
301
                if idp_metadata_is_file(metadata):
302
                    if not entity_id:
303
                        entity_id = idp_metadata_extract_entity_id(metadata)
304
                    server.addProviderFromBuffer(
305
                            lasso.PROVIDER_ROLE_IDP,
306
                            idp_metadata_load(entity_id))
307
            elif metadata.startswith('/') or metadata.startswith('./'):
308
                # Simply call the adequate built-in lasso routine
309
                server.addProvider(lasso.PROVIDER_ROLE_IDP, metadata)
310
            else:
311
                # The metadata supplied is directly the content buffer:
312
                server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, metadata)
313
        except lasso.ServerAddProviderFailedError as e:
314
            logger.error('Error %s: Failed to load idp %s', e, metadata)
315

  
316
    if request.method == 'GET':
317
        payload = request.META.get('QUERY_STRING') or ''
318
    elif request.method == 'POST':
319
        payload = request.POST.get('SAMLResponse') or ''
320
    else:
321
        payload = ''
322

  
323
    remote_provider_id = lasso.profileGetIssuer(payload)
324

  
325
    if remote_provider_id:
326
        server = create_server(request)
327
        idp = get_idp(remote_provider_id)
328
        idp_metadata = idp.get('METADATA')
329
        if not idp_metadata:
330
            return server
331
        add_provider_from_idp(server, idp)
332
    else:
333
        # No remote provider identifier was provided, but the server still needs
334
        # to be created:
335
        server = create_server(request)
336
        for idp in get_idps():
337
            add_provider_from_idp(server, idp)
338

  
339
    return server
340

  
341
def get_metadata_from_url(idp):
342
    logger = logging.getLogger(__name__)
343

  
344
    verify_ssl_certificate = get_setting(
345
        idp, 'VERIFY_SSL_CERTIFICATE')
346

  
347
    try:
348
        response = requests.get(idp['METADATA_URL'], verify=verify_ssl_certificate)
349
        response.raise_for_status()
350
    except requests.exceptions.RequestException as e:
351
        logger.error(
352
                u'retrieval of metadata URL %r failed with error %s',
353
                idp['METADATA_URL'], e)
354
    else:
355
        return response.content.decode('utf-8')
mellon/views.py
1
import base64
2
import binascii
1 3
import logging
2 4
import requests
3 5
import lasso
......
19 21
from django.db import transaction
20 22
from django.utils.translation import ugettext as _
21 23

  
22
from . import app_settings, utils
24
from . import app_settings, utils, federation_utils
25
from federation_utils import idp_metadata_load, get_entity_id_from_fingerprint
23 26

  
24 27

  
25 28
lasso.setFlag('thin-sessions')
......
111 114
        if not utils.is_nonnull(request.POST['SAMLResponse']):
112 115
            return HttpResponseBadRequest('SAMLResponse contains a null character')
113 116
        self.log.info('Got SAML Response', extra={'saml_response': request.POST['SAMLResponse']})
114
        self.profile = login = utils.create_login(request)
117

  
118
        server = utils.create_loaded_server(request)
119
        self.profile = login = utils.create_login(request, server)
120

  
115 121
        idp_message = None
116 122
        status_codes = []
123

  
117 124
        # prevent null characters in SAMLResponse
118 125
        try:
119 126
            login.processAuthnResponseMsg(request.POST['SAMLResponse'])
......
244 251
            artifact = request.POST['SAMLart']
245 252
            relay_state = request.POST.get('RelayState')
246 253

  
247
        self.profile = login = utils.create_login(request)
254
        try:
255
            decoded_message = base64.b64decode(message)
256
        except:
257
            raise ValueError('artifact %r is not a base64 encoded value')
258

  
259
        fingerprint = binascii.hexlify(decoded_message[4:24])
260
        entity_id = get_entity_id_from_fingerprint(fingerprint)
261
        if entity_id:
262
            server = utils.create_server(request)
263
            server.addProviderFromBuffer(idp_metadata_load(entity_id))
264
        else:
265
            server = utils.create_loaded_server(request)
266
        self.profile = login = utils.create_login(request, server)
267

  
248 268
        if relay_state and utils.is_nonnull(relay_state):
249 269
            login.msgRelayState = relay_state
270

  
250 271
        try:
251 272
            login.initRequest(message, method)
252 273
        except lasso.ProfileInvalidArtifactError:
......
349 370
        idp = self.get_idp(request)
350 371
        if idp is None:
351 372
            return HttpResponseBadRequest('no idp found')
352
        self.profile = login = utils.create_login(request)
353
        self.log.debug('authenticating to %r', idp['ENTITY_ID'])
373
        entity_id = idp.get('ENTITY_ID') or federation_utils.idp_metadata_extract_entity_id(idp.get('METADATA'))
374
        self.log.debug('authenticating to %r', entity_id)
375

  
376
        server = utils.create_loaded_server(request)
377
        self.profile = login = utils.create_login(request, server)
378

  
354 379
        try:
355
            login.initAuthnRequest(idp['ENTITY_ID'], lasso.HTTP_METHOD_REDIRECT)
380
            login.initAuthnRequest(entity_id, lasso.HTTP_METHOD_REDIRECT)
356 381
            authn_request = login.request
357 382
            # configure NameID policy
358 383
            policy = authn_request.nameIdPolicy
......
409 434

  
410 435
    def idp_logout(self, request):
411 436
        '''Handle logout request emitted by the IdP'''
412
        self.profile = logout = utils.create_logout(request)
437
        server = utils.create_loaded_server(request)
438
        self.profile = logout = utils.create_logout(request, server)
413 439
        try:
414 440
            logout.processRequestMsg(request.META['QUERY_STRING'])
415 441
        except lasso.Error as e:
......
464 490

  
465 491
    def sp_logout_response(self, request):
466 492
        '''Launch a logout request to the identity provider'''
467
        self.profile = logout = utils.create_logout(request)
493
        server = utils.create_loaded_server(request)
494
        self.profile = login = utils.create_logout(request, server)
468 495
        # the user shouldn't be logged anymore at this point but it may happen
469 496
        # that a concurrent SSO happened in the meantime, so we do another
470 497
        # logout to make sure.
setup.py
94 94
          'django>=1.5,<2.0',
95 95
          'requests',
96 96
          'isodate',
97
          'pytz',
97 98
      ],
98 99
      setup_requires=[
99 100
          'django>=1.5,<2.0',
tests/conftest.py
42 42
    caplog.handler.stream = py.io.TextIO()
43 43
    caplog.handler.records = []
44 44
    return caplog
45

  
46

  
47
# XXX temporary workaround
48
#     non-federated IdPs shouldn't have their MD cached
49
@pytest.fixture(autouse=True)
50
def mellon_settings(settings, tmpdir):
51
        settings.MEDIA_ROOT = str(tmpdir)
tests/dummy_md.xml
1
<?xml version="1.0" encoding="UTF-8" standalone="no"?><md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:pyff="http://pyff.io/NS" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_20171018T113001Z" Name="https://federation.renater.fr/" cacheDuration="PT1H" validUntil="2017-10-27T11:30:01Z"><ds:Signature>
2
<ds:SignedInfo>
3
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
4
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
5
<ds:Reference URI="">
6
<ds:Transforms>
7
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
8
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
9
</ds:Transforms>
10
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
11
<ds:DigestValue>JKdLdd5yGvkFdb1fCAByMMnurIKYhZepRouZfOjIUrg=</ds:DigestValue>
12
</ds:Reference>
13
</ds:SignedInfo>
14
<ds:SignatureValue>
15
OTexfi8c63TsP1V9j5m6digA2NomUfqBtT8pPKhwdqEDQS5qLh6fxvT+wWkP6JaIhkP8nxwpbArl
16
7cUHkRv5ibZzcknIAjXYMhsSTtFQUq89OMcDHtZHG54jiKyHPhu2+XEbvv6DsAYanYC6SHEnGjNG
17
opnOEUB2XqeycsvvTQQIuWZEoABTVcKYyk2CW7Ij5EUmPOAPiidtbt8lzrtkV6dwLbkyoEbChAyj
18
emrL/oS01aJgT9sQoJxR8lyRMGiZ/BwQqYTareiKwOXLPdGThzsfZXD8de9T1xuysILaAM7sHPJV
19
QfrQJm80Zo2MM/GnhJTO9rc4m3kRnRhqmA6qMw==
20
</ds:SignatureValue>
21
<ds:KeyInfo>
22
<ds:KeyValue>
23
<ds:RSAKeyValue>
24
<ds:Modulus>
25
71+vTf66BPgYUF7sm4T++W69qMVyGQn9wNqpBLc6sp53eq/JRTOUD26Yehjsld5qN52Bv2r5QG7o
26
4VU123akXUYzupvq1f+tmF9NwYa7MPEPFzCzJHhNXjZNRxcsW1WLW34fhQCm0oak3oSPoNo5qeGi
27
jNsTSkgSt1mPH0P8d95af2VJnT6zbrclxvH4emqpT9oGLsWqKWLlIbZ7u1PUjuNVwLHuj909/apm
28
C13RBIpV52fey4qey34bnRHdCTknZeN/TJLTJ9hMWzz9TbdjfIFaiF7MeY+OYRXzUJeQuHHMu/2I
29
emkoR26mYi6irvmx8AdPcPCwcRKw2Ca4xLhbNw==
30
</ds:Modulus>
31
<ds:Exponent>AQAB</ds:Exponent>
32
</ds:RSAKeyValue>
33
</ds:KeyValue>
34
<ds:X509Data>
35
<ds:X509Certificate>
36
MIIC9zCCAd+gAwIBAgIEfe6j3jANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFTQU1MIE1ldGFk
37
YXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTYwNzI5MDczNjM4WhcNMjYwNjA3MDczNjM4WjAs
38
MSowKAYDVQQDEyFTQU1MIE1ldGFkYXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3
39
DQEBAQUAA4IBDwAwggEKAoIBAQDvX69N/roE+BhQXuybhP75br2oxXIZCf3A2qkEtzqynnd6r8lF
40
M5QPbph6GOyV3mo3nYG/avlAbujhVTXbdqRdRjO6m+rV/62YX03Bhrsw8Q8XMLMkeE1eNk1HFyxb
41
VYtbfh+FAKbShqTehI+g2jmp4aKM2xNKSBK3WY8fQ/x33lp/ZUmdPrNutyXG8fh6aqlP2gYuxaop
42
YuUhtnu7U9SO41XAse6P3T39qmYLXdEEilXnZ97Lip7LfhudEd0JOSdl439MktMn2ExbPP1Nt2N8
43
gVqIXsx5j45hFfNQl5C4ccy7/Yh6aShHbqZiLqKu+bHwB09w8LBxErDYJrjEuFs3AgMBAAGjITAf
44
MB0GA1UdDgQWBBTT88iZzWO+hN9SBUkpx871lmTuLTANBgkqhkiG9w0BAQsFAAOCAQEABoPpODry
45
XwiM5jjtqk6veR02FevCKHpZP6Od7Kqcfs6lg5LcQmGUOgpmW3Gg4UMjBYkgARsT2Nsnah1CJqa8
46
cjvv8p5KEIhY0hVS8iMJnrb3PDeiFSeP4xSfct/6z/ebV4+QFl22bsm2zpAC6BpFz8+IJ/jAmQzT
47
Vob4MAUeQPnwwzm3xz6yanLZx7BK5cfrTCa+hrarNQCboRjXPwiejF8WRCxpgRHH6yNs5QH/Z6o5
48
e3tUP7uEpn2Ob+kcLsEMGb9DghkoDAgkHCOZeTy+7hgxt+/T94cLTa58gVtvEOnd0GuL7Vfd+IVd
49
XgSard8RfR3OyZlf6M4aSGQA73sskQ==
50
</ds:X509Certificate>
51
</ds:X509Data>
52
</ds:KeyInfo>
53
</ds:Signature><md:EntityDescriptor entityID="https://aishib.agropolis.fr/idp/shibboleth">
54
			<md:Extensions>
55
				<mdrpi:RegistrationInfo registrationAuthority="https://federation.renater.fr/" registrationInstant="2013-06-06T11:49:20Z">
56
					<mdrpi:RegistrationPolicy xml:lang="en">https://services.renater.fr/federation/en/metadata_registration_practice_statement</mdrpi:RegistrationPolicy>
57
				</mdrpi:RegistrationInfo>
58
			</md:Extensions>
59
		<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
60
			<md:Extensions>
61
    				<shibmd:Scope regexp="false">agropolis.fr</shibmd:Scope>
62

  
63
			    <mdui:UIInfo>
64

  
65
			      <mdui:DisplayName xml:lang="en">Agropolis International</mdui:DisplayName>
66

  
67
			      <mdui:Logo height="16" width="16">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAACPUlEQVQoz21SPW8TQRR8u7d3ju34Er6UCHACRqK4Bjk0oDSEjiYSBQVS8k9AkWgp+AuUASGEaCASkoPcgARVMF8iTnxJwMFJfL47397u3u6jsGVFwLzmFTN6ozdDEBEAAOD4kiRJsVgkhMA/YMfZzc3NVstnzGq1/KXlJfgf2Ii9XquVZ2YWbi5Io4MsbfPeZK4wRm0AOH6KICIivq2tV6/O5cYLHztbW9FvYTKuZaLk7PjpW+UrJXtspCHGmGazCQBnZ8svtj/0tbAINYhcy1DyThpRhHtztyedwkBDAWBnZ6dSqbzZ+7THu0IraTJplDSZ0JnQ2Y+482jj1cgSRUTHdrhW9fa3SKaxErFKIyUiKaIsjVQaKf5s631HxP1+X2vNwjB0J9zd+OgnD044Ra4lI5ZBw7XqyeRQREciaqe9xoE/K/OFfIENnqBM1uZBqlWBOYxQjYZnqieTThru8zCU3AASIAjIXNellGLePkjCUPICy1mEDAShSg7SqCsTBtQ7WfY3vlarVUYpdUsuAs5PXV7dfpe3HEYtjSbNZJwJoRUi3rl4fSrvfufctm0ySA0RD0V84+WDL1EbCCDCYIDApeKZ+uKK6faDIPA8jw7jIORUbry2eH+5Mu8ARTSAkCPW3QvX6osrE+B8bjQ8zxu2aACDaIwxxuzzsLbbePj88a8k0Mb4vr/2ei3LMoOIiGRU0iGGVuDp6pNz5fNSiKnpac/zgAABMuzSXwIggIjdbrdUKjHGYGQaAAD+AJBJecXxnEvWAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ4OjE1KzAyOjAwpWiGMQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0ODoxNSswMjowMNQ1Po0AAAAASUVORK5CYII=</mdui:Logo>
68
			      <mdui:InformationURL xml:lang="fr">http://www.agropolis.fr</mdui:InformationURL>
69

  
70
          		      <mdui:DisplayName xml:lang="fr">Agropolis International</mdui:DisplayName>
71

  
72
      			    </mdui:UIInfo>
73
			</md:Extensions>
74
				<md:KeyDescriptor use="signing">
75
<ds:KeyInfo>
76

  
77
					  <ds:X509Data>
78
					    <ds:X509Certificate>
79
					      MIIDNzCCAh+gAwIBAgIUYY3sGXwChkj2CRy6QFDvkdj2zlAwDQYJKoZIhvcNAQEF
80
BQAwHjEcMBoGA1UEAxMTYWlzaGliLmFncm9wb2xpcy5mcjAeFw0xMzA1MTUxMzM3
81
MTJaFw0zMzA1MTUxMzM3MTJaMB4xHDAaBgNVBAMTE2Fpc2hpYi5hZ3JvcG9saXMu
82
ZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxrDy6lrhIBjcxv16n
83
4UJ2cEMYPO4wSmfDwhO6feoSIEuIblYRHE2nQKirMokwD6seF4rbDHyxLXg/ColL
84
VLv+0CJteIOZjSCgSN90WzQRrC1Ex5sJfPu6yPEXvW8H1906gEg6ok8rlCIHRGfE
85
15pHK5eqxQS5f2n8c2t/Uk33/FBj79/hb3Cd7vE4mdlvReD3AFswC0lV4bPmj3Ka
86
KUuMj9xwipwnfWCu6p2/ZJF4M3ADU5grXHJ2Vqmd8DWm5raaObKjYwJddbRBByI8
87
bJJLIwAQQmX4Dh4hf1QKlf2oqWPWVQxLQp0erL1U8IWmj1RG8TTH9xOJl6kkEhYq
88
Z2gfAgMBAAGjbTBrMEoGA1UdEQRDMEGCE2Fpc2hpYi5hZ3JvcG9saXMuZnKGKmh0
89
dHBzOi8vYWlzaGliLmFncm9wb2xpcy5mci9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4E
90
FgQU9A7iQ8Qo+t2JCpKuOOV9YBoYs4MwDQYJKoZIhvcNAQEFBQADggEBAG0LOW6I
91
F+M8n2NpzyQjfVCJCA6QhWjbXrfemiPJFZGZZb2dVmHof4yCpCUYgHOBoZaXPOlB
92
nLYsUWvFZ6V2GELZpLHzHSSrYidieW07qQkh1DwcIYpvtZgLviOtT/tCEGsk925f
93
DUoGdeIqpqt54WZcW9+TbKicvjg3JT4BFOQ17bFNwPW+YjTbvsWYxen+e0mRp4vM
94
V0yMu2f3bccVhePASSZGL3yod3sJ1dPvlrJO9c35BekhtirolVjZqMQ0AYPVifua
95
yIU0dWXsZkAOcBL9kZFbJcYRUIxMgvp8U2Zdv1+ZlwOyXnnWDOOh9wjuT7FAyObU
96
ChvjHlgZHkvLwJI=
97
					    </ds:X509Certificate>
98
					  </ds:X509Data>
99

  
100
					</ds:KeyInfo>
101
				</md:KeyDescriptor>
102

  
103

  
104

  
105

  
106

  
107
			<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
108
			<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
109

  
110

  
111
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://aishib.agropolis.fr/idp/profile/SAML2/POST/SSO"/>
112

  
113
	        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://aishib.agropolis.fr/idp/profile/SAML2/Redirect/SSO"/>
114

  
115

  
116
			<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://aishib.agropolis.fr/idp/profile/Shibboleth/SSO"/>
117

  
118

  
119
		</md:IDPSSODescriptor>
120

  
121

  
122

  
123
		<md:Organization>
124

  
125
			<md:OrganizationName xml:lang="en">Agropolis International</md:OrganizationName>
126
			<md:OrganizationDisplayName xml:lang="en">Agropolis International</md:OrganizationDisplayName>
127
			<md:OrganizationURL xml:lang="en">http://www.agropolis.fr</md:OrganizationURL>
128

  
129
		</md:Organization>
130

  
131

  
132

  
133
			    <md:ContactPerson contactType="technical">
134
				 <md:SurName>Jean Cerda</md:SurName>
135
				 <md:EmailAddress>cerda@agropolis.fr</md:EmailAddress>
136
		        </md:ContactPerson>
137

  
138

  
139

  
140
			    <md:ContactPerson contactType="technical">
141
				 <md:SurName>Jean-Pierre  Allano</md:SurName>
142
				 <md:EmailAddress>allano@agropolis.fr</md:EmailAddress>
143
		        </md:ContactPerson>
144

  
145

  
146

  
147

  
148
	</md:EntityDescriptor><md:EntityDescriptor entityID="https://ambre.vetagro-sup.fr/idp/shibboleth">
149
			<md:Extensions>
150
				<mdrpi:RegistrationInfo registrationAuthority="https://federation.renater.fr/" registrationInstant="2013-01-14T16:11:53Z">
151
					<mdrpi:RegistrationPolicy xml:lang="en">https://services.renater.fr/federation/en/metadata_registration_practice_statement</mdrpi:RegistrationPolicy>
152
				</mdrpi:RegistrationInfo>
153
			</md:Extensions>
154
		<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
155
			<md:Extensions>
156
    				<shibmd:Scope regexp="false">vetagro-sup.fr</shibmd:Scope>
157

  
158
			    <mdui:UIInfo>
159

  
160
			      <mdui:DisplayName xml:lang="en">Vetagro Sup</mdui:DisplayName>
161

  
162
			      <mdui:Logo height="16" width="16">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAB/klEQVQ4y2NkQAP///+X+/jxI/PO7dujP3/7kf7v778ffDzciw2MDFaqq6t/Y2RkfIysngndAEZGxkezZ8/25xEQqVDTs5eRVrNU4RQUL7x9+7YtumasBjAwMDBISIgbcvBKct998p7h1fvfDKyc4nz//jF6yjAwSBNlwM+fP3/9/PmT4dbl4wysrCwMf//9Z/r7959UcFISD1EGPH107xgfD9sbTg52hrcvHjDw87Aw/Pz+7tLEefNuEmWAm6ffxvu3Ll4zMjZleHz/KsO7lw+f3bh+czs2tVgNsLS0fPfs4b3VnKy//wrycW84e2L/uobmtg0MpIKurt6N////Z8jPzxcnWTMDAwPD79//tbq7+9bhU8OMTfD//8cMP79L1X/8tjxMQYHXT0Uh88aBgyuvEW3Aly+8ntw8jLU3bx20cnH/xPz2jTyvk9OGpTt3NhIOxP//GRgkJGR8tPVeyElIvWA4dfIqg57Bff0nD+eHExULIb5dqkYmYgYm5r8YPH3vMzx//omBk+edpI4+vxVRBnz5zPqbi4vt7a9fv//9+cvAYG79jIGZmZWBg4NJiCgDdh4sfHD/7u9j714Z/BYWiGBQVkxjePNK8+erV5+uYDOABTMM/nP09y9Z8+OHgNjli9ahf//++8vGwrlAS0tp/v///7kYGRm/IasHAIVTy8DG/VpJAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjUwOjA5KzAyOjAwfDtz7wAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo1MDowOSswMjowMA1my1MAAAAASUVORK5CYII=</mdui:Logo>
163
			      <mdui:InformationURL xml:lang="fr">http://www.vetagro-sup.fr</mdui:InformationURL>
164

  
165
          		      <mdui:DisplayName xml:lang="fr">Vetagro Sup</mdui:DisplayName>
166

  
167
      			    </mdui:UIInfo>
168
			</md:Extensions>
169
				<md:KeyDescriptor use="signing">
170
<ds:KeyInfo>
171

  
172
					  <ds:X509Data>
173
					    <ds:X509Certificate>
174
					      MIIDPDCCAiSgAwIBAgIVAL9PsuadPSIZcMHNxlK/oevezmzWMA0GCSqGSIb3DQEB
175
BQUAMB8xHTAbBgNVBAMTFGFtYnJlLnZldGFncm8tc3VwLmZyMB4XDTEyMTEwODEw
176
MTQwNFoXDTMyMTEwODEwMTQwNFowHzEdMBsGA1UEAxMUYW1icmUudmV0YWdyby1z
177
dXAuZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc/ptfpmkomwmT
178
4RsID+1Ce1dX0eUjcLgSOZN8hVpHWLag2ERWkpmvB5aK7BAFcI5i//Gk80tAiasu
179
JtlZhBnEw54aTJRGpyL2CVkHyl6SMRxprIi1Ji67IoGqEgUeGaheAxo+tG5e1WSc
180
bIbldcSKdwvjAV+7HSB4C6NqLsAzJH25++yaRH2uf2LTD0TDzNR9Q2hVj/VyYWR+
181
K3HWI1Snjn/i7aFfZZhYmBkwHuQOaPhwCM+khikg5XicMsxUhHCMi93UgHGIsdkr
182
IEGj4xydBTUKsLaykeuFS8EgXbWwCLGkeX76w8xDoFIpnppU/yFd9v7Zg3EBfn4p
183
kTW3GdIjAgMBAAGjbzBtMEwGA1UdEQRFMEOCFGFtYnJlLnZldGFncm8tc3VwLmZy
184
hitodHRwczovL2FtYnJlLnZldGFncm8tc3VwLmZyL2lkcC9zaGliYm9sZXRoMB0G
185
A1UdDgQWBBTPTqWkVHrHXFjmxMWkNt/sp2h5ozANBgkqhkiG9w0BAQUFAAOCAQEA
186
FvXMtfBUmRZCzz8CjanGzr1TBUPmnkrKci5AtkseKw9YlfUmBXTHB01y697nYq6m
187
RB6KhvfW212h9CF0IOEEjoadgDhXqGYhq8PnAOtT4Ty3XDy8SbRh8aQWfvnfSngv
188
FdpHRiSpj5UXXuT5zTtkf59h58XKtEfCkMbUzvdOgUobJzpD0WISmQHPQnx+Neg6
189
9j7oMRrDiZjS39Om8Imu9xvsnddDM3PlsDBIsvrr1o7K5iLkEdR1YYX0ZNDbiFuw
190
QXXl2dwQPB8KrScPUvCe57slU2gFQvvIBzjQysxC6V6TPSuM3A/ee56lACuB3jKj
191
oYkHQc5Gj/1rSMLmu9aLMg==
192
					    </ds:X509Certificate>
193
					  </ds:X509Data>
194

  
195
					</ds:KeyInfo>
196
				</md:KeyDescriptor>
197

  
198

  
199

  
200

  
201

  
202
			<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
203
			<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
204

  
205

  
206
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ambre.vetagro-sup.fr/idp/profile/SAML2/POST/SSO"/>
207

  
208
	        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ambre.vetagro-sup.fr/idp/profile/SAML2/Redirect/SSO"/>
209

  
210

  
211
			<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://ambre.vetagro-sup.fr/idp/profile/Shibboleth/SSO"/>
212

  
213

  
214
		</md:IDPSSODescriptor>
215

  
216

  
217

  
218
		<md:Organization>
219

  
220
			<md:OrganizationName xml:lang="en">Vetagro Sup</md:OrganizationName>
221
			<md:OrganizationDisplayName xml:lang="en">Vetagro Sup</md:OrganizationDisplayName>
222
			<md:OrganizationURL xml:lang="en">http://www.vetagro-sup.fr</md:OrganizationURL>
223

  
224
		</md:Organization>
225

  
226

  
227

  
228
			    <md:ContactPerson contactType="technical">
229
				 <md:SurName>Nicolas Aulas</md:SurName>
230
				 <md:EmailAddress>nicolas.aulas@vetagro-sup.fr</md:EmailAddress>
231
		        </md:ContactPerson>
232

  
233

  
234

  
235

  
236

  
237

  
238
	</md:EntityDescriptor><md:EntityDescriptor entityID="https://antimoine.insa-strasbourg.fr/idp/shibboleth">
239
			<md:Extensions>
240
				<mdrpi:RegistrationInfo registrationAuthority="https://federation.renater.fr/" registrationInstant="2014-02-11T08:44:08Z">
241
					<mdrpi:RegistrationPolicy xml:lang="en">https://services.renater.fr/federation/en/metadata_registration_practice_statement</mdrpi:RegistrationPolicy>
242
				</mdrpi:RegistrationInfo>
243
			</md:Extensions>
244
		<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
245
			<md:Extensions>
246
    				<shibmd:Scope regexp="false">insa-strasbourg.fr</shibmd:Scope>
247

  
248
			    <mdui:UIInfo>
249

  
250
			      <mdui:DisplayName xml:lang="en">INSA Strasbourg</mdui:DisplayName>
251

  
252
			      <mdui:Logo height="16" width="16">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAq1BMVEXeAACEhoTWz87nQTn3oqXnIBjvgnvWlpT/5+fnEAjvZWOltrXnNDH3mpT/9/fnCAD/4+fvioz3x8bnVVL3qq3nKCnvkpTnHBjvcXP3sq3vgoT/7+/nFBDnODH3mpz////nDAj3z87vlpTveXv3vr3nAACMmpznRUL3pqXnJCHnFAj/+//nDADvjoz3y87vXVr3rq3nLCnvdXP3srXvhoT/8/fvODH3npz3lpQaie6kAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAAe0lEQVQY053OwQqCQBhF4VM22VSMMWrFGP2kkIpUQ1nz/m8Ws20TeFeHb3WRnzEBBjO8xRjZrURi0TFiy+UITjTpjIKaOndZuDSGxF0j9G1+e7CuLN1nE2F7VI28tAoqMMezP1ieFOOp7RPueBXKSqdnMq8Wg66nPP0LX4uIG4jEwJ0sAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ5OjA0KzAyOjAwIHfmJQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0OTowNCswMjowMFEqXpkAAAAASUVORK5CYII=</mdui:Logo>
253
			      <mdui:InformationURL xml:lang="fr">http://www.insa-strasbourg.fr</mdui:InformationURL>
254

  
255
          		      <mdui:DisplayName xml:lang="fr">INSA Strasbourg</mdui:DisplayName>
256

  
257
      			    </mdui:UIInfo>
258
			</md:Extensions>
259
				<md:KeyDescriptor use="signing">
260
<ds:KeyInfo>
261

  
262
					  <ds:X509Data>
263
					    <ds:X509Certificate>
264
					      MIIDUDCCAjigAwIBAgIVAIbX8U0uAqAhuXm1jWxiFpggtDTDMA0GCSqGSIb3DQEB
265
CwUAMCQxIjAgBgNVBAMMGXNvdWZyZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcNMTYw
266
OTI3MTIzNjIxWhcNMzYwOTI3MTIzNjIxWjAkMSIwIAYDVQQDDBlzb3VmcmUuaW5z
267
YS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
268
sEE02sLRPAG5N81DMHEeGpI2MYF8yG/RiwH07cFIlLqgV80ewOmi0FWPYijxMb8A
269
bmx0RwUMvJBVI6WMxtT9fykhID20k8rWOuYOzvaynzVqCktqVgKoEAxP1PFE9b0n
270
iGKFprjjNl9ZD90GOUsxbAO7yXG9Q4WBa/eThl6XkUvNkSaZp5hcdWrgcAdsae3q
271
iD/uxFa38NXNNeRLGyfxjd2K5qYSzbwBza9s9TOq1+pfw7sxu3/4BnfQ0RLGO6co
272
4tH4Mufh0ome4cyYk4pvW5DOd1AznxDb8HpqvE0zwEsa69c/FDX0akgFZydmc77a
273
j6USn6JKjjbO49yGtG1gVQIDAQABo3kwdzAdBgNVHQ4EFgQUjzMsxZYiokPYxper
274
9zadM8J0F0kwVgYDVR0RBE8wTYIZc291ZnJlLmluc2Etc3RyYXNib3VyZy5mcoYw
275
aHR0cHM6Ly9zb3VmcmUuaW5zYS1zdHJhc2JvdXJnLmZyL2lkcC9zaGliYm9sZXRo
276
MA0GCSqGSIb3DQEBCwUAA4IBAQBFJKsiS3yfWuDB/E+iqQ0TuQJzL5+JIcloN0dw
277
BFxW3VZOju15zeQ7LwRBg9S4SGLMPJU+LM1lvr68cK9brut/FjF51SETIXEeCWo3
278
7+PIqgOCzraLNinmpU/OtN8ENalOPvpS6Jvbd23qB2t+IqOtZ+j15b0Yq4/on1E3
279
W2F9CVzKpe4EwmmtCPQbe7U1wvhgFylEx797pex8veWs79YSYwqvcKMh79dzl8Fo
280
/CgsO5pDrfKmc6SGMkByq75dZj+PqhZDzZ9EFTxbrXOTaS08VRN6a5Rh2iYRnGxq
281
yZl66tPcaIm5PHgOEmu5X4lPkUoY+Jt36Gj3SGCbYt8qH5S0
282
					    </ds:X509Certificate>
283
					  </ds:X509Data>
284

  
285
					</ds:KeyInfo>
286
				</md:KeyDescriptor>
287

  
288

  
289

  
290
				<md:KeyDescriptor use="signing">
291
				       <ds:KeyInfo>
292
					  <ds:X509Data>
293
					    <ds:X509Certificate>
294
					      MIIDXDCCAkSgAwIBAgIVAKI+qiqDCk9wTTqn7OVAoZrvj/CpMA0GCSqGSIb3DQEB
295
BQUAMCcxJTAjBgNVBAMTHGFudGltb2luZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcN
296
MTQwMTEzMTAzOTU4WhcNMzQwMTEzMTAzOTU4WjAnMSUwIwYDVQQDExxhbnRpbW9p
297
bmUuaW5zYS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
298
CgKCAQEAtuM8lRjlVjjmrHq9VtguaOMQL+Wd99BiOs56kL3Mbctg1FwH69LYThCW
299
6dOz6WJg/jU/naF7jEikXKc71xGyu7Ph7Iqa9S5hoXXAT8u/0q2nZDeTOraJqKe1
300
FMF2RzXhEEMyQO3CiKNK9b+tbKoNZS7FQCixMZklWZPt4EcEKd6jyRq1WYX3dpnb
301
r9I/aCdhtK/PGvGe5gKTDoTR2HKyWKJTc/obf8x/vlYIEwiaGgdlqI2KiBE0x48n
302
zQdP6XVi3T8ZWbnkLmCfgJtP2C8PtEJuwDRAy0Z9N4DSwvxn5YCVYgBLSi0TLa10
303
B/lUqqBezZrTrA9p9Lt8JtGXW5YGHwIDAQABo38wfTBcBgNVHREEVTBTghxhbnRp
304
bW9pbmUuaW5zYS1zdHJhc2JvdXJnLmZyhjNodHRwczovL2FudGltb2luZS5pbnNh
305
LXN0cmFzYm91cmcuZnIvaWRwL3NoaWJib2xldGgwHQYDVR0OBBYEFLFkjPZUc9JY
306
qrWjldJ/iGGkKAt4MA0GCSqGSIb3DQEBBQUAA4IBAQBSk/wU1mRn4VF2ifmy261K
307
DK7uX+t1H1hh8S38fKSFU7HoNXJTV3vQnmBOpYIGC1gtvmb+qjqpNtikU2zO84Gq
308
Q0bXHxYF2d9RUP89mKaFxE5uNcXFmlOA3ChZY3pMT5zwAPI/T60tGrex7zci7OLn
309
JDAQj/q4Yk9ejx6JTFggQSCCVh+oV/SDIMd2p5AY6H3mto3b6XCk7Lssa8a/D30k
310
pEkZnhTKdN82eRyynuOR7UDU4tasV4d7Mi/j53f5ihnRcsvwh/pYodjoVYY8cEcZ
311
JLnAXYF8coSwh8UN4D/0NHsvTuSOFQc85hGrqacMsvxiQiw9mv01AX5+A5YLEbVQ
312
					    </ds:X509Certificate>
313
					  </ds:X509Data>
314
					</ds:KeyInfo>
315
				</md:KeyDescriptor>
316

  
317

  
318

  
319
			   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/Redirect/SLO"/>
320

  
321
			   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/POST/SLO"/>
322

  
323
			   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/SOAP/SLO"/>
324

  
325

  
326
			<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
327
			<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
328

  
329

  
330
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/POST/SSO"/>
331

  
332
	        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/Redirect/SSO"/>
333

  
334

  
335
			<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://antimoine.insa-strasbourg.fr/idp/profile/Shibboleth/SSO"/>
336

  
337

  
338
		</md:IDPSSODescriptor>
339

  
340

  
341

  
342
		<md:Organization>
343

  
344
			<md:OrganizationName xml:lang="en">INSA Strasbourg</md:OrganizationName>
345
			<md:OrganizationDisplayName xml:lang="en">INSA Strasbourg</md:OrganizationDisplayName>
346
			<md:OrganizationURL xml:lang="en">http://www.insa-strasbourg.fr</md:OrganizationURL>
347

  
348
		</md:Organization>
349

  
350

  
351

  
352
			    <md:ContactPerson contactType="technical">
353
				 <md:SurName>Lahsen BOUZID</md:SurName>
354
				 <md:EmailAddress>lahsen.bouzid@insa-strasbourg.fr</md:EmailAddress>
355
		        </md:ContactPerson>
356

  
357

  
358

  
359
			    <md:ContactPerson contactType="technical">
360
				 <md:SurName>Simon SCHERRER</md:SurName>
361
				 <md:EmailAddress>simon.scherrer@insa-strasbourg.fr</md:EmailAddress>
362
		        </md:ContactPerson>
363

  
364

  
365

  
366

  
367
	</md:EntityDescriptor></md:EntitiesDescriptor>
tests/federation-sample.xml
1
<?xml version="1.0" encoding="UTF-8" standalone="no"?><md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:pyff="http://pyff.io/NS" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_20171018T113001Z" Name="https://federation.renater.fr/" cacheDuration="PT1H" validUntil="2017-10-27T11:30:01Z"><ds:Signature>
2
<ds:SignedInfo>
3
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
4
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
5
<ds:Reference URI="">
6
<ds:Transforms>
7
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
8
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
9
</ds:Transforms>
10
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
11
<ds:DigestValue>JKdLdd5yGvkFdb1fCAByMMnurIKYhZepRouZfOjIUrg=</ds:DigestValue>
12
</ds:Reference>
13
</ds:SignedInfo>
14
<ds:SignatureValue>
15
OTexfi8c63TsP1V9j5m6digA2NomUfqBtT8pPKhwdqEDQS5qLh6fxvT+wWkP6JaIhkP8nxwpbArl
16
7cUHkRv5ibZzcknIAjXYMhsSTtFQUq89OMcDHtZHG54jiKyHPhu2+XEbvv6DsAYanYC6SHEnGjNG
17
opnOEUB2XqeycsvvTQQIuWZEoABTVcKYyk2CW7Ij5EUmPOAPiidtbt8lzrtkV6dwLbkyoEbChAyj
18
emrL/oS01aJgT9sQoJxR8lyRMGiZ/BwQqYTareiKwOXLPdGThzsfZXD8de9T1xuysILaAM7sHPJV
19
QfrQJm80Zo2MM/GnhJTO9rc4m3kRnRhqmA6qMw==
20
</ds:SignatureValue>
21
<ds:KeyInfo>
22
<ds:KeyValue>
23
<ds:RSAKeyValue>
24
<ds:Modulus>
25
71+vTf66BPgYUF7sm4T++W69qMVyGQn9wNqpBLc6sp53eq/JRTOUD26Yehjsld5qN52Bv2r5QG7o
26
4VU123akXUYzupvq1f+tmF9NwYa7MPEPFzCzJHhNXjZNRxcsW1WLW34fhQCm0oak3oSPoNo5qeGi
27
jNsTSkgSt1mPH0P8d95af2VJnT6zbrclxvH4emqpT9oGLsWqKWLlIbZ7u1PUjuNVwLHuj909/apm
28
C13RBIpV52fey4qey34bnRHdCTknZeN/TJLTJ9hMWzz9TbdjfIFaiF7MeY+OYRXzUJeQuHHMu/2I
29
emkoR26mYi6irvmx8AdPcPCwcRKw2Ca4xLhbNw==
30
</ds:Modulus>
31
<ds:Exponent>AQAB</ds:Exponent>
32
</ds:RSAKeyValue>
33
</ds:KeyValue>
34
<ds:X509Data>
35
<ds:X509Certificate>
36
MIIC9zCCAd+gAwIBAgIEfe6j3jANBgkqhkiG9w0BAQsFADAsMSowKAYDVQQDEyFTQU1MIE1ldGFk
37
YXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTYwNzI5MDczNjM4WhcNMjYwNjA3MDczNjM4WjAs
38
MSowKAYDVQQDEyFTQU1MIE1ldGFkYXRhIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3
39
DQEBAQUAA4IBDwAwggEKAoIBAQDvX69N/roE+BhQXuybhP75br2oxXIZCf3A2qkEtzqynnd6r8lF
40
M5QPbph6GOyV3mo3nYG/avlAbujhVTXbdqRdRjO6m+rV/62YX03Bhrsw8Q8XMLMkeE1eNk1HFyxb
41
VYtbfh+FAKbShqTehI+g2jmp4aKM2xNKSBK3WY8fQ/x33lp/ZUmdPrNutyXG8fh6aqlP2gYuxaop
42
YuUhtnu7U9SO41XAse6P3T39qmYLXdEEilXnZ97Lip7LfhudEd0JOSdl439MktMn2ExbPP1Nt2N8
43
gVqIXsx5j45hFfNQl5C4ccy7/Yh6aShHbqZiLqKu+bHwB09w8LBxErDYJrjEuFs3AgMBAAGjITAf
44
MB0GA1UdDgQWBBTT88iZzWO+hN9SBUkpx871lmTuLTANBgkqhkiG9w0BAQsFAAOCAQEABoPpODry
45
XwiM5jjtqk6veR02FevCKHpZP6Od7Kqcfs6lg5LcQmGUOgpmW3Gg4UMjBYkgARsT2Nsnah1CJqa8
46
cjvv8p5KEIhY0hVS8iMJnrb3PDeiFSeP4xSfct/6z/ebV4+QFl22bsm2zpAC6BpFz8+IJ/jAmQzT
47
Vob4MAUeQPnwwzm3xz6yanLZx7BK5cfrTCa+hrarNQCboRjXPwiejF8WRCxpgRHH6yNs5QH/Z6o5
48
e3tUP7uEpn2Ob+kcLsEMGb9DghkoDAgkHCOZeTy+7hgxt+/T94cLTa58gVtvEOnd0GuL7Vfd+IVd
49
XgSard8RfR3OyZlf6M4aSGQA73sskQ==
50
</ds:X509Certificate>
51
</ds:X509Data>
52
</ds:KeyInfo>
53
</ds:Signature><md:EntityDescriptor entityID="https://access-check.edugain.org/simplesaml/saml2/idp/metadata.php">
54
			<md:Extensions>
55
				<mdrpi:RegistrationInfo registrationAuthority="https://federation.renater.fr/" registrationInstant="2015-01-30T15:32:58Z">
56
					<mdrpi:RegistrationPolicy xml:lang="en">https://services.renater.fr/federation/en/metadata_registration_practice_statement</mdrpi:RegistrationPolicy>
57
				</mdrpi:RegistrationInfo>
58
			</md:Extensions>
59
		<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
60
			<md:Extensions>
61
    				<shibmd:Scope regexp="false">access-check.edugain.org</shibmd:Scope>
62

  
63
			    <mdui:UIInfo>
64

  
65
			      <mdui:DisplayName xml:lang="en">eduGAIN Access Check</mdui:DisplayName>
66

  
67
			      <mdui:Logo height="16" width="16">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAABbUlEQVQoz52RPW4UQRCFv6ru6fnZNSxCJuVKpFwAicR3IUI+AakvhQhI7JU8M/1T3QQzsg1sAhWV3qtPVaonfPrCX9W+fpTP3y7otzceGJKJxCiujpVUkCv0+m3K967hixUfWgWSHwAPxG6UqtIFbEFHGoCqR721BX+wirO8LVGg+a6amEXXjqxhM5ZxNFPvX1Odocn5ZwB7HCn4hWI42wxD6KWUBVfIZxXd9J2zNhHFmro2Gx3QPKSReGCiV40ESM/A1NcxTDnn7HvLFViXBRZ6MKJnmwaktca/lFzO4fZG7n5e0D9cK4DjFI69yrGbwvhqP7KWp7kR99QrQAn3cW5N5/SQ1rivDgdUCUegFfkDkKF26TG7FijzZoS0sM7kM7D6gncvgG5d7cEdu6wN+v3R/cRwQgaAdnA2vACQvn9Tk6NNqjtwjis1Iyp4JOpafwvu3ZAYa3TV2fBjBnjfe8uLKErOZLk6fU//lcMvhuSrh7MzMwcAAAAldEVYdGRhdGU6Y3JlYXRlADIwMTUtMDctMjBUMTA6NTA6MTErMDI6MDCDfj0WAAAAJXRFWHRkYXRlOm1vZGlmeQAyMDE1LTA3LTIwVDEwOjUwOjExKzAyOjAw8iOFqgAAAABJRU5ErkJggg==</mdui:Logo>
68
			      <mdui:InformationURL xml:lang="fr">http://www.renater.fr</mdui:InformationURL>
69
			      <mdui:Description xml:lang="en">eduGAIN Access Check allows administrators of a Service Provider (SP) registered in eduGAIN to create test accounts with different profiles to validate the behaviour and test federated login. The test accounts can only be used to access own services.</mdui:Description>
70
          		      <mdui:DisplayName xml:lang="fr">eduGAIN Access Check</mdui:DisplayName>
71
          		      <mdui:Description xml:lang="fr">eduGAIN Access Check allows administrators of a Service Provider (SP) registered in eduGAIN to create test accounts with different profiles to validate the behaviour and test federated login. The test accounts can only be used to access own services.</mdui:Description>
72
      			    </mdui:UIInfo>
73
			</md:Extensions>
74
				<md:KeyDescriptor use="signing">
75
<ds:KeyInfo>
76

  
77
					  <ds:X509Data>
78
					    <ds:X509Certificate>
79
					      MIID2zCCAsOgAwIBAgIJAJpdV2MFitUqMA0GCSqGSIb3DQEBBQUAMIGDMQswCQYD
80
VQQGEwJGUjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MQ4wDAYDVQQKDAVHRUFOVDEd
81
MBsGA1UEAwwUdGVzdC1pZHAuZWR1Z2Fpbi5vcmcxLjAsBgkqhkiG9w0BCQEWH3Rl
82
c3RpZHBhY2NvdW50bWFuYWdlckBnZWFudC5uZXQwHhcNMTQxMjE4MTAxODU5WhcN
83
MjQxMjE3MTAxODU5WjCBgzELMAkGA1UEBhMCRlIxFTATBgNVBAcMDERlZmF1bHQg
84
Q2l0eTEOMAwGA1UECgwFR0VBTlQxHTAbBgNVBAMMFHRlc3QtaWRwLmVkdWdhaW4u
85
b3JnMS4wLAYJKoZIhvcNAQkBFh90ZXN0aWRwYWNjb3VudG1hbmFnZXJAZ2VhbnQu
86
bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo48FFP0P/81e3WHb
87
U91F/TYDZC/JypEqO2XQNH50baXpk2JrJFVFOWdgdK6qWHsLznuxngRsfOasAaVA
88
Ob1Bf3g2xgPUd2htSLxds+o/Y24DOM6ZairxbWJk2rOvLhJFchlrcNWCpMtUCkfJ
89
xmqGmeo93XAud5byj3wQ1NuH2o8rjTPAkMgQdr8D2b8EG1NYEH00AqRlXZTFCWGL
90
KDEuZwyta6vgMQYT4K6UF/F+HWF2wzbmVgRTHguJ0rzNqz6t+9CtLkhyZO+/57Ro
91
4U0ikshVWkUOENPKCnB1t+ebs/AsNozbIGA/HcdtwUwDgIowv/K0hdnLDC1vz6/S
92
F3rnGQIDAQABo1AwTjAdBgNVHQ4EFgQUgWN9jmJxOEHYU5m8D0atl895HxowHwYD
93
VR0jBBgwFoAUgWN9jmJxOEHYU5m8D0atl895HxowDAYDVR0TBAUwAwEB/zANBgkq
94
hkiG9w0BAQUFAAOCAQEAXvlBHMaBK6m0PQNanTqGBRdRAFt8Xkr5texD5mPTmS/7
95
nqnxlN0orqYWGCaARmQE+T77EB2a2n9g2s130pUXwJxcbUwIOdPKH6CMKEHT/512
96
bndJXQ3DyhkuVSLtRFOdfleIhi8qUkNC9FWxM4jDHDTTQtNEHnCjFxlhxw+ri5QJ
97
AVKpH9MkcuIkM6Jx+QhNwTDwCRIJffoDOH420yR5EWx/sQ4tjKQGiFOPv/WHFjXd
98
LqHU+X8ErzxeNmUHHST6pHePWRCMtoPTdCPhEroJhou6NMHh8ylQOIVHt6gggc7r
99
kUWMUybDUxPp49qMeNkdKqFPby2aW7ouKRoOXuxZhg==
100
					    </ds:X509Certificate>
101
					  </ds:X509Data>
102

  
103
					</ds:KeyInfo>
104
				</md:KeyDescriptor>
105

  
106

  
107

  
108

  
109

  
110

  
111
			<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
112

  
113

  
114

  
115
	        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://access-check.edugain.org/simplesaml/saml2/idp/SSOService.php"/>
116

  
117

  
118

  
119
		</md:IDPSSODescriptor>
120

  
121

  
122

  
123
		<md:Organization>
124

  
125
			<md:OrganizationName xml:lang="en">eduGAIN Access Check</md:OrganizationName>
126
			<md:OrganizationDisplayName xml:lang="en">eduGAIN Access Check</md:OrganizationDisplayName>
127
			<md:OrganizationURL xml:lang="en">http://www.renater.fr</md:OrganizationURL>
128

  
129
		</md:Organization>
130

  
131

  
132
			    <md:ContactPerson contactType="technical">
133
			     <md:EmailAddress>edugain-integration@geant.net</md:EmailAddress>
134
		        </md:ContactPerson>
135

  
136

  
137
	</md:EntityDescriptor><md:EntityDescriptor entityID="https://aishib.agropolis.fr/idp/shibboleth">
138
			<md:Extensions>
139
				<mdrpi:RegistrationInfo registrationAuthority="https://federation.renater.fr/" registrationInstant="2013-06-06T11:49:20Z">
140
					<mdrpi:RegistrationPolicy xml:lang="en">https://services.renater.fr/federation/en/metadata_registration_practice_statement</mdrpi:RegistrationPolicy>
141
				</mdrpi:RegistrationInfo>
142
			</md:Extensions>
143
		<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
144
			<md:Extensions>
145
    				<shibmd:Scope regexp="false">agropolis.fr</shibmd:Scope>
146

  
147
			    <mdui:UIInfo>
148

  
149
			      <mdui:DisplayName xml:lang="en">Agropolis International</mdui:DisplayName>
150

  
151
			      <mdui:Logo height="16" width="16">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAACPUlEQVQoz21SPW8TQRR8u7d3ju34Er6UCHACRqK4Bjk0oDSEjiYSBQVS8k9AkWgp+AuUASGEaCASkoPcgARVMF8iTnxJwMFJfL47397u3u6jsGVFwLzmFTN6ozdDEBEAAOD4kiRJsVgkhMA/YMfZzc3NVstnzGq1/KXlJfgf2Ii9XquVZ2YWbi5Io4MsbfPeZK4wRm0AOH6KICIivq2tV6/O5cYLHztbW9FvYTKuZaLk7PjpW+UrJXtspCHGmGazCQBnZ8svtj/0tbAINYhcy1DyThpRhHtztyedwkBDAWBnZ6dSqbzZ+7THu0IraTJplDSZ0JnQ2Y+482jj1cgSRUTHdrhW9fa3SKaxErFKIyUiKaIsjVQaKf5s631HxP1+X2vNwjB0J9zd+OgnD044Ra4lI5ZBw7XqyeRQREciaqe9xoE/K/OFfIENnqBM1uZBqlWBOYxQjYZnqieTThru8zCU3AASIAjIXNellGLePkjCUPICy1mEDAShSg7SqCsTBtQ7WfY3vlarVUYpdUsuAs5PXV7dfpe3HEYtjSbNZJwJoRUi3rl4fSrvfufctm0ySA0RD0V84+WDL1EbCCDCYIDApeKZ+uKK6faDIPA8jw7jIORUbry2eH+5Mu8ARTSAkCPW3QvX6osrE+B8bjQ8zxu2aACDaIwxxuzzsLbbePj88a8k0Mb4vr/2ei3LMoOIiGRU0iGGVuDp6pNz5fNSiKnpac/zgAABMuzSXwIggIjdbrdUKjHGYGQaAAD+AJBJecXxnEvWAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ4OjE1KzAyOjAwpWiGMQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0ODoxNSswMjowMNQ1Po0AAAAASUVORK5CYII=</mdui:Logo>
152
			      <mdui:InformationURL xml:lang="fr">http://www.agropolis.fr</mdui:InformationURL>
153

  
154
          		      <mdui:DisplayName xml:lang="fr">Agropolis International</mdui:DisplayName>
155

  
156
      			    </mdui:UIInfo>
157
			</md:Extensions>
158
				<md:KeyDescriptor use="signing">
159
<ds:KeyInfo>
160

  
161
					  <ds:X509Data>
162
					    <ds:X509Certificate>
163
					      MIIDNzCCAh+gAwIBAgIUYY3sGXwChkj2CRy6QFDvkdj2zlAwDQYJKoZIhvcNAQEF
164
BQAwHjEcMBoGA1UEAxMTYWlzaGliLmFncm9wb2xpcy5mcjAeFw0xMzA1MTUxMzM3
165
MTJaFw0zMzA1MTUxMzM3MTJaMB4xHDAaBgNVBAMTE2Fpc2hpYi5hZ3JvcG9saXMu
166
ZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxrDy6lrhIBjcxv16n
167
4UJ2cEMYPO4wSmfDwhO6feoSIEuIblYRHE2nQKirMokwD6seF4rbDHyxLXg/ColL
168
VLv+0CJteIOZjSCgSN90WzQRrC1Ex5sJfPu6yPEXvW8H1906gEg6ok8rlCIHRGfE
169
15pHK5eqxQS5f2n8c2t/Uk33/FBj79/hb3Cd7vE4mdlvReD3AFswC0lV4bPmj3Ka
170
KUuMj9xwipwnfWCu6p2/ZJF4M3ADU5grXHJ2Vqmd8DWm5raaObKjYwJddbRBByI8
171
bJJLIwAQQmX4Dh4hf1QKlf2oqWPWVQxLQp0erL1U8IWmj1RG8TTH9xOJl6kkEhYq
172
Z2gfAgMBAAGjbTBrMEoGA1UdEQRDMEGCE2Fpc2hpYi5hZ3JvcG9saXMuZnKGKmh0
173
dHBzOi8vYWlzaGliLmFncm9wb2xpcy5mci9pZHAvc2hpYmJvbGV0aDAdBgNVHQ4E
174
FgQU9A7iQ8Qo+t2JCpKuOOV9YBoYs4MwDQYJKoZIhvcNAQEFBQADggEBAG0LOW6I
175
F+M8n2NpzyQjfVCJCA6QhWjbXrfemiPJFZGZZb2dVmHof4yCpCUYgHOBoZaXPOlB
176
nLYsUWvFZ6V2GELZpLHzHSSrYidieW07qQkh1DwcIYpvtZgLviOtT/tCEGsk925f
177
DUoGdeIqpqt54WZcW9+TbKicvjg3JT4BFOQ17bFNwPW+YjTbvsWYxen+e0mRp4vM
178
V0yMu2f3bccVhePASSZGL3yod3sJ1dPvlrJO9c35BekhtirolVjZqMQ0AYPVifua
179
yIU0dWXsZkAOcBL9kZFbJcYRUIxMgvp8U2Zdv1+ZlwOyXnnWDOOh9wjuT7FAyObU
180
ChvjHlgZHkvLwJI=
181
					    </ds:X509Certificate>
182
					  </ds:X509Data>
183

  
184
					</ds:KeyInfo>
185
				</md:KeyDescriptor>
186

  
187

  
188

  
189

  
190

  
191
			<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
192
			<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
193

  
194

  
195
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://aishib.agropolis.fr/idp/profile/SAML2/POST/SSO"/>
196

  
197
	        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://aishib.agropolis.fr/idp/profile/SAML2/Redirect/SSO"/>
198

  
199

  
200
			<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://aishib.agropolis.fr/idp/profile/Shibboleth/SSO"/>
201

  
202

  
203
		</md:IDPSSODescriptor>
204

  
205

  
206

  
207
		<md:Organization>
208

  
209
			<md:OrganizationName xml:lang="en">Agropolis International</md:OrganizationName>
210
			<md:OrganizationDisplayName xml:lang="en">Agropolis International</md:OrganizationDisplayName>
211
			<md:OrganizationURL xml:lang="en">http://www.agropolis.fr</md:OrganizationURL>
212

  
213
		</md:Organization>
214

  
215

  
216

  
217
			    <md:ContactPerson contactType="technical">
218
				 <md:SurName>Jean Cerda</md:SurName>
219
				 <md:EmailAddress>cerda@agropolis.fr</md:EmailAddress>
220
		        </md:ContactPerson>
221

  
222

  
223

  
224
			    <md:ContactPerson contactType="technical">
225
				 <md:SurName>Jean-Pierre  Allano</md:SurName>
226
				 <md:EmailAddress>allano@agropolis.fr</md:EmailAddress>
227
		        </md:ContactPerson>
228

  
229

  
230

  
231

  
232
	</md:EntityDescriptor><md:EntityDescriptor entityID="https://ambre.vetagro-sup.fr/idp/shibboleth">
233
			<md:Extensions>
234
				<mdrpi:RegistrationInfo registrationAuthority="https://federation.renater.fr/" registrationInstant="2013-01-14T16:11:53Z">
235
					<mdrpi:RegistrationPolicy xml:lang="en">https://services.renater.fr/federation/en/metadata_registration_practice_statement</mdrpi:RegistrationPolicy>
236
				</mdrpi:RegistrationInfo>
237
			</md:Extensions>
238
		<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
239
			<md:Extensions>
240
    				<shibmd:Scope regexp="false">vetagro-sup.fr</shibmd:Scope>
241

  
242
			    <mdui:UIInfo>
243

  
244
			      <mdui:DisplayName xml:lang="en">Vetagro Sup</mdui:DisplayName>
245

  
246
			      <mdui:Logo height="16" width="16">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAB/klEQVQ4y2NkQAP///+X+/jxI/PO7dujP3/7kf7v778ffDzciw2MDFaqq6t/Y2RkfIysngndAEZGxkezZ8/25xEQqVDTs5eRVrNU4RQUL7x9+7YtumasBjAwMDBISIgbcvBKct998p7h1fvfDKyc4nz//jF6yjAwSBNlwM+fP3/9/PmT4dbl4wysrCwMf//9Z/r7959UcFISD1EGPH107xgfD9sbTg52hrcvHjDw87Aw/Pz+7tLEefNuEmWAm6ffxvu3Ll4zMjZleHz/KsO7lw+f3bh+czs2tVgNsLS0fPfs4b3VnKy//wrycW84e2L/uobmtg0MpIKurt6N////Z8jPzxcnWTMDAwPD79//tbq7+9bhU8OMTfD//8cMP79L1X/8tjxMQYHXT0Uh88aBgyuvEW3Aly+8ntw8jLU3bx20cnH/xPz2jTyvk9OGpTt3NhIOxP//GRgkJGR8tPVeyElIvWA4dfIqg57Bff0nD+eHExULIb5dqkYmYgYm5r8YPH3vMzx//omBk+edpI4+vxVRBnz5zPqbi4vt7a9fv//9+cvAYG79jIGZmZWBg4NJiCgDdh4sfHD/7u9j714Z/BYWiGBQVkxjePNK8+erV5+uYDOABTMM/nP09y9Z8+OHgNjli9ahf//++8vGwrlAS0tp/v///7kYGRm/IasHAIVTy8DG/VpJAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjUwOjA5KzAyOjAwfDtz7wAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo1MDowOSswMjowMA1my1MAAAAASUVORK5CYII=</mdui:Logo>
247
			      <mdui:InformationURL xml:lang="fr">http://www.vetagro-sup.fr</mdui:InformationURL>
248

  
249
          		      <mdui:DisplayName xml:lang="fr">Vetagro Sup</mdui:DisplayName>
250

  
251
      			    </mdui:UIInfo>
252
			</md:Extensions>
253
				<md:KeyDescriptor use="signing">
254
<ds:KeyInfo>
255

  
256
					  <ds:X509Data>
257
					    <ds:X509Certificate>
258
					      MIIDPDCCAiSgAwIBAgIVAL9PsuadPSIZcMHNxlK/oevezmzWMA0GCSqGSIb3DQEB
259
BQUAMB8xHTAbBgNVBAMTFGFtYnJlLnZldGFncm8tc3VwLmZyMB4XDTEyMTEwODEw
260
MTQwNFoXDTMyMTEwODEwMTQwNFowHzEdMBsGA1UEAxMUYW1icmUudmV0YWdyby1z
261
dXAuZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc/ptfpmkomwmT
262
4RsID+1Ce1dX0eUjcLgSOZN8hVpHWLag2ERWkpmvB5aK7BAFcI5i//Gk80tAiasu
263
JtlZhBnEw54aTJRGpyL2CVkHyl6SMRxprIi1Ji67IoGqEgUeGaheAxo+tG5e1WSc
264
bIbldcSKdwvjAV+7HSB4C6NqLsAzJH25++yaRH2uf2LTD0TDzNR9Q2hVj/VyYWR+
265
K3HWI1Snjn/i7aFfZZhYmBkwHuQOaPhwCM+khikg5XicMsxUhHCMi93UgHGIsdkr
266
IEGj4xydBTUKsLaykeuFS8EgXbWwCLGkeX76w8xDoFIpnppU/yFd9v7Zg3EBfn4p
267
kTW3GdIjAgMBAAGjbzBtMEwGA1UdEQRFMEOCFGFtYnJlLnZldGFncm8tc3VwLmZy
268
hitodHRwczovL2FtYnJlLnZldGFncm8tc3VwLmZyL2lkcC9zaGliYm9sZXRoMB0G
269
A1UdDgQWBBTPTqWkVHrHXFjmxMWkNt/sp2h5ozANBgkqhkiG9w0BAQUFAAOCAQEA
270
FvXMtfBUmRZCzz8CjanGzr1TBUPmnkrKci5AtkseKw9YlfUmBXTHB01y697nYq6m
271
RB6KhvfW212h9CF0IOEEjoadgDhXqGYhq8PnAOtT4Ty3XDy8SbRh8aQWfvnfSngv
272
FdpHRiSpj5UXXuT5zTtkf59h58XKtEfCkMbUzvdOgUobJzpD0WISmQHPQnx+Neg6
273
9j7oMRrDiZjS39Om8Imu9xvsnddDM3PlsDBIsvrr1o7K5iLkEdR1YYX0ZNDbiFuw
274
QXXl2dwQPB8KrScPUvCe57slU2gFQvvIBzjQysxC6V6TPSuM3A/ee56lACuB3jKj
275
oYkHQc5Gj/1rSMLmu9aLMg==
276
					    </ds:X509Certificate>
277
					  </ds:X509Data>
278

  
279
					</ds:KeyInfo>
280
				</md:KeyDescriptor>
281

  
282

  
283

  
284

  
285

  
286
			<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
287
			<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
288

  
289

  
290
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ambre.vetagro-sup.fr/idp/profile/SAML2/POST/SSO"/>
291

  
292
	        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ambre.vetagro-sup.fr/idp/profile/SAML2/Redirect/SSO"/>
293

  
294

  
295
			<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://ambre.vetagro-sup.fr/idp/profile/Shibboleth/SSO"/>
296

  
297

  
298
		</md:IDPSSODescriptor>
299

  
300

  
301

  
302
		<md:Organization>
303

  
304
			<md:OrganizationName xml:lang="en">Vetagro Sup</md:OrganizationName>
305
			<md:OrganizationDisplayName xml:lang="en">Vetagro Sup</md:OrganizationDisplayName>
306
			<md:OrganizationURL xml:lang="en">http://www.vetagro-sup.fr</md:OrganizationURL>
307

  
308
		</md:Organization>
309

  
310

  
311

  
312
			    <md:ContactPerson contactType="technical">
313
				 <md:SurName>Nicolas Aulas</md:SurName>
314
				 <md:EmailAddress>nicolas.aulas@vetagro-sup.fr</md:EmailAddress>
315
		        </md:ContactPerson>
316

  
317

  
318

  
319

  
320

  
321

  
322
	</md:EntityDescriptor><md:EntityDescriptor entityID="https://antimoine.insa-strasbourg.fr/idp/shibboleth">
323
			<md:Extensions>
324
				<mdrpi:RegistrationInfo registrationAuthority="https://federation.renater.fr/" registrationInstant="2014-02-11T08:44:08Z">
325
					<mdrpi:RegistrationPolicy xml:lang="en">https://services.renater.fr/federation/en/metadata_registration_practice_statement</mdrpi:RegistrationPolicy>
326
				</mdrpi:RegistrationInfo>
327
			</md:Extensions>
328
		<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
329
			<md:Extensions>
330
    				<shibmd:Scope regexp="false">insa-strasbourg.fr</shibmd:Scope>
331

  
332
			    <mdui:UIInfo>
333

  
334
			      <mdui:DisplayName xml:lang="en">INSA Strasbourg</mdui:DisplayName>
335

  
336
			      <mdui:Logo height="16" width="16">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAq1BMVEXeAACEhoTWz87nQTn3oqXnIBjvgnvWlpT/5+fnEAjvZWOltrXnNDH3mpT/9/fnCAD/4+fvioz3x8bnVVL3qq3nKCnvkpTnHBjvcXP3sq3vgoT/7+/nFBDnODH3mpz////nDAj3z87vlpTveXv3vr3nAACMmpznRUL3pqXnJCHnFAj/+//nDADvjoz3y87vXVr3rq3nLCnvdXP3srXvhoT/8/fvODH3npz3lpQaie6kAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAAAQAAAAEABcxq3DAAAAe0lEQVQY053OwQqCQBhF4VM22VSMMWrFGP2kkIpUQ1nz/m8Ws20TeFeHb3WRnzEBBjO8xRjZrURi0TFiy+UITjTpjIKaOndZuDSGxF0j9G1+e7CuLN1nE2F7VI28tAoqMMezP1ieFOOp7RPueBXKSqdnMq8Wg66nPP0LX4uIG4jEwJ0sAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE1LTA3LTIwVDEwOjQ5OjA0KzAyOjAwIHfmJQAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxNS0wNy0yMFQxMDo0OTowNCswMjowMFEqXpkAAAAASUVORK5CYII=</mdui:Logo>
337
			      <mdui:InformationURL xml:lang="fr">http://www.insa-strasbourg.fr</mdui:InformationURL>
338

  
339
          		      <mdui:DisplayName xml:lang="fr">INSA Strasbourg</mdui:DisplayName>
340

  
341
      			    </mdui:UIInfo>
342
			</md:Extensions>
343
				<md:KeyDescriptor use="signing">
344
<ds:KeyInfo>
345

  
346
					  <ds:X509Data>
347
					    <ds:X509Certificate>
348
					      MIIDUDCCAjigAwIBAgIVAIbX8U0uAqAhuXm1jWxiFpggtDTDMA0GCSqGSIb3DQEB
349
CwUAMCQxIjAgBgNVBAMMGXNvdWZyZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcNMTYw
350
OTI3MTIzNjIxWhcNMzYwOTI3MTIzNjIxWjAkMSIwIAYDVQQDDBlzb3VmcmUuaW5z
351
YS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
352
sEE02sLRPAG5N81DMHEeGpI2MYF8yG/RiwH07cFIlLqgV80ewOmi0FWPYijxMb8A
353
bmx0RwUMvJBVI6WMxtT9fykhID20k8rWOuYOzvaynzVqCktqVgKoEAxP1PFE9b0n
354
iGKFprjjNl9ZD90GOUsxbAO7yXG9Q4WBa/eThl6XkUvNkSaZp5hcdWrgcAdsae3q
355
iD/uxFa38NXNNeRLGyfxjd2K5qYSzbwBza9s9TOq1+pfw7sxu3/4BnfQ0RLGO6co
356
4tH4Mufh0ome4cyYk4pvW5DOd1AznxDb8HpqvE0zwEsa69c/FDX0akgFZydmc77a
357
j6USn6JKjjbO49yGtG1gVQIDAQABo3kwdzAdBgNVHQ4EFgQUjzMsxZYiokPYxper
358
9zadM8J0F0kwVgYDVR0RBE8wTYIZc291ZnJlLmluc2Etc3RyYXNib3VyZy5mcoYw
359
aHR0cHM6Ly9zb3VmcmUuaW5zYS1zdHJhc2JvdXJnLmZyL2lkcC9zaGliYm9sZXRo
360
MA0GCSqGSIb3DQEBCwUAA4IBAQBFJKsiS3yfWuDB/E+iqQ0TuQJzL5+JIcloN0dw
361
BFxW3VZOju15zeQ7LwRBg9S4SGLMPJU+LM1lvr68cK9brut/FjF51SETIXEeCWo3
362
7+PIqgOCzraLNinmpU/OtN8ENalOPvpS6Jvbd23qB2t+IqOtZ+j15b0Yq4/on1E3
363
W2F9CVzKpe4EwmmtCPQbe7U1wvhgFylEx797pex8veWs79YSYwqvcKMh79dzl8Fo
364
/CgsO5pDrfKmc6SGMkByq75dZj+PqhZDzZ9EFTxbrXOTaS08VRN6a5Rh2iYRnGxq
365
yZl66tPcaIm5PHgOEmu5X4lPkUoY+Jt36Gj3SGCbYt8qH5S0
366
					    </ds:X509Certificate>
367
					  </ds:X509Data>
368

  
369
					</ds:KeyInfo>
370
				</md:KeyDescriptor>
371

  
372

  
373

  
374
				<md:KeyDescriptor use="signing">
375
				       <ds:KeyInfo>
376
					  <ds:X509Data>
377
					    <ds:X509Certificate>
378
					      MIIDXDCCAkSgAwIBAgIVAKI+qiqDCk9wTTqn7OVAoZrvj/CpMA0GCSqGSIb3DQEB
379
BQUAMCcxJTAjBgNVBAMTHGFudGltb2luZS5pbnNhLXN0cmFzYm91cmcuZnIwHhcN
380
MTQwMTEzMTAzOTU4WhcNMzQwMTEzMTAzOTU4WjAnMSUwIwYDVQQDExxhbnRpbW9p
381
bmUuaW5zYS1zdHJhc2JvdXJnLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
382
CgKCAQEAtuM8lRjlVjjmrHq9VtguaOMQL+Wd99BiOs56kL3Mbctg1FwH69LYThCW
383
6dOz6WJg/jU/naF7jEikXKc71xGyu7Ph7Iqa9S5hoXXAT8u/0q2nZDeTOraJqKe1
384
FMF2RzXhEEMyQO3CiKNK9b+tbKoNZS7FQCixMZklWZPt4EcEKd6jyRq1WYX3dpnb
385
r9I/aCdhtK/PGvGe5gKTDoTR2HKyWKJTc/obf8x/vlYIEwiaGgdlqI2KiBE0x48n
386
zQdP6XVi3T8ZWbnkLmCfgJtP2C8PtEJuwDRAy0Z9N4DSwvxn5YCVYgBLSi0TLa10
387
B/lUqqBezZrTrA9p9Lt8JtGXW5YGHwIDAQABo38wfTBcBgNVHREEVTBTghxhbnRp
388
bW9pbmUuaW5zYS1zdHJhc2JvdXJnLmZyhjNodHRwczovL2FudGltb2luZS5pbnNh
389
LXN0cmFzYm91cmcuZnIvaWRwL3NoaWJib2xldGgwHQYDVR0OBBYEFLFkjPZUc9JY
390
qrWjldJ/iGGkKAt4MA0GCSqGSIb3DQEBBQUAA4IBAQBSk/wU1mRn4VF2ifmy261K
391
DK7uX+t1H1hh8S38fKSFU7HoNXJTV3vQnmBOpYIGC1gtvmb+qjqpNtikU2zO84Gq
392
Q0bXHxYF2d9RUP89mKaFxE5uNcXFmlOA3ChZY3pMT5zwAPI/T60tGrex7zci7OLn
393
JDAQj/q4Yk9ejx6JTFggQSCCVh+oV/SDIMd2p5AY6H3mto3b6XCk7Lssa8a/D30k
394
pEkZnhTKdN82eRyynuOR7UDU4tasV4d7Mi/j53f5ihnRcsvwh/pYodjoVYY8cEcZ
395
JLnAXYF8coSwh8UN4D/0NHsvTuSOFQc85hGrqacMsvxiQiw9mv01AX5+A5YLEbVQ
396
					    </ds:X509Certificate>
397
					  </ds:X509Data>
398
					</ds:KeyInfo>
399
				</md:KeyDescriptor>
400

  
401

  
402

  
403
			   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/Redirect/SLO"/>
404

  
405
			   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/POST/SLO"/>
406

  
407
			   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/SOAP/SLO"/>
408

  
409

  
410
			<md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
411
			<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
412

  
413

  
414
			<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/POST/SSO"/>
415

  
416
	        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://antimoine.insa-strasbourg.fr/idp/profile/SAML2/Redirect/SSO"/>
417

  
418

  
419
			<md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://antimoine.insa-strasbourg.fr/idp/profile/Shibboleth/SSO"/>
420

  
421

  
422
		</md:IDPSSODescriptor>
423

  
424

  
425

  
426
		<md:Organization>
427

  
428
			<md:OrganizationName xml:lang="en">INSA Strasbourg</md:OrganizationName>
429
			<md:OrganizationDisplayName xml:lang="en">INSA Strasbourg</md:OrganizationDisplayName>
430
			<md:OrganizationURL xml:lang="en">http://www.insa-strasbourg.fr</md:OrganizationURL>
431

  
432
		</md:Organization>
433

  
434

  
435

  
436
			    <md:ContactPerson contactType="technical">
437
				 <md:SurName>Lahsen BOUZID</md:SurName>
438
				 <md:EmailAddress>lahsen.bouzid@insa-strasbourg.fr</md:EmailAddress>
439
		        </md:ContactPerson>
440

  
441

  
442

  
443
			    <md:ContactPerson contactType="technical">
444
				 <md:SurName>Simon SCHERRER</md:SurName>
445
				 <md:EmailAddress>simon.scherrer@insa-strasbourg.fr</md:EmailAddress>
446
		        </md:ContactPerson>
447

  
448

  
449

  
450

  
451
        </md:EntityDescriptor>
452
    
453
<md:EntityDescriptor entityID="http://idp5/metadata">
454
<md:IDPSSODescriptor
455
    WantAuthnRequestsSigned="true"
456
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
457
<md:KeyDescriptor use="signing">
458
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
459
      <ds:X509Data><ds:X509Certificate>
460
MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
461
MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
462
dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
463
MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
464
UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
465
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
466
h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
467
6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
468
uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
469
ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
470
+3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
471
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
472
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
473
A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
474
AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
475
BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
476
pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
477
fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
478
NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
479
LlTxKnCrWAXftSm1rNtewTsF
480
</ds:X509Certificate></ds:X509Data>
481
    </ds:KeyInfo>
482
  </md:KeyDescriptor>
483
  <md:ArtifactResolutionService isDefault="true" index="0"
484
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
485
    Location="http://idp5/artifact" />
486
  <md:SingleLogoutService
487
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
488
    Location="http://idp5/singleLogoutSOAP" />
489
  <md:SingleLogoutService
490
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
491
    Location="http://idp5/singleLogout"
492
    ResponseLocation="http://idp5/singleLogoutReturn" />
493
  <md:ManageNameIDService
494
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
495
    Location="http://idp5/manageNameIdSOAP" />
496
  <md:ManageNameIDService
497
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
498
    Location="http://idp5/manageNameId"
499
    ResponseLocation="http://idp5/manageNameIdReturn" />
500
  <md:SingleSignOnService
501
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
502
    Location="http://idp5/singleSignOn" />
503
  <md:SingleSignOnService
504
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
505
    Location="http://idp5/singleSignOnSOAP" />
506
</md:IDPSSODescriptor>
507
<md:AuthnAuthorityDescriptor
508
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
509
	<md:AuthnQueryService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/authnQueryService"/>
510
	<md:AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/authnAuthAssertionIDRequestService"/>
511
	<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
512
</md:AuthnAuthorityDescriptor>
513
<md:PDPDescriptor
514
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
515
	<md:AuthzService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/authzService"/>
516
	<md:AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/PDPAuthAssertionIDRequestService"/>
517
	<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:kerberos</md:NameIDFormat>
518
</md:PDPDescriptor>
519
<md:AttributeAuthorityDescriptor
520
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
521
	<md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp6/attributeService"/>
522
	<md:AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://idp6/AttributeAuthAssertionIDRequestService"/>
523
	<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
524
</md:AttributeAuthorityDescriptor>
525
<md:Organization>
526
   <md:OrganizationName xml:lang="en">Entr'ouvert</md:OrganizationName>
527
</md:Organization>
528

  
529
</md:EntityDescriptor>
530
    </md:EntitiesDescriptor>
tests/test_default_adapter.py
95 95
    assert user.email == 'test@example.net'
96 96
    assert user.is_superuser is False
97 97
    assert user.is_staff is False
98
    assert len(caplog.records) == 4
98
    assert len(caplog.records) == 5
99 99
    assert 'created new user' in caplog.text
100 100
    assert 'set field first_name' in caplog.text
101 101
    assert 'set field last_name' in caplog.text
......
108 108
    user = SAMLBackend().authenticate(saml_attributes=saml_attributes)
109 109
    assert user.groups.count() == 3
110 110
    assert set(user.groups.values_list('name', flat=True)) == set(saml_attributes['group'])
111
    assert len(caplog.records) == 4
111
    assert len(caplog.records) == 5
112 112
    assert 'created new user' in caplog.text
113 113
    assert 'adding group GroupA' in caplog.text
114 114
    assert 'adding group GroupB' in caplog.text
......
118 118
    user = SAMLBackend().authenticate(saml_attributes=saml_attributes2)
119 119
    assert user.groups.count() == 2
120 120
    assert set(user.groups.values_list('name', flat=True)) == set(saml_attributes2['group'])
121
    assert len(caplog.records) == 5
121
    assert len(caplog.records) == 7
122 122
    assert 'removing group GroupA' in caplog.records[-1].message
123 123

  
124 124

  
......
148 148
    del local_saml_attributes['email']
149 149
    user = SAMLBackend().authenticate(saml_attributes=local_saml_attributes)
150 150
    assert not user.email
151
    assert len(caplog.records) == 4
151
    assert len(caplog.records) == 5
152 152
    assert 'created new user' in caplog.text
153 153
    assert re.search(r'invalid reference.*email', caplog.text)
154 154
    assert 'set field first_name' in caplog.text
......
166 166
    local_saml_attributes['first_name'] = [('y' * 32)]
167 167
    user = SAMLBackend().authenticate(saml_attributes=local_saml_attributes)
168 168
    assert user.first_name == 'y' * 30
169
    assert len(caplog.records) == 4
169
    assert len(caplog.records) == 5
170 170
    assert 'created new user' in caplog.text
171 171
    assert 'set field first_name' in caplog.text
172 172
    assert 'to value %r ' % (u'y' * 30) in caplog.text
tests/test_federation_utils.py
1
import os
2
import time
3

  
4
from django.core.files.storage import default_storage
5
from django.utils.text import slugify
6
from httmock import HTTMock
7

  
8
from mellon.federation_utils import get_federation_from_url, truncate_unique
9
from utils import sample_federation_response
10

  
11

  
12
def test_mock_fedmd_caching():
13
    url = u'https://dummy.mdserver/metadata.xml'
14
    filepath = default_storage.path(os.path.join('metadata-cache/', truncate_unique(slugify(url))))
15

  
16
    with HTTMock(sample_federation_response):
17
        tmp = get_federation_from_url(url)
18

  
19
    assert default_storage.path(tmp) == filepath
20

  
21
    st = os.stat(filepath)
22

  
23
    assert os.path.isfile(filepath)
24
    assert st.st_mtime < time.time() + 3600
25

  
26
    with HTTMock(sample_federation_response):
27
        get_federation_from_url(url)
28
    stnew = os.stat(filepath)
29

  
30
    assert stnew.st_ctime == st.st_ctime
31
    assert stnew.st_mtime == st.st_mtime
32

  
33
    storig = os.stat(os.path.join('tests', 'federation-sample.xml'))
34

  
35
    assert storig.st_size == st.st_size
tests/test_sso_slo.py
9 9
from django.utils import six
10 10
from django.utils.six.moves.urllib import parse as urlparse
11 11

  
12
from mellon.utils import create_metadata
12
from mellon.utils import create_metadata, create_server
13
from django.utils.http import urlencode
13 14

  
14 15
from httmock import all_requests, HTTMock, response as mock_response
15 16

  
......
21 22
    return open('tests/metadata.xml').read()
22 23

  
23 24

  
25
@fixture
26
def federation_metadata():
27
    return './tests/federation-sample.xml'
28

  
29

  
24 30
@fixture
25 31
def idp_private_key():
26 32
    return open('tests/idp-private-key.pem').read()
......
48 54
    return private_settings
49 55

  
50 56

  
57
@fixture
58
def federated_sp_settings(private_settings, federation_metadata, sp_private_key, public_key):
59
    private_settings.MELLON_FEDERATIONS = [{
60
        'FEDERATION': federation_metadata,
61
    }]
62
    private_settings.MELLON_PUBLIC_KEYS = [public_key]
63
    private_settings.MELLON_PRIVATE_KEYS = [sp_private_key]
64
    private_settings.MELLON_NAME_ID_POLICY_FORMAT = lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
65
    private_settings.LOGIN_REDIRECT_URL = '/'
66
    return private_settings
67

  
68

  
51 69
@fixture
52 70
def sp_metadata(sp_settings, rf):
53 71
    request = rf.get('/')
54 72
    return create_metadata(request)
55 73

  
56 74

  
75
@fixture
76
def federated_sp_metadata(federated_sp_settings, rf):
77
    request = rf.get('/')
78
    return create_metadata(request)
79

  
80

  
57 81
class MockIdp(object):
58 82
    def __init__(self, idp_metadata, private_key, sp_metadata):
59 83
        self.server = server = lasso.Server.newFromBuffers(idp_metadata, private_key)
......
120 144
    return MockIdp(idp_metadata, idp_private_key, sp_metadata)
121 145

  
122 146

  
147
@fixture
148
def federated_idp(federated_sp_settings, idp_metadata, idp_private_key, federated_sp_metadata):
149
    return MockIdp(idp_metadata, idp_private_key, federated_sp_metadata)
150

  
151

  
123 152
def test_sso_slo(db, app, idp, caplog, sp_settings):
124 153
    response = app.get(reverse('mellon_login') + '?next=/whatever/')
125 154
    url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
......
210 239
    assert 'created new user' in caplog.text
211 240
    assert 'logged in using SAML' in caplog.text
212 241
    assert response['Location'].endswith('/whatever/')
242

  
243

  
244
def test_login_federation(db, app, federated_idp, caplog, federated_sp_settings):
245
    qs = urlencode({
246
        'entityID': 'http://idp5/metadata',
247
    })
248
    response = app.get('/login/?' + qs)
249
    url, body, _ = federated_idp.process_authn_request_redirect(response['Location'])
250
    assert url.endswith(reverse('mellon_login'))
251
    response = app.post(reverse('mellon_login'), params={'SAMLResponse': body})
252
    assert 'created new user' in caplog.text
253
    assert 'logged in using SAML' in caplog.text
254
    assert response['Location'].endswith(federated_sp_settings.LOGIN_REDIRECT_URL)
255

  
256

  
257
def test_sso_artifact_federation(db, app, caplog, federated_sp_settings, idp_metadata, idp_private_key, rf):
258
    qs = urlencode({
259
        'entityID': 'http://idp5/metadata',
260
    })
261
    federated_sp_settings.MELLON_DEFAULT_ASSERTION_CONSUMER_BINDING = 'artifact'
262
    request = rf.get('/')
263
    federated_sp_metadata = create_metadata(request)
264
    idp = MockIdp(idp_metadata, idp_private_key, federated_sp_metadata)
265
    response = app.get('/login/?' + qs)
266
    url, body, _ = idp.process_authn_request_redirect(response['Location'])
267
    assert body is None
268
    assert reverse('mellon_login') in url
269
    assert 'SAMLart' in url
270
    acs_artifact_url = url.split('testserver', 1)[1]
271
    with HTTMock(idp.mock_artifact_resolver()):
272
        response = app.get(acs_artifact_url)
273
    assert 'created new user' in caplog.text
274
    assert 'logged in using SAML' in caplog.text
275
    assert response['Location'].endswith(federated_sp_settings.LOGIN_REDIRECT_URL)
276
    # force delog
277
    app.session.flush()
278
    assert 'dead artifact' not in caplog.text
279
    with HTTMock(idp.mock_artifact_resolver()):
280
        response = app.get(acs_artifact_url)
281
    # verify retry login was asked
282
    assert 'dead artifact' in caplog.text
283
    assert response.status_code == 302
284
    assert reverse('mellon_login') in url
285
    response = response.follow()
286
    url, body, _ = idp.process_authn_request_redirect(response['Location'])
287
    reset_caplog(caplog)
288
    # verify caplog has been cleaned
289
    assert 'created new user' not in caplog.text
290
    assert body is None
291
    assert reverse('mellon_login') in url
292
    assert 'SAMLart' in url
293
    acs_artifact_url = url.split('testserver', 1)[1]
294
    with HTTMock(idp.mock_artifact_resolver()):
295
        response = app.get(acs_artifact_url)
296
    assert 'created new user' in caplog.text
297
    assert 'logged in using SAML' in caplog.text
298
    assert response['Location'].endswith(federated_sp_settings.LOGIN_REDIRECT_URL)
tests/test_utils.py
1
import re
2 1
import datetime
2
import logging
3
import os
4
import re
3 5

  
4 6
import mock
5 7
import lasso
6 8
import requests.exceptions
7 9
from httmock import HTTMock
8 10

  
9
from mellon.utils import create_server, create_metadata, iso8601_to_datetime, flatten_datetime
11
from mellon.utils import create_server, create_metadata, iso8601_to_datetime, \
12
        flatten_datetime, get_idp, create_loaded_server
10 13
import mellon.utils
11 14
from xml_utils import assert_xml_constraints
12 15

  
13
from utils import error_500, metadata_response
16
from utils import error_500, metadata_response, sample_federation_response, \
17
        html_response, dummy_md_response
14 18

  
15 19

  
16
def test_create_server_connection_error(mocker, rf, private_settings, caplog):
20
def test_create_server_connection_error_lazy(mocker, rf, private_settings, caplog):
17 21
    mocker.patch('requests.get',
18 22
                 side_effect=requests.exceptions.ConnectionError('connection error'))
19 23
    private_settings.MELLON_IDENTITY_PROVIDERS = [
......
23 27
    ]
24 28
    request = rf.get('/')
25 29
    create_server(request)
26
    assert 'connection error' in caplog.text
30
    assert 'failed with error' not in caplog.text
31
    create_loaded_server(request)
32
    assert 'failed with error' in caplog.text
27 33

  
28 34

  
29
def test_create_server_internal_server_error(mocker, rf, private_settings, caplog):
35
def test_create_server_internal_server_error_lazy(mocker, rf, private_settings, caplog):
30 36
    private_settings.MELLON_IDENTITY_PROVIDERS = [
31 37
        {
32 38
            'METADATA_URL': 'http://example.com/metadata',
33 39
        }
34 40
    ]
35 41
    request = rf.get('/')
36
    assert not 'failed with error' in caplog.text
42
    assert 'failed with error' not in caplog.text
37 43
    with HTTMock(error_500):
38 44
        create_server(request)
45
    assert 'failed with error' not in caplog.text
46
    with HTTMock(error_500):
47
        create_loaded_server(request)
39 48
    assert 'failed with error' in caplog.text
40 49

  
41 50

  
42
def test_create_server_invalid_metadata(mocker, rf, private_settings, caplog):
51
def test_load_federation_file_lazy(mocker, rf, private_settings, caplog, tmpdir):
52
    private_settings.MELLON_FEDERATIONS = [
53
            {'FEDERATION': 'tests/federation-sample.xml'},
54
    ]
55
    request = rf.get('/')
56
    assert 'failed with error' not in caplog.text
57
    with HTTMock(html_response):
58
        server = create_server(request)
59
    assert len(server.providers) == 0
60
    with HTTMock(html_response):
61
        server = create_loaded_server(request)
62
    assert len(server.providers) == 5
63

  
64

  
65
def test_load_federation_url_lazy(mocker, rf, private_settings, caplog, tmpdir):
66
    private_settings.MELLON_FEDERATIONS = [
67
            {'FEDERATION': 'https://dummy.server/metadata.xml'},
68
    ]
69
    request = rf.get('/')
70
    assert 'failed with error' not in caplog.text
71
    with HTTMock(dummy_md_response):
72
        server = create_server(request)
73
    assert len(server.providers) == 0
74
    with HTTMock(dummy_md_response):
75
        server = create_loaded_server(request)
76
    assert len(server.providers) == 3
77

  
78

  
79
def test_federation_parameters_lazy(mocker, rf, private_settings, caplog, tmpdir):
80
    private_settings.MELLON_FEDERATIONS = [{
81
            'FEDERATION': 'tests/federation-sample.xml',
82
            'VERIFY_SSL_CERTIFICATE': False,
83
            'ERROR_REDIRECT_AFTER_TIMEOUT': 150,
84
            'PROVISION': True
85
    }]
86
    request = rf.get('/')
87
    assert 'failed with error' not in caplog.text
88
    with HTTMock(html_response):
89
        server = create_server(request)
90
    assert len(server.providers) == 0
91
    with HTTMock(dummy_md_response):
92
        server = create_loaded_server(request)
93
    assert len(server.providers) == 5
94
    for entity_id in server.providers.keys():
95
        idp = get_idp(entity_id)
96
        assert idp
97
        assert idp['VERIFY_SSL_CERTIFICATE'] is False
98
        assert idp['ERROR_REDIRECT_AFTER_TIMEOUT'] == 150
99
        assert idp['PROVISION'] is True
100

  
101

  
102
def test_create_server_invalid_metadata_lazy(mocker, rf, private_settings, caplog):
103
    caplog.set_level(logging.DEBUG)
43 104
    private_settings.MELLON_IDENTITY_PROVIDERS = [
44 105
        {
45 106
            'METADATA': 'xxx',
......
49 110
    assert not 'failed with error' in caplog.text
50 111
    with HTTMock(error_500):
51 112
        create_server(request)
52
    assert len(caplog.records) == 1
53
    assert re.search('METADATA.*is invalid', caplog.text)
113
    assert len(caplog.records) == 0
114
    assert not re.search('METADATA.*is invalid|bad metadata in idp|Failed to add new provider.', caplog.text)
115

  
116
    # Server created for one single provider:
117
    with HTTMock(error_500):
118
        create_loaded_server(request)
119
    assert len(caplog.records) == 4
120
    assert re.search('METADATA.*is invalid|bad metadata in idp|Failed to add new provider.', caplog.text)
54 121

  
55 122

  
56 123
def test_create_server_invalid_metadata_file(mocker, rf, private_settings, caplog):
......
67 134
    assert len(server.providers) == 0
68 135

  
69 136

  
70
def test_create_server_good_metadata_file(mocker, rf, private_settings, caplog):
137
def test_create_server_good_metadata_file_lazy(mocker, rf, private_settings, caplog):
71 138
    private_settings.MELLON_IDENTITY_PROVIDERS = [
72 139
        {
73
            'METADATA': '/xxx',
140
            'METADATA': './tests/metadata.xml',
74 141
        }
75 142
    ]
76 143
    request = rf.get('/')
77
    with mock.patch(
78
        'mellon.adapters.open', mock.mock_open(read_data=open('tests/metadata.xml').read()),
79
            create=True):
144
    with HTTMock(html_response):
80 145
        server = create_server(request)
81 146
    assert 'ERROR' not in caplog.text
147
    assert len(server.providers) == 0
148
    with HTTMock(html_response):
149
        server = create_loaded_server(request)
82 150
    assert len(server.providers) == 1
83 151

  
84 152

  
85
def test_create_server_good_metadata(mocker, rf, private_settings, caplog):
153
def test_create_server_good_metadata_lazy(mocker, rf, private_settings, caplog):
86 154
    private_settings.MELLON_IDENTITY_PROVIDERS = [
87 155
        {
88 156
            'METADATA': open('tests/metadata.xml').read(),
......
92 160
    assert not 'failed with error' in caplog.text
93 161
    server = create_server(request)
94 162
    assert 'ERROR' not in caplog.text
163
    assert len(server.providers) == 0
164
    server = create_loaded_server(request)
95 165
    assert len(server.providers) == 1
96 166

  
97 167

  
98
def test_create_server_invalid_idp_dict(mocker, rf, private_settings, caplog):
168
def test_create_server_invalid_idp_dict_lazy(mocker, rf, private_settings, caplog):
99 169
    private_settings.MELLON_IDENTITY_PROVIDERS = [
100 170
        {
101 171
        }
......
103 173
    request = rf.get('/')
104 174
    assert not 'failed with error' in caplog.text
105 175
    create_server(request)
106
    assert 'missing METADATA' in caplog.text
176
    assert 'missing METADATA' not in caplog.text
177
    server = create_loaded_server(request)
178
    assert not len(server.providers)
107 179

  
108 180

  
109
def test_create_server_good_metadata_url(mocker, rf, private_settings, caplog):
181
def test_create_server_good_metadata_url_lazy(mocker, rf, private_settings, caplog):
110 182
    private_settings.MELLON_IDENTITY_PROVIDERS = [
111 183
        {
112 184
            'METADATA_URL': 'http://example.com/metadata',
......
118 190
    with HTTMock(metadata_response):
119 191
        server = create_server(request)
120 192
    assert 'ERROR' not in caplog.text
193
    assert len(server.providers) == 0
194

  
195
    with HTTMock(dummy_md_response):
196
        server = create_loaded_server(request)
121 197
    assert len(server.providers) == 1
122 198

  
123 199

  
tests/utils.py
13 13

  
14 14
@all_requests
15 15
def metadata_response(url, request):
16
    return response(200, content=open('tests/metadata.xml').read())
16
    return response(200, content=open('tests/metadata.xml', 'r').read())
17

  
18

  
19
@all_requests
20
def dummy_md_response(url, request):
21
    return response(200, content=open('tests/dummy_md.xml', 'r').read())
22

  
23

  
24
@all_requests
25
def sample_federation_response(url, request):
26
    return response(200, content=open('tests/federation-sample.xml', 'r').read())
17 27

  
18 28

  
19 29
def reset_caplog(cap):
20
-