django-saml2-idp

Merge lp:~roadmr/django-saml2-idp/custom-certificate-support into lp:~ubuntuone-pqm-team/django-saml2-idp/stable

custom-certificate-support
Merge into stable

Proposed by Daniel Manrique on 2017-12-07

Status:	Merged
Merged at revision:	70
Proposed branch:	lp:~roadmr/django-saml2-idp/custom-certificate-support
Merge into:	lp:~ubuntuone-pqm-team/django-saml2-idp/stable
Diff against target:	415 lines (+193/-45) 5 files modified idptest/saml2idp/base.py (+4/-3) idptest/saml2idp/tests/signing.py (+148/-26) idptest/saml2idp/xml_render.py (+14/-10) idptest/saml2idp/xml_signing.py (+25/-4) requirements.txt (+2/-2)
To merge this branch:	bzr merge lp:~roadmr/django-saml2-idp/custom-certificate-support
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ricardo Kirkner (community)		2017-12-07	Approve on 2017-12-11
Review via email: mp+334947@code.launchpad.net

Commit message

Add custom certificate support.

A "certificate" parameter was added to the get_signature_xml method and to methods that call this, all the way up to the ones called by Processor subclasses.

The parameter has a default of None in all methods that support it. If get_signature_xml ultimately doesn't get a certificate value, it will use the globally-configured certificate, as it always has.

If the certificate parameter has a string containing a PEM-formatted certificate (with ---BEGIN/END--- certificate delimiters), it will be included in the assertion instead of the globally-configured one.

The certificate is expected to be derived from the globally-configured private key; there's no custom private key support.

The validation behavior is (as with the global certificate) whatever M2Crypto.X509.load_cert_string() raises for an invalid certificate.

The test suite was expanded to account for custom certificates and also explicitly tests the google apps-compatible xml generators which were not previously tested.

Description of the change

Add custom certificate support.

A "certificate" parameter was added to the get_signature_xml method and to methods that call this, all the way up to the ones called by Processor subclasses.

The parameter has a default of None in all methods that support it. If get_signature_xml ultimately doesn't get a certificate value, it will use the globally-configured certificate, as it always has.

The certificate is expected to be derived from the globally-configured private key; there's no custom private key support.

The validation behavior is (as with the global certificate) whatever M2Crypto.X509.load_cert_string() raises for an invalid certificate.

The test suite was expanded to account for custom certificates and also explicitly tests the google apps-compatible xml generators which were not previously tested.

Revision history for this message

Ricardo Kirkner (ricardokirkner) wrote on 2017-12-11:

LGTM

review: Approve

Revision history for this message

Daniel Manrique (roadmr) wrote on 2017-12-11:

FIxed review comments.

lp:~roadmr/django-saml2-idp/custom-certificate-support updated on 2017-12-11

89. By Daniel Manrique on 2017-12-11: review fixes

Revision history for this message

Daniel Manrique (roadmr) wrote on 2017-12-11:

Merging manually.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Daniel Manrique

Ubuntu One PQM Team

 === modified file 'idptest/saml2idp/base.py'
 --- idptest/saml2idp/base.py	2012-08-20 18:41:37 +0000
 +++ idptest/saml2idp/base.py	2017-12-11 19:14:27 +0000
@@ -131,12 +131,13 @@
          """
          raise NotImplemented()
--    def _format_response(self):
++    def _format_response(self, certificate=None):
          """
          Formats _response_params as _response_xml.
          """
--        sign_it=saml2idp_metadata.SAML2IDP_CONFIG['signing']
--        self._response_xml = xml_render.get_response_xml(self._response_params, signed=sign_it)
++        sign_it = saml2idp_metadata.SAML2IDP_CONFIG['signing']
++        self._response_xml = xml_render.get_response_xml(
++            self._response_params, signed=sign_it, certificate=certificate)
      def _get_django_response_params(self):
          """
 === modified file 'idptest/saml2idp/tests/signing.py'
 --- idptest/saml2idp/tests/signing.py	2012-06-27 20:26:38 +0000
 +++ idptest/saml2idp/tests/signing.py	2017-12-11 19:14:27 +0000
@@ -2,7 +2,11 @@
  import unittest
  from saml2idp import xml_render
  from saml2idp.xml_signing import get_signature_xml
--from saml2idp.xml_templates import ASSERTION_SALESFORCE, RESPONSE
++from saml2idp.xml_templates import (
++    ASSERTION_GOOGLE_APPS,
++    ASSERTION_SALESFORCE,
++    RESPONSE,
++)
  IDP_PARAMS = {
      'ISSUER': 'http://127.0.0.1:8000',
@@ -15,7 +19,7 @@
  ASSERTION_SALESFORCE_PARAMS = {
      'ASSERTION_ID': '_7ccdda8bc6b328570c03b218d7521772998da45374',
--    'ASSERTION_SIGNATURE': '', # it's unsigned
++    'ASSERTION_SIGNATURE': '',  # it's unsigned
      'AUDIENCE': 'example.net',
      'AUTH_INSTANT': '2011-08-11T23:38:34Z',
      'ISSUE_INSTANT': '2011-08-11T23:38:34Z',
@@ -29,6 +33,26 @@
  ASSERTION_SALESFORCE_XML = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
  SIGNED_ASSERTION_SALESFORCE_XML = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>b7HwOJQgKYvhWcrUH17T8WXTY24=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WP+9aFiuj52WLW6ebwSaQhF2nU/wtyP3E2dudTa6mVTSjItpqduUqWR3rp/q39Hsehde6i+4RlbGQkZUwZSPEw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
++SIGNED_ASSERTION_SALESFORCE_XML_CUSTOM = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>b7HwOJQgKYvhWcrUH17T8WXTY24=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WP+9aFiuj52WLW6ebwSaQhF2nU/wtyP3E2dudTa6mVTSjItpqduUqWR3rp/q39Hsehde6i+4RlbGQkZUwZSPEw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICMTCCAdugAwIBAgIJAIlHgvpeylz2MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzAeFw0xNzEyMDYyMTU4NTBaFw0xODEyMDYyMTU4NTBaMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDXDZoJuGJUlAK9sXVnouWkVPw21rbEOO4I5L9vBJI3t6G/uqtDPg+aYcGA3L/coGJriecDotXD6a7FnRVpr0rrAgMBAAGjUDBOMB0GA1UdDgQWBBTPIFH368TxvKCq8PoJn/DppA+KQzAfBgNVHSMEGDAWgBTPIFH368TxvKCq8PoJn/DppA+KQzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EA1mV57y79x9QjFJO5iHgqhXKJuCVVaGx4TaVMcX1exWLLNp37CTvn0zsTdXhlc4MKsznXr3dLrZhVoTHVlkin8w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
++
++ASSERTION_GOOGLE_APPS_PARAMS = {
++    'ASSERTION_ID': '_7ccdda8bc6b328570c03b218d7521772998da45374',
++    'ASSERTION_SIGNATURE': '',  # it's unsigned
++    'AUDIENCE': 'google.example.net',
++    'AUTH_INSTANT': '2011-08-11T23:38:34Z',
++    'ISSUE_INSTANT': '2011-08-11T23:38:34Z',
++    'NOT_BEFORE': '2011-08-11T23:38:04Z',
++    'NOT_ON_OR_AFTER': '2011-08-11T23:43:34Z',
++    'SESSION_NOT_ON_OR_AFTER': '2011-08-12T07:38:34Z',
++    'SP_NAME_QUALIFIER': 'google.example.net',
++    'SUBJECT': 'randomuser@example.com',
++    'SUBJECT_FORMAT': 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
++}
++
++ASSERTION_GOOGLE_APPS_XML = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="google.example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
++SIGNED_ASSERTION_GOOGLE_APPS_XML = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>6CyR79BkYhTW72Sat2KiBxvgG38=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Eyaqg5Vx1095Z+5OLIM2vSTFmSawRP4qzakMol/w/xIwjCLiu++OFzpv9TUeRELnA4F/WuEukUVV+59gUqz5RA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="google.example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
++SIGNED_ASSERTION_GOOGLE_APPS_XML_CUSTOM = '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>6CyR79BkYhTW72Sat2KiBxvgG38=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Eyaqg5Vx1095Z+5OLIM2vSTFmSawRP4qzakMol/w/xIwjCLiu++OFzpv9TUeRELnA4F/WuEukUVV+59gUqz5RA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICMTCCAdugAwIBAgIJAIlHgvpeylz2MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzAeFw0xNzEyMDYyMTU4NTBaFw0xODEyMDYyMTU4NTBaMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDXDZoJuGJUlAK9sXVnouWkVPw21rbEOO4I5L9vBJI3t6G/uqtDPg+aYcGA3L/coGJriecDotXD6a7FnRVpr0rrAgMBAAGjUDBOMB0GA1UdDgQWBBTPIFH368TxvKCq8PoJn/DppA+KQzAfBgNVHSMEGDAWgBTPIFH368TxvKCq8PoJn/DppA+KQzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EA1mV57y79x9QjFJO5iHgqhXKJuCVVaGx4TaVMcX1exWLLNp37CTvn0zsTdXhlc4MKsznXr3dLrZhVoTHVlkin8w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="google.example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
++
  RESPONSE_PARAMS = {
      'ASSERTION': '',
@@ -41,14 +65,36 @@
      'SUBJECT_FORMAT': 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
+ }
--RESPONSE_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
++RESPONSE_SALESFORCE_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
  RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>b7HwOJQgKYvhWcrUH17T8WXTY24=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WP+9aFiuj52WLW6ebwSaQhF2nU/wtyP3E2dudTa6mVTSjItpqduUqWR3rp/q39Hsehde6i+4RlbGQkZUwZSPEw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
--
  SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>sxi1OztMxi2taVoT3kxaVXQrVx4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>tErJwi7CBpFWXQRKxEcpkoNZKDv2D1D1hBOlEWWYOyrU5eGaaLFrQ/dMA3D7S0lGjGEf7YkkgiZOAE4dKVHhUg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>b7HwOJQgKYvhWcrUH17T8WXTY24=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WP+9aFiuj52WLW6ebwSaQhF2nU/wtyP3E2dudTa6mVTSjItpqduUqWR3rp/q39Hsehde6i+4RlbGQkZUwZSPEw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
++SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML_CUSTOM = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>sxi1OztMxi2taVoT3kxaVXQrVx4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>tErJwi7CBpFWXQRKxEcpkoNZKDv2D1D1hBOlEWWYOyrU5eGaaLFrQ/dMA3D7S0lGjGEf7YkkgiZOAE4dKVHhUg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICMTCCAdugAwIBAgIJAIlHgvpeylz2MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzAeFw0xNzEyMDYyMTU4NTBaFw0xODEyMDYyMTU4NTBaMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDXDZoJuGJUlAK9sXVnouWkVPw21rbEOO4I5L9vBJI3t6G/uqtDPg+aYcGA3L/coGJriecDotXD6a7FnRVpr0rrAgMBAAGjUDBOMB0GA1UdDgQWBBTPIFH368TxvKCq8PoJn/DppA+KQzAfBgNVHSMEGDAWgBTPIFH368TxvKCq8PoJn/DppA+KQzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EA1mV57y79x9QjFJO5iHgqhXKJuCVVaGx4TaVMcX1exWLLNp37CTvn0zsTdXhlc4MKsznXr3dLrZhVoTHVlkin8w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>b7HwOJQgKYvhWcrUH17T8WXTY24=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WP+9aFiuj52WLW6ebwSaQhF2nU/wtyP3E2dudTa6mVTSjItpqduUqWR3rp/q39Hsehde6i+4RlbGQkZUwZSPEw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"><saml:AudienceRestriction><saml:Audience>example.net</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
++
++RESPONSE_GOOGLE_APPS_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="google.example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
++RESPONSE_WITH_SIGNED_ASSERTION_GOOGLE_APPS_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>6CyR79BkYhTW72Sat2KiBxvgG38=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Eyaqg5Vx1095Z+5OLIM2vSTFmSawRP4qzakMol/w/xIwjCLiu++OFzpv9TUeRELnA4F/WuEukUVV+59gUqz5RA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="google.example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
++SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_GOOGLE_APPS_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>gKuvvIsDFU3vjLr1gEjbNK11Wh0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PNDqw6f8k55hrR9wlb0BqxebweV9oEzgjcPqQ2WVMD9Cf/DwHcvfNprIflY/u/hsiWaINoCWXZ9EVaVyO/NM9w==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>6CyR79BkYhTW72Sat2KiBxvgG38=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Eyaqg5Vx1095Z+5OLIM2vSTFmSawRP4qzakMol/w/xIwjCLiu++OFzpv9TUeRELnA4F/WuEukUVV+59gUqz5RA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="google.example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
++SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_GOOGLE_APPS_XML_CUSTOM = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://www.example.net/a/example.com/acs" ID="_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4" InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_2972e82c07bb5453956cc11fb19cad97ed26ff8bb4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>gKuvvIsDFU3vjLr1gEjbNK11Wh0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PNDqw6f8k55hrR9wlb0BqxebweV9oEzgjcPqQ2WVMD9Cf/DwHcvfNprIflY/u/hsiWaINoCWXZ9EVaVyO/NM9w==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICMTCCAdugAwIBAgIJAIlHgvpeylz2MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzAeFw0xNzEyMDYyMTU4NTBaFw0xODEyMDYyMTU4NTBaMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDXDZoJuGJUlAK9sXVnouWkVPw21rbEOO4I5L9vBJI3t6G/uqtDPg+aYcGA3L/coGJriecDotXD6a7FnRVpr0rrAgMBAAGjUDBOMB0GA1UdDgQWBBTPIFH368TxvKCq8PoJn/DppA+KQzAfBgNVHSMEGDAWgBTPIFH368TxvKCq8PoJn/DppA+KQzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EA1mV57y79x9QjFJO5iHgqhXKJuCVVaGx4TaVMcX1exWLLNp37CTvn0zsTdXhlc4MKsznXr3dLrZhVoTHVlkin8w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></samlp:StatusCode></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7ccdda8bc6b328570c03b218d7521772998da45374" IssueInstant="2011-08-11T23:38:34Z" Version="2.0"><saml:Issuer>http://127.0.0.1:8000</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_7ccdda8bc6b328570c03b218d7521772998da45374"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>6CyR79BkYhTW72Sat2KiBxvgG38=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Eyaqg5Vx1095Z+5OLIM2vSTFmSawRP4qzakMol/w/xIwjCLiu++OFzpv9TUeRELnA4F/WuEukUVV+59gUqz5RA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email" SPNameQualifier="google.example.net">randomuser@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="mpjibjdppiodcpciaefmdahiipjpcghdcfjodkbi" NotOnOrAfter="2011-08-11T23:43:34Z" Recipient="https://www.example.net/a/example.com/acs"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2011-08-11T23:38:04Z" NotOnOrAfter="2011-08-11T23:43:34Z"></saml:Conditions><saml:AuthnStatement AuthnInstant="2011-08-11T23:38:34Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
++
++CUSTOM_CERT_STRING = """-----BEGIN CERTIFICATE-----
++MIICMTCCAdugAwIBAgIJAIlHgvpeylz2MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNV
++BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYD
++VQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBj
++dXN0b20gdGVzdGluZzAeFw0xNzEyMDYyMTU4NTBaFw0xODEyMDYyMTU4NTBaMHQx
++CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJl
++MRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRl
++IGZvciBjdXN0b20gdGVzdGluZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDXDZoJ
++uGJUlAK9sXVnouWkVPw21rbEOO4I5L9vBJI3t6G/uqtDPg+aYcGA3L/coGJriecD
++otXD6a7FnRVpr0rrAgMBAAGjUDBOMB0GA1UdDgQWBBTPIFH368TxvKCq8PoJn/Dp
++pA+KQzAfBgNVHSMEGDAWgBTPIFH368TxvKCq8PoJn/DppA+KQzAMBgNVHRMEBTAD
++AQH/MA0GCSqGSIb3DQEBCwUAA0EA1mV57y79x9QjFJO5iHgqhXKJuCVVaGx4TaVM
++cX1exWLLNp37CTvn0zsTdXhlc4MKsznXr3dLrZhVoTHVlkin8w==
++-----END CERTIFICATE-----
++"""
++
  class XmlTest(unittest.TestCase):
      def _test(self, got, exp):
--        #TODO: Maybe provide more meaningful output. YAGNI?
++        # TODO: Maybe provide more meaningful output. YAGNI?
          msg = 'Did not get expected XML.\nExp: %s\nGot: %s' % (exp, got)
          self.assertEqual(exp, got, msg)
@@ -59,49 +105,94 @@
          got = string.Template(template_source).substitute(parameters)
          self._test(got, exp)
++
  class TestSigning(XmlTest):
--    def test1(self):
++    def test_signing_default_cert(self):
          signature_xml = get_signature_xml("this is a test", 'abcd' * 10)
          expected_xml = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>+ia+Gd5r/5P3C8IwhDTkpEC7rQI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>t1IywxEzobY8ZyHL+iuB+E3zzVAWByUjRqFTdyNerGbGSRwo0oYWx6hcYX+ST1DTDaQ50gV2PJeibbykFsA3vQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICKzCCAdWgAwIBAgIJAM8DxRNtPj90MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTEwODEyMjA1MTIzWhcNMTIwODExMjA1MTIzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANcNmgm4YlSUAr2xdWei5aRU/DbWtsQ47gjkv28Ekje3ob+6q0M+D5phwYDcv9ygYmuJ5wOi1cPprsWdFWmvSusCAwEAAaOBpzCBpDAdBgNVHQ4EFgQUzyBR9+vE8bygqvD6CZ/w6aQPikMwdQYDVR0jBG4wbIAUzyBR9+vE8bygqvD6CZ/w6aQPikOhSaRHMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGSCCQDPA8UTbT4/dDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAIQuPLA/mlMJAMF680kL7reX5WgyRwAtRzJK6FgNjE7kRaLZQ79UKYVYa0VAyrRdoNEyVhG4tJFEiQJzaLWsl/A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
          self._test(signature_xml, expected_xml)
--class TestAssertionSalesForce(XmlTest):
++    def test_signing_custom_cert(self):
++        signature_xml = get_signature_xml(
++            "this is a test", 'abcd' * 10, certificate=CUSTOM_CERT_STRING)
++        expected_xml = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>+ia+Gd5r/5P3C8IwhDTkpEC7rQI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>t1IywxEzobY8ZyHL+iuB+E3zzVAWByUjRqFTdyNerGbGSRwo0oYWx6hcYX+ST1DTDaQ50gV2PJeibbykFsA3vQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICMTCCAdugAwIBAgIJAIlHgvpeylz2MA0GCSqGSIb3DQEBCwUAMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzAeFw0xNzEyMDYyMTU4NTBaFw0xODEyMDYyMTU4NTBaMHQxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARIZXJlMRgwFgYDVQQKDA9kamFuZ28tc2FtbDJpZHAxJzAlBgNVBAMMHkNlcnRpZmljYXRlIGZvciBjdXN0b20gdGVzdGluZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDXDZoJuGJUlAK9sXVnouWkVPw21rbEOO4I5L9vBJI3t6G/uqtDPg+aYcGA3L/coGJriecDotXD6a7FnRVpr0rrAgMBAAGjUDBOMB0GA1UdDgQWBBTPIFH368TxvKCq8PoJn/DppA+KQzAfBgNVHSMEGDAWgBTPIFH368TxvKCq8PoJn/DppA+KQzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA0EA1mV57y79x9QjFJO5iHgqhXKJuCVVaGx4TaVMcX1exWLLNp37CTvn0zsTdXhlc4MKsznXr3dLrZhVoTHVlkin8w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
++        self._test(signature_xml, expected_xml)
++
++
++class TestAssertion(object):
++    """Mixin of common assertion test methods using class parameters to customize."""
      def test_assertion(self):
          # This test simply verifies that the template isn't bad.
          params = {}
          params.update(IDP_PARAMS)
          params.update(REQUEST_PARAMS)
--        params.update(ASSERTION_SALESFORCE_PARAMS)
--        self._test_template(ASSERTION_SALESFORCE, params, ASSERTION_SALESFORCE_XML)
++        params.update(self.ASSERTION_PARAMS)
++        self._test_template(self.ASSERTION, params, self.ASSERTION_XML)
      def test_assertion_rendering(self):
          # Verifies that the xml rendering is OK.
          params = {}
          params.update(IDP_PARAMS)
          params.update(REQUEST_PARAMS)
--        params.update(ASSERTION_SALESFORCE_PARAMS)
--        got = xml_render.get_assertion_salesforce_xml(params, signed=False)
--        self._test(got, ASSERTION_SALESFORCE_XML)
++        params.update(self.ASSERTION_PARAMS)
++        got = self.render_method(params, signed=False)
++        self._test(got, self.ASSERTION_XML)
      def test_signed_assertion(self):
          # This test verifies that the assertion got signed properly.
          params = {}
          params.update(IDP_PARAMS)
          params.update(REQUEST_PARAMS)
--        params.update(ASSERTION_SALESFORCE_PARAMS)
--        got = xml_render.get_assertion_salesforce_xml(params, signed=True)
--        self._test(got, SIGNED_ASSERTION_SALESFORCE_XML)
--
--
--class TestResponse(XmlTest):
++        params.update(self.ASSERTION_PARAMS)
++        got = self.render_method(params, signed=True)
++        self._test(got, self.SIGNED_ASSERTION_XML)
++
++    def test_signed_assertion_custom_cert(self):
++        # This test verifies that the assertion got signed properly with a
++        # custom cert
++        params = {}
++        params.update(IDP_PARAMS)
++        params.update(REQUEST_PARAMS)
++        params.update(self.ASSERTION_PARAMS)
++        got = self.render_method(
++            params, signed=True, certificate=CUSTOM_CERT_STRING)
++        self._test(got, self.SIGNED_ASSERTION_XML_CUSTOM)
++
++
++class TestAssertionGoogleApps(XmlTest, TestAssertion):
++    ASSERTION_PARAMS = ASSERTION_GOOGLE_APPS_PARAMS
++    ASSERTION = ASSERTION_GOOGLE_APPS
++    ASSERTION_XML = ASSERTION_GOOGLE_APPS_XML
++    SIGNED_ASSERTION_XML = SIGNED_ASSERTION_GOOGLE_APPS_XML
++    SIGNED_ASSERTION_XML_CUSTOM = SIGNED_ASSERTION_GOOGLE_APPS_XML_CUSTOM
++
++    # render_method should just call one of the get_assertion_*_xml methods.
++    def render_method(self, *args, **kwargs):
++        return xml_render.get_assertion_googleapps_xml(*args, **kwargs)
++
++
++class TestAssertionSalesForce(XmlTest, TestAssertion):
++    ASSERTION_PARAMS = ASSERTION_SALESFORCE_PARAMS
++    ASSERTION = ASSERTION_SALESFORCE
++    ASSERTION_XML = ASSERTION_SALESFORCE_XML
++    SIGNED_ASSERTION_XML = SIGNED_ASSERTION_SALESFORCE_XML
++    SIGNED_ASSERTION_XML_CUSTOM = SIGNED_ASSERTION_SALESFORCE_XML_CUSTOM
++
++    # render_method should just call one of the get_assertion_*_xml methods.
++    def render_method(self, *args, **kwargs):
++        return xml_render.get_assertion_salesforce_xml(*args, **kwargs)
++
++
++class TestResponse(object):
++    """Mixin of common response test methods,"""
      def test_response(self):
          # This test simply verifies that the template isn't bad.
          params = {}
          params.update(IDP_PARAMS)
          params.update(REQUEST_PARAMS)
          params.update(RESPONSE_PARAMS)
--        params['ASSERTION'] = ASSERTION_SALESFORCE_XML
--        self._test_template(RESPONSE, params, RESPONSE_XML)
++        params['ASSERTION'] = self.ASSERTION_XML
++        self._test_template(RESPONSE, params, self.RESPONSE_XML)
      def test_response_rendering(self):
          # Verifies that the rendering is OK.
@@ -109,9 +200,9 @@
          params.update(IDP_PARAMS)
          params.update(REQUEST_PARAMS)
          params.update(RESPONSE_PARAMS)
--        params['ASSERTION'] = ASSERTION_SALESFORCE_XML
++        params['ASSERTION'] = self.ASSERTION_XML
          got = xml_render.get_response_xml(params, signed=False)
--        self._test(got, RESPONSE_XML)
++        self._test(got, self.RESPONSE_XML)
      def test_response_with_signed_assertion(self):
          # This test also verifies that the template isn't bad.
@@ -119,9 +210,9 @@
          params.update(IDP_PARAMS)
          params.update(REQUEST_PARAMS)
          params.update(RESPONSE_PARAMS)
--        params['ASSERTION'] = SIGNED_ASSERTION_SALESFORCE_XML
++        params['ASSERTION'] = self.SIGNED_ASSERTION_XML
          got = xml_render.get_response_xml(params, signed=False)
--        self._test(got, RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML)
++        self._test(got, self.RESPONSE_WITH_SIGNED_ASSERTION_XML)
      def test_signed_response_with_signed_assertion(self):
          # This test verifies that the response got signed properly.
@@ -129,6 +220,37 @@
          params.update(IDP_PARAMS)
          params.update(REQUEST_PARAMS)
          params.update(RESPONSE_PARAMS)
--        params['ASSERTION'] = SIGNED_ASSERTION_SALESFORCE_XML
++        params['ASSERTION'] = self.SIGNED_ASSERTION_XML
          got = xml_render.get_response_xml(params, signed=True)
--        self._test(got, SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML)
++        self._test(got, self.SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_XML)
++
++    def test_signed_response_with_signed_assertion_custom_cert(self):
++        # This test verifies that the response got signed properly with a
++        # custom cert.
++        params = {}
++        params.update(IDP_PARAMS)
++        params.update(REQUEST_PARAMS)
++        params.update(RESPONSE_PARAMS)
++        params['ASSERTION'] = self.SIGNED_ASSERTION_XML
++        got = xml_render.get_response_xml(
++            params, signed=True, certificate=CUSTOM_CERT_STRING)
++        self._test(
++            got, self.SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_XML_CUSTOM)
++
++
++class TestResponseSalesForce(TestResponse, XmlTest):
++    ASSERTION_XML = ASSERTION_SALESFORCE_XML
++    RESPONSE_XML = RESPONSE_SALESFORCE_XML
++    RESPONSE_WITH_SIGNED_ASSERTION_XML = RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML
++    SIGNED_ASSERTION_XML = SIGNED_ASSERTION_SALESFORCE_XML
++    SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_XML = SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML
++    SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_XML_CUSTOM = SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_SALESFORCE_XML_CUSTOM
++
++
++class TestResponseGoogleApps(TestResponse, XmlTest):
++    ASSERTION_XML = ASSERTION_GOOGLE_APPS_XML
++    RESPONSE_XML = RESPONSE_GOOGLE_APPS_XML
++    RESPONSE_WITH_SIGNED_ASSERTION_XML = RESPONSE_WITH_SIGNED_ASSERTION_GOOGLE_APPS_XML
++    SIGNED_ASSERTION_XML = SIGNED_ASSERTION_GOOGLE_APPS_XML
++    SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_XML = SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_GOOGLE_APPS_XML
++    SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_XML_CUSTOM = SIGNED_RESPONSE_WITH_SIGNED_ASSERTION_GOOGLE_APPS_XML_CUSTOM
 === modified file 'idptest/saml2idp/xml_render.py'
 --- idptest/saml2idp/xml_render.py	2012-06-27 20:26:38 +0000
 +++ idptest/saml2idp/xml_render.py	2017-12-11 19:14:27 +0000
@@ -54,7 +54,7 @@
      template = string.Template(SUBJECT)
      params['SUBJECT_STATEMENT'] = template.substitute(params)
--def _get_assertion_xml(template, parameters, signed=False):
++def _get_assertion_xml(template, parameters, signed=False, certificate=None):
      # Reset signature.
      params = {}
      params.update(parameters)
@@ -72,7 +72,8 @@
          return unsigned
      # Sign it.
--    signature_xml = get_signature_xml(unsigned, params['ASSERTION_ID'])
++    signature_xml = get_signature_xml(
++        unsigned, params['ASSERTION_ID'], certificate=certificate)
      params['ASSERTION_SIGNATURE'] = signature_xml
      signed = template.substitute(params)
@@ -80,13 +81,15 @@
      logging.debug(signed)
      return signed
--def get_assertion_googleapps_xml(parameters, signed=False):
--    return _get_assertion_xml(ASSERTION_GOOGLE_APPS, parameters, signed)
--
--def get_assertion_salesforce_xml(parameters, signed=False):
--    return _get_assertion_xml(ASSERTION_SALESFORCE, parameters, signed)
--
--def get_response_xml(parameters, signed=False):
++def get_assertion_googleapps_xml(parameters, signed=False, certificate=None):
++    return _get_assertion_xml(
++        ASSERTION_GOOGLE_APPS, parameters, signed, certificate=certificate)
++
++def get_assertion_salesforce_xml(parameters, signed=False, certificate=None):
++    return _get_assertion_xml(
++        ASSERTION_SALESFORCE, parameters, signed, certificate=certificate)
++
++def get_response_xml(parameters, signed=False, certificate=None):
      """
      Returns XML for response, with signatures, if signed is True.
      """
@@ -105,7 +108,8 @@
          return unsigned
      # Sign it.
--    signature_xml = get_signature_xml(unsigned, params['RESPONSE_ID'])
++    signature_xml = get_signature_xml(
++        unsigned, params['RESPONSE_ID'], certificate=certificate)
      params['RESPONSE_SIGNATURE'] = signature_xml
      signed = template.substitute(params)
 === modified file 'idptest/saml2idp/xml_signing.py'
 --- idptest/saml2idp/xml_signing.py	2012-07-06 20:22:21 +0000
 +++ idptest/saml2idp/xml_signing.py	2017-12-11 19:14:27 +0000
@@ -13,6 +13,10 @@
  from xml_templates import SIGNED_INFO, SIGNATURE
  def load_cert_data(certificate_file):
++    """Backward-compatible alias for load_cert_data_from_file."""
++    return load_cert_data_from_file(certificate_file)
++
++def load_cert_data_from_file(certificate_file):
      """
      Returns the certificate data out of the certificate_file.
      """
@@ -20,16 +24,31 @@
      cert_data = ''.join(certificate.as_pem().split('\n')[1:-2])
      return cert_data
--def get_signature_xml(subject, reference_uri):
++def load_cert_data_from_string(certificate):
++    """
++    Returns the certificate data out of the certificate string.
++    """
++    certificate = M2Crypto.X509.load_cert_string(certificate)
++    cert_data = ''.join(certificate.as_pem().split('\n')[1:-2])
++    return cert_data
++
++def get_signature_xml(subject, reference_uri, certificate=None):
      """
      Returns XML Signature for subject.
++
++    If certificate is a string, it will be included in the SAML assertion
++    instead of the globally-defined certificate. This allows, for example,
++    overriding the certificate on a per-SP basis.
      """
      config = saml2idp_metadata.SAML2IDP_CONFIG
      private_key_file = config['private_key_file']
      certificate_file = config['certificate_file']
      logging.debug('get_signature_xml - Begin.')
      logging.debug('Using private key file: ' + private_key_file)
--    logging.debug('Using certificate file: ' + certificate_file)
++    if certificate:
++        logging.debug('Using certificate data: ' + certificate)
++    else:
++        logging.debug('Using certificate file: ' + certificate_file)
      logging.debug('Subject: ' + subject)
      # Hash the subject.
@@ -53,8 +72,10 @@
      logging.debug('RSA Signature: ' + rsa_signature)
      # Load the certificate.
--    cert_data = load_cert_data(certificate_file)
--
++    if certificate:
++        cert_data = load_cert_data_from_string(certificate)
++    else:
++        cert_data = load_cert_data_from_file(certificate_file)
      # Put the signed_info and rsa_signature into the XML signature.
      signed_info_short = signed_info.replace(' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"', '')
      signature_xml = string.Template(SIGNATURE).substitute({
 === modified file 'requirements.txt'
 --- requirements.txt	2012-05-18 15:55:11 +0000
 +++ requirements.txt	2017-12-11 19:14:27 +0000
@@ -1,3 +1,3 @@
--m2crypto>=0.20.1
--Django>=1.1.1
++m2crypto==0.25.1
++Django>=1.1.1,<1.5.0
  BeautifulSoup>=3.2.0