perl-net-saml2
diff --git a/‎lib/Net/SAML2.pm‎
Lines changed: 11 additions & 5 deletions b/‎lib/Net/SAML2.pm‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎xt/testapp/README.md‎
Lines changed: 20 additions & 9 deletions b/‎xt/testapp/README.md‎
Lines changed: 20 additions & 9 deletions
diff --git a/‎xt/testapp/lib/Saml2Test.pm‎
Lines changed: 140 additions & 12 deletions b/‎xt/testapp/lib/Saml2Test.pm‎
Lines changed: 140 additions & 12 deletions
@@ -102,25 +102,31 @@ Identity Providers (IdPs).  It has been tested against:
 
 =over
 
-=item GSuite (Google)
+=item Auth0 (requires Net::SAML2 >=0.39)
 
 =item Azure (Microsoft Office 365)
 
-=item OneLogin
+=item GSuite (Google)
 
 =item Jump
 
-=item Mircosoft ADFS
-
 =item Keycloak
 
-=item Auth0 (requires Net::SAML2 >=0.39)
+=item Mircosoft ADFS (not recently tested)
+
+=item Okta
+
+=item OneLogin
 
 =item PingIdentity
 
 Version 0.54 and newer support EncryptedAssertions.  No changes required to existing
 SP applications if EncryptedAssertions are not in use.
 
+=item SAMLTEST.ID (requires Net::SAML2 >=0.63)
+
+=item Shibboleth (requires Net::SAML2 >=0.63)
+
 =back
 
 =head1 MAJOR CAVEATS
 
@@ -50,6 +50,7 @@ The testapp now supports a simplified automatic configuration for testing agains
    2. Download the metadata from your IdP and save it as IdPs/google/metadata.xml
    3. Download the cacert.pem from the IdP and save it as IdPs/google/cacert.pem
    4. Optionally create IdPs/google/config.yml for custom settings for the IdP (if the a custom config.yml does not exist it will refresh the settings from the default config.yml.
+   4. Optionally create IdPs/google/mappings.yml for custom IdP attribute mappings.  If a custom mappings.yml does not does not exist it will use the defaul mappings.
 
 The index page will automatically list each configured Identity Provider as a link to initiate login against that IdP.
 
@@ -66,6 +67,10 @@ IdPs/
     google/
         cacert.pem
         metadata.yml
+    shibboleth
+        cacert.pem
+        metadata.yml
+        mappings.yml (optional)
 
 ### Run lighttpd to deliver metadata.xml
 
@@ -94,15 +99,21 @@ If there is an option to upload the metadata.xml that is probably your first ste
 
 Saml2Test expects the Identity Provider to provide an assertion with the following values:
 
-   1. DN
-   2. CN
-   3. EmailAddress
-   4. FirstName
-   5. Address
-   6. Phone
-   7. EmployeeNumber
-
-Note that DN and CN (and others) may not be available.  That can be customized in views/user.tt if you want to choose other options.  However the Identity Provider must provide the assertion attributes that match the expected names in views/user.tt.
+   1. EmailAddress
+   2. FirstName
+   3. LastName
+   4. Address
+   5. PhoneNumber
+   6. EmployeeNumber
+
+If the Identity Provider does not provide assertion attributes that match the expected names above you can create a custom mapping in IdPs/idp_name/mappings.yml in the following format.  The setting is the name the testapp expects and the value is the attribure name that the IdP provides in the Assertion.
+
+EmailAddress: "urn:oid:0.9.2342.19200300.100.1.3"
+FirstName: "urn:oid:2.5.4.42"
+LastName: "urn:oid:2.5.4.4"
+Address: "urn:oid:2.5.4.9"
+PhoneNumber: "urn:oid:2.5.4.20"
+EmployeeNumber: "urn:oid:0.9.2342.19200300.100.1.1"
 
 ## Debugging
 
 
@@ -21,7 +21,7 @@ use URN::OASIS::SAML2 qw(:bindings :urn);
 
 our $VERSION = '0.2';
 
-get '/' => sub {
+sub load_idps {
     if ( ! -x './IdPs' ) {
         return "<html><pre>You must have a xt/testapp/IdPs directory</pre></html>";
     }
@@ -44,12 +44,23 @@ get '/' => sub {
         push @idps, \%tempidp;
     }
 
-    template 'index', { 'idps' => \@idps, 'sign_metadata' => config->{sign_metadata} };
+    return @idps;
+}
+
+get '/' => sub {
+    my @idps = load_idps();
+
+    template 'index', {
+                        'idps' => \@idps,
+                        'sign_metadata' => config->{sign_metadata},
+                        (defined params->{logout}) ? ('logout' => params->{logout}) : (),
+                    };
 };
 
 get '/login' => sub {
 
     config->{cacert} = 'IdPs/' . params->{idp} . '/cacert.pem';
+    config->{idp_name} = params->{idp};
     config->{idp} = 'http://localhost:8880/IdPs/' . params->{idp} . '/metadata.xml';
     if ( -f 'IdPs/' . params->{idp} . '/config.yml' ) {
         my $config_file = YAML::LoadFile('IdPs/' . params->{idp} . '/config.yml');
@@ -61,7 +72,6 @@ get '/login' => sub {
         for my $key (keys %$config_file) {
             config->{$key} = $config_file->{$key};
         }
-
     }
     my $idp = _idp();
     my $sp = _sp();
@@ -71,6 +81,8 @@ get '/login' => sub {
         defined (config->{is_passive}) ? (is_passive  => config->{is_passive}) : (),
     );
 
+    config->{slo_urls} = $idp->slo_urls();
+
     my $authnreq = $sp->authn_request(
         $idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),
         $idp->format || '', # default format.
@@ -85,7 +97,7 @@ get '/login' => sub {
 };
 
 get '/logout-local' => sub {
-    redirect '/', 302;
+    redirect '/?logout=local', 302;
 };
 
 get '/logout-redirect' => sub {
@@ -144,7 +156,7 @@ get '/logout-soap' => sub {
                          );
 
     my $logoutreq = $sp->logout_request(
-        $idp->entityid, params->{nameid}, $idp->format, params->{session},
+        $slo_url, params->{nameid}, $idp->format || undef, params->{session},
         \%logout_params
     )->as_xml;
 
@@ -164,39 +176,103 @@ get '/logout-soap' => sub {
 
     my $res = $soap->request($logoutreq);
 
-    redirect '/', 302;
+    if ($res) {
+        my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
+            xml => $res
+        );
+        if ($logout->success) {
+            print STDERR "\nLogout Success Status - $logout->{issuer}\n";
+        }
+    }
+    else {
+        return "<html><pre>Bad Logout Response</pre></html>";
+    }
+
+    redirect '/?logout=SOAP', 302;
     return "Redirected\n";
 };
 
 post '/consumer-post' => sub {
     my $post = Net::SAML2::Binding::POST->new(
         cacert => config->{cacert},
     );
+
     my $ret = $post->handle_response(
         params->{SAMLResponse}
     );
 
     if ($ret) {
+
         my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
             xml         => decode_base64(params->{SAMLResponse}),
             key_file    => config->{key},
             cacert      => config->{cacert},
         );
 
+        if (! $assertion->valid(config->{issuer})) {
+            return '<html><pre>Bad Assertion</pre></html>';
+        }
+
         my $name_qualifier      = $assertion->nameid_name_qualifier();
         my $sp_name_qualifier   = $assertion->nameid_sp_name_qualifier();
 
+        my $slo_urls = config->{slo_urls};
+
+        my $user_attributes = get_user_attributes($assertion);
+
         template 'user', {
-                            assertion => $assertion,
+                            user_attributes => $user_attributes,
                             (defined $name_qualifier ? (name_qualifier => $name_qualifier) : ()),
                             (defined $sp_name_qualifier ? (sp_name_qualifier => $sp_name_qualifier) : ()),
+                            (defined $slo_urls ? (slo_urls => $slo_urls) : ()),
+                            message => 'Successful Login via POST',
                          };
     }
     else {
         return "<html><pre>Bad Assertion</pre></html>";
     }
 };
 
+sub get_attribute_map {
+
+    my $attribute_mappings;
+
+    my $file = 'IdPs/' . config->{idp_name} . '/mappings.yml';
+
+    if ( -e $file ) {
+        $attribute_mappings = YAML::LoadFile($file);
+    } else {
+
+        $attribute_mappings->{EmailAddress} = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
+        $attribute_mappings->{FirstName} = 'fname';
+        $attribute_mappings->{LastName} = 'lname';
+        $attribute_mappings->{Address} = 'Address';
+        $attribute_mappings->{PhoneNumber} = 'PhoneNumber';
+        $attribute_mappings->{EmployeeNumber} = 'EmployeeNumber';
+    }
+
+    return $attribute_mappings;
+}
+
+sub get_user_attributes {
+    my $assertion = shift;
+
+    my %user;
+
+    my $map = get_attribute_map();
+    $user{issuer} = $assertion->{issuer};
+    $user{session} = $assertion->{session};
+    $user{nameid} = $assertion->nameid();
+    $user{EmailAddress} = $assertion->{attributes}{$map->{EmailAddress}}[0];
+    $user{FirstName} = $assertion->{attributes}{$map->{FirstName}}[0];
+    $user{LastName} = $assertion->{attributes}{$map->{LastName}}[0];
+    $user{Address} = $assertion->{attributes}{$map->{Address}}[0];
+    $user{PhoneNumber} = $assertion->{attributes}{$map->{PhoneNumber}}[0];
+    $user{EmployeeNumber} = $assertion->{attributes}{$map->{EmployeeNumber}}[0];
+
+    return \%user;
+}
+
 get '/consumer-artifact' => sub {
     my $idp = _idp();
     my $idp_cert = $idp->cert('signing');
@@ -228,13 +304,23 @@ get '/consumer-artifact' => sub {
             xml => $response
         );
 
+        if ( ! $assertion->valid(config->{issuer})) {
+            return '<html><pre>Bad Assertion</pre></html>';
+        }
+
         my $name_qualifier      = $assertion->nameid_name_qualifier();
         my $sp_name_qualifier   = $assertion->nameid_sp_name_qualifier();
 
+        my $slo_urls = config->{slo_urls};
+
+        my $user_attributes = get_user_attributes($assertion);
+
         template 'user', {
-                            assertion => $assertion,
+                            user_attributes => $user_attributes,
                             ($name_qualifier ? (name_qualifier => $name_qualifier) : ()),
                             ($sp_name_qualifier ? (sp_name_qualifier => $sp_name_qualifier) : ()),
+                            slo_urls => ($slo_urls ? $slo_urls : ()),
+                            message => 'Successful Login via SOAP',
                          };
     }
     else {
@@ -255,14 +341,14 @@ get '/sls-redirect-response' => sub {
         my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
             xml => $response
         );
-        if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+        if ($logout->success) {
             print STDERR "\nLogout Success Status - $logout->{issuer}\n";
         }
     }
     else {
         return "<html><pre>Bad Logout Response</pre></html>";
     }
-    redirect $relaystate || '/', 302;
+    redirect $relaystate || '/?logout=redirect', 302;
     return "Redirected\n";
 };
 
@@ -281,15 +367,57 @@ post '/sls-post-response' => sub {
         my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
             xml => decode_base64(params->{SAMLResponse})
         );
-        if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
+        if ($logout->success) {
+            print STDERR "\nLogout Success Status - $logout->{issuer}\n";
+        }
+    }
+    else {
+        return "<html><pre>Bad Logout Response</pre></html>";
+    }
+
+    redirect "/?logout=POST", 302;
+    return "Redirected\n";
+};
+
+get '/sls-consumer-artifact' => sub {
+    my $idp = _idp();
+    my $idp_cert = $idp->cert('signing');
+    my $art_url  = $idp->art_url('urn:oasis:names:tc:SAML:2.0:bindings:SOAP');
+
+    my $artifact = params->{SAMLart};
+
+    my $sp = _sp();
+    my $request = $sp->artifact_request($art_url, $artifact)->as_xml;
+
+    my $ua = LWP::UserAgent->new;
+
+    require LWP::Protocol::https;
+    $ua->ssl_opts( (verify_hostname => config->{ssl_verify_hostname}));
+
+    my $soap = Net::SAML2::Binding::SOAP->new(
+        ua       => $ua,
+        url      => $art_url,
+        key      => config->{key},
+        cert     => config->{cert},
+        idp_cert => $idp_cert,
+    );
+
+    my $response = $soap->request($request);
+
+    if ($response) {
+        my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
+            xml => $response,
+        );
+
+        if ($logout->success) {
             print STDERR "\nLogout Success Status - $logout->{issuer}\n";
         }
     }
     else {
         return "<html><pre>Bad Logout Response</pre></html>";
     }
 
-    redirect '/', 302;
+    redirect "/?logout=SOAP-ARTIFACT", 302;
     return "Redirected\n";
 };