Add SAML AuthN request signing tests (#61582)

- Add a unit test for our signing code
- Change SAML IT to use signed authentication requests for Shibboleth to consume

Backport of #48444

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthnRequestBuilderTests.java

@@ -16,8 +16,6 @@ import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.core.NameID;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml.saml2.metadata.SingleSignOnService;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -38,17 +36,7 @@ public class SamlAuthnRequestBuilderTests extends SamlTestCase {
     @Before
     public void init() throws Exception {
         SamlUtils.initialize(logger);
-
+        idpDescriptor = buildIdPDescriptor(IDP_URL, IDP_ENTITY_ID);
-        final SingleSignOnService sso = SamlUtils.buildObject(SingleSignOnService.class, SingleSignOnService.DEFAULT_ELEMENT_NAME);
-        sso.setLocation(IDP_URL);
-        sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
-
-        final IDPSSODescriptor idpRole = SamlUtils.buildObject(IDPSSODescriptor.class, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
-        idpRole.getSingleSignOnServices().add(sso);
-
-        idpDescriptor = SamlUtils.buildObject(EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME);
-        idpDescriptor.setEntityID(IDP_ENTITY_ID);
-        idpDescriptor.getRoleDescriptors().add(idpRole);
     }
 
     public void testBuildRequestWithPersistentNameAndNoForceAuth() throws Exception {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRedirectTests.java

@@ -7,9 +7,11 @@ package org.elasticsearch.xpack.security.authc.saml;
 
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
+import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.Issuer;
 import org.opensaml.saml.saml2.core.LogoutRequest;
 import org.opensaml.saml.saml2.core.NameID;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.security.x509.X509Credential;
 
 import java.io.UnsupportedEncodingException;
@@ -19,7 +21,9 @@ import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
 import java.security.SignatureException;
+import java.time.Clock;
 import java.util.Base64;
+import java.util.Collections;
 
 import static java.util.Collections.emptySet;
 import static java.util.Collections.singleton;
@@ -29,6 +33,9 @@ import static org.hamcrest.Matchers.startsWith;
 public class SamlRedirectTests extends SamlTestCase {
 
     private static final String IDP_ENTITY_ID = "https://idp.test/";
+    private static final String SP_ENTITY_ID = "https://sp.example.com/";
+    private static final String ACS_URL = "https://sp.example.com/saml/acs";
+    private static final String IDP_URL = "https://idp.test/saml/sso/redirect";
     private static final String LOGOUT_URL = "https://idp.test/saml/logout";
 
     private static final SigningConfiguration NO_SIGNING = new SigningConfiguration(emptySet(), null);
@@ -87,16 +94,32 @@ public class SamlRedirectTests extends SamlTestCase {
         final SamlRedirect redirect = new SamlRedirect(buildLogoutRequest(LOGOUT_URL + "?"), spConfig);
         final String url = redirect.getRedirectUrl();
         final String queryParam = url.split("\\?")[1].split("&Signature")[0];
-        final String params[] = url.split("\\?")[1].split("&");
+        final String signature = validateUrlAndGetSignature(redirect.getRedirectUrl());
-        assert (params.length == 3);
+        assertThat(validateSignature(queryParam,  signature, credential), equalTo(true));
-        String sigAlg = parseAndUrlDecodeParameter(params[1]);
+        assertThat(validateSignature(queryParam,  signature, invalidCredential), equalTo(false));
-        // We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
+        assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), signature, credential), equalTo(false));
-        assertThat(sigAlg, equalTo("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
+    }
-        sigAlg = "SHA256withRSA";
+
-        final String signature = parseAndUrlDecodeParameter(params[2]);
+    public void testAuthnRequestSigning() throws Exception {
-        assertThat(validateSignature(queryParam, sigAlg, signature, credential), equalTo(true));
+        final X509Credential credential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
-        assertThat(validateSignature(queryParam, sigAlg, signature, invalidCredential), equalTo(false));
+        X509Credential invalidCredential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
-        assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), sigAlg, signature, credential), equalTo(false));
+        while (invalidCredential.getEntityCertificate().getSerialNumber().equals(credential.getEntityCertificate().getSerialNumber())) {
+            invalidCredential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
+        }
+        final SigningConfiguration signingConfig = new SigningConfiguration(singleton("*"), credential);
+        SpConfiguration sp = new SpConfiguration(SP_ENTITY_ID, ACS_URL, LOGOUT_URL, signingConfig, null, Collections.emptyList());
+
+        EntityDescriptor idpDescriptor = buildIdPDescriptor(IDP_URL, IDP_ENTITY_ID);
+
+        final SamlRedirect redirect = new SamlRedirect(new SamlAuthnRequestBuilder(sp, SAMLConstants.SAML2_POST_BINDING_URI,
+            idpDescriptor, SAMLConstants.SAML2_REDIRECT_BINDING_URI, Clock.systemUTC()).build(), signingConfig);
+        final String url = redirect.getRedirectUrl();
+        final String queryParam = url.split("\\?")[1].split("&Signature")[0];
+        final String signature = validateUrlAndGetSignature(redirect.getRedirectUrl());
+        assertThat(validateSignature(queryParam, signature, credential), equalTo(true));
+        assertThat(validateSignature(queryParam, signature, invalidCredential), equalTo(false));
+        assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), signature, credential),
+            equalTo(false));
     }
 
     private String parseAndUrlDecodeParameter(String parameter) throws UnsupportedEncodingException {
@@ -104,16 +127,25 @@ public class SamlRedirectTests extends SamlTestCase {
         return URLDecoder.decode(value, "UTF-8");
     }
 
-    private boolean validateSignature(String queryParam, String sigAlg, String signature, X509Credential credential) {
+    private String validateUrlAndGetSignature(String url) throws UnsupportedEncodingException {
+        final String params[] = url.split("\\?")[1].split("&");
+        assert (params.length == 3);
+        String sigAlg = parseAndUrlDecodeParameter(params[1]);
+        // We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
+        assertThat(sigAlg, equalTo("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
+        return parseAndUrlDecodeParameter(params[2]);
+    }
+
+    private boolean validateSignature(String queryParam, String signature, X509Credential credential) {
         try {
-            Signature sig = Signature.getInstance(sigAlg);
+            // We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
+            Signature sig = Signature.getInstance("SHA256withRSA");
             sig.initVerify(credential.getPublicKey());
             sig.update(queryParam.getBytes(StandardCharsets.UTF_8));
             return sig.verify(Base64.getDecoder().decode(signature));
         } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
             return false;
         }
-
     }
 
     private LogoutRequest buildLogoutRequest(String logoutUrl) {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java

@@ -16,6 +16,10 @@ import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
 import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml.saml2.metadata.SingleSignOnService;
 import org.opensaml.security.credential.Credential;
 import org.opensaml.security.x509.impl.X509KeyManagerX509CredentialAdapter;
 
@@ -135,4 +139,18 @@ public abstract class SamlTestCase extends ESTestCase {
         assertThat("Exception " + exception + " should be a SAML exception", SamlUtils.isSamlException(exception), is(true));
         return exception;
     }
+
+    protected EntityDescriptor buildIdPDescriptor(String idpUrl, String idpEntityId) {
+        final SingleSignOnService sso = SamlUtils.buildObject(SingleSignOnService.class, SingleSignOnService.DEFAULT_ELEMENT_NAME);
+        sso.setLocation(idpUrl);
+        sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+
+        final IDPSSODescriptor idpRole = SamlUtils.buildObject(IDPSSODescriptor.class, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+        idpRole.getSingleSignOnServices().add(sso);
+
+        EntityDescriptor idpDescriptor = SamlUtils.buildObject(EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME);
+        idpDescriptor.setEntityID(idpEntityId);
+        idpDescriptor.getRoleDescriptors().add(idpRole);
+        return idpDescriptor;
+    }
 }

x-pack/qa/saml-idp-tests/build.gradle

@@ -14,7 +14,8 @@ testFixtures.useFixture ":x-pack:test:idp-fixture"
 
 String outputDir = "${project.buildDir}/generated-resources/${project.name}"
 def copyIdpFiles = tasks.register("copyIdpFiles", Copy) {
-  from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml');
+  from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml',
+    'idp/shibboleth-idp/credentials/sp-signing.key', 'idp/shibboleth-idp/credentials/sp-signing.crt');
   into outputDir
 }
 project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpFiles)
@@ -58,6 +59,8 @@ testClusters.integTest {
   setting 'xpack.security.authc.realms.saml.shibboleth.sp.acs', 'http://localhost:54321/saml/acs1'
   setting 'xpack.security.authc.realms.saml.shibboleth.attributes.principal', 'uid'
   setting 'xpack.security.authc.realms.saml.shibboleth.attributes.name', 'urn:oid:2.5.4.3'
+  setting 'xpack.security.authc.realms.saml.shibboleth.signing.key', 'sp-signing.key'
+  setting 'xpack.security.authc.realms.saml.shibboleth.signing.certificate', 'sp-signing.crt'
   // SAML realm 2 (uses authorization_realms)
   setting 'xpack.security.authc.realms.saml.shibboleth_native.order', '2'
   setting 'xpack.security.authc.realms.saml.shibboleth_native.idp.entity_id', 'https://test.shibboleth.elastic.local/'
@@ -66,6 +69,8 @@ testClusters.integTest {
   setting 'xpack.security.authc.realms.saml.shibboleth_native.sp.acs', 'http://localhost:54321/saml/acs2'
   setting 'xpack.security.authc.realms.saml.shibboleth_native.attributes.principal', 'uid'
   setting 'xpack.security.authc.realms.saml.shibboleth_native.authorization_realms', 'native'
+  setting 'xpack.security.authc.realms.saml.shibboleth_native.signing.key', 'sp-signing.key'
+  setting 'xpack.security.authc.realms.saml.shibboleth_native.signing.certificate', 'sp-signing.crt'
   // SAML realm 3 (used for negative tests with multiple realms)
   setting 'xpack.security.authc.realms.saml.shibboleth_negative.order', '3'
   setting 'xpack.security.authc.realms.saml.shibboleth_negative.idp.entity_id', 'https://test.shibboleth.elastic.local/'
@@ -74,12 +79,16 @@ testClusters.integTest {
   setting 'xpack.security.authc.realms.saml.shibboleth_negative.sp.acs', 'http://localhost:54321/saml/acs3'
   setting 'xpack.security.authc.realms.saml.shibboleth_negative.attributes.principal', 'uid'
   setting 'xpack.security.authc.realms.saml.shibboleth_negative.authorization_realms', 'native'
+  setting 'xpack.security.authc.realms.saml.shibboleth_negative.signing.key', 'sp-signing.key'
+  setting 'xpack.security.authc.realms.saml.shibboleth_negative.signing.certificate', 'sp-signing.crt'
   setting 'xpack.security.authc.realms.native.native.order', '4'
 
   setting 'xpack.ml.enabled', 'false'
   setting 'logger.org.elasticsearch.xpack.security', 'TRACE'
 
   extraConfigFile 'idp-metadata.xml', file(outputDir + "/idp-metadata.xml")
+  extraConfigFile 'sp-signing.key', file(outputDir + "/sp-signing.key")
+  extraConfigFile 'sp-signing.crt', file(outputDir + "/sp-signing.crt")
 
   user username: "test_admin", password: 'x-pack-test-password'
 }

x-pack/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java

@@ -156,7 +156,6 @@ public class SamlAuthenticationIT extends ESRestTestCase {
      * <li>Uses that token to verify the user details</li>
      * </ol>
      */
-
     public void testLoginUserWithSamlRoleMapping() throws Exception {
         // this realm name comes from the config in build.gradle
         final Tuple<String, String> authTokens = loginViaSaml("shibboleth");

x-pack/test/idp-fixture/docker-compose.yml

@@ -37,6 +37,7 @@ services:
     volumes:
       - ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf
       - ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials
+      - ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata
       - ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini
 
   oidc-provider:

x-pack/test/idp-fixture/idp/shibboleth-idp/conf/idp.properties

@@ -57,6 +57,7 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
 #idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
 #idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
 
+
 # Sets the bean ID to use as a default security configuration set
 #idp.security.config = shibboleth.DefaultSecurityConfiguration
 
@@ -72,13 +73,13 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
 #idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
 # To pick only one set to one of:
 #   shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
-#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+#idp.trust.certificates = shibboleth.ExplicitKeyX509TrustEngine
 # To pick only one set to one of:
 #   shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
 
 # If true, encryption will happen whenever a key to use can be located, but
 # failure to encrypt won't result in request failure.
-#idp.encryption.optional = false
+idp.encryption.optional = true
 
 # Configuration of client- and server-side storage plugins
 #idp.storage.cleanupInterval = PT10M

x-pack/test/idp-fixture/idp/shibboleth-idp/conf/metadata-providers.xml

@@ -59,9 +59,11 @@
     responsibility to ensure that the contents on disk are trustworthy.
     -->
     
-    <!--
+    <!-- One metadada file per realm that we use in our elasticsearch/x-pack/qa/saml-idp-tests/build.gradle -->
-    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
+    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata.xml"/>
-    -->
+    <MetadataProvider id="LocalMetadata2"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata2.xml"/>
+    <MetadataProvider id="LocalMetadata3"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata3.xml"/>
+
 
 
     <!--

x-pack/test/idp-fixture/idp/shibboleth-idp/credentials/sp-signing.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTEx
+MTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym42c5
+E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+
+uyVbpKDGjtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FU
+vaxxd36mjwbsZCXIjkOsi+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOU
+HSH/pnBFiXciU6bVHcZA3IRYnxzaTT2EQZEXyryfQuk3TWe9YvVusXs6kd9uW4x+
+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yOkGXqReesodPZYBC4OOaG
+rZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1gewF6jlhBw
+HEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a
+9CTjq+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ
+18iOCpmd0n/E6ZPyugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUN
+KYyRhoxwkPRa9dzuogdDo41lz95xwikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbS
+PQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl5KW1vL44+m0LnMAwHwYDVR0j
+BBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
+rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99l
+QJpPuJ8eFM/B2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVx
+CHBC66K+oYydbuUgzR+WGrEhIkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmM
+zSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8bQRaYnm6aV3kCb1Qv/Wadqk/7oeie
+J16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28bM+uH/UOp6CTgODp
+OYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik3z7T
+M4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVu
+C9pRcZXpVgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz
+4wgyJjVe88Cld/4VhPj2JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnK
+BOe4cVwR3qN0Hi7WqK8loakPVNnnpu7kGUvBKOeiKrXCBMgslffMbTw2ViTtEJo=
+-----END CERTIFICATE-----

x-pack/test/idp-fixture/idp/shibboleth-idp/credentials/sp-signing.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCeNmv5oV+QsORg
+lGd62oSAklrevH8sbiMW6wym42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtL
+Usjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDGjtrXZowGnUXPz7hsM2yofRiDUIjT
+sujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOsi+jW/bM9RWQd3KF3
+8Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2EQZEX
+yryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94m
+rLDtG+yOkGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/U
+cAVsANJqQUfFqe7pr1gewF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+M
+QpckffdmvF4WHwGAJvRf4AXW+G3a9CTjq+E5I29+dWSvuMIIY/howKxQ9Q+IQhZY
+GhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPyugCSlVZzSjSP+i/xz3c9
+rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95xwikxDunT
+SUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABAoICADdxLsldyZV0x7MojlK4/LHp
+l7pyJ8a0GcvQNrDNA8E2pddNlblwShsuoNGA5UNkNxfeSYx+GNR6SdKNgil0kSaF
+vMuJrm+TeRTyw8rYv/67Kk5BFK5AJWRSZUN0HaDDVAdmxe8NV2e88xXsnj7t1HCz
+lOU/39intwODYKFPGgiuJx3kGBfaCz0Po0XyxLhUlxWv9f3EsV7dkB/tmIlG/qLD
+d0Q0Z/eI4nzDL/y1spgW1XE3LCTSFVOMKOyJ8I2OOTqtF3lQk/wi1euWeh79Xaip
+kW8GnKdbvqk5sSiFIGifrvuuwfa782vssOUrEvYNiKsoSaSJ9N82XSUEY0PUA0Mt
+HzMbJHS1kGHBsDJ2u4s6CUYXkztaiLg1TCsXn13KVdhWF8flAddVWp7KPgWQqWkf
+ymivfAMNtDmSUTjMbsAYyRm228JVMemNLsxh98lUnyxK9pjbzylygSTArm0yGA8S
+RtPT4bAlmPHiNUeSL7GSXAXS71q9sfza3NRAwgUY2t9Y3dpwHn76ptxijBary/vj
+CCjn8YBBCgdZ4TNUkzpHHzSmyXOGCdImsYpvHvOR0rlgnEPCti+JZhOjWJgOVD33
+U8r6CMM+YoO5W5ukUr4g3sBasyoPFj3GV0Cp9J9i9QVK3Ruk2kbSa0yhTZzjprBx
+GElDj1Qj74TycxwIQEupAoIBAQDRuIOt4Th3Ni0r8QdsT0h4Yj2MTq9cOIwYHiGT
+ivFz6zaupxUbQSTPNeF97UtO+Jv0VHgjnfPQ8B52bruGnvHd5uEi5GPNTfEhPSCr
+WCHM8YzIXoIF/tC6QscLwLcfwJsD6Di1wdaIXAnjt/hP4NxwxQgx7jJte9y9lCEq
+eV30kASJgyZ+pk0ehLy1fyzVUiF31rfHVnhpKMeIjlubWv6IXjVOqEjJXaqVH2jr
+A4hhyuXmkTgYxVwTd/IjLNwLZdrWZtgDZIWYHwplp1byAtqH+vdMFafEhIQ9puQ+
+MWu4ByKc1smvlWILJ5NrG/MUajNWji7oCG13dx3m/uxSvFcTAoIBAQDBIB9LXJOU
+B//fHjH7RiN1v3PqU9NBZt4hIPg72+kZrdfKHaTcVidaII65rovagP1ZdmKdpm3Q
+DpxoDBiCN4urco22tb7wGGraPk3iQMHFoJrusqzqWDSYxFW5iH1HruyZpsbAsMJD
+HH/c4RQO3YWuGAv/1TkVRZ9NAiukh7EofdBGzDVXnOVW6coxuhZmE0NERne66ifl
+vFDC3Ubky137pBcUM+udJjPq4AbNerPTkSJ5toMHzpHnipj98+i8l5GYMgNom/O7
+Y9Lh4AXDY2FAeCbMDEz0HdUboU6pmcTXWBEg8fV/3NMWMcYXl/GEKF3LRQVpKP+E
+eKKXyEuI+8tvAoIBAQCn3hO42LAD7B+YLqQMdCHECo7NgiYnoTOyElw551uBt+Lb
+Re5FFI3MNoq563j+S00582r+x23j7m/TyKreBNgBEM9gyIOCUEMUogNGY5MaorZX
+pB5bgi29Cbqdk7KA/gCWzgimo/N+zn00A4wFFC4fLfdzUACZVi3IqYsqnl8wZR7c
+m1fyxFayePk8JgHS9pzHed089+AF/JhKm/iDkABxU0dEILuyQwFJwAyRIRDHhksj
+lVXbrg4Xn0j4Eu5HSU4zk7qQbKPqsd32pE2aBeK6OY49HpBdYt0fJDlJ9vEMKtnv
+xJVHsED8QL9lWsflrWROghzVqflFSNlsjtzHFO51AoIBAQCubAqXj9ch3U+0/Zp6
+rNAd6noQawDjkrqQBSztMyKGNMIuIzPgZFdKSRlejkx1XgZzJD7Qz51iSa/tMO95
+vB0DDYT8PY1jX0oyLg89hur7SKBlcS5GwL9QMhKSbLlpYo0CAOSE55+r6TN6FDZ/
+bobrw4Ai4TqbAbRsYsdz47GXNnpDVu/eXy+qnaAl5UGRk1gvc81zHURHcxslw5/h
+x+LsATlu362u0vAU85xxPJ7pN62Ba9tP07tm+YBP7FiI7ANtB86YTjGFTxUJN8E8
+xKbzCRFRPNLLr53nRHq9JsnnC/z8Wks13gUviGi2ql5Q0/xSN9Y5MfQEeseuehHu
+eCs1AoIBAB7xSu5160Nf2Bc7bgPZC9HuJC6kzjmfb9MDLJkAHCyWxyu6s9T2Bgfg
+k1CYpUxbDeegGHVuLE3uPgPhrJSQcwNxRGYepzHU+S785ROoSheaaQutvmUifmNB
+30uNtw+cBHxCfpX86XC4tdBgRbgzdhfvdyX9wWxkO8drl11jI/aKmsrwg2+Zcf3t
+ydwALh51eOyiCGDl957I0oHEMDxc/dmBQk2KhZkbxYCwSb0N2Q42eQi44o5FZRWA
+bdl9qzMWmbWx6DwnznFjeOBJp7flh9c1xFn8q6ryzBDilUP0R+l1g7BiXrCfmaGB
+RrUiXgUEGJ6fmJUv9GjuMOY0CRq07GA=
+-----END PRIVATE KEY-----

x-pack/test/idp-fixture/idp/shibboleth-idp/metadata/README.asciidoc

@@ -0,0 +1,14 @@
+Metadata for the SPs can be generated by using the saml realm configurations in
+`elasticsearch/x-pack/qa/saml-idp-tests/build.gradle` in a
+local elasticsearch installation and running:
+
+[source, sh]
+--------------------
+bin/elasticsearch-saml-metadata -realm <thenameoftherealm>
+--------------------
+
+The XML file then needs to be copied to /idp/shibboleth-idp/metadata and referenced in the configuration ( `metadata-providers.xml`) as
+
+```
+ <MetadataProvider id="someidhere"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/<thefilename>.xml"/>
+```

x-pack/test/idp-fixture/idp/shibboleth-idp/metadata/sp-metadata.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://mock1.http.elastic.local/">
+    <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:KeyDescriptor use="signing">
+            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                <ds:X509Data>
+                    <ds:X509Certificate>MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQELBQAwRTELMAkG
+                        A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
+                        UHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTExMTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMw
+                        EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIi
+                        MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym
+                        42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDG
+                        jtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOs
+                        i+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2E
+                        QZEXyryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yO
+                        kGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1ge
+                        wF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a9CTj
+                        q+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPy
+                        ugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95x
+                        wikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl
+                        5KW1vL44+m0LnMAwHwYDVR0jBBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUw
+                        AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
+                        rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99lQJpPuJ8eFM/B
+                        2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVxCHBC66K+oYydbuUgzR+WGrEh
+                        IkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmMzSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8b
+                        QRaYnm6aV3kCb1Qv/Wadqk/7oeieJ16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28
+                        bM+uH/UOp6CTgODpOYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik
+                        3z7TM4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVuC9pRcZXp
+                        VgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz4wgyJjVe88Cld/4VhPj2
+                        JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnKBOe4cVwR3qN0Hi7WqK8loakPVNnnpu7k
+                        GUvBKOeiKrXCBMgslffMbTw2ViTtEJo=</ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </md:KeyDescriptor>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:54321/saml/acs1" index="1" isDefault="true"/>
+        <md:AttributeConsumingService index="1" isDefault="true">
+            <md:ServiceName xml:lang="en-US">elasticsearch</md:ServiceName>
+            <md:RequestedAttribute FriendlyName="name" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+            <md:RequestedAttribute FriendlyName="uid" Name="0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+        </md:AttributeConsumingService>
+    </md:SPSSODescriptor>
+</md:EntityDescriptor>

x-pack/test/idp-fixture/idp/shibboleth-idp/metadata/sp-metadata2.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="somethingwronghere">
+  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQELBQAwRTELMAkG
+A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTExMTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym
+42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDG
+jtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOs
+i+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2E
+QZEXyryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yO
+kGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1ge
+wF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a9CTj
+q+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPy
+ugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95x
+wikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl
+5KW1vL44+m0LnMAwHwYDVR0jBBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUw
+AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
+rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99lQJpPuJ8eFM/B
+2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVxCHBC66K+oYydbuUgzR+WGrEh
+IkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmMzSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8b
+QRaYnm6aV3kCb1Qv/Wadqk/7oeieJ16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28
+bM+uH/UOp6CTgODpOYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik
+3z7TM4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVuC9pRcZXp
+VgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz4wgyJjVe88Cld/4VhPj2
+JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnKBOe4cVwR3qN0Hi7WqK8loakPVNnnpu7k
+GUvBKOeiKrXCBMgslffMbTw2ViTtEJo=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:54321/saml/acs3" index="1" isDefault="true"/>
+    <md:AttributeConsumingService index="1" isDefault="true">
+      <md:ServiceName xml:lang="en-US">elasticsearch</md:ServiceName>
+      <md:RequestedAttribute FriendlyName="uid" Name="0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+    </md:AttributeConsumingService>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>

x-pack/test/idp-fixture/idp/shibboleth-idp/metadata/sp-metadata3.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://mock2.http.elastic.local/">
+  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQELBQAwRTELMAkG
+A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTExMTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMw
+EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym
+42c5E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+uyVbpKDG
+jtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FUvaxxd36mjwbsZCXIjkOs
+i+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOUHSH/pnBFiXciU6bVHcZA3IRYnxzaTT2E
+QZEXyryfQuk3TWe9YvVusXs6kd9uW4x+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yO
+kGXqReesodPZYBC4OOaGrZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1ge
+wF6jlhBwHEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a9CTj
+q+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ18iOCpmd0n/E6ZPy
+ugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUNKYyRhoxwkPRa9dzuogdDo41lz95x
+wikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbSPQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl
+5KW1vL44+m0LnMAwHwYDVR0jBBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUw
+AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
+rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99lQJpPuJ8eFM/B
+2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVxCHBC66K+oYydbuUgzR+WGrEh
+IkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmMzSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8b
+QRaYnm6aV3kCb1Qv/Wadqk/7oeieJ16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28
+bM+uH/UOp6CTgODpOYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik
+3z7TM4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVuC9pRcZXp
+VgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz4wgyJjVe88Cld/4VhPj2
+JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnKBOe4cVwR3qN0Hi7WqK8loakPVNnnpu7k
+GUvBKOeiKrXCBMgslffMbTw2ViTtEJo=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:54321/saml/acs2" index="1" isDefault="true"/>
+    <md:AttributeConsumingService index="1" isDefault="true">
+      <md:ServiceName xml:lang="en-US">elasticsearch</md:ServiceName>
+      <md:RequestedAttribute FriendlyName="uid" Name="0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
+    </md:AttributeConsumingService>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>