/**
     * Test unmarshalling / marshalling of XML with Extensions element
     */
    public function testExtensionOrdering()
    {
        $document = new DOMDocument();
        $document->loadXML(<<<AUTHNREQUEST
<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_306f8ec5b618f361c70b6ffb1480eade"
  Version="2.0"
  IssueInstant="2004-12-05T09:21:59Z"
  Destination="https://idp.example.org/SAML2/SSO/Artifact"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
  AssertionConsumerServiceURL="https://sp.example.com/SAML2/SSO/Artifact">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:Extensions>
      <myns:AttributeList xmlns:myns="urn:mynamespace">
          <myns:Attribute name="UserName" value=""/>
      </myns:AttributeList>
  </samlp:Extensions>
  <samlp:NameIDPolicy
    AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>
AUTHNREQUEST
);
        $authnRequest = new SAML2_AuthnRequest($document->documentElement);
        $this->assertXmlStringEqualsXmlString($document->C14N(), $authnRequest->toUnsignedXML()->C14N());
    }
Пример #2
0
    public function testMarshalling()
    {
        $fixtureRequestDom = new DOMDocument();
        $fixtureRequestDom->loadXML(<<<XML
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_bec424fa5103428909a30ff1e31168327f79474984"
                    Version="2.0"
                    IssueInstant="2007-12-10T11:39:34Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="http://moodle.bridge.feide.no/simplesaml/saml2/sp/AssertionConsumerService.php">
    <saml:Issuer>urn:mace:feide.no:services:no.feide.moodle</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                        SPNameQualifier="moodle.bridge.feide.no"
                        AllowCreate="true" />
    <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
XML
, LIBXML_NOBLANKS);
        $request = new SAML2_AuthnRequest($fixtureRequestDom->firstChild);
        $context = $request->getRequestedAuthnContext();
        $this->assertEquals('_bec424fa5103428909a30ff1e31168327f79474984', $request->getId());
        $this->assertEquals('urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', $context['AuthnContextClassRef'][0]);
        $requestXml = $requestDocument = $request->toUnsignedXML()->ownerDocument->C14N();
        $fixtureXml = $fixtureRequestDom->C14N();
        $this->assertXmlStringEqualsXmlString($requestXml, $fixtureXml, 'Request after Unmarshalling and re-marshalling remains the same');
    }
 /**
  * @return EngineBlock_Corto_Module_Bindings
  */
 private function mockBindingsModule()
 {
     $spRequest = new SAML2_AuthnRequest();
     $spRequest->setId('SPREQUEST');
     $spRequest->setIssuer('testSp');
     $spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
     $ebRequest = new SAML2_AuthnRequest();
     $ebRequest->setId('EBREQUEST');
     $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
     $dummyLog = new Psr\Log\NullLogger();
     $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummyLog);
     $authnRequestRepository->store($spRequest);
     $authnRequestRepository->store($ebRequest);
     $authnRequestRepository->link($ebRequest, $spRequest);
     $assertion = new SAML2_Assertion();
     $assertion->setAttributes(array('urn:org:openconext:corto:internal:sp-entity-id' => array('testSp'), 'urn:mace:dir:attribute-def:cn' => array(null)));
     $responseFixture = new SAML2_Response();
     $responseFixture->setInResponseTo('EBREQUEST');
     $responseFixture->setAssertions(array($assertion));
     $responseFixture = new EngineBlock_Saml2_ResponseAnnotationDecorator($responseFixture);
     $responseFixture->setOriginalIssuer('testIdP');
     // Mock bindings module
     /** @var EngineBlock_Corto_Module_Bindings $bindingsModuleMock */
     $bindingsModuleMock = Phake::mock('EngineBlock_Corto_Module_Bindings');
     Phake::when($bindingsModuleMock)->receiveResponse()->thenReturn($responseFixture);
     return $bindingsModuleMock;
 }
 public function testToString()
 {
     $request = new SAML2_AuthnRequest();
     $request->setId('TEST123');
     $request->setIssueInstant(0);
     $annotatedRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($request);
     $annotatedRequest->setDebug();
     $this->assertEquals('{"sspMessage":"<?xml version=\\"1.0\\"?>\\n<samlp:AuthnRequest xmlns:samlp=\\"urn:oasis:names:tc:SAML:2.0:protocol\\" xmlns:saml=\\"urn:oasis:names:tc:SAML:2.0:assertion\\" ID=\\"TEST123\\" Version=\\"2.0\\" IssueInstant=\\"1970-01-01T00:00:00Z\\"\\/>\\n","voContext":null,"keyId":null,"explicitVoContext":true,"wasSigned":false,"debug":true,"unsolicited":false,"transparent":false,"deliverByBinding":null}', $annotatedRequest->__toString());
 }
Пример #5
0
 public function testUnmarshalling()
 {
     $authnRequest = new SAML2_AuthnRequest();
     $authnRequest->setRequestedAuthnContext(array('AuthnContextClassRef' => array('accr1', 'accr2'), 'Comparison' => 'better'));
     $authnRequestElement = $authnRequest->toUnsignedXML();
     $requestedAuthnContextElements = SAML2_Utils::xpQuery($authnRequestElement, './saml_protocol:RequestedAuthnContext');
     $this->assertCount(1, $requestedAuthnContextElements);
     $requestedAuthnConextElement = $requestedAuthnContextElements[0];
     $this->assertEquals('better', $requestedAuthnConextElement->getAttribute("Comparison"));
     $authnContextClassRefElements = SAML2_Utils::xpQuery($requestedAuthnConextElement, './saml_assertion:AuthnContextClassRef');
     $this->assertCount(2, $authnContextClassRefElements);
     $this->assertEquals('accr1', $authnContextClassRefElements[0]->textContent);
     $this->assertEquals('accr2', $authnContextClassRefElements[1]->textContent);
 }
 /**
  * @param string $destinationUrl
  * @param string $assertionConsumerServiceURL
  * @param string $issuerUrl
  * @return SAML2_AuthnRequest
  */
 public function create($destinationUrl, $assertionConsumerServiceURL, $issuerUrl)
 {
     $request = new SAML2_AuthnRequest();
     $request->setDestination($destinationUrl);
     $request->setAssertionConsumerServiceURL($assertionConsumerServiceURL);
     $request->setIssuer($issuerUrl);
     $request->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST);
     $request->setNameIdPolicy(array('Format' => SAML2_Const::NAMEID_TRANSIENT, 'AllowCreate' => true));
     return $request;
 }
 /**
  * @param SAML2_AuthnRequest $authnRequest
  * @param SimpleSAML_Configuration $idpConfig
  * @param $nameId
  * @param $issuer
  * @param array $attributes
  * @return SAML2_Response
  */
 public function create(SAML2_AuthnRequest $authnRequest, SimpleSAML_Configuration $idpConfig, $nameId, $issuer, array $attributes)
 {
     /* $returnAttributes contains the attributes we should return. Send them. */
     $assertion = new SAML2_Assertion();
     $assertion->setIssuer($issuer);
     $assertion->setNameId(array('Value' => $nameId, 'Format' => SAML2_Const::NAMEID_UNSPECIFIED));
     $assertion->setNotBefore(time());
     $assertion->setNotOnOrAfter(time() + 5 * 60);
     // Valid audiences is not required so disabled for now
     // $assertion->setValidAudiences(array($authnRequest->getIssuer()));
     $assertion->setAttributes($attributes);
     $assertion->setAttributeNameFormat(SAML2_Const::NAMEFORMAT_UNSPECIFIED);
     $assertion->setAuthnContext(SAML2_Const::AC_PASSWORD);
     $subjectConfirmation = new SAML2_XML_saml_SubjectConfirmation();
     $subjectConfirmation->Method = SAML2_Const::CM_BEARER;
     $subjectConfirmation->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
     $subjectConfirmation->SubjectConfirmationData->NotOnOrAfter = time() + 5 * 60;
     $subjectConfirmation->SubjectConfirmationData->Recipient = $authnRequest->getAssertionConsumerServiceURL();
     $subjectConfirmation->SubjectConfirmationData->InResponseTo = $authnRequest->getId();
     $assertion->setSubjectConfirmation(array($subjectConfirmation));
     $response = new SAML2_Response();
     $response->setRelayState($authnRequest->getRelayState());
     $response->setDestination($authnRequest->getAssertionConsumerServiceURL());
     $response->setIssuer($issuer);
     $response->setInResponseTo($authnRequest->getId());
     $response->setAssertions(array($assertion));
     $this->addSigns($response, $idpConfig);
     return $response;
 }
 /**
  * @param string $samlMessageXml
  * @param string $class
  * @return SAML_Message
  */
 public function deserialize($samlMessageXml, $class)
 {
     $elementName = $this->getElementForClass($class);
     $document = new DOMDocument();
     $document->loadXML($samlMessageXml);
     $messageDomElement = $document->getElementsByTagNameNs('urn:oasis:names:tc:SAML:2.0:protocol', $elementName)->item(0);
     if ($class === 'SAML2_AuthnRequest') {
         return SAML2_AuthnRequest::fromXML($messageDomElement);
     } else {
         if ($class === 'SAML2_Response') {
             return SAML2_Response::fromXML($messageDomElement);
         }
     }
     throw new EngineBlock_Exception('Unknown message type for deserialization?');
 }
 /**
  * @return EngineBlock_Saml2_AuthnRequestAnnotationDecorator
  */
 protected function _createDebugRequest()
 {
     $sspRequest = new SAML2_AuthnRequest();
     $sspRequest->setId($this->_server->getNewId(\OpenConext\Component\EngineBlockFixtures\IdFrame::ID_USAGE_SAML2_REQUEST));
     $sspRequest->setIssuer($this->_server->getUrl('spMetadataService'));
     $request = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($sspRequest);
     $request->setDebug();
     return $request;
 }
Пример #10
0
 /**
  * Build an authentication request based on information in the metadata.
  *
  * @param SimpleSAML_Configuration $spMetadata  The metadata of the service provider.
  * @param SimpleSAML_Configuration $idpMetadata  The metadata of the identity provider.
  */
 public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
 {
     $ar = new SAML2_AuthnRequest();
     if ($spMetadata->hasValue('NameIDPolicy')) {
         $nameIdPolicy = $spMetadata->getString('NameIDPolicy', NULL);
     } else {
         $nameIdPolicy = $spMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT);
     }
     if ($nameIdPolicy !== NULL) {
         $ar->setNameIdPolicy(array('Format' => $nameIdPolicy, 'AllowCreate' => TRUE));
     }
     $ar->setIssuer($spMetadata->getString('entityid'));
     $ar->setDestination($idpMetadata->getString('SingleSignOnService'));
     $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
     $ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
     if ($spMetadata->hasValue('AuthnContextClassRef')) {
         $accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
         $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
     }
     self::addRedirectSign($spMetadata, $idpMetadata, $ar);
     return $ar;
 }
 /**
  * launchkey_form - login form for wp-login.php
  *
  * @since 1.1.0
  *
  * @param string $class A space separated list of classes to set on the "class" attribute of a containing DIV for the login button
  * @param string $id The value to set on the "id" attribute of a containing DIV for the login button
  * @param string $style A string of HTML style code tto set on the "style" attribute of a containing DIV for the login button
  */
 public function launchkey_form($class = '', $id = '', $style = '')
 {
     if (isset($_GET['launchkey_error'])) {
         $this->wp_facade->_echo($this->template->render_template('error', array('error' => 'Error!', 'message' => 'The LaunchKey request was denied or an issue was detected during authentication. Please try again.')));
     } elseif (isset($_GET['launchkey_ssl_error'])) {
         $this->wp_facade->_echo($this->template->render_template('error', array('error' => 'Error!', 'message' => 'There was an error trying to request the LaunchKey servers. If this persists you may need to disable SSL verification.')));
     } elseif (isset($_GET['launchkey_security'])) {
         $this->wp_facade->_echo($this->template->render_template('error', array('error' => 'Error!', 'message' => 'There was a security issue detected and you have been logged out for your safety. Log back in to ensure a secure session.')));
     }
     $container = SAML2_Utils::getContainer();
     $request = new SAML2_AuthnRequest();
     $request->setId($container->generateId());
     //$request->setProviderName( parse_url( $this->wp_facade->home_url( '/' ), PHP_URL_HOST ) );
     $request->setDestination($this->login_url);
     $request->setIssuer($this->entity_id);
     $request->setRelayState($this->wp_facade->admin_url());
     $request->setAssertionConsumerServiceURL($this->wp_facade->wp_login_url());
     $request->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST);
     $request->setIsPassive(false);
     $request->setNameIdPolicy(array('Format' => SAML2_Const::NAMEID_PERSISTENT, 'AllowCreate' => true));
     // Send it off using the HTTP-Redirect binding
     $binding = new SAML2_HTTPRedirect();
     $binding->setDestination($this->login_url);
     $this->wp_facade->_echo($this->template->render_template('launchkey-form', array('class' => $class, 'id' => $id, 'style' => $style, 'login_url' => $binding->getRedirectURL($request), 'login_text' => 'Log in with', 'login_with_app_name' => 'LaunchKey', 'size' => in_array($this->wp_facade->get_locale(), array('fr_FR', 'es_ES')) ? 'small' : 'medium')));
 }
Пример #12
0
 /**
  * Build an authentication request based on information in the metadata.
  *
  * @param SimpleSAML_Configuration $spMetadata  The metadata of the service provider.
  * @param SimpleSAML_Configuration $idpMetadata  The metadata of the identity provider.
  */
 public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
 {
     $ar = new SAML2_AuthnRequest();
     // get the NameIDPolicy to apply. IdP metadata has precedence.
     $nameIdPolicy = array();
     if ($idpMetadata->hasValue('NameIDPolicy')) {
         $nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
     } elseif ($spMetadata->hasValue('NameIDPolicy')) {
         $nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
     }
     if (!is_array($nameIdPolicy)) {
         // handle old configurations where 'NameIDPolicy' was used to specify just the format
         $nameIdPolicy = array('Format' => $nameIdPolicy);
     }
     $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
     $policy = array('Format' => $nameIdPolicy_cf->getString('Format', SAML2_Const::NAMEID_TRANSIENT), 'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true));
     $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
     if ($spNameQualifier !== false) {
         $policy['SPNameQualifier'] = $spNameQualifier;
     }
     $ar->setNameIdPolicy($policy);
     $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
     $ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
     $protbind = $spMetadata->getValueValidate('ProtocolBinding', array(SAML2_Const::BINDING_HTTP_POST, SAML2_Const::BINDING_HOK_SSO, SAML2_Const::BINDING_HTTP_ARTIFACT, SAML2_Const::BINDING_HTTP_REDIRECT), SAML2_Const::BINDING_HTTP_POST);
     /* Shoaib - setting the appropriate binding based on parameter in sp-metadata defaults to HTTP_POST */
     $ar->setProtocolBinding($protbind);
     $ar->setIssuer($spMetadata->getString('entityid'));
     $ar->setAssertionConsumerServiceIndex($spMetadata->getInteger('AssertionConsumerServiceIndex', NULL));
     $ar->setAttributeConsumingServiceIndex($spMetadata->getInteger('AttributeConsumingServiceIndex', NULL));
     if ($spMetadata->hasValue('AuthnContextClassRef')) {
         $accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
         $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
     }
     self::addRedirectSign($spMetadata, $idpMetadata, $ar);
     return $ar;
 }
Пример #13
0
    /**
     * Test for setting IDPEntry values via setIDPList.
     * Tests legacy support (single string), array of attributes, and skipping of unknown attributes.
     */
    public function testIDPlistAttributes()
    {
        // basic AuthnRequest
        $request = new SAML2_AuthnRequest();
        $request->setIssuer('https://gateway.example.org/saml20/sp/metadata');
        $request->setDestination('https://tiqr.example.org/idp/profile/saml2/Redirect/SSO');
        $request->setIDPList(array('Legacy1', array('ProviderID' => 'http://example.org/AAP', 'Name' => 'N00T', 'Loc' => 'https://mies'), array('ProviderID' => 'urn:example:1', 'Name' => 'Voorbeeld', 'Something' => 'Else')));
        $expectedStructureDocument = new DOMDocument();
        $expectedStructureDocument->loadXML(<<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID=""
    Version=""
    IssueInstant=""
    Destination="">
    <saml:Issuer></saml:Issuer>
    <samlp:Scoping><samlp:IDPList>
        <samlp:IDPEntry ProviderID="Legacy1"/>
        <samlp:IDPEntry ProviderID="http://example.org/AAP" Name="N00T" Loc="https://mies"/>
        <samlp:IDPEntry ProviderID="urn:example:1" Name="Voorbeeld"/>
    </samlp:IDPList></samlp:Scoping>
</samlp:AuthnRequest>
AUTHNREQUEST
);
        $expectedStructure = $expectedStructureDocument->documentElement;
        $requestStructure = $request->toUnsignedXML();
        $this->assertEqualXMLStructure($expectedStructure, $requestStructure);
    }
 private function mockGlobals()
 {
     $_POST['ID'] = 'test';
     $_POST['consent'] = 'yes';
     $assertion = new SAML2_Assertion();
     $assertion->setAttributes(array('urn:mace:dir:attribute-def:mail' => '*****@*****.**'));
     $spRequest = new SAML2_AuthnRequest();
     $spRequest->setId('SPREQUEST');
     $spRequest->setIssuer('https://sp.example.edu');
     $spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
     $ebRequest = new SAML2_AuthnRequest();
     $ebRequest->setId('EBREQUEST');
     $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
     $dummySessionLog = new Psr\Log\NullLogger();
     $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummySessionLog);
     $authnRequestRepository->store($spRequest);
     $authnRequestRepository->store($ebRequest);
     $authnRequestRepository->link($ebRequest, $spRequest);
     $sspResponse = new SAML2_Response();
     $sspResponse->setInResponseTo('EBREQUEST');
     $sspResponse->setAssertions(array($assertion));
     $_SESSION['consent']['test']['response'] = new EngineBlock_Saml2_ResponseAnnotationDecorator($sspResponse);
 }
 /**
  * @return string[] EntityIds in Scoping > RequesterID element.
  */
 public function getRequesterIds()
 {
     return $this->sspMessage->getRequesterID();
 }
Пример #16
0
 /**
  * Build an authentication request based on information in the metadata.
  *
  * @param SimpleSAML_Configuration $spMetadata  The metadata of the service provider.
  * @param SimpleSAML_Configuration $idpMetadata  The metadata of the identity provider.
  */
 public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
 {
     $ar = new SAML2_AuthnRequest();
     if ($spMetadata->hasValue('NameIDPolicy')) {
         $nameIdPolicy = $spMetadata->getString('NameIDPolicy', NULL);
     } else {
         $nameIdPolicy = $spMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT);
     }
     if ($nameIdPolicy !== NULL) {
         $ar->setNameIdPolicy(array('Format' => $nameIdPolicy, 'AllowCreate' => TRUE));
     }
     $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
     $ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
     $protbind = $spMetadata->getValueValidate('ProtocolBinding', array(SAML2_Const::BINDING_HTTP_POST, SAML2_Const::BINDING_HOK_SSO, SAML2_Const::BINDING_HTTP_ARTIFACT, SAML2_Const::BINDING_HTTP_REDIRECT), SAML2_Const::BINDING_HTTP_POST);
     /* Shoaib - setting the appropriate binding based on parameter in sp-metadata defaults to HTTP_POST */
     $ar->setProtocolBinding($protbind);
     $ar->setIssuer($spMetadata->getString('entityid'));
     $ar->setAssertionConsumerServiceIndex($spMetadata->getInteger('AssertionConsumerServiceIndex', NULL));
     $ar->setAttributeConsumingServiceIndex($spMetadata->getInteger('AttributeConsumingServiceIndex', NULL));
     if ($spMetadata->hasValue('AuthnContextClassRef')) {
         $accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
         $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
     }
     self::addRedirectSign($spMetadata, $idpMetadata, $ar);
     return $ar;
 }
Пример #17
0
    /**
     * Due to the fact that the symmetric key is generated each time, we cannot test whether or not the resulting XML
     * matches a specific XML, but we can test whether or not the resulting structure is actually correct, conveying
     * all information required to decrypt the NameId.
     */
    public function testThatAnEncryptedNameIdResultsInTheCorrectXmlStructure()
    {
        // the NameID we're going to encrypt
        $nameId = array('Value' => md5('Arthur Dent'), 'Format' => SAML2_Const::NAMEID_ENCRYPTED);
        // basic AuthnRequest
        $request = new SAML2_AuthnRequest();
        $request->setIssuer('https://gateway.stepup.org/saml20/sp/metadata');
        $request->setDestination('https://tiqr.stepup.org/idp/profile/saml2/Redirect/SSO');
        $request->setNameId($nameId);
        // encrypt the NameID
        $key = SAML2_CertificatesMock::getPublicKey();
        $request->encryptNameId($key);
        $expectedStructureDocument = new DOMDocument();
        $expectedStructureDocument->loadXML(<<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID=""
    Version=""
    IssueInstant=""
    Destination="">
    <saml:Issuer></saml:Issuer>
    <saml:Subject>
        <saml:EncryptedID xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
            <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
                <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                    <xenc:EncryptedKey>
                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                        <xenc:CipherData>
                            <xenc:CipherValue></xenc:CipherValue>
                        </xenc:CipherData>
                    </xenc:EncryptedKey>
                </dsig:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue></xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
        </saml:EncryptedID>
    </saml:Subject>
</samlp:AuthnRequest>
AUTHNREQUEST
);
        $expectedStructure = $expectedStructureDocument->documentElement;
        $requestStructure = $request->toUnsignedXML();
        $this->assertEqualXMLStructure($expectedStructure, $requestStructure);
    }
 /**
  * @depends test_login_url_has_valid_auth_request
  * @param SAML2_AuthnRequest $request
  */
 public function test_login_url_request_name_id_policy_format_as_persistent_and_allow_create_as_true(SAML2_AuthnRequest $request)
 {
     $this->assertEquals(array('Format' => SAML2_Const::NAMEID_PERSISTENT, 'AllowCreate' => true), $request->getNameIdPolicy());
 }