def test_authn_response_no_name_id(self, context, idp_conf, sp_conf): response_binding = BINDING_HTTP_REDIRECT fakesp_conf = SPConfig().load(sp_conf, metadata_construction=False) fakesp = FakeSP(fakesp_conf) fakeidp_conf = IdPConfig().load(idp_conf, metadata_construction=False) fakeidp = FakeIdP(USERS, config=fakeidp_conf) destination, request_params = fakesp.make_auth_req( idp_conf["entityid"]) # Use the fake IdP to mock up an authentication request that has no # <NameID> element. url, auth_resp = fakeidp.handle_auth_req_no_name_id( request_params["SAMLRequest"], request_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) backend = self.samlbackend context.request = auth_resp context.state[backend.name] = { "relay_state": request_params["RelayState"], } backend.authn_response(context, response_binding) context, internal_resp = backend.auth_callback_func.call_args[0] self.assert_authn_response(internal_resp) assert backend.name not in context.state
def test_authn_response_no_name_id(self, context, idp_conf, sp_conf): response_binding = BINDING_HTTP_REDIRECT fakesp_conf = SPConfig().load(sp_conf, metadata_construction=False) fakesp = FakeSP(fakesp_conf) fakeidp_conf = IdPConfig().load(idp_conf, metadata_construction=False) fakeidp = FakeIdP(USERS, config=fakeidp_conf) destination, request_params = fakesp.make_auth_req( idp_conf["entityid"]) # Use the fake IdP to mock up an authentication request that has no # <NameID> element. url, auth_resp = fakeidp.handle_auth_req_no_name_id( request_params["SAMLRequest"], request_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) backend = self.samlbackend context.request = auth_resp context.state[backend.name] = { "relay_state": request_params["RelayState"], } backend.authn_response(context, response_binding) context, internal_resp = backend.auth_callback_func.call_args[0] assert_authn_response(internal_resp) assert backend.name not in context.state
def test_authn_response(self, context, idp_conf, sp_conf): response_binding = BINDING_HTTP_REDIRECT fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False)) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) destination, request_params = fakesp.make_auth_req( idp_conf["entityid"]) url, auth_resp = fakeidp.handle_auth_req( request_params["SAMLRequest"], request_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) context.request = auth_resp context.state[self.samlbackend.name] = { "relay_state": request_params["RelayState"] } self.samlbackend.authn_response(context, response_binding) context, internal_resp = self.samlbackend.auth_callback_func.call_args[ 0] self.assert_authn_response(internal_resp) assert self.samlbackend.name not in context.state
def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_config, idp_conf): subject_id = "testuser1" # proxy config satosa_config_dict["FRONTEND_MODULES"] = [oidc_frontend_config] satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config] satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name], "saml": [attr_name]} for attr_name in USERS[subject_id]} _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict)) # application test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), Response) # get frontend OP config info provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8")) # create auth req claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[subject_id]})) req_args = {"scope": "openid", "response_type": "id_token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "nonce": "nonce", "claims": claims_request.to_json()} auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args) # make auth req to proxy proxied_auth_req = test_client.get(auth_req) assert proxied_auth_req.status == "303 See Other" # config test IdP backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0]) idp_conf["metadata"]["inline"].append(backend_metadata_str) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf)) # create auth resp req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query)) url, authn_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, subject_id, response_binding=BINDING_HTTP_REDIRECT) # make auth resp to proxy authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp) authn_resp = test_client.get(authn_resp_req) assert authn_resp.status == "303 See Other" # verify auth resp from proxy resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).fragment)) signing_key = RSAKey(key=rsa_load(oidc_frontend_config["config"]["signing_key_path"]), use="sig", alg="RS256") id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key]) assert all( (name, values) in id_token_claims.items() for name, values in OIDC_USERS[subject_id].items() )
def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_config, idp_conf): user_id = "testuser1" # proxy config satosa_config_dict["FRONTEND_MODULES"] = [oidc_frontend_config] satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config] satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name], "saml": [attr_name]} for attr_name in USERS[user_id]} _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict)) # application test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), BaseResponse) # get frontend OP config info provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8")) # create auth req claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[user_id]})) req_args = {"scope": "openid", "response_type": "id_token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "nonce": "nonce", "claims": claims_request.to_json()} auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args) # make auth req to proxy proxied_auth_req = test_client.get(auth_req) assert proxied_auth_req.status == "303 See Other" # config test IdP backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0]) idp_conf["metadata"]["inline"].append(backend_metadata_str) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) # create auth resp req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query)) url, authn_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, user_id, response_binding=BINDING_HTTP_REDIRECT) # make auth resp to proxy authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp) authn_resp = test_client.get("/" + authn_resp_req) assert authn_resp.status == "303 See Other" # verify auth resp from proxy resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).fragment)) signing_key = RSAKey(key=rsa_load(oidc_frontend_config["config"]["signing_key_path"]), use="sig", alg="RS256") id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key]) assert all((k, v[0]) in id_token_claims.items() for k, v in USERS[user_id].items())
def setup(self): """ Initiates the test. :return: None """ self.sp = FakeSP(None, config=SPConfig().load( TestConfiguration.get_instance().fake_sp_config, metadata_construction=False)) self.idp = FakeIdP( USERS, IdPConfig().load(TestConfiguration.get_instance().fake_idp_config, metadata_construction=False))
def test_start_auth_disco(self, sp_conf, idp_conf): """ Performs a complete test for the module satosa.backends.saml2. The flow should be accepted. """ samlbackend = SamlBackend(lambda context, internal_resp: (context, internal_resp), INTERNAL_ATTRIBUTES, {"config": sp_conf, "disco_srv": "https://my.dicso.com/role/idp.ds", "state_id": "saml_backend_test_id"}) test_state_key = "test_state_key_456afgrh" response_binding = BINDING_HTTP_REDIRECT fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) internal_req = InternalRequest(UserIdHashType.persistent, "example.se/sp.xml") state = State() state.add(test_state_key, "my_state") context = Context() context.state = state resp = samlbackend.start_auth(context, internal_req) assert resp.status == "303 See Other", "Must be a redirect to the discovery server." disco_resp = parse_qs(urlparse(resp.message).query) info = parse_qs(urlparse(disco_resp["return"][0]).query) info[samlbackend.idp_disco_query_param] = idp_conf["entityid"] context = Context() context.request = info context.state = state resp = samlbackend.disco_response(context) assert resp.status == "303 See Other" req_params = dict(parse_qsl(urlparse(resp.message).query)) url, fake_idp_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) context = Context() context.request = fake_idp_resp context.state = state context, internal_resp = samlbackend.authn_response(context, response_binding) assert isinstance(context, Context), "Not correct instance!" assert context.state.get(test_state_key) == "my_state", "Not correct state!" assert internal_resp.auth_info.auth_class_ref == PASSWORD, "Not correct authentication!" _dict = internal_resp.get_attributes() expected_data = {'surname': ['Testsson 1'], 'mail': ['*****@*****.**'], 'displayname': ['Test Testsson'], 'givenname': ['Test 1'], 'edupersontargetedid': ['one!for!all']} for key in _dict: assert expected_data[key] == _dict[key]
def run_test(self, satosa_config_dict, sp_conf, idp_conf, saml_backend_config, frontend_config): user_id = "testuser1" # proxy config satosa_config_dict["FRONTEND_MODULES"] = [frontend_config] satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config] satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"saml": [attr_name]} for attr_name in USERS[user_id]} frontend_metadata, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict)) # application test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), BaseResponse) # config test SP frontend_metadata_str = str(frontend_metadata[frontend_config["name"]][0]) sp_conf["metadata"]["inline"].append(frontend_metadata_str) fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False)) # create auth req destination, req_args = fakesp.make_auth_req(frontend_metadata[frontend_config["name"]][0].entity_id) auth_req = urlparse(destination).path + "?" + urlencode(req_args) # make auth req to proxy proxied_auth_req = test_client.get(auth_req) assert proxied_auth_req.status == "303 See Other" # config test IdP backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0]) idp_conf["metadata"]["inline"].append(backend_metadata_str) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) # create auth resp req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query)) url, authn_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, user_id, response_binding=BINDING_HTTP_REDIRECT) # make auth resp to proxy authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp) authn_resp = test_client.get("/" + authn_resp_req) assert authn_resp.status == "303 See Other" # verify auth resp from proxy resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).query)) auth_resp = fakesp.parse_authn_request_response(resp_dict["SAMLResponse"], BINDING_HTTP_REDIRECT) assert auth_resp.ava == USERS[user_id]
def test_authn_response(self, context, idp_conf, sp_conf): response_binding = BINDING_HTTP_REDIRECT fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False)) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) destination, request_params = fakesp.make_auth_req(idp_conf["entityid"]) url, auth_resp = fakeidp.handle_auth_req(request_params["SAMLRequest"], request_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) context.request = auth_resp context.state[self.samlbackend.name] = {"relay_state": request_params["RelayState"]} self.samlbackend.authn_response(context, response_binding) context, internal_resp = self.samlbackend.auth_callback_func.call_args[0] self.assert_authn_response(internal_resp) assert self.samlbackend.name not in context.state
def test_full_flow(self, context, idp_conf, sp_conf): test_state_key = "test_state_key_456afgrh" response_binding = BINDING_HTTP_REDIRECT fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) context.state[test_state_key] = "my_state" # start auth flow (redirecting to discovery server) resp = self.samlbackend.start_auth(context, InternalRequest(None, None)) self.assert_redirect_to_discovery_server(resp, sp_conf) # fake response from discovery server disco_resp = parse_qs(urlparse(resp.message).query) info = parse_qs(urlparse(disco_resp["return"][0]).query) info["entityID"] = idp_conf["entityid"] request_context = Context() request_context.request = info request_context.state = context.state # pass discovery response to backend and check that it redirects to the selected IdP resp = self.samlbackend.disco_response(request_context) self.assert_redirect_to_idp(resp, idp_conf) # fake auth response to the auth request req_params = dict(parse_qsl(urlparse(resp.message).query)) url, fake_idp_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) response_context = Context() response_context.request = fake_idp_resp response_context.state = request_context.state # pass auth response to backend and verify behavior self.samlbackend.authn_response(response_context, response_binding) context, internal_resp = self.samlbackend.auth_callback_func.call_args[ 0] assert self.samlbackend.name not in context.state assert context.state[test_state_key] == "my_state" self.assert_authn_response(internal_resp)
def setup(self): """ Initiates the test. :return: None """ self.sp = FakeSP(None, config=SPConfig().load(TestConfiguration.get_instance(). fake_sp_config, metadata_construction=False)) self.idp = FakeIdP(USERS, IdPConfig().load(TestConfiguration.get_instance().fake_idp_config, metadata_construction=False))
def test_full_flow(self, context, idp_conf, sp_conf): test_state_key = "test_state_key_456afgrh" response_binding = BINDING_HTTP_REDIRECT fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) context.state[test_state_key] = "my_state" # start auth flow (redirecting to discovery server) resp = self.samlbackend.start_auth(context, InternalData()) self.assert_redirect_to_discovery_server(resp, sp_conf) # fake response from discovery server disco_resp = parse_qs(urlparse(resp.message).query) info = parse_qs(urlparse(disco_resp["return"][0]).query) info["entityID"] = idp_conf["entityid"] request_context = Context() request_context.request = info request_context.state = context.state # pass discovery response to backend and check that it redirects to the selected IdP resp = self.samlbackend.disco_response(request_context) self.assert_redirect_to_idp(resp, idp_conf) # fake auth response to the auth request req_params = dict(parse_qsl(urlparse(resp.message).query)) url, fake_idp_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) response_context = Context() response_context.request = fake_idp_resp response_context.state = request_context.state # pass auth response to backend and verify behavior self.samlbackend.authn_response(response_context, response_binding) context, internal_resp = self.samlbackend.auth_callback_func.call_args[0] assert self.samlbackend.name not in context.state assert context.state[test_state_key] == "my_state" self.assert_authn_response(internal_resp)
def run_test(self, satosa_config_dict, sp_conf, idp_conf, saml_backend_config, frontend_config): subject_id = "testuser1" # proxy config satosa_config_dict["FRONTEND_MODULES"] = [frontend_config] satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config] satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = { attr_name: { "saml": [attr_name] } for attr_name in USERS[subject_id] } frontend_metadata, backend_metadata = create_entity_descriptors( SATOSAConfig(satosa_config_dict)) # application test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), BaseResponse) # config test SP frontend_metadata_str = str( frontend_metadata[frontend_config["name"]][0]) sp_conf["metadata"]["inline"].append(frontend_metadata_str) fakesp = FakeSP(SPConfig().load(sp_conf, metadata_construction=False)) # create auth req destination, req_args = fakesp.make_auth_req( frontend_metadata[frontend_config["name"]][0].entity_id) auth_req = urlparse(destination).path + "?" + urlencode(req_args) # make auth req to proxy proxied_auth_req = test_client.get(auth_req) assert proxied_auth_req.status == "303 See Other" # config test IdP backend_metadata_str = str( backend_metadata[saml_backend_config["name"]][0]) idp_conf["metadata"]["inline"].append(backend_metadata_str) fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) # create auth resp req_params = dict( parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query)) url, authn_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, subject_id, response_binding=BINDING_HTTP_REDIRECT) # make auth resp to proxy authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp) authn_resp = test_client.get("/" + authn_resp_req) assert authn_resp.status == "303 See Other" # verify auth resp from proxy resp_dict = dict( parse_qsl(urlparse(authn_resp.data.decode("utf-8")).query)) auth_resp = fakesp.parse_authn_request_response( resp_dict["SAMLResponse"], BINDING_HTTP_REDIRECT) assert auth_resp.ava == USERS[subject_id]
def test_start_auth_disco(self, sp_conf, idp_conf): """ Performs a complete test for the module satosa.backends.saml2. The flow should be accepted. """ samlbackend = SamlBackend( lambda context, internal_resp: (context, internal_resp), INTERNAL_ATTRIBUTES, { "config": sp_conf, "disco_srv": "https://my.dicso.com/role/idp.ds", "state_id": "saml_backend_test_id" }) test_state_key = "test_state_key_456afgrh" response_binding = BINDING_HTTP_REDIRECT fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf, metadata_construction=False)) internal_req = InternalRequest(UserIdHashType.persistent, "example.se/sp.xml") state = State() state.add(test_state_key, "my_state") context = Context() context.state = state resp = samlbackend.start_auth(context, internal_req) assert resp.status == "303 See Other", "Must be a redirect to the discovery server." disco_resp = parse_qs(urlparse(resp.message).query) info = parse_qs(urlparse(disco_resp["return"][0]).query) info[samlbackend.idp_disco_query_param] = idp_conf["entityid"] context = Context() context.request = info context.state = state resp = samlbackend.disco_response(context) assert resp.status == "303 See Other" req_params = dict(parse_qsl(urlparse(resp.message).query)) url, fake_idp_resp = fakeidp.handle_auth_req( req_params["SAMLRequest"], req_params["RelayState"], BINDING_HTTP_REDIRECT, "testuser1", response_binding=response_binding) context = Context() context.request = fake_idp_resp context.state = state context, internal_resp = samlbackend.authn_response( context, response_binding) assert isinstance(context, Context), "Not correct instance!" assert context.state.get( test_state_key) == "my_state", "Not correct state!" assert internal_resp.auth_info.auth_class_ref == PASSWORD, "Not correct authentication!" _dict = internal_resp.get_attributes() expected_data = { 'surname': ['Testsson 1'], 'mail': ['*****@*****.**'], 'displayname': ['Test Testsson'], 'givenname': ['Test 1'], 'edupersontargetedid': ['one!for!all'] } for key in _dict: assert expected_data[key] == _dict[key]
class TestProxy: """ Performs a complete flow test for the proxy. Verifies SAML -> PROXY -> SAML. """ @pytest.fixture(autouse=True) def setup(self): """ Initiates the test. :return: None """ self.sp = FakeSP(None, config=SPConfig().load(TestConfiguration.get_instance(). fake_sp_config, metadata_construction=False)) self.idp = FakeIdP(USERS, IdPConfig().load(TestConfiguration.get_instance().fake_idp_config, metadata_construction=False)) def test_flow(self): """ Performs the test. """ e_id = 'https://localhost:8090/proxy.xml' target_id = 'https://example.com/unittest_idp.xml' url = "{}&entityID={}".format(self.sp.make_auth_req(e_id), quote(target_id)) app = WsgiApplication(config=TestConfiguration.get_instance().proxy_config) test_client = Client(app.run_server, BaseResponse) parsed = urlparse(url) request = "{}?{}".format(parsed.path, parsed.query) resp = test_client.get(request) assert resp.status == '303 See Other' headers = dict(resp.headers) assert headers["Set-Cookie"], "Did not save state in cookie!" url = headers["location"] req = parse_qs(urlsplit(url).query) assert 'SAMLRequest' in req assert 'RelayState' in req action, body = self.idp.handle_auth_req(req['SAMLRequest'][0], req['RelayState'][0], BINDING_HTTP_REDIRECT, 'testuser1') parsed = urlparse(action) request = "{}?{}".format(parsed.path, parsed.query) resp = test_client.post(request, data=urlencode(body), headers=[("Cookie", headers["Set-Cookie"]), ("Content-Type", "application/x-www-form-urlencoded")]) assert resp.status == '302 Found' headers = dict(resp.headers) url = headers["location"] req = parse_qs(urlsplit(url).query) assert 'SAMLResponse' in req assert 'RelayState' in req resp = self.sp.parse_authn_request_response(req['SAMLResponse'][0], BINDING_HTTP_REDIRECT) identity = resp.ava assert identity["displayName"][0] == "Test Testsson"
class TestProxy: """ Performs a complete flow test for the proxy. Verifies SAML -> PROXY -> SAML. """ @pytest.fixture(autouse=True) def setup(self): """ Initiates the test. :return: None """ self.sp = FakeSP(None, config=SPConfig().load( TestConfiguration.get_instance().fake_sp_config, metadata_construction=False)) self.idp = FakeIdP( USERS, IdPConfig().load(TestConfiguration.get_instance().fake_idp_config, metadata_construction=False)) def test_flow(self): """ Performs the test. """ e_id = 'https://localhost:8090/proxy.xml' target_id = 'https://example.com/unittest_idp.xml' url = "{}&entityID={}".format(self.sp.make_auth_req(e_id), quote(target_id)) app = WsgiApplication( config=TestConfiguration.get_instance().proxy_config) test_client = Client(app.run_server, BaseResponse) parsed = urlparse(url) request = "{}?{}".format(parsed.path, parsed.query) resp = test_client.get(request) assert resp.status == '303 See Other' headers = dict(resp.headers) assert headers["Set-Cookie"], "Did not save state in cookie!" url = headers["location"] req = parse_qs(urlsplit(url).query) assert 'SAMLRequest' in req assert 'RelayState' in req action, body = self.idp.handle_auth_req(req['SAMLRequest'][0], req['RelayState'][0], BINDING_HTTP_REDIRECT, 'testuser1') parsed = urlparse(action) request = "{}?{}".format(parsed.path, parsed.query) resp = test_client.post(request, data=urlencode(body), headers=[("Cookie", headers["Set-Cookie"]), ("Content-Type", "application/x-www-form-urlencoded") ]) assert resp.status == '302 Found' headers = dict(resp.headers) url = headers["location"] req = parse_qs(urlsplit(url).query) assert 'SAMLResponse' in req assert 'RelayState' in req resp = self.sp.parse_authn_request_response(req['SAMLResponse'][0], BINDING_HTTP_REDIRECT) identity = resp.ava assert identity["displayName"][0] == "Test Testsson"