From 02585fca0b8b77e15179b04e36cbe299a2dda0da Mon Sep 17 00:00:00 2001
From: chasegawa <chasegawa@unicon.net>
Date: Mon, 10 Apr 2023 11:59:18 -0700
Subject: [PATCH] SHIBUI-2550 Fixes for cert issues in auth testbed

---
 .../JPAXMLObjectProviderInitializer.java      |   2 +-
 ...0bfe6fa4495100f5c193fa5b7ca4192c150923.xml |  48 +++++++++++++++++-
 testbed/authentication/shibui/application.yml |   4 +-
 .../shibui/saml-signing-cert.crt              | Bin 0 -> 683 bytes
 .../shibui/saml-signing-cert.key              |  28 ++++++++++
 .../shibui/saml-signing-cert.pem              |  17 +++++++
 .../authentication/shibui/samlKeystore.jks    | Bin 0 -> 2621 bytes
 testbed/authentication/shibui/sp-metadata.xml |  36 +++++++++++++
 8 files changed, 131 insertions(+), 4 deletions(-)
 create mode 100644 testbed/authentication/shibui/saml-signing-cert.crt
 create mode 100644 testbed/authentication/shibui/saml-signing-cert.key
 create mode 100644 testbed/authentication/shibui/saml-signing-cert.pem
 create mode 100644 testbed/authentication/shibui/samlKeystore.jks
 create mode 100644 testbed/authentication/shibui/sp-metadata.xml

diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java
index b13078e56..5bcba70bf 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/opensaml/config/JPAXMLObjectProviderInitializer.java
@@ -8,7 +8,7 @@ public class JPAXMLObjectProviderInitializer extends AbstractXMLObjectProviderIn
     protected String[] getConfigResources() {
         return new String[]{
                 "/jpa-default-config.xml",
-                "/encryption-config.xml",
+                "/jpa-encryption-config.xml",
                 "/jpa-saml2-assertion-config.xml",
                 "/jpa-saml2-metadata-algorithm-config.xml",
                 "/jpa-saml2-metadata-attr-config.xml",
diff --git a/testbed/authentication/shibboleth-idp/metadata/dynamic/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml b/testbed/authentication/shibboleth-idp/metadata/dynamic/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml
index 3d2f94edf..816c9d1ed 100644
--- a/testbed/authentication/shibboleth-idp/metadata/dynamic/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml
+++ b/testbed/authentication/shibboleth-idp/metadata/dynamic/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml
@@ -15,6 +15,52 @@
         <md:Extensions>
             <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient"/>
         </md:Extensions>
+        <md:KeyDescriptor use="signing">
+          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+            <ds:X509Data>
+              <ds:X509Certificate>
+                  MIICpzCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAXMRUwEwYDVQQDDAwzODM1
+                  YTU5NjdjMjEwHhcNMjMwNDEwMTg0MTM5WhcNNDMwNDEwMTg0MTM5WjAXMRUwEwYD
+                  VQQDDAwzODM1YTU5NjdjMjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+                  AQCQWxxf38Fa4VLYUPRn9Lb+Fvyy7wlrOtYdj7yG+PN0qKE3B+ye+vj9iiLLJBfe
+                  CqJMzjivJcWjz6PYp9XDHJl3m3BchiGakwCnQahWps2qo9wdbN+QNj0VxE8E2JuB
+                  CMRIL+qUpwbn81QLTwZDk/9W8tAJzZ9n1m9uo/uuFjObGUMJ8r4KjX8IeX2xNhUz
+                  HtIjmHKR5gUKflKkkpwNa/AvPX7O1a4ML92bBGmtOe3DoOgzILUIP4klWDJFoA1e
+                  Ok6tz3GqQ62JXHKHWJh5+r6olvZyfQ2TynfODoCHYVi99TDV7QZMY9HBLATVI2TE
+                  IMz8qeCgBinEhr6fj1rIaOmHAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAHL4bMge
+                  gJgyooagqTL7UUp3ZVSrYEEpTCR1l7JgmdvunGk8qxNVqu0Ir5HGJhy6/MiSkVkM
+                  hgpBKC+yeV7hFbVEdMEABMs7Ge+uMtsDQs1wa9uT+FjMJ00ibtDMYqQfQ2F9bddI
+                  58VbYmxpxKsflaZGo6gKWwllreFXzfxAdOCAMwbLyZS/plX+pXEAXTNQO6wXcioZ
+                  VMsjAf1gmmTeSccTNWscaloYcRyND3slGaKShWOwm7AupA+7KwHj9PqSnj4kXR1f
+                  9pwd6uZ9jhCb/fh2Xna2Blq+1H1juKKxYCESgA+6xb70EwCqAx71pnHChkTIDNOp
+                  ZhiDnL3iAjiYgPQ=
+              </ds:X509Certificate>
+            </ds:X509Data>
+          </ds:KeyInfo>
+        </md:KeyDescriptor>
+        <md:KeyDescriptor use="encryption">
+          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+            <ds:X509Data>
+              <ds:X509Certificate>
+                  MIICpzCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAXMRUwEwYDVQQDDAwzODM1
+                  YTU5NjdjMjEwHhcNMjMwNDEwMTg0MTM5WhcNNDMwNDEwMTg0MTM5WjAXMRUwEwYD
+                  VQQDDAwzODM1YTU5NjdjMjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+                  AQCQWxxf38Fa4VLYUPRn9Lb+Fvyy7wlrOtYdj7yG+PN0qKE3B+ye+vj9iiLLJBfe
+                  CqJMzjivJcWjz6PYp9XDHJl3m3BchiGakwCnQahWps2qo9wdbN+QNj0VxE8E2JuB
+                  CMRIL+qUpwbn81QLTwZDk/9W8tAJzZ9n1m9uo/uuFjObGUMJ8r4KjX8IeX2xNhUz
+                  HtIjmHKR5gUKflKkkpwNa/AvPX7O1a4ML92bBGmtOe3DoOgzILUIP4klWDJFoA1e
+                  Ok6tz3GqQ62JXHKHWJh5+r6olvZyfQ2TynfODoCHYVi99TDV7QZMY9HBLATVI2TE
+                  IMz8qeCgBinEhr6fj1rIaOmHAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAHL4bMge
+                  gJgyooagqTL7UUp3ZVSrYEEpTCR1l7JgmdvunGk8qxNVqu0Ir5HGJhy6/MiSkVkM
+                  hgpBKC+yeV7hFbVEdMEABMs7Ge+uMtsDQs1wa9uT+FjMJ00ibtDMYqQfQ2F9bddI
+                  58VbYmxpxKsflaZGo6gKWwllreFXzfxAdOCAMwbLyZS/plX+pXEAXTNQO6wXcioZ
+                  VMsjAf1gmmTeSccTNWscaloYcRyND3slGaKShWOwm7AupA+7KwHj9PqSnj4kXR1f
+                  9pwd6uZ9jhCb/fh2Xna2Blq+1H1juKKxYCESgA+6xb70EwCqAx71pnHChkTIDNOp
+                  ZhiDnL3iAjiYgPQ=
+              </ds:X509Certificate>
+            </ds:X509Data>
+          </ds:KeyInfo>
+        </md:KeyDescriptor>
         <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;idplogoutrequest=true"/>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
         <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
@@ -22,4 +68,4 @@
         <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
         <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient" index="0"/>
     </md:SPSSODescriptor>
-</md:EntityDescriptor>
+</md:EntityDescriptor>
\ No newline at end of file
diff --git a/testbed/authentication/shibui/application.yml b/testbed/authentication/shibui/application.yml
index 73f30063f..942d3aaaf 100644
--- a/testbed/authentication/shibui/application.yml
+++ b/testbed/authentication/shibui/application.yml
@@ -10,8 +10,8 @@ shibui:
   pac4j-enabled: true
   pac4j:
     keystorePath: "/conf/samlKeystore.jks"
-    keystorePassword: "changeit"
-    privateKeyPassword: "changeit"
+    keystorePassword: "password"
+    privateKeyPassword: "password"
     serviceProviderEntityId: "https://unicon.net/test/shibui"
     serviceProviderMetadataPath: "/conf/sp-metadata.xml"
     identityProviderMetadataPath: "/conf/idp-metadata.xml"
diff --git a/testbed/authentication/shibui/saml-signing-cert.crt b/testbed/authentication/shibui/saml-signing-cert.crt
new file mode 100644
index 0000000000000000000000000000000000000000..b316a0d31512ddfb10d1099fa96d4d0e72b68e4f
GIT binary patch
literal 683
zcmXqLVp?v{#Mr-pnTe5!iILHOmyJ`a&7<u*FC!x>D}#Z!p{Ri{8*?ZNGY^lkg|TU(
zsim2DvXP;IoH(zMv4M%9fuV(op|NF@IIjsZ7q`YHMkQoR7+D#Zn;7{SfR5l|YGPz$
zm=G-!fB#_A!=M`hU(&y9`zQ8i(|gWrt823Td)j_{E?KeAoc+zbUqAkKDV<gkzsI%6
z=bXiQ)uW5gFTSz->S39g<+BT7+7xF^W?1gHB5c{&Rg3S)=G>oPW-EHcpXJ8vMvfyM
z`md%eXM6rRgxjCZdGi0TPZv1P&QHIVpSSq;Ix*wflFpo;_Hp&rb5z!DG!r$JyQDm$
zXyP+guDYNlljiVdf6%wBJ9l**kN(}+ESYO9-yUA@!dPJ|hkd7Ngpun4-Z(42wdV_0
zIj`-EDQb_HQTc1%ifP}9YI!H0DnG~9(4H8v_p8Cxw`@Mi7Z2*NTvbjvqHyNV$_ESB
zG>^3Ho8KRGBI9K{6Eh<NdNcq-h>@Y_N6rbkh8aeS+7_%d`W@(1o*J?`!BNvkrF8nH
zgqgSB&B?S`EgZV)Eywza$JAtY{W&pdVkA!+m!pRMrpma7qFY@`4l=Nuww8Rq&geF?
z)7gUT+mnApoKg2x%DZqTX^FgZVr}kqkLO3DlX5bTtd^g;%x&=su4vBGwGYG3{&6UI
z&|u7V`s9@T%R>JxEo6u_4zOM$UZf=%a$1@3Z^EpUd!EOIO|xaPq9h7sdikqWB^OO<
zP2MnjgWeMU-P(+gzx<js&rT&)HvZcj*;mhM`vhkH{ZSTIwv8=n-<8_r9g8+5C<-<3
l?>f5gi!j3~X1TA+3J<lpoZz{<GEJg+&fZ5%7Bd>Y006f77&-s|

literal 0
HcmV?d00001

diff --git a/testbed/authentication/shibui/saml-signing-cert.key b/testbed/authentication/shibui/saml-signing-cert.key
new file mode 100644
index 000000000..fc2dbca71
--- /dev/null
+++ b/testbed/authentication/shibui/saml-signing-cert.key
@@ -0,0 +1,28 @@
+-----BEGIN saml-signing-cert.key-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCQWxxf38Fa4VLY
+UPRn9Lb+Fvyy7wlrOtYdj7yG+PN0qKE3B+ye+vj9iiLLJBfeCqJMzjivJcWjz6PY
+p9XDHJl3m3BchiGakwCnQahWps2qo9wdbN+QNj0VxE8E2JuBCMRIL+qUpwbn81QL
+TwZDk/9W8tAJzZ9n1m9uo/uuFjObGUMJ8r4KjX8IeX2xNhUzHtIjmHKR5gUKflKk
+kpwNa/AvPX7O1a4ML92bBGmtOe3DoOgzILUIP4klWDJFoA1eOk6tz3GqQ62JXHKH
+WJh5+r6olvZyfQ2TynfODoCHYVi99TDV7QZMY9HBLATVI2TEIMz8qeCgBinEhr6f
+j1rIaOmHAgMBAAECggEAbFKSNjdXhnSyj/QfkqqFbqGdOkA5FyftZ/1mAPpq5c1s
+PDlMC/hUQx0XAsywxEPCilPtITD83/F+B6PZujGJz8DqTeOw76cDxH52bZ95kWSo
+VcRO9o5cxCqtCPvppKgJcgnSw32apw9mr527G5bA8mP+THzp8ydsMuAGihnK28Sz
+nDIiR8dVBdNUTzIm5gqMiNYnCWkAQ9Tsiq1a0uU8JW4f923U3lkXFlG2AOkvnr/H
+fGXfNJbOz1RmEd6nGAcDf1+Jb85FS7LFckeP25rGSBcfbLwCtykuUvzx6oDeqIEt
+/eShYUSWtQf6ed1zXa1xrbTJUPwj/ILbayiCZJF7EQKBgQDdzo11mvv3tMmDtlH3
+1opqRKmUr42ih6cp0AwYKy2cFujd+kutPvgmlI0NKkEW8MtDVMpjTXvAoVCPxxVu
+/leb00wCWzge0gkYG+1WtopDqzHLlOoiNqTaAitZSArUNQkZBSE89NR2sK2awvr4
+oScK0JxmT129A2jWEcd2SAAdZQKBgQCmnAM1FPj66n3AmfX1fGOAZG6KGPDw88ZH
+84J1GT7NTweGvf/9wrkw6Wo7MVJPVUTIK/ypEP1sLa8Mn8/RDXMNRcDd6PHGEomU
+N4ZF6/zQI2DRbzVIxu9t0iicotf+yTOazaC4JLDz4aPYU2+uLdyJp4F5PnDy+L1A
+ZzKL/aACewKBgAsWZCPY13eOZfRbjMViyBB/1ipEjEPvm/+PEsuyfNksm/9cn6PN
+XgIvss1Rq2dGKiL3fhZwrRr39Vr6jKu7sw1rBoWnoaqIvUOjQb3v6gFv8VFH5FxJ
+dvwe16Pi4gexjv7dLsgpROWZ91OhI4KCK71yqB7FIN5t6TOqN9pFxxuxAoGAa+Gx
+ofmGjtKvwrrurJpyw3xEp18nBJ6U0Zo36yMBq2d09CarT+F6kNVTWCjDp2MLOqJg
+5AiAUD/0jTQeGLuguANms0pW4261byfU5gm8lfmSg4qC8jD+cBoY+fPn8K7Pn3lu
+jE4V1pVQxo6gTiScHPY9vAhWkr3FraIk9Mixh2kCgYEAzVYGTLKOaCK+k3td+io2
+4Aikqv1Sy07o4r0/bv1ReE1NSdGezf5Ign1bz5RBWYTz27kpTh/pYr6HXQodHjsQ
+EZfODuFcyPA2iDgU3Xb3sA0iW3wz8fmgeN3/Yaz0Gf6a/6Lzgh0yDV83qfoWpjsZ
+zA7Iu2Ui1N5kAqZqloeifsk=
+-----END saml-signing-cert.key-----
diff --git a/testbed/authentication/shibui/saml-signing-cert.pem b/testbed/authentication/shibui/saml-signing-cert.pem
new file mode 100644
index 000000000..d224a1fb1
--- /dev/null
+++ b/testbed/authentication/shibui/saml-signing-cert.pem
@@ -0,0 +1,17 @@
+-----BEGIN saml-signing-cert.pem-----
+MIICpzCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAXMRUwEwYDVQQDDAwzODM1
+YTU5NjdjMjEwHhcNMjMwNDEwMTg0MTM5WhcNNDMwNDEwMTg0MTM5WjAXMRUwEwYD
+VQQDDAwzODM1YTU5NjdjMjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCQWxxf38Fa4VLYUPRn9Lb+Fvyy7wlrOtYdj7yG+PN0qKE3B+ye+vj9iiLLJBfe
+CqJMzjivJcWjz6PYp9XDHJl3m3BchiGakwCnQahWps2qo9wdbN+QNj0VxE8E2JuB
+CMRIL+qUpwbn81QLTwZDk/9W8tAJzZ9n1m9uo/uuFjObGUMJ8r4KjX8IeX2xNhUz
+HtIjmHKR5gUKflKkkpwNa/AvPX7O1a4ML92bBGmtOe3DoOgzILUIP4klWDJFoA1e
+Ok6tz3GqQ62JXHKHWJh5+r6olvZyfQ2TynfODoCHYVi99TDV7QZMY9HBLATVI2TE
+IMz8qeCgBinEhr6fj1rIaOmHAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAHL4bMge
+gJgyooagqTL7UUp3ZVSrYEEpTCR1l7JgmdvunGk8qxNVqu0Ir5HGJhy6/MiSkVkM
+hgpBKC+yeV7hFbVEdMEABMs7Ge+uMtsDQs1wa9uT+FjMJ00ibtDMYqQfQ2F9bddI
+58VbYmxpxKsflaZGo6gKWwllreFXzfxAdOCAMwbLyZS/plX+pXEAXTNQO6wXcioZ
+VMsjAf1gmmTeSccTNWscaloYcRyND3slGaKShWOwm7AupA+7KwHj9PqSnj4kXR1f
+9pwd6uZ9jhCb/fh2Xna2Blq+1H1juKKxYCESgA+6xb70EwCqAx71pnHChkTIDNOp
+ZhiDnL3iAjiYgPQ=
+-----END saml-signing-cert.pem-----
diff --git a/testbed/authentication/shibui/samlKeystore.jks b/testbed/authentication/shibui/samlKeystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..db7290260d694b57a9d65e2bbec7e27112bcec0b
GIT binary patch
literal 2621
zcma)+S5y<|7KPIx)X=L)8G1?RAVpe~YD5u`qV!IH2w?&u5RoRLLkSGMcS0EmDj*^t
z?Fxf*kf5Q-z|b`!AUA8xT{G)G-TScrbIy1EeI7T8$f64Zf>A{H0SvB?Xr4%C2QmRm
zi0~B%5x&g8izp(L_FpULB!mbZXW&tW24SrKaj~%gK_x_}5d-R@eExPo*-^JqI{%Dp
zC`AabfcHrZd1_32d)Ivxa8%NBwTTl70?8skKyefsjQOvNAUG6&x&VW_C7J`h!4RMV
z1o3QClM1VL^qty{4;*Nhf<TCn-)%l-S3Ip?w+<%HJczc;jiBwSMP5Xvg<Rw!<$T!*
z7ixJy1|_`HWKkOa*?>aQZ(h%kQJ#}}#G<VB#kH=Vz5;1<SNBQ!aBH4Jav7OZ{;+qg
zE7)gv$6&*%P@uka8aL%jv*^85;c7(Due|)r%|LDo1q|sKlJ@E)7Zu;;0{1oFgD4gs
zPmE<9Y*e2ORu(6<>p^;EhkUzwQ4^1IBOa*AA!MH}-sxR1gYj>+Y5Ex^eyaf#>jWaj
z%HvHmOX_-#khjxj^&M7@Ys!M>fypKY5g!BK4`=8Y<FC1VJT;t#<f2vtpWv5*9VS2g
zAD3lb>Bq{wE!t`=?~6Rh+fT@mH&XZzcqubigu~h6MOfs3?Ll8LU}f|5GvkaHLY553
z+J4Jwn8>_-n@O)cwE1n;YN9g4*wN?nu;OyX(Zdl?W^p-TB*Z3%7o&rx<_^}q{0b*{
z{o%S4ljp+U`oypAhEW!57-HCg#jML5j0|~Ddbc`D<_rZju-nmnPUxCD&av9}P5Dbm
zQ7mmL=VdL89y9M!q&{2EWGU1eRQ{+zOh!-zFLnuDlzo+xft85Q-OMA)Vtq|BGXoP;
zR$)u`j{;O2C#xIzMk^5XPhN4-uYy(^kh}8*^Ukz`m>g|zz0YbqPBM>nSB9V$ymvLr
zFx>6_4Q#vAxNIbEp<xsT!MkMk2rv30&UpS*MJ6}7%+G1EVPJhC`>d;@ye>g3@}7KP
zbQGO-S!!*dZ+3QC!pc|EsPjws)FNle%MH-!ZDadiM1&7n6U8kl*@OX4dQoy|c>!LT
zs(~Oj`>%_7EG9nTd16W4{S;EI{H?wLf^?6*kcFvI&S>bgigGGE4wp~&-m*Pvx}{>u
zy!*peI25B>BMD9T(eVn6Y`#m4C^G=*@yD+ecJitDo`yZfi<^?nwq2UR8GM~~)kChr
zY!l?>Qwg$yH}=goGLGtodZ&LbAhTSWY!9zi>3v%?DYz6Y{cUCLh_siwr|Ntdn$2c<
zT04Skmw|ez+dRS}yzQDH@qfBbTQ%U<*W<HC#P9eN$P4q(*YeSZIj(qcbqI}Iq#!xB
z7d)rC=4PMKh)xpJ#3#q%c(nVv{Jrd%r!xn+>J~I0q;<OI%7fYIyksR<IoUP0mI-}h
zcS!TkhAaC&?R;wG>d}rp8ENg`Z6EGU%Uk_bJ~f-Wy?YHV>2b9R#Ru2j-20OvQ;Dh<
z%!%%*7O|jNOMP$0S8=7f&FUj;D+a`MF{Pgk^OangkvMA>?T<!5h_*cT5ii%pi6C8@
zMO(AYi8=!4`;+XQ`NYH7OIr7{g0PJo=e9xDLnDo41-kMQYzii>umJYB`77Qvwf?;J
zp>c?Ig1O|NrDg3un4NkO!seaH#V%nV>PG)AZFG*E&TJmBc95f3g(+;|x*@pLWCHvM
zJ#tn3URGBTA!9$XJ47{*;<GI^zNviplRv59DaU7C*?7^x!xz;4tJl$l>D&}n-qC=j
zRaq0v8L+nXERn2l&{k@YS*UV;s}fNAD*NcY-M%!rf15)s8Jw%0dR#yYphVD~X>d58
zc)1g#92zePImohCC59Wruf62`AWeGy9KB)o?KC!-N-<U2aOAl_*_%+0(mvnPDL~h`
z7^{Y(Fn`A-oLALE%m{D~;0_1|1Oe0lJ^+74^=1$PL*a}r7!b&K|C&MoI7aWw5SAev
z!xau-FqFhU2l-TaA>4NU!QSGkS~{w#nrf;jl&+>4iU{8S`x6tagb1cF5ETRjFv{#d
z8{q$n_J{1^8(Qi{dZQcTco<47%PPPo`TvP_CYr>!2<nETBj#>0Ghga%91-kxEo`tM
z@|y(IeqBuWaf1m-94SN1-#*fuvmER~M4WwXCX?KXNTyn(5*ZwX8J~`G|Ci^D)bPO9
ztW3v4X}@?L6NWo$Eu#q+u~JFZcgGQS{q^@uHZKP|9)xurt5WJLU${LFTx}Xo>g2?w
zztPvcJSkvaCj~JZN<G;eW9}LK^8P}KsK>%-BS2;Nh`UC6M&$GD_zvMZ|IwAzum$h6
zRc6};5uM+_JT{VX4PhDj&fYP8maq!J2&PZU4VmnZCSGu>S&BXNFv7PWg_MLe+^K!x
z7|zf)5shf+-d3=8aSfsJW0Ey6z;h%WFO7FR^ixNFB#Q<lc~pXMHI@9d!XiD{eBVzL
z+ceJab#XC)3X)vlOo2?cZG|b;>}wkLw#FW43`L|mPxz~3UJ!J+ax-yAXx(DB|LF{5
zCeOnO+XIjTjuFCqueoZo!G8n=5y)eF6lM(cLrkirH}+=Hv&$`nk&Q@4Xh&_g(9L<D
zl=}Xb*auCK8Ex3o{t_0+I?-qSX!X6Lw@hd{h{qq<Sf6lRSCkSZC+)~}VM}n@`Sh+L
zE}`A@?eAzltbjXrey|kT<&Q#J-3&w7LoFs%V(MB3<grQ5Ak1YbPj2NH>T@%B-wttu
zDC~7huZ_#5=GRD<A>+liWq*|?Iv%W_PYoiDUb+@6oxSMh-WP3gu!514Vi&s1UF9qQ
z5+D)pDVXgNtSZj4@pX=wUyzI=JSDd%KBe-CE+rhSLDBDjU-;qN>y47@&(C){rF~ms
z9K^7$Orho6me(KW@%i>1{XikF05AT_{OnG#xDe=ZSgNi<N!uPJL0qN9$Geh$31_1k
zW(sU2J5XQy)uB%K9P!b2O6B{M*pI+;s)L1*sH$^rPyJG2Mm2o5Uu|pnZZ<&APQB?m
z_w<{O;%V}3)PxS1zOB?^I&0CRBua<fXb!u4ym~q)Hw*b(=4);hGevkZ9m4f{t%cLX
zdnV)Czj=}hpDuUj`>`sJb~yHAIfl!q?5*RzU4yvhLj%|*NA#So;ujlzlJU$n4G*V{
z6Fv4E^H3<qSjs?t8Kz?a0>2*neNHo^>HUL{u%GT_*f@Pnk0J>;HaJfnnwqAh)e#j-
zw9R7as}H*EcDMTMx|Z{{*%f-n5S=Uw?l%QchA0UX90pb70E2{~00?h>rdkTKu7B*4
qsjBu<9U9#>)@>KU%VV-r#+jjHo6s=8jHk~=`CD-cfxy7Tl79o@;gwAQ

literal 0
HcmV?d00001

diff --git a/testbed/authentication/shibui/sp-metadata.xml b/testbed/authentication/shibui/sp-metadata.xml
new file mode 100644
index 000000000..8e69e2ef3
--- /dev/null
+++ b/testbed/authentication/shibui/sp-metadata.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_a4f1148876c44abdbf44064883e3ad916ce9ffe" entityID="https://unicon.net/test/shibui" validUntil="2043-04-10T18:41:41.634Z">
+    <md:Extensions>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512"/>
+        <alg:SigningMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
+        <alg:DigestMethod xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+    </md:Extensions>
+    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
+        <md:Extensions>
+            <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient"/>
+        </md:Extensions>
+        <md:KeyDescriptor use="signing"/>
+        <md:KeyDescriptor use="encryption"/>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient&amp;logoutendpoint=true"/>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://shibui.unicon.local/callback?client_name=shibUIAuthClient" index="0"/>
+    </md:SPSSODescriptor>
+</md:EntityDescriptor>