From 020193f3b1ec021c18e449e668ddd749342e25d4 Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Fri, 15 Sep 2023 16:17:37 +0200
Subject: [PATCH] fix: relaystate optional (#59)

* fix: make relaystate optional
* fix: delete NotBefore in subjectConfirmationData
---
 pkg/provider/login_test.go | 33 ++++++++++++++++++++
 pkg/provider/redirect.go | 3 --
 pkg/provider/sso.go | 10 ------
 pkg/provider/sso_test.go | 63 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 96 insertions(+), 13 deletions(-)
diff --git a/pkg/provider/login_test.go b/pkg/provider/login_test.go
index c806a22..1bf9e81 100644
--- a/pkg/provider/login_test.go
+++ b/pkg/provider/login_test.go
@@ -81,6 +81,39 @@ func TestSSO_loginHandleFunc(t *testing.T) { state: "", err: false, }}, + { + "login redirect without RelayState successful", + args{ + metadataEndpoint: "/saml/metadata", + issuer: "http://localhost:50002", + config: &IdentityProviderConfig{ + SignatureAlgorithm: dsig.RSASHA256SignatureMethod, + MetadataIDPConfig: &MetadataIDPConfig{}, + Endpoints: &EndpointConfig{ + Callback: getEndpointPointer("/saml/login", "http://localhost:50002/saml/login"), + }, + }, + certificate: "-----BEGIN CERTIFICATE-----\nMIICvDCCAaQCCQD6E8ZGsQ2usjANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVt\neXNlcnZpY2UuZXhhbXBsZS5jb20wHhcNMjIwMjE3MTQwNjM5WhcNMjMwMjE3MTQw\nNjM5WjAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7XKdCRxUZXjdqVqwwwOJqc1Ch0nOSmk+U\nerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWcWAHJloqZ7GBS7NpDhzV8\nG+cXQ+bTU0Lu2e73zCQb30XUdKhWiGfDKaU+1xg9CD/2gIfsYPs3TTq1sq7oCs5q\nLdUHaVL5kcRaHKdnTi7cs5i9xzs3TsUnXcrJPwydjp+aEkyRh07oMpXBEobGisfF\n2p1MA6pVW2gjmywf7D5iYEFELQhM7poqPN3/kfBvU1n7Lfgq7oxmv/8LFi4Zopr5\nnyqsz26XPtUy1WqTzgznAmP+nN0oBTERFVbXXdRa3k2v4cxTNPn/AgMBAAEwDQYJ\nKoZIhvcNAQELBQADggEBAJYxROWSOZbOzXzafdGjQKsMgN948G/hHwVuZneyAcVo\nLMFTs1Weya9Z+snMp1u0AdDGmQTS9zGnD7syDYGOmgigOLcMvLMoWf5tCQBbEukW\n8O7DPjRR0XypChGSsHsqLGO0B0HaTel0HdP9Si827OCkc9Q+WbsFG/8/4ToGWL+u\nla1WuLawozoj8umPi9D8iXCoW35y2STU+WFQG7W+Kfdu+2CYz/0tGdwVqNG4Wsfa\nwWchrS00vGFKjm/fJc876gAfxiMH1I9fZvYSAxAZ3sVI//Ml2sUdgf067ywQ75oa\nLSS2NImmz5aos3vuWmOXhILd7iTU+BD8Uv6vWbI7I1M=\n-----END CERTIFICATE-----\n", + key: "-----BEGIN PRIVATE 
KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7XKdCRxUZXjdq\nVqwwwOJqc1Ch0nOSmk+UerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWc\nWAHJloqZ7GBS7NpDhzV8G+cXQ+bTU0Lu2e73zCQb30XUdKhWiGfDKaU+1xg9CD/2\ngIfsYPs3TTq1sq7oCs5qLdUHaVL5kcRaHKdnTi7cs5i9xzs3TsUnXcrJPwydjp+a\nEkyRh07oMpXBEobGisfF2p1MA6pVW2gjmywf7D5iYEFELQhM7poqPN3/kfBvU1n7\nLfgq7oxmv/8LFi4Zopr5nyqsz26XPtUy1WqTzgznAmP+nN0oBTERFVbXXdRa3k2v\n4cxTNPn/AgMBAAECggEAF+rV9yH30Ysza8GwrXCR9qDN1Dp3QmmsavnXkonEvPoq\nEr2T3o0//6mBp6CLDboMQGQBjblJwl+3Y6PgZolvHAMOsMdHfYNPEo7FSzUBzEw+\nqRrs5HkMyvoPgfV6X8F97W3tiD4Q/AmHkMILl+MxbnfPXM54gWqPuwIqxY1uaCk5\nREwyb7WBon3rd58ceOI1SLRjod6SbqWBMMSN3cJ+5VEPObFjw/RlhNQ5rBI8G5Kt\nso2zBU5C4BB2CvqlWy98WDKJkTvWHbiTjZCy8BQ+gQ6UJM2vaNELFOVpuMGQnMIi\noWiX10Jg2e1gP9j3TdrohlGF8M3+TXjSFKNmeX0DUQKBgQDx7UazUWS5RtkgnjH9\nw2xH2xkstJVD7nAS8VTxNwcrgjVXPvTJha9El904obUjyRX7ppb02tuH5ML/bZh6\n9lL4bP5+SHcJ10e4q8CK/KAGHD6BYAbaGXRq0CoSk5a3vv5XPdob4T5qKCIHFpnu\nMfbvdbEoameLOyRYOGu/yVZIiwKBgQDGQs7FRTisHV0xooiRmlvYF0dcd19qpLed\nqhgJNqBPOTEvvGvJNRoi39haEY3cuTqsxZ5FAlFlVFMUUozz+d0xBLLInoVY/Y4h\nhSdGmdw/A6oHodLqyEp3N5RZNdLlh8/nDS3xXzMotAl75bW5kc2ttcRhRdtyNJ9Z\nup0PgppO3QKBgEC45upAQz8iCiKkz+EA8C4FGqYQJcLHvmoC8GOcAioMqrKNoDVt\ns2cZbdChynEpcd0iQ058YrDnbZeiPWHgFnBp0Gf+gQI7+u8X2+oTDci0s7Au/YZJ\nuxB8YlUX8QF1clvqqzg8OVNzKy9UR5gm+9YyWVPjq5HfH6kOZx0nAxNjAoGAERt8\nqgsCC9/wxbKnpCC0oh3IG5N1WUdjTKh7sHfVN2DQ/LR+fHsniTDVg1gWbKBTDsty\nj7PWgC7ZiFxjKz45NtyX7LW4/efLFttdezsVhR500nnFMFseCdFy7Iu3afThHKfH\nehdj27RFSTqWBrAtFjsj+dzERcOCqIRwvwDe/cUCgYEA5+1mzVXDVjKsWylKJPk+\nZZA4LUfvmTj3VLNDZrlSAI/xEikCFio0QWEA2TQYTAwbXTrKwQSeHQRhv7OTc1h+\nMhpAgvs189ze5J4jiNmULEkkrO+Cxxnw8tyV+UFRZtzW9gUoVBwXiZ/Wbl9sfnlO\nwLJHc0j6OltPcPJmxHP8gQI=\n-----END PRIVATE KEY-----\n", + request: request{ + ID: "test", + AuthRequestID: "test", + Binding: RedirectBinding, + AcsURL: "url", + UserID: "userid", + Done: true, + }, + sp: sp{ + appID: "test", + entityID: "http://localhost:8000/saml/metadata", + metadata: 
"PEVudGl0eURlc2NyaXB0b3IgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDptZXRhZGF0YSIgdmFsaWRVbnRpbD0iMjAyMi0wNC0yOFQxMTozMjowNC43OTdaIiBlbnRpdHlJRD0iaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NhbWwvbWV0YWRhdGEiPgogIDxTUFNTT0Rlc2NyaXB0b3IgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDptZXRhZGF0YSIgdmFsaWRVbnRpbD0iMjAyMi0wNC0yOFQxMTozMjowNC43OTY5MjNaIiBwcm90b2NvbFN1cHBvcnRFbnVtZXJhdGlvbj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBBdXRoblJlcXVlc3RzU2lnbmVkPSJ0cnVlIiBXYW50QXNzZXJ0aW9uc1NpZ25lZD0idHJ1ZSI+CiAgICA8S2V5RGVzY3JpcHRvciB1c2U9ImVuY3J5cHRpb24iPgogICAgICA8S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+CiAgICAgICAgPFg1MDlEYXRhIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICAgICAgICAgIDxYNTA5Q2VydGlmaWNhdGUgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPk1JSUN2RENDQWFRQ0NRRDZFOFpHc1EydXNqQU5CZ2txaGtpRzl3MEJBUXNGQURBZ01SNHdIQVlEVlFRRERCVnRlWE5sY25acFkyVXVaWGhoYlhCc1pTNWpiMjB3SGhjTk1qSXdNakUzTVRRd05qTTVXaGNOTWpNd01qRTNNVFF3TmpNNVdqQWdNUjR3SEFZRFZRUUREQlZ0ZVhObGNuWnBZMlV1WlhoaGJYQnNaUzVqYjIwd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUM3WEtkQ1J4VVpYamRxVnF3d3dPSnFjMUNoMG5PU21rK1VlcmtVcWx2aVdIZGVMUitGb2xIS2pxTHpDQmxvQXo0eFZjMERGZlI3NmdXY1dBSEpsb3FaN0dCUzdOcERoelY4RytjWFErYlRVMEx1MmU3M3pDUWIzMFhVZEtoV2lHZkRLYVUrMXhnOUNELzJnSWZzWVBzM1RUcTFzcTdvQ3M1cUxkVUhhVkw1a2NSYUhLZG5UaTdjczVpOXh6czNUc1VuWGNySlB3eWRqcCthRWt5UmgwN29NcFhCRW9iR2lzZkYycDFNQTZwVlcyZ2pteXdmN0Q1aVlFRkVMUWhNN3BvcVBOMy9rZkJ2VTFuN0xmZ3E3b3htdi84TEZpNFpvcHI1bnlxc3oyNlhQdFV5MVdxVHpnem5BbVArbk4wb0JURVJGVmJYWGRSYTNrMnY0Y3hUTlBuL0FnTUJBQUV3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUpZeFJPV1NPWmJPelh6YWZkR2pRS3NNZ045NDhHL2hId1Z1Wm5leUFjVm9MTUZUczFXZXlhOVorc25NcDF1MEFkREdtUVRTOXpHbkQ3c3lEWUdPbWdpZ09MY012TE1vV2Y1dENRQmJFdWtXOE83RFBqUlIwWHlwQ2hHU3NIc3FMR08wQjBIYVRlbDBIZFA5U2k4MjdPQ2tjOVErV2JzRkcvOC80VG9HV0wrdWxhMVd1TGF3b3pvajh1bVBpOUQ4aVhDb1czNXkyU1RVK1dGUUc3VytLZmR1KzJDWXovMHRHZHdWcU5HNFdzZmF3V2NoclMwMHZHRktqbS9mSmM4NzZnQWZ4aU1IMUk5Zlp2WVNBeEFaM3NWSS8vTWwyc1VkZ2YwNjd5d1E3NW9
hTFNTMk5JbW16NWFvczN2dVdtT1hoSUxkN2lUVStCRDhVdjZ2V2JJN0kxTT08L1g1MDlDZXJ0aWZpY2F0ZT4KICAgICAgICA8L1g1MDlEYXRhPgogICAgICA8L0tleUluZm8+CiAgICAgIDxFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyI+PC9FbmNyeXB0aW9uTWV0aG9kPgogICAgICA8RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI2FlczE5Mi1jYmMiPjwvRW5jcnlwdGlvbk1ldGhvZD4KICAgICAgPEVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNhZXMyNTYtY2JjIj48L0VuY3J5cHRpb25NZXRob2Q+CiAgICAgIDxFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjcnNhLW9hZXAtbWdmMXAiPjwvRW5jcnlwdGlvbk1ldGhvZD4KICAgIDwvS2V5RGVzY3JpcHRvcj4KICAgIDxLZXlEZXNjcmlwdG9yIHVzZT0ic2lnbmluZyI+CiAgICAgIDxLZXlJbmZvIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICAgICAgICA8WDUwOURhdGEgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgogICAgICAgICAgPFg1MDlDZXJ0aWZpY2F0ZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+TUlJQ3ZEQ0NBYVFDQ1FENkU4WkdzUTJ1c2pBTkJna3Foa2lHOXcwQkFRc0ZBREFnTVI0d0hBWURWUVFEREJWdGVYTmxjblpwWTJVdVpYaGhiWEJzWlM1amIyMHdIaGNOTWpJd01qRTNNVFF3TmpNNVdoY05Nak13TWpFM01UUXdOak01V2pBZ01SNHdIQVlEVlFRRERCVnRlWE5sY25acFkyVXVaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzdYS2RDUnhVWlhqZHFWcXd3d09KcWMxQ2gwbk9TbWsrVWVya1VxbHZpV0hkZUxSK0ZvbEhLanFMekNCbG9BejR4VmMwREZmUjc2Z1djV0FISmxvcVo3R0JTN05wRGh6VjhHK2NYUStiVFUwTHUyZTczekNRYjMwWFVkS2hXaUdmREthVSsxeGc5Q0QvMmdJZnNZUHMzVFRxMXNxN29DczVxTGRVSGFWTDVrY1JhSEtkblRpN2NzNWk5eHpzM1RzVW5YY3JKUHd5ZGpwK2FFa3lSaDA3b01wWEJFb2JHaXNmRjJwMU1BNnBWVzJnam15d2Y3RDVpWUVGRUxRaE03cG9xUE4zL2tmQnZVMW43TGZncTdveG12LzhMRmk0Wm9wcjVueXFzejI2WFB0VXkxV3FUemd6bkFtUCtuTjBvQlRFUkZWYlhYZFJhM2sydjRjeFROUG4vQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSll4Uk9XU09aYk96WHphZmRHalFLc01nTjk0OEcvaEh3VnVabmV5QWNWb0xNRlRzMVdleWE5Witzbk1wMXUwQWRER21RVFM5ekduRDdzeURZR09tZ2lnT0xjTXZMTW9XZjV0Q1FCYkV1a1c4TzdEUGpSUjBYeXBDaEdTc0hzcUxHTzBCMEhhVGVsMEhkUDlTaTgyN09Da2M
5UStXYnNGRy84LzRUb0dXTCt1bGExV3VMYXdvem9qOHVtUGk5RDhpWENvVzM1eTJTVFUrV0ZRRzdXK0tmZHUrMkNZei8wdEdkd1ZxTkc0V3NmYXdXY2hyUzAwdkdGS2ptL2ZKYzg3NmdBZnhpTUgxSTlmWnZZU0F4QVozc1ZJLy9NbDJzVWRnZjA2N3l3UTc1b2FMU1MyTkltbXo1YW9zM3Z1V21PWGhJTGQ3aVRVK0JEOFV2NnZXYkk3STFNPTwvWDUwOUNlcnRpZmljYXRlPgogICAgICAgIDwvWDUwOURhdGE+CiAgICAgIDwvS2V5SW5mbz4KICAgIDwvS2V5RGVzY3JpcHRvcj4KICAgIDxTaW5nbGVMb2dvdXRTZXJ2aWNlIEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIExvY2F0aW9uPSJodHRwOi8vbG9jYWxob3N0OjgwMDAvc2FtbC9zbG8iIFJlc3BvbnNlTG9jYXRpb249Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9zYW1sL3NsbyI+PC9TaW5nbGVMb2dvdXRTZXJ2aWNlPgogICAgPEFzc2VydGlvbkNvbnN1bWVyU2VydmljZSBCaW5kaW5nPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YmluZGluZ3M6SFRUUC1QT1NUIiBMb2NhdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NhbWwvYWNzIiBpbmRleD0iMSI+PC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2U+CiAgICA8QXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlIEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLUFydGlmYWN0IiBMb2NhdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NhbWwvYWNzIiBpbmRleD0iMiI+PC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2U+CiAgPC9TUFNTT0Rlc2NyaXB0b3I+CjwvRW50aXR5RGVzY3JpcHRvcj4=", + }, + }, + res{ + code: 302, + state: "", + err: false, + }}, { "login post successful", args{ diff --git a/pkg/provider/redirect.go b/pkg/provider/redirect.go index c1c4ae6..b12ce64 100644 --- a/pkg/provider/redirect.go +++ b/pkg/provider/redirect.go @@ -42,9 +42,6 @@ func verifyRedirectSignature( if authRequest() == "" { return fmt.Errorf("no authrequest provided but required") } - if relayState() == "" { - return fmt.Errorf("no relaystate provided but required") - } if sig() == "" { return fmt.Errorf("no signature provided but required") } diff --git a/pkg/provider/sso.go b/pkg/provider/sso.go index 78f2c24..f521c7f 100644 --- a/pkg/provider/sso.go +++ b/pkg/provider/sso.go 
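Review bot: The new "login redirect without RelayState successful" case pastes a full PEM certificate and PKCS#8 private key inline as its `certificate:` and `key:` literals, and the same pair is pasted again in the "redirect request without RelayState" case this patch adds to sso_test.go. Hoisting them into shared test constants (for example `testCertPEM` and `testKeyPEM`, names constructed here) with a one-line comment marking the pair as a test-only fixture would keep each table entry readable and give secret-scanning tooling a single place to exempt. Separately, the case pins only `code: 302` and `state: ""`. If the harness reads `state` from the redirect's query value (the assertion code is outside this hunk), that cannot distinguish an omitted RelayState parameter from an empty `RelayState=`, so an explicit check that the parameter is absent would pin the intended behaviour.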
@@ -65,16 +65,6 @@ func (p *IdentityProvider) ssoHandleFunc(w http.ResponseWriter, r *http.Request) }, ) - // verify that relayState is provided - checkerInstance.WithConditionalValueNotEmpty( - func() bool { return authRequestForm.Binding == RedirectBinding }, - "relayState", - func() string { return authRequestForm.RelayState }, - func() { - response.sendBackResponse(r, w, response.makeDeniedResponse(fmt.Errorf("empty relaystate").Error(), p.timeFormat)) - }, - ) - // verify that request is not empty checkerInstance.WithValueNotEmptyCheck( "SAMLRequest", diff --git a/pkg/provider/sso_test.go b/pkg/provider/sso_test.go index fddd9b9..2ede723 100644 --- a/pkg/provider/sso_test.go +++ b/pkg/provider/sso_test.go @@ -195,6 +195,21 @@ func TestSSO_getAuthRequestFromRequest(t *testing.T) { false, }, }, + { + "signed redirect binding without RelayState", + &http.Request{URL: &url.URL{RawQuery: "SAMLRequest=request&SAMLEncoding=encoding&SigAlg=alg&Signature=sig"}}, + res{ + &AuthRequestForm{ + AuthRequest: "request", + Encoding: "encoding", + RelayState: "", + SigAlg: "alg", + Sig: "sig", + Binding: RedirectBinding, + }, + false, + }, + }, { "unsigned redirect binding", &http.Request{URL: &url.URL{RawQuery: "SAMLRequest=request&SAMLEncoding=encoding&RelayState=state"}}, @@ -230,6 +245,25 @@ func TestSSO_getAuthRequestFromRequest(t *testing.T) { false, }, }, + { + "post binding without RelayState", + &http.Request{ + Form: map[string][]string{ + "SAMLRequest": {"request"}, + }, + URL: &url.URL{RawQuery: ""}}, + res{ + &AuthRequestForm{ + AuthRequest: "request", + Encoding: "", + RelayState: "", + SigAlg: "", + Sig: "", + Binding: PostBinding, + }, + false, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
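Review bot: The added "signed redirect binding without RelayState" case uses placeholder values (`SigAlg=alg&Signature=sig`) and only checks that getAuthRequestFromRequest parses the query, so nothing visible in this patch runs a signed redirect request with no RelayState through verifyRedirectSignature, whose `relayState() == ""` rejection is removed in redirect.go. For the HTTP-Redirect binding the signature is computed over `SAMLRequest=…&RelayState=…&SigAlg=…`, with the RelayState term left out when the parameter is absent, so the verifier has to rebuild that string without an empty `RelayState=`; how it does so is outside these hunks. A table case for verifyRedirectSignature with a genuinely signed request and an empty RelayState, expecting success, plus one where RelayState is dropped from a request that was signed with it, expecting failure, would pin both directions. The "redirect request without RelayState" case added to TestSSO_ssoHandleFunc further down appears to be unsigned as well (its `request` literal shows no signature fields), so it does not cover this path either.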
@@ -468,6 +502,35 @@ func TestSSO_ssoHandleFunc(t *testing.T) { state: "", err: false, }}, + { + "redirect request without RelayState", + args{ + issuer: "http://localhost:50002", + metadataEndpoint: "/saml/metadata", + config: &IdentityProviderConfig{ + SignatureAlgorithm: dsig.RSASHA256SignatureMethod, + MetadataIDPConfig: &MetadataIDPConfig{}, + Endpoints: &EndpointConfig{ + SingleSignOn: getEndpointPointer("/saml/SSO", "http://localhost:50002/saml/SSO"), + }, + }, + certificate: "-----BEGIN CERTIFICATE-----\nMIICvDCCAaQCCQD6E8ZGsQ2usjANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVt\neXNlcnZpY2UuZXhhbXBsZS5jb20wHhcNMjIwMjE3MTQwNjM5WhcNMjMwMjE3MTQw\nNjM5WjAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7XKdCRxUZXjdqVqwwwOJqc1Ch0nOSmk+U\nerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWcWAHJloqZ7GBS7NpDhzV8\nG+cXQ+bTU0Lu2e73zCQb30XUdKhWiGfDKaU+1xg9CD/2gIfsYPs3TTq1sq7oCs5q\nLdUHaVL5kcRaHKdnTi7cs5i9xzs3TsUnXcrJPwydjp+aEkyRh07oMpXBEobGisfF\n2p1MA6pVW2gjmywf7D5iYEFELQhM7poqPN3/kfBvU1n7Lfgq7oxmv/8LFi4Zopr5\nnyqsz26XPtUy1WqTzgznAmP+nN0oBTERFVbXXdRa3k2v4cxTNPn/AgMBAAEwDQYJ\nKoZIhvcNAQELBQADggEBAJYxROWSOZbOzXzafdGjQKsMgN948G/hHwVuZneyAcVo\nLMFTs1Weya9Z+snMp1u0AdDGmQTS9zGnD7syDYGOmgigOLcMvLMoWf5tCQBbEukW\n8O7DPjRR0XypChGSsHsqLGO0B0HaTel0HdP9Si827OCkc9Q+WbsFG/8/4ToGWL+u\nla1WuLawozoj8umPi9D8iXCoW35y2STU+WFQG7W+Kfdu+2CYz/0tGdwVqNG4Wsfa\nwWchrS00vGFKjm/fJc876gAfxiMH1I9fZvYSAxAZ3sVI//Ml2sUdgf067ywQ75oa\nLSS2NImmz5aos3vuWmOXhILd7iTU+BD8Uv6vWbI7I1M=\n-----END CERTIFICATE-----\n", + key: "-----BEGIN PRIVATE 
KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7XKdCRxUZXjdq\nVqwwwOJqc1Ch0nOSmk+UerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWc\nWAHJloqZ7GBS7NpDhzV8G+cXQ+bTU0Lu2e73zCQb30XUdKhWiGfDKaU+1xg9CD/2\ngIfsYPs3TTq1sq7oCs5qLdUHaVL5kcRaHKdnTi7cs5i9xzs3TsUnXcrJPwydjp+a\nEkyRh07oMpXBEobGisfF2p1MA6pVW2gjmywf7D5iYEFELQhM7poqPN3/kfBvU1n7\nLfgq7oxmv/8LFi4Zopr5nyqsz26XPtUy1WqTzgznAmP+nN0oBTERFVbXXdRa3k2v\n4cxTNPn/AgMBAAECggEAF+rV9yH30Ysza8GwrXCR9qDN1Dp3QmmsavnXkonEvPoq\nEr2T3o0//6mBp6CLDboMQGQBjblJwl+3Y6PgZolvHAMOsMdHfYNPEo7FSzUBzEw+\nqRrs5HkMyvoPgfV6X8F97W3tiD4Q/AmHkMILl+MxbnfPXM54gWqPuwIqxY1uaCk5\nREwyb7WBon3rd58ceOI1SLRjod6SbqWBMMSN3cJ+5VEPObFjw/RlhNQ5rBI8G5Kt\nso2zBU5C4BB2CvqlWy98WDKJkTvWHbiTjZCy8BQ+gQ6UJM2vaNELFOVpuMGQnMIi\noWiX10Jg2e1gP9j3TdrohlGF8M3+TXjSFKNmeX0DUQKBgQDx7UazUWS5RtkgnjH9\nw2xH2xkstJVD7nAS8VTxNwcrgjVXPvTJha9El904obUjyRX7ppb02tuH5ML/bZh6\n9lL4bP5+SHcJ10e4q8CK/KAGHD6BYAbaGXRq0CoSk5a3vv5XPdob4T5qKCIHFpnu\nMfbvdbEoameLOyRYOGu/yVZIiwKBgQDGQs7FRTisHV0xooiRmlvYF0dcd19qpLed\nqhgJNqBPOTEvvGvJNRoi39haEY3cuTqsxZ5FAlFlVFMUUozz+d0xBLLInoVY/Y4h\nhSdGmdw/A6oHodLqyEp3N5RZNdLlh8/nDS3xXzMotAl75bW5kc2ttcRhRdtyNJ9Z\nup0PgppO3QKBgEC45upAQz8iCiKkz+EA8C4FGqYQJcLHvmoC8GOcAioMqrKNoDVt\ns2cZbdChynEpcd0iQ058YrDnbZeiPWHgFnBp0Gf+gQI7+u8X2+oTDci0s7Au/YZJ\nuxB8YlUX8QF1clvqqzg8OVNzKy9UR5gm+9YyWVPjq5HfH6kOZx0nAxNjAoGAERt8\nqgsCC9/wxbKnpCC0oh3IG5N1WUdjTKh7sHfVN2DQ/LR+fHsniTDVg1gWbKBTDsty\nj7PWgC7ZiFxjKz45NtyX7LW4/efLFttdezsVhR500nnFMFseCdFy7Iu3afThHKfH\nehdj27RFSTqWBrAtFjsj+dzERcOCqIRwvwDe/cUCgYEA5+1mzVXDVjKsWylKJPk+\nZZA4LUfvmTj3VLNDZrlSAI/xEikCFio0QWEA2TQYTAwbXTrKwQSeHQRhv7OTc1h+\nMhpAgvs189ze5J4jiNmULEkkrO+Cxxnw8tyV+UFRZtzW9gUoVBwXiZ/Wbl9sfnlO\nwLJHc0j6OltPcPJmxHP8gQI=\n-----END PRIVATE KEY-----\n", + request: request{ + ID: "test", + Binding: RedirectBinding, + SAMLRequest: 
url.QueryEscape("nJJBj9MwEIX/ijX3NG6a7DbWJlLZClFpYatN4cBt6k6oJccungmw/x61XaQioRy42vP5ved5D4yDP5nVKMfwQt9HYlG/Bh/YnC8aGFMwEdmxCTgQG7GmW318MsVMG2SmJC4GuEFO08wpRYk2elCbdQPukFlNd/c9LQpczPve6r3taVHWdbWoal3bfr7c03JJc1BfKLGLoYFipkFtmEfaBBYM0kChiyLTZVbc7XRtyntTVrOyrr6CWhOLCygX8ihyMnnuo0V/jCym0loX+dl33nXPoFZ/Ij3GwONAqaP0w1n6/PL0D3qptb7CaBnU9i3bOxcOLnyb/oj9dYjNh91um22fux20l2WYS7Kk3sc0oEw/cj5xh6y/jBoK4uQV2gmfAwkeUPAhv5Fq30rwCQfarLfRO/v6H/KSMLCjIKBW3sefj4lQqAFJI0HeXiX/rlr7OwAA//8="), + }, + sp: sp{ + entityID: "http://localhost:8000/saml/metadata", + metadata: "\n \n \n \n \n MIICvDCCAaQCCQD6E8ZGsQ2usjANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wHhcNMjIwMjE3MTQwNjM5WhcNMjMwMjE3MTQwNjM5WjAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7XKdCRxUZXjdqVqwwwOJqc1Ch0nOSmk+UerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWcWAHJloqZ7GBS7NpDhzV8G+cXQ+bTU0Lu2e73zCQb30XUdKhWiGfDKaU+1xg9CD/2gIfsYPs3TTq1sq7oCs5qLdUHaVL5kcRaHKdnTi7cs5i9xzs3TsUnXcrJPwydjp+aEkyRh07oMpXBEobGisfF2p1MA6pVW2gjmywf7D5iYEFELQhM7poqPN3/kfBvU1n7Lfgq7oxmv/8LFi4Zopr5nyqsz26XPtUy1WqTzgznAmP+nN0oBTERFVbXXdRa3k2v4cxTNPn/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJYxROWSOZbOzXzafdGjQKsMgN948G/hHwVuZneyAcVoLMFTs1Weya9Z+snMp1u0AdDGmQTS9zGnD7syDYGOmgigOLcMvLMoWf5tCQBbEukW8O7DPjRR0XypChGSsHsqLGO0B0HaTel0HdP9Si827OCkc9Q+WbsFG/8/4ToGWL+ula1WuLawozoj8umPi9D8iXCoW35y2STU+WFQG7W+Kfdu+2CYz/0tGdwVqNG4WsfawWchrS00vGFKjm/fJc876gAfxiMH1I9fZvYSAxAZ3sVI//Ml2sUdgf067ywQ75oaLSS2NImmz5aos3vuWmOXhILd7iTU+BD8Uv6vWbI7I1M=\n \n \n \n \n \n \n \n \n \n \n 
MIICvDCCAaQCCQD6E8ZGsQ2usjANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wHhcNMjIwMjE3MTQwNjM5WhcNMjMwMjE3MTQwNjM5WjAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7XKdCRxUZXjdqVqwwwOJqc1Ch0nOSmk+UerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWcWAHJloqZ7GBS7NpDhzV8G+cXQ+bTU0Lu2e73zCQb30XUdKhWiGfDKaU+1xg9CD/2gIfsYPs3TTq1sq7oCs5qLdUHaVL5kcRaHKdnTi7cs5i9xzs3TsUnXcrJPwydjp+aEkyRh07oMpXBEobGisfF2p1MA6pVW2gjmywf7D5iYEFELQhM7poqPN3/kfBvU1n7Lfgq7oxmv/8LFi4Zopr5nyqsz26XPtUy1WqTzgznAmP+nN0oBTERFVbXXdRa3k2v4cxTNPn/AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJYxROWSOZbOzXzafdGjQKsMgN948G/hHwVuZneyAcVoLMFTs1Weya9Z+snMp1u0AdDGmQTS9zGnD7syDYGOmgigOLcMvLMoWf5tCQBbEukW8O7DPjRR0XypChGSsHsqLGO0B0HaTel0HdP9Si827OCkc9Q+WbsFG/8/4ToGWL+ula1WuLawozoj8umPi9D8iXCoW35y2STU+WFQG7W+Kfdu+2CYz/0tGdwVqNG4WsfawWchrS00vGFKjm/fJc876gAfxiMH1I9fZvYSAxAZ3sVI//Ml2sUdgf067ywQ75oaLSS2NImmz5aos3vuWmOXhILd7iTU+BD8Uv6vWbI7I1M=\n \n \n \n \n \n \n \n", + }, + }, + res{ + code: 303, + state: "", + err: false, + }}, { "redirect request form parse error", args{