diff --git a/tests/data/idp6-saml2/certificate.pem b/tests/data/idp6-saml2/certificate.pem
new file mode 100644
index 00000000..9bdaf99d
--- /dev/null
+++ b/tests/data/idp6-saml2/certificate.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
+dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
+MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
+UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
+h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
+6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
+ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
+AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
+ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
+A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
+AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
+BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
+pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
+fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
+NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
+LlTxKnCrWAXftSm1rNtewTsF
+-----END CERTIFICATE-----
diff --git a/tests/data/sp11-multikey-saml2/certificate-after-rollover.pem b/tests/data/sp11-multikey-saml2/certificate-after-rollover.pem
new file mode 100644
index 00000000..9bdaf99d
--- /dev/null
+++ b/tests/data/sp11-multikey-saml2/certificate-after-rollover.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
+dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
+MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
+UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
+h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
+6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
+ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
+AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
+ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
+A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
+AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
+BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
+pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
+fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
+NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
+LlTxKnCrWAXftSm1rNtewTsF
+-----END CERTIFICATE-----
diff --git a/tests/data/sp11-multikey-saml2/certificate-before-rollover.pem b/tests/data/sp11-multikey-saml2/certificate-before-rollover.pem
new file mode 100644
index 00000000..cb830e75
--- /dev/null
+++ b/tests/data/sp11-multikey-saml2/certificate-before-rollover.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICHjCCAYegAwIBAgIJAKCn8J6jYs6kMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+BAoTCkVudHJvdXZlcnQwHhcNMTEwMTE5MjAxNDE2WhcNMTEwMjE4MjAxNDE2WjAV
+MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2Hp+elCwcCogL1
+ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41vG5auA4ve1Xp
+F11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQABo3YwdDAdBgNV
+HQ4EFgQUssAKE1M50yrgLpqoFzRbSOeZ41swRQYDVR0jBD4wPIAUssAKE1M50yrg
+LpqoFzRbSOeZ41uhGaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQCgp/Ceo2LO
+pDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABPxbVQuuVzkfZFmeUJH
+S6WSvTKoEfJKXm7xLB9ChtPixZkPN6XXYaV0zx6cIwiUBi97ijcMU4W/+s5Xn4rB
+/HJ2UWPlObpjZOxdl1eGsrTw8l7LWPls1B0b0wYms32q6bDVwPWVlDqc5Z13b9M3
+8bNF5SUdZmcRJzk3LKXZ9nkA
+-----END CERTIFICATE-----
diff --git a/tests/data/sp11-multikey-saml2/metadata-after-rollover.xml b/tests/data/sp11-multikey-saml2/metadata-after-rollover.xml
new file mode 100644
index 00000000..3fe5f754
--- /dev/null
+++ b/tests/data/sp11-multikey-saml2/metadata-after-rollover.xml
@@ -0,0 +1,88 @@
+
+
+
+
+
+
+
+MIICHjCCAYegAwIBAgIJAKCn8J6jYs6kMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+BAoTCkVudHJvdXZlcnQwHhcNMTEwMTE5MjAxNDE2WhcNMTEwMjE4MjAxNDE2WjAV
+MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2Hp+elCwcCogL1
+ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41vG5auA4ve1Xp
+F11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQABo3YwdDAdBgNV
+HQ4EFgQUssAKE1M50yrgLpqoFzRbSOeZ41swRQYDVR0jBD4wPIAUssAKE1M50yrg
+LpqoFzRbSOeZ41uhGaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQCgp/Ceo2LO
+pDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABPxbVQuuVzkfZFmeUJH
+S6WSvTKoEfJKXm7xLB9ChtPixZkPN6XXYaV0zx6cIwiUBi97ijcMU4W/+s5Xn4rB
+/HJ2UWPlObpjZOxdl1eGsrTw8l7LWPls1B0b0wYms32q6bDVwPWVlDqc5Z13b9M3
+8bNF5SUdZmcRJzk3LKXZ9nkA
+
+
+
+
+
+
+
+
+ MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
+dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
+MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
+UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
+h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
+6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
+ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
+AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
+ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
+A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
+AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
+BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
+pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
+fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
+NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
+LlTxKnCrWAXftSm1rNtewTsF
+
+
+
+
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+
+
+ Example SAML 2.0 metadatas
+
+
diff --git a/tests/data/sp11-multikey-saml2/metadata-before-rollover.xml b/tests/data/sp11-multikey-saml2/metadata-before-rollover.xml
new file mode 100644
index 00000000..bfb91a5d
--- /dev/null
+++ b/tests/data/sp11-multikey-saml2/metadata-before-rollover.xml
@@ -0,0 +1,88 @@
+
+
+
+
+
+
+
+MIICHjCCAYegAwIBAgIJAKCn8J6jYs6kMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+BAoTCkVudHJvdXZlcnQwHhcNMTEwMTE5MjAxNDE2WhcNMTEwMjE4MjAxNDE2WjAV
+MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+gQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2Hp+elCwcCogL1
+ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41vG5auA4ve1Xp
+F11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQABo3YwdDAdBgNV
+HQ4EFgQUssAKE1M50yrgLpqoFzRbSOeZ41swRQYDVR0jBD4wPIAUssAKE1M50yrg
+LpqoFzRbSOeZ41uhGaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQCgp/Ceo2LO
+pDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBABPxbVQuuVzkfZFmeUJH
+S6WSvTKoEfJKXm7xLB9ChtPixZkPN6XXYaV0zx6cIwiUBi97ijcMU4W/+s5Xn4rB
+/HJ2UWPlObpjZOxdl1eGsrTw8l7LWPls1B0b0wYms32q6bDVwPWVlDqc5Z13b9M3
+8bNF5SUdZmcRJzk3LKXZ9nkA
+
+
+
+
+
+
+
+
+ MIIDnjCCAoagAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJGUjEP
+MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczETMBEGA1UEChMKRW50cm91
+dmVydDEPMA0GA1UEAxMGRGFtaWVuMB4XDTA2MTAyNzA5MDc1NFoXDTExMTAyNjA5
+MDc1NFowVDELMAkGA1UEBhMCRlIxDzANBgNVBAgTBkZyYW5jZTEOMAwGA1UEBxMF
+UGFyaXMxEzARBgNVBAoTCkVudHJvdXZlcnQxDzANBgNVBAMTBkRhbWllbjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM06Hx6VgHYR9wUf/tZVVTRkVWNq
+h9x+PvHA2qH4OYMuqGs4Af6lU2YsZvnrmRdcFWv0+UkdAgXhReCWAZgtB1pd/W9m
+6qDRldCCyysow6xPPKRz/pOTwRXm/fM0QGPeXzwzj34BXOIOuFu+n764vKn18d+u
+uVAEzk1576pxTp4pQPzJfdNLrLeQ8vyCshoFU+MYJtp1UA+h2JoO0Y8oGvywbUxH
+ioHN5PvnzObfAM4XaDQohmfxM9Uc7Wp4xKAc1nUq5hwBrHpjFMRSz6UCfMoJSGIi
++3xJMkNCjL0XEw5NKVc5jRKkzSkN5j8KTM/k1jPPsDHPRYzbWWhnNtd6JlkCAwEA
+AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
+ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFP2WWMDShux3iF74+SoO1xf6qhqaMB8G
+A1UdIwQYMBaAFGjl6TRXbQDHzSlZu+e8VeBaZMB5MA0GCSqGSIb3DQEBBQUAA4IB
+AQAZ/imK7UMognXbs5RfSB8cMW6iNAI+JZqe9XWjvtmLfIIPbHM96o953SiFvrvQ
+BZjGmmPMK3UH29cjzDx1R/RQaYTyMrHyTePLh3BMd5mpJ/9eeJCSxPzE2ECqWRUa
+pkjukecFXqmRItwgTxSIUE9QkpzvuQRb268PwmgroE0mwtiREADnvTFkLkdiEMew
+fiYxZfJJLPBqwlkw/7f1SyzXoPXnz5QbNwDmrHelga6rKSprYKb3pueqaIe8j/AP
+NC1/bzp8cGOcJ88BD5+Ny6qgPVCrMLE5twQumJ12V3SvjGNtzFBvg2c/9S5OmVqR
+LlTxKnCrWAXftSm1rNtewTsF
+
+
+
+
+
+
+
+
+
+
+
+
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+
+
+ Example SAML 2.0 metadatas
+
+
diff --git a/tests/data/sp11-multikey-saml2/private-key-after-rollover.pem b/tests/data/sp11-multikey-saml2/private-key-after-rollover.pem
new file mode 100644
index 00000000..626e1fcc
--- /dev/null
+++ b/tests/data/sp11-multikey-saml2/private-key-after-rollover.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzTofHpWAdhH3BR/+1lVVNGRVY2qH3H4+8cDaofg5gy6oazgB
+/qVTZixm+euZF1wVa/T5SR0CBeFF4JYBmC0HWl39b2bqoNGV0ILLKyjDrE88pHP+
+k5PBFeb98zRAY95fPDOPfgFc4g64W76fvri8qfXx3665UATOTXnvqnFOnilA/Ml9
+00ust5Dy/IKyGgVT4xgm2nVQD6HYmg7Rjyga/LBtTEeKgc3k++fM5t8AzhdoNCiG
+Z/Ez1RztanjEoBzWdSrmHAGsemMUxFLPpQJ8yglIYiL7fEkyQ0KMvRcTDk0pVzmN
+EqTNKQ3mPwpMz+TWM8+wMc9FjNtZaGc213omWQIDAQABAoIBAEPj5keHzWdBqiXX
+38WnlPgv+M9afndCjDANTEYoh14OIUjWzlIe/ufd6HLkrVA89hkwgQbewbyQOT2C
+YiSlQLl0PlKMCTIKIzVHD07HvXNTAwykEqNfTZChSYEa1/Ixre+MXvugF8nwdKxk
+8xN0qXTQF6OXeVYvQNAAdng743YON4ubqKlEezIwnfG/jcoZrGkiTpx+k1JXJsZN
+4dHKFP12RRhUTGjaOkBo41w8GNKQLFpy1vqAOYMyi1SJcrwpAu3H0iQug9SylQaM
+bFjt8j/m13gu3zXIJbi8xbyg3nqpxl9dxcZG/cDA9z2tLu/h3G3nPq7CXvkZxmjl
+ePvOCwECgYEA9zbwYMtd8tT3PHtrCtjwkfxV0dvMmfNw/rRT4ShWtKLmgX+K9nz/
+T4qpbehz4z7OvsLjQ6Bt6wjMNMw9SEBeEMyDVTpmzSD2PowARegmeLX4CsilqHHl
+/AMYUtywEQ2f65/CWPiMIt8mLnEyJ/dsyVLpuzGUNNt34Yaqpu2qXnUCgYEA1IUy
+PObmTh3I8ZyESyGhbu2TYs0A8Zy6eTIAv0ijOIpmUykzjE5pR9sB3nYEd4GTHPEv
+hF6SWfNIDDr83TqThJYzkFyXMCxiVLH55U42wlsvwp4jTnOI3K/7Y7U/lEmBlgcl
+JbIIv1t9okg3+Kuu4i7iB6JR89cSO/Wfcdu/c9UCgYAHE5eF7cxeqyH4pT/HK7aX
+NzXtr/EHZySQ5fCQvWrd+NvIUTJVI/ba/AklkEXg92dLpqCCyxDabYIK8N3AN7d5
+m6EWy3kt3geueqt3VNHlGrBi/qNfUwNWV3BWzuJrWox9XjFeAp9gUCrzoWHiKv7+
+NFVkemLXsICaABTaemsqEQKBgQDJJ4n1u1gieG7Kwqs1sg9rP9RRoFlUWFTogjvS
+0p4r1lQkQstX8qAUM2gBeROhSjRFIMUpNZqxKWT4rpzJibg3tzP3YKx6HIi2Qf+W
+3AFY1ZbPT397sj/JI4l/Rv93DFxr9TdkBq/g8GhqQpE3/sj5rgaj0zBe7SOFPWg+
+DRGaQQKBgEEcSF5KmpIHnhi3WlfGiEtx3kcD63orKME0YYA5BM6wnmRT4QiSw+qj
+i7ljrKGSbmdMFC3ArM42/k2lXYpVLsYWmyaRYSgbdowxLM1XxDJMFIPR2uG6N+vi
+HzWkRxi2SXKU42vfs5eA0itHvQP2DfUx8VuvtwVbOxDGgntYia70
+-----END RSA PRIVATE KEY-----
diff --git a/tests/data/sp11-multikey-saml2/private-key-before-rollover.pem b/tests/data/sp11-multikey-saml2/private-key-before-rollover.pem
new file mode 100644
index 00000000..ac7a9b59
--- /dev/null
+++ b/tests/data/sp11-multikey-saml2/private-key-before-rollover.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDGI2g/WLmdODxhiraxFklG09r6C/yjX06zTt1MapA5+eIcEg2H
+p+elCwcCogL1ZK9/vYlU2yzIGgxV5mVVUybgdQuIvmEi8BlWM4HM5np97J/g6r41
+vG5auA4ve1XpF11rVO9Ru1LIQwMaHXJVf0yojNLH6VOmJU3GDELjKB+VLwIDAQAB
+AoGAKqJ3zhmzZwcwxvRoN1bKUblIh0GJDUZ20tKHf+f2PONuKgggbS5OBA+JZKGj
+7VXLBbutD1tSGYSxXtKCv4dy97xDWlsWmc9AhWss0i7bYMQ+bps0buCtLclrBbOA
+5N9/NU1j2E+V7CStQ8C7P3DbEjYuwm9lB+A85HFaONXhT5ECQQDzAKw8j/+6M5Ib
+asuO+Vj7WIelVaXJ2pjLrf78pQInYt1elO/bqqi4AMJu953OIY7dlDKlu1BPd+9J
+5/lrw6q7AkEA0LxtXRfiJrcZdQf8X6Uq51hceQSbnkWB+d4CREMtAK2tpbsb/kJc
+INvG2ncVb0MUbv/6jrlHZf7/oua6PpbaHQJBANpHT2+zVd33dxXjr2gFeTWFh4sv
+TRXtovTKndJpkm64surD1FU4jgeCvySYjorbwA4vkfMnN/O6Yxq7ImP3xgMCQQDP
+TYOTxAd/CbNHrnGvj7qnXfMg4TmoG0H1pM49ezWzicl+YfBwOPmETKEWENSB1m3x
+u1nc6xeErZa280yeonTlAkAHzm/BUqAY8I1IMQMcNn4db9CJK3pRHRHjPxYMClWK
+TPsLK5iak13+EZ6r9Lej/i1J4cujVh7ijA7J9zH+01Ve
+-----END RSA PRIVATE KEY-----
diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
index 27c0f820..448e1fa6 100644
--- a/tests/login_tests_saml2.c
+++ b/tests/login_tests_saml2.c
@@ -799,6 +799,107 @@ START_TEST(test05_sso_idp_with_key_rollover)
}
END_TEST
+#define make_context(ctx, server_prefix, server_suffix, provider_role, \
+ provider_prefix, provider_suffix) \
+ ctx = lasso_server_new( \
+ TESTSDATADIR server_prefix "/metadata" server_suffix ".xml", \
+ TESTSDATADIR server_prefix "/private-key" server_suffix ".pem", \
+ NULL, /* Secret key to unlock private key */ \
+ TESTSDATADIR server_prefix "/certificate" server_suffix ".pem"); \
+ check_not_null(ctx); \
+ check_good_rc(lasso_server_add_provider( \
+ ctx, \
+ provider_role, \
+ TESTSDATADIR provider_prefix "/metadata" provider_suffix ".xml", \
+ NULL, \
+ NULL)); \
+ providers = g_hash_table_get_values(ctx->providers); \
+ check_not_null(providers); \
+ lasso_provider_set_encryption_mode(LASSO_PROVIDER(providers->data), \
+ LASSO_ENCRYPTION_MODE_ASSERTION | LASSO_ENCRYPTION_MODE_NAMEID); \
+ g_list_free(providers);
+
+void
+sso_sp_with_key_rollover(LassoServer *idp_context, LassoServer *sp_context)
+{
+ LassoLogin *idp_login_context;
+ LassoLogin *sp_login_context;
+
+ check_not_null(idp_login_context = lasso_login_new(idp_context));
+ check_not_null(sp_login_context = lasso_login_new(sp_context))
+
+ /* Create response */
+ check_good_rc(lasso_login_init_idp_initiated_authn_request(idp_login_context,
+ "http://sp11/metadata"));
+
+ lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(idp_login_context->parent.request)->ProtocolBinding,
+ LASSO_SAML2_METADATA_BINDING_POST);
+ lasso_assign_string(LASSO_SAMLP2_AUTHN_REQUEST(idp_login_context->parent.request)->NameIDPolicy->Format,
+ LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT);
+ LASSO_SAMLP2_AUTHN_REQUEST(idp_login_context->parent.request)->NameIDPolicy->AllowCreate = 1;
+
+ check_good_rc(lasso_login_process_authn_request_msg(idp_login_context, NULL));
+ check_good_rc(lasso_login_validate_request_msg(idp_login_context,
+ 1, /* authentication_result */
+ 0 /* is_consent_obtained */
+ ));
+
+ check_good_rc(lasso_login_build_assertion(idp_login_context,
+ LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
+ "FIXME: authenticationInstant",
+ "FIXME: reauthenticateOnOrAfter",
+ "FIXME: notBefore",
+ "FIXME: notOnOrAfter"));
+ check_good_rc(lasso_login_build_authn_response_msg(idp_login_context));
+ check_not_null(idp_login_context->parent.msg_body);
+ check_not_null(idp_login_context->parent.msg_url);
+
+ /* Process response */
+ check_good_rc(lasso_login_process_authn_response_msg(sp_login_context,
+ idp_login_context->parent.msg_body));
+ check_good_rc(lasso_login_accept_sso(sp_login_context));
+
+ /* Cleanup */
+ lasso_release_gobject(idp_login_context);
+ lasso_release_gobject(sp_login_context);
+}
+
+START_TEST(test06_sso_sp_with_key_rollover)
+{
+ LassoServer *idp_context_before_rollover = NULL;
+ LassoServer *idp_context_after_rollover = NULL;
+ LassoServer *sp_context_before_rollover = NULL;
+ LassoServer *sp_context_after_rollover = NULL;
+ GList *providers;
+
+ /* Create an IdP context for IdP initiated SSO with provider metadata 1 */
+ make_context(idp_context_before_rollover, "idp6-saml2", "", LASSO_PROVIDER_ROLE_SP,
+ "sp11-multikey-saml2", "-before-rollover")
+ make_context(idp_context_after_rollover, "idp6-saml2", "", LASSO_PROVIDER_ROLE_SP,
+ "sp11-multikey-saml2", "-after-rollover")
+ make_context(sp_context_before_rollover, "sp11-multikey-saml2", "-before-rollover",
+ LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", "")
+ lasso_server_set_encryption_private_key(sp_context_before_rollover,
+ TESTSDATADIR "sp11-multikey-saml2/private-key-after-rollover.pem");
+ make_context(sp_context_after_rollover, "sp11-multikey-saml2", "-after-rollover",
+ LASSO_PROVIDER_ROLE_IDP, "idp6-saml2", "")
+ lasso_server_set_encryption_private_key(sp_context_after_rollover,
+ TESTSDATADIR "sp11-multikey-saml2/private-key-before-rollover.pem");
+
+ /* Tests... */
+ sso_sp_with_key_rollover(idp_context_before_rollover, sp_context_before_rollover);
+ sso_sp_with_key_rollover(idp_context_after_rollover, sp_context_before_rollover);
+ sso_sp_with_key_rollover(idp_context_before_rollover, sp_context_after_rollover);
+ sso_sp_with_key_rollover(idp_context_after_rollover, sp_context_after_rollover);
+
+ /* Cleanup */
+ lasso_release_gobject(idp_context_before_rollover);
+ lasso_release_gobject(idp_context_after_rollover);
+ lasso_release_gobject(sp_context_before_rollover);
+ lasso_release_gobject(sp_context_after_rollover);
+}
+END_TEST
+
Suite*
login_saml2_suite()
{
@@ -808,16 +909,19 @@ login_saml2_suite()
TCase *tc_spLoginMemory = tcase_create("Login initiated by service provider without key loading");
TCase *tc_spSloSoap = tcase_create("Login initiated by service provider without key loading and with SLO SOAP");
TCase *tc_idpKeyRollover = tcase_create("Login initiated by idp, idp use two differents signing keys (simulate key roll-over)");
+ TCase *tc_spKeyRollover = tcase_create("Login initiated by idp, sp use two differents encrypting keys (simulate key roll-over)");
suite_add_tcase(s, tc_generate);
suite_add_tcase(s, tc_spLogin);
suite_add_tcase(s, tc_spLoginMemory);
suite_add_tcase(s, tc_spSloSoap);
suite_add_tcase(s, tc_idpKeyRollover);
+ suite_add_tcase(s, tc_spKeyRollover);
tcase_add_test(tc_generate, test01_saml2_generateServersContextDumps);
tcase_add_test(tc_spLogin, test02_saml2_serviceProviderLogin);
tcase_add_test(tc_spLoginMemory, test03_saml2_serviceProviderLogin);
tcase_add_test(tc_spSloSoap, test04_sso_then_slo_soap);
tcase_add_test(tc_idpKeyRollover, test05_sso_idp_with_key_rollover);
+ tcase_add_test(tc_spKeyRollover, test06_sso_sp_with_key_rollover);
return s;
}