cxf-commits mailing list archives

From cohei...@apache.org
Subject git commit: Adding more unit tests
Date Thu, 24 Jul 2014 16:14:28 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 4feee2252 -> 87e87a056


Adding more unit tests


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/87e87a05
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/87e87a05
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/87e87a05

Branch: refs/heads/master
Commit: 87e87a056f4948a8a427b5d57659f8f7bed9356a
Parents: 4feee22
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Jul 24 17:14:16 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Jul 24 17:14:16 2014 +0100

----------------------------------------------------------------------
 .../federation/FederationProcessorTest.java     |    9 +-
 .../cxf/fediz/core/samlsso/CustomValidator.java |   54 +
 .../fediz/core/samlsso/SAMLResponseTest.java    | 1167 ++++++++----------
 .../test/resources/fediz_test_config_saml.xml   |    2 +-
 4 files changed, 600 insertions(+), 632 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/87e87a05/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationProcessorTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationProcessorTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationProcessorTest.java
index fd564b2..09a8921 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationProcessorTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationProcessorTest.java
@@ -47,6 +47,7 @@ import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.config.FederationProtocol;
 import org.apache.cxf.fediz.core.config.FedizConfigurator;
 import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.Protocol;
 import org.apache.cxf.fediz.core.config.jaxb.AudienceUris;
 import org.apache.cxf.fediz.core.config.jaxb.CertificateStores;
 import org.apache.cxf.fediz.core.config.jaxb.ContextConfig;
@@ -380,7 +381,7 @@ public class FederationProcessorTest {
     }
     
     /**
-     * Validate SAML 2 token where role information is provided
+     * Validate SAML 1 token where role information is provided
      * within another SAML attribute
      */
     @org.junit.Test
@@ -447,7 +448,7 @@ public class FederationProcessorTest {
         
         configurator = null;
         FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
-        ((FederationProtocol)config.getProtocol()).setRoleURI(null);
+        config.getProtocol().setRoleURI(null);
         
         FedizProcessor wfProc = new FederationProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
@@ -964,8 +965,8 @@ public class FederationProcessorTest {
         
         configurator = null;
         FedizContext config = getFederationConfigurator().getFedizContext("CUSTTOK");
-        FederationProtocol fp = (FederationProtocol)config.getProtocol();
-        List<TokenValidator> validators = fp.getTokenValidators();
+        Protocol protocol = config.getProtocol();
+        List<TokenValidator> validators = protocol.getTokenValidators();
         Assert.assertEquals("Two validators must be found", 2, validators.size());
         Assert.assertEquals("First validator must be custom validator",
                             CustomValidator.class.getName(), validators.get(0).getClass().getName());

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/87e87a05/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/CustomValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/CustomValidator.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/CustomValidator.java
new file mode 100644
index 0000000..2c7f8aa
--- /dev/null
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/CustomValidator.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.samlsso;
+
+import org.w3c.dom.Element;
+import org.apache.cxf.fediz.core.TokenValidator;
+import org.apache.cxf.fediz.core.TokenValidatorRequest;
+import org.apache.cxf.fediz.core.TokenValidatorResponse;
+import org.apache.cxf.fediz.core.config.FedizContext;
+
+
+public class CustomValidator implements TokenValidator {
+
+    @Override
+    public boolean canHandleTokenType(String tokenType) {
+        return true;
+    }
+
+    @Override
+    public boolean canHandleToken(Element token) {
+        return true;
+    }
+
+    @Override
+    public TokenValidatorResponse validateAndProcessToken(
+        TokenValidatorRequest request, 
+        FedizContext config
+    ) {
+        return new TokenValidatorResponse(null,
+                                          SAMLResponseTest.TEST_USER,
+                                          SAMLResponseTest.TEST_IDP_ISSUER,
+                                          null,
+                                          null,
+                                          SAMLResponseTest.TEST_REQUEST_URL);
+    }
+
+}
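Review bot: CustomValidator has no class-level documentation, and a reader finding it under the samlsso package cannot tell from the code that `canHandleTokenType`, `canHandleToken` and `validateAndProcessToken` are meant to accept any input unconditionally — the `request` argument is never inspected and the response is built purely from fixed SAMLResponseTest constants. Add a Javadoc above the class declaration such as `/** Test-only TokenValidator stub: accepts every token type and returns a fixed TokenValidatorResponse for SAMLResponseTest without inspecting or validating the request. Not intended for use in a runtime configuration. */`. Stating the dependency on SAMLResponseTest's constants in that comment also makes clear the class belongs in the test tree and should not be moved alongside production validators. Minor: there is trailing whitespace after `TokenValidatorRequest request,` in the parameter list.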

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/87e87a05/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
index 09e626a..4a8fa6a 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
@@ -21,6 +21,7 @@ package org.apache.cxf.fediz.core.samlsso;
 
 import java.io.File;
 import java.io.IOException;
+import java.math.BigInteger;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.util.Collections;
@@ -40,13 +41,17 @@ import org.w3c.dom.Node;
 import org.apache.cxf.fediz.common.STSUtil;
 import org.apache.cxf.fediz.common.SecurityTestUtil;
 import org.apache.cxf.fediz.core.AbstractSAMLCallbackHandler;
+import org.apache.cxf.fediz.core.AbstractSAMLCallbackHandler.MultiValue;
 import org.apache.cxf.fediz.core.Claim;
 import org.apache.cxf.fediz.core.ClaimTypes;
 import org.apache.cxf.fediz.core.FederationConstants;
 import org.apache.cxf.fediz.core.KeystoreCallbackHandler;
+import org.apache.cxf.fediz.core.SAML1CallbackHandler;
 import org.apache.cxf.fediz.core.SAML2CallbackHandler;
+import org.apache.cxf.fediz.core.TokenValidator;
 import org.apache.cxf.fediz.core.config.FedizConfigurator;
 import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.config.Protocol;
 import org.apache.cxf.fediz.core.config.SAMLProtocol;
 import org.apache.cxf.fediz.core.exception.ProcessingException;
 import org.apache.cxf.fediz.core.exception.ProcessingException.TYPE;
@@ -311,399 +316,327 @@ public class SAMLResponseTest {
     }
     
     /**
-     * Validate SAML 2 token which includes the role attribute with 2 values
-     * Roles are encoded as a multi-value saml attribute
+     * Validate SAML 1 token (this is not allowed / supported)
+     */
     @org.junit.Test
-    public void validateSAML2Token() throws Exception {
-        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+    public void validateSAML1Token() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
+        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
+
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
-        Assert.assertEquals("Principal name wrong", TEST_USER,
-                            wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-        assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
-        
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, config);
+            fail("Failure expected on an unsupported token type in response");
+        } catch (ProcessingException ex) {
+            if (!TYPE.INVALID_REQUEST.equals(ex.getType())) {
+                fail("Expected ProcessingException with BAD_REQUEST type");
+            }
+        }
     }
     
     /**
-     * Validate SAML 2 token which includes the role attribute with 2 values
-     * Roles are encoded as a multi-value saml attribute
-     * Not RequestedSecurityTokenCollection in this test, default in all others
+     * Validate SAML 2 token which doesn't include the role SAML attribute
+     */
     @org.junit.Test
-    public void validateSAML2TokenRSTR() throws Exception {
-        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
-        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
-        callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_MSG);
+    public void validateSAML2TokenWithoutRoles() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
         
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
         
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
         
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
         
-        Assert.assertEquals("Principal name wrong", TEST_USER,
-                            wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-    }
-    
-    /**
-     * Validate SAML 2 token which doesn't include the role SAML attribute
-    @org.junit.Test
-    public void validateSAML2TokenWithoutRoles() throws Exception {
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
         callbackHandler.setRoles(null);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
         
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
         
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
         
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
         
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
         
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
         Assert.assertEquals("No roles must be found", null, wfRes.getRoles());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
+        Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
     }
     
+    
     /**
      * Validate SAML 2 token where role information is provided
      * within another SAML attribute
+     */
     @org.junit.Test
     public void validateSAML2TokenDifferentRoleURI() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
-        callbackHandler.setSubjectName(TEST_USER);
-        callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
-        Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-        assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
-    }
-    
-    /**
-     * Validate SAML 2 token where role information is provided
-     * within another SAML attribute
-    @org.junit.Test
-    public void validateSAML1TokenDifferentRoleURI() throws Exception {
-        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
-        callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
-        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
         callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
+
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
-        Assert.assertEquals("Principal name wrong", TEST_USER, wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+
+        Assert.assertEquals("Principal name wrong", TEST_USER,
+                            wfRes.getUsername());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
         Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
+        Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
         assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
     }
     
     /**
      * Validate SAML 2 token which includes role attribute
      * but RoleURI is not configured
+     */
     @org.junit.Test
     public void validateSAML2TokenRoleURINotConfigured() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("CUSTOMROLEURI");
+        config.getProtocol().setRoleURI(null);
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
+        callbackHandler.setRoleAttributeName("http://schemas.mycompany.com/claims/role");
 
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
-        ((FederationProtocol)config.getProtocol()).setRoleURI(null);
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
-        Assert.assertEquals("Principal name wrong", TEST_USER,
-                            wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", null, wfRes.getRoles());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-    }
-    
-    /**
-     * Validate SAML 1.1 token which includes the role attribute with 2 values
-     * Roles are encoded as a multi-value saml attribute
-    @org.junit.Test
-    public void validateSAML1Token() throws Exception {
-        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
-        callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
-        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
-        callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
 
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
-        Assert.assertEquals("Principal name wrong", TEST_USER,
-                            wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-        assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
-    }
-    
-    /**
-     * Validate SAML 1.1 token which includes the role attribute with 2 values
-     * Roles are encoded as a multi-value saml attribute
-     * Token embedded in RSTR 2005/02 - WS Federation 1.0
-    @org.junit.Test
-    public void validateSAML1TokenWSFed10() throws Exception {
-        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
-        callbackHandler.setStatement(SAML1CallbackHandler.Statement.ATTR);
-        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
-        callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
 
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_2005_02_MSG);
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
+
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Two roles must be found", null, wfRes.getRoles());
+        Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
     }
     
+    
     /**
      * Validate SAML 2 token which includes the role attribute with 2 values
      * Roles are encoded as a multiple saml attributes with the same name
+     */
     @org.junit.Test
     public void validateSAML2TokenRoleMultiAttributes() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
         callbackHandler.setMultiValueType(MultiValue.MULTI_ATTR);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
+
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
 
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
+
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
+        Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
         assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
     }
 
     /**
      * Validate SAML 2 token which includes the role attribute with 2 values
      * Roles are encoded as a single saml attribute with encoded value
+     * 
+     * TODO
+     */
     @org.junit.Test
+    @org.junit.Ignore
     public void validateSAML2TokenRoleEncodedValue() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
         callbackHandler.setMultiValueType(MultiValue.ENC_VALUE);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
+
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
-        FederationProtocol fp = (FederationProtocol)config.getProtocol();
-        fp.setRoleDelimiter(",");
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
 
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
+
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles().size());
+        Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
         assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
     }
     
@@ -711,33 +644,64 @@ public class SAMLResponseTest {
      * Validate SAML 2 token which includes the role attribute with 2 values
      * The configured subject of the trusted issuer doesn't match with
      * the issuer of the SAML token
+     */
     @org.junit.Test
     public void validateUnsignedSAML2Token() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
+
         ConditionsBean cp = new ConditionsBean();
         AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
+        audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
         cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
         callbackHandler.setConditions(cp);
         
+        // Subject Confirmation Data
+        SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+        subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
+        subjectConfirmationData.setInResponseTo(requestId);
+        subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+        subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
+        callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
+        
         SAMLCallback samlCallback = new SAMLCallback();
         SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
         SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = createSamlToken(assertion, "mystskey", false);
+        Element response = createSamlResponse(assertion, "mystskey", false, requestId);
+        String responseStr = encodeResponse(response);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        // Load and update the config to enforce an error
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");       
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         try {
             wfProc.processRequest(wfReq, config);
             Assert.fail("Processing must fail because of missing signature");
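Review bot: The Javadoc heading this hunk still says the configured subject of the trusted issuer doesn't match the token issuer, but the method is validateUnsignedSAML2Token and the only outcome it asserts is rejection for the missing signature, so the description reads as copied from another test. A replacement that matches the assertion: `* Validate an unsigned SAML 2 token, which must be rejected because of the missing signature`. The same stale description also heads validateSAML2TokenSeveralCertStore (the `ROOT2` test) and validateSAML2TokenSeveralCertStoreTrustedIssuer (the `ROOT3` test) in the following hunks, both of which assert a successful result, so their Javadoc should state that the signed token is accepted against the second and third trust-store configurations. The try/catch of this method continues past the end of the hunk.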
@@ -751,86 +715,113 @@ public class SAMLResponseTest {
     /**
      * Validate SAML 2 token twice which causes an exception
      * due to replay attack
+     */
     @org.junit.Test
     public void testReplayAttack() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
+        callbackHandler.setMultiValueType(MultiValue.ENC_VALUE);
+
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
 
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
+
         Assert.assertEquals("Principal name wrong", TEST_USER,
-                wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+                            wfRes.getUsername());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
         
-        wfProc = new FederationProcessorImpl();
+        wfProc = new SAMLProcessorImpl();
         try {
             wfProc.processRequest(wfReq, config);
             fail("Failure expected on a replay attack");
         } catch (ProcessingException ex) {
-            if (!TYPE.TOKEN_REPLAY.equals(ex.getType())) {
-                fail("Expected ProcessingException with TOKEN_REPLAY type");
+            if (!TYPE.INVALID_REQUEST.equals(ex.getType())) {
+                fail("Expected ProcessingException with INVALID_REQUEST type");
             }
         }
     }
     
-    
     /**
      * Validate SAML 2 token which includes the role attribute with 2 values
      * The configured subject of the trusted issuer doesn't match with
      * the issuer of the SAML token
+     */
     @org.junit.Test
     public void validateSAML2TokenSeveralCertStore() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT2");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
 
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = createSamlToken(assertion, "mystskey", true);
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        // Load and update the config to enforce an error
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT2");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
         
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
         Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                             .size());
     }
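Review bot: testReplayAttack now expects TYPE.INVALID_REQUEST rather than TOKEN_REPLAY on the second processRequest call, which suggests the second pass is rejected because the relay state registered via setRequestState has already been consumed, before any token replay cache is consulted. That still covers a straight resubmission, but it no longer demonstrates that the same assertion is rejected when it arrives with a fresh, valid relay state, which is the case a replay cache exists for. Consider keeping this assertion and adding a second test that registers a new RequestState and relayState for the same responseStr and expects TYPE.TOKEN_REPLAY, so a regression in the replay cache is caught rather than masked by the state check. The added `callbackHandler.setMultiValueType(MultiValue.ENC_VALUE);` in this test is never asserted on; dropping it or adding the role assertion keeps the test focused on replay.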
@@ -839,51 +830,84 @@ public class SAMLResponseTest {
      * Validate SAML 2 token which includes the role attribute with 2 values
      * The configured subject of the trusted issuer doesn't match with
      * the issuer of the SAML token
+     */
     @org.junit.Test
     public void validateSAML2TokenSeveralCertStoreTrustedIssuer() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT3");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = createSamlToken(assertion, "mystskey", true);
+
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        // Load and update the config to enforce an error
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT3");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
         
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
         Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                             .size());
     }
     
     /**
      * Validate SAML 2 token which is expired
+     */
     @org.junit.Test
     public void validateSAML2TokenExpired() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
+        
         ConditionsBean cp = new ConditionsBean();
         DateTime currentTime = new DateTime();
         currentTime = currentTime.minusSeconds(60);
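Review bot: The request-state setup at the top of validateSAML2TokenSeveralCertStoreTrustedIssuer (the `// Mock up a Request` block through `setRequestState`) is repeated verbatim in every test this commit rewrites, differing only in the context name, so each test hides its actual scenario behind fifteen identical lines. Extracting it into a helper that returns the relay state makes the call site `String relayState = registerRequestState(config, requestId);` and keeps the RequestState fields consistent if the constructor changes. The EasyMock HttpServletRequest block is a second candidate for the same treatment. validateSAML2TokenExpired starts in this hunk and its body continues past the hunk end.
```java
    /** Registers a pending RequestState for requestId with the SAML state manager and returns its relay state key. */
    private String registerRequestState(FedizContext config, String requestId) throws Exception {
        RequestState requestState = new RequestState(TEST_REQUEST_URL,
                                                     TEST_IDP_ISSUER,
                                                     requestId,
                                                     TEST_REQUEST_URL,
                                                     (String)config.getProtocol().getIssuer(),
                                                     null,
                                                     System.currentTimeMillis());
        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
        return relayState;
    }
```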
@@ -892,24 +916,35 @@ public class SAMLResponseTest {
         currentTime = currentTime.minusSeconds(300);
         cp.setNotBefore(currentTime);
         AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
+        audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
         cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
         callbackHandler.setConditions(cp);
         
+        // Subject Confirmation Data
+        SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+        subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
+        subjectConfirmationData.setInResponseTo(requestId);
+        subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+        subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
+        callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
+        
         SAMLCallback samlCallback = new SAMLCallback();
         SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
         SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+        Element response = createSamlResponse(assertion, "mystskey", true, requestId);
+        String responseStr = encodeResponse(response);
         
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
 
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         try {
             wfProc.processRequest(wfReq, config);
             fail("Failure expected on expired SAML token");
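Review bot: The SubjectConfirmationData added here sets `setNotAfter(new DateTime().plusMinutes(5))`, so it is deliberately valid and the only expiry this test exercises is the Conditions window derived from `currentTime` above; the bearer SubjectConfirmationData NotOnOrAfter is a separate check in SAML 2 bearer validation and, as far as the visible code shows, has no negative test. A sibling test with valid Conditions and `subjectConfirmationData.setNotAfter(new DateTime().minusMinutes(5))` that also expects a ProcessingException would close that gap. A short comment such as `// Confirmation data is valid; only the assertion Conditions are expired` would make the intent of the five-minute value clear to the next reader. The try/catch continues past the end of the hunk.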
@@ -923,13 +958,34 @@ public class SAMLResponseTest {
     /**
      * Validate SAML 2 token which is not yet valid (in 30 seconds)
      * but within the maximum clock skew range (60 seconds)
+     */
     @org.junit.Test
     public void validateSAML2TokenClockSkewRange() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+        config.setMaximumClockSkew(BigInteger.valueOf(60));
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
+        
         ConditionsBean cp = new ConditionsBean();
         DateTime currentTime = new DateTime();
         currentTime = currentTime.plusSeconds(300);
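Review bot: `config.setMaximumClockSkew(BigInteger.valueOf(60));` now mutates the FedizContext returned by getFederationConfigurator() without the `configurator = null;` reset the old code performed before fetching it, so if the configurator is cached in a field (the removed resets in the other tests suggest it is), the 60-second skew persists into every later test that loads the `ROOT` context, including the expiry tests whose outcome depends on the skew. Either restore the reset before `getFedizContext("ROOT")` in this test, or put the skew back to its original value in a finally block or @After so the setting cannot leak between tests and make the expiry checks order-dependent. Whether a leak actually occurs depends on getFederationConfigurator, which is outside this hunk; the method body also continues past the hunk end.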
@@ -938,30 +994,40 @@ public class SAMLResponseTest {
         currentTime = currentTime.plusSeconds(30);
         cp.setNotBefore(currentTime);
         AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
+        audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
         cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
         callbackHandler.setConditions(cp);
         
+        // Subject Confirmation Data
+        SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
+        subjectConfirmationData.setAddress(TEST_CLIENT_ADDRESS);
+        subjectConfirmationData.setInResponseTo(requestId);
+        subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
+        subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
+        callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
+        
         SAMLCallback samlCallback = new SAMLCallback();
         SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
         SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
+        Element response = createSamlResponse(assertion, "mystskey", true, requestId);
+        String responseStr = encodeResponse(response);
         
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
-        config.setMaximumClockSkew(BigInteger.valueOf(60));
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
         
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
         Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                             .size());
     }
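Review bot: The HttpServletRequest mock block, `EasyMock.createMock(HttpServletRequest.class)` through `EasyMock.replay(req)`, is written out verbatim here and twice more in the next hunk (validateSAML2TokenCustomValidator and validateSAML2TokenMaxClockSkewNotDefined); since the commit already extracts createSamlResponseStr for the assertion side, a `private HttpServletRequest mockRequest()` helper returning the replayed mock would keep the request side in one place too. None of the three tests calls `EasyMock.verify(req)` after processRequest, so they do not establish that the processor actually consulted getRemoteAddr() or getRequestURL(); adding `EasyMock.verify(req);` after the processRequest call would show the Address and Recipient checks on the SubjectConfirmationData were exercised rather than skipped. The method starts in the previous hunk.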
@@ -969,268 +1035,110 @@ public class SAMLResponseTest {
     /**
      * "Validate" SAML 2 token with a custom token validator
      * If a validator is configured it precedes the SAMLTokenValidator as part of Fediz
+     */
     @org.junit.Test
     public void validateSAML2TokenCustomValidator() throws Exception {
-        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
-        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
-        callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
+        // Mock up a Request
         FedizContext config = getFederationConfigurator().getFedizContext("CUSTTOK");
-        FederationProtocol fp = (FederationProtocol)config.getProtocol();
-        List<TokenValidator> validators = fp.getTokenValidators();
+        Protocol protocol = config.getProtocol();
+        List<TokenValidator> validators = protocol.getTokenValidators();
         Assert.assertEquals("Two validators must be found", 2, validators.size());
         Assert.assertEquals("First validator must be custom validator",
                             CustomValidator.class.getName(), validators.get(0).getClass().getName());
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
-        Assert.assertEquals("Principal name wrong", TEST_USER,
-                            wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-    }
 
-    /**
-     * "Validate" SAML 2 token with a custom token validator
-     * If a validator is configured it precedes the SAMLTokenValidator as part of Fediz
-    @org.junit.Test
-    public void validateSAML2TokenMaxClockSkewNotDefined() throws Exception {
-        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
-        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
-        callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = createSamlToken(assertion, "mystskey", true);
-        
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = getFederationConfigurator().getFedizContext("NOCLOCKSKEW");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
-        
-        Assert.assertEquals("Principal name wrong", TEST_USER,
-                            wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-    }
-    
-    /**
-     * Validate an encrypted SAML 2 token which includes the role attribute with 2 values
-     * Roles are encoded as a multi-value saml attribute
-    @org.junit.Test
-    public void validateEncryptedSAML2Token() throws Exception {
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
+
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
 
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = encryptAndSignToken(assertion);
-        
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = 
-            getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
         FedizResponse wfRes = wfProc.processRequest(wfReq, config);
         
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
-        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
-                            .size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-        assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
     }
-    
+
     /**
-     * Validate a HolderOfKey SAML 2 token
+     * "Validate" SAML 2 token with a custom token validator
+     * If a validator is configured it precedes the SAMLTokenValidator as part of Fediz
+     */
     @org.junit.Test
-    public void validateHOKSAML2Token() throws Exception {
-        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
-        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
-        callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
-        
-        Crypto clientCrypto = CryptoFactory.getInstance("client-crypto.properties");
-        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
-        cryptoType.setAlias("myclientkey");
-        X509Certificate[] certs = clientCrypto.getX509Certificates(cryptoType);
-        callbackHandler.setCerts(certs);
+    public void validateSAML2TokenMaxClockSkewNotDefined() throws Exception {
+        // Mock up a Request
+        FedizContext config = getFederationConfigurator().getFedizContext("NOCLOCKSKEW");
 
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        WSPasswordCallback[] cb = {
-            new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
-        };
-        cbPasswordHandler.handle(cb);
-        String password = cb[0].getPassword();
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
 
-        assertion.signAssertion("mystskey", password, crypto, false);
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                                                     TEST_IDP_ISSUER,
+                                                     requestId,
+                                                     TEST_REQUEST_URL,
+                                                     (String)config.getProtocol().getIssuer(),
+                                                     null,
+                                                     System.currentTimeMillis());
 
-        Document doc = STSUtil.toSOAPPart(STSUtil.SAMPLE_RSTR_COLL_MSG);
-        Element token = assertion.toDOM(doc);
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        ((SAMLProtocol)config.getProtocol()).getStateManager().setRequestState(relayState, requestState);
 
-        Element e = SAMLProcessorTest.findElement(doc, "RequestedSecurityToken",
-                                                        FederationConstants.WS_TRUST_13_NS);
-        if (e == null) {
-            e = SAMLProcessorTest.findElement(doc, "RequestedSecurityToken",
-                                                    FederationConstants.WS_TRUST_2005_02_NS);
-        }
-        e.appendChild(token);
-                               
-        String rstr = DOM2Writer.nodeToString(doc);
-        
-        FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-        
-        configurator = null;
-        FedizContext config = 
-            getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
-        
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        try {
-            wfProc.processRequest(wfReq, config);
-            fail("Failure expected on missing client certs");
-        } catch (ProcessingException ex) {
-            // expected
-        }
-        
-        // Now set client certs
-        wfReq.setCerts(certs);      
-        wfProc.processRequest(wfReq, config);
-    }
-    
-    @org.junit.Test
-    public void validateSAML2TokenWithConfigCreatedWithAPI() throws Exception {
-        
-        ContextConfig config = new ContextConfig();
-        
-        config.setName("whatever");
-
-        // Configure certificate store
-        CertificateStores certStores = new CertificateStores();
-        TrustManagersType tm0 = new TrustManagersType();       
-        KeyStoreType ks0 = new KeyStoreType();
-        ks0.setType("JKS");
-        ks0.setPassword("storepass");
-        ks0.setFile("ststrust.jks");
-        tm0.setKeyStore(ks0);
-        certStores.getTrustManager().add(tm0);
-        config.setCertificateStores(certStores);
-        
-        // Configure trusted IDP
-        TrustedIssuers trustedIssuers = new TrustedIssuers();
-        TrustedIssuerType ti0 = new TrustedIssuerType();
-        ti0.setCertificateValidation(ValidationType.CHAIN_TRUST);
-        ti0.setName("FedizSTSIssuer");
-        ti0.setSubject(".*CN=www.sts.com.*");
-        trustedIssuers.getIssuer().add(ti0);
-        config.setTrustedIssuers(trustedIssuers);
-
-        FederationProtocolType protocol = new FederationProtocolType();
-        config.setProtocol(protocol);
-
-        AudienceUris audienceUris = new AudienceUris();
-        audienceUris.getAudienceItem().add("https://localhost/fedizhelloworld");
-        config.setAudienceUris(audienceUris);
-
-        protocol.setRoleURI("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
-
-        FedizContext fedContext = new FedizContext(config);
-        fedContext.init();
-        
+        // Create SAML Response
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
         callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
         callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
-        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
-        ConditionsBean cp = new ConditionsBean();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE);
-        cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
 
-        SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
-        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
-        
-        String rstr = createSamlToken(assertion, "mystskey", true, STSUtil.SAMPLE_RSTR_MSG);
-        
+        String responseStr = createSamlResponseStr(callbackHandler, requestId);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
         FedizRequest wfReq = new FedizRequest();
-        wfReq.setAction(FederationConstants.ACTION_SIGNIN);
-        wfReq.setResponseToken(rstr);
-                
-        FedizProcessor wfProc = new FederationProcessorImpl();
-        FedizResponse wfRes = wfProc.processRequest(wfReq, fedContext);
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
         
         Assert.assertEquals("Principal name wrong", TEST_USER,
                             wfRes.getUsername());
-        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
         Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
                             .size());
-        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
-        
-        fedContext.close();
-
+        Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
     }
-    */
     
     private String createSamlResponseStr(String requestId) throws Exception {
         // Create SAML Assertion
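Review bot: The Javadoc added above validateSAML2TokenMaxClockSkewNotDefined is a copy of the custom-validator description ("Validate" SAML 2 token with a custom token validator / If a validator is configured it precedes the SAMLTokenValidator) and does not describe this test, which uses the "NOCLOCKSKEW" context and never touches validators; replace it with `Validate a SAML 2 token against a context ("NOCLOCKSKEW") that does not configure a maximum clock skew.` As far as this hunk shows, the assertion produced by createSamlResponseStr carries no NotBefore or NotAfter offset, so the test passes whether or not an undefined skew is handled correctly; a NotBefore a few seconds in the future, as validateSAML2TokenClockSkewRange sets, would actually exercise the default. Similarly, validateSAML2TokenCustomValidator asserts only username and issuer, which do not distinguish whether CustomValidator or the standard SAML validator handled the token.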
@@ -1241,11 +1149,16 @@ public class SAMLResponseTest {
         callbackHandler.setIssuer(TEST_IDP_ISSUER);
         callbackHandler.setSubjectName(TEST_USER);
         
+        return createSamlResponseStr(callbackHandler, requestId);
+    }
+    
+    private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
+                                         String requestId) throws Exception {
         ConditionsBean cp = new ConditionsBean();
         AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
         audienceRestriction.getAudienceURIs().add(TEST_REQUEST_URL);
         cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
-        callbackHandler.setConditions(cp);
+        saml2CallbackHandler.setConditions(cp);
         
         // Subject Confirmation Data
         SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
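Review bot: The new private overload `createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler, String requestId)` has no Javadoc, and its contract is not obvious from the call sites: it replaces the caller's Conditions (audience TEST_REQUEST_URL) and SubjectConfirmationData (InResponseTo requestId, Recipient TEST_REQUEST_URL, NotAfter five minutes out) on the handler passed in, then hands the assertion to createSamlResponse with key alias "mystskey", as the continuation of this method in the next hunk shows. Add a Javadoc such as `Builds, signs and encodes a SAML Response for the given callback handler; the handler's Conditions and SubjectConfirmationData are overwritten, so issuer, subject and statements must be set on it beforehand.` The method body continues in the next hunk.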
@@ -1253,10 +1166,10 @@ public class SAMLResponseTest {
         subjectConfirmationData.setInResponseTo(requestId);
         subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
         subjectConfirmationData.setRecipient(TEST_REQUEST_URL);
-        callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
+        saml2CallbackHandler.setSubjectConfirmationData(subjectConfirmationData);
         
         SAMLCallback samlCallback = new SAMLCallback();
-        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SAMLUtil.doSAMLCallback(saml2CallbackHandler, samlCallback);
         SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
         Element response = createSamlResponse(assertion, "mystskey", true, requestId);
         return encodeResponse(response);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/87e87a05/plugins/core/src/test/resources/fediz_test_config_saml.xml
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/resources/fediz_test_config_saml.xml b/plugins/core/src/test/resources/fediz_test_config_saml.xml
index 8c971d6..cf6228e 100644
--- a/plugins/core/src/test/resources/fediz_test_config_saml.xml
+++ b/plugins/core/src/test/resources/fediz_test_config_saml.xml
@@ -109,7 +109,7 @@
 				<claimType type="a particular claim type" optional="true" />
 			</claimTypesRequested>
 			<tokenValidators>
-				<validator>org.apache.cxf.fediz.core.CustomValidator</validator>
+				<validator>org.apache.cxf.fediz.core.samlsso.CustomValidator</validator>
 				<validator>org.apache.cxf.fediz.core.NonexistentCustomValidator</validator>
 			</tokenValidators>
 		</protocol>

