
Javascript editor test inputs

A selection of test inputs to use with the Javascript editor.

There is information at the bottom of the page about changing the attribute names and values to suit your exact testing needs.

Default test rule

This one is included in a blank Javascript rule when it is created and features a wide selection of attributes as examples, some of which have different federation namespaces (deprecated attributes from the old Athens service in this case) and some you would not expect to see in general use. In the order they appear in the example they are:

| SAML attribute | Example value(s) | Notes |
| --- | --- | --- |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@idp.example.org.uk, staff@idp.example.org.uk | Released by default. A multivalued attribute containing both the role and federation scope of a user. The federation scope is the organisation identifier that should be used in a SAML federation. |
| urn:mace:example.org.uk:athens:attribute-def:federation:1.0:identifier | urn:mace:example.org.uk:athens:federation:uk | Deprecated - do not use on a live service |
| urn:mace:example.org.uk:athens:attribute-def:person:1.0:username | example.username | Deprecated - do not use on a live service |
| urn:mace:example.org.uk:athens:attribute-def:organisation:1.0:identifier | 12345678 | Deprecated - do not use on a live service |
| forenames | John | Not released by default |
| surname | Doe | Not released by default |
| http://example.org.uk/federation/attributes/1.0/organisationid | idp.example.org | Deprecated - do not use on a live service |
| organisationNum | 12345678 | Deprecated - do not use on a live service |
| username | aa | Not released by default |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | https://auth.example.com/terms-and-conditions | Released by default (if configured by an IdP for a service provider). The 'entitlement' attribute. Could say anything. Used for greater granularity - e.g. identifying medical students at a regular University. |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | egFw5UJnXPMFObZHwjHayLib7 | Released by default. This one is the 'targetedID' and is a persistent and opaque user ID. |



Standard test rule

XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://auth.example.com/SHIRE/SAML2/POST"
    ID="k5yxgep5qstu0o4wilgh0lig5i0f7ir4u42sszps" InResponseTo="_stm8i5uiukr2vd5mtlih5fslz0mb7ebdtlvyb2jb" IssueInstant="2000-01-01T00:00:00.000Z"
    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org.uk</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="adce3fa93f9944bc8432af64e1251e18"
        IssueInstant="2000-01-01T00:00:00.000Z" Version="2.0">
        <saml:Issuer>https://idp.example.org.uk</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.example.org.uk/openathens/example"
                SPNameQualifier="https://auth.example.com/">rGiG4OHayheCmsayLib7gegFw5UJnXPMFObZHwjHu5UVynHI4LwfzqF1l6WBRawb5Iifn7DMTzRbzoGI</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_qjQoKaeMabG8OKVmJUzN" NotOnOrAfter="2017-02-23T11:13:03.452Z"
                    Recipient="https://auth.example.com/SHIRE/SAML2/POST" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2000-01-01T00:00:00.000Z" NotOnOrAfter="2000-01-01T00:00:02.000Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://auth.example.com/</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2000-01-01T00:00:00.000Z" SessionIndex="rgegFw5UJnXPMFObZHwjHGiG4OHayheCmsgegFw5UJnXPMFObZHwjHayLib7">
            <saml:SubjectLocality Address="127.0.0.1" />
            <saml:AuthnContext>
                <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextDeclRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
                <saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:mace:example.org.uk:athens:attribute-def:federation:1.0:identifier"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>urn:mace:example.org.uk:athens:federation:uk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:mace:example.org.uk:athens:attribute-def:person:1.0:username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>example.username</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:mace:example.org.uk:athens:attribute-def:organisation:1.0:identifier"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>1234567</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="forenames" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>John</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>Doe</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://example.org.uk/federation/attributes/1.0/organisationid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>idp.example.org.uk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="organisationNum" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>1234567</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>jd@idp.example.org.uk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>https://auth.example.com/terms-and-conditions</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example.org.uk"
                        SPNameQualifier="https://auth.example.com/">egFw5UJnXPMFObZHwjHayLib7</saml:NameID>
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Basic federation attributes with multivalued role

This one features just the bare minimum you are likely to get from a typical federation IdP in any federation around the world.

| SAML attribute | Example value(s) | Notes |
| --- | --- | --- |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@idp.example.org.uk, staff@idp.example.org.uk | Released by default. A multivalued attribute containing both the role and federation scope of a user. The federation scope is the organisation identifier that should be used in a SAML federation. |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | egFw5UJnXPMFObZHwjHayLib7 | Released by default. This one is the 'targetedID' and is a persistent and opaque user ID. |

Example SAML statement with minimum attributes

XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://auth.example.com/SHIRE/SAML2/POST"
    ID="k5yxgep5qstu0o4wilgh0lig5i0f7ir4u42sszps" InResponseTo="_stm8i5uiukr2vd5mtlih5fslz0mb7ebdtlvyb2jb" IssueInstant="2000-01-01T00:00:00.000Z"
    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org.uk</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="adce3fa93f9944bc8432af64e1251e18"
        IssueInstant="2000-01-01T00:00:00.000Z" Version="2.0">
        <saml:Issuer>https://idp.example.org.uk</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.example.org.uk/openathens/example"
                SPNameQualifier="https://auth.example.com/">rGiG4OHayheCmsayLib7gegFw5UJnXPMFObZHwjHu5UVynHI4LwfzqF1l6WBRawb5Iifn7DMTzRbzoGI</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_qjQoKaeMabG8OKVmJUzN" NotOnOrAfter="2017-02-23T11:13:03.452Z"
                    Recipient="https://auth.example.com/SHIRE/SAML2/POST" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2000-01-01T00:00:00.000Z" NotOnOrAfter="2000-01-01T00:00:02.000Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://auth.example.com/</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2000-01-01T00:00:00.000Z" SessionIndex="rgegFw5UJnXPMFObZHwjHGiG4OHayheCmsgegFw5UJnXPMFObZHwjHayLib7">
            <saml:SubjectLocality Address="127.0.0.1" />
            <saml:AuthnContext>
                <saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextDeclRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
                <saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue>
                    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example.org.uk"
                        SPNameQualifier="https://auth.example.com/">egFw5UJnXPMFObZHwjHayLib7</saml:NameID>
                </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>


How to edit an attribute statement for testing

Without having to understand SAML, here is what you need to know to edit the attribute names and values to suit your own tests.

  1. Do not mess with anything outside of the attribute statement - the tester will reject invalid SAML. The attribute statement is within these two tags:

    CODE
    <saml:AttributeStatement>
    ...
    </saml:AttributeStatement>
  2. Each attribute will look something like this:

    CODE
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
        <saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
    </saml:Attribute>


    You can ignore the NameFormat part for these. It matters elsewhere, but here it only needs to be present to keep the SAML valid. The important parts are the attribute Name and its values. As you can see, the attribute name is in quotes, and each attribute value is tagged within the attribute. You must have at least one value, and all but the user identifier can have multiple values.

    You can either remove the unused attributes from your test input, or leave them in to check how your script handles additional input.
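A small checker for an edited test input, added here as an example and not part of the original page or the service's own tooling: it applies the rules above (NameFormat kept, at least one value per attribute, a single-valued user identifier) and shows how a value wrapped in a nested NameID is read. It assumes the user identifier is the targetedID attribute; the function name and the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: the single-valued "user identifier" is the targetedID attribute.
USER_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"

def check_attribute_statement(xml_text):
    """Return (attributes, problems) for an edited test input."""
    if "<!DOCTYPE" in xml_text:
        # SAML never needs a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE is not allowed in SAML test input")
    root = ET.fromstring(xml_text)  # raises ParseError on invalid XML
    attributes, problems = {}, []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("Name")
        if not name:
            problems.append("attribute without a Name")
            continue
        if attr.get("NameFormat") is None:
            problems.append(f"{name}: NameFormat removed")
        # itertext() also reads a value wrapped in a nested <saml:NameID>.
        values = ["".join(v.itertext()).strip()
                  for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        values = [v for v in values if v]
        if not values:
            problems.append(f"{name}: needs at least one value")
        if name == USER_ID and len(values) > 1:
            problems.append(f"{name}: user identifier must be single-valued")
        attributes.setdefault(name, []).extend(values)
    return attributes, problems

# Constructed sample: an edited statement with one deliberately broken attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
   <saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue><saml:NameID>egFw5UJnXPMFObZHwjHayLib7</saml:NameID></saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="surname"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    attrs, problems = check_attribute_statement(SAMPLE)
    print(attrs)
    print(problems)
```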

When a scripted rule is executed by the service there are various safeguards in place to protect the service. The ones you need to know about are:

  • Execution time is capped; if the cap is reached, the evaluation instance is dropped and the end-user gets an error message.
  • Any error during runtime drops the evaluation instance and the end-user gets an error message.


