JavaScript editor test inputs
A selection of test inputs to use with the JavaScript editor.
There is information at the bottom of the page about changing the attribute names and values to suit your exact testing needs.
Default test rule
This one is included in a blank JavaScript rule when it is created. It features a wide selection of attributes as examples: some have different federation namespaces (in this case deprecated attributes from the old Athens service) and some you would not expect to see in general use. In the order they appear in the example they are:
SAML attribute | Example value(s) | Notes |
---|---|---|
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@idp.example.org.uk staff@idp.example.org.uk | Released by default. A multivalued attribute containing both the role and federation scope of a user. The federation scope is the organisation identifier that should be used in a SAML federation. |
urn:mace:example.org.uk:athens:attribute-def:federation:1.0:identifier | urn:mace:example.org.uk:athens:federation:uk | Deprecated - do not use on a live service |
urn:mace:example.org.uk:athens:attribute-def:person:1.0:username | example.username | Deprecated - do not use on a live service |
urn:mace:example.org.uk:athens:attribute-def:organisation:1.0:identifier | 1234567 | Deprecated - do not use on a live service |
forenames | John | Not released by default |
surname | Doe | Not released by default |
http://example.org.uk/federation/attributes/1.0/organisationid | idp.example.org.uk | Deprecated - do not use on a live service |
organisationNum | 1234567 | Deprecated - do not use on a live service |
username | jd@idp.example.org.uk | Not released by default |
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | https://auth.example.com/terms-and-conditions | Released by default (if configured by an IdP for a service provider). This is the 'entitlement' attribute and can carry any value; it is used for finer granularity, e.g. identifying medical students at a regular university. |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | egFw5UJnXPMFObZHwjHayLib7 | Released by default. This one is the 'targetedID' and is a persistent and opaque user ID |
Standard test rule
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://auth.example.com/SHIRE/SAML2/POST"
ID="k5yxgep5qstu0o4wilgh0lig5i0f7ir4u42sszps" InResponseTo="_stm8i5uiukr2vd5mtlih5fslz0mb7ebdtlvyb2jb" IssueInstant="2000-01-01T00:00:00.000Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org.uk</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="adce3fa93f9944bc8432af64e1251e18"
IssueInstant="2000-01-01T00:00:00.000Z" Version="2.0">
<saml:Issuer>https://idp.example.org.uk</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.example.org.uk/openathens/example"
SPNameQualifier="https://auth.example.com/">rGiG4OHayheCmsayLib7gegFw5UJnXPMFObZHwjHu5UVynHI4LwfzqF1l6WBRawb5Iifn7DMTzRbzoGI</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_qjQoKaeMabG8OKVmJUzN" NotOnOrAfter="2017-02-23T11:13:03.452Z"
Recipient="https://auth.example.com/SHIRE/SAML2/POST" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2000-01-01T00:00:00.000Z" NotOnOrAfter="2000-01-01T00:00:02.000Z">
<saml:AudienceRestriction>
<saml:Audience>https://auth.example.com/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2000-01-01T00:00:00.000Z" SessionIndex="rgegFw5UJnXPMFObZHwjHGiG4OHayheCmsgegFw5UJnXPMFObZHwjHayLib7">
<saml:SubjectLocality Address="127.0.0.1" />
<saml:AuthnContext>
<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextDeclRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
<saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:mace:example.org.uk:athens:attribute-def:federation:1.0:identifier"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>urn:mace:example.org.uk:athens:federation:uk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:mace:example.org.uk:athens:attribute-def:person:1.0:username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>example.username</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:mace:example.org.uk:athens:attribute-def:organisation:1.0:identifier"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>1234567</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="forenames" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>John</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>Doe</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org.uk/federation/attributes/1.0/organisationid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>idp.example.org.uk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="organisationNum" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>1234567</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>jd@idp.example.org.uk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>https://auth.example.com/terms-and-conditions</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example.org.uk"
SPNameQualifier="https://auth.example.com/">egFw5UJnXPMFObZHwjHayLib7</saml:NameID>
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Basic federation attributes with multivalued role
This one features just the bare minimum you are likely to get from a typical federation IdP in any federation around the world.
SAML attribute | Example value(s) | Notes |
---|---|---|
urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | member@idp.example.org.uk staff@idp.example.org.uk | Released by default. A multivalued attribute containing both the role and federation scope of a user. The federation scope is the organisation identifier that should be used in a SAML federation. |
urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | egFw5UJnXPMFObZHwjHayLib7 | Released by default. This one is the 'targetedID' and is a persistent and opaque user ID |
Example SAML statement with minimum attributes
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://auth.example.com/SHIRE/SAML2/POST"
ID="k5yxgep5qstu0o4wilgh0lig5i0f7ir4u42sszps" InResponseTo="_stm8i5uiukr2vd5mtlih5fslz0mb7ebdtlvyb2jb" IssueInstant="2000-01-01T00:00:00.000Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org.uk</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="adce3fa93f9944bc8432af64e1251e18"
IssueInstant="2000-01-01T00:00:00.000Z" Version="2.0">
<saml:Issuer>https://idp.example.org.uk</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.example.org.uk/openathens/example"
SPNameQualifier="https://auth.example.com/">rGiG4OHayheCmsayLib7gegFw5UJnXPMFObZHwjHu5UVynHI4LwfzqF1l6WBRawb5Iifn7DMTzRbzoGI</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_qjQoKaeMabG8OKVmJUzN" NotOnOrAfter="2017-02-23T11:13:03.452Z"
Recipient="https://auth.example.com/SHIRE/SAML2/POST" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2000-01-01T00:00:00.000Z" NotOnOrAfter="2000-01-01T00:00:02.000Z">
<saml:AudienceRestriction>
<saml:Audience>https://auth.example.com/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2000-01-01T00:00:00.000Z" SessionIndex="rgegFw5UJnXPMFObZHwjHGiG4OHayheCmsgegFw5UJnXPMFObZHwjHayLib7">
<saml:SubjectLocality Address="127.0.0.1" />
<saml:AuthnContext>
<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextDeclRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
<saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example.org.uk"
SPNameQualifier="https://auth.example.com/">egFw5UJnXPMFObZHwjHayLib7</saml:NameID>
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
How to edit an attribute statement for testing
You do not need to understand SAML to edit the attribute names and values to suit your own tests; here is what you need to know.
Do not change anything outside of the attribute statement: the tester will reject invalid SAML. The attribute statement is everything between these two tags:
<saml:AttributeStatement> ... </saml:AttributeStatement>
Each attribute will look something like this:
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
<saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
</saml:Attribute>
You can ignore the NameFormat part here. It matters for other purposes, but for this it only needs to be present to keep the SAML valid. The important parts are the attribute Name and its values. The attribute name is in quotes, and each attribute value is tagged separately within the attribute. You must have at least one value; every attribute except the user identifier can have multiple values. You can either remove the unused attributes from your test input, or leave them in to check how your script handles additional input.
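As an added example (not code from this page or from the editor itself), the Node.js script below pulls the attributes out of an edited attribute statement the way a rule would see them, splits the scoped affiliation values from the table above into role and scope, and checks the editing rules just given: every attribute has at least one value and the user identifier (targetedID) has exactly one. The extractor is a deliberately small regex helper that only understands the <saml:Attribute>, <saml:AttributeValue> and nested <saml:NameID> shapes used in the test inputs on this page; it is not a general XML parser, and the function names and the cut-down sample input are assumptions made for the example.

```javascript
// Added example, not the editor's own code: inspect and sanity-check an edited
// SAML 2.0 attribute statement before pasting it into the JavaScript editor.
// Regex based on purpose: it only handles the element shapes used in the test
// inputs on this page and is not a general XML parser.

// Constructed test input: a cut-down copy of the attribute statement above.
const SAMPLE_ATTRIBUTE_STATEMENT = `
<saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>member@idp.example.org.uk</saml:AttributeValue>
    <saml:AttributeValue>staff@idp.example.org.uk</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>https://auth.example.com/terms-and-conditions</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.example.org.uk"
        SPNameQualifier="https://auth.example.com/">egFw5UJnXPMFObZHwjHayLib7</saml:NameID>
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>`;

const SCOPED_AFFILIATION = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'; // role@scope, multivalued
const TARGETED_ID = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10';       // the user identifier

// Undo the XML escaping a value carries in the raw document (ampersand last).
function unescapeXml(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// Returns { attributeName: [value, ...] } for every <saml:Attribute> in the
// statement. A targetedID value sits inside a nested <saml:NameID>; its text is
// what the rule sees, so it is unwrapped here.
function extractAttributes(xml) {
  const stmt = xml.match(/<saml:AttributeStatement>([\s\S]*?)<\/saml:AttributeStatement>/);
  if (!stmt) throw new Error('no <saml:AttributeStatement> found');
  const attrs = {};
  const attrRe = /<saml:Attribute\s([^>]*)>([\s\S]*?)<\/saml:Attribute>/g;
  let m;
  while ((m = attrRe.exec(stmt[1])) !== null) {
    const nameMatch = m[1].match(/\bName="([^"]*)"/); // \b keeps NameFormat from matching
    if (!nameMatch) throw new Error('<saml:Attribute> without a Name');
    const values = [];
    const valRe = /<saml:AttributeValue>([\s\S]*?)<\/saml:AttributeValue>/g;
    let v;
    while ((v = valRe.exec(m[2])) !== null) {
      const nameId = v[1].match(/<saml:NameID[^>]*>([\s\S]*?)<\/saml:NameID>/);
      values.push(unescapeXml((nameId ? nameId[1] : v[1]).trim()));
    }
    attrs[nameMatch[1]] = values;
  }
  return attrs;
}

// Split each scoped affiliation value ("role@scope") into its parts. The scope is
// the organisation identifier a rule should key on, not the role.
function parseScopedAffiliation(values) {
  return values.map((v) => {
    const at = v.lastIndexOf('@');
    if (at < 1 || at === v.length - 1) throw new Error(`not a scoped value: ${v}`);
    return { role: v.slice(0, at), scope: v.slice(at + 1) };
  });
}

// Apply the editing rules from the text: at least one value per attribute, exactly
// one value for the user identifier, well-formed scoped affiliations. Returns a
// list of problems; an empty list means the input is usable.
function validateTestInput(xml) {
  let attrs;
  try {
    attrs = extractAttributes(xml);
  } catch (e) {
    return [e.message];
  }
  const problems = [];
  for (const [name, values] of Object.entries(attrs)) {
    if (values.length === 0) problems.push(`${name}: no <saml:AttributeValue>`);
  }
  if (attrs[TARGETED_ID] && attrs[TARGETED_ID].length !== 1) {
    problems.push(`${TARGETED_ID}: user identifier must have exactly one value`);
  }
  if (attrs[SCOPED_AFFILIATION]) {
    try { parseScopedAffiliation(attrs[SCOPED_AFFILIATION]); }
    catch (e) { problems.push(`${SCOPED_AFFILIATION}: ${e.message}`); }
  }
  return problems;
}

// Stand-alone run: show what a rule would see for the constructed input.
if (typeof require !== 'undefined' && require.main === module) {
  const attrs = extractAttributes(SAMPLE_ATTRIBUTE_STATEMENT);
  console.log(attrs);
  console.log(parseScopedAffiliation(attrs[SCOPED_AFFILIATION]));
  console.log('problems:', validateTestInput(SAMPLE_ATTRIBUTE_STATEMENT));
}
```

Run it with `node` after pasting your own attribute statement into SAMPLE_ATTRIBUTE_STATEMENT; a non-empty problems list points at the attribute you need to fix before the tester sees it. Because the helper only reads the attribute statement, it will not catch mistakes made elsewhere in the response, which is exactly the part the text tells you not to touch.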
When a scripted rule is executed by the service there are various safeguards in place to protect the service. The ones you need to know about are:
- Execution time is capped; if the cap is reached the evaluation instance is dropped and the end user gets an error message.
- Any error during runtime drops the evaluation instance and the end user gets an error message.