connector/saml: refactor tests and add self-signed responses

Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.

connector/saml/testdata/gen.sh

@@ -0,0 +1,47 @@
+#!/bin/bash -ex
+
+# Always run from the testdata directory
+cd "$(dirname "$0")"
+
+# Uncomment these commands to regenerate the CA files.
+#
+# openssl req \
+#     -nodes \
+#     -newkey rsa:2048 \
+#     -keyout ca.key \
+#     -new -x509 -days 7300 \
+#     -extensions v3_ca \
+#     -out ca.crt \
+#     -subj "/O=DEX/CN=coreos.com"
+# 
+# openssl req \
+#     -nodes \
+#     -newkey rsa:2048 \
+#     -keyout bad-ca.key \
+#     -new -x509 -days 7300 \
+#     -extensions v3_ca \
+#     -out bad-ca.crt \
+#     -subj "/O=BAD/CN=coreos.com"
+
+# Sign these files using xmlsec1.
+#
+# Templates MUST have a <Signature> element already embedded in them so
+# xmlsec1 can know where to embed the signature.
+#
+# See: https://sgros.blogspot.com/2013/01/signing-xml-document-using-xmlsec1.html
+
+xmlsec1 --sign --privkey-pem ca.key,ca.crt --output good-resp.xml good-resp.tmpl
+xmlsec1 --sign --privkey-pem ca.key,ca.crt --output bad-status.xml bad-status.tmpl
+
+# Sign a specific sub element, not just the root.
+#
+# Values match up to the <Response URI="#(ID)"> element in the documents.
+xmlsec1 --sign --privkey-pem ca.key,ca.crt  \
+    --id-attr:ID Assertion \
+    --output assertion-signed.xml assertion-signed.tmpl
+
+xmlsec1 --sign --privkey-pem ca.key,ca.crt \
+    --id-attr:ID Assertion \
+    --output two-assertions-first-signed.xml \
+    two-assertions-first-signed.tmpl
+