From 4dc3ed36c32eda3b348cbab5e2b55de6653e614a Mon Sep 17 00:00:00 2001
From: Mateusz Mandera <mateusz.mandera@protonmail.com>
Date: Sun, 29 Sep 2019 06:32:56 +0200
Subject: [PATCH] auth: Add initial SAML authentication support.

There are a few outstanding issues that we expect to resolve beforce
including this in a release, but this is good checkpoint to merge.

This PR is a collaboration with Tim Abbott.

Fixes #716.
---
 docs/production/authentication-methods.md     |  91 ++++++++
 docs/subsystems/auth.md                       |  23 ++
 .../images/landing-page/logos/saml-icon.png   | Bin 0 -> 29323 bytes
 static/styles/portico/portico-signin.scss     |   5 +
 templates/zerver/config_error.html            |  13 ++
 zerver/migrations/0250_saml_auth.py           |  21 ++
 zerver/models.py                              |   3 +-
 zerver/tests/fixtures/saml/idp.crt            |  21 ++
 zerver/tests/fixtures/saml/samlresponse.txt   |  33 +++
 zerver/tests/fixtures/saml/zulip.crt          |  21 ++
 zerver/tests/fixtures/saml/zulip.key          |  28 +++
 zerver/tests/test_auth_backends.py            | 215 +++++++++++++++++-
 zerver/tests/test_docs.py                     |   8 +
 zerver/views/auth.py                          |  69 +++++-
 zproject/backends.py                          | 128 +++++++++++
 zproject/dev_settings.py                      |   4 +
 zproject/prod_settings_template.py            |  59 ++++-
 zproject/settings.py                          |  35 +++
 zproject/test_settings.py                     |  35 +++
 zproject/urls.py                              |   4 +
 20 files changed, 807 insertions(+), 9 deletions(-)
 create mode 100644 static/images/landing-page/logos/saml-icon.png
 create mode 100644 zerver/migrations/0250_saml_auth.py
 create mode 100644 zerver/tests/fixtures/saml/idp.crt
 create mode 100644 zerver/tests/fixtures/saml/samlresponse.txt
 create mode 100644 zerver/tests/fixtures/saml/zulip.crt
 create mode 100644 zerver/tests/fixtures/saml/zulip.key

diff --git a/docs/production/authentication-methods.md b/docs/production/authentication-methods.md
index 995f02577e..1b5edbbbc0 100644
--- a/docs/production/authentication-methods.md
+++ b/docs/production/authentication-methods.md
@@ -34,6 +34,97 @@ Each of these requires one to a handful of lines of configuration in
 `settings.py`, as well as a secret in `zulip-secrets.conf`.  Details
 are documented in your `settings.py`.
 
+## SAML
+
+Zulip 2.1 and later has beta support for SAML authentication, used by
+Okta, OneLogin, and many other IdPs (identity providers).  You can
+configure it as follows:
+
+1. These instructions assume you have an installed Zulip server.  You
+   can have created an organization already using EmailAuthBackend, or
+   plan to create the organization using SAML authentication.
+
+1. Tell your IdP how to find your Zulip server:
+
+    * **SP Entity ID**: `https://yourzulipdomain.example.com`.
+    * **SSO URL**:
+      `https://yourzulipdomain.example.com/complete/saml/`.  This is
+      the "SAML ACS url" in SAML terminology.
+
+   The `Entity ID` should match the value of
+   `SOCIAL_AUTH_SAML_SP_ENTITY_ID` computed in the Zulip settings.
+   You can run on your Zulip server
+   `/home/zulip/deployments/current/scripts/setup/get-django-setting
+   SOCIAL_AUTH_SAML_SP_ENTITY_ID` to get the computed value.
+
+2. Tell Zulip how to connect to your SAML provider server by filling
+   out the section of `/etc/zulip/settings.py` on your Zulip server
+   with the heading "SAML Authentication".
+   * You will need to update `SOCIAL_AUTH_SAML_ORG_INFO` with your
+     organization name (`displayname` may appear in the SAML
+     authentication flow; `name` won't be displayed to humans).
+   * Fill out `SOCIAL_AUTH_SAML_ENABLED_IDPS` with data provided by
+     your identity provider.  You may find [the python-social-auth
+     SAML
+     docs](https://python-social-auth-docs.readthedocs.io/en/latest/backends/saml.html)
+     helpful.  You'll need to obtain several values from your IdP's
+     metadata and enter them on the right-hand side of this
+     Python dictionary:
+     1. Set the outer `idp_name` key to be an identifier for your IdP,
+        e.g. `testshib` or `okta`.  This field may be used later if
+        Zulip adds support for declaring multiple IdPs here.
+     2. The IdP should provide the `url` and `entity_id` values.
+     3. Save the `x509cert` value to a file; you'll use it in the
+        instructions below.
+     4. The values needed in the `attr_` fields are often configurable
+        in your IdP's interface when setting up SAML authentication
+        (referred to as "Attribute Statements" with Okta, or
+        "Attribute Mapping" with GSuite).  You'll want to connect
+        these so that Zulip gets the email address (used as a unique
+        user ID) and name for the user.
+
+3. Install the certificate(s) required for SAML authentication.  You
+    will definitely need the public certificate of your IdP.  Some IdP
+    providers also support the Zulip server (Service Provider) having
+    a certificate used for encryption and signing.  We detail these
+    steps as optional below, because they aren't required for basic
+    setup, and some IdPs like Okta don't fully support Service
+    Provider certificates.  You should install them as follows:
+
+    1. On your Zulip server, `mkdir -p /etc/zulip/saml/idps/`
+    2. Put the IDP public certificate in `/etc/zulip/saml/idps/{idp_name}.crt`
+    3. (Optional) Put the Zulip server public certificate in `/etc/zulip/saml/zulip-cert.crt`
+    4. (Optional) Put the Zulip server private key in `/etc/zulip/saml/zulip-private-key.key`
+    5. Set the proper permissions on these files and directories:
+
+    ```
+    chown -R zulip.zulip /etc/zulip/saml/
+    find /etc/zulip/saml/ -type f -exec chmod 644 -- {} +
+    chmod 640 /etc/zulip/saml/zulip-private-key.key
+    ```
+
+4. (Optional) If you configured the optional public and private server
+   certificates above, you can enable the additional setting
+   `"authnRequestsSigned": True` in `SOCIAL_AUTH_SAML_SECURITY_CONFIG`
+   to have the SAMLRequests the server will be issuing to the IdP
+   signed using those certificates.  Additionally, if the IdP supports
+   it, you can upload the public certificate to enable encryption of
+   assertions in the SAMLResponses the IdP will send about
+   authenticated users.
+
+5. Enable the `zproject.backends.SAMLAuthBackend` auth backend, in
+`AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py`.
+
+6. [Restart the Zulip server](settings.html) to ensure your settings
+changes take effect.  The Zulip login page should now have a button
+for SAML authentication that you can use to login or create an account
+(including when creating a new organization).
+
+7. If the configuration was successful, the server's metadata can be
+found at `https://yourzulipdomain.example.com/saml/metadata.xml`. You
+can use this for verifying your configuration or provide it to your
+IdP.
+
 ```eval_rst
 .. _ldap:
 ```
diff --git a/docs/subsystems/auth.md b/docs/subsystems/auth.md
index a2173c3a98..9c7f818c66 100644
--- a/docs/subsystems/auth.md
+++ b/docs/subsystems/auth.md
@@ -56,6 +56,29 @@ Here are the full procedures for dev:
   `social_auth_github_key` to the client ID and `social_auth_github_secret`
   to the client secret.
 
+### SAML
+
+* Register a SAML authentication with Okta at
+  https://zulipchat-admin.okta.com/admin/apps/saml-wizard/create.  Specify:
+    * `http://localhost:9991/complete/saml/` for the "Single sign on URL"`.
+    * `http://localhost:9991` for the "Audience URI (SP Entity ID)".
+    * Skip "Default RelayState".
+    * Skip "Name ID format".
+    * Set 'Email` for "Application username format".
+    * Provide "Attribute statements" of `email` to `user.email`,
+      `first_name` to `user.firstName`, and `last_name` to `user.lastName`.
+* Assign at least one account to the in the "Assignments" tab.  Uou'll
+  be logging in using this email address in the development
+  environment (so make sure that email has an account and can login
+  to the target realm).
+* Visit the big "Setup instructions" button on the "Sign on" tab.
+* Edit `zproject/dev-secrets.conf` to add the two values provided:
+    * Set `saml_url = http...` from "Identity Provider Single Sign-On
+      URL".
+    * Set `saml_entity_id = http://...` from "Identity Provider Issuer".
+    * Download the certificate and put it at the path `zproject/dev_saml.cert`.
+* Now you should have working SAML authentication!
+
 ### When SSL is required
 
 Some OAuth providers (such as Facebook) require HTTPS on the callback
diff --git a/static/images/landing-page/logos/saml-icon.png b/static/images/landing-page/logos/saml-icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..13fe0e8d17fedf40abbedf93d6504dc440cfbb55
GIT binary patch
literal 29323
zcmZ5ocRbbK|0m_9vXaQSgix|K*NUi!M5wHc$ey|8C41f^8Cj7iD|@?{m#k!E?>+9l
z_PqD^zE^$f`}?Cu-TOZ0bzZOM>-iezyw5H4fw~I$IfipYL`39w?<hSaA|e3;f0)mb
z0^iW)r@aRLB6GO&*qMlkj~)Mq7@8^fl8A_v=&q82HgtG(43=cz>OG0uO+HE?zIf}_
z*HgmWGq<STJSKL0B!sopE$n?z>h0o|)3jFBU-izV6fs(G(WYE(`&nPv@bG|dS@lX-
zptAq)6E5wtRyZedKt7G}#W&~fo+aZDzI$ih2Uj8f>`e!U+w*m}bJxQDswp^D;Pgi2
zLdv0g=Ym()_1N|~qBMyC3Y*2SkbD}SO1C6?l<fx05EhA${WUlyyx4!5JL(OZsP(?m
z&BzdU(<78Sb>YWJ#lmZBQ9-RKA-^PAaF=<A8c2Kv)6;hYLL?ZjTn|vnu>GRkHkoa_
z1P@tUSzi)|00YuOp7lJ949!eui*fwPuSOIAk{_6vwp80{3Fo=2%5IY1(^gumSs7sc
z^`M`H+Vh~wQ;dOuXo~p9;x`EfS`}P*Y`BQ+mzLI+3`e#*!0c~IBpEpjw6&-Fub;jP
z`?X5J3L#Ry-O@uFk?~>b;`QYhsBEesdTPezv%mu-(hzDumcWM}i_En2s_f~#*{?D5
zk_>Fe>$zvnQu^8`xAausV<wL@R}MV&OFJ?eYZb97$l;47vb3{wi98oM{xwm7p)84t
z%|GZg6`1H2Nx)g)p%9p1Q~fM?d2wK`^NY*CI#wZ(nbeNnq9Ut3zMr2OMZO-9nWUlu
z%YXkMXs>Ol&thkLKC(od&5nhZO-B(>=#rFJl&qrZ?Fz4RPhMy#<%WL0_W0xho0xKe
z)vrqwL&ev=<XrV0lPPDUkcSevlaa?gQ1GebI1fnWGnqLE(X&%Z6Ijm<3OP$00Adv*
zqCRz&Qr?D$?KCi2^bB%avyvwE7g0;tYf-UJBn>3-Ha1&2rj4YIX_r;RKNT$D-NOW!
zqE5?bKwT&_dT=>DF{6CZU<`1+r39d2#CUn35TuVX8*!hyP-+!KJarYqIyAW$`8`ux
zoSr=Gt{qvNi65HiO-N+El}+y1xQE1f#n;#dwAsymH~@mfXqeXToiU58#t(7=Gj66A
z*_+<h8zU-0E#7Fg@>Bry+&>#N{?(17Rh;nYN+h}4r&D3A%!R<CD`ZjmP>j<J%6*bB
zEBhMgm4UP=Kr0b`36I7(ZTUp~pfe35mbV;ovq_Oc8N?iR-lFmY^ydI{yiH6EMa6W2
zs<nudELF94{BjE^PX~Ym_9yio9~Z&=KMiC0v<f#rXK`+K^FdHG61z2<7uY(>${ASg
zkmnmnvIQlo*i0V%LMSkk+l@0F?ygDmaf8RdVk!`FB`}yGc5IEAxyKdLjKm(q%BaH6
zzl{>^l2}J6GLK%Q&aqJfO%b1^V7Nplo#JtWR9x;d{_mGZ=+8l<w=+)7jmBxe`nWP3
zr;9^yEBFF9EmJeq_D_C&mXx?UQO-{)ZXboRAHAe;!6qtMLx$ELE~B$3=RDYM1U}y_
z&Cj=7C&Bl$ild6JPC}|nqOo2+Z$Ovi<HQ3%P(AU?9=0VC(=?BqK4cVcnVjz|++4~c
zzo&Flzl0k<1DGkoSG70iIP^1<^bGN-1`;YJH4c$FgrgRu#?cf~^dg2h!M9oUT@z0n
zUu63`K5DkJ0E<~AB1kjvQ0)5b+I{FrqpCb`EeO}u;qN|$mvI`@_6uQe<OQ2)so1S{
zL)K0l+u4c177RR9RP>Ll2Alf}JZ<&MTt3VEmd5?uX7q5ZdS<*D6?M2?H{xsd?NNcZ
zt^V=wU<)ud?<^h{Uwu*)-3nel6UBhn7Iuw*UrvLDc9ZSBv}`W1-Wo^0gV_sEv9dx~
zwdw`=*>sef?klq!_`erN4%$`ouGb#gd5WD&ugzf3_gS-^K~7*O7<(%v*>rYYcUJ{3
zu|m>f>kEb0<{6^5@Tddh*Y^%=%W1L1KA%@S_S<J{QBXknCvhg%Z0wbCF9Qpu4fPbV
z-H3bS$`HA=3SIuZx4~PkH+JVo&!g9=byGnE7TrlKQ<~ez5e+&O01^?B@W|MpDY&N0
zF0(uC?dG*sHZmQ3pOWE%3FZyYG%_cLl>;C8E})xK;0LJ5#V@2tr;O+nti6wLo!3ep
z!FQxwk1H%SkG85Om}_z4&$pDuG|68pC=xf2e7eZAneKGAKT?^U7occ(0c<-5vpr(x
zEJ-W+0<{=YUOU5#DJw^e$-WlxzHuYYcnAl~;$&jxNiX{TY^Gw8i1-%oj<Wf-Y2*hW
zu1Zg<*#AOC+c|hWa(I9wa<3-3`}UZH6*Bp@zK0e}#4RE3`#=sXf3|@{JuK?clsi+~
z5^kV;`aEod>y`hfGp(LJOL6JDNS_YlkLLE;DaVE1AFx6KKrcWl0DNTKGk3o4ira?C
zVfR?7RB3q&9eUECxL_YqzNgbxT}?KjA+&smTTpoqz?U};CG>S-U)LkS;rw1Z8q?7r
znPC5cr(Vspn3Ub)hc2~8bENFN<x1wb;A$fvCHXDtU5Tw_;>)?$g!Mk0Za1nC9XRfs
zpuZrrP?dVrwzuR~JA#FmtVVtxhxZ4anj&t#5S6L<cuw!R$j=^Jo_#Z&tThX0XkfgD
z8s(mP%tH2rCAJ?PNf>!H%3X6v!Y8KZ4sy~I4vbtVy0Kx7q1A2j9ADYUIX%V{OTI|Z
zJSrnY+y<=C6^Gbs-jg#rNcUqc_gS`>pp`q$ce@f&^2;j<?VCgz+&M#bfc1Yr4acEp
z3Y~+iA4S8?cN<(n;rc0?&2=jdADPI~#vZfi$Weh``!80=-pFARgL9eS>bx;?{N92C
zV|JSo&CX-na#!Szi%~`U5MIxWq65e35AslXF@GTONxWl>bh#kAqjyx_nUm}Ez!EPW
z@v`@Zr`%6x6;b(IA0TEFd!EIzD;Qzl)G~dX%ktSV!1T&lqf|@?583PS52aImq_C5w
zIVSBhaK;O7diRUsnhU&L9s#+e)%aucGN^&%2|crp<i$Rm+eDZs>_D=6j`anQ84IWB
zCKzkwmMd983lIFzzMP=oM^UHOCJ_7sUhB?<SQM_ySiZkV9A}veMR{gqG`4Iu=^X>=
z)1+sJL*m#a{o!(#VMn3x>XLIUKk&;Q%I$qv^hk(Y2*r$20)fRXF@L-1OGrhJ<;P4M
zs*ctg+mZRm;l|0@`W~^|-FR`#8Ky6^btECTc?7MoTh4{+6y5W_PYlYBxJ;Y*>jvdN
zT4-tO$cZtW3jnFfN&yLkD^lsn4r+o9wpaLmCOQ}_L@%Ha&X0ijY-flM?M8nx0&3=C
zTY4(6K;dLO9d)@%lTb$VyLu!`xZF|Rd((v|W>ON)7gLoBEd@TaoQJYMOJv#d-Iiz@
zNUXvs%G>VudE>TVGjO?mvO~!<ieYJ~>0`u3eZ{gU0LVwAts6D?fuc(;1!HSWA8r>$
z2is`Vpg)^kY;+Jysf>CL>y!Vuqy_W?Jmf$%kD>&|(d-~okCbw8Wed*o88<z9;Vp--
zIe${N`(i2V5MynZ+>ns|sh?kFS0@m114ly(CdcKtabx+$nVC+&N#l&n%*>?hGM?-v
z=0<Ma42phe*8a(OUGgZ#2<60{!ewzE-ZIG42j3qzlj&-2>Ku==guq?K9+Fcrc2k2n
zXqox)?#W2`Xt~I@PtUkDt2F3)1fp3#FX~YP4+bV@;K<ZmY`~)LWh9b6@5tDtcGaAe
z{XSpqE$C|{mkR4g(>;!x!LZIXr>i7*EIv)_lVGC7+<@l~S|=C7zLO9eJc)I2Ir6wb
z9!k-w=2ha>bRV&KIL&VRK7Hd`y@H}bM(LGPiB!zB)P<TZArw8tLqZ}Ya&}mB0djJN
z&s*)+n~-06$GN0a3i%nP=1N{%s|!@j=_E~{$D-nFby~+AK|zk6X(P`8F<xoi52RiP
z7syp9R{ki1m#)$6`4`<(wAVf6-c|P{(^4`}GXu?|5n-8qN1M4u=7opl5VnJy)VT+`
zI*@EPmn~&;no8B2H}I$lD(2UUv9a)p;*I+8Y#S+*_@%yZTFT`s%sb9hhr1{`=GUf*
ziia~Zh|Q;k6Sf6f784*>i)Me1)5w}^2o;(%<EoS$7KH#mB~2Bef9;%XK-YX9H?u1<
zl@t>46tG?4P?ic@0+Bjs%yYUOyhwymh_($2F~s<x(;oFWy5Q9akvkfj2s=d8BIV`l
z_1(8cF*%5RY7zw{^9dDuz}w1zx6={`1x+`UVp>D?xJ?h2Y|nU>JKNkIs&({}9~b5~
zY3Y@_3UJ<(n+hz#ei9<5si{{6#;MDX<`&46h+SS9xU9ZOY%Zvou0Ra-^a!pSM3JUK
zk3L4W!XZb-O4@w&&ie*}qv%waZ2pRKoJ-VxY~6ZFe-QDM0(*w({a;Gz{RgnU!@X6O
z{n56V=D1p+%PG~|gg-_v-9?4??7t%pqk~z#9N|!Mm!#bw%=kZWFWfW!dr>tgM1F+1
zy;rf{WcE{F-=ITJ8UWg+0Q~7L3-p8vN^@DGEQhW3Rkn7@rR8o)gSY9Lr*#dflMVR8
z^TYYV0vGtc&%#!^m^F}-G#X7nC<9^75>d~U;-GK7S8=dtf1GdOB`|!D4M8=2at;8w
zhDPOExl}mQQfpRv&66PZQtwj;i(S<}`rgiC6laif7&<jc14pt?z_`Kg6&rJU?E{57
z33A7(ZdE2F_xtzgMJ}DC{B)6dUBCIR&#^yZwd(l7;%XIle$_!@#m2JrIULPmJr@`b
z_>F75dKZi|RF0~hz%^x&pU$Y9p>6QLejB+>U8w9LFl-@LEH$uO?f)nT@NUk`mmDLS
zaQ<q@<rGi5H>O{mkx|guL&|3FU98q947JO2iMJ?s_dceM5}GZ_)r<@SoG?Ourolf{
z2^ki$_bS@BWP4)2taFz4$B?V0{_afs%=erENB4FzAR)5sPIzkM9u70>+<G$UjdL}>
z>Dl=H!f7rK_{bU?BwJKU=QhxMz3L$avA`$xengU{-@SYjB2F-B-L^f(U?@I2S^8yD
zRlx-H?wF^>>TqSFuSgrp`$(&&-@I6otFp47+9LLuJk;UKq8^Q1+{vm4><1&U1nXDL
z;YL^Nk1=zO{r!XV5!WkF<DS!91!L53$n?wF&XCy&++J2*i{Rz*k=sy#=MEj=-(y;D
zgShthP&jx6PImC8_|Kwo@fK;=f!vd^>|(qox^+i`g>^WV3(6!0?)^D4iU{lk`RQqr
zDTVtzJuH9%^aI|<_A>*bFgsR;wAxyke9w^$=*oysgGM-`4Gw$kxG;zl1I9$rGcX9T
zlB3sYao2z`K)!A%x_-m0W+Rsp*exjqFB;qU`@@m;M_;N3&QcKHvh_hx>W-lN_T&Lo
zU0eb|Bu-&u!$=+PU&*gd2NQjGj*oQ}-Q%d4_gc-tAo6pR7b7SrNoU{MJ>J}}a2|U?
zqRG|%u2yioc6#A{s}MbFdH%jvu8}?Eo!Xl1s=A72&E1S=TV@pe8%TPH`8@y%AnnI&
zGAw2EtM+0sb-NSv=jnz;Qp}~@)<e3nn5=0{xB4&P@X;+f6O4I*2vrDWK=2|JbA-Jm
z4!ig55EtIA@yW8j!FeW#R*p{BaIUPv-3jNt+r(>)ZOF^W$_Aj3-9*B`YdU*WEN3Zu
zo{7+Rb79eL)7Zl?DYqNrn6A{&mHb1pn0zMWZj~#HvD|wOb_H<a#&=yL2)5lwdJ4!|
zcLbz#l;$Lv)BPRCU=uQ!P&h8%FaDz{9YV;iVhW*TF?gFagQ)C+EOq(l#sVKA@fD@d
zqIlkcrs|*k6aZ=tjpC;#Q#U6l4s#9dH!CSGM@qw%<(i%rY+mqZt8yNjXvr%-3iOMg
z^_&rg&A#EW+5ls&La3NIrU#y4+16`%4RSfZ6c_W1@76KqIb9lkSI;$FoO-NnGbCgw
zz`2-bzZUK`fp#Y7OvOxvX=MlC^<KpZQ_*Zixnb36Hk0K{SubwH798<=%5hGyvmCGK
z)%-HZr($VPgoaSO+4aL6Y!+G%s*`AD?Ck99O$N)_u*EuL!=`5tGeu2gdS8v7dCkLR
z?OCZ<Lal{Qr~8+9&+*`RUdj{;r(deG+N*NGm}3&;4r&(f{F-hqi0D4*S(y3R9Otgl
zw^zE7kc^?_x!t#ZzQ6Lq8PjG(m)BpDrQMqBk6H@$+H51o4+dD^Zitc6<(kETr#Qgi
zO>5G0(zUfUj3;9EE@iJ7TdvnxN+r;3OsK|@-6-x`EopiXS#R~kv2)?-usFj7^&)IO
zEaa*E@p)n+e;y-OS1+_b;sst=r_ZsAteSAh#@EGcK`GgT=!whB5!OSc_7QNO+479q
z+A-s#mSf6MMmUu39L-D-&y?RHE6VOTec@t~x`l<V*L*MRa&od=Z2MAFZ1@-Cy|{XZ
zbp<b0h!Tj&b<hAu^|YKq`SYc^mi;F+dqv9{g)(~)!zJZzO)7F5BZW|m`M6@%-f)$x
zz<SjR3zI+y{PfUFG-`1%G6Y3W#%W?{2|L<|L@au2X;tiO+lTDd?UInbx_dafAWP$R
zoYA|v7d-$@#rCD1^W@CP0<uxYvsNx1@P1?zaH>-sZJfS-)G}yd32o(-MebMaJn5<L
ztKF?-39&Bl_TTN3Fj8z(bX*W0C6BnfRM6!IR7*jr1N_OBF<Vg34l;Q{&ziNxacyOS
z3Uz$DM<IE7hE9%ZuntR3YBI|5DmU`Ohhx%Lp@}@Q0ibk$ri$%w*wRIw9>2ZTfDa!&
z;6LIq20~h)XLYocef_`=k(_7hW#E~&m{yN*Tw|;mY}u<?sXi`r9;5(~O)ElQ7cK%F
zs<jd*#&tv&SFS+cSXzLJ+{M1aPr#f96gQf%W=(pZ4fD$V+!aj)?jtB1+G8yAa($TE
z?bsCIN5vch@2Fg1$@37nrkY-~ah0Im&5E@g+(@#EdW~o7Vp=R_N(MR__lUA77|qH!
z5JK^3`qwx`ROQy2b|nyRB)sc<^@S$x9ghcDdwQny0ic+Ym&T2Wz|j>)eAozfzFn*^
z>R@@bhFi8`W00A?q)$cmsBm$$rq$D_Z_pODX$~UQDy@-ny9E`fU({o!7N;ls1o#rs
zAEi0GP=bV2V+J9-2?H$QYs|5xj_TF**?1IERup7LA0#VYg#c94QEG}*e)YL(^SzPV
zK6E?BRNd2Swvi<~@O+o6@oTd4bV-aX`)Fj1oQn6@erJKSKz1-=j`Q^Zkf;)pF5<M7
zD9}>YVe$$R+O!el+r=nH1DS+g_h-6C)7^*(&ys`fNPF+jFQDy>Ge9blaCNyEdA8lZ
zulX3~Wpsg@@_n1q_3;f;`*3Tcg{2;|-qHe3#hN+f_<SuxCOrc<>JYat3p%r1G)zJo
z2%1q*fkEY2T}?8cHwV(WG*@G1JTIJ1*vZH3rBt9_@sUi8-u8B{sze({ETXlYmY1=x
zI`Nll;|WKU4@O2tX4nyx--#9Yyk^C9Z+m)rZlFdCs@+-uO$ta}d9(y)y+2Q>d>dFo
z2jsdHX+M;9g&H&AGsK+R3g6j@+OtO-S(7$MMjSkSm~4F&@}~TW%L5H*x3vfr7}|29
z`!uv2Udzi@J1Yb_UFo!RE$-2dCkGbmy#<1|bQwr9Q}v0;LS_`99JXuUf*wshX6_pj
z$98F)<F82*9^Yosk)UtQbUO~Fb(}hr+-2Tn-Zw$sUrE=%UJ2|MsKu|4Eq9WTu#X=)
zquf|0>0k2s7mm(~RX4DgF6uF)^eeE-W~0{OA4nAM+N*gVZlrG1P&gHAHsnKrf8RT(
zg}4}VuU9?w`axynki|0<eGe$D<mw`=$BaMgaK`|aEz<9BZ%O=aL6N|C?3<jv?iV83
zFjw^;G`EdQM|j9cqpkA`-{k6-EhLQV@V79fgK^yI#-*@KC$+4@6d&WpW3hx@ZfExC
zm*qpW;M--KqxE5=?#7MYcPGv+Ft<+t;d(9$uMcv=jq`Zi=i3)hWbsESaYg7Q)os3W
z?UAP=f%Ib(x0>o*FL{23*S@YxLH=s(T<2i(E9c8n<qD=Z-2lZkO8_+1jc=3Kx;qIh
zam6B5EbP!}^5=4DYuU%Qg~d6JIW~DUD5R(?Iozr)f&)W=gADgOtRfu-ZUt~{i)(Rp
z(?!rn-H#|vom+b(quZQWP;ql;*L{u&L|!_aoFAYvp3(T+DRJ8G{_eHI-XE#Q32xFv
zcN)5}9n~@3sd8W2WGNZCo;y!PdzPyNAiIA)c$&f#VbHyLZ=)M~FnBY(>wFc{X^sz@
zukxYC*6*(ETTE<s@Wnmtd0YP2bv+2(8dplfr~_<^*%dOzwqd=sr>EBBFzO(pDE9@a
z>@4$sNu~yN@g7HSrBO=`%OH^0Sn8~d*u?m5mtH(N+2>AggY)H<k;CzXSx+pWqBN1^
zJ0KP%161aLt$YQS$o-<ZHr~62&--PwWX3l*%e$}Lw|DP#?EyYk%DK%s<?vDvC7MTe
z&Nr~H^avI(FpI_XUV>vMqm{S}?IU+~UV@13TG`vf%WIbMy4-*0Ip<)W6<4BLbNi>-
zW<`1oa3!*p)g#)R20GGrMxKtl7+kBP@x)DRYwWoH&{l0=rw&lLoX7m@s}P%=z(tYv
zA3q*IDs8RbUOYrt8x?n0f!eGA;XHAMv7?8$HruDBmX@u=^1@>el4q_$glK>b<aCVk
ztLI;AZop^j9@aLUR^QrTfvKc-Z+&e``gHj57~H_l)8n{x)$fP)b;FgT1MB?AGwWt&
zsHqDllL9foN7r@#d9;JVR5Y1&gW{<deju=#ee=x3(>322(<9NrPvz5?G+N3h>B6I>
z+R&1R+lh!dV8M|hTU8(zafyypeDrj5Nh!cQD^WEnl;DFPgg-mi|3Ev~49%BSl{7gW
z$^@w7q&L=4Jeludfh3Nm?hg;@uLK4Q*33mN<(>WnrQi@=-K7HGhf^F%S*``Ie`9YO
zyCvRiJ@nyn0b+i5)-LaG(bpSX@)ocq<MTj(H*?7k#D$OBy|O*T<LuW{N!pn3YdGfu
zD6*}tqy?7Qj9gR%1-&^~`h@mnXkh=~-0;Ki>LJ9kbgp0WYD31eo<b2w{hP}pRko@h
zMH(y6naN_YjW1kMCa%!ciR9g%e;NqND<Afuoa(t_&1RDSEG-u7nm{{Q`)0KAwOS%0
zU*$z`<X52REQjcsa9Eb+jg%{WzSQPrP&xa^&?UP*R@E@JukzW-OCGRU!<%I$>M6}~
zeAmDjc{)!_1aj$Vx!jfO2G2{4>$qYSc`tVu#rMtW;J*Yaz9F<|vSnGHdP;B(sJ8EV
zT0?k8$~ekCA8i}D#QP2!Z618=q85vfxoSOXq6_VtlRsD9b&VZs?)+p>1hE{(Q@c1R
zGm~@&T+y75j!y(aC!Z1+pjc+3VbMI(u*n~BW|I!u^XwF`D%JU}$FIA>g1y0J?HkLZ
zz>-soix2b7I`hY>-|QC~dSEgQ9pVFY4N|(uuRN6Edc$b_#raMEvWX(eVMSkvGc$4y
zw{y;|_*GkWjoZ&5V~Q&?m#Z60O@Q}*dRM61BThfwSe#dh85Xf>CgEK88P0!ySs#-P
ztkzw$tbcLJad;7UP54OpRqoxTH?LIr>YC0|j4O6U&JNv((@(akx+>9@=nzW#_}GCr
z_RU`LlQrMZh+ynoA&v`@<{D+_)NjpgXx40cDNZli{Aro}{rPT>P&5(h>Von{_ch%H
z)6vDnbHKA_ji8`(?J$lyKG)B*YHgWxMsGUyP4;}V;$mLl9clW6hOdyV5fBW!JKgQx
z)_xlV<(CwHNWboM4HC6*k*CPc63YFs@^)t+|Jv3oMP}`B)fY+PHx}-+-i*^HgPZpB
z&;kNx%CIW~E-8B0pXX~QAH<<61QIq|24JP#{vFP3vFMPqfGQ-1GzTvX7vN_p(S}Y@
zA070aVm+V)*6N$wrqII>aefa2nROK{k7_|V=$SX!OiFi&_M^XHDRP(}OziDNpYP?S
zY=!stOJ<|*bl|~}#PGw9RWCXR<Got=Aqw#7>!!-a<h<7CkNlPQgdq5Lv5_HjQQobW
zdBBr0XUOynlf%!!Pp6w2{u)*6S{*KK4+9B2`<x5K|1<plc<x=yo17)Gx*t634gRNE
zV=Yp~m@`l3n;JsP(7qmstcMbAkj+&)elhpn$H_7I_m(J=`@)dJe&j$R;zUZB#n4is
zQ(gs(YA3(vWG|(qbSq?Y3knK;Q~9F(6c6|TZdaRa0sdj?gJo*(`fV<_bMLq|_G?=%
z6#5+GUb-E;u0c7ee^=q!whf%4p;1`6wfv#d=RKpinxl*Sq9Wg}@gq1wokJGfUz@f;
zM%ZI%;g6;gn2CtYx<~Jr#kfy3W>mdcP)3SW&eu2kI)^x)z5UYk9Al@J9tHrbvTS9@
z;BE&4pL>F8UK;fcRNi!|;*EuS0v5DjUK2&hz_W0f?vI$>dvb*VEq7**3az_^4Xrow
z(Tttv8Np(2Nr+wx2aa1B&eFnTpD9Wb5$y|>O9k_Oyd^8|0Q4vM=m4j4AGMvBFHSO@
z3axknd?gB;toq+R^rv-gZoH;LL=@kC4&L%u`s)XAws+Eo*CQVO(x;FJmI!|R4oFOS
z=m#N0M8@jxZJ^rr3S~`>_X^*#-6Qkbcf5ul^UYE<?4{>eLqPDz!YQH$0)bVvcF{VJ
zQQ0^XCvUMyrfH^%!ybh{cL8pFIp^v*b}K+-d#93z`F*@(ydY86)dvDRInHCFJl~xm
zI)VKZVX_uP4itWuI`g_*b!U$$-yG7yt%%1b<3F};p3%JvOz67Gu@=OZ>v3u7VUB3j
zZ6cy`e7nx$`oSvO^*7p?f-gP!{I-h@zxJt_$M1H7&&_)`o5q?_5&0_3daS=6L4O@q
zc&ML5j@MtlOIK#2X1cJY5JV(z;v@~~GKXrjuuLpfu#;upnLV)K7bOfMm&$Q|Hr2zC
z!vx%N;J6XzJT)2^+)wca81YTAN%FMe+xACrh-{@-tZAf(#f9rflEe#C3smvnlA!lf
zu>Q`a)6Yu%wHGej9rc+=B2H3FQZ#0BDqoH+SIyIrYyt3rInRs+;3dxgmZ<(N2avdi
z(VP3lw)U9B*ZHi#Jd^u<FjmpI5HD<Y;rwSWVmufEnw5{YTiY{ra+tJ;h+a=rI?XpW
zT7fFAkrOb;dK(T1%7x}S-6STGuUqIyprFiQrpoUo#jBBaIl*YV^&kv+14%_hGz(i#
z8X8&3Xa4nrQAav$!@uU?^-wu3f*h@%l`oAIffH2?*k#;I5dhlvLJ}gP=6FR5A;^~;
z=5{9WKSGV!-aT6QnGn+tSSR&-vgxtnIhZ;Dr)812_3mMq_Ph=u34{SjfR5gDe3C1c
z5Ex108_P*gph+z^kid15OV;YipV4~KU!NH&jZRAVY2GORcz3d0l^k#N0~K-Yg@FcB
zrXAp_i9GSbKmr-uDw>Rvh$veNYWAX^UDd6$N|tS2N_NuhS{xNXn{Q13r3wen!e{cF
zY`(>71v&7j5tRBQfb3F&noU2<Syoh+Vy1Hllk^{Xc8Y+lWAbD7G-I6|06sNf9mj=X
zUPRxQ1BV#%D3HV%I!h8j?kw+9AbN6uz4X^u9Q9)$thsn3<^rzja}pECv%WCOOAcRN
ztJRU9AR<cppi^=%P?cwhaX4>4L}Xc$Q9fXspo0QDP4C-#{hE_^*$M|iuS9`e!`?42
z_jVwlZqZrcxLw@|A$7|2$IquLWlqhefrDU90qZ+c-DHG?gy$!Z^Y-Y<&6+c+3g<`*
zq}5#JCoN8(Rcj;98#WvN0=NX)S)WvY!a~;MN@z|)W3lwNfcho^FIhiSLVFt<KRF3l
z3s@83No@J~osE!v^ZW*_p>=#y4e>Y0)7hw`8bkuF;Zr{Jmo{Ki!jG-{^PP2lR)K@`
zL_|U#K09wdH?lI<l2p^ap8mE$E7;&10nQ&bJnSZ}#aQ$EPceAEz5r&&;N(lWE;&#*
zQurM#=XUjk(}JIs0>mo%^ul@TxuKP7?I11Z2kkFjndpVn1j-I2imBLtC**e?pb;9R
z1(r0obIl)j=zN0tI!vrJ1#$=C<;SnegG6PVDns3LA;4T+rJK7R4cZpuFN02Wp=!@@
z-th`n(OV<hJhMqk&>+`(FRAv*RAIx)S-`3Rw4|rvE>t_t<{gyz*~UH1d(%@!*W~g~
z6JW`_W(^W^*>>H%AhvAuW097!d!2~L*UNHow6<sJ84RQryHZTZ0+vxhU1N-w!Trbr
zH;-c=*y(_5vKM4I3x?AgN@vq(%$`Y7^qtqECa;?P5*_!XvI8LhM&>hMOaQ)!)lLcV
zWK#}W09@<3`U65<J^Dp6?nxdxQK8m?{7<TB^^J{;?-suS(SLqMRs&d<HI+dquHZ0J
zr@uXS-lI0H&Y4vA4k3H~;Bd}yKB%&43Ih^O_F=?_w=JnOC+1hkvK_4KGnR=i%3UNP
zYITG5Ju+x)R3!PJpwD$eX6OFnb)9X3tIsaWJmbFRln{_WLZDwuZitku+Sl>l7KDAs
zcRs8N3~tX&^ZOGDoBi8PIUa^q{VSz@%3TaZfZd-~B10k{p9i3zv;5{#KQ~0k1SMTz
zA$kVziEKW=QXn1CQmfYR5fMG$R{i39d_89{Or>D(G{d!M7Tu~#1Xi%-c(9vvYQthY
zZ28>8d5DO(KUH;Xuar&~j;;`szxmGm^yuqFJbhSmmW2jWHwg3ra@-4H&~C#CulAP(
z7YdMo<hWCb0{9|C{3Hvw$dvls{sCMDtOH5wp$XEiBg91Omw|ksAm+`znENsLSh4NQ
z@QKzs3xK~2@C7#JnEX=}kf=!#x80Y2r?--UxARyna=76Pkf!d&{~U#VdEY*!Ovlif
zCqQ6IYtZ%1W3E~PUkeI@pLa9;fqg|SllW87G(fAqdg1Q1sIhJtMr!JjmsslyEKIWN
zD9Tl)h@W--rLeE+^PA-&^{{Mh+yrcMptErO+msgWJm<E>`$_wUR%n!5CQQXY%8v|-
z&AbUV)%?<E?Urb7^9wbh_kPzdylkj9V^It>cG=AiyY7e(vp86VE<IjQR%()To^Lsl
zboO5S)@Q&%ecVX_m_b2vK4MK8D_XWT3MLr==a3>(hB<G{+`pijby)UrjpoD8(_DwH
zSZt?;?B(~VUN&zKxEGwsnPlo5jK{|@?vX+}$FXr)rO1weDF2&alKa|;kB`vM)yg%@
zFXs`BL+{OnB-+h|j>z?Wx)#-L{Ywj}uKBEfoTBod_4zdRSe_6{1H^iCs_z44az5B}
zvJGisJTgx&3r)LD(+EK#`|6CmLMSoyvmFVtJbWpzXD;0cfqcC_UZu&cuJx7mq263H
zz<F#-d?Ti8?H7303s(nq*la}drCK#NY2oKym5s02ckT+~>GHl^bC4OwQmuVnqDy1P
zbyscg`h1Lm=bGsF15C&G7$zCC9tIMZyHuSD+nFU(*}oJMWeP(D*fXF~KVuFxuw@J|
zTu6wM`)cTT1@8Xi1FVx$rFJ7U6@5O78Aa+1BZ2!p_lC{QT|wEGEyhdsJHBo<_3apv
zInv*<uar9|ABEk#<x!nqa`6<h{98byX%P?De=2m2W4*qUve^w>!9%KyQVpTuqRVvj
zk!jht$o10O|GM#P&Of&biapaa;{Hg#Fnh%Kb=7@<psI{uFg}0XZlY;<uRXSjt}R?&
zx7Xpz{PN=GRoSLs;4Q~=#+~_YNuF^J%*u2>f9<I8>moALW_(AcPHjtqi~kHG|N2<=
zzEij+Y^o@S(+AO>pLl%CSN)|?P@ZoU?8Ap${^07kFpoM%^>BcZre@SiXsWPJB1YfA
zYnRb9*Fnwf??SD_8#}7ws~2wusE{;d3`)ejvXw4F+D>5K&+Iy={i9Jf@x}sU9RpoA
zf_2=n?fn>8_}d24Tbw1x#!cxv_2~Mky)N$+)3LD$n;)g)J6^vwH5+%u(e#!ByCa*L
z!KS|Y9xKfSk>g!CCS4JaN&VB`|B!`;=0mp_jKXY;SLXMo2XRs_<;tZQc4;(tSaf8q
z_OPU2lFkDk9u`*#($-9A@d@UM5$uDbtoDh^W1IXUtd}0!t4%uPh)ogGuGAey?)Bl0
zGOS#fk}uWl;aZZEBDT+qdc*cFA-eS@bYwdbo+cAUDXS=$OS*0^)C_ajE*j+~GDV*~
zb;t<4AhL4E!>`d2m7v88dJF-U8*A)twpc$-#ly&OAq)%_r2%u;?|pOdS}wqG4|wk~
z&U9Zqah9T&0GXRzowTes$_R-*4<aXRFnxvCzc`~BZR6?T>9tiXj{G*znU#_qh9@;J
z$@q;J%11~i4`*WovkR_Iv*hd}6}9IxB5VcfOuep$d4g-i>$bKL;KSi%j2IXEaJM07
zGqFX$Mj{os<a7e7gCQQ)Lyb72g-Vu7os7WS=>zNime5=PRNb&?9vH5F@8=-y%Lbik
zX?ZMs*avr(ho$rAe_$;|cvu>EZTA3g<-<PCE63k~LLFEG(ai<NkG3Ytv0E$~(~2jt
zXz7dP-9^TM532mqxUK9?^MF6nGF#(r)a_2zmcm-Yf18#@ygr8gx`!VUkl0{~-w1`o
zTkE%ZyFgq}O>(o%1b!=evC0}loOALXq@vH}FkiYZ#kqNv|2O$bFvMC`flnG6u@qsn
z%zxIWVtK$XTKWo|_G4ho)xrx^kLtH)yZ(EMKWTGtRuVhp#=9#T8}lh31l<Z2({-T1
z@n^XoM0gL?l^<UvQ2_V%oy#JJ1BW5GFJDWKq>O`&o*e2%zQ6OwJ!!=F07`LC=j;D@
zp)?nImeR?b;Q0X!ai4$I+}o;!F*ouviBQc(qFH5NJ1|+6Mo{p3;pj^&Cu%Dsle5Uu
zr%pJ$_XBPVz00d!>7xHtR9Q)L_k;*kEPX@sV;aLY>Tjl=nMziEUHfcXXm?ySp!T2U
z4=e!9M|>zZW=lF9zN5buCPDV6CwxAa{v#t{!Sgj&mUVD%9$wdHV+XE<$4hH@sedhs
zDw9JrUeldzd)tuFz8CG<y*k9avR)-D{g0HM<oBqku|`kw)9yb+W6_JEK4xQa>w6|U
zoNxX(A$!3hSv9{kc>HrfuxegwiC?`R9m?d|Z!ai%UFrj@Y5BIENBS!F{b;5RkmrDt
z@5&bV&BO2F_U$`L4^PO{1ajTzS3%fPwN_R32gU0_1Nte1)>9&PnGhfJe-8=X<NmtV
zjS4~8!dm5DyQ&6)0*muu20s62L*iBeT<D7#E5@Y!s&#X#`}-(99SGpZ+pH^9oHSsA
zmdM<LE}4n8g}>`-^~pgI3ass%K%df45q+D)pJZlr4M@Ge=^kc(xG6n46?XHf*ax&k
zznzO^si)X@3@-E|K0o6Jefl=1V>Sfk6&w!>K4v!iiT0b?8*f3;n*L?T-72@kM!};7
z1rh}vURv<%xC|re`oLc$V$Aye(*soEFl=;Fe^S39@Ord0F+VgQn3hs#Awj0QX(y|U
z*7>hcvSI8|)GwKuLHXCWbs(+fAQtbh2UB`K{%Xc~FtoSjtH2sw#d#5&+!CH!X)z-g
zdEoGel~-jQDrv9uKi0yZHcblg2w4E^wt-n4lBGufvA;=W7*Cn8yw;C}i6*%~kBw$^
zCMAUlbOnF<g8(La&*Eb+*_->DR%Ad=qBL+c8S1CyW%(zLs92VUZ$er>jX!B<3<D(y
zqnjwzH$VJ|Sw%07gDcm8$B8<SRSc_h)Eeq9{1RB<jeTZPzneu!|D!9=X%J1k3!x<-
zq+Bu|ohRF@o>osVdL~J&Z)`Pe-%o!0?Koh-o%WrDT#wh1s_Iwpl~!+!)j7p|C*iJ|
z)SrY6Trz{cl6>r9@-(Re-`XV<9|w<cN-q6X;OE!1{VeiRk4v_+r=B(Ycep?A7S{S#
zhi2e5RYcLWLYMj{&zBmG|5a2V2xK5B!e`BTuImC9hl40D4F0X6z{4Zq%|L%rKQ(DV
zhzB{@<D#`-je-A}y(io&OIeh)t35?Lq&0Z=cfJISCoXv<1O5xbG>K(^);cEM+N<>q
za4g6BUl2YZaVul<pN}FK?{bAv$nD}-agJXM#h;urtq7H8kF<;E;Q=@JM_A4N104~A
zWe3{#g7`nH&JHaCS%>NGWG|xa5|><byoLT>xSBu@R5k-Z|FI`{k0`MvQ|EuQeLG&*
zK=Pjl0DD9NRP+87@uLr|XCl%1((Lav`L3IcJP`T+QUVo=yy98lP4IsdBo^T!9B7DM
z`a5ZwB)c5Q?(e|oDO(@e{{3D)rGo}Mn=ScwI&1f^vhLZxBY>I3Gdd7R>HnA;X$%KR
zE|dR<07<Lpl;3|ET$Kf`HveZh=s^<tE0W~Dv5H<qkq)C^O1Dxry5_$zPE<J~`M<uT
zm{Q;i|I1<EM=1ZQMK27*$p65=&Qy*x4aKmo)c%zkLfM*mEu-;&L5@KGI}f<S|Br6}
z`w93V%|Fk8Pk({J0Qb88{dAV{&G`%e43_6>#Mk=FAmV?%B#JBo-ip+eWy>}&2^sxY
z$pJaOHBXiw^871MB<cUDDR2F+{r`&w)xXdwdi}2z|NH5GZ3>|TerfPupoCD$LtnSI
z{!77GL5LUw>Hkv}GV*I+aI6?9@$Xa&apX_@m;Xa@MKAeAvVZA$RaPFFCi<_T{~yPH
zo?Vqq+y2CO%88aGQ_yGXqfzSYZt7Nd#6fr=ZXp{XF(odu2Ge3kz>*M>>vCFA+@i~e
z?bLG*BWJu52Q6zR5GhD`@&Z_~VQ&l~uVn&3U9jZWm@!|hg412vBQudqcWLRcVHUnG
zXK%Iyd2qO^YnXB~SzO(j$qYje(Cvi6f_{Tr=sRzXBraka?leV5hxiAxE3=t=WSWb1
zn)6itVuU<KE$=cNmqsOMTJhZONT7Bc$mLEJRmF!WG1GZ?Ew$jF0|BTz+_K8wHDw_e
z9ibf4f$aQ2O+5u|9$4dRw_Z}J*yJd;KQ3nLN}|m?!yFq+ji(LhqnUkExF-Zsn{?ES
z)I%6|BgqhU-74Nu2_|d%+$>i@H|iTTWgR4@e?)&@R?e6x@}yL9Um2%&H}+(zw6Ko2
zuo@=eP~nbL>+NR5Z$XG7iX2^_@=<JrxDx!l#~qj9Wj5Q~p7CVv+Z4B4rFhh6?KNfa
zFYp}9Tb*D585MXo143|0OgOykVbfMwhatm5pO+HKU>~Wd(QT!-<#Jqj3jL0HxPCKo
zt1RSkFAq+RGKdn{s;JQ%je>yZxONG3P#)@wPZjLF7{NRb@y`jp8<oT__X6pMwzMOT
zCh|1LJqh7SeC7gNL6MME*pV2`u#lZA)D|7NO)BFPOWhZmTMxKQW<O-{xQ$-KcOUX8
zz_mT6o-25t!F!M9O3Fgqi`k#w=NZ2~Svcl6%L0~rwoNda*qwrsK=4^XS*hpB9jRJF
zN`~5s{7tRpEa4mT76eOQo1R3z3V0?X?^33_bGplXu9-Rs`}>rz=)<zes;zqjaNIAz
zWr9xOU8SNv4UDusFP+{e%U;|2?VXI^Ph0@rP?8Pv?nN|u)`=k5Jp`W6n{L~4g<AMi
zrYFNM=QO90F&WUws+1}EQ3PysF@n|}CAG61-}9Wb<j7Yg9}Kx*SHBX(Io*O1*wm`%
z)sYCcm2=W56pz;EJFjvgqY({Uc%97_06yK}k^K~_g#0``!&0uqRJ4G%zx8Xq=~U0)
z7(1lZ!4qI;w1bx#&+U=GO}6KHY2ZPuqT}ocJQTloVa<pt3(^oGNWBsT|LJa_+>yA>
z<WQy6RNUw|o0?+NA;^yRyKfaeGuV@y5HIl6CY2Y@R33IO#cy0U83CAxzD{7WSvyed
z8hKr*@!m4ykiEAioL-VP=IQfF8SHiAy9SDe;Kr9WOuwsJbl{#P&+R3Zt}VmVkL+&t
z%%u}2{(CGag%5}e%0U1eOU)`TdJ^u+u{wO;VF_d3wY47otyJhQVI62i-#LPF!e=u2
z1cmQyKKGo^*e=2RTIZH4)gX8<Z{c^^eH=j<r`O*dU0p7+6Hn0cTR;Q_T%nOb!3<Z7
z=96Dj7jry@Vcg1M*as(*MY$maE}2~ikWLqwFvwlDo$X1c2Ehrrn$`5A5W+7vt1Kn$
zguJ+hLU~BLa43U^diG3}2{N)=Z$j`J)!+DCZVK*?3Sw|~QJLGR!n2vuvZ^N%Xt<b^
zl#^v00JvK%z1{*pG8^u>6CBmlI&YEa+(B5(Sf48hd0Fulo+KHS7)>dpl}bh=q$<N5
z89^XUi%mF9qv?-50(&eCz20^u&Z+BkenmZaTfR=PSl*dD<puyQq1dYk&&=dL9v{3f
zROD*!48KBf<ErE%DAYre5N6MtktGk!VW3V)SDP`dAu~P#8J-V8zo5TPE3`a62aLKT
zj`wse^8M0}Xl}V}ug%|bmWrlNLYoFNC6x1tai}Ou^h8a6kz}XllhS%W4F2<Rac%i~
z?;Gw;8Y@vJDuhb&K_E(01i!{io9<lbUbhTXR7tP#)FS|T-@)W*1h9!26d?2gmNtN)
zUlAGRS<z#Pc{0xleEvA~@e@4{WOb8uBoiOJ)PNipdz4P{qm<#ngA>mvU~F@*K}Ls8
z800^bA=0Zz^7Q#cy$zEv!7*XB8oc;c_`*wk_jM*5P7(K{boH%}NAn3$BOmsLA=4ah
z;kD}dw)b_o=RoUwogy9;VOdsb;PM#(#>+_HTv}*y-+xF7uUvNfuK!6(f?PDR**u&1
z4j_!@Z*2M+G773yPU7Fv%&WsuCFfnL@=HpK%@fK#pfVM0hRVHsYG2W+j_(>ZOZHe<
z7EXXu`x(zGXb7#y<Rhq$nSub}tCBKJQe@h#^j~a-Q2rU-(h?egOv4cLzbgAi`U8Px
zY2e?AQ(_dxf4k&11su5B?lTjJ=NZ9xeDPB2gYr6ldEaI)Xk%6;f@iKLaLPfz|59%S
zx#JfgQ`wniNdw<-Kk#CbTJ;{YvgkNT=cX6bIUxs;j0A*8)i@}bF)4P150M>5XL5i=
zO1<Pt3~^=+ravkOPR_<D6?rwC{xJ7kt=;G=q0F=fE1dMC>^wAWALwf0p5}_c)CG6Q
zfaLZ;l=~L6qL}tXx;lq}UB6TYfAPuE2FYKp4y$i=+X;D<$l}u<HxMepc^)PAUSN}s
zNb$>0``bvHODFL`NFxdM!T}8fRaP2iRwXORbpU26kzNs(h(-UhJR$%hV$8OGbQQIt
z6NpR~-eAlnU{qu~qur1(vG<<=HK?>*7oNrp{Yj7(U;=SouUsq;NhkS7lcvpEM<x->
zywGhsezIX!@ZdyD1F5{2i*1KNQRoo^Aodc6?03)L+UEDnU@pVwgmVaAkD;fw!EJ#m
zymO}r2DjbkXzvE2ckEt5^##iJPYyglFC=V*`!0fyTL_(p3JK?%;HZk~N5UC^QJPk%
zLy0HbY5!?yTVXv6t4b$6ZZOjsHKvGNXmP{L#7)aJyk79<O`sBW10CRZh$rv@t9eo=
zF<rrc?Mtrorms~*&fygmlx1DO7b0PLv3NomvFuRVXuWey)-wC&zBBuC_4bzEW@1+J
z#2NwSf0=-?;pqbmEIMjjs4ZvAU5j0KZhdkRkfvuvI3t@o*<&$?MnhaUzIR`6w->*&
zlwOR_|E7WjtkWJ?S<S+<VSnxdoZ$h_au6K-(o1jKGO0|L@4KZMK6n=Pd<Q;%rp^6b
za2u3<eo;|;TLrvgPKYEU<io%R2wM2E)>-i@S_EPPhi30!do|Mf{k;({vVM&a7W9=G
za;f5ar@;;3d?-YSfcROZjUUwA+u0dq>&`7O<1{>}NR~4R2aa2ex=#$5@EAd4zsq@z
z_jatLiP*m^F(}IpnmNgFTH4O+dMDeT=)%z1)=9Aa{&lPB<s$|zTRiHN@#zNz&@I<p
zn+uc|l?VxFFLd_D`E@7J*u@H$XFvhTKc**e^PAaPp4ct#MgZQupWnxU@7QDaxN$3+
z)Q1%AIE@D{6jVxhW!<Kc_^$1CD5YgSS!umeW8-g}6Gft#hH9jze^8@vPfEK($_DiX
zT2z6POO<;V;`^c>#C{W)JqP1BdnW=?Hp2VTS}=omIKPtBq@~0WxJ3nE1QPicFl>D5
zq%k=O8Rv_FF5KVYGAp&PD$3#<{t%!PXl(u@9IK|Ka1N8&#_YM}il5ZJMDb8=IT-8r
zr=v?&qm)G{ETKPNMQI_L2v}s7lZn@x0ih<*n~2}ruutv%lDRa;HKvFDNLiT4ANuo*
zMY7Wo!GAxfXzWh?&Knw-!Zpc-fD9I6)vj=Wlhz*hfz#7FY_e&VQ_oU=C+`+yv7+X9
zmADDVR4CB)T6*@Y8bw4g7-<pA>gzU3OtXE1;{z_&`8X2t=MBWxkstj~5!ZC!Y1B(m
z3+0m9gIC<VQl<|JKA*6_<RP!X5PDI3oG|{0L^K3_E8>DIqu|jksjOGU3rZu1l?Vyv
zfwzVyi>M8Kd?NpwqSjs!5!yRm5YIHUh40Vyd6khz3o2^%IqlXr2-W#|W$lY8&Du}x
zYmW#pn;Ek`9+zPPy8XI%4M{oE=OqT-K5q?W5$nIT;WWqpa;>H9$lq3LFK&m?EphB5
zDLeXLCV`S(%0FG{ALzakSJf3&meXCJ|D-={P#Z`CCe6XuN$v|Sk^bJBhFxTt3)yf6
zWgKl`fj!hFBhx~OuGnk0<gvGe@wb{mmqZ|T;_C#fg#fFCF3wp1+nH`Zud)5*+#$`X
zqZ)2rS#gt{txt8I2%fd{B2kmVcTc43CgFuDc%Dc1gwB3o*X-&sD7Yu*^!)97m)+3G
z+cV;<(#&C^PICAcpBXqFY4&Q2W}+ak9BQo=WaSAzIiv&S31wE|wDJ5F5j<&rX?$cX
zO6C^Ud~8f>@beVCUTbP49zH#ZKh4>__>@$1$Z;^|4w#nE#1`Lwu`ZXX@e!zrGJ<U?
zpZxK&GU{pCfW6MH&V=*t<A>Hy+x?X=>xPW)zhg;=o+XnhNM%(<0JED-;6mcF@6K3{
z02Rcb-zQqa8BfLzDmA*17M^i<vL~DN&rR4!f_<OT^fs#+StcaN)+b)GmZtlHhZOg*
zGADjl9(tI(SuO_oqHjki((I}jAPCd7zfX)DwYFm3cbvQz@V}Yeu8%OB>OpN2l#Kqc
z7cVJ;KyB25KK-$-w%<J8C=Lz$S0j}&Y&#zJEnQ9yCaeyz55fG!QdSe^wP1KOqpiH;
zkJs|Lwu`C3+c&Qgkn5WgO%~-v*zeNl{?T9O%Lo%9<-dr!*#vZzO(jePP$meIpcf(E
zU6pMOs_Ml2ZkW=Wkr6NUVL2!{ZNzV!!f3($Tvx`YN)-sXZg`Ko^E(XMG(L4ur$Vqy
z;EJ2t_KP`kGQj%<l#!8yqZ;H31Z-#P2(i5jPMZ9^Z6M8F8Lb<insPchjLD0FpVGJ5
zo-Y2Q?d31P^Zb*-Mg6`;xv%!*47IdYx%d;^!We9IU5CI;jKX=FFI{WJSHO>~Yt&Cd
znT92EsF@7@%h~wN@1DF!BFkP0S}}UkWadnpzNG#Sn9JFRNp<W0slpopXUl^E<Y@lA
zbBNL2ZO>)6h?j3jke|rJBAi8w;zgid6BswY=WEkF$4Cq2D^Fj~Ba|YEPC2cQ{ZSdP
zzKpo1gl%3EsI%{NrI%vEe;J*HB~!BbJbXqho{(&<q@NpGF*qeWYHY}`iX0@I`l-;&
znCcMgLZW243GJR^6)IKOxvcV3LQ12!5Jcau`K_x_5y5xB@5MSS!{f(wYGS_mHOBJe
z^CAE|?#Mk{jj45usqR_o!~ScD(lsyD9#v|xNC4nnx-L84!M!eN-0dgDg739~U4(Ji
zx@Dia4mmkonU3ZJU`+bYj-_T9;#KKizP};qOsPIkS(M6TezJ;D_s(>X3XnlanNM1F
zZZ&*STn!C*S`$QojDen|_g>(ro=*o>kvjNf3tj5-^4sj_!{q7(VMwCpiR<3L;cP0%
z9=Y|N_B=wNnD!s-8UkKi1Mjba-=rHBT*K=GZ)sBb?5&KMz<LHTLNJ8a3$IIR`z1Z=
z8u8f0v`JXh-y-O?R43<$me@J%O!!nW0aHgpXh1?Tx^&>#n<r%Bx@*!rBOk+=0*Ia!
zmz_UP8K9zsPsSm?W<|{(s&8He`a6}M7(q`DsfAbG!34ds4((rsj%X+6(6K`jA3r1*
z`6dh=m9UgVs_yanq|w+AQK18yjVJBAB&;qmVRVlha)Ytsy(C^|b~%ioMaxYZ(g37p
z|KX{LsZ#UwF2vX3c}o0N{!KVMfUoohN?HVq0kVzCGzRn2eIY>rh%k|ZA!c4O_;Whi
z+bQ0JmD$)#=1W4Z^!{{5u}J9e6B_J3p9}Iq^YizCduYdg<<LmN&QtC9Fs7<wc`@~9
zaqc93oQXeKsS2lz^%S8kZ$FNP6;zlN;#qB)3s8-{mZo7*`h>ty#}9Wa4LC2D`Ka?j
zTKz)RAowcHC40}}BOQ2-M*M`uYBW^f8Q}jCxN_lrM}n{98sYF29@8~$OI=K3fRTU@
zGN;7U;X+5eZNoREQO)ESI%&w0M|!h^`^m{M@lYV6X|C>ZCkqM>Ip5kJni_`F0dQOl
zg>QDh)a5CXqqDyY{bkm5=@Y(n3xS6K2Ubfdq%GBX`GDG?NKjw)();gE8Nhirc{dhb
zb@36PCxbnfVjl|*Oy20io6W(%vfvp7l8pC1Pbq}@71K^gUi?_|hPWrqDI{4wk${u$
z2ms+xf+U#|%wG<A_q1lG&jkDG3}MkPZ*`@kB3o0Q5rp@2w??^hp6gqFr(<)&-W^&}
zRnZ#feEB95F5)KOIV()`1~w`qMb715@D8A{(lqcJwzx_+)ka{GnI&f<lr@0nCKMfZ
zwrMpU@SF@#CJ73#%63tM`<|=1t|vc-YUepIISixqD$pWaj=;J<L*YLYgk$8mlD1eC
z@CZdw0u8o#S8^b_0w@?#mnF=h5p{jQ0UG@6jOoBu$O~KbbHOTXL6n4a(+~y{9eSGV
zoW+cfEzbr+N_A6gL!hV+{w*5b0hJxg%~ywoA%z5`U$p?Q1+Bh*l3GxghJ4YH21~@o
zq|O03MkO8N_zo>02I&UJ?^$yIUl7kUYPGku>r2y2O$}5fbtUcWkg2f&fO6Y;y&Yad
zNdSBMwpwKX$V)e6A&vgMmP@=Y!gN4>Wui;Ex0@M<uW2v6)a;#k#(ElyP!G%t@aT{s
zk<I6;lP<J&GD!;qy;bd?2a<H=Go-!-4{{Mk(<!09t?_UbJ!`}cz;TX>Wlcv~qI5g2
zF3^s%k=^>X@=i?!K8?baW*W_PxG2{a2{{IEv!N9XB$@cs;s(CQ83+KK6N=iDme#;s
z#Rr}ra3V3NA*Qjh>h~Fe*Lqe$woC5tS{F%#g{rIF|5bJ6@ld{B8xay?U$TrfvXmuT
zG^H@45@i?3F3C<zDA|{>?@QUUCMsLRU=T_Yk$qoc?1SWYKO=qL_n-QFJm)$0Ip@00
zxzD}KjF{rhM$S^!UU|V0Z9Sm;+XN;TD4$n{(L*_2f=}`dG@6gely_ssnBVYx!EG+*
zTWqud`KSgqm_j3+f?VGN_vTxJjOHaHKSVc*olK@eFJNvIdx^WFj0eE6B{F5T$IKU7
zwZ&OHN?7}Gw1AV}w5A17MRD=<aVOW;O@-v<0Z8lqW`r^n=xeBfQHejd5Z*893Cm7r
zdbq9vD|V!94z?=A#?^PFcGw9M68UQ#BsyO?{&o3pMvSL@CKP5{NOkz+mT0NF1?XdR
z<sIa-wsXS-w+X?>m^Ak?njU`|{tMSuKu!sHaTDcwZei_@pq|TIr%#Ly{FhIdc~H;U
zxrMafLBT+wd<6O{+m=V#&7B?ph-BzyK=e4?QRHr`qlO!em}2N1`^wg|t;nQ?d(a9T
z4Br>oo&&uY5Q*O5T)!WgpAcJ7?UHw?3j`!V;!%;vAt>L*b!+mw!mWd#G9--X&U|Dp
zFWA0ehn&G=ca*rvcZ)Ee%h)|MAq-~s3Vob#E2Hfe%D8Thcjd9OtaUevuyzX%-i#E8
zJhi9v3`%b36a|#EVo%3sn|<;XxB`EjNWn<2mWh_l|88mkx5Cj5Am1EI)54%0Z5~#{
z74Ga~oevBTX*pc9beuCrIV5h&WtWt7#|I$o1duMS=jw|OA(7;OPd^E&o7c>CZ50K4
zjR6I2wl?DIP8#3rX+_}bpc6aPEed&|>cl5*_+IGMC?Q0z=NWzuQTE9@Bip%RFuDlW
zX4KQujDtGgu~n@Rk1wfz&R?_cv>PT6<un$cIpyY%R)l-K(5MwpPI(q$WdvSMQG4gU
zeeaM7sx1qcOooQRXe{E4OWdc<0?_5UgIQ-Eb3rM39&B{bc=n>R!O~cUaL?g94+7j@
znU!~1Zo>3-%3FGZDM;%JUTB4LD-SNKIAdWA?GzxvPTrp4xRUbJ*qLeYk%mH@NZADA
z$2yaO(4`Iw0TAHuN6Sn0H=qkAHuq4*PUE>F>r?J$(>?)Hm6V&)A|n^pp&44p2Nk!?
z87k*Fz<!`yk&m1YPyRtbqQ`IjqsDBewJ$lH{M}z|4?U-<HwwyFGH0Q(M6$ZNfq1mb
z5XYPzJxthBaYMicMwLcpKUPzt?dG3!lqbHMJd`b;G*|Xa`_1!iuG5}Cl7h*{;L|R=
z6Ek(C?o$^ORhdRju=i>bjNNox2<BHxA_8H^$3b|xLf2(Bx{7>jUxLr+-N&{(_#c69
zh3a01bN55-YlYy-IilPBPrhPEAv7IO;r5#q3Fh#7EZtq72^gKJ&tozA#eLt+ZCOOo
zaEDj9nHhT@4EES^{ctd01Pw>zTI7Cv!wT96x+=o=6zp<F*NJKQ!Qagy6bq-{cdRBk
zdK$aAJvr=R_z|kdGb7|;aIu~FZ&ij=tY-=LII#Sty#h^qZbfVLgIdA3f>vzG>xJlI
z7v{6!J5<bv$;^SE=Nrn<*t%$1bI$=BLjAr80hBcM;KD)pV~K<CiYH_F4>a6LQ@tOO
zd1>j&o$Y-)RamqjOXz6GSGE3(yJ-3Rx##t0tHMfUUch?hAb$V=etk^ZEm>#ngcMec
z&>L<bo4v4BP2*ahL!gwA4@O7Bm#!_w6xlxP*$NE^NP-H5M0Ec~Xm<-@uJ>*I1uPR6
zTjkf)<UBpmdeNE6_h1%_)<to!g+w2`mzq$MkC@X(Ew?A?gKk?3hfe}+@~lTr$t{<m
zD*;GCH&@jnk&-u=F%PjrcvWKKO5A%zBmA}p*tOyt%xAd|A&6Brxt(Yr@GD{Ar>>_(
z-O1rOL_4mkMuI^Tq^Kkp9L&vGb#9twqeHo+71^#^X{)BtlM@_pJ>xmaBIREZBqr^*
zt8lnmjd7UCLY8yyK`+Ml7HouYOgCO^sadi!Gy=>1OV_9dH4nUii&`HcQ{9bwY+LxW
ziozWCel`Umr4hOTLyM=`;nb;6I~2W%_gualu2`-BPBV9Wr9P)IKV->d$bDS#!1p3V
zDt*+zos43!zH0mNN+!HYMUNt6bUDH3H}$iVAIDiAqdY(ob^O|^a{XRx<K6NsSYGP%
zAA$uh@UI*A3<A<I%remY=Ky=(e?wfcG*sSY5GYquKt#r6*FAg`mpRBH5tFS^Hh4|z
z!a=c+TUS`pcbT1jaAg)v(u|yz6cOQ~G&D`eoIrCJj^l4gAx<F(q=3QLP{90?%OPtc
zOP6e3gYDr;H?YrCCm)+M0EGao_Bq>yH-5hT@^`%_s}RUQg)S;{=!Uiw&>YRk@Nngw
z<d>{Jwv6Mp;T_*ks2RO-Ht72_3r?lj=z6c+K2%hUfBi~PT~=?lw22R^8x%2P8-Uf(
zYxx~O1stJ;XZwzW6Xr~|$hF?Rth(9D&Ew37Rn$zSP`bBjrCT~@t_nDMOVZ5`DFMPQ
z!RQ_9&WefX46*2scMYiETzy8-KWsAYq0T>?fa;sc1YeeO?eI8D*6+?+aURq<GB4qB
zKL==&rNuz~4gD(blJ%>px@YTa1$3wx{7(Ds=|ZTWiXoJdF}lpFTh(B%SQ=q}UbFLo
zmv^cHAy%5JT3nl>?l{M|Ad}#=`m0(#%lClCq0srW&$wC~46VGQCf|WPIGL+G?OZVb
z5ZYO}R*{Fa-P#a(tBKaehF>#IlNY(>VvV#NNfSyRqRUN8V*^LsS}C#$*Epp_8o-t_
z!HzQsli~eGPona3zp!`2QlSf(A{SlLM*Em%J=_5*Jc!fl`^b*?58QlUKdEhX)JRyR
zGCu34?#_WkiC9*N*nKaf<_+!XH?OiyvAo&x3_9SIP+Iu8^n)0=gS13Ex2A@q%QuTA
zjOzM^vCBjuguq1hyOpw4X<^xmrw<Ez-7b@^0{v|~^|X2*GCpF4@|Cee-!no<0I>oS
zi$wcM!wgf|8gWJ>zf7DUJ6GQg1rd%}+oawex_(i@VJ2Y(v_=OnTmJK2!g|IYJ~po(
z-4wWHfyq7v-=}j5GQUXOzp?es0fLQS1yqjq?pnpiDHOVV&8ZaFy<Zj_{2_8@!n?&X
zQHM|={>oX%A!afq&efQ%Ny2~H4zP!qJdL#g9}jt}E5F=}YkmKr<Sik~4)so+A074H
zdGO?3zPXNFqP_qpS07%VGvinE^TV=pq*NSXFRa<RyTEZ?{b5K0UWDVIMK(Ws5^uCf
z2s}X<TPRwup()SVMRQ!s6R3zZKiWuuw6KMtM?RU(`d^?{zgThAGn^A%#Ctz>`$~B_
z0B|^rh0x*?^dyI(!%Ur{1>^J0Zo73SSIS_Ol&hwMDa#&X*xyJ&q$9+c2hl;-|C`-g
zp;I~lsSV12OrS>TiItR*5ztE!vImkwpKQkdmYQuTdMK>f*wt5^hZ85oPMGUdO%>us
zJcozgNdHq9ZI2oliY86er$jrIh?BN#rO0lyrX4hV*rN<xyN;9lvrhl`rDUVSJxSZ}
zq=9DTX-#@!=@4qW@ZTXz1uqPGzL)SC)!N}I<*#>%|9Ew6hEdY0=yXuTm~EfD4O!`6
z+C;}4744^Y=6SlF$Epc)yg=6mZIc=DQhcReS+5&?q;n0sVDUa9VR`%Z=SzYtC_fmE
z81a!DudjoW)0}?Y8EUODMmMGJZ0UQ`BxB(e`|s^BO6WNee2niFKKS8K3ti0?mR@9R
zRUhRVDxjyU$56C6>n{ii97Fk`KaTnTpjk8zVZ!OVIt6|lX;KNOU^(&Z?<hoYk#O`v
zqRH*Kc{dc#x+tY$uz;RY!OPs123Q94J|tJ%irioH-r;?xkf2YD7MRSwt$m5l%o^6^
zb!041^BiWSP+XQNp!;!BJxn9z9_!N5OM`!-jG2?+8tsGnZUhqq9)#+i7I>+vvDZ>e
z{?||#E?Na8K4kVJeWZeq7%kX}Ow3sff1WN~$+3Fy&mEWuPOBmP2TfS*@<l0noW8qL
z`BX<olZr}V$gkrBhoK?gghIwdf}!|aq*X+G6TWq-4J6n0WBkZ952H&2Z=C>fDSEJ#
z!9?k4aS~3co+&}UHQnvid>C6Obj48UiuO9aRr$xFolvg9MqMTLThB#~RE+Ue;0wwI
zu`DI&)Lx$hNfqDd8ZT|XE_Kw3wsXh+rzad5>Vdf_Ij+rT<VM`w_oh>ZMpJUtNAdlL
zRK<-e#$)V*KDaq5$m8_Spj<T;%=njtjql{tw5nEcDK`EM6P_7fz9yUW>vaX!ib0eg
zwnJSH8nLGJxP0}0`mk>xec6L+viSRN%aqF3$UKW(N6KxT%11GUX?2RymG6@NqY*|A
zFL&#$X18I`Io;ZnD8|`2<FRr>{Jn;tfIev%;XC>ifBAL{rP$+pX=CGpmBLc^6V8w3
zeXBiUTi*KpAr;o0C>-hE_?Iu><?7!DoYUUB4_wBf{aSorMZ&{xRC>h9{v(V=6E?4n
zDpb{ED(qY7KtHkKZ-%{#OH0kkQZoq8BYNsHp(=mbPE#F9ph93^G~KEKp<k*l|3EMw
z?}rc6YrZsfLX}#UmmTv2F&d6RnDZ~$&UoJaPmCDKr-FCSsHYP)+4e5@1&yvY`oO}R
z*VbI8HqKPQ|HasX6OP?}>x?SB3s7|>RYaLy2Qkh|85|6fP4WLnY1@V$jE|Kp&)JVt
z^=6!|vz8~}`ty0n529M{Ihp?>I8ye|8@;AttJh_Jnw%?doR4Q-k<Sc?{%J#Vl*l-M
zKv$sirwc0=F?2X_8u;A_XQc;rHV?H5UeNw42~krcw@gg;WlW>CzD-`N1%fg%sYc&G
z^p`yUi~iDf<wLlKyFOzgDG6+S{X0c#vz3d8@NkXF+X(6-%8^8(^;=RynO&|{3*1l(
zg~B!v2z&FQ^*eLG392Kukut(x=J&sPX$3b8-XaAdbHi8h%`@_u`G8tfJJpf!Upi@c
zX%3Cdbkl@gXz7~zh|xv4hNX6u*jTkQ9TlR><NgA=x`d}*C|9+bZndP*&X|A6^z<Wg
zPH*wsEzB9+1lRP`_NT~Op<%J5;VUl%^p319#v+G?kOucHk^UnUti-TAjoKe+v85;f
zpG*s~I7UD>;XIE6h&FLEQk$dVfl5S)nDE&%#D5uTb_T&4@VUIXgUhwK&RU#=>nR4y
z>0}VGTCGv~=gDIj=h1*DaKUX~wERsD&CS;&TuNBv`<(Ug=RcSp{VWLl&UYjwia|c<
zLNKu)uq^32>9eFFV@hWcHT;|6^j7^}1`FpB^p0wQ{xh`AluF;qz-N}UolVcrhNOyZ
z7^E?<5OuIS?%USxb|lFf3A26}IS6xJDI>ePol#EV`6X>)BI$0n%eHsg-9J~4$|hQ;
z1v&J`d}&eqQe+ny*Ll;C9tR0^zVN{6cs;$x$fcu95~qWg>y6&|kynCxnLHf)lc88n
zhQ;%XIj)ft9_TT(VY?FiFIP^F^J(MKXs{_eyiy9w3q)L%q^O^C9w^q)orB+MHyzF%
zmF%my@!~Em<YL1rnHA!~eU4NrMVoniuoV5w%+&P!KI~Fw=YNJ4PiF6ro!N3rGUae3
zf_X`zjANUlPaW5*aSJ<TXn5o|o&&zAuq9IC!(eJ`<<a5o&O4^08H{$onYmLVjdb39
zIPo_ff<OoQ&bDa5!`U>5Y;Mkq)sNirINVs=#!>Kdy4GqS{ZZy4FvuL7{98`BR+ji5
zn|?H7O35uq4pdTVY+^pcY<HWJ^AX+gr10)Rj<=jwxZ-{j5z(_jzY#E2Peb*E&KhWc
z3cFV1IjNd1=ON?rA43v0Jzjj+sSFL{MJYX{A>pbdLX=9;Tj`qI&Bf$vKK)xQ^es^w
zg$iv}&K0#Z7yQUet~;swpY%`ela?;blR5sk3Yf>^v_81i+L;b@vBXqUhl-Fxk|Q_L
zByeU9g5BwEk7US?N^BP1Q8u;#%M$%#F4###9><MS(wO_5i6A)=c!m#VyqF(pZjC1)
z;Urb0K#>+D$Cf&~9QkU&M)0+-0ZXa-!XJ2tzNcH~l-+$W&vz6!gXW<1JCO)E_dtf?
z%jCo`pnI~dA+3AqKTMM^DOS#AUM8R89#b0g=YN$~sw>!?ag=7!W+;v_Urp(uLVOl6
z!H8QI5Mb&%!rFoYzF9j$%t;s@=5+@EJgo3<t`S|lSU6&syDK{~9!BO$3%R)NHu2No
z$h=P<k(=*?-%2~`{T-e;0R5&=_~@|)3f+-4bYxn>*LD}{pH#<>+!tNA7|N*f?`cYG
zqO5nV{86bQJ4jd4Qsz8BsotbvA$<m5B}GvD<sFh4H=Z>qI!8osi1z4}rLkkKen4>Q
z5o$x~)KO))jz#7OWkpWDz<k+NLgEb9eW{*A#lC&wwvy_gF33h%aqY&<h2GJ9lkE1K
zZ3e~lY{gkY@A^zUnaS(1hS;wDGJ`P&yNpZ5*)0d#v)=o>fA$`5?d?j3ajYPJH)j1w
zx33@ZYdH4fk3wwwwrd3Q&OvVqw&8B_ZguzEqSOYL<<#c#9_5Ab()=@qY}TyLSfsd!
zyY`;0nDKXpCc{=>$vbTy7r{Ss-W{Dt_mSSmBbr}`FHm^W;<=B)XwZV3>VI(ziht~?
zQ${q=UxJN$psMEN$S-s*Db8_kc}DTi7kQ613*5Ef?-Z7nf0faIDt+{5bjv5p+NW~%
zch2W+%GV#M2G&=@`YUG5;}2+F&ze8J)E~IABP24M_s#?DPa~z!$5^st#R@8&G0Iil
zE3ikrNW-`Kg^?`7VK~hM5QU!#zill$A(pxxT+t@LzCNCPMVsW`6p1^AxE$0o7Yw?-
z6>&z0_xk#y2gbUi(;|PBkRcXEFTB_t-b7XT1H3Hc5o;GwaZ;zO+!kAJ+^xa=B>`&$
zdUAzJ@5W<k_`*!f!zn@vE!;lveYE)1^sJDyG}$3hRmU;yPT$;dRUIb6lbD}%y8_aX
z+DZ;T*D#~*hzA=%@QwKuAK0OE>lnshan3(>_Rep63HZcJ3nyTakU4%XZi8I4skn7z
zw4VijV36I;f5<ERDR{Ig^4rK@siRLY?9uwJ`R&R#v1TCKlADpnKR3;cU$v|6Z%$rX
z9QpE>ig<c>PfWp}(NJ|Zrn4#=q_!nBJk8V6Mhg4ua54x&<FxLYl)RgfLF9CW#TJ2p
zhmL0(*<X+?O=c)NOim0rUd{(sWhZQhca$kpQg`~I^wD4U1bio^RDH0^CaG_DC2*q!
zn<*5Za#(WEI*mcGlLh-WwOImMh`7Ic3yE`#z}Uu8solt!LjcON@WG1gT6;b20qYnP
zYbuMN9v%3`WGvDcGT_@(PU)ZR#F}`u!%h(!I+k6NWf(Ln-+9_u%A7%-7`8@@xbK{3
zQa=ClwF9cJsNrti-~QC#$^Oe@K{`gaKLwROzR?E0xB8wCg=bVIt})N$YVF=|R6Tx*
zVf&5JA+_7a7SlP9zpx|Lmx7YZL(=@ncTT}~xDYgwr>x>r(!QBqT3y~dWIOs~9m0@a
zXRmzQz|hjF|Dx+_f;bm<`b3@!-(oGw;7Q`&&KCQ|#MIQNY<KWD;!an1Y8$0zloQ@2
zL1C}49)?M|>lObuS^^(N+S}a{bst*T#y`E$mOfq8dJCi&!zz%ws&V6H;cV0F?$#F3
zAq_+qHZ9L3zWViE5Hi5uSvFdb?F8ViBw|g#Eo2W7zNGr7?9Y~^>|b&G?p1P{B6n*}
zc#73`zE}SH9H7rQ?dPht8y78J)&uwXl1p`v+hak0m^WOz>unV+c6+}lnGW)jU>Z^i
zqaYLSgG`Kyz!yY$k7AFjV(LnL9&5>Z?;Y~vY7FC$RuP68iFZ6-K?lC-T2468kK7;v
zje@~z*{IiRK)BD|#T#FWh#<^?B%$bAKKc)XZVJ_u$H7#j7Pr4NeibI+Vr2Dm4dwHQ
z5Ct`3<ddG2^(BJ-r;SK^>-1Aw=ifa2`IDfUj2SLbT><B)esB-g<#V(w6}pu34kMU6
zE&iUex`Kl;@R=Vu85>;mgJe~Z)uATc34a5cNpo8!Vpx_u(fBtJfA)QzR~jsc{y8;*
z`(~5~-i9-}L*ub&`j+l#hAJQZZMaa53-RNdck8p*KYX}$;|9TnlPwUz-TS%vR&1xP
zcKwul8|p{i!;5PS@DG&rIjAo+sl$IV`b?N%>aoZlBGVVX4P@bJ#Nk#mtpR?dioppK
zQB~x$G8ycHW50%KcBfl@WP2Qnw;+Khd^f~|y>p+z&bg#UF+K{_H8BVDr4{3Z3&hm4
zw7O(_PpuKU<)Cx8@hQ2&C+6r=TW^XxaJv^>`5`(ee>$d?U$u^z<Es8m=#t6{@j~9Y
zSAtUYbuE>Cc7Y5Q!T>xK_O!Zfl7@y~@&FHuy{}@R#6;^fAvapIrI#LRZ;&ldiPtHC
zfZB5ljw!{Fp{6tz;x>r0&D`HRjNDn77I8TXCoJ|X7~n76%)mQ$x)v37XeApy^Sixy
z3Q|dHi<mwZkiNV&P`2WL@32_5(Ic$3oR%I;T*dxYo$7YxXN8Ow34&Q&5<LU(XaDe|
zrbqSzF(<^z=#cGi?d>|hQoZkNw{pqfJPVhZ!HR+|BunSG+VxH!{T}@O-a@Uj%6ocB
zD50^EqrEBp?gf8-dHj%bKz2HVY+9p3B<;VZ=iVncC{Uj-U3QG-)BOZc6QebW=@}~E
z3B*%{vd2iE;;cV+k&NSe3p51pF<j$PkQ))3hS4)ZnO8gTPwDq4@VPYhTGUD&fWme>
zDha5j;eJmq>z4ig^YC-9ltW%#CE)U)%+6#q*O9_epRocYUhqkB0L$jjLhabtnx6jr
zvPY*kdi^DU(Io!pFEy|2-mTmjHu9Fw?WnJM0%8{}05JL{U@Mz#ruW|A^f&Lm+F)o6
zsIf|C$fAq+<DpZL9(EvFY^qKE9?gK`egos?bl&z=#Mlh<0ZfPI7JJ_xI|f|V_eZ}e
zVJh@~keQWgG7<E%{`A!H<lKFTR6oMdD3DEpY}9+F;OxB-BPPSw`0GAV05*zK!6PRN
z^6V1rMhA-=3;f`A3X9PSpBiVJ09eGtYS--%?`w=gp4ZnuzP%k71m3`1L}Z<-&q*mv
zFMKuF0xSDa{urXbN8+z%UR@P!c=N8uLfdq-?v>F#Wp17}Fbsbj9vQpX?XYC!j#)d+
z??#Zvaevj@u0Io9`+I>q+sp&NI?TqJWPOeT)HD&`$-{WzQQh_>Rq>j$9tJuwFS*Bv
z6@$M56hD=b^xy}Qjz1dxUZQ*@n-5x+S?sS|=6_?NQ0Vc>-bkQ=y)oEQM;Rox7SZ@d
z5s`Gt^@T;{EB?ohvDLAV0`5zn2xwaFRNXwwgv^)?5@U5TWTL}y8%iSN_Js>5=C^4j
zw;gB!V9cw#w}gt<-sm-|iceMwgQZEOsGs8wH$}1vWG344i4ddiWBCCJM`IE-fV||1
zC@UEE(gDT2Nptg49JsCLzs<pTFcsd<50IPe!Xnn6RsGmkKRQLc<Ob3GK}4~4iNwUt
zS=-+i{$+UFjGE?Tr^y`(umKk|DJOi+Tc>BvDn7A67~4J_#8Xv{_6Jawup-u`NA_3A
zRsB_C)meCa;cB(Tw5S0;w9SS<d}8f@&{-==CiR#<LfbcKww!1|1~HMTh5Y;hlX=m5
z-6JT-?U85O{^p(;&Wsk3)zcN4;Gk<eZ>5r*y7TG!{3e*1)Fc_9*u5qGDh6Irq-En&
zUs%RPEmOlp;;%i0!N)L894Z>7y0)(rQt8CVPHnX9PLE)T<$?j1%ZNZ7I7V{WW~3F{
z3R2;LtHl&u1@9Oidl_0)w#ak;xXMMF=NNm6eC)IASSq3r@D3%>e9WD0n=kiIajJW9
zv-N;LL|m#W%j8ldf@|V-Z&h6$fA);+9%I=kktBs9aEN!2m_AYASQA|x_+_4bAAK<C
z*rM#Odo;jx?VPV=UyAgDsYg%D#-}D0+01`B5k$p!R>-27Q7oSh#xZ=73_wl7t!x58
z<U7_Km6LaRGkbdx?_b{XISwpGUphW*8ovUz*Mv<Pl&Ycs4(hIu1$5q{9fLq4z1#-N
z&CA=ERMU=u@;U;2G3tBgGs~JD-*C_!8PcKTZkC2-X6_fkX;{E!n)v#j<I}ypiB0yY
zDQDzyVj93AWuoWB4!;}E-~8VBC<4nU?3jq40}p_9qUXWDMPT6x?#mMstR}o!*Za@C
zVkda*#mX(=1f!tS%KO+@UIicuW+slR%83m>PS+E&5UqeAKtLx(%q`$-eVK@Yu4l5b
z=LciSbpoEj864a@F&FB5Gt88OgZb4NVrux^pv_V%2sk=RW*#RedS*H@g_{MCA(hXF
zLP8?ulo^W$#BTy>+b|JpPY~xAh+=qo_fn!<Z!C>M(U@ZQoBDK-vgj)G_jUH@THox{
zeRjyU-(gWn<Wc^>IJWO@)u}BEguwH<5NY#zF!P_aQVMQsh)`QdP^gWzAXtzb0VPl8
zGumj=nq{-eQ&*M1ux$vxxL^ZXUc(Pb!_at)m!CH)`Z@A4(^*!`$G)ohQ42{44G^_&
z<LFqnpV4Z~EF>z_Iz`033I@s2WBfcWI9FeJW2!tZ6mnCHjfcsW!t4w)U01*IDVb$)
z4rRzWc?#QvT8^-NZsqe45f7XbwVZ^R=m613c$7(HAVqW(JiM=!AipS{(>|r<g+TnH
zs@8dxBHx^Dr-2T}PI>tFx{6wWmGzYlHagzX^94VWsc&Wzgmrmxlq;loB+B{2Yy?uH
z;=U|(s>bl}Kzfv(s$IB}M9tHI^6wq60XyZa1S*hTv9i9JC(&e2(epKRgf)Y<;uK_S
zFf&<n==tDgKZ>5ZFKRhT{vQtioIn}v`h3YsS?J?tz7k&}fkeC=2<5NVDoJ!a>>8Op
zRmaW~Tq!{)3(s7BzIU~)S#{>Jf9`F9S`<w*3dYT3+aM`&#mDZ-*K}Kpw!0TLr7%|@
zuiH@JaXCCWSC*Jw#+Qs9YdtR+bCME@P}bPJoGaQPNo+4Wr9Dpbwa1(R>;W&#X|c9z
z`m2R(!z%bT3U&nqKKRl*Z(F`L4kg$iM#bMtp-xUI#lIzc(Lb6doL?h17y_v0n!klt
zAU`MH&i#bu%3XndMRGQfdeBh3=J)8=eH6C!tTc2>=MAXZ)60`~;%g-c?`hq-2Z)tt
z;WcA%N?>PXC0X8}%4elNv)9oHyEiHt!V8gFxl;K>4n{d8UA~8-^7_Gw^Ht)P@}5a&
zCHC2^&Jfhl?XaIK$JX&Dygax~)kGvmOGj38K<+X|OJQkxHW2)}B$2wxP36)n_n!R^
D|K?L(

literal 0
HcmV?d00001

diff --git a/static/styles/portico/portico-signin.scss b/static/styles/portico/portico-signin.scss
index 8d95fbf6e4..333843fb20 100644
--- a/static/styles/portico/portico-signin.scss
+++ b/static/styles/portico/portico-signin.scss
@@ -632,6 +632,11 @@ button.login-social-button:active {
     box-shadow: 0px 1px 1px hsla(0, 0%, 0%, 0.3);
 }
 
+.saml-wrapper button.login-social-button {
+    background-image: url('/static/images/landing-page/logos/saml-icon.png');
+    width: 100%;
+}
+
 .google-wrapper button.login-social-button {
     background-image: url('/static/images/landing-page/logos/googl_e-icon.png');
     width: 100%;
diff --git a/templates/zerver/config_error.html b/templates/zerver/config_error.html
index 89c0f38333..e824a9378e 100644
--- a/templates/zerver/config_error.html
+++ b/templates/zerver/config_error.html
@@ -80,6 +80,19 @@
                         {% endif %}
                     {% endif %}
 
+                    {% if saml_error %}
+                        <p>
+                            SAML authentication is either not enabled or misconfigured. Have a look at
+                            our <a href="https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#SAML">setup guide</a>.
+                        </p>
+                        {% if development_environment %}
+                        <p>
+                            See also
+                            the <a href="https://zulip.readthedocs.io/en/latest/subsystems/auth.html#saml">SAML
+                                    guide</a> for the development environment.
+                        </p>
+                        {% endif %}
+                    {% endif %}
                     <p>After making your changes, remember to restart
                     the Zulip server.</p>
                 </div>
diff --git a/zerver/migrations/0250_saml_auth.py b/zerver/migrations/0250_saml_auth.py
new file mode 100644
index 0000000000..871450abb9
--- /dev/null
+++ b/zerver/migrations/0250_saml_auth.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.23 on 2019-09-19 00:50
+from __future__ import unicode_literals
+
+import bitfield.models
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('zerver', '0249_userprofile_role_finish'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='realm',
+            name='authentication_methods',
+            field=bitfield.models.BitField(['Google', 'Email', 'GitHub', 'LDAP', 'Dev', 'RemoteUser', 'AzureAD', 'SAML'], default=2147483647),
+        ),
+    ]
diff --git a/zerver/models.py b/zerver/models.py
index ab9767218e..fc91ffcb22 100644
--- a/zerver/models.py
+++ b/zerver/models.py
@@ -139,7 +139,8 @@ class Realm(models.Model):
     MAX_GOOGLE_HANGOUTS_DOMAIN_LENGTH = 255  # This is just the maximum domain length by RFC
     INVITES_STANDARD_REALM_DAILY_MAX = 3000
     MESSAGE_VISIBILITY_LIMITED = 10000
-    AUTHENTICATION_FLAGS = [u'Google', u'Email', u'GitHub', u'LDAP', u'Dev', u'RemoteUser', u'AzureAD']
+    AUTHENTICATION_FLAGS = [u'Google', u'Email', u'GitHub', u'LDAP', u'Dev',
+                            u'RemoteUser', u'AzureAD', u'SAML']
     SUBDOMAIN_FOR_ROOT_DOMAIN = ''
 
     # User-visible display name and description used on e.g. the organization homepage
diff --git a/zerver/tests/fixtures/saml/idp.crt b/zerver/tests/fixtures/saml/idp.crt
new file mode 100644
index 0000000000..32ecea560e
--- /dev/null
+++ b/zerver/tests/fixtures/saml/idp.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUeoIaZ6d61p7x4Zth70B0228j29AwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MjkwMTExMDFaFw0yOTA5
+MjgwMTExMDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDnmQlCXt/Lwf1moKuP3rnfWHClwH7f3R0fjAaLARR7
+3rRSbvhoCWrmQ2w8ZO7vtDh+rivqqsIW0AjPcBRoPzzzXYGTi/1S7tmEQcOV/oMP
+WciDIkQ6Nzg/3m8vvyb92/cI7/nTTChKIQI3K6uwZ1b8mvWt2MWhxvUUZyWWzyGw
+J+JvWRtRznnUaPjg7hvYfDbekAQ1avKRQ0uTxkj3x7Dt6PxgO9zG14jXi6R+vfDA
+YzLpcB+DCP48mMVWmtSWUpVEKQHrHP+EKOr7j8FyOXl0FfqkVD3xmXvirwgwv/Ny
+FMWUCcZddbBBENOMty1dKTqnU0ei7IT7IHc7aWemibb9AgMBAAGjUzBRMB0GA1Ud
+DgQWBBRdGAHn9nAevooUt1kpppwOeaC2nTAfBgNVHSMEGDAWgBRdGAHn9nAevooU
+t1kpppwOeaC2nTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCs
+sJutJ32iQO2LhEtYA9tut0BoD/GAb6JFwPUX7HXcX5iouRCNgF6fsMgCFVlyRn5V
+xyPsuz7rjumEmKIfmEbhTz/WYYBPGI8R+7MgOVCXZX+8r2+GxDnLOI9g5ypsWV6B
+nyFjGF/ldFieY+nhFL7HZ5s4AXM+PNHoguG00qE5nLcD160w1wun5rTXQRyNWyrf
+Nzoc2kTnXY8RLKVqMx7FzakPJ4CfLak/c2iiAU2ug7tEW/3OGdZeb2m56b8dl4GY
+3YStArY9y4S+DT690fagfVrlkj0zaWHsWcWdyzkLdNWFOxNWv5nVI/rkyawl0OyO
++nQdIbP+XrzXpGPVt5qL
+-----END CERTIFICATE-----
diff --git a/zerver/tests/fixtures/saml/samlresponse.txt b/zerver/tests/fixtures/saml/samlresponse.txt
new file mode 100644
index 0000000000..f99d14be98
--- /dev/null
+++ b/zerver/tests/fixtures/saml/samlresponse.txt
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="http://zulip.testserver/complete/saml/" ID="id544612569720442296425226" InResponseTo="ONELOGIN_a5fde8b09598814d7af2537f865d31c2f7aea831" IssueInstant="2019-09-25T01:02:02.120Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk1da4osrIL3Y7ip357</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id544612569720442296425226"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>P/e+Gdz179UAcrrPZW2R9hzxMlSAGwbZ+Ogksp7Rzlg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>H1eepG122h3jzIqorofI6sr636xVFFtqsN0Vj5eb9YoFN3KMDH1AqzvGbzA+XEoT/1vle/D2n1A0qMv6UrnMy0EgrZlA+Mx3MgcQDhFoIqI7lV48I2aJ+G1+FvTrzt1hhfn6SBTorhc3M2+ST9z68V8mLsNXr82GveL/Ej5J4rxbQQ0Jxaic3luAkV0EhROqiSDwC7e/45II34e3sdtQ9bbnf3feDbovklb7Daa/NIqWpWX+0Y9qhHo1zx05oPiGZFtveJHiUbFXPpjR0r1juuG3HTGkORhRHCMYnpz73NsmuBTkAgYE+G0vUr0k5Sk28efS15ZZuAyiN+XCjl6SzQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDojCCAoqgAwIBAgIGAW0svbVqMA0GCSqGSIb3DQEBCwUAMIGRMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxEjAQBgNVBAMMCXp1bGlwY2hhdDEcMBoGCSqGSIb3DQEJARYN
+aW5mb0Bva3RhLmNvbTAeFw0xOTA5MTMyMjI3MTNaFw0yOTA5MTMyMjI4MTNaMIGRMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UE
+CgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEjAQBgNVBAMMCXp1bGlwY2hhdDEcMBoGCSqG
+SIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3K
+E57ZDDVplrZO1RKpz9zFekhXZZFiPhW2TCTtoaI966sGaRCmV10cb1FCUxxI3ilcjY8G5irHYc5O
+D4S8+FeIaHb036VjtZZNCDkamE2zGZCix5wCpXhxhQrXkkPJbzO4IGW896O43FPwefGfYnPC8/Oj
+bZ0OUuR8KkNbgn2VnqwZtmb0EX5xrA+212UDyVQ7izVXOoBbvzeydLh8EWteEXjKBREKGBfCL9Kl
+x8JY7BlYrZx+13NeDQsL7bgTXMnTIp3MVP3xddRqsatwersRVGr9b/HzXxfwu/MU230swjsNlgLZ
+OXiYD43rNEkJRlFfMnlY8F3IoE1Mki2BJtMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAI8Xk13NT
+rjo417U1+wZjUKqvB7iw4zGapMqpGRVavGw9hZmSCs8/AJAkFZQKMhAR9GGqf7JHHj/4fNEQ+XVh
+YF1jCUR/X2VwUiBseDHaUKj7EZiX9tIFEI/6LVfPRjKNy1RkEXHo7Lg4RnctclZ1KU7mIZkPSk1J
+fShKIUhtvNaCYJ4OVkN+giQQ6u9HwBqoBYikOBhvgXfIlBFD5H1n7JqxOjWZNO7Rhhx+TjD/0Dmd
+BE04J2bv5zCllBWSv2e1YFi+5SBTBq6FaIMz5c8T4WRFpRlnDEvvEREeAsAbaDiYvpJlO6hOzHNj
+KVmHpmQsDhsgXP02tDsfTARf3EXhbA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="id54461256972849811250394622" IssueInstant="2019-09-25T01:02:02.120Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk1da4osrIL3Y7ip357</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id54461256972849811250394622"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>J5+QPDVShpm1VpG+dAjbU5GNrRwkEVMQ3MthoFukiH4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>RWvjlS6nr7MUm6JzSn71nD3nkM77bja8Mnfy8GZYL0tQwtLBdixgW+oUF8jSXId9/dkYKCcq1n3fxzyX1iMkAeF7YcUlmpfN56hRKECzdWmaaceCS7s15vTqN/Gy83AFWp6d/nBbyt25UnGtmOSJjU5+QmBBB/JJO2EjtCiJZlJkJy3V1nOU/PnJ5p3iutUNtn17gqVYKkWix8b95xdoOHEZLC/0w8pt6OOLePlg+HafCg0XA7jS3g4+vPagcAEhSBIEpX9rZVdaWZdpP5NxHbjtyG979n5tzx7ooVBebrEfPdneoQeZQabNU/jUeeWXBJNaQ3Rv59EidOaTI68LZA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDojCCAoqgAwIBAgIGAW0svbVqMA0GCSqGSIb3DQEBCwUAMIGRMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxEjAQBgNVBAMMCXp1bGlwY2hhdDEcMBoGCSqGSIb3DQEJARYN
+aW5mb0Bva3RhLmNvbTAeFw0xOTA5MTMyMjI3MTNaFw0yOTA5MTMyMjI4MTNaMIGRMQswCQYDVQQG
+EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UE
+CgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEjAQBgNVBAMMCXp1bGlwY2hhdDEcMBoGCSqG
+SIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3K
+E57ZDDVplrZO1RKpz9zFekhXZZFiPhW2TCTtoaI966sGaRCmV10cb1FCUxxI3ilcjY8G5irHYc5O
+D4S8+FeIaHb036VjtZZNCDkamE2zGZCix5wCpXhxhQrXkkPJbzO4IGW896O43FPwefGfYnPC8/Oj
+bZ0OUuR8KkNbgn2VnqwZtmb0EX5xrA+212UDyVQ7izVXOoBbvzeydLh8EWteEXjKBREKGBfCL9Kl
+x8JY7BlYrZx+13NeDQsL7bgTXMnTIp3MVP3xddRqsatwersRVGr9b/HzXxfwu/MU230swjsNlgLZ
+OXiYD43rNEkJRlFfMnlY8F3IoE1Mki2BJtMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAI8Xk13NT
+rjo417U1+wZjUKqvB7iw4zGapMqpGRVavGw9hZmSCs8/AJAkFZQKMhAR9GGqf7JHHj/4fNEQ+XVh
+YF1jCUR/X2VwUiBseDHaUKj7EZiX9tIFEI/6LVfPRjKNy1RkEXHo7Lg4RnctclZ1KU7mIZkPSk1J
+fShKIUhtvNaCYJ4OVkN+giQQ6u9HwBqoBYikOBhvgXfIlBFD5H1n7JqxOjWZNO7Rhhx+TjD/0Dmd
+BE04J2bv5zCllBWSv2e1YFi+5SBTBq6FaIMz5c8T4WRFpRlnDEvvEREeAsAbaDiYvpJlO6hOzHNj
+KVmHpmQsDhsgXP02tDsfTARf3EXhbA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{email}</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="ONELOGIN_a5fde8b09598814d7af2537f865d31c2f7aea831" NotOnOrAfter="2019-09-25T01:07:02.120Z" Recipient="http://zulip.testserver/complete/saml/"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2019-09-25T00:57:02.120Z" NotOnOrAfter="2019-09-25T01:07:02.120Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AudienceRestriction><saml2:Audience>http://zulip.testserver</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2019-09-25T01:01:37.741Z" SessionIndex="ONELOGIN_a5fde8b09598814d7af2537f865d31c2f7aea831" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{first_name}</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{last_name}</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{email}</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
diff --git a/zerver/tests/fixtures/saml/zulip.crt b/zerver/tests/fixtures/saml/zulip.crt
new file mode 100644
index 0000000000..df94012443
--- /dev/null
+++ b/zerver/tests/fixtures/saml/zulip.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUdxMUceyfJ0JWc9+631OR8cJDxREwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA5MjQyMjAwMDFaFw0yOTA5
+MjMyMjAwMDFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDk5VXGfX6rAwkCoNYTTCsmZLcmhNW8KXbr0+giMHJ2
+1wswiFZadOevRbgEKeB6b7d/4G0JNTtcTKrq3LqBX7YiQqRsUegBMf1Ev8Gsx8c3
+LJKreOd2NdN0CKgEYtm0YAkOwoM4Idg5JUzfDHOJN6Q/ktUsUD8/LERjDzrLGTte
+A/HThow++1HIUKQCubzJXqyehC9/+gz17bCRq5XBaKB5oxjq0c8tNU6rFXnbYVZJ
+/v6OpKfzzg+BV73VVQWtfT40Aco5kBhp6gCjj3N1UQHX9KgEmtQpBHSqb9YbWGcn
+CILJ7HUgRdRVf0TEj83bT/IEmgAw0DOaDbWIjmUTsOW3AgMBAAGjUzBRMB0GA1Ud
+DgQWBBSXe/5beCNwVuyWNfQLiET1HYrjaTAfBgNVHSMEGDAWgBSXe/5beCNwVuyW
+NfQLiET1HYrjaTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAQ
+n4tWLuO2pcJzN4s8xJdG19Qne+H2N1mfRgzfSOIAAHWYXuP8i2JXp+QgPRai/Jse
+54p3WRM2JWrGicjgx/XDAsDv+SyZB3uF1r5yPGdKt05VRC/wiGh3p0rosGr5+8B0
+lICHeKPgOg0pCX3k3iU15ZkT8OA+5IQmyonB3gxtAjkUKTTUjd5gnIY8KIbcfrTw
+iJMPLLumpUx1NMbEcmcB1HKT2YHwPUh93d6FA5WAr0y9swke4VhI2vXTovwnR9CU
+oXbZrHH231O6SDaccl0/qFp6FDuSogRt9oiZorw8kk1NPyx21mqfmCgZ6tAZ7SJZ
+0ppBMmyTLo1PL86rZcF9
+-----END CERTIFICATE-----
diff --git a/zerver/tests/fixtures/saml/zulip.key b/zerver/tests/fixtures/saml/zulip.key
new file mode 100644
index 0000000000..8ef2a150d0
--- /dev/null
+++ b/zerver/tests/fixtures/saml/zulip.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDk5VXGfX6rAwkC
+oNYTTCsmZLcmhNW8KXbr0+giMHJ21wswiFZadOevRbgEKeB6b7d/4G0JNTtcTKrq
+3LqBX7YiQqRsUegBMf1Ev8Gsx8c3LJKreOd2NdN0CKgEYtm0YAkOwoM4Idg5JUzf
+DHOJN6Q/ktUsUD8/LERjDzrLGTteA/HThow++1HIUKQCubzJXqyehC9/+gz17bCR
+q5XBaKB5oxjq0c8tNU6rFXnbYVZJ/v6OpKfzzg+BV73VVQWtfT40Aco5kBhp6gCj
+j3N1UQHX9KgEmtQpBHSqb9YbWGcnCILJ7HUgRdRVf0TEj83bT/IEmgAw0DOaDbWI
+jmUTsOW3AgMBAAECggEAfCCyB1X+3xZiSH6YGRbxP3zWpZjbn5KM3w6nkALdz/yG
+IOeOjLdg/Pe99uQOy9bRmBNIjfnEGyWoen0A1y/kQWgKaoNwYVWOlz219dDRA+a0
+EzEZtE00QnR/SQGiNeLuhoaNSl9wNm035q2F6h+2fpNN7x4Fbmi/HUkhBQrF2xEZ
+vK6WXb5uHiWYJ4wIEw5nc/DMY3NZ6vJgU+T6uMkj1llhlTtKFFNnRS9yrt46D0Bb
+yJEP+9RhmSkAjZyKICYNh/r7Me0CU3AOHnyAR6Tyz7KweupE91INclzPuL2HEd6R
+05TntfqC+yimwa0AY4dX+cUntr82B5KarWur94Uj4QKBgQD9az4OcIPV7qEobVwo
+eqfgJc9sN0806ESgzCxIRut/RPNykr76zE6tYPQbzAi9iQQYi+yXVkZddUWWPtht
+qTv9LIuGb0NqKLUQYx2tpyh0gFnJJHyKSmooIfoKDEkSLWyPzn2tKPrGOQ683tjX
+vMGNfUIyaHMsidRwOs58oiweswKBgQDnOibfvPjEVrSYRcimUmm8WS7tCBJFd5LL
+cL//NfHQ92SX6z33j71Qz80ezLIrHHizhjaxPTxXGny/unc8j3njM15ilZmNB9Lg
+wtTW3H+MamFF3nTI6/M1iaAM2OIY9nTwZv/UMMmBuVsNOa0mdo1FxxF9ik8MQibB
+vsO65YKe7QKBgQCamE2nKWSDoauWqgBKgWjgCLDc53DeacNUBLoO7ZTEcx/AiV0Q
+SorEohzIyFOcrHVfNB0ExZDvepcU7QnC/DaoYABN5ppNrL+oW47DXPIFADfFyQhg
+pLzV9sQ+VPhOqn9Ly0BH3nP9cNlYxump0nCRDBTSA34fcYWzYWyOA7C+mQKBgQCS
+UjpHW04Q8M1XjtFqbrx6c/U+Cd2GGCTMmIzm8zwTAHqnqDWOc2dZvCYRV3dn0JyQ
+/l2dyyJj/F709Qp/SEvZeqg/umtw04KeuKv3S5FrSeZEUIGWo7lEJ9MgTh7FrTBS
+8Nrza+wYKzNzKwxnSp4bid2Hk/5xw2rDL/SsUJBYAQKBgQDqeuuosCuynOZKF/Vy
+tMZ7ms1GQzfmnkh1uA+OdTMkxwN/DXbJJwo89EouPN+KVpdM8GlvWRZesrVtqSpO
+wK94UzIVrejv6sLUz33tTyRoMrPmkQ9r6KdpHrHwTAJzfceeqHwK1XUCEf/ht4A6
+0zaX2kWvylQBjsD293QfCerl3A==
+-----END PRIVATE KEY-----
diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py
index 0b071e1157..8fad80a35d 100644
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@@ -56,16 +56,19 @@ from zproject.backends import ZulipDummyBackend, EmailAuthBackend, \
     require_email_format_usernames, AUTH_BACKEND_NAME_MAP, \
     ZulipLDAPConfigurationError, ZulipLDAPExceptionOutsideDomain, \
     ZulipLDAPException, query_ldap, sync_user_from_ldap, SocialAuthMixin, \
-    PopulateUserLDAPError
+    PopulateUserLDAPError, SAMLAuthBackend, saml_auth_enabled
 
 from zerver.views.auth import (maybe_send_to_registration,
                                _subdomain_token_salt)
 from version import ZULIP_VERSION
 
+from onelogin.saml2.auth import OneLogin_Saml2_Auth
+from onelogin.saml2.response import OneLogin_Saml2_Response
 from social_core.exceptions import AuthFailed, AuthStateForbidden
 from social_django.strategy import DjangoStrategy
 from social_django.storage import BaseDjangoStorage
 
+import base64
 import json
 import urllib
 import ujson
@@ -956,6 +959,216 @@ class SocialAuthBase(ZulipTestCase):
             self.assertEqual(result.status_code, 302)
             self.assertIn('login', result.url)
 
+class SAMLAuthBackendTest(SocialAuthBase):
+    __unittest_skip__ = False
+
+    BACKEND_CLASS = SAMLAuthBackend
+    LOGIN_URL = "/accounts/login/social/saml"
+    SIGNUP_URL = "/accounts/register/social/saml"
+    AUTHORIZATION_URL = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
+    AUTH_FINISH_URL = "/complete/saml/"
+    CONFIG_ERROR_URL = "/config-error/saml"
+
+    # We have to define our own social_auth_test as the flow of SAML authentication
+    # is different from the other social backends.
+    def social_auth_test(self, account_data_dict: Dict[str, str],
+                         *, subdomain: Optional[str]=None,
+                         mobile_flow_otp: Optional[str]=None,
+                         is_signup: Optional[str]=None,
+                         next: str='',
+                         multiuse_object_key: str='',
+                         **extra_data: Any) -> HttpResponse:
+        url, headers = self.prepare_login_url_and_headers(
+            subdomain, mobile_flow_otp, is_signup, next, multiuse_object_key
+        )
+
+        result = self.client_get(url, **headers)
+
+        expected_result_url_prefix = 'http://testserver/login/%s/' % (self.backend.name,)
+        if settings.SOCIAL_AUTH_SUBDOMAIN is not None:
+            expected_result_url_prefix = (
+                'http://%s.testserver/login/%s/' % (settings.SOCIAL_AUTH_SUBDOMAIN, self.backend.name)
+            )
+
+        if result.status_code != 302 or not result.url.startswith(expected_result_url_prefix):
+            return result
+
+        result = self.client_get(result.url, **headers)
+
+        self.assertEqual(result.status_code, 302)
+        assert self.AUTHORIZATION_URL in result.url
+        assert "samlrequest" in result.url.lower()
+
+        self.client.cookies = result.cookies
+        parsed_url = urllib.parse.urlparse(result.url)
+        relay_state = urllib.parse.parse_qs(parsed_url.query)['RelayState'][0]
+        # Make sure params are getting encoded into RelayState:
+        data = SAMLAuthBackend.get_data_from_redis(relay_state)
+        if next:
+            self.assertEqual(data['next'], next)
+        if is_signup:
+            self.assertEqual(data['is_signup'], is_signup)
+
+        saml_response = self.generate_saml_response(**account_data_dict)
+        post_params = {"SAMLResponse": saml_response, "RelayState": relay_state}
+        # The mock below is necessary, so that python3-saml accepts our SAMLResponse,
+        # and doesn't verify the cryptographic signatures etc., since generating
+        # a perfectly valid SAMLResponse for the purpose of these tests would be too complex,
+        # and we simply use one loaded from a fixture file.
+        with mock.patch.object(OneLogin_Saml2_Response, 'is_valid', return_value=True):
+            result = self.client_post(self.AUTH_FINISH_URL, post_params, **headers)
+
+        return result
+
+    def generate_saml_response(self, email: str, name: str) -> str:
+        """
+        The samlresponse.txt fixture has a pre-generated SAMLResponse,
+        with {email}, {first_name}, {last_name} placeholders, that can
+        be filled out with the data we want.
+        """
+        name_parts = name.split(' ')
+        first_name = name_parts[0]
+        last_name = name_parts[1]
+
+        unencoded_saml_response = self.fixture_data("samlresponse.txt", type="saml").format(
+            email=email,
+            first_name=first_name,
+            last_name=last_name
+        )
+        # SAMLResponse needs to be base64-encoded.
+        saml_response = base64.b64encode(unencoded_saml_response.encode()).decode()  # type: str
+
+        return saml_response
+
+    def get_account_data_dict(self, email: str, name: str) -> Dict[str, Any]:
+        return dict(email=email, name=name)
+
+    def test_social_auth_no_key(self) -> None:
+        """
+        Since in the case of SAML there isn't a direct equivalent of CLIENT_KEY_SETTING,
+        we override this test, to test for the case where the obligatory
+        SOCIAL_AUTH_SAML_ENABLED_IDPS isn't configured.
+        """
+        account_data_dict = self.get_account_data_dict(email=self.email, name=self.name)
+        with self.settings(SOCIAL_AUTH_SAML_ENABLED_IDPS=None):
+            result = self.social_auth_test(account_data_dict,
+                                           subdomain='zulip', next='/user_uploads/image')
+            self.assertEqual(result.status_code, 302)
+            self.assertEqual(result.url, self.CONFIG_ERROR_URL)
+
+    def test_saml_auth_works_without_private_public_keys(self) -> None:
+        with self.settings(SOCIAL_AUTH_SAML_SP_PUBLIC_CERT='', SOCIAL_AUTH_SAML_SP_PRIVATE_KEY=''):
+            self.test_social_auth_success()
+
+    def test_saml_auth_enabled(self) -> None:
+        with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.SAMLAuthBackend',)):
+            self.assertTrue(saml_auth_enabled())
+            result = self.client_get("/saml/metadata.xml")
+            self.assert_in_success_response(
+                ['entityID="{}"'.format(settings.SOCIAL_AUTH_SAML_SP_ENTITY_ID)], result
+            )
+
+    def test_social_auth_complete(self) -> None:
+        with mock.patch.object(OneLogin_Saml2_Response, 'is_valid', return_value=True):
+            with mock.patch.object(OneLogin_Saml2_Auth, 'is_authenticated', return_value=False), \
+                    mock.patch('zproject.backends.logging.info') as m:
+                # This mock causes AuthFailed to be raised.
+                saml_response = self.generate_saml_response(self.email, self.name)
+                relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
+                post_params = {"SAMLResponse": saml_response, "RelayState": relay_state}
+                result = self.client_post('/complete/saml/',  post_params)
+                self.assertEqual(result.status_code, 302)
+                self.assertIn('login', result.url)
+                m.assert_called_with("Authentication failed: SAML login failed: [] (None)")
+
+    def test_social_auth_complete_when_base_exc_is_raised(self) -> None:
+        with mock.patch.object(OneLogin_Saml2_Response, 'is_valid', return_value=True):
+            with mock.patch('social_core.backends.saml.SAMLAuth.auth_complete',
+                            side_effect=AuthStateForbidden('State forbidden')), \
+                    mock.patch('zproject.backends.logging.warning') as m:
+                saml_response = self.generate_saml_response(self.email, self.name)
+                relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
+                post_params = {"SAMLResponse": saml_response, "RelayState": relay_state}
+                result = self.client_post('/complete/saml/',  post_params)
+                self.assertEqual(result.status_code, 302)
+                self.assertIn('login', result.url)
+                m.assert_called_with("Wrong state parameter given.")
+
+    def test_social_auth_complete_bad_params(self) -> None:
+        # Simple GET for /complete/saml without the required parameters.
+        # This tests the auth_complete wrapped in our SAMLAuthBackend,
+        # ensuring it prevents this requests from causing an internal server error.
+        with mock.patch('zproject.backends.logging.info') as m:
+            result = self.client_get('/complete/saml/')
+            self.assertEqual(result.status_code, 302)
+            self.assertIn('login', result.url)
+            m.assert_called_with("SAML authentication failed: missing RelayState.")
+
+        # Check that POSTing the RelayState, but with missing SAMLResponse,
+        # doesn't cause errors either:
+        with mock.patch('zproject.backends.logging.info') as m:
+            relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
+            post_params = {"RelayState": relay_state}
+            result = self.client_post('/complete/saml/',  post_params)
+            self.assertEqual(result.status_code, 302)
+            self.assertIn('login', result.url)
+            m.assert_called_with(
+                # OneLogin_Saml2_Error exception:
+                "SAML Response not found, Only supported HTTP_POST Binding"
+            )
+
+        with mock.patch('zproject.backends.logging.info') as m:
+            relay_state = SAMLAuthBackend.put_data_in_redis({"idp": "test_idp"})
+            relay_state = relay_state[:-1]  # Break the token by removing the last character
+            post_params = {"RelayState": relay_state}
+            result = self.client_post('/complete/saml/',  post_params)
+            self.assertEqual(result.status_code, 302)
+            self.assertIn('login', result.url)
+            m.assert_called_with("SAML authentication failed: bad RelayState token.")
+
+    def test_social_auth_saml_bad_idp_param_on_login_page(self) -> None:
+        with mock.patch('zproject.backends.logging.info') as m:
+            result = self.client_get('/login/saml/')
+            self.assertEqual(result.status_code, 302)
+            self.assertEqual('/login/', result.url)
+            m.assert_called_with("/login/saml/ : Bad idp param.")
+
+        with mock.patch('zproject.backends.logging.info') as m:
+            result = self.client_get('/login/saml/?idp=bad_idp')
+            self.assertEqual(result.status_code, 302)
+            self.assertEqual('/login/', result.url)
+            m.assert_called_with("/login/saml/ : Bad idp param.")
+
+    def test_social_auth_invalid_email(self) -> None:
+        """
+        This test needs an override from the original class. For security reasons,
+        the 'next' and 'mobile_flow_otp' params don't get passed on in the session
+        if the authentication attempt failed. See SAMLAuthBackend.auth_complete for details.
+        """
+        account_data_dict = self.get_account_data_dict(email="invalid", name=self.name)
+        result = self.social_auth_test(account_data_dict,
+                                       expect_choose_email_screen=True,
+                                       subdomain='zulip', next='/user_uploads/image')
+        self.assertEqual(result.status_code, 302)
+        self.assertEqual(result.url, "/login/")
+
+    def test_social_auth_saml_multiple_idps_configured(self) -> None:
+        """
+        Using multiple IdPs is not supported right now, and having multiple configured
+        should lead to misconfiguration page.
+        """
+
+        with self.settings(SOCIAL_AUTH_SAML_ENABLED_IDPS={"test_idp1": {}, "test_idp2": {}}):
+            # We don't need to put full idp configurations in the mock settings above
+            # to trigger the error.
+            with mock.patch("zerver.views.auth.logging.error") as mock_error:
+                result = self.client_get("/accounts/login/social/saml")
+                self.assertEqual(result.status_code, 302)
+                self.assertEqual(result.url, '/config-error/saml')
+                mock_error.assert_called_once_with(
+                    "SAML misconfigured - you have specified multiple IdPs. Only one IdP is supported."
+                )
+
 class GitHubAuthBackendTest(SocialAuthBase):
     __unittest_skip__ = False
 
diff --git a/zerver/tests/test_docs.py b/zerver/tests/test_docs.py
index 1819fd0e25..97ea423003 100644
--- a/zerver/tests/test_docs.py
+++ b/zerver/tests/test_docs.py
@@ -412,6 +412,14 @@ class ConfigErrorTest(ZulipTestCase):
         self.assert_not_in_success_response(["zproject/dev_settings.py"], result)
         self.assert_not_in_success_response(["zproject/dev-secrets.conf"], result)
 
+    @override_settings(SOCIAL_AUTH_SAML_ENABLED_IDPS=None)
+    def test_saml_error(self) -> None:
+        result = self.client_get("/accounts/login/social/saml")
+        self.assertEqual(result.status_code, 302)
+        self.assertEqual(result.url, '/config-error/saml')
+        result = self.client_get(result.url)
+        self.assert_in_success_response(["SAML authentication"], result)
+
     def test_smtp_error(self) -> None:
         result = self.client_get("/config-error/smtp")
         self.assertEqual(result.status_code, 200)
diff --git a/zerver/views/auth.py b/zerver/views/auth.py
index 38244ef527..c98c7aba12 100644
--- a/zerver/views/auth.py
+++ b/zerver/views/auth.py
@@ -7,7 +7,8 @@ from django.contrib.auth.views import password_reset as django_password_reset
 from django.urls import reverse
 from zerver.decorator import require_post, \
     process_client, do_login, log_view_func
-from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
+from django.http import HttpRequest, HttpResponse, HttpResponseRedirect, \
+    HttpResponseServerError
 from django.template.response import SimpleTemplateResponse
 from django.shortcuts import redirect, render
 from django.views.decorators.csrf import csrf_exempt
@@ -37,12 +38,14 @@ from zerver.models import PreregistrationUser, UserProfile, remote_user_to_email
 from zerver.signals import email_on_new_login
 from zproject.backends import password_auth_enabled, dev_auth_enabled, \
     ldap_auth_enabled, ZulipLDAPConfigurationError, ZulipLDAPAuthBackend, \
-    AUTH_BACKEND_NAME_MAP, auth_enabled_helper
+    AUTH_BACKEND_NAME_MAP, auth_enabled_helper, saml_auth_enabled
 from version import ZULIP_VERSION
 
 import jwt
 import logging
 
+from social_django.utils import load_backend, load_strategy
+
 from two_factor.forms import BackupTokenForm
 from two_factor.views import LoginView as BaseTwoFactorLoginView
 
@@ -315,7 +318,8 @@ def remote_user_jwt(request: HttpRequest) -> HttpResponse:
     return login_or_register_remote_user(request, email, user_profile, remote_user)
 
 def oauth_redirect_to_root(request: HttpRequest, url: str,
-                           sso_type: str, is_signup: bool=False) -> HttpResponse:
+                           sso_type: str, is_signup: bool=False,
+                           extra_url_params: Dict[str, str]={}) -> HttpResponse:
     main_site_uri = settings.ROOT_DOMAIN_URI + url
     if settings.SOCIAL_AUTH_SUBDOMAIN is not None and sso_type == 'social':
         main_site_uri = (settings.EXTERNAL_URI_SCHEME +
@@ -342,23 +346,54 @@ def oauth_redirect_to_root(request: HttpRequest, url: str,
     if next:
         params['next'] = next
 
+    params = {**params, **extra_url_params}
+
     return redirect(main_site_uri + '?' + urllib.parse.urlencode(params))
 
 def start_social_login(request: HttpRequest, backend: str) -> HttpResponse:
     backend_url = reverse('social:begin', args=[backend])
+    extra_url_params = {}  # type: Dict[str, str]
+    if backend == "saml":
+        obligatory_saml_settings_list = [
+            settings.SOCIAL_AUTH_SAML_SP_ENTITY_ID,
+            settings.SOCIAL_AUTH_SAML_ORG_INFO,
+            settings.SOCIAL_AUTH_SAML_TECHNICAL_CONTACT,
+            settings.SOCIAL_AUTH_SAML_SUPPORT_CONTACT,
+            settings.SOCIAL_AUTH_SAML_ENABLED_IDPS
+        ]
+        if any(not setting for setting in obligatory_saml_settings_list):
+            return redirect_to_config_error("saml")
+
+        # This backend requires the name of the IdP (from the list of configured ones)
+        # to be passed as the parameter.
+        # Currently we support configuring only one IdP.
+        # TODO: Support multiple IdPs. python-social-auth SAML (which we use here)
+        # already supports that, so essentially only the UI for it on the login pages
+        # needs to be figured out.
+        if len(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS) != 1:
+            logging.error(
+                "SAML misconfigured - you have specified multiple IdPs. Only one IdP is supported."
+            )
+            return redirect_to_config_error("saml")
+        extra_url_params = {'idp': list(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.keys())[0]}
     if (backend == "github") and not (settings.SOCIAL_AUTH_GITHUB_KEY and
                                       settings.SOCIAL_AUTH_GITHUB_SECRET):
         return redirect_to_config_error("github")
     if (backend == "google") and not (settings.SOCIAL_AUTH_GOOGLE_KEY and
                                       settings.SOCIAL_AUTH_GOOGLE_SECRET):
         return redirect_to_config_error("google")
-    # TODO: Add a similar block of AzureAD.
+    # TODO: Add a similar block for AzureAD.
 
-    return oauth_redirect_to_root(request, backend_url, 'social')
+    return oauth_redirect_to_root(request, backend_url, 'social', extra_url_params=extra_url_params)
 
 def start_social_signup(request: HttpRequest, backend: str) -> HttpResponse:
     backend_url = reverse('social:begin', args=[backend])
-    return oauth_redirect_to_root(request, backend_url, 'social', is_signup=True)
+    extra_url_params = {}  # type: Dict[str, str]
+    if backend == "saml":
+        assert len(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS) == 1
+        extra_url_params = {'idp': list(settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.keys())[0]}
+    return oauth_redirect_to_root(request, backend_url, 'social', is_signup=True,
+                                  extra_url_params=extra_url_params)
 
 def authenticate_remote_user(realm: Realm,
                              email_address: Optional[str]) -> Optional[UserProfile]:
@@ -851,3 +886,25 @@ def password_reset(request: HttpRequest, **kwargs: Any) -> HttpResponse:
                                  template_name='zerver/reset.html',
                                  password_reset_form=ZulipPasswordResetForm,
                                  post_reset_redirect='/accounts/password/reset/done/')
+
+@csrf_exempt
+def saml_sp_metadata(request: HttpRequest, **kwargs: Any) -> HttpResponse:  # nocoverage
+    """
+    This is the view function for generating our SP metadata
+    for SAML authentication. It's meant for helping check the correctness
+    of the configuration when setting up SAML, or for obtaining the XML metadata
+    if the IdP requires it.
+    Taken from https://python-social-auth.readthedocs.io/en/latest/backends/saml.html
+    """
+    if not saml_auth_enabled():
+        return redirect_to_config_error("saml")
+
+    complete_url = reverse('social:complete', args=("saml",))
+    saml_backend = load_backend(load_strategy(request), "saml",
+                                complete_url)
+    metadata, errors = saml_backend.generate_metadata_xml()
+    if not errors:
+        return HttpResponse(content=metadata,
+                            content_type='text/xml')
+
+    return HttpResponseServerError(content=', '.join(errors))
diff --git a/zproject/backends.py b/zproject/backends.py
index 1330cb1747..f81edfa725 100644
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -15,6 +15,7 @@
 import copy
 import logging
 import magic
+import ujson
 from typing import Any, Dict, List, Optional, Set, Tuple, Union
 
 from django_auth_ldap.backend import LDAPBackend, _LDAPUser, ldap_error
@@ -28,12 +29,14 @@ from django.http import HttpResponse, HttpResponseRedirect
 from django.shortcuts import render
 from django.urls import reverse
 from requests import HTTPError
+from onelogin.saml2.errors import OneLogin_Saml2_Error
 from social_core.backends.github import GithubOAuth2, GithubOrganizationOAuth2, \
     GithubTeamOAuth2
 from social_core.backends.azuread import AzureADOAuth2
 from social_core.backends.base import BaseAuth
 from social_core.backends.google import GoogleOAuth2
 from social_core.backends.oauth import BaseOAuth2
+from social_core.backends.saml import SAMLAuth
 from social_core.pipeline.partial import partial
 from social_core.exceptions import AuthFailed, SocialAuthBaseException
 
@@ -44,11 +47,15 @@ from zerver.lib.avatar_hash import user_avatar_content_hash
 from zerver.lib.dev_ldap_directory import init_fakeldap
 from zerver.lib.request import JsonableError
 from zerver.lib.users import check_full_name, validate_user_custom_profile_field
+from zerver.lib.utils import generate_random_token
+from zerver.lib.redis_utils import get_redis_client
 from zerver.models import CustomProfileField, DisposableEmailError, DomainNotAllowedForRealmError, \
     EmailContainsPlusError, PreregistrationUser, UserProfile, Realm, custom_profile_fields_for_realm, \
     email_allowed_for_realm, get_default_stream_groups, get_user_profile_by_id, remote_user_to_email, \
     email_to_username, get_realm, get_user_by_delivery_email, supported_auth_backends
 
+redis_client = get_redis_client()
+
 # This first batch of methods is used by other code in Zulip to check
 # whether a given authentication backend is enabled for a given realm.
 # In each case, we both needs to check at the server level (via
@@ -96,6 +103,9 @@ def google_auth_enabled(realm: Optional[Realm]=None) -> bool:
 def github_auth_enabled(realm: Optional[Realm]=None) -> bool:
     return auth_enabled_helper(['GitHub'], realm)
 
+def saml_auth_enabled(realm: Optional[Realm]=None) -> bool:
+    return auth_enabled_helper(['SAML'], realm)
+
 def any_social_backend_enabled(realm: Optional[Realm]=None) -> bool:
     """Used by the login page process to determine whether to show the
     'OR' for login with Google"""
@@ -1003,6 +1013,124 @@ class GoogleAuthBackend(SocialAuthMixin, GoogleOAuth2):
             verified_emails.append(details["email"])
         return verified_emails
 
+class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
+    auth_backend_name = "SAML"
+    standard_relay_params = ["subdomain", "multiuse_object_key", "mobile_flow_otp",
+                             "next", "is_signup"]
+    REDIS_EXPIRATION_SECONDS = 60 * 15
+
+    def auth_url(self) -> str:
+        """Get the URL to which we must redirect in order to
+        authenticate the user. Overriding the original SAMLAuth.auth_url.
+        Runs when someone accesses the /login/saml/ endpoint."""
+        try:
+            idp_name = self.strategy.request_data()['idp']
+            auth = self._create_saml_auth(idp=self.get_idp(idp_name))
+        except KeyError:
+            # If the above raise KeyError, it means invalid or no idp was specified,
+            # we should log that and redirect to the login page.
+            logging.info("/login/saml/ : Bad idp param.")
+            return reverse('zerver.views.auth.login_page',
+                           kwargs = {'template_name': 'zerver/login.html'})
+
+        # This where we change things.  We need to pass some params
+        # (`mobile_flow_otp`, `next`, etc.) through RelayState, which
+        # then the IdP will pass back to us so we can read those
+        # parameters in the final part of the authentication flow, at
+        # the /complete/saml/ endpoint.
+        #
+        # To protect against network eavesdropping of these
+        # parameters, we send just a random token to the IdP in
+        # RelayState, which is used as a key into our redis data store
+        # for fetching the actual parameters after the IdP has
+        # returned a successful authentication.
+        params_to_relay = ["idp"] + self.standard_relay_params
+        request_data = self.strategy.request_data().dict()
+        data_to_relay = {
+            key: request_data[key] for key in params_to_relay if key in request_data
+        }
+        relay_state = self.put_data_in_redis(data_to_relay)
+
+        return auth.login(return_to=relay_state)
+
+    @classmethod
+    def put_data_in_redis(cls, data_to_relay: Dict[str, Any]) -> str:
+        with redis_client.pipeline() as pipeline:
+            token = generate_random_token(64)
+            key = "saml_token_{}".format(token)
+            pipeline.set(key, ujson.dumps(data_to_relay))
+            pipeline.expire(key, cls.REDIS_EXPIRATION_SECONDS)
+            pipeline.execute()
+
+        return key
+
+    @classmethod
+    def get_data_from_redis(cls, key: str) -> Optional[Dict[str, Any]]:
+        redis_data = None
+        if key.startswith('saml_token_'):
+            # Safety if statement, to not allow someone to poke around arbitrary redis keys here.
+            redis_data = redis_client.get(key)
+        if redis_data is None:
+            # TODO: We will need some sort of user-facing message
+            # about the authentication session having expired here.
+            logging.info("SAML authentication failed: bad RelayState token.")
+            return None
+
+        return ujson.loads(redis_data)
+
+    def auth_complete(self, *args: Any, **kwargs: Any) -> Optional[HttpResponse]:
+        """
+        Additional ugly wrapping on top of auth_complete in SocialAuthMixin.
+        We handle two things here:
+            1. Working around bad RelayState or SAMLResponse parameters in the request.
+            Both parameters should be present if the user came to /complete/saml/ through
+            the IdP as intended. The errors can happen if someone simply types the endpoint into
+            their browsers, or generally tries messing with it in some ways.
+
+            2. The first part of our SAML authentication flow will encode important parameters
+            into the RelayState. We need to read them and set those values in the session,
+            and then change the RelayState param to the idp_name, because that's what
+            SAMLAuth.auth_complete() expects.
+        """
+        if 'RelayState' not in self.strategy.request_data():
+            logging.info("SAML authentication failed: missing RelayState.")
+            return None
+
+        # Set the relevant params that we transported in the RelayState:
+        redis_key = self.strategy.request_data()['RelayState']
+        relayed_params = self.get_data_from_redis(redis_key)
+        if relayed_params is None:
+            return None
+
+        result = None
+        try:
+            for param, value in relayed_params.items():
+                if param in self.standard_relay_params:
+                    self.strategy.session_set(param, value)
+
+            # super().auth_complete expects to have RelayState set to the idp_name,
+            # so we need to replace this param.
+            post_params = self.strategy.request.POST.copy()
+            post_params['RelayState'] = relayed_params["idp"]
+            self.strategy.request.POST = post_params
+
+            # Call the auth_complete method of SocialAuthMixIn
+            result = super().auth_complete(*args, **kwargs)  # type: ignore # monkey-patching
+        except OneLogin_Saml2_Error as e:
+            # This will be raised if SAMLResponse is missing.
+            logging.info(str(e))
+            # Fall through to returning None.
+        finally:
+            if result is None:
+                for param in self.standard_relay_params:
+                    # If an attacker managed to eavesdrop on the RelayState token,
+                    # they may pass it here to the endpoint with an invalid SAMLResponse.
+                    # We remove these potentially sensitive parameters that we have set in the session
+                    # ealier, to avoid leaking their values.
+                    self.strategy.session_set(param, None)
+
+        return result
+
 AUTH_BACKEND_NAME_MAP = {
     'Dev': DevAuthBackend,
     'Email': EmailAuthBackend,
diff --git a/zproject/dev_settings.py b/zproject/dev_settings.py
index 24eb3b5f66..69df17cb59 100644
--- a/zproject/dev_settings.py
+++ b/zproject/dev_settings.py
@@ -45,6 +45,7 @@ AUTHENTICATION_BACKENDS = (
     'zproject.backends.EmailAuthBackend',
     'zproject.backends.GitHubAuthBackend',
     'zproject.backends.GoogleAuthBackend',
+    'zproject.backends.SAMLAuthBackend',
     # 'zproject.backends.AzureADAuthBackend',
 )
 
@@ -157,3 +158,6 @@ TERMS_OF_SERVICE = 'corporate/terms.md'
 # header.  Important for SAML authentication in the development
 # environment.
 USE_X_FORWARDED_PORT = True
+
+# Override the default SAML entity ID
+SOCIAL_AUTH_SAML_SP_ENTITY_ID = "http://localhost:9991/"
diff --git a/zproject/prod_settings_template.py b/zproject/prod_settings_template.py
index e87e106adb..8be6e64c7b 100644
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@@ -120,6 +120,7 @@ AUTHENTICATION_BACKENDS = (
     # 'zproject.backends.GoogleAuthBackend',  # Google auth, setup below
     # 'zproject.backends.GitHubAuthBackend',  # GitHub auth, setup below
     # 'zproject.backends.AzureADAuthBackend',  # Microsoft Azure Active Directory auth, setup below
+    # 'zproject.backends.SAMLAuthBackend', # SAML, setup below
     # 'zproject.backends.ZulipLDAPAuthBackend',  # LDAP, setup below
     # 'zproject.backends.ZulipRemoteUserBackend',  # Local SSO, setup docs on readthedocs
 )  # type: Tuple[str, ...]
@@ -185,6 +186,63 @@ AUTHENTICATION_BACKENDS = (
 #
 #SOCIAL_AUTH_SUBDOMAIN = 'auth'
 
+########
+# SAML Authentication
+#
+# For SAML authentication, you will need to configure the settings
+# below using information from your SAML Identity Provider, as
+# explained in:
+#
+#     https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#saml
+#
+# You will need to modify these SAML settings:
+SOCIAL_AUTH_SAML_ORG_INFO = {
+    "en-US": {
+        "displayname": "Example Inc.",
+        "name": "example",
+        "url": "%s%s" % ('https://', EXTERNAL_HOST),
+    }
+}
+SOCIAL_AUTH_SAML_ENABLED_IDPS = {
+    # The fields are explained in detail here:
+    #     https://python-social-auth-docs.readthedocs.io/en/latest/backends/saml.html
+    "idp_name": {
+        # Configure entity_id and url according to information provided to you by your IdP:
+        "entity_id": "https://idp.testshib.org/idp/shibboleth",
+        "url": "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO",
+        # The part below corresponds to what's likely referred to as something like
+        # "Attribute Statements" (with Okta as your IdP) or "Attribute Mapping" (with G Suite).
+        # The names on the right side need to correspond to the names under which
+        # the IdP will send the user attributes. With these defaults, it's expected
+        # that the user's email will be sent with the "email" attribute name,
+        # the first name and the last name with the "first_name", "last_name" attribute names.
+        "attr_user_permanent_id": "email",
+        "attr_first_name": "first_name",
+        "attr_last_name": "last_name",
+        "attr_username": "email",
+        "attr_email": "email",
+        # The "x509cert" attribute is automatically read from
+        # /etc/zulip/saml/idps/{idp_name}.crt; don't specify it here.
+    }
+}
+
+SOCIAL_AUTH_SAML_SECURITY_CONFIG = {
+    # If you've set up the optional private and public server keys,
+    # set this to True to enable signing of SAMLRequests using the
+    # private key.
+    "authnRequestsSigned": False,
+}
+
+# These SAML settings you likely won't need to modify.
+SOCIAL_AUTH_SAML_SP_ENTITY_ID = 'https://' + EXTERNAL_HOST
+SOCIAL_AUTH_SAML_TECHNICAL_CONTACT = {
+    "givenName": "Technical team",
+    "emailAddress": ZULIP_ADMINISTRATOR,
+}
+SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
+    "givenName": "Support team",
+    "emailAddress": ZULIP_ADMINISTRATOR,
+}
 
 ########
 # Azure Active Directory OAuth.
@@ -211,7 +269,6 @@ AUTHENTICATION_BACKENDS = (
 # SSO_APPEND_DOMAIN = "example.com")
 SSO_APPEND_DOMAIN = None  # type: Optional[str]
 
-
 ################
 # Miscellaneous settings.
 
diff --git a/zproject/settings.py b/zproject/settings.py
index ed12f50312..ed3df8d07d 100644
--- a/zproject/settings.py
+++ b/zproject/settings.py
@@ -52,6 +52,13 @@ def get_config(section: str, key: str, default_value: Optional[Any]=None) -> Opt
         return config_file.get(section, key)
     return default_value
 
+def get_from_file_if_exists(path: str) -> str:
+    if os.path.exists(path):
+        with open(path, "r") as f:
+            return f.read()
+    else:
+        return ''
+
 # Make this unique, and don't share it with anybody.
 SECRET_KEY = get_secret("secret_key")
 
@@ -160,6 +167,14 @@ DEFAULT_SETTINGS = {
     'SOCIAL_AUTH_SUBDOMAIN': None,
     'SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET': get_secret('azure_oauth2_secret'),
     'SOCIAL_AUTH_GOOGLE_KEY': get_secret('social_auth_google_key', development_only=True),
+    # SAML:
+    'SOCIAL_AUTH_SAML_SP_ENTITY_ID': None,
+    'SOCIAL_AUTH_SAML_SP_PUBLIC_CERT': '',
+    'SOCIAL_AUTH_SAML_SP_PRIVATE_KEY': '',
+    'SOCIAL_AUTH_SAML_ORG_INFO': None,
+    'SOCIAL_AUTH_SAML_TECHNICAL_CONTACT': None,
+    'SOCIAL_AUTH_SAML_SUPPORT_CONTACT': None,
+    'SOCIAL_AUTH_SAML_ENABLED_IDPS': {},
     # Historical name for SOCIAL_AUTH_GITHUB_KEY; still allowed in production.
     'GOOGLE_OAUTH2_CLIENT_ID': None,
 
@@ -1355,6 +1370,26 @@ GOOGLE_OAUTH2_CLIENT_SECRET = get_secret('google_oauth2_client_secret')
 SOCIAL_AUTH_GOOGLE_KEY = SOCIAL_AUTH_GOOGLE_KEY or GOOGLE_OAUTH2_CLIENT_ID
 SOCIAL_AUTH_GOOGLE_SECRET = SOCIAL_AUTH_GOOGLE_SECRET or GOOGLE_OAUTH2_CLIENT_SECRET
 
+if PRODUCTION:
+    SOCIAL_AUTH_SAML_SP_PUBLIC_CERT = get_from_file_if_exists("/etc/zulip/saml/zulip-cert.crt")
+    SOCIAL_AUTH_SAML_SP_PRIVATE_KEY = get_from_file_if_exists("/etc/zulip/saml/zulip-private-key.key")
+
+for idp_name, idp_dict in SOCIAL_AUTH_SAML_ENABLED_IDPS.items():
+    if DEVELOPMENT:
+        idp_dict['entity_id'] = get_secret('saml_entity_id', '')
+        idp_dict['url'] = get_secret('saml_url', '')
+        idp_dict['x509cert_path'] = 'zproject/dev_saml.cert'
+
+    # Set `x509cert` if not specified already; also support an override path.
+    if 'x509cert' in idp_dict:
+        continue
+
+    if 'x509cert_path' in idp_dict:
+        path = idp_dict['x509cert_path']
+    else:
+        path = "/etc/zulip/saml/idps/{}.crt".format(idp_name)
+    idp_dict['x509cert'] = get_from_file_if_exists(path)
+
 SOCIAL_AUTH_PIPELINE = [
     'social_core.pipeline.social_auth.social_details',
     'zproject.backends.social_auth_associate_user',
diff --git a/zproject/test_settings.py b/zproject/test_settings.py
index 8ea2a373cb..2c8abd15de 100644
--- a/zproject/test_settings.py
+++ b/zproject/test_settings.py
@@ -172,3 +172,38 @@ THUMBOR_SERVES_CAMO = True
 # Logging the emails while running the tests adds them
 # to /emails page.
 DEVELOPMENT_LOG_EMAILS = False
+
+SOCIAL_AUTH_SAML_SP_ENTITY_ID = 'http://' + EXTERNAL_HOST
+SOCIAL_AUTH_SAML_SP_PUBLIC_CERT  = get_from_file_if_exists("zerver/tests/fixtures/saml/zulip.crt")
+SOCIAL_AUTH_SAML_SP_PRIVATE_KEY = get_from_file_if_exists("zerver/tests/fixtures/saml/zulip.key")
+
+SOCIAL_AUTH_SAML_ORG_INFO = {
+    "en-US": {
+        "name": "example",
+        "displayname": "Example Inc.",
+        "url": "%s%s" % ('http://', EXTERNAL_HOST),
+    }
+}
+
+SOCIAL_AUTH_SAML_TECHNICAL_CONTACT = {
+    "givenName": "Tech Gal",
+    "emailAddress": "technical@example.com"
+}
+
+SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
+    "givenName": "Support Guy",
+    "emailAddress": "support@example.com",
+}
+
+SOCIAL_AUTH_SAML_ENABLED_IDPS = {
+    "test_idp": {
+        "entity_id": "https://idp.testshib.org/idp/shibboleth",
+        "url": "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO",
+        "x509cert": get_from_file_if_exists("zerver/tests/fixtures/saml/idp.crt"),
+        "attr_user_permanent_id": "email",
+        "attr_first_name": "first_name",
+        "attr_last_name": "last_name",
+        "attr_username": "email",
+        "attr_email": "email",
+    }
+}
diff --git a/zproject/urls.py b/zproject/urls.py
index ed01abf2e2..5dc3db7e36 100644
--- a/zproject/urls.py
+++ b/zproject/urls.py
@@ -581,6 +581,9 @@ i18n_urls = [
         template_name='zerver/config_error.html',),
         {'dev_not_supported_error': True},
         name='dev_not_supported'),
+    url(r'^config-error/saml$', TemplateView.as_view(
+        template_name='zerver/config_error.html',),
+        {'saml_error': True},),
 ]
 
 # Make a copy of i18n_urls so that they appear without prefix for english
@@ -709,6 +712,7 @@ urls += [
 
 # Python Social Auth
 urls += [url(r'^', include('social_django.urls', namespace='social'))]
+urls += [url(r'^saml/metadata.xml$', zerver.views.auth.saml_sp_metadata)]
 
 # User documentation site
 urls += [url(r'^help/(?P<article>.*)$',