connector/saml: fix validation bug with multiple Assertion elements

Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.

When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.

cmd/example-app: fix custom CA behavior

Fix assertion fallback

examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.

connector: Connectors without a RefreshConnector should not error out

connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring

*: validate InResponseTo SAML response field and make issuer optional

glide.yaml: update goxmldsig

storage: make static storages query real storages for some actions

*: fix spelling using github.com/client9/misspell

connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider

If dex is configured with static passwords or clients, let the API
still add or modify objects in the backing storage, so long as
their IDs don't conflict with the static ones. List options now
aggregate resources from the static list and backing storage.

api: Update timestamp type for RefreshTokenRef to int64.

storage/conformance: update conformance tests with multiple entries per resource

storage/kubernetes: log INFO level if TPR already exists, not ERROR

storage/sql: add missing WHERE statement to refresh token update

update kubernetes example-app explanation

Clarify some potentially confusing issues with how to run and build the
example-app binary.

*: only use docker when releasing, update to Go 1.8, remove aci scripts

This change modifies our release process to only require Docker
when building a release and updates our released binary to use Go
1.8. It also removes our .aci scripts, which we've not been
regularly building.

A nice consequence is that OSX users can now build a release image.

*: update go-oidc and use standard library's context package