From c2702ea1c2067d310612e226c88549fbde26ac0a Mon Sep 17 00:00:00 2001
From: Ross Kinder <ross@kndr.org>
Date: Sun, 27 Dec 2020 14:51:37 -0500
Subject: [PATCH] replace testify (which is more or less unmaintained) with
 gotest.tools

---
 duration_test.go              |  13 +-
 go.mod                        |   6 +-
 go.sum                        |  26 +++
 identity_provider_test.go     | 202 ++++++++++----------
 metadata_test.go              |  11 +-
 samlidp/samlidp_test.go       |  16 +-
 samlidp/service_test.go       |  29 +--
 samlidp/session_test.go       |  47 ++---
 samlidp/shortcut_test.go      |  47 +++--
 samlidp/user_test.go          |  23 +--
 samlidp/util_test.go          |   7 +-
 samlsp/fetch_metadata_test.go |  15 +-
 samlsp/middleware_test.go     | 176 ++++++++---------
 samlsp/samlsp_test.go         |   8 +-
 samlsp/session_cookie_test.go |  12 +-
 schema_test.go                |  50 +++--
 service_provider_test.go      | 348 ++++++++++++++++------------------
 time_test.go                  |  38 ++--
 xmlenc/decrypt_test.go        |  33 ++--
 xmlenc/encrypt_test.go        |  12 +-
 xmlenc/xmlenc_test.go         |  21 +-
 21 files changed, 572 insertions(+), 568 deletions(-)

diff --git a/duration_test.go b/duration_test.go
index c452acc9..54ffa0cc 100644
--- a/duration_test.go
+++ b/duration_test.go
@@ -6,7 +6,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 var durationMarshalTests = []struct {
@@ -27,8 +28,8 @@ func TestDuration(t *testing.T) {
 	for i, testCase := range durationMarshalTests {
 		t.Run(strconv.Itoa(i), func(t *testing.T) {
 			actual, err := Duration(testCase.in).MarshalText()
-			assert.NoError(t, err)
-			assert.Equal(t, testCase.expected, actual)
+			assert.Check(t, err)
+			assert.Check(t, is.DeepEqual(testCase.expected, actual))
 		})
 	}
 }
@@ -74,11 +75,11 @@ func TestDurationUnmarshal(t *testing.T) {
 			var actual Duration
 			err := actual.UnmarshalText(testCase.in)
 			if testCase.err == nil {
-				assert.NoError(t, err)
+				assert.Check(t, err)
 			} else {
-				assert.EqualError(t, err, testCase.err.Error())
+				assert.Check(t, is.Error(err, testCase.err.Error()))
 			}
-			assert.Equal(t, Duration(testCase.expected), actual)
+			assert.Check(t, is.Equal(Duration(testCase.expected), actual))
 		})
 	}
 }
diff --git a/go.mod b/go.mod
index 31bb6cc2..c47ffe09 100644
--- a/go.mod
+++ b/go.mod
@@ -8,15 +8,17 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/google/go-cmp v0.5.4 // indirect
+	github.com/google/go-cmp v0.5.4
 	github.com/jonboulle/clockwork v0.2.1 // indirect
 	github.com/kr/pretty v0.2.1
 	github.com/mattermost/xml-roundtrip-validator v0.0.0-20201213122252-bcd7e1b9601e
 	github.com/pkg/errors v0.8.1 // indirect
 	github.com/russellhaering/goxmldsig v1.1.0
+	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/testify v1.6.1
 	github.com/zenazn/goji v0.9.1-0.20160507202103-64eb34159fe5
-	golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/tools v0.0.0-20201226215659-b1c90890d22a // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gotest.tools v2.2.0+incompatible
 )
diff --git a/go.sum b/go.sum
index 192e2922..63199bea 100644
--- a/go.sum
+++ b/go.sum
@@ -12,6 +12,9 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumC
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/gotestyourself/gotestyourself v1.4.0 h1:CDSlSIuRL/Fsc72Ln5lMybtrCvSRDddsHsDRG/nP7Rg=
+github.com/gotestyourself/gotestyourself v2.2.0+incompatible h1:AQwinXlbQR2HvPjQZOmDhRqsv5mZf+Jb1RnSLxcqZcI=
+github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.0 h1:J2SLSdy7HgElq8ekSl2Mxh6vrRNFxqbXGenYH2I02Vs=
@@ -33,21 +36,44 @@ github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7 h1:J4AOUc
 github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7/go.mod h1:Oz4y6ImuOQZxynhbSXk7btjEfNBtGlj2dcaOvXl2FSM=
 github.com/russellhaering/goxmldsig v1.1.0 h1:lK/zeJie2sqG52ZAlPNn1oBBqsIsEKypUUBGpYYF6lk=
 github.com/russellhaering/goxmldsig v1.1.0/go.mod h1:QK8GhXPB3+AfuCrfo0oRISa9NfzeCpWmxeGnqEpDF9o=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zenazn/goji v0.9.1-0.20160507202103-64eb34159fe5 h1:mXV20Aj/BdWrlVzIn1kXFa+Tq62INlUi0cFFlztTaK0=
 github.com/zenazn/goji v0.9.1-0.20160507202103-64eb34159fe5/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392 h1:ACG4HJsFiNMf47Y4PeRoebLNy/2lXT9EtprMuTFWt1M=
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69 h1:rOhMmluY6kLMhdnrivzec6lLgaVbMHMn2ISQXJeJ5EM=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20201226215659-b1c90890d22a h1:pdfjQ7VswBeGam3EpuEJ4e8EAb7JgaubV570LO/SIQM=
+golang.org/x/tools v0.0.0-20201226215659-b1c90890d22a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/identity_provider_test.go b/identity_provider_test.go
index fcef69be..eae8abb5 100644
--- a/identity_provider_test.go
+++ b/identity_provider_test.go
@@ -10,7 +10,6 @@ import (
 	"encoding/pem"
 	"encoding/xml"
 	"fmt"
-	"gotest.tools/golden"
 	"io/ioutil"
 	"math/rand"
 	"net/http"
@@ -21,9 +20,12 @@ import (
 	"testing"
 	"time"
 
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+
 	"github.com/beevik/etree"
 	"github.com/dgrijalva/jwt-go"
-	"github.com/stretchr/testify/assert"
 
 	"github.com/crewjam/saml/logger"
 	"github.com/crewjam/saml/testsaml"
@@ -188,7 +190,7 @@ func TestIDPCanProduceMetadata(t *testing.T) {
 			},
 		},
 	}
-	assert.Equal(t, expected, test.IDP.Metadata())
+	assert.Check(t, is.DeepEqual(expected, test.IDP.Metadata()))
 }
 
 func TestIDPHTTPCanHandleMetadataRequest(t *testing.T) {
@@ -196,9 +198,9 @@ func TestIDPHTTPCanHandleMetadataRequest(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/metadata", nil)
 	test.IDP.Handler().ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "application/samlmetadata+xml", w.Header().Get("Content-type"))
-	assert.True(t, strings.HasPrefix(string(w.Body.Bytes()), "<EntityDescriptor"),
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("application/samlmetadata+xml", w.Header().Get("Content-type")))
+	assert.Check(t, strings.HasPrefix(string(w.Body.Bytes()), "<EntityDescriptor"),
 		string(w.Body.Bytes()))
 }
 
@@ -211,14 +213,14 @@ func TestIDPHTTPCanHandleSSORequest(t *testing.T) {
 	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&"+
 		"SAMLRequest="+validRequest, nil)
 	test.IDP.Handler().ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
 
 	// rejects requests that are invalid
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&"+
 		"SAMLRequest=PEF1dGhuUmVxdWVzdA%3D%3D", nil)
 	test.IDP.Handler().ServeHTTP(w, r)
-	assert.Equal(t, http.StatusBadRequest, w.Code)
+	assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
 
 	// rejects requests that contain malformed XML
 	{
@@ -237,7 +239,7 @@ func TestIDPHTTPCanHandleSSORequest(t *testing.T) {
 		r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&"+
 			"SAMLRequest="+invalidRequest, nil)
 		test.IDP.Handler().ServeHTTP(w, r)
-		assert.Equal(t, http.StatusBadRequest, w.Code)
+		assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
 	}
 
 }
@@ -255,17 +257,17 @@ func TestIDPCanHandleRequestWithNewSession(t *testing.T) {
 	w := httptest.NewRecorder()
 
 	requestURL, err := test.SP.MakeRedirectAuthenticationRequest("ThisIsTheRelayState")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(requestURL)
-	assert.NoError(t, err)
-	assert.Equal(t, string(golden.Get(t, "idp_authn_request.xml")), string(decodedRequest))
-	assert.Equal(t, "ThisIsTheRelayState", requestURL.Query().Get("RelayState"))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(golden.Get(t, "idp_authn_request.xml")), string(decodedRequest)))
+	assert.Check(t, is.Equal("ThisIsTheRelayState", requestURL.Query().Get("RelayState")))
 
 	r, _ := http.NewRequest("GET", requestURL.String(), nil)
 	test.IDP.ServeSSO(w, r)
-	assert.Equal(t, 200, w.Code)
-	golden.Assert(t, w.Body.String(), t.Name() + "_http_response_body")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_http_response_body")
 }
 
 func TestIDPCanHandleRequestWithExistingSession(t *testing.T) {
@@ -281,19 +283,16 @@ func TestIDPCanHandleRequestWithExistingSession(t *testing.T) {
 
 	w := httptest.NewRecorder()
 	requestURL, err := test.SP.MakeRedirectAuthenticationRequest("ThisIsTheRelayState")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(requestURL)
-	assert.NoError(t, err)
-	golden.Assert(t, string(decodedRequest), t.Name() + "_decodedRequest")
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decodedRequest")
 
 	r, _ := http.NewRequest("GET", requestURL.String(), nil)
 	test.IDP.ServeSSO(w, r)
-	assert.Equal(t, 200, w.Code)
-	assert.Regexp(t,
-		"^<html><form method=\"post\" action=\"https://sp\\.example\\.com/saml2/acs\" id=\"SAMLResponseForm\"><input type=\"hidden\" name=\"SAMLResponse\" value=\".*\" /><input type=\"hidden\" name=\"RelayState\" value=\"ThisIsTheRelayState\" /><input id=\"SAMLSubmitButton\" type=\"submit\" value=\"Continue\" /></form><script>document\\.getElementById\\('SAMLSubmitButton'\\)\\.style\\.visibility='hidden';</script><script>document\\.getElementById\\('SAMLResponseForm'\\)\\.submit\\(\\);</script></html>$",
-		string(w.Body.Bytes()))
-	golden.Assert(t, w.Body.String(), t.Name() + "_http_response_body")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_http_response_body")
 }
 
 func TestIDPCanHandlePostRequestWithExistingSession(t *testing.T) {
@@ -310,9 +309,9 @@ func TestIDPCanHandlePostRequestWithExistingSession(t *testing.T) {
 	w := httptest.NewRecorder()
 
 	authRequest, err := test.SP.MakeAuthenticationRequest(test.SP.GetSSOBindingLocation(HTTPRedirectBinding))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	authRequestBuf, err := xml.Marshal(authRequest)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	q := url.Values{}
 	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(authRequestBuf))
 	q.Set("RelayState", "ThisIsTheRelayState")
@@ -321,11 +320,8 @@ func TestIDPCanHandlePostRequestWithExistingSession(t *testing.T) {
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 
 	test.IDP.ServeSSO(w, r)
-	assert.Equal(t, 200, w.Code)
-	assert.Regexp(t,
-		"^<html><form method=\"post\" action=\"https://sp\\.example\\.com/saml2/acs\" id=\"SAMLResponseForm\"><input type=\"hidden\" name=\"SAMLResponse\" value=\".*\" /><input type=\"hidden\" name=\"RelayState\" value=\"ThisIsTheRelayState\" /><input id=\"SAMLSubmitButton\" type=\"submit\" value=\"Continue\" /></form><script>document\\.getElementById\\('SAMLSubmitButton'\\)\\.style\\.visibility='hidden';</script><script>document\\.getElementById\\('SAMLResponseForm'\\)\\.submit\\(\\);</script></html>$",
-		string(w.Body.Bytes()))
-	golden.Assert(t, w.Body.String(), t.Name() + "_http_response_body")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_http_response_body")
 }
 
 func TestIDPRejectsInvalidRequest(t *testing.T) {
@@ -339,38 +335,38 @@ func TestIDPRejectsInvalidRequest(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=XXX", nil)
 	test.IDP.ServeSSO(w, r)
-	assert.Equal(t, http.StatusBadRequest, w.Code)
+	assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("POST", "https://idp.example.com/saml/sso",
 		strings.NewReader("RelayState=ThisIsTheRelayState&SAMLRequest=XXX"))
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 	test.IDP.ServeSSO(w, r)
-	assert.Equal(t, http.StatusBadRequest, w.Code)
+	assert.Check(t, is.Equal(http.StatusBadRequest, w.Code))
 }
 
 func TestIDPCanParse(t *testing.T) {
 	test := NewIdentifyProviderTest(t)
 	r, _ := http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=lJJBayoxFIX%2FypC9JhnU5wszAz7lgWCLaNtFd5fMbQ1MkmnunVb%2FfUfbUqEgdhs%2BTr5zkmLW8S5s8KVD4mzvm0Cl6FIwEciRCeCRDFuznd2sTD5Upk2Ro42NyGZEmNjFMI%2BBOo9pi%2BnVWbzfrEqxY27JSEntEPfg2waHNnpJ4JtcgiWRLfoLXYBjwDfu6p%2B8JIoiWy5K4eqBUipXIzVRUwXKKtRK53qkJ3qqQVuNPUjU4TIQQ%2BBS5EqPBzofKH2ntBn%2FMervo8jWnyX%2BuVC78FwKkT1gopNKX1JUxSklXTMIfM0gsv8xeeDL%2BPGk7%2FF0Qg0GdnwQ1cW5PDLUwFDID6uquO1Dlot1bJw9%2FPLRmia%2BzRMCYyk4dSiq6205QSDXOxfy3KAq5Pkvqt4DAAD%2F%2Fw%3D%3D", nil)
 	req, err := NewIdpAuthnRequest(&test.IDP, r)
-	assert.NoError(t, err)
-	assert.NoError(t, req.Validate())
+	assert.Check(t, err)
+	assert.Check(t, req.Validate())
 
 	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	assert.EqualError(t, err, "cannot decompress request: unexpected EOF")
+	assert.Check(t, is.Error(err, "cannot decompress request: unexpected EOF"))
 
 	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=NotValidBase64", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	assert.EqualError(t, err, "cannot decode request: illegal base64 data at input byte 12")
+	assert.Check(t, is.Error(err, "cannot decode request: illegal base64 data at input byte 12"))
 
 	r, _ = http.NewRequest("GET", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=bm90IGZsYXRlIGVuY29kZWQ%3D", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	assert.EqualError(t, err, "cannot decompress request: flate: corrupt input before offset 1")
+	assert.Check(t, is.Error(err, "cannot decompress request: flate: corrupt input before offset 1"))
 
 	r, _ = http.NewRequest("FROBNICATE", "https://idp.example.com/saml/sso?RelayState=ThisIsTheRelayState&SAMLRequest=lJJBayoxFIX%2FypC9JhnU5wszAz7lgWCLaNtFd5fMbQ1MkmnunVb%2FfUfbUqEgdhs%2BTr5zkmLW8S5s8KVD4mzvm0Cl6FIwEciRCeCRDFuznd2sTD5Upk2Ro42NyGZEmNjFMI%2BBOo9pi%2BnVWbzfrEqxY27JSEntEPfg2waHNnpJ4JtcgiWRLfoLXYBjwDfu6p%2B8JIoiWy5K4eqBUipXIzVRUwXKKtRK53qkJ3qqQVuNPUjU4TIQQ%2BBS5EqPBzofKH2ntBn%2FMervo8jWnyX%2BuVC78FwKkT1gopNKX1JUxSklXTMIfM0gsv8xeeDL%2BPGk7%2FF0Qg0GdnwQ1cW5PDLUwFDID6uquO1Dlot1bJw9%2FPLRmia%2BzRMCYyk4dSiq6205QSDXOxfy3KAq5Pkvqt4DAAD%2F%2Fw%3D%3D", nil)
 	_, err = NewIdpAuthnRequest(&test.IDP, r)
-	assert.EqualError(t, err, "method not allowed")
+	assert.Check(t, is.Error(err, "method not allowed"))
 }
 
 func TestIDPCanValidate(t *testing.T) {
@@ -391,17 +387,19 @@ func TestIDPCanValidate(t *testing.T) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	assert.NoError(t, req.Validate())
-	assert.NotNil(t, req.Request)
-	assert.NotNil(t, req.ServiceProviderMetadata)
-	assert.Equal(t, &IndexedEndpoint{Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", Location: "https://sp.example.com/saml2/acs", Index: 1}, req.ACSEndpoint)
+	assert.Check(t, req.Validate())
+	assert.Check(t, req.ServiceProviderMetadata != nil)
+	assert.Check(t, is.DeepEqual(&IndexedEndpoint{
+		Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", Location: "https://sp.example.com/saml2/acs",
+		Index: 1,
+	}, req.ACSEndpoint))
 
 	req = IdpAuthnRequest{
 		Now:           TimeNow(),
 		IDP:           &test.IDP,
 		RequestBuffer: []byte("<AuthnRequest"),
 	}
-	assert.EqualError(t, req.Validate(), "XML syntax error on line 1: unexpected EOF")
+	assert.Check(t, is.Error(req.Validate(), "XML syntax error on line 1: unexpected EOF"))
 
 	req = IdpAuthnRequest{
 		Now: TimeNow(),
@@ -419,7 +417,7 @@ func TestIDPCanValidate(t *testing.T) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	assert.EqualError(t, req.Validate(), "expected destination to be \"https://idp.example.com/saml/sso\", not \"https://idp.wrongDestination.com/saml/sso\"")
+	assert.Check(t, is.Error(req.Validate(), "expected destination to be \"https://idp.example.com/saml/sso\", not \"https://idp.wrongDestination.com/saml/sso\""))
 
 	req = IdpAuthnRequest{
 		Now: TimeNow(),
@@ -437,7 +435,7 @@ func TestIDPCanValidate(t *testing.T) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	assert.EqualError(t, req.Validate(), "request expired at 2014-12-01 01:58:39 +0000 UTC")
+	assert.Check(t, is.Error(req.Validate(), "request expired at 2014-12-01 01:58:39 +0000 UTC"))
 
 	req = IdpAuthnRequest{
 		Now: TimeNow(),
@@ -455,7 +453,7 @@ func TestIDPCanValidate(t *testing.T) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	assert.EqualError(t, req.Validate(), "expected SAML request version 2.0 got 4.2")
+	assert.Check(t, is.Error(req.Validate(), "expected SAML request version 2.0 got 4.2"))
 
 	req = IdpAuthnRequest{
 		Now: TimeNow(),
@@ -473,7 +471,7 @@ func TestIDPCanValidate(t *testing.T) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	assert.EqualError(t, req.Validate(), "cannot handle request from unknown service provider https://unknownSP.example.com/saml2/metadata")
+	assert.Check(t, is.Error(req.Validate(), "cannot handle request from unknown service provider https://unknownSP.example.com/saml2/metadata"))
 
 	req = IdpAuthnRequest{
 		Now: TimeNow(),
@@ -491,7 +489,7 @@ func TestIDPCanValidate(t *testing.T) {
 			"    AllowCreate=\"true\">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDPolicy>" +
 			"</AuthnRequest>"),
 	}
-	assert.EqualError(t, req.Validate(), "cannot find assertion consumer service: file does not exist")
+	assert.Check(t, is.Error(req.Validate(), "cannot find assertion consumer service: file does not exist"))
 
 }
 
@@ -514,13 +512,13 @@ func TestIDPMakeAssertion(t *testing.T) {
 			"</AuthnRequest>"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
-	assert.NoError(t, req.Validate())
+	assert.Check(t, req.Validate())
 
 	err := DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	expected := &Assertion{
 		ID:           "id-00020406080a0c0e10121416181a1c1e20222426",
@@ -582,7 +580,7 @@ func TestIDPMakeAssertion(t *testing.T) {
 			},
 		},
 	}
-	assert.Equal(t, expected, req.Assertion)
+	assert.Check(t, is.DeepEqual(expected, req.Assertion))
 
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:             "f00df00df00d",
@@ -597,7 +595,7 @@ func TestIDPMakeAssertion(t *testing.T) {
 		UserSurname:    "Smith",
 		UserGivenName:  "Alice",
 	})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	expectedAttributes :=
 		[]Attribute{
@@ -676,7 +674,7 @@ func TestIDPMakeAssertion(t *testing.T) {
 				},
 			},
 		}
-	assert.Equal(t, expectedAttributes, req.Assertion.AttributeStatements[0].Attributes)
+	assert.Check(t, is.DeepEqual(expectedAttributes, req.Assertion.AttributeStatements[0].Attributes))
 }
 
 func TestIDPMarshalAssertion(t *testing.T) {
@@ -699,14 +697,14 @@ func TestIDPMarshalAssertion(t *testing.T) {
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err := req.Validate()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	// Compare the plaintext first
 	expectedPlaintext := "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"id-00020406080a0c0e10121416181a1c1e20222426\" IssueInstant=\"2015-12-01T01:57:09Z\" Version=\"2.0\"><saml:Issuer Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\">https://idp.example.com/saml/metadata</saml:Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/><ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/><ds:Reference URI=\"#id-00020406080a0c0e10121416181a1c1e20222426\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/><ds:DigestValue>gjE0eLUMVt+kK0rIGYvnzHV/2Ok=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Jm1rrxo2x7SYTnaS97bCdnVLQGeQuCMTjiSUvwzBkWFR+xcPr+n38dXmv0q0R68tO7L2ELhLtBdLm/dWsxruN23TMGVQyHIPMgJExdnYb7fwqx6es/NAdbDUBTbSdMX0vhIlTsHu5F0bJ0Tg0iAo9uRk9VeBdkaxtPa7+4yl1PQ=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" NameQualifier=\"https://idp.example.com/saml/metadata\" SPNameQualifier=\"https://sp.example.com/saml2/metadata\"/><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><saml:SubjectConfirmationData InResponseTo=\"id-00020406080a0c0e10121416181a1c1e\" NotOnOrAfter=\"2015-12-01T01:58:39Z\" Recipient=\"https://sp.example.com/saml2/acs\"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=\"2015-12-01T01:57:09Z\" NotOnOrAfter=\"2015-12-01T01:58:39Z\"><saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml2/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant=\"0001-01-01T00:00:00Z\"><saml:SubjectLocality/><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName=\"uid\" Name=\"urn:oid:0.9.2342.19200300.100.1.1\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\"><saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"
@@ -716,70 +714,70 @@ func TestIDPMarshalAssertion(t *testing.T) {
 		doc.SetRoot(req.AssertionEl)
 		el := doc.FindElement("//EncryptedAssertion/EncryptedData")
 		actualPlaintextBuf, err := xmlenc.Decrypt(test.SPKey, el)
-		assert.NoError(t, err)
+		assert.Check(t, err)
 		actualPlaintext = string(actualPlaintextBuf)
 	}
-	assert.Equal(t, expectedPlaintext, actualPlaintext)
+	assert.Check(t, is.Equal(expectedPlaintext, actualPlaintext))
 
 	doc := etree.NewDocument()
 	doc.SetRoot(req.AssertionEl)
 	assertionBuffer, err := doc.WriteToBytes()
-	assert.NoError(t, err)
-	golden.Assert(t, string(assertionBuffer), t.Name() + "_encrypted_assertion")
+	assert.Check(t, err)
+	golden.Assert(t, string(assertionBuffer), t.Name()+"_encrypted_assertion")
 }
 
 func TestIDPMakeResponse(t *testing.T) {
 	test := NewIdentifyProviderTest(t)
 	req := IdpAuthnRequest{
-		Now: TimeNow(),
-		IDP: &test.IDP,
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
 		RequestBuffer: golden.Get(t, "TestIDPMakeResponse_request_buffer"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err := req.Validate()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req.AssertionEl = etree.NewElement("this-is-an-encrypted-assertion")
 	err = req.MakeResponse()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	response := Response{}
 	err = unmarshalEtreeHack(req.ResponseEl, &response)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	doc := etree.NewDocument()
 	doc.SetRoot(req.ResponseEl)
 	doc.Indent(2)
 	responseStr, err := doc.WriteToString()
-	assert.NoError(t, err)
-	golden.Assert(t, responseStr, t.Name() + "_response.xml")
+	assert.Check(t, err)
+	golden.Assert(t, responseStr, t.Name()+"_response.xml")
 }
 
 func TestIDPWriteResponse(t *testing.T) {
 	test := NewIdentifyProviderTest(t)
 	req := IdpAuthnRequest{
-		Now:        TimeNow(),
-		IDP:        &test.IDP,
-		RelayState: "THIS_IS_THE_RELAY_STATE",
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
+		RelayState:    "THIS_IS_THE_RELAY_STATE",
 		RequestBuffer: golden.Get(t, "TestIDPWriteResponse_RequestBuffer.xml"),
-		ResponseEl: etree.NewElement("THIS_IS_THE_SAML_RESPONSE"),
+		ResponseEl:    etree.NewElement("THIS_IS_THE_SAML_RESPONSE"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err := req.Validate()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	w := httptest.NewRecorder()
 	err = req.WriteResponse(w)
-	assert.NoError(t, err)
-	assert.Equal(t, 200, w.Code)
-	golden.Assert(t, w.Body.String(),t.Name() + "response.html")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"response.html")
 }
 
 func TestIDPIDPInitiatedNewSession(t *testing.T) {
@@ -794,8 +792,8 @@ func TestIDPIDPInitiatedNewSession(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/sp/whoami", nil)
 	test.IDP.ServeIDPInitiated(w, r, test.SP.MetadataURL.String(), "ThisIsTheRelayState")
-	assert.Equal(t, 200, w.Code)
-	assert.Equal(t, "RelayState: ThisIsTheRelayState", string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(200, w.Code))
+	assert.Check(t, is.Equal("RelayState: ThisIsTheRelayState", string(w.Body.Bytes())))
 }
 
 func TestIDPIDPInitiatedExistingSession(t *testing.T) {
@@ -812,8 +810,8 @@ func TestIDPIDPInitiatedExistingSession(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/sp/whoami", nil)
 	test.IDP.ServeIDPInitiated(w, r, test.SP.MetadataURL.String(), "ThisIsTheRelayState")
-	assert.Equal(t, 200, w.Code)
-	golden.Assert(t, w.Body.String(), t.Name() + "_response")
+	assert.Check(t, is.Equal(200, w.Code))
+	golden.Assert(t, w.Body.String(), t.Name()+"_response")
 }
 
 func TestIDPIDPInitiatedBadServiceProvider(t *testing.T) {
@@ -830,7 +828,7 @@ func TestIDPIDPInitiatedBadServiceProvider(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/sp/whoami", nil)
 	test.IDP.ServeIDPInitiated(w, r, "https://wrong.url/metadata", "ThisIsTheRelayState")
-	assert.Equal(t, http.StatusNotFound, w.Code)
+	assert.Check(t, is.Equal(http.StatusNotFound, w.Code))
 }
 
 func TestIDPCanHandleUnencryptedResponse(t *testing.T) {
@@ -845,7 +843,7 @@ func TestIDPCanHandleUnencryptedResponse(t *testing.T) {
 	err := xml.Unmarshal(
 		golden.Get(t, "TestIDPCanHandleUnencryptedResponse_idp_metadata.xml"),
 		&metadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	test.IDP.ServiceProviderProvider = &mockServiceProviderProvider{
 		GetServiceProviderFunc: func(r *http.Request, serviceProviderID string) (*EntityDescriptor, error) {
 			if serviceProviderID == "https://gitlab.example.com/users/saml/metadata" {
@@ -856,46 +854,46 @@ func TestIDPCanHandleUnencryptedResponse(t *testing.T) {
 	}
 
 	req := IdpAuthnRequest{
-		Now: TimeNow(),
-		IDP: &test.IDP,
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
 		RequestBuffer: golden.Get(t, "TestIDPCanHandleUnencryptedResponse_request"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err = req.Validate()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	err = req.MakeResponse()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	doc := etree.NewDocument()
 	doc.SetRoot(req.ResponseEl)
 	doc.Indent(2)
 	responseStr, _ := doc.WriteToString()
-	golden.Assert(t, responseStr, t.Name() + "_response")
+	golden.Assert(t, responseStr, t.Name()+"_response")
 }
 
 func TestIDPRequestedAttributes(t *testing.T) {
 	test := NewIdentifyProviderTest(t)
 	metadata := EntityDescriptor{}
 	err := xml.Unmarshal(golden.Get(t, "TestIDPRequestedAttributes_idp_metadata.xml"), &metadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	requestURL, err := test.SP.MakeRedirectAuthenticationRequest("ThisIsTheRelayState")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	r, _ := http.NewRequest("GET", requestURL.String(), nil)
 	req, err := NewIdpAuthnRequest(&test.IDP, r)
 	req.ServiceProviderMetadata = &metadata
 	req.ACSEndpoint = &metadata.SPSSODescriptors[0].AssertionConsumerServices[0]
 	req.SPSSODescriptor = &metadata.SPSSODescriptors[0]
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(req, &Session{
 		ID:             "f00df00df00d",
 		UserName:       "alice",
@@ -904,7 +902,7 @@ func TestIDPRequestedAttributes(t *testing.T) {
 		UserSurname:    "Smith",
 		UserCommonName: "Alice Smith",
 	})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	expectedAttributes := []AttributeStatement{{
 		Attributes: []Attribute{
@@ -1008,7 +1006,7 @@ func TestIDPRequestedAttributes(t *testing.T) {
 				},
 			},
 		}}}
-	assert.Equal(t, expectedAttributes, req.Assertion.AttributeStatements)
+	assert.Check(t, is.DeepEqual(expectedAttributes, req.Assertion.AttributeStatements))
 }
 
 func TestIDPNoDestination(t *testing.T) {
@@ -1021,7 +1019,7 @@ func TestIDPNoDestination(t *testing.T) {
 
 	metadata := EntityDescriptor{}
 	err := xml.Unmarshal(golden.Get(t, "TestIDPNoDestination_idp_metadata.xml"), &metadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	test.IDP.ServiceProviderProvider = &mockServiceProviderProvider{
 		GetServiceProviderFunc: func(r *http.Request, serviceProviderID string) (*EntityDescriptor, error) {
 			if serviceProviderID == "https://gitlab.example.com/users/saml/metadata" {
@@ -1032,21 +1030,21 @@ func TestIDPNoDestination(t *testing.T) {
 	}
 
 	req := IdpAuthnRequest{
-		Now: TimeNow(),
-		IDP: &test.IDP,
+		Now:           TimeNow(),
+		IDP:           &test.IDP,
 		RequestBuffer: golden.Get(t, "TestIDPNoDestination_request"),
 	}
 	req.HTTPRequest, _ = http.NewRequest("POST", "http://idp.example.com/saml/sso", nil)
 	err = req.Validate()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = DefaultAssertionMaker{}.MakeAssertion(&req, &Session{
 		ID:       "f00df00df00d",
 		UserName: "alice",
 	})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	err = req.MakeAssertionEl()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	err = req.MakeResponse()
-	assert.NoError(t, err)
+	assert.Check(t, err)
 }
diff --git a/metadata_test.go b/metadata_test.go
index 6880fa53..8ac1091b 100644
--- a/metadata_test.go
+++ b/metadata_test.go
@@ -2,11 +2,12 @@ package saml
 
 import (
 	"encoding/xml"
-	"gotest.tools/golden"
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 )
 
 func TestCanParseMetadata(t *testing.T) {
@@ -14,7 +15,7 @@ func TestCanParseMetadata(t *testing.T) {
 
 	metadata := EntityDescriptor{}
 	err := xml.Unmarshal(buf, &metadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	var False = false
 	var True = true
@@ -82,7 +83,7 @@ func TestCanParseMetadata(t *testing.T) {
 			},
 		},
 	}
-	assert.Equal(t, expected, metadata)
+	assert.Check(t, is.DeepEqual(expected, metadata))
 
 }
 
@@ -149,6 +150,6 @@ cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==`,
 	}
 
 	buf, err := xml.MarshalIndent(metadata, "", "  ")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	golden.Assert(t, string(buf), "TestCanProduceSPMetadata_expected")
 }
diff --git a/samlidp/samlidp_test.go b/samlidp/samlidp_test.go
index 593932c8..b1e3db95 100644
--- a/samlidp/samlidp_test.go
+++ b/samlidp/samlidp_test.go
@@ -5,7 +5,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"gotest.tools/golden"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -13,8 +12,11 @@ import (
 	"testing"
 	"time"
 
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+
 	"github.com/dgrijalva/jwt-go"
-	"github.com/stretchr/testify/assert"
 
 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/logger"
@@ -120,8 +122,8 @@ func TestHTTPCanHandleMetadataRequest(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/metadata", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.True(t,
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t,
 		strings.HasPrefix(string(w.Body.Bytes()), "<EntityDescriptor"),
 		string(w.Body.Bytes()))
 	golden.Assert(t, w.Body.String(), "http_metadata_response.html")
@@ -130,13 +132,13 @@ func TestHTTPCanHandleMetadataRequest(t *testing.T) {
 func TestHTTPCanSSORequest(t *testing.T) {
 	test := NewServerTest(t)
 	u, err := test.SP.MakeRedirectAuthenticationRequest("frob")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", u.String(), nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.True(t,
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t,
 		strings.HasPrefix(string(w.Body.Bytes()), "<html><p></p><form method=\"post\" action=\"https://idp.example.com/sso\">"),
 		string(w.Body.Bytes()))
 	golden.Assert(t, w.Body.String(), "http_sso_response.html")
diff --git a/samlidp/service_test.go b/samlidp/service_test.go
index e0f7bdce..cb2628e6 100644
--- a/samlidp/service_test.go
+++ b/samlidp/service_test.go
@@ -2,12 +2,13 @@ package samlidp
 
 import (
 	"bytes"
-	"gotest.tools/golden"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
 )
 
 func TestServicesCrud(t *testing.T) {
@@ -16,38 +17,38 @@ func TestServicesCrud(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/services/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "{\"services\":[]}\n", string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"services\":[]}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/services/sp",
 		bytes.NewReader(golden.Get(t, "sp_metadata.xml")))
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/services/sp", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, w.Body.String(), string(golden.Get(t, "sp_metadata.xml")))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal(w.Body.String(), string(golden.Get(t, "sp_metadata.xml"))))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/services/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "{\"services\":[\"sp\"]}\n", string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"services\":[\"sp\"]}\n", string(w.Body.Bytes())))
 
-	assert.Len(t, test.Server.serviceProviders, 2)
+	assert.Check(t, is.Len(test.Server.serviceProviders, 2))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/services/sp", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/services/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "{\"services\":[]}\n", string(w.Body.Bytes()))
-	assert.Len(t, test.Server.serviceProviders, 1)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"services\":[]}\n", string(w.Body.Bytes())))
+	assert.Check(t, is.Len(test.Server.serviceProviders, 1))
 }
diff --git a/samlidp/session_test.go b/samlidp/session_test.go
index ff71a597..d24684f3 100644
--- a/samlidp/session_test.go
+++ b/samlidp/session_test.go
@@ -6,7 +6,8 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestSessionsCrud(t *testing.T) {
@@ -14,58 +15,52 @@ func TestSessionsCrud(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/sessions/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"sessions\":[]}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"sessions\":[]}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/users/alice",
 		strings.NewReader(`{"name": "alice", "password": "hunter2"}`+"\n"))
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("POST", "https://idp.example.com/login",
 		strings.NewReader("user=alice&password=hunter2"))
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=; Path=/; Max-Age=3600; HttpOnly; Secure",
-		w.Header().Get("Set-Cookie"))
-	assert.Equal(t,
-		"{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=; Path=/; Max-Age=3600; HttpOnly; Secure",
+		w.Header().Get("Set-Cookie")))
+	assert.Check(t, is.Equal("{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/login", nil)
 	r.Header.Set("Cookie", "session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=")
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/sessions/AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"ID\":\"AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=\",\"CreateTime\":\"2015-12-01T01:57:09Z\",\"ExpireTime\":\"2015-12-01T02:57:09Z\",\"Index\":\"40424446484a4c4e50525456585a5c5e60626466686a6c6e70727476787a7c7e\",\"NameID\":\"\",\"Groups\":null,\"UserName\":\"alice\",\"UserEmail\":\"\",\"UserCommonName\":\"\",\"UserSurname\":\"\",\"UserGivenName\":\"\",\"UserScopedAffiliation\":\"\",\"CustomAttributes\":null}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/sessions/AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/sessions/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"sessions\":[]}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"sessions\":[]}\n",
+		string(w.Body.Bytes())))
 
 }
diff --git a/samlidp/shortcut_test.go b/samlidp/shortcut_test.go
index 09743a45..7a15f148 100644
--- a/samlidp/shortcut_test.go
+++ b/samlidp/shortcut_test.go
@@ -6,7 +6,8 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestShortcutsCrud(t *testing.T) {
@@ -14,45 +15,41 @@ func TestShortcutsCrud(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/shortcuts/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"shortcuts\":[]}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"shortcuts\":[]}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/shortcuts/bob",
 		strings.NewReader("{\"url_suffix_as_relay_state\": true, \"service_provider\": \"https://example.com/saml2/metadata\"}"))
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/shortcuts/bob", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"name\":\"bob\",\"service_provider\":\"https://example.com/saml2/metadata\",\"url_suffix_as_relay_state\":true}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"name\":\"bob\",\"service_provider\":\"https://example.com/saml2/metadata\",\"url_suffix_as_relay_state\":true}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/shortcuts/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"shortcuts\":[\"bob\"]}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"shortcuts\":[\"bob\"]}\n",
+		string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/shortcuts/bob", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/shortcuts/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t,
-		"{\"shortcuts\":[]}\n",
-		string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"shortcuts\":[]}\n",
+		string(w.Body.Bytes())))
 }
 
 func TestShortcut(t *testing.T) {
@@ -61,32 +58,32 @@ func TestShortcut(t *testing.T) {
 	r, _ := http.NewRequest("PUT", "https://idp.example.com/shortcuts/bob",
 		strings.NewReader("{\"url_suffix_as_relay_state\": true, \"service_provider\": \"https://sp.example.com/saml2/metadata\"}"))
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/users/alice",
 		strings.NewReader(`{"name": "alice", "password": "hunter2"}`+"\n"))
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("POST", "https://idp.example.com/login",
 		strings.NewReader("user=alice&password=hunter2"))
 	r.Header.Set("Content-type", "application/x-www-form-urlencoded")
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/login/bob/whoami", nil)
 	r.Header.Set("Cookie", "session=AAIEBggKDA4QEhQWGBocHiAiJCYoKiwuMDI0Njg6PD4=")
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
 	body := string(w.Body.Bytes())
 
-	assert.True(t, strings.Contains(body,
+	assert.Check(t, strings.Contains(body,
 		"<input type=\"hidden\" name=\"RelayState\" value=\"/whoami\" />"),
 		body)
-	assert.True(t, strings.Contains(body,
+	assert.Check(t, strings.Contains(body,
 		"<script>document.getElementById('SAMLResponseForm').submit();</script>"),
 		body)
 }
diff --git a/samlidp/user_test.go b/samlidp/user_test.go
index 5104eef8..ecac3459 100644
--- a/samlidp/user_test.go
+++ b/samlidp/user_test.go
@@ -6,7 +6,8 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestUsersCrud(t *testing.T) {
@@ -14,35 +15,35 @@ func TestUsersCrud(t *testing.T) {
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest("GET", "https://idp.example.com/users/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "{\"users\":[]}\n", string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"users\":[]}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("PUT", "https://idp.example.com/users/alice",
 		strings.NewReader(`{"name": "alice", "password": "hunter2"}`+"\n"))
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/users/alice", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "{\"name\":\"alice\"}\n", string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"name\":\"alice\"}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/users/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "{\"users\":[\"alice\"]}\n", string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"users\":[\"alice\"]}\n", string(w.Body.Bytes())))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("DELETE", "https://idp.example.com/users/alice", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusNoContent, w.Code)
+	assert.Check(t, is.Equal(http.StatusNoContent, w.Code))
 
 	w = httptest.NewRecorder()
 	r, _ = http.NewRequest("GET", "https://idp.example.com/users/", nil)
 	test.Server.ServeHTTP(w, r)
-	assert.Equal(t, http.StatusOK, w.Code)
-	assert.Equal(t, "{\"users\":[]}\n", string(w.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t, is.Equal("{\"users\":[]}\n", string(w.Body.Bytes())))
 }
diff --git a/samlidp/util_test.go b/samlidp/util_test.go
index 4590c0d1..4bc25a8a 100644
--- a/samlidp/util_test.go
+++ b/samlidp/util_test.go
@@ -4,7 +4,8 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestGetSPMetadata(t *testing.T) {
@@ -12,11 +13,11 @@ func TestGetSPMetadata(t *testing.T) {
 		"<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2013-03-10T00:32:19.104Z\" cacheDuration=\"PT1H\" entityID=\"http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/\">\n" +
 		"</EntityDescriptor>"
 	_, err := getSPMetadata(strings.NewReader(good))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	bad := "" +
 		"<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" ::attr=\"foo\" validUntil=\"2013-03-10T00:32:19.104Z\" cacheDuration=\"PT1H\" entityID=\"http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/\">\n" +
 		"</EntityDescriptor>"
 	_, err = getSPMetadata(strings.NewReader(bad))
-	assert.EqualError(t, err, "validator: in token starting at 1:1: roundtrip error: expected {{ EntityDescriptor} [{{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{ :attr} foo} {{ validUntil} 2013-03-10T00:32:19.104Z} {{ cacheDuration} PT1H} {{ entityID} http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/}]}, observed {{ EntityDescriptor} [{{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{ attr} foo} {{ validUntil} 2013-03-10T00:32:19.104Z} {{ cacheDuration} PT1H} {{ entityID} http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/}]}")
+	assert.Check(t, is.Error(err, "validator: in token starting at 1:1: roundtrip error: expected {{ EntityDescriptor} [{{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{ :attr} foo} {{ validUntil} 2013-03-10T00:32:19.104Z} {{ cacheDuration} PT1H} {{ entityID} http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/}]}, observed {{ EntityDescriptor} [{{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{ attr} foo} {{ validUntil} 2013-03-10T00:32:19.104Z} {{ cacheDuration} PT1H} {{ entityID} http://localhost:5000/e087a985171710fb9fb30f30f41384f9/saml2/metadata/}]}"))
 }
diff --git a/samlsp/fetch_metadata_test.go b/samlsp/fetch_metadata_test.go
index eb8e25cf..eb642b12 100644
--- a/samlsp/fetch_metadata_test.go
+++ b/samlsp/fetch_metadata_test.go
@@ -9,22 +9,23 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestFetchMetadata(t *testing.T) {
 	test := NewMiddlewareTest(t)
 
 	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, "/metadata", r.URL.String())
+		assert.Check(t, is.Equal("/metadata", r.URL.String()))
 		fmt.Fprint(w, test.IDPMetadata)
 	}))
 
 	fmt.Println(testServer.URL + "/metadata")
 	u, _ := url.Parse(testServer.URL + "/metadata")
 	md, err := FetchMetadata(context.Background(), testServer.Client(), *u)
-	assert.NoError(t, err)
-	assert.Equal(t, "https://idp.testshib.org/idp/shibboleth", md.EntityID)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("https://idp.testshib.org/idp/shibboleth", md.EntityID))
 }
 
 func TestFetchMetadataRejectsInvalid(t *testing.T) {
@@ -32,13 +33,13 @@ func TestFetchMetadataRejectsInvalid(t *testing.T) {
 	test.IDPMetadata = strings.Replace(test.IDPMetadata, "<EntityDescriptor ", "<EntityDescriptor ::foo=\"bar\"", -1)
 
 	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, "/metadata", r.URL.String())
+		assert.Check(t, is.Equal("/metadata", r.URL.String()))
 		fmt.Fprint(w, test.IDPMetadata)
 	}))
 
 	fmt.Println(testServer.URL + "/metadata")
 	u, _ := url.Parse(testServer.URL + "/metadata")
 	md, err := FetchMetadata(context.Background(), testServer.Client(), *u)
-	assert.EqualError(t, err, "validator: in token starting at 2:1: roundtrip error: expected {{ EntityDescriptor} [{{ :foo} bar} {{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{xmlns ds} http://www.w3.org/2000/09/xmldsig#} {{xmlns mdalg} urn:oasis:names:tc:SAML:metadata:algsupport} {{xmlns mdui} urn:oasis:names:tc:SAML:metadata:ui} {{xmlns shibmd} urn:mace:shibboleth:metadata:1.0} {{xmlns xsi} http://www.w3.org/2001/XMLSchema-instance} {{ Name} urn:mace:shibboleth:testshib:two} {{ entityID} https://idp.testshib.org/idp/shibboleth}]}, observed {{ EntityDescriptor} [{{ foo} bar} {{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{xmlns ds} http://www.w3.org/2000/09/xmldsig#} {{xmlns mdalg} urn:oasis:names:tc:SAML:metadata:algsupport} {{xmlns mdui} urn:oasis:names:tc:SAML:metadata:ui} {{xmlns shibmd} urn:mace:shibboleth:metadata:1.0} {{xmlns xsi} http://www.w3.org/2001/XMLSchema-instance} {{ Name} urn:mace:shibboleth:testshib:two} {{ entityID} https://idp.testshib.org/idp/shibboleth} {{ entityID} https://idp.testshib.org/idp/shibboleth}]}")
-	assert.Nil(t, md)
+	assert.Check(t, is.Error(err, "validator: in token starting at 2:1: roundtrip error: expected {{ EntityDescriptor} [{{ :foo} bar} {{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{xmlns ds} http://www.w3.org/2000/09/xmldsig#} {{xmlns mdalg} urn:oasis:names:tc:SAML:metadata:algsupport} {{xmlns mdui} urn:oasis:names:tc:SAML:metadata:ui} {{xmlns shibmd} urn:mace:shibboleth:metadata:1.0} {{xmlns xsi} http://www.w3.org/2001/XMLSchema-instance} {{ Name} urn:mace:shibboleth:testshib:two} {{ entityID} https://idp.testshib.org/idp/shibboleth}]}, observed {{ EntityDescriptor} [{{ foo} bar} {{ xmlns} urn:oasis:names:tc:SAML:2.0:metadata} {{xmlns ds} http://www.w3.org/2000/09/xmldsig#} {{xmlns mdalg} urn:oasis:names:tc:SAML:metadata:algsupport} {{xmlns mdui} urn:oasis:names:tc:SAML:metadata:ui} {{xmlns shibmd} urn:mace:shibboleth:metadata:1.0} {{xmlns xsi} http://www.w3.org/2001/XMLSchema-instance} {{ Name} urn:mace:shibboleth:testshib:two} {{ entityID} https://idp.testshib.org/idp/shibboleth} {{ entityID} https://idp.testshib.org/idp/shibboleth}]}"))
+	assert.Check(t, is.Nil(md))
 }
diff --git a/samlsp/middleware_test.go b/samlsp/middleware_test.go
index 9b882040..a34314ab 100644
--- a/samlsp/middleware_test.go
+++ b/samlsp/middleware_test.go
@@ -19,7 +19,8 @@ import (
 
 	"github.com/dgrijalva/jwt-go"
 	dsig "github.com/russellhaering/goxmldsig"
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 	"gotest.tools/golden"
 
 	"github.com/crewjam/saml"
@@ -127,12 +128,11 @@ func TestMiddlewareCanProduceMetadata(t *testing.T) {
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	assert.Equal(t, http.StatusOK, resp.Code)
-	assert.Equal(t,
-		"application/samlmetadata+xml",
-		resp.Header().Get("Content-type"))
-	assert.Equal(t, string(golden.Get(t, "expected_middleware_metadata.xml")),
-		resp.Body.String())
+	assert.Check(t, is.Equal(http.StatusOK, resp.Code))
+	assert.Check(t, is.Equal("application/samlmetadata+xml",
+		resp.Header().Get("Content-type")))
+	assert.Check(t, is.Equal(string(golden.Get(t, "expected_middleware_metadata.xml")),
+		resp.Body.String()))
 }
 
 func TestMiddlewareFourOhFour(t *testing.T) {
@@ -141,9 +141,9 @@ func TestMiddlewareFourOhFour(t *testing.T) {
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	assert.Equal(t, http.StatusNotFound, resp.Code)
+	assert.Check(t, is.Equal(http.StatusNotFound, resp.Code))
 	respBuf, _ := ioutil.ReadAll(resp.Body)
-	assert.Equal(t, "404 page not found\n", string(respBuf))
+	assert.Check(t, is.Equal("404 page not found\n", string(respBuf)))
 }
 
 func TestMiddlewareRequireAccountNoCreds(t *testing.T) {
@@ -159,19 +159,17 @@ func TestMiddlewareRequireAccountNoCreds(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusFound, resp.Code)
-	assert.Equal(t,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
-			test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly",
-		resp.Header().Get("Set-Cookie"))
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+
+		test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly",
+		resp.Header().Get("Set-Cookie")))
 
 	redirectURL, err := url.Parse(resp.Header().Get("Location"))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		string(golden.Get(t, "expected_authn_request.xml")),
-		string(decodedRequest))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(golden.Get(t, "expected_authn_request.xml")),
+		string(decodedRequest)))
 }
 
 func TestMiddlewareRequireAccountNoCredsSecure(t *testing.T) {
@@ -186,25 +184,23 @@ func TestMiddlewareRequireAccountNoCredsSecure(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusFound, resp.Code)
-	assert.Equal(t,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
-		resp.Header().Get("Set-Cookie"))
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
 
 	redirectURL, err := url.Parse(resp.Header().Get("Location"))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		string(golden.Get(t, "expected_authn_request_secure.xml")),
-		string(decodedRequest))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(golden.Get(t, "expected_authn_request_secure.xml")),
+		string(decodedRequest)))
 }
 
 func TestMiddlewareRequireAccountNoCredsPostBinding(t *testing.T) {
 	test := NewMiddlewareTest(t)
 	test.Middleware.ServiceProvider.IDPMetadata.IDPSSODescriptors[0].SingleSignOnServices = test.Middleware.ServiceProvider.IDPMetadata.IDPSSODescriptors[0].SingleSignOnServices[1:2]
-	assert.Equal(t, "",
-		test.Middleware.ServiceProvider.GetSSOBindingLocation(saml.HTTPRedirectBinding))
+	assert.Check(t, is.Equal("",
+		test.Middleware.ServiceProvider.GetSSOBindingLocation(saml.HTTPRedirectBinding)))
 
 	handler := test.Middleware.RequireAccount(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -215,22 +211,20 @@ func TestMiddlewareRequireAccountNoCredsPostBinding(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusOK, resp.Code)
-	assert.Equal(t,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
-		resp.Header().Get("Set-Cookie"))
-	assert.Equal(t, string(golden.Get(t, "expected_post_binding_response.html")),
-		string(resp.Body.Bytes()))
+	assert.Check(t, is.Equal(http.StatusOK, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
+	assert.Check(t, is.Equal(string(golden.Get(t, "expected_post_binding_response.html")),
+		string(resp.Body.Bytes())))
 
 	// check that the CSP script hash is set correctly
 	scriptContent := "document.getElementById('SAMLSubmitButton').style.visibility=\"hidden\";document.getElementById('SAMLRequestForm').submit();"
 	scriptSum := sha256.Sum256([]byte(scriptContent))
 	scriptHash := base64.StdEncoding.EncodeToString(scriptSum[:])
-	assert.Equal(t,
-		"default-src; script-src 'sha256-"+scriptHash+"'; reflected-xss block; referrer no-referrer;",
-		resp.Header().Get("Content-Security-Policy"))
+	assert.Check(t, is.Equal("default-src; script-src 'sha256-"+scriptHash+"'; reflected-xss block; referrer no-referrer;",
+		resp.Header().Get("Content-Security-Policy")))
 
-	assert.Equal(t, "text/html", resp.Header().Get("Content-type"))
+	assert.Check(t, is.Equal("text/html", resp.Header().Get("Content-type")))
 }
 
 func TestMiddlewareRequireAccountCreds(t *testing.T) {
@@ -239,16 +233,16 @@ func TestMiddlewareRequireAccountCreds(t *testing.T) {
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			genericSession := SessionFromContext(r.Context())
 			jwtSession := genericSession.(JWTSessionClaims)
-			assert.Equal(t, "555-5555", jwtSession.Attributes.Get("telephoneNumber"))
-			assert.Equal(t, "And I", jwtSession.Attributes.Get("sn"))
-			assert.Equal(t, "urn:mace:dir:entitlement:common-lib-terms", jwtSession.Attributes.Get("eduPersonEntitlement"))
-			assert.Equal(t, "", jwtSession.Attributes.Get("eduPersonTargetedID"))
-			assert.Equal(t, "Me Myself", jwtSession.Attributes.Get("givenName"))
-			assert.Equal(t, "Me Myself And I", jwtSession.Attributes.Get("cn"))
-			assert.Equal(t, "myself", jwtSession.Attributes.Get("uid"))
-			assert.Equal(t, "myself@testshib.org", jwtSession.Attributes.Get("eduPersonPrincipalName"))
-			assert.Equal(t, []string{"Member@testshib.org", "Staff@testshib.org"}, jwtSession.Attributes["eduPersonScopedAffiliation"])
-			assert.Equal(t, []string{"Member", "Staff"}, jwtSession.Attributes["eduPersonAffiliation"])
+			assert.Check(t, is.Equal("555-5555", jwtSession.Attributes.Get("telephoneNumber")))
+			assert.Check(t, is.Equal("And I", jwtSession.Attributes.Get("sn")))
+			assert.Check(t, is.Equal("urn:mace:dir:entitlement:common-lib-terms", jwtSession.Attributes.Get("eduPersonEntitlement")))
+			assert.Check(t, is.Equal("", jwtSession.Attributes.Get("eduPersonTargetedID")))
+			assert.Check(t, is.Equal("Me Myself", jwtSession.Attributes.Get("givenName")))
+			assert.Check(t, is.Equal("Me Myself And I", jwtSession.Attributes.Get("cn")))
+			assert.Check(t, is.Equal("myself", jwtSession.Attributes.Get("uid")))
+			assert.Check(t, is.Equal("myself@testshib.org", jwtSession.Attributes.Get("eduPersonPrincipalName")))
+			assert.Check(t, is.DeepEqual([]string{"Member@testshib.org", "Staff@testshib.org"}, jwtSession.Attributes["eduPersonScopedAffiliation"]))
+			assert.Check(t, is.DeepEqual([]string{"Member", "Staff"}, jwtSession.Attributes["eduPersonAffiliation"]))
 			w.WriteHeader(http.StatusTeapot)
 		}))
 
@@ -259,7 +253,7 @@ func TestMiddlewareRequireAccountCreds(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusTeapot, resp.Code)
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
 }
 
 func TestMiddlewareRequireAccountBadCreds(t *testing.T) {
@@ -276,19 +270,17 @@ func TestMiddlewareRequireAccountBadCreds(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusFound, resp.Code)
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
 
-	assert.Equal(t,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
-		resp.Header().Get("Set-Cookie"))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
 
 	redirectURL, err := url.Parse(resp.Header().Get("Location"))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		string(golden.Get(t, "expected_authn_request_secure.xml")),
-		string(decodedRequest))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(golden.Get(t, "expected_authn_request_secure.xml")),
+		string(decodedRequest)))
 }
 
 func TestMiddlewareRequireAccountExpiredCreds(t *testing.T) {
@@ -310,18 +302,16 @@ func TestMiddlewareRequireAccountExpiredCreds(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusFound, resp.Code)
-	assert.Equal(t,
-		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
-		resp.Header().Get("Set-Cookie"))
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
+	assert.Check(t, is.Equal("saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6="+test.makeTrackedRequest("id-00020406080a0c0e10121416181a1c1e20222426")+"; Path=/saml2/acs; Max-Age=90; HttpOnly; Secure",
+		resp.Header().Get("Set-Cookie")))
 
 	redirectURL, err := url.Parse(resp.Header().Get("Location"))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		string(golden.Get(t, "expected_authn_request_secure.xml")),
-		string(decodedRequest))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(golden.Get(t, "expected_authn_request_secure.xml")),
+		string(decodedRequest)))
 }
 
 func TestMiddlewareRequireAccountPanicOnRequestToACS(t *testing.T) {
@@ -334,9 +324,7 @@ func TestMiddlewareRequireAccountPanicOnRequestToACS(t *testing.T) {
 	req, _ := http.NewRequest("POST", "https://15661444.ngrok.io/saml2/acs", nil)
 	resp := httptest.NewRecorder()
 
-	assert.PanicsWithValue(t,
-		"don't wrap Middleware with RequireAccount",
-		func() { handler.ServeHTTP(resp, req) })
+	assert.Check(t, is.Panics(func() { handler.ServeHTTP(resp, req) }))
 }
 
 func TestMiddlewareRequireAttribute(t *testing.T) {
@@ -354,7 +342,7 @@ func TestMiddlewareRequireAttribute(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusTeapot, resp.Code)
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
 }
 
 func TestMiddlewareRequireAttributeWrongValue(t *testing.T) {
@@ -372,7 +360,7 @@ func TestMiddlewareRequireAttributeWrongValue(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusForbidden, resp.Code)
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
 }
 
 func TestMiddlewareRequireAttributeNotPresent(t *testing.T) {
@@ -390,7 +378,7 @@ func TestMiddlewareRequireAttributeNotPresent(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusForbidden, resp.Code)
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
 }
 
 func TestMiddlewareRequireAttributeMissingAccount(t *testing.T) {
@@ -407,7 +395,7 @@ func TestMiddlewareRequireAttributeMissingAccount(t *testing.T) {
 	resp := httptest.NewRecorder()
 	handler.ServeHTTP(resp, req)
 
-	assert.Equal(t, http.StatusForbidden, resp.Code)
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
 }
 
 func TestMiddlewareCanParseResponse(t *testing.T) {
@@ -422,14 +410,14 @@ func TestMiddlewareCanParseResponse(t *testing.T) {
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	assert.Equal(t, http.StatusFound, resp.Code)
+	assert.Check(t, is.Equal(http.StatusFound, resp.Code))
 
-	assert.Equal(t, "/frob", resp.Header().Get("Location"))
-	assert.Equal(t, []string{
+	assert.Check(t, is.Equal("/frob", resp.Header().Get("Location")))
+	assert.Check(t, is.DeepEqual([]string{
 		"saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT",
 		"ttt=" + test.expectedSessionCookie + "; " +
 			"Path=/; Domain=15661444.ngrok.io; Max-Age=7200; HttpOnly; Secure"},
-		resp.Header()["Set-Cookie"])
+		resp.Header()["Set-Cookie"]))
 }
 
 func TestMiddlewareDefaultCookieDomainIPv4(t *testing.T) {
@@ -445,7 +433,7 @@ func TestMiddlewareDefaultCookieDomainIPv4(t *testing.T) {
 	resp := httptest.NewRecorder()
 	sp.CreateSession(resp, req, &saml.Assertion{})
 
-	assert.True(t,
+	assert.Check(t,
 		strings.Contains(resp.Header().Get("Set-Cookie"), "Domain=127.0.0.1;"),
 		"Cookie domain must not contain a port or the cookie cannot be set properly: %v", resp.Header().Get("Set-Cookie"))
 }
@@ -464,7 +452,7 @@ func TestMiddlewareDefaultCookieDomainIPv6(t *testing.T) {
 	resp := httptest.NewRecorder()
 	sp.CreateSession(resp, req, &saml.Assertion{})
 
-	assert.True(t,
+	assert.Check(t,
 		strings.Contains(resp.Header().Get("Set-Cookie"), "Domain=::1;"),
 		"Cookie domain must not contain a port or the cookie cannot be set properly: %v", resp.Header().Get("Set-Cookie"))
 }
@@ -473,7 +461,7 @@ func TestMiddlewareRejectsInvalidRelayState(t *testing.T) {
 	test := NewMiddlewareTest(t)
 
 	test.Middleware.OnError = func(w http.ResponseWriter, r *http.Request, err error) {
-		assert.EqualError(t, err, http.ErrNoCookie.Error())
+		assert.Check(t, is.Error(err, http.ErrNoCookie.Error()))
 		http.Error(w, "forbidden", http.StatusTeapot)
 	}
 
@@ -487,16 +475,16 @@ func TestMiddlewareRejectsInvalidRelayState(t *testing.T) {
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	assert.Equal(t, http.StatusTeapot, resp.Code)
-	assert.Equal(t, "", resp.Header().Get("Location"))
-	assert.Equal(t, "", resp.Header().Get("Set-Cookie"))
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
+	assert.Check(t, is.Equal("", resp.Header().Get("Location")))
+	assert.Check(t, is.Equal("", resp.Header().Get("Set-Cookie")))
 }
 
 func TestMiddlewareRejectsInvalidCookie(t *testing.T) {
 	test := NewMiddlewareTest(t)
 
 	test.Middleware.OnError = func(w http.ResponseWriter, r *http.Request, err error) {
-		assert.EqualError(t, err, "Authentication failed")
+		assert.Check(t, is.Error(err, "Authentication failed"))
 		http.Error(w, "forbidden", http.StatusTeapot)
 	}
 
@@ -510,9 +498,9 @@ func TestMiddlewareRejectsInvalidCookie(t *testing.T) {
 
 	resp := httptest.NewRecorder()
 	test.Middleware.ServeHTTP(resp, req)
-	assert.Equal(t, http.StatusTeapot, resp.Code)
-	assert.Equal(t, "", resp.Header().Get("Location"))
-	assert.Equal(t, "", resp.Header().Get("Set-Cookie"))
+	assert.Check(t, is.Equal(http.StatusTeapot, resp.Code))
+	assert.Check(t, is.Equal("", resp.Header().Get("Location")))
+	assert.Check(t, is.Equal("", resp.Header().Get("Set-Cookie")))
 }
 
 func TestMiddlewareHandlesInvalidResponse(t *testing.T) {
@@ -532,9 +520,9 @@ func TestMiddlewareHandlesInvalidResponse(t *testing.T) {
 	// note: it is important that when presented with an invalid request,
 	// the ACS handles DOES NOT reveal detailed error information in the
 	// HTTP response.
-	assert.Equal(t, http.StatusForbidden, resp.Code)
+	assert.Check(t, is.Equal(http.StatusForbidden, resp.Code))
 	respBody, _ := ioutil.ReadAll(resp.Body)
-	assert.Equal(t, "Forbidden\n", string(respBody))
-	assert.Equal(t, "", resp.Header().Get("Location"))
-	assert.Equal(t, "", resp.Header().Get("Set-Cookie"))
+	assert.Check(t, is.Equal("Forbidden\n", string(respBody)))
+	assert.Check(t, is.Equal("", resp.Header().Get("Location")))
+	assert.Check(t, is.Equal("", resp.Header().Get("Set-Cookie")))
 }
diff --git a/samlsp/samlsp_test.go b/samlsp/samlsp_test.go
index 63d560b5..13f8831c 100644
--- a/samlsp/samlsp_test.go
+++ b/samlsp/samlsp_test.go
@@ -6,13 +6,13 @@ import (
 	"crypto"
 	"crypto/x509"
 	"encoding/pem"
-	"gotest.tools/golden"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
 )
 
 type mockTransport func(req *http.Request) (*http.Response, error)
@@ -69,5 +69,5 @@ func TestCanParseTestshibMetadata(t *testing.T) {
 	_, err := FetchMetadata(context.Background(),
 		&httpClient,
 		mustParseURL("https://ipa.example.com/idp/saml2/metadata"))
-	assert.NoError(t, err)
-}
\ No newline at end of file
+	assert.Check(t, err)
+}
diff --git a/samlsp/session_cookie_test.go b/samlsp/session_cookie_test.go
index f1a1e057..d3e8b2e4 100644
--- a/samlsp/session_cookie_test.go
+++ b/samlsp/session_cookie_test.go
@@ -5,9 +5,9 @@ import (
 	"net/http/httptest"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
-
 	"github.com/crewjam/saml"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestCookieSameSite(t *testing.T) {
@@ -25,22 +25,22 @@ func TestCookieSameSite(t *testing.T) {
 		resp := httptest.NewRecorder()
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		err := csp.CreateSession(resp, req, &saml.Assertion{})
-		assert.NoError(t, err)
+		assert.Check(t, err)
 
 		cookies := resp.Result().Cookies()
-		assert.Len(t, cookies, 1, "Expected to have a cookie set")
+		assert.Check(t, is.Len(cookies, 1), "Expected to have a cookie set")
 
 		return cookies[0]
 	}
 
 	t.Run("no same site", func(t *testing.T) {
 		cookie := getSessionCookie(t)
-		assert.EqualValues(t, http.SameSite(0), cookie.SameSite)
+		assert.Check(t, is.Equal(http.SameSite(0), cookie.SameSite))
 	})
 
 	t.Run("with same site", func(t *testing.T) {
 		csp.SameSite = http.SameSiteStrictMode
 		cookie := getSessionCookie(t)
-		assert.EqualValues(t, http.SameSiteStrictMode, cookie.SameSite)
+		assert.Check(t, is.Equal(http.SameSiteStrictMode, cookie.SameSite))
 	})
 }
diff --git a/schema_test.go b/schema_test.go
index e526fff2..22e58793 100644
--- a/schema_test.go
+++ b/schema_test.go
@@ -6,7 +6,8 @@ import (
 	"time"
 
 	"github.com/beevik/etree"
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestAttributeXMLRoundTrip(t *testing.T) {
@@ -23,15 +24,14 @@ func TestAttributeXMLRoundTrip(t *testing.T) {
 	doc := etree.NewDocument()
 	doc.SetRoot(expected.Element())
 	x, err := doc.WriteToBytes()
-	assert.NoError(t, err)
-	assert.Equal(t,
-		"<saml:Attribute FriendlyName=\"TestFriendlyName\" Name=\"TestName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"><saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xsi:type=\"xs:string\">test</saml:AttributeValue></saml:Attribute>",
-		string(x))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("<saml:Attribute FriendlyName=\"TestFriendlyName\" Name=\"TestName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"><saml:AttributeValue xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xsi:type=\"xs:string\">test</saml:AttributeValue></saml:Attribute>",
+		string(x)))
 
 	var actual Attribute
 	err = xml.Unmarshal(x, &actual)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, actual)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(expected, actual))
 }
 
 func TestNameIDFormat(t *testing.T) {
@@ -42,10 +42,9 @@ func TestNameIDFormat(t *testing.T) {
 	doc := etree.NewDocument()
 	doc.SetRoot(el.Element())
 	x, err := doc.WriteToBytes()
-	assert.NoError(t, err)
-	assert.Equal(t,
-		"<samlp:NameIDPolicy/>",
-		string(x))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("<samlp:NameIDPolicy/>",
+		string(x)))
 }
 
 func TestAuthnStatementXMLRoundTrip(t *testing.T) {
@@ -60,21 +59,19 @@ func TestAuthnStatementXMLRoundTrip(t *testing.T) {
 	doc := etree.NewDocument()
 	doc.SetRoot(expected.Element())
 	x, err := doc.WriteToBytes()
-	assert.NoError(t, err)
-	assert.Equal(t,
-		`<saml:AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index" SessionNotOnOrAfter="2020-07-22T15:00:00Z"><saml:AuthnContext/></saml:AuthnStatement>`,
-		string(x))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(`<saml:AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index" SessionNotOnOrAfter="2020-07-22T15:00:00Z"><saml:AuthnContext/></saml:AuthnStatement>`,
+		string(x)))
 
 	var actual AuthnStatement
 	err = xml.Unmarshal(x, &actual)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, actual)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(expected, actual))
 
 	x, err = xml.Marshal(expected)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		`<AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index" SessionNotOnOrAfter="2020-07-22T15:00:00Z"><AuthnContext></AuthnContext></AuthnStatement>`,
-		string(x))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(`<AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index" SessionNotOnOrAfter="2020-07-22T15:00:00Z"><AuthnContext></AuthnContext></AuthnStatement>`,
+		string(x)))
 }
 
 func TestAuthnStatementMarshalWithoutSessionNotOnOrAfter(t *testing.T) {
@@ -88,13 +85,12 @@ func TestAuthnStatementMarshalWithoutSessionNotOnOrAfter(t *testing.T) {
 	doc := etree.NewDocument()
 	doc.SetRoot(expected.Element())
 	x, err := doc.WriteToBytes()
-	assert.NoError(t, err)
-	assert.Equal(t,
-		`<saml:AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index"><saml:AuthnContext/></saml:AuthnStatement>`,
-		string(x))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(`<saml:AuthnStatement AuthnInstant="2020-07-21T12:30:45Z" SessionIndex="index"><saml:AuthnContext/></saml:AuthnStatement>`,
+		string(x)))
 
 	var actual AuthnStatement
 	err = xml.Unmarshal(x, &actual)
-	assert.NoError(t, err)
-	assert.Equal(t, expected, actual)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(expected, actual))
 }
diff --git a/service_provider_test.go b/service_provider_test.go
index f12f93da..f60a2a8b 100644
--- a/service_provider_test.go
+++ b/service_provider_test.go
@@ -5,16 +5,18 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/xml"
-	"gotest.tools/golden"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
 
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+
 	"github.com/beevik/etree"
 	dsig "github.com/russellhaering/goxmldsig"
-	"github.com/stretchr/testify/assert"
 
 	"github.com/crewjam/saml/testsaml"
 )
@@ -77,26 +79,26 @@ func TestSPCanSetAuthenticationNameIDFormat(t *testing.T) {
 
 	// defaults to "transient"
 	req, err := s.MakeAuthenticationRequest("")
-	assert.NoError(t, err)
-	assert.Equal(t, string(TransientNameIDFormat), *req.NameIDPolicy.Format)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(TransientNameIDFormat), *req.NameIDPolicy.Format))
 
 	// explicitly set to "transient"
 	s.AuthnNameIDFormat = TransientNameIDFormat
 	req, err = s.MakeAuthenticationRequest("")
-	assert.NoError(t, err)
-	assert.Equal(t, string(TransientNameIDFormat), *req.NameIDPolicy.Format)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(TransientNameIDFormat), *req.NameIDPolicy.Format))
 
 	// explicitly set to "unspecified"
 	s.AuthnNameIDFormat = UnspecifiedNameIDFormat
 	req, err = s.MakeAuthenticationRequest("")
-	assert.NoError(t, err)
-	assert.Equal(t, "", *req.NameIDPolicy.Format)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("", *req.NameIDPolicy.Format))
 
 	// explicitly set to "emailAddress"
 	s.AuthnNameIDFormat = EmailAddressNameIDFormat
 	req, err = s.MakeAuthenticationRequest("")
-	assert.NoError(t, err)
-	assert.Equal(t, string(EmailAddressNameIDFormat), *req.NameIDPolicy.Format)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(EmailAddressNameIDFormat), *req.NameIDPolicy.Format))
 }
 
 func TestSPCanProduceMetadataWithEncryptionCert(t *testing.T) {
@@ -110,11 +112,11 @@ func TestSPCanProduceMetadataWithEncryptionCert(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
-	assert.NoError(t, err)
-	golden.Assert(t, string(spMetadata), t.Name() + "_metadata")
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
 }
 
 func TestSPCanProduceMetadataWithBothCerts(t *testing.T) {
@@ -129,11 +131,11 @@ func TestSPCanProduceMetadataWithBothCerts(t *testing.T) {
 		SignatureMethod: "not-empty",
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
-	assert.NoError(t, err)
-	golden.Assert(t, string(spMetadata), t.Name() + "_metadata")
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
 
 }
 
@@ -145,11 +147,11 @@ func TestCanProduceMetadataNoCerts(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
-	assert.NoError(t, err)
-	golden.Assert(t, string(spMetadata), t.Name() + "_metadata")
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
 }
 
 func TestCanProduceMetadataEntityID(t *testing.T) {
@@ -161,11 +163,11 @@ func TestCanProduceMetadataEntityID(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	spMetadata, err := xml.MarshalIndent(s.Metadata(), "", "  ")
-	assert.NoError(t, err)
-	golden.Assert(t, string(spMetadata), t.Name() + "_metadata")
+	assert.Check(t, err)
+	golden.Assert(t, string(spMetadata), t.Name()+"_metadata")
 }
 
 func TestSPCanProduceRedirectRequest(t *testing.T) {
@@ -183,20 +185,18 @@ func TestSPCanProduceRedirectRequest(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	redirectURL, err := s.MakeRedirectAuthenticationRequest("relayState")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		"idp.testshib.org",
-		redirectURL.Host)
-	assert.Equal(t,
-		"/idp/profile/SAML2/Redirect/SSO",
-		redirectURL.Path)
-	golden.Assert(t, string(decodedRequest), t.Name() + "_decoded_request")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("idp.testshib.org",
+		redirectURL.Host))
+	assert.Check(t, is.Equal("/idp/profile/SAML2/Redirect/SSO",
+		redirectURL.Path))
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decoded_request")
 }
 
 func TestSPCanProducePostRequest(t *testing.T) {
@@ -213,11 +213,11 @@ func TestSPCanProducePostRequest(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	form, err := s.MakePostAuthenticationRequest("relayState")
-	assert.NoError(t, err)
-	golden.Assert(t, string(form), t.Name() + "_form")
+	assert.Check(t, err)
+	golden.Assert(t, string(form), t.Name()+"_form")
 }
 
 func TestSPCanProduceSignedRequest(t *testing.T) {
@@ -236,20 +236,18 @@ func TestSPCanProduceSignedRequest(t *testing.T) {
 		SignatureMethod: dsig.RSASHA1SignatureMethod,
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	redirectURL, err := s.MakeRedirectAuthenticationRequest("relayState")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		"idp.testshib.org",
-		redirectURL.Host)
-	assert.Equal(t,
-		"/idp/profile/SAML2/Redirect/SSO",
-		redirectURL.Path)
-	golden.Assert(t, string(decodedRequest), t.Name() + "_decodedRequest")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("idp.testshib.org",
+		redirectURL.Host))
+	assert.Check(t, is.Equal("/idp/profile/SAML2/Redirect/SSO",
+		redirectURL.Path))
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decodedRequest")
 }
 
 func TestSPFailToProduceSignedRequestWithBogusSignatureMethod(t *testing.T) {
@@ -268,10 +266,10 @@ func TestSPFailToProduceSignedRequestWithBogusSignatureMethod(t *testing.T) {
 		SignatureMethod: "bogus",
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	_, err = s.MakeRedirectAuthenticationRequest("relayState")
-	assert.Errorf(t, err, "invalid signing method bogus")
+	assert.Check(t, is.ErrorContains(err, ""), "invalid signing method bogus")
 }
 
 func TestSPCanProducePostLogoutRequest(t *testing.T) {
@@ -288,11 +286,11 @@ func TestSPCanProducePostLogoutRequest(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	form, err := s.MakePostLogoutRequest("ros@octolabs.io", "relayState")
-	assert.NoError(t, err)
-	golden.Assert(t, string(form), t.Name() + "_form")
+	assert.Check(t, err)
+	golden.Assert(t, string(form), t.Name()+"_form")
 }
 
 func TestSPCanProduceRedirectLogoutRequest(t *testing.T) {
@@ -310,20 +308,18 @@ func TestSPCanProduceRedirectLogoutRequest(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	redirectURL, err := s.MakeRedirectLogoutRequest("ross@octolabs.io", "relayState")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	decodedRequest, err := testsaml.ParseRedirectRequest(redirectURL)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		"idp.testshib.org",
-		redirectURL.Host)
-	assert.Equal(t,
-		"/idp/profile/SAML2/Redirect/SLO",
-		redirectURL.Path)
-	golden.Assert(t, string(decodedRequest), t.Name() + "_decodedRequest")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("idp.testshib.org",
+		redirectURL.Host))
+	assert.Check(t, is.Equal("/idp/profile/SAML2/Redirect/SLO",
+		redirectURL.Path))
+	golden.Assert(t, string(decodedRequest), t.Name()+"_decodedRequest")
 }
 
 func TestSPCanProducePostLogoutResponse(t *testing.T) {
@@ -340,11 +336,11 @@ func TestSPCanProducePostLogoutResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	form, err := s.MakePostLogoutResponse("id-d40c15c104b52691eccf0a2a5c8a15595be75423", "relayState")
-	assert.NoError(t, err)
-	golden.Assert(t, string(form), t.Name() + "_form")
+	assert.Check(t, err)
+	golden.Assert(t, string(form), t.Name()+"_form")
 }
 
 func TestSPCanProduceRedirectLogoutResponse(t *testing.T) {
@@ -362,14 +358,14 @@ func TestSPCanProduceRedirectLogoutResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	redirectURL, err := s.MakeRedirectLogoutResponse("id-d40c15c104b52691eccf0a2a5c8a15595be75423", "relayState")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	decodedResponse, err := testsaml.ParseRedirectResponse(redirectURL)
-	assert.NoError(t, err)
-	golden.Assert(t, string(decodedResponse), t.Name() + "_decodedResponse")
+	assert.Check(t, err)
+	golden.Assert(t, string(decodedResponse), t.Name()+"_decodedResponse")
 }
 
 func TestSPCanHandleOneloginResponse(t *testing.T) {
@@ -392,15 +388,15 @@ func TestSPCanHandleOneloginResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", SamlResponse)
 	assertion, err := s.ParseResponse(&req, []string{"id-d40c15c104b52691eccf0a2a5c8a15595be75423"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
-	assert.Equal(t, "ross@kndr.org", assertion.Subject.NameID.Value)
-	assert.Equal(t, []Attribute{
+	assert.Check(t, is.Equal("ross@kndr.org", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:       "User.email",
 			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
@@ -452,7 +448,7 @@ func TestSPCanHandleOneloginResponse(t *testing.T) {
 			},
 		},
 	},
-		assertion.AttributeStatements[0].Attributes)
+		assertion.AttributeStatements[0].Attributes))
 }
 
 func TestSPCanHandleOktaSignedResponseEncryptedAssertion(t *testing.T) {
@@ -473,15 +469,15 @@ func TestSPCanHandleOktaSignedResponseEncryptedAssertion(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", SamlResponse)
 	assertion, err := s.ParseResponse(&req, []string{"id-a7364d1e4432aa9085a7a8bd824ea2fa8fa8f684"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
-	assert.Equal(t, "testuser@testrsc.com", assertion.Subject.NameID.Value)
-	assert.Equal(t, []Attribute{
+	assert.Check(t, is.Equal("testuser@testrsc.com", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:       "Username",
 			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
@@ -492,7 +488,7 @@ func TestSPCanHandleOktaSignedResponseEncryptedAssertion(t *testing.T) {
 				},
 			},
 		},
-	}, assertion.AttributeStatements[0].Attributes)
+	}, assertion.AttributeStatements[0].Attributes))
 }
 
 func TestSPCanHandleOktaResponseEncryptedSignedAssertion(t *testing.T) {
@@ -514,15 +510,15 @@ func TestSPCanHandleOktaResponseEncryptedSignedAssertion(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", SamlResponse)
 	assertion, err := s.ParseResponse(&req, []string{"id-6d976cdde8e76df5df0a8ff58148fc0b7ec6796d"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
-	assert.Equal(t, "testuser@testrsc.com", assertion.Subject.NameID.Value)
-	assert.Equal(t, []Attribute{
+	assert.Check(t, is.Equal("testuser@testrsc.com", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:       "Username",
 			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
@@ -533,7 +529,7 @@ func TestSPCanHandleOktaResponseEncryptedSignedAssertion(t *testing.T) {
 				},
 			},
 		},
-	}, assertion.AttributeStatements[0].Attributes)
+	}, assertion.AttributeStatements[0].Attributes))
 }
 
 func TestSPCanHandleOktaResponseEncryptedAssertionBothSigned(t *testing.T) {
@@ -555,15 +551,15 @@ func TestSPCanHandleOktaResponseEncryptedAssertionBothSigned(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", SamlResponse)
 	assertion, err := s.ParseResponse(&req, []string{"id-953d4cab69ff475c5901d12e585b0bb15a7b85fe"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
-	assert.Equal(t, "testuser@testrsc.com", assertion.Subject.NameID.Value)
-	assert.Equal(t, []Attribute{
+	assert.Check(t, is.Equal("testuser@testrsc.com", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:       "Username",
 			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
@@ -574,7 +570,7 @@ func TestSPCanHandleOktaResponseEncryptedAssertionBothSigned(t *testing.T) {
 				},
 			},
 		},
-	}, assertion.AttributeStatements[0].Attributes)
+	}, assertion.AttributeStatements[0].Attributes))
 }
 
 func TestSPCanHandlePlaintextResponse(t *testing.T) {
@@ -596,15 +592,15 @@ func TestSPCanHandlePlaintextResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", SamlResponse)
 	assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
-	assert.Equal(t, "ross@octolabs.io", assertion.Subject.NameID.Value)
-	assert.Equal(t, []Attribute{
+	assert.Check(t, is.Equal("ross@octolabs.io", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:   "phone",
 			Values: nil,
@@ -635,7 +631,7 @@ func TestSPCanHandlePlaintextResponse(t *testing.T) {
 				},
 			},
 		},
-	}, assertion.AttributeStatements[0].Attributes)
+	}, assertion.AttributeStatements[0].Attributes))
 }
 
 func TestSPRejectsInjectedComment(t *testing.T) {
@@ -658,15 +654,15 @@ func TestSPRejectsInjectedComment(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	// this is a valid response
 	{
 		req := http.Request{PostForm: url.Values{}}
 		req.PostForm.Set("SAMLResponse", SamlResponse)
 		assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
-		assert.NoError(t, err)
-		assert.Equal(t, "ross@octolabs.io", assertion.Subject.NameID.Value)
+		assert.Check(t, err)
+		assert.Check(t, is.Equal("ross@octolabs.io", assertion.Subject.NameID.Value))
 	}
 
 	// this is a valid response but with a comment injected
@@ -684,9 +680,8 @@ func TestSPRejectsInjectedComment(t *testing.T) {
 		// the signature, perhaps because xml-c18n isn't being implemented correctly by
 		// dsig.
 		if err == nil {
-			assert.Equal(t,
-				"ross@octolabs.io",
-				assertion.Subject.NameID.Value)
+			assert.Check(t, is.Equal("ross@octolabs.io",
+				assertion.Subject.NameID.Value))
 		}
 	}
 
@@ -701,11 +696,11 @@ func TestSPRejectsInjectedComment(t *testing.T) {
 		req := http.Request{PostForm: url.Values{}}
 		req.PostForm.Set("SAMLResponse", SamlResponse)
 		_, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
-		assert.NotNil(t, err)
+		assert.Check(t, err != nil)
 
 		realErr := err.(*InvalidResponseError).PrivateErr
-		assert.EqualError(t, realErr,
-			"cannot validate signature on Response: Signature could not be verified")
+		assert.Check(t, is.Error(realErr,
+			"cannot validate signature on Response: Signature could not be verified"))
 	}
 }
 
@@ -728,15 +723,15 @@ func TestSPRejectsMalformedResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	// this is a valid response
 	{
 		req := http.Request{PostForm: url.Values{}}
 		req.PostForm.Set("SAMLResponse", SamlResponse)
 		assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
-		assert.NoError(t, err)
-		assert.Equal(t, "ross@octolabs.io", assertion.Subject.NameID.Value)
+		assert.Check(t, err)
+		assert.Check(t, is.Equal("ross@octolabs.io", assertion.Subject.NameID.Value))
 	}
 
 	// this is a valid response but with a comment injected
@@ -748,9 +743,9 @@ func TestSPRejectsMalformedResponse(t *testing.T) {
 		req := http.Request{PostForm: url.Values{}}
 		req.PostForm.Set("SAMLResponse", SamlResponse)
 		assertion, err := s.ParseResponse(&req, []string{"id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6"})
-		assert.EqualError(t, err.(*InvalidResponseError).PrivateErr,
-			"invalid xml: validator: in token starting at 1:55: roundtrip error: expected {{saml2p Response} [{{ :foo} bar} {{xmlns saml2p} urn:oasis:names:tc:SAML:2.0:protocol} {{ Destination} https://29ee6d2e.ngrok.io/saml/acs} {{ ID} _fc141db284eb3098605351bde4d9be59} {{ InResponseTo} id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6} {{ IssueInstant} 2016-01-05T16:55:39.348Z} {{ Version} 2.0}]}, observed {{ Response} [{{ xmlns} saml2p} {{ foo} bar} {{xmlns saml2p} urn:oasis:names:tc:SAML:2.0:protocol} {{ Destination} https://29ee6d2e.ngrok.io/saml/acs} {{ ID} _fc141db284eb3098605351bde4d9be59} {{ InResponseTo} id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6} {{ IssueInstant} 2016-01-05T16:55:39.348Z} {{ Version} 2.0} {{ Version} 2.0}]}")
-		assert.Nil(t, assertion)
+		assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+			"invalid xml: validator: in token starting at 1:55: roundtrip error: expected {{saml2p Response} [{{ :foo} bar} {{xmlns saml2p} urn:oasis:names:tc:SAML:2.0:protocol} {{ Destination} https://29ee6d2e.ngrok.io/saml/acs} {{ ID} _fc141db284eb3098605351bde4d9be59} {{ InResponseTo} id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6} {{ IssueInstant} 2016-01-05T16:55:39.348Z} {{ Version} 2.0}]}, observed {{ Response} [{{ xmlns} saml2p} {{ foo} bar} {{xmlns saml2p} urn:oasis:names:tc:SAML:2.0:protocol} {{ Destination} https://29ee6d2e.ngrok.io/saml/acs} {{ ID} _fc141db284eb3098605351bde4d9be59} {{ InResponseTo} id-fd419a5ab0472645427f8e07d87a3a5dd0b2e9a6} {{ IssueInstant} 2016-01-05T16:55:39.348Z} {{ Version} 2.0} {{ Version} 2.0}]}"))
+		assert.Check(t, is.Nil(assertion))
 	}
 }
 
@@ -764,14 +759,14 @@ func TestSPCanParseResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	assertion, err := s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
-	assert.Equal(t, []Attribute{
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			FriendlyName: "uid",
 			Name:         "urn:oid:0.9.2342.19200300.100.1.1",
@@ -889,7 +884,7 @@ func TestSPCanParseResponse(t *testing.T) {
 				},
 			},
 		},
-	}, assertion.AttributeStatements[0].Attributes)
+	}, assertion.AttributeStatements[0].Attributes))
 }
 
 func (test *ServiceProviderTest) replaceDestination(newDestination string) {
@@ -910,13 +905,13 @@ func TestSPCanProcessResponseWithoutDestination(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	test.replaceDestination("")
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 }
 
 func (test *ServiceProviderTest) responseDom() (doc *etree.Document) {
@@ -949,15 +944,15 @@ func TestServiceProviderMismatchedDestinationsWithSignaturePresent(t *testing.T)
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	s.AcsURL = mustParseURL("https://wrong/saml2/acs")
 	bytes, _ := addSignatureToDocument(test.responseDom()).WriteToBytes()
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t, err.(*InvalidResponseError).PrivateErr,
-		"`Destination` does not match AcsURL (expected \"https://wrong/saml2/acs\", actual \"https://15661444.ngrok.io/saml2/acs\")")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://wrong/saml2/acs\", actual \"https://15661444.ngrok.io/saml2/acs\")"))
 }
 
 func TestServiceProviderMissingDestinationWithSignaturePresent(t *testing.T) {
@@ -970,14 +965,14 @@ func TestServiceProviderMissingDestinationWithSignaturePresent(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	bytes, _ := removeDestinationFromDocument(addSignatureToDocument(test.responseDom())).WriteToBytes()
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t, err.(*InvalidResponseError).PrivateErr,
-		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"\")")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"\")"))
 }
 
 func TestSPMismatchedDestinationsWithSignaturePresent(t *testing.T) {
@@ -990,16 +985,15 @@ func TestSPMismatchedDestinationsWithSignaturePresent(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	test.replaceDestination("https://wrong/saml2/acs")
 	bytes, _ := addSignatureToDocument(test.responseDom()).WriteToBytes()
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"https://wrong/saml2/acs\")")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"https://wrong/saml2/acs\")"))
 }
 
 func TestSPMismatchedDestinationsWithNoSignaturePresent(t *testing.T) {
@@ -1012,16 +1006,15 @@ func TestSPMismatchedDestinationsWithNoSignaturePresent(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	test.replaceDestination("https://wrong/saml2/acs")
 	bytes, _ := test.responseDom().WriteToBytes()
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"https://wrong/saml2/acs\")")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"https://wrong/saml2/acs\")"))
 }
 
 func TestSPMissingDestinationWithSignaturePresent(t *testing.T) {
@@ -1034,16 +1027,15 @@ func TestSPMissingDestinationWithSignaturePresent(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	test.replaceDestination("")
 	bytes, _ := addSignatureToDocument(test.responseDom()).WriteToBytes()
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString(bytes))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"\")")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`Destination` does not match AcsURL (expected \"https://15661444.ngrok.io/saml2/acs\", actual \"\")"))
 }
 
 func TestSPInvalidResponses(t *testing.T) {
@@ -1056,26 +1048,23 @@ func TestSPInvalidResponses(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", "???")
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"cannot parse base64: illegal base64 data at input byte 0")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot parse base64: illegal base64 data at input byte 0"))
 
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte("<hello>World!</hello>")))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"cannot unmarshal response: expected element type <Response> but have <hello>")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot unmarshal response: expected element type <Response> but have <hello>"))
 
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	_, err = s.ParseResponse(&req, []string{"wrongRequestID"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"`InResponseTo` does not match any of the possible request IDs (expected [wrongRequestID])")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"`InResponseTo` does not match any of the possible request IDs (expected [wrongRequestID])"))
 
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Nov 30 20:57:09 UTC 2016")
@@ -1084,9 +1073,8 @@ func TestSPInvalidResponses(t *testing.T) {
 	Clock = dsig.NewFakeClockAt(TimeNow())
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"response IssueInstant expired at 2015-12-01 01:57:51.375 +0000 UTC")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"response IssueInstant expired at 2015-12-01 01:57:51.375 +0000 UTC"))
 	TimeNow = func() time.Time {
 		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
 		return rv
@@ -1096,34 +1084,30 @@ func TestSPInvalidResponses(t *testing.T) {
 	s.IDPMetadata.EntityID = "http://snakeoil.com"
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"response Issuer does not match the IDP metadata (expected \"http://snakeoil.com\")")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"response Issuer does not match the IDP metadata (expected \"http://snakeoil.com\")"))
 	s.IDPMetadata.EntityID = "https://idp.testshib.org/idp/shibboleth"
 
 	oldSpStatusSuccess := StatusSuccess
 	StatusSuccess = "not:the:success:value"
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"urn:oasis:names:tc:SAML:2.0:status:Success")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"urn:oasis:names:tc:SAML:2.0:status:Success"))
 	StatusSuccess = oldSpStatusSuccess
 
 	s.IDPMetadata.IDPSSODescriptors[0].KeyDescriptors[0].KeyInfo.Certificate = "invalid"
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"cannot validate signature on Response: cannot parse certificate: illegal base64 data at input byte 4")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: cannot parse certificate: illegal base64 data at input byte 4"))
 
 	s.IDPMetadata.IDPSSODescriptors[0].KeyDescriptors[0].KeyInfo.Certificate = "aW52YWxpZA=="
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
 
-	assert.EqualError(t,
-		err.(*InvalidResponseError).PrivateErr,
-		"cannot validate signature on Response: asn1: structure error: tags don't match (16 vs {class:1 tag:9 length:110 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificate @2")
+	assert.Check(t, is.Error(err.(*InvalidResponseError).PrivateErr,
+		"cannot validate signature on Response: asn1: structure error: tags don't match (16 vs {class:1 tag:9 length:110 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificate @2"))
 }
 
 func TestSPInvalidAssertions(t *testing.T) {
@@ -1136,7 +1120,7 @@ func TestSPInvalidAssertions(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(test.SamlResponse)))
@@ -1146,66 +1130,66 @@ func TestSPInvalidAssertions(t *testing.T) {
 
 	assertion := Assertion{}
 	err = xml.Unmarshal(assertionBuf, &assertion)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow().Add(time.Hour))
-	assert.EqualError(t, err, "expired on 2015-12-01 01:57:51.375 +0000 UTC")
+	assert.Check(t, is.Error(err, "expired on 2015-12-01 01:57:51.375 +0000 UTC"))
 
 	assertion.Issuer.Value = "bob"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.EqualError(t, err, "issuer is not \"https://idp.testshib.org/idp/shibboleth\"")
+	assert.Check(t, is.Error(err, "issuer is not \"https://idp.testshib.org/idp/shibboleth\""))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Subject.NameID.NameQualifier = "bob"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.NoError(t, err) // not verified
+	assert.Check(t, err) // not verified
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Subject.NameID.SPNameQualifier = "bob"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.NoError(t, err) // not verified
+	assert.Check(t, err) // not verified
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	err = s.validateAssertion(&assertion, []string{"any request id"}, TimeNow())
-	assert.EqualError(t, err, "assertion SubjectConfirmation one of the possible request IDs ([any request id])")
+	assert.Check(t, is.Error(err, "assertion SubjectConfirmation one of the possible request IDs ([any request id])"))
 
 	assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData.Recipient = "wrong/acs/url"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.EqualError(t, err, "assertion SubjectConfirmation Recipient is not https://15661444.ngrok.io/saml2/acs")
+	assert.Check(t, is.Error(err, "assertion SubjectConfirmation Recipient is not https://15661444.ngrok.io/saml2/acs"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Subject.SubjectConfirmations[0].SubjectConfirmationData.NotOnOrAfter = TimeNow().Add(-1 * time.Hour)
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.EqualError(t, err, "assertion SubjectConfirmationData is expired")
+	assert.Check(t, is.Error(err, "assertion SubjectConfirmationData is expired"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Conditions.NotBefore = TimeNow().Add(time.Hour)
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.EqualError(t, err, "assertion Conditions is not yet valid")
+	assert.Check(t, is.Error(err, "assertion Conditions is not yet valid"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Conditions.NotOnOrAfter = TimeNow().Add(-1 * time.Hour)
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.EqualError(t, err, "assertion Conditions is expired")
+	assert.Check(t, is.Error(err, "assertion Conditions is expired"))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	assertion.Conditions.AudienceRestrictions[0].Audience.Value = "not/our/metadata/url"
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.EqualError(t, err, "assertion Conditions AudienceRestriction does not contain \"https://15661444.ngrok.io/saml2/metadata\"")
+	assert.Check(t, is.Error(err, "assertion Conditions AudienceRestriction does not contain \"https://15661444.ngrok.io/saml2/metadata\""))
 	assertion = Assertion{}
 	xml.Unmarshal(assertionBuf, &assertion)
 
 	// Not having an audience is not an error
 	assertion.Conditions.AudienceRestrictions = []AudienceRestriction{}
 	err = s.validateAssertion(&assertion, []string{"id-9e61753d64e928af5a7a341a97f420c9"}, TimeNow())
-	assert.NoError(t, err)
+	assert.Check(t, err)
 }
 
 func TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert(t *testing.T) {
@@ -1225,15 +1209,15 @@ func TestSPRealWorldKeyInfoHasRSAPublicKeyNotX509Cert(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(idpMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(respStr)))
 	_, err = s.ParseResponse(&req, []string{"id-3992f74e652d89c3cf1efd6c7e472abaac9bc917"})
 	if err != nil {
-		assert.NoError(t, err.(*InvalidResponseError).PrivateErr)
+		assert.Check(t, err.(*InvalidResponseError).PrivateErr)
 	}
-	assert.NoError(t, err)
+	assert.Check(t, err)
 }
 
 func TestSPRealWorldAssertionSignedNotResponse(t *testing.T) {
@@ -1256,15 +1240,15 @@ func TestSPRealWorldAssertionSignedNotResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(idpMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(respStr)))
 	_, err = s.ParseResponse(&req, []string{"id-3992f74e652d89c3cf1efd6c7e472abaac9bc917"})
 	if err != nil {
-		assert.NoError(t, err.(*InvalidResponseError).PrivateErr)
+		assert.Check(t, err.(*InvalidResponseError).PrivateErr)
 	}
-	assert.NoError(t, err)
+	assert.Check(t, err)
 }
 
 func TestServiceProviderCanHandleSignedAssertionsResponse(t *testing.T) {
@@ -1295,7 +1279,7 @@ func TestServiceProviderCanHandleSignedAssertionsResponse(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 	req.PostForm.Set("SAMLResponse", SamlResponse)
@@ -1303,10 +1287,10 @@ func TestServiceProviderCanHandleSignedAssertionsResponse(t *testing.T) {
 	if err != nil {
 		t.Logf("%s", err.(*InvalidResponseError).PrivateErr)
 	}
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
-	assert.Equal(t, "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7", assertion.Subject.NameID.Value)
-	assert.Equal(t, []Attribute{
+	assert.Check(t, is.Equal("_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7", assertion.Subject.NameID.Value))
+	assert.Check(t, is.DeepEqual([]Attribute{
 		{
 			Name:       "uid",
 			NameFormat: "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
@@ -1341,7 +1325,7 @@ func TestServiceProviderCanHandleSignedAssertionsResponse(t *testing.T) {
 				},
 			},
 		},
-	}, assertion.AttributeStatements[0].Attributes)
+	}, assertion.AttributeStatements[0].Attributes))
 }
 
 func TestSPResponseWithNoIssuer(t *testing.T) {
@@ -1358,7 +1342,7 @@ func TestSPResponseWithNoIssuer(t *testing.T) {
 		IDPMetadata: &EntityDescriptor{},
 	}
 	err := xml.Unmarshal([]byte(test.IDPMetadata), &s.IDPMetadata)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	req := http.Request{PostForm: url.Values{}}
 
@@ -1366,5 +1350,5 @@ func TestSPResponseWithNoIssuer(t *testing.T) {
 	samlResponse := string(golden.Get(t, "TestSPResponseWithNoIssuer_response"))
 	req.PostForm.Set("SAMLResponse", base64.StdEncoding.EncodeToString([]byte(samlResponse)))
 	_, err = s.ParseResponse(&req, []string{"id-9e61753d64e928af5a7a341a97f420c9"})
-	assert.NoError(t, err)
+	assert.Check(t, err)
 }
diff --git a/time_test.go b/time_test.go
index 2a8779d3..15e2c9a9 100644
--- a/time_test.go
+++ b/time_test.go
@@ -1,54 +1,60 @@
 package saml
 
 import (
+	"github.com/google/go-cmp/cmp"
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestRelaxedTimeFormat(t *testing.T) {
 	rt := time.Date(1981, 02, 03, 14, 15, 16, 17, time.UTC)
-	assert.Equal(t, "1981-02-03T14:15:16Z", RelaxedTime(rt).String())
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", RelaxedTime(rt).String()))
 
 	buf, err := RelaxedTime(rt).MarshalText()
-	assert.NoError(t, err)
-	assert.Equal(t, "1981-02-03T14:15:16Z", string(buf))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", string(buf)))
 
 	loc, err := time.LoadLocation("America/New_York")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 	rt = time.Date(1981, 02, 03, 9, 15, 16, 17, loc)
 
-	assert.Equal(t, "1981-02-03T14:15:16Z", RelaxedTime(rt).String())
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", RelaxedTime(rt).String()))
 	buf, err = RelaxedTime(rt).MarshalText()
-	assert.NoError(t, err)
-	assert.Equal(t, "1981-02-03T14:15:16Z", string(buf))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("1981-02-03T14:15:16Z", string(buf)))
 }
 
 func TestRelaxedTimeParse(t *testing.T) {
 	{
 		var rt RelaxedTime
 		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16Z"))
-		assert.NoError(t, err)
-		assert.Equal(t, RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 0, time.UTC)), rt)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(
+			RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 0, time.UTC)),
+			rt, cmp.AllowUnexported(RelaxedTime{})))
 	}
 
 	{
 		var rt RelaxedTime
 		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16.178901234Z"))
-		assert.NoError(t, err)
-		assert.Equal(t, RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 179000000, time.UTC)), rt)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 179000000, time.UTC)),
+			rt, cmp.AllowUnexported(RelaxedTime{})))
 	}
 	{
 		var rt RelaxedTime
 		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16.1717Z"))
-		assert.NoError(t, err)
-		assert.Equal(t, RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 172000000, time.UTC)), rt)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(RelaxedTime(time.Date(1981, 02, 03, 14, 15, 16, 172000000, time.UTC)),
+			rt, cmp.AllowUnexported(RelaxedTime{})))
 	}
 	{
 		var rt RelaxedTime
 		err := rt.UnmarshalText([]byte("1981-02-03T14:15:16Z04:00"))
-		assert.EqualError(t, err,
-			"parsing time \"1981-02-03T14:15:16Z04:00\": extra text: \"04:00\"")
+		assert.Check(t, is.Error(err,
+			"parsing time \"1981-02-03T14:15:16Z04:00\": extra text: \"04:00\""))
 	}
 }
diff --git a/xmlenc/decrypt_test.go b/xmlenc/decrypt_test.go
index 8b7141b7..65652bd6 100644
--- a/xmlenc/decrypt_test.go
+++ b/xmlenc/decrypt_test.go
@@ -3,40 +3,41 @@ package xmlenc
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"gotest.tools/golden"
 	"testing"
 
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+
 	"github.com/beevik/etree"
-	"github.com/stretchr/testify/assert"
 )
 
 func TestCanDecrypt(t *testing.T) {
 	doc := etree.NewDocument()
 	err := doc.ReadFromString(string(golden.Get(t, "input.xml")))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	keyPEM := "-----BEGIN RSA PRIVATE KEY-----\nMIICXgIBAAKBgQDU8wdiaFmPfTyRYuFlVPi866WrH/2JubkHzp89bBQopDaLXYxi\n3PTu3O6Q/KaKxMOFBqrInwqpv/omOGZ4ycQ51O9I+Yc7ybVlW94lTo2gpGf+Y/8E\nPsVbnZaFutRctJ4dVIp9aQ2TpLiGT0xX1OzBO/JEgq9GzDRf+B+eqSuglwIDAQAB\nAoGBAMuy1eN6cgFiCOgBsB3gVDdTKpww87Qk5ivjqEt28SmXO13A1KNVPS6oQ8SJ\nCT5Azc6X/BIAoJCURVL+LHdqebogKljhH/3yIel1kH19vr4E2kTM/tYH+qj8afUS\nJEmArUzsmmK8ccuNqBcllqdwCZjxL4CHDUmyRudFcHVX9oyhAkEA/OV1OkjM3CLU\nN3sqELdMmHq5QZCUihBmk3/N5OvGdqAFGBlEeewlepEVxkh7JnaNXAXrKHRVu/f/\nfbCQxH+qrwJBANeQERF97b9Sibp9xgolb749UWNlAdqmEpmlvmS202TdcaaT1msU\n4rRLiQN3X9O9mq4LZMSVethrQAdX1whawpkCQQDk1yGf7xZpMJ8F4U5sN+F4rLyM\nRq8Sy8p2OBTwzCUXXK+fYeXjybsUUMr6VMYTRP2fQr/LKJIX+E5ZxvcIyFmDAkEA\nyfjNVUNVaIbQTzEbRlRvT6MqR+PTCefC072NF9aJWR93JimspGZMR7viY6IM4lrr\nvBkm0F5yXKaYtoiiDMzlOQJADqmEwXl0D72ZG/2KDg8b4QZEmC9i5gidpQwJXUc6\nhU+IVQoLxRq0fBib/36K9tcrrO5Ba4iEvDcNY+D8yGbUtA==\n-----END RSA PRIVATE KEY-----\n"
 	b, _ := pem.Decode([]byte(keyPEM))
 	key, err := x509.ParsePKCS1PrivateKey(b.Bytes)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	el := doc.Root().FindElement("//EncryptedKey")
 	buf, err := Decrypt(key, el)
-	assert.NoError(t, err)
-	assert.Equal(t,
-		[]byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9},
-		buf)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual([]byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9},
+		buf))
 
 	el = doc.Root().FindElement("//EncryptedData")
 	buf, err = Decrypt(key, el)
-	assert.NoError(t, err)
-	assert.Equal(t, string(golden.Get(t, "plaintext.xml")), string(buf))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(golden.Get(t, "plaintext.xml")), string(buf)))
 }
 
 func TestCanDecryptWithoutCertificate(t *testing.T) {
 	doc := etree.NewDocument()
 	err := doc.ReadFromString(string(golden.Get(t, "input.xml")))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	el := doc.FindElement("//ds:X509Certificate")
 	el.Parent().RemoveChild(el)
@@ -44,15 +45,15 @@ func TestCanDecryptWithoutCertificate(t *testing.T) {
 	keyPEM := golden.Get(t, "key.pem")
 	b, _ := pem.Decode(keyPEM)
 	key, err := x509.ParsePKCS1PrivateKey(b.Bytes)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	el = doc.Root().FindElement("//EncryptedKey")
 	buf, err := Decrypt(key, el)
-	assert.NoError(t, err)
-	assert.Equal(t, []byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9}, buf)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual([]byte{0xc, 0x70, 0xa2, 0xc8, 0x15, 0x74, 0x89, 0x3f, 0x36, 0xd2, 0x7c, 0x14, 0x2a, 0x9b, 0xaa, 0xd9}, buf))
 
 	el = doc.Root().FindElement("//EncryptedData")
 	buf, err = Decrypt(key, el)
-	assert.NoError(t, err)
-	assert.Equal(t, string(golden.Get(t, "plaintext.xml")), string(buf))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(golden.Get(t, "plaintext.xml")), string(buf)))
 }
diff --git a/xmlenc/encrypt_test.go b/xmlenc/encrypt_test.go
index 361dfce8..2480fe23 100644
--- a/xmlenc/encrypt_test.go
+++ b/xmlenc/encrypt_test.go
@@ -3,12 +3,14 @@ package xmlenc
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"gotest.tools/golden"
 	"math/rand"
 	"testing"
 
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+
 	"github.com/beevik/etree"
-	"github.com/stretchr/testify/assert"
 )
 
 func TestCanEncryptOAEP(t *testing.T) {
@@ -16,19 +18,19 @@ func TestCanEncryptOAEP(t *testing.T) {
 
 	pemBlock, _ := pem.Decode([]byte(golden.Get(t, "cert.pem")))
 	certificate, err := x509.ParseCertificate(pemBlock.Bytes)
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	e := OAEP()
 	e.BlockCipher = AES128CBC
 	e.DigestMethod = &SHA1
 
 	el, err := e.Encrypt(certificate, golden.Get(t, "plaintext.xml"))
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	doc := etree.NewDocument()
 	doc.SetRoot(el)
 	doc.IndentTabs()
 	ciphertext, _ := doc.WriteToString()
 
-	assert.Equal(t, ciphertext,  string(golden.Get(t, "ciphertext.xml")))
+	assert.Check(t, is.Equal(ciphertext, string(golden.Get(t, "ciphertext.xml"))))
 }
diff --git a/xmlenc/xmlenc_test.go b/xmlenc/xmlenc_test.go
index bd44bb12..d95def4c 100644
--- a/xmlenc/xmlenc_test.go
+++ b/xmlenc/xmlenc_test.go
@@ -6,48 +6,49 @@ import (
 	"testing"
 
 	"github.com/beevik/etree"
-	"github.com/stretchr/testify/assert"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
 )
 
 func TestDataAES128CBC(t *testing.T) {
 	RandReader = rand.New(rand.NewSource(0)) // deterministic random numbers for tests
 	plaintext, err := ioutil.ReadFile("testdata/encrypt-data-aes128-cbc.data")
-	assert.NoError(t, err)
+	assert.Check(t, err)
 
 	var ciphertext string
 	{
 		encrypter := AES128CBC
 		cipherEl, encErr := encrypter.Encrypt([]byte("abcdefghijklmnop"), []byte(plaintext))
-		assert.NoError(t, encErr)
+		assert.Check(t, encErr)
 
 		doc := etree.NewDocument()
 		doc.SetRoot(cipherEl)
 		doc.IndentTabs()
 		ciphertext, err = doc.WriteToString()
-		assert.NoError(t, err)
+		assert.Check(t, err)
 	}
 
 	{
 		decrypter := AES128CBC
 		doc := etree.NewDocument()
 		err = doc.ReadFromString(ciphertext)
-		assert.NoError(t, err)
+		assert.Check(t, err)
 
 		actualPlaintext, err := decrypter.Decrypt(
 			[]byte("abcdefghijklmnop"), doc.Root())
-		assert.NoError(t, err)
-		assert.Equal(t, plaintext, actualPlaintext)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(plaintext, actualPlaintext))
 	}
 
 	{
 		decrypter := AES128CBC
 		doc := etree.NewDocument()
 		err := doc.ReadFromFile("testdata/encrypt-data-aes128-cbc.xml")
-		assert.NoError(t, err)
+		assert.Check(t, err)
 
 		actualPlaintext, err := decrypter.Decrypt([]byte("abcdefghijklmnop"), doc.Root())
-		assert.NoError(t, err)
-		assert.Equal(t, plaintext, actualPlaintext)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(plaintext, actualPlaintext))
 	}
 }