diff options
author | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2021-01-20 14:33:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-20 14:33:19 +0200 |
commit | 46578df0695269a16f1c94171f1429873f90ed99 (patch) | |
tree | 1b1a68bc74347cb5dea7d3c83cdc4e019b2158e2 | |
parent | aaf6c54c9a8c6b7fc891a6ffada481dd688d9e26 (diff) | |
parent | 751dbf50a51131b13d55989395f9b115045f9737 (diff) | |
download | pysaml2-46578df0695269a16f1c94171f1429873f90ed99.tar.gz |
Merge pull request from GHSA-5p3x-r448-pc62
Restrict the key data that xmlsec1 accepts to only x509 certs
-rw-r--r-- | src/saml2/sigver.py | 1 | ||||
-rw-r--r-- | tests/test_xmlsec1_key_data.py | 81 | ||||
-rw-r--r-- | tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml | 47 | ||||
-rw-r--r-- | tests/xmlsec1-keydata/signed-assertion-with-hmac.xml | 49 | ||||
-rw-r--r-- | tests/xmlsec1-keydata/signed-response-with-hmac.xml | 49 |
5 files changed, 227 insertions, 0 deletions
diff --git a/src/saml2/sigver.py b/src/saml2/sigver.py index 0e8f1942..dae6900d 100644 --- a/src/saml2/sigver.py +++ b/src/saml2/sigver.py @@ -869,6 +869,7 @@ class CryptoBackendXmlSec1(CryptoBackend): self.xmlsec, '--verify', '--enabled-reference-uris', 'empty,same-doc', + '--enabled-key-data', 'raw-x509-cert', '--pubkey-cert-{type}'.format(type=cert_type), cert_file, '--id-attr:ID', node_name, ] diff --git a/tests/test_xmlsec1_key_data.py b/tests/test_xmlsec1_key_data.py new file mode 100644 index 00000000..2149659f --- /dev/null +++ b/tests/test_xmlsec1_key_data.py @@ -0,0 +1,81 @@ +from datetime import datetime +from dateutil import parser +from unittest.mock import Mock +from unittest.mock import patch + +from pytest import raises + +from saml2.config import config_factory +from saml2.response import authn_response +from saml2.sigver import SignatureError + +from pathutils import dotname +from pathutils import full_path + + +SIGNED_RESPONSE_HMAC = full_path("xmlsec1-keydata/signed-response-with-hmac.xml") +SIGNED_ASSERTION_HMAC = full_path("xmlsec1-keydata/signed-assertion-with-hmac.xml") +SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT = full_path("xmlsec1-keydata/signed-assertion-random-embedded-cert.xml") + + +class TestAuthnResponse: + @patch('saml2.response.validate_on_or_after', return_value=True) + def test_signed_response_with_hmac_should_fail(self, mock_validate_on_or_after): + conf = config_factory("sp", dotname("server_conf")) + ar = authn_response(conf, return_addrs="https://example.org/acs/post") + ar.issue_instant_ok = Mock(return_value=True) + + with open(SIGNED_RESPONSE_HMAC) as fp: + xml_response = fp.read() + + ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"} + ar.timeslack = 10000 + + # .loads checks the response signature + with raises(SignatureError): + ar.loads(xml_response, decode=False) + + assert ar.ava is None + assert ar.name_id is None + + @patch('saml2.response.validate_on_or_after', return_value=True) + def test_signed_assertion_with_hmac_should_fail(self, mock_validate_on_or_after): + conf = config_factory("sp", dotname("server_conf")) + ar = authn_response(conf, return_addrs="https://example.org/acs/post") + ar.issue_instant_ok = Mock(return_value=True) + + with open(SIGNED_ASSERTION_HMAC) as fp: + xml_response = fp.read() + + ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"} + ar.timeslack = 10000 + + # .loads does not check the assertion, only the response signature + # use .verify to verify the contents of the response + assert ar.loads(xml_response, decode=False) + with raises(SignatureError): + ar.verify() + + assert ar.ava is None + assert ar.name_id is None + + @patch('saml2.response.validate_on_or_after', return_value=True) + def test_signed_assertion_with_random_embedded_cert_should_be_ignored(self, mock_validate_on_or_after): + """ + if the embedded cert is not ignored then verification will fail + """ + + conf = config_factory("sp", dotname("server_conf")) + ar = authn_response(conf, return_addrs="https://51.15.251.81.xip.io/acs/post") + ar.issue_instant_ok = Mock(return_value=True) + + with open(SIGNED_ASSERTION_RANDOM_EMBEDDED_CERT) as fp: + xml_response = fp.read() + + ar.outstanding_queries = {"id-abc": "http://localhost:8088/sso"} + ar.timeslack = 10000 + + # .loads does not check the assertion, only the response signature + # use .verify to verify the contents of the response + assert ar.loads(xml_response, decode=False) + assert ar.verify() diff --git a/tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml b/tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml new file mode 100644 index 00000000..3db22337 --- /dev/null +++ b/tests/xmlsec1-keydata/signed-assertion-random-embedded-cert.xml @@ -0,0 +1,47 @@ +<?xml version="1.0"?> +<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="the-response-id" IssueInstant="2020-12-04T07:48:09.700Z" InResponseTo="id-abc" Destination="https://51.15.251.81.xip.io/acs/post"> + <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer> + <samlp:Status> + <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> + </samlp:Status> + <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="the-assertion-id" IssueInstant="2020-12-04T07:48:09.600Z"> + <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> + <ds:Reference URI="#the-assertion-id"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>NHB0WhPWj5OyRz9N52fZrEBWK3dXT2pVVT54f4kg1tM=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>Mo4ZheAEDvdPQwWvT5SOYZZ2IBELwtmBpdsn+Th+IvsanychWQ6JHYKTI8hl+3DigbqQwdsqet8n9sfdvr+D+Q7XozjVaFPdzUGC9d96Mn/vrc+JIP/ESoDjDUQEsoSBhUFlrbu7tPJDJehPgd/maIwd/GqEHWXFlm1ZWVCmaH8=</ds:SignatureValue> + <ds:KeyInfo> + <ds:X509Data> + <ds:X509Certificate>MIIFLDCCBBSgAwIBAgISA3UxXAgBWRS1D74GOLiAjky6MA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMTAxMTcyMDIxNTNaFw0yMTA0MTcyMDIxNTNaMB4xHDAaBgNVBAMTEzUxLjE1LjI1MS44MS54aXAuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkjSN9vZDOwE1m7g1vyiwBsKBKNItyy05BcHUkM8fabBcsavugT8uE4wYz5aeZrnKb5dbDLHaZe6Dl5GHgRO8s7REwSJ/BHT3/eMaEakLwIGE5/6QSWuBjOawPfmYarW5IqoITjSt/o/jxu3haouqbr7XYf1WOuZmc6iwGnEgm0+cVB4CA0VGnnLYfsjp9iMt3pFI8a8ipdwp5lfzZU+j8JMVEn6SZhNjjTAjcakBQmZv4Q5/yU6yqfGjG47DO62xB/PPbDy78hDorER2v8UkoDTGV4aZrZaNltHBUxNohIiQnkhuakMmbf0NhA2ExBJw6KTCCxfYkyUX3CgYzaAnxAgMBAAGjggJOMIICSjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHD7gcF0sNITPqhwcUlFyOBrkxRFMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMB4GA1UdEQQXMBWCEzUxLjE1LjI1MS44MS54aXAuaW8wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXcSOcqvAAAEAwBGMEQCIFhvPWYY+2VO55bHO1Sa9zJQk7B1kvCi7sfDCxAYp7mEAiBTKx6XD0GkfNGhji0LGuelvfD7gZOUSzURlJW1ahYcgQB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABdxI5yq4AAAQDAEgwRgIhAONNwcNZ66IxsWcUNDS0B9KV8Kk4VS9b/wUFNBHAQl3SAiEAxO5GwgaK3glL/6L/J7qpiedJBAs3h5406MWC0v4uYZ8wDQYJKoZIhvcNAQELBQADggEBAAZgbgfOb4+uI9kMGF4fMiompHeUFDXGyIND6y4FsfWHJG4Fn3aG+VQN/UtHeO8UusjS13/2yw3O+PeNTstBl+q6Ssega8zTYx2j3h3RFqM9JR8SWa83B0UTgyaxX3PTmfegV4/RZxC7KQ8pqjcLwKJSTgZF6W40Jo16tKVoi0VQY/2Gre6E9D1tPVw//mDGJST/5IcbFvtr79uft76IA+T674qNgAriBKxWncSbGzE42w2QsYsGMHHJn3vKbNl7alll9eJBqvdi1Q7ay86oI7NDQ0PPwjnB0/i4BOO0qQBcBSUIPPEChcrooEqN9PwM20aoyIjje0rtDGSxnEQRrg0=</ds:X509Certificate> + <ds:X509Certificate>MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFowMjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMTAlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLsjVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKpTm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnBU840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1RoYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kHejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfLqjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9pO5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2TwUdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml:Subject> + <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID> + <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> + <saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://51.15.251.81.xip.io/acs/post" InResponseTo="id-abc"/> + </saml:SubjectConfirmation> + </saml:Subject> + <saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z"> + <saml:AudienceRestriction> + <saml:Audience>urn:mace:example.com:saml:roland:sp</saml:Audience> + </saml:AudienceRestriction> + </saml:Conditions> + <saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="_samling_8227405_474676521"> + <saml:AuthnContext> + <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> + </saml:AuthnContext> + </saml:AuthnStatement> + </saml:Assertion> +</samlp:Response> diff --git a/tests/xmlsec1-keydata/signed-assertion-with-hmac.xml b/tests/xmlsec1-keydata/signed-assertion-with-hmac.xml new file mode 100644 index 00000000..e6a28c03 --- /dev/null +++ b/tests/xmlsec1-keydata/signed-assertion-with-hmac.xml @@ -0,0 +1,49 @@ +<?xml version="1.0"?> +<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theresponse" IssueInstant="2020-12-04T07:48:09.700Z" InResponseTo="id-abc" Destination="https://example.org/acs/post"> + <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer> + <samlp:Status> + <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> + </samlp:Status> + <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theassertion" IssueInstant="2020-12-04T07:48:09.600Z"> + <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> + <ds:Reference URI="#theassertion"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>3eSifM9ENDpX4ore08DbmBaW3WrqLZMv57QMk0ACEPk=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>8v8fec9UyJ5g/GcZmkrG3gQT/eI=</ds:SignatureValue> + <ds:KeyInfo> + <ds:KeyValue> + <HMACKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">Rk9PCg==</HMACKeyValue> + </ds:KeyValue> + <ds:X509Data> + <ds:X509Certificate>MIICXgIBAAKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABAoGBAKD2emW6ssmyhfQ9ztYFuJ4FlwiJf5icKuf7L4BsMRgjoHawUvt/k69l9aPKxZNrB7BycV+7lOqU57FaOf1MWGeWzsU5bYUVpFzOVwsY4umtsO78QGKLZe+91Z+ktOlmL3scAymAgE88Jmr0g8FC46Vv4Sam7zMCtmOvA9fYog1ZAkEA8lAe+XihSuZI6IZcdRdB6QJ5cgAJoZdWKKtUovb5Ah2w4D/ebkfpsQJK44aSR5GbnrnqSaMeLJMRz++Td0edHwJBANTlUBzoo3ihcBOZ0VzGYgDIG8foCTEf3jDBYNYaY9RH/c4P50GkDa4PBqtf1f+VORwAsC2NTeY6HUEWMpvfXyUCQQChQ3FZ1k6B6oDbP5CI3NGgoWTx2dSPFojgyCWrz3IpVllA5UDDZFjC1SPCCO2Rc/Z9zH2ARG7we3B/UpJx79dBAkEAiPc6sk6NFQevpjyYcDqFRIF5NgQ3Ha6l8PIITdZOkXz7cX3Txuw3jNrH7KtMbxDe3AApWDUHf+21cnFIf/WWLQJAeG0KKBfZw1iRu9vlcYakGWRUSga78QDy08uHDtxQLXxOfSvm/y8N1KrEsXf/cJzHUGQJrqk8nLzR5mTRqnAZWA==</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <saml:Subject> + <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID> + <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> + <saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://example.org/acs/post" InResponseTo="id-abc"/> + </saml:SubjectConfirmation> + </saml:Subject> + <saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z"> + <saml:AudienceRestriction> + <saml:Audience>https://example.org/sp.xml</saml:Audience> + </saml:AudienceRestriction> + </saml:Conditions> + <saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="_samling_8227405_474676521"> + <saml:AuthnContext> + <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> + </saml:AuthnContext> + </saml:AuthnStatement> + </saml:Assertion> +</samlp:Response> diff --git a/tests/xmlsec1-keydata/signed-response-with-hmac.xml b/tests/xmlsec1-keydata/signed-response-with-hmac.xml new file mode 100644 index 00000000..51068a04 --- /dev/null +++ b/tests/xmlsec1-keydata/signed-response-with-hmac.xml @@ -0,0 +1,49 @@ +<?xml version="1.0"?> +<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theresponse" IssueInstant="2020-12-04T07:48:09.700Z" InResponseTo="id-abc" Destination="https://example.org/acs/post"> + <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer> + <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <ds:SignedInfo> + <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> + <ds:Reference URI="#theresponse"> + <ds:Transforms> + <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> + <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> + </ds:Transforms> + <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> + <ds:DigestValue>/tLLJtWfBNGVGkPWs09wGxvKL/rPVWt5maNs9DWbHfQ=</ds:DigestValue> + </ds:Reference> + </ds:SignedInfo> + <ds:SignatureValue>iInSCge8AdweKTwZ9Z8P6e8Kb24=</ds:SignatureValue> + <ds:KeyInfo> + <ds:KeyValue> + <HMACKeyValue xmlns="http://www.aleksey.com/xmlsec/2002">Rk9PCg==</HMACKeyValue> + </ds:KeyValue> + <ds:X509Data> + <ds:X509Certificate>MIICXgIBAAKBgQDJg2cms7MqjniT8Fi/XkNHZNPbNVQyMUMXE9tXOdqwYCA1cc8vQdzkihscQMXy3iPw2cMggBu6gjMTOSOxECkuvX5ZCclKr8pXAJM5cY6gVOaVO2PdTZcvDBKGbiaNefiEw5hnoZomqZGp8wHNLAUkwtH9vjqqvxyS/vclc6k2ewIDAQABAoGBAKD2emW6ssmyhfQ9ztYFuJ4FlwiJf5icKuf7L4BsMRgjoHawUvt/k69l9aPKxZNrB7BycV+7lOqU57FaOf1MWGeWzsU5bYUVpFzOVwsY4umtsO78QGKLZe+91Z+ktOlmL3scAymAgE88Jmr0g8FC46Vv4Sam7zMCtmOvA9fYog1ZAkEA8lAe+XihSuZI6IZcdRdB6QJ5cgAJoZdWKKtUovb5Ah2w4D/ebkfpsQJK44aSR5GbnrnqSaMeLJMRz++Td0edHwJBANTlUBzoo3ihcBOZ0VzGYgDIG8foCTEf3jDBYNYaY9RH/c4P50GkDa4PBqtf1f+VORwAsC2NTeY6HUEWMpvfXyUCQQChQ3FZ1k6B6oDbP5CI3NGgoWTx2dSPFojgyCWrz3IpVllA5UDDZFjC1SPCCO2Rc/Z9zH2ARG7we3B/UpJx79dBAkEAiPc6sk6NFQevpjyYcDqFRIF5NgQ3Ha6l8PIITdZOkXz7cX3Txuw3jNrH7KtMbxDe3AApWDUHf+21cnFIf/WWLQJAeG0KKBfZw1iRu9vlcYakGWRUSga78QDy08uHDtxQLXxOfSvm/y8N1KrEsXf/cJzHUGQJrqk8nLzR5mTRqnAZWA==</ds:X509Certificate> + </ds:X509Data> + </ds:KeyInfo> + </ds:Signature> + <samlp:Status> + <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> + </samlp:Status> + <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="theassertion" IssueInstant="2020-12-04T07:48:09.600Z"> + <saml:Issuer>urn:mace:example.com:saml:roland:idp</saml:Issuer> + <saml:Subject> + <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">attack-name-id</saml:NameID> + <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> + <saml:SubjectConfirmationData NotOnOrAfter="2020-12-04T07:58:09.600Z" Recipient="https://example.org/acs/post" InResponseTo="id-abc"/> + </saml:SubjectConfirmation> + </saml:Subject> + <saml:Conditions NotBefore="2020-12-04T07:48:09.600Z" NotOnOrAfter="2020-12-04T07:58:09.600Z"> + <saml:AudienceRestriction> + <saml:Audience>https://example.org/sp.xml</saml:Audience> + </saml:AudienceRestriction> + </saml:Conditions> + <saml:AuthnStatement AuthnInstant="2020-12-04T07:48:09.600Z" SessionNotOnOrAfter="2020-12-04T07:58:09.600Z" SessionIndex="_samling_8227405_474676521"> + <saml:AuthnContext> + <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> + </saml:AuthnContext> + </saml:AuthnStatement> + </saml:Assertion> +</samlp:Response> |