Signature verification failed - invalid document format -- QName-awareness of attribute values and lxml #921

Open · tyctor opened this issue Jul 26, 2023 · 14 comments

Comments

tyctor commented Jul 26, 2023

Hi,

I am getting an error in AuthnResponse validation:

{'message': 'Signature verification failed. Invalid document format.', 'error': "global xs:simpleType/xs:complexType 'tn:PersonIdentifierType' not found"}

Code Version

pysaml2-7.4.2

Expected Behavior

Validation should succeed.

Current Behavior

Validation fails, so the user cannot log in.

Possible Solution

As a temporary solution I have set self.do_not_verify = True in the StatusResponse class.

Steps to Reproduce

Try to verify this response:

<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_5040626886ed420f9624b53a1a567ca4" InResponseTo="id-3CQSSqiis5eyXHxRG" Version="2.0" IssueInstant="2023-07-26T08:48:51Z" Destination="http://localhost:8000/saml2/acs">
    <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_5040626886ed420f9624b53a1a567ca4">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>TArwpfXayAca3dWsViIVBIoFWPOwcT7edGMh+3d687U=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>SIeUI2Jee90EmRAe3C/fx/U4eFaz6pORnBIOPj+7si/6/O5DrUFMvGoU3z+0J7KzvbWQiMkzhr9MXtTVmZ8q7Eb335i6TQoF8c9e4f7EMBJphPRjm0HQInobtWbvs9sJvy1xDH4/MdBFS1kX91I6IXFo8SrtAKthQ+Qx20lH0396CFZktbz+N6SbPobb3VswA2sF+Tr8MQk679vA0s7oVVYjBUiw4WpsBixM0jWrCMRls4fy/2amVc0841OzXCdrcyugH3z3jVd6lPib+W8abunVK4ZOaTgoiZJ2ka1SDR4zBpRN79CwZ6DaBxEajkGd8JpK3l1VJjd1Px766YlPrA==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0" ID="_7413e3b9-5f7c-4aef-ac94-f3ed7220c631" IssueInstant="2023-07-26T08:48:51.444Z">
        <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
        <ds:Signature>
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_7413e3b9-5f7c-4aef-ac94-f3ed7220c631">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>+xQXVThsk++RgKO3QGpUfV+eLCFRi2z71n7DjV/0bG4=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>dg0Sx5WqPjlOKdKeB7EogjgRTSeuN873ZXYbhdN/BKh2F53LMYvIQthtAG8TqSmUsLxMRifa3GFAqUyXHqiWJjzajrDKu3ZTD82TAqVtbciKwLpVsXoB+jfYqevPlzpxUkyS7I6FEWJrvvxlzAuEZn18/LQxCThBWsSO1YiKrgiLwga7f/0w+ADxPryV+2koPbVUuO8f1kNNa5aFlWd8ElUDPlq7Tt8C51d8Yu5+9OaZmEsGS56HX1bnc9aomeKXtkGus6l4yKGUgltgeNdQF9sIDdQ4WOeeYG9cyThisRueugSzOxuR/t8nz76Y1HipS+/ZEXGXg0YeO5EXBUsN+Q==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>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</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2023-07-26T09:48:51.444Z" Recipient="http://localhost:8000/saml2/acs" InResponseTo="id-3CQSSqiis5eyXHxRG" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2023-07-26T08:48:51.444Z" NotOnOrAfter="2023-07-26T09:48:51.444Z">
            <saml:AudienceRestriction>
                <saml:Audience>app:mysp</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2023-07-26T08:48:51.444Z" SessionIndex="_21ff5691c11045bb8e2330bb9e86d599">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" ns3:OriginalIssuer="urn:microsoft:cgg2010:fpsts">
                <saml:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

It is a Microsoft implementation of an Identity Provider.
Does anyone have some hints about this error?
Thanks

tyctor commented Jul 26, 2023

It seems that the problem is how pysaml2 creates the Response class from the XML string.

This is the XML from the IdP, and it validates fine with the same command used in saml2:

from saml2.xml.schema import validate as validate_doc_with_schema
validate_doc_with_schema(xml)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_22e2bc6256974246a8244d658c2242bd" Version="2.0" IssueInstant="2023-07-26T14:59:19Z" Destination="http://localhost:8000/saml2/acs" InResponseTo="id-dhocshTiDHSNqmfKq">
    <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="#_22e2bc6256974246a8244d658c2242bd">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>bXv9NeLmFN0oo5FyNZyF+ngmICpEKstJ+Wa1CC1O2uI=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>ejVw5J3R9w0/QSBF/IuVbp1LOpBESoskcYMUlneb6qek7SGsBz4j5dutOBKoDxVigssriMeE5SRVkhTRt+EKY5AEBsR0a4cZk6tcvshOnkWHs8yEzqwyyxGKTM2AFno2eVGMN2yRo+E01CIyrKrUMpAH5UdHVgnt6kTlpMu2EWGncMjM5oLR0dEZVcuiXRJcxazEBkgaZlX1mtNkylKzB2r6+iEXG4d7KaDXgwsXqgykrO8eX4F+Ng7Zy+pR186vs3JXo4Q3mYyIeGvTbxdKaoHFzDdSB/uM8URkK8x2awZppTCVoO/54vZDSF4gnsanfLSDQSNxZCgHI7PMTtbyVA==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>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</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_c5729fa0-84f1-44b2-b4e1-87f409a70b33" IssueInstant="2023-07-26T14:59:19.109Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>urn:microsoft:cgg2010:fpsts</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_c5729fa0-84f1-44b2-b4e1-87f409a70b33">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>6l79Ufg7F88fyZlV7sTI3lG+PCqbvgQk7pZfP1HQf6I=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>AU0W9wIU+DrErUF9G/CBFSUB+CSCcAn4fSYv0sIliJoJjIec7bloORqCBpiTYMLGK/qpjRB/uO+wKvMXEXJ0tb4dvRHuFZHyQ0tDleF8VvX7NjlRdeWQazZDi5UAYqeCKptHQSl1bmB4HyhIjLeWYlLMlh4TMlWcLbdGachtJfmAEl88iyCCkt+a5AmhZdM4XbPxmdq0guk4B+Y6imIoZXzSA5w2Wz/7Kbwq4fQhDCv26UYdd4Su49b46khe+wL4a97u6TdoFtiZAmM43euMMrWRZ3bO800EHn0NiveMEsHxtYwyrUkE5cU0Upg3BGHyVKG6VREoiSQfEFd2UK7CMQ==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>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</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="id-dhocshTiDHSNqmfKq" NotOnOrAfter="2023-07-26T15:59:19.109Z" Recipient="http://localhost:8000/saml2/acs" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2023-07-26T14:59:19.109Z" NotOnOrAfter="2023-07-26T15:59:19.109Z">
            <AudienceRestriction>
                <Audience>app:test.cz</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" a:OriginalIssuer="urn:microsoft:cgg2010:fpsts" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                <AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2023-07-26T14:59:19.109Z" SessionIndex="_f5fd9f3e7f844cc48f31fafdee0bfe17">
            <SubjectLocality Address="89.16.7.239" />
            <AuthnContext>
                <AuthnContextClassRef>http://eidas.europa.eu/LoA/low</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

tyctor commented Jul 26, 2023

And here is the Response created by saml2.response_from_string(xml),
which is later sent for validation:

<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_22e2bc6256974246a8244d658c2242bd" InResponseTo="id-dhocshTiDHSNqmfKq" Version="2.0" IssueInstant="2023-07-26T14:59:19Z" Destination="http://localhost:8000/saml2/acs">
    <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer>
    <ns2:Signature>
        <ns2:SignedInfo>
            <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ns2:Reference URI="#_22e2bc6256974246a8244d658c2242bd">
                <ns2:Transforms>
                    <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ns2:Transforms>
                <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ns2:DigestValue>bXv9NeLmFN0oo5FyNZyF+ngmICpEKstJ+Wa1CC1O2uI=</ns2:DigestValue>
            </ns2:Reference>
        </ns2:SignedInfo>
        <ns2:SignatureValue>ejVw5J3R9w0/QSBF/IuVbp1LOpBESoskcYMUlneb6qek7SGsBz4j5dutOBKoDxVigssriMeE5SRVkhTRt+EKY5AEBsR0a4cZk6tcvshOnkWHs8yEzqwyyxGKTM2AFno2eVGMN2yRo+E01CIyrKrUMpAH5UdHVgnt6kTlpMu2EWGncMjM5oLR0dEZVcuiXRJcxazEBkgaZlX1mtNkylKzB2r6+iEXG4d7KaDXgwsXqgykrO8eX4F+Ng7Zy+pR186vs3JXo4Q3mYyIeGvTbxdKaoHFzDdSB/uM8URkK8x2awZppTCVoO/54vZDSF4gnsanfLSDQSNxZCgHI7PMTtbyVA==</ns2:SignatureValue>
        <ns2:KeyInfo>
            <ns2:X509Data>
                <ns2:X509Certificate>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</ns2:X509Certificate>
            </ns2:X509Data>
        </ns2:KeyInfo>
    </ns2:Signature>
    <ns0:Status>
        <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </ns0:Status>
    <ns1:Assertion Version="2.0" ID="_c5729fa0-84f1-44b2-b4e1-87f409a70b33" IssueInstant="2023-07-26T14:59:19.109Z">
        <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer>
        <ns2:Signature>
            <ns2:SignedInfo>
                <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ns2:Reference URI="#_c5729fa0-84f1-44b2-b4e1-87f409a70b33">
                    <ns2:Transforms>
                        <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ns2:Transforms>
                    <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ns2:DigestValue>6l79Ufg7F88fyZlV7sTI3lG+PCqbvgQk7pZfP1HQf6I=</ns2:DigestValue>
                </ns2:Reference>
            </ns2:SignedInfo>
            <ns2:SignatureValue>AU0W9wIU+DrErUF9G/CBFSUB+CSCcAn4fSYv0sIliJoJjIec7bloORqCBpiTYMLGK/qpjRB/uO+wKvMXEXJ0tb4dvRHuFZHyQ0tDleF8VvX7NjlRdeWQazZDi5UAYqeCKptHQSl1bmB4HyhIjLeWYlLMlh4TMlWcLbdGachtJfmAEl88iyCCkt+a5AmhZdM4XbPxmdq0guk4B+Y6imIoZXzSA5w2Wz/7Kbwq4fQhDCv26UYdd4Su49b46khe+wL4a97u6TdoFtiZAmM43euMMrWRZ3bO800EHn0NiveMEsHxtYwyrUkE5cU0Upg3BGHyVKG6VREoiSQfEFd2UK7CMQ==</ns2:SignatureValue>
            <ns2:KeyInfo>
                <ns2:X509Data>
                    <ns2:X509Certificate>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</ns2:X509Certificate>
                </ns2:X509Data>
            </ns2:KeyInfo>
        </ns2:Signature>
        <ns1:Subject>
            <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:NameID>
            <ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <ns1:SubjectConfirmationData NotOnOrAfter="2023-07-26T15:59:19.109Z" Recipient="http://localhost:8000/saml2/acs" InResponseTo="id-dhocshTiDHSNqmfKq" />
            </ns1:SubjectConfirmation>
        </ns1:Subject>
        <ns1:Conditions NotBefore="2023-07-26T14:59:19.109Z" NotOnOrAfter="2023-07-26T15:59:19.109Z">
            <ns1:AudienceRestriction>
                <ns1:Audience>app:test.cz</ns1:Audience>
            </ns1:AudienceRestriction>
        </ns1:Conditions>
        <ns1:AuthnStatement AuthnInstant="2023-07-26T14:59:19.109Z" SessionIndex="_f5fd9f3e7f844cc48f31fafdee0bfe17">
            <ns1:SubjectLocality Address="89.16.7.239" />
            <ns1:AuthnContext>
                <ns1:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</ns1:AuthnContextClassRef>
            </ns1:AuthnContext>
        </ns1:AuthnStatement>
        <ns1:AttributeStatement>
            <ns1:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" ns3:OriginalIssuer="urn:microsoft:cgg2010:fpsts">
                <ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue>
            </ns1:Attribute>
        </ns1:AttributeStatement>
    </ns1:Assertion>
</ns0:Response> 

tyctor commented Jul 26, 2023

from saml2.xml.schema import validate as validate_doc_with_schema
validate_doc_with_schema(xml)

raises XMLSchemaError:

{'doc': '<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_22e2bc6256974246a8244d658c2242bd" InResponseTo="id-dhocshTiDHSNqmfKq" Version="2.0" IssueInstant="2023-07-26T14:59:19Z" Destination="http://localhost:8000/saml2/acs">\n    <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer><ns2:Signature>\n        <ns2:SignedInfo>\n            <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#_22e2bc6256974246a8244d658c2242bd">\n                <ns2:Transforms>\n                    <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue>bXv9NeLmFN0oo5FyNZyF+ngmICpEKstJ+Wa1CC1O2uI=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>ejVw5J3R9w0/QSBF/IuVbp1LOpBESoskcYMUlneb6qek7SGsBz4j5dutOBKoDxVigssriMeE5SRVkhTRt+EKY5AEBsR0a4cZk6tcvshOnkWHs8yEzqwyyxGKTM2AFno2eVGMN2yRo+E01CIyrKrUMpAH5UdHVgnt6kTlpMu2EWGncMjM5oLR0dEZVcuiXRJcxazEBkgaZlX1mtNkylKzB2r6+iEXG4d7KaDXgwsXqgykrO8eX4F+Ng7Zy+pR186vs3JXo4Q3mYyIeGvTbxdKaoHFzDdSB/uM8URkK8x2awZppTCVoO/54vZDSF4gnsanfLSDQSNxZCgHI7PMTtbyVA==</ns2:SignatureValue><ns2:KeyInfo>\n            <ns2:X509Data>\n                <ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns0:Status>\n        <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></ns0:Status><ns1:Assertion Version="2.0" ID="_c5729fa0-84f1-44b2-b4e1-87f409a70b33" 
IssueInstant="2023-07-26T14:59:19.109Z">\n        <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer><ns2:Signature>\n            <ns2:SignedInfo>\n                <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#_c5729fa0-84f1-44b2-b4e1-87f409a70b33">\n                    <ns2:Transforms>\n                        <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue>6l79Ufg7F88fyZlV7sTI3lG+PCqbvgQk7pZfP1HQf6I=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>AU0W9wIU+DrErUF9G/CBFSUB+CSCcAn4fSYv0sIliJoJjIec7bloORqCBpiTYMLGK/qpjRB/uO+wKvMXEXJ0tb4dvRHuFZHyQ0tDleF8VvX7NjlRdeWQazZDi5UAYqeCKptHQSl1bmB4HyhIjLeWYlLMlh4TMlWcLbdGachtJfmAEl88iyCCkt+a5AmhZdM4XbPxmdq0guk4B+Y6imIoZXzSA5w2Wz/7Kbwq4fQhDCv26UYdd4Su49b46khe+wL4a97u6TdoFtiZAmM43euMMrWRZ3bO800EHn0NiveMEsHxtYwyrUkE5cU0Upg3BGHyVKG6VREoiSQfEFd2UK7CMQ==</ns2:SignatureValue><ns2:KeyInfo>\n                <ns2:X509Data>\n                    <ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject>\n            <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">\n                <ns1:SubjectConfirmationData NotOnOrAfter="2023-07-26T15:59:19.109Z" Recipient="http://localhost:8000/saml2/acs" InResponseTo="id-dhocshTiDHSNqmfKq" /></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2023-07-26T14:59:19.109Z" NotOnOrAfter="2023-07-26T15:59:19.109Z">\n            <ns1:AudienceRestriction>\n                
<ns1:Audience>app:humpo.cz</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2023-07-26T14:59:19.109Z" SessionIndex="_f5fd9f3e7f844cc48f31fafdee0bfe17">\n            <ns1:SubjectLocality Address="89.176.87.239" /><ns1:AuthnContext>\n                <ns1:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</ns1:AuthnContextClassRef></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement>\n            <ns1:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" ns3:OriginalIssuer="urn:microsoft:cgg2010:fpsts">\n                <ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion></ns0:Response>', 'error': '"global xs:simpleType/xs:complexType \'tn:PersonIdentifierType\' not found"'}

tyctor commented Jul 26, 2023

It seems the problem is that this:

<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>

is converted to this:

<ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue>

So xmlns:tn is missing.

@c00kiemon5ter (Member)

Correct. This is due to the namespace prefix being embedded within the string value of the type XML attribute.

We could set up a mechanism to process namespaces with specified prefix names, but what do you do when one instance returns type="tn:PersonIdentifierType" and another type="eidas:PersonIdentifierType"?
I am not sure how this can be solved.

lxml preserves the namespace-prefixes by default (iirc) and that might be helpful here, but ties us to lxml and a dependency with C-bindings.

@vladimir-mencl-eresearch (Contributor)

Ideally, the solution here should be independent of the exact prefix names used.

The parser should be aware that xsi:type values are fully-qualified XML names and should adjust the prefix name used in the type name when serialising with a different assignment of prefix names to namespaces.

I don't know enough about the underlying implementation, but I think it should support the above.

Hmm, I am wondering whether it would help if the environment doing the processing (parsing + serialising) loaded the schema definitions (XSD files) for the namespaces it's dealing with (so it would have the definition of the PersonIdentifierType).

@c00kiemon5ter (Member)

The XSD files are there and loaded; and they include the PersonIdentifierType. This is part of the eIDAS XSD files, here:
https://github.com/IdentityPython/pysaml2/blob/14c649a/src/saml2/data/schemas/eidas-schema-attribute-naturalperson.xsd#L5

> The parser should be aware that xsi:type values are fully-qualified XML names and should adjust the prefix name used in the type name when serialising with a different assignment of prefix names to namespaces.

The original XML snippet is

<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>

When parsed it returns

import xml.etree.ElementTree as et

xmlstr = """<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>"""

el = et.fromstring(xmlstr)
et.tostring(el)
<ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue>

You can see that

  • the namespace-prefixes are reassigned, but the value of the xsi:type attribute does not change
  • the tn prefix is actually removed, as it is not seen as something that is used

@c00kiemon5ter (Member)

Doing the same with lxml preserves the prefixes:

import lxml.etree as let

xmlstr = """<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>"""

el = let.fromstring(xmlstr)
let.tostring(el)
<AttributeValue xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance" b:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>

@vladimir-mencl-eresearch (Contributor)

So it looks like an issue with the xml library implementation - not being aware that xsi:type values are QNames.

I get the same result when I just shorten this to the canonicalize call:

import xml.etree.ElementTree as et
et.canonicalize(b'<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>')

'<AttributeValue xmlns:b="http://www.w3.org/2001/XMLSchema-instance" b:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>'

However, I do get the correct result when I explicitly list xsi:type as a "QName aware" attribute:

et.canonicalize(b'<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>', rewrite_prefixes=True, qname_aware_attrs=[et.QName('{http://www.w3.org/2001/XMLSchema-instance}type')])

'<n0:AttributeValue xmlns:n0="" xmlns:n1="http://eidas.europa.eu/attributes/naturalperson" xmlns:n2="http://www.w3.org/2001/XMLSchema-instance" n2:type="n1:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</n0:AttributeValue>'

I still could not find how to configure a parser the same way, and I'd expect xsi:type so core to XML that it should not be necessary to declare it as "QName aware" - but maybe that's what needs to be done?
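The two behaviours shown in the last few comments, the stdlib ElementTree dropping the tn declaration on re-serialization because it treats the xsi:type value as an opaque string, and the C14N writer keeping it once xsi:type is declared QName-aware, can also be handled at parse time with the standard library alone: track the prefix declarations in scope while parsing and rebind each xsi:type value to an ET.QName, which the serializer knows how to re-prefix and re-declare. The following is an added example, not pysaml2 code and not from any participant in this thread; the AttributeValue sample is constructed after the one quoted in the issue with a placeholder identifier value, and the function names are assumptions of the example. It also rejects, at parse time, a type name whose prefix is not declared, which is the condition behind the "global xs:simpleType/xs:complexType 'tn:PersonIdentifierType' not found" error above.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = f"{{{XSI}}}type"
EIDAS_NP = "http://eidas.europa.eu/attributes/naturalperson"

# Constructed sample modeled on the AttributeValue from the issue;
# the identifier value is a placeholder, not real data.
SAMPLE = (
    b'<AttributeValue b:type="tn:PersonIdentifierType" '
    b'xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" '
    b'xmlns:b="http://www.w3.org/2001/XMLSchema-instance">'
    b'CZ/CZ/example-identifier</AttributeValue>'
)


def naive_roundtrip(xml_bytes):
    """Parse and re-serialize with the stdlib as-is. ElementTree treats the
    xsi:type value as an opaque string, so the 'tn' declaration it depends
    on is not seen as used and is dropped from the output."""
    return ET.tostring(ET.fromstring(xml_bytes))


def parse_qname_aware(xml_bytes):
    """Parse while tracking the prefix declarations in scope and rebind every
    xsi:type value to an ET.QName carrying its namespace URI. The serializer
    then emits a matching xmlns declaration, whatever prefix it picks."""
    scopes = [{}]   # stack of prefix -> URI mappings, one entry per open element
    pending = {}    # declarations reported just before the element that carries them
    root = None
    events = ET.iterparse(BytesIO(xml_bytes), events=("start-ns", "start", "end"))
    for event, payload in events:
        if event == "start-ns":
            prefix, uri = payload
            pending[prefix] = uri
        elif event == "start":
            scope = {**scopes[-1], **pending}
            pending = {}
            scopes.append(scope)
            if root is None:
                root = payload
            value = payload.get(XSI_TYPE)
            if value is None:
                continue
            prefix, _, local = value.rpartition(":")
            if prefix == "" and not scope.get(""):
                continue    # unprefixed type name with no default namespace: nothing to bind
            if prefix not in scope:
                # The failure the issue reports: a type name whose prefix no
                # longer resolves, so a schema validator cannot find the type.
                raise ValueError(f"xsi:type prefix {prefix!r} is not declared in scope")
            payload.set(XSI_TYPE, ET.QName(scope[prefix], local))
        else:  # "end"
            scopes.pop()
    return root


def qname_aware_roundtrip(xml_bytes):
    """Re-serialize after a QName-aware parse. register_namespace only keeps the
    original 'tn' prefix name for readability; correctness does not depend on it."""
    ET.register_namespace("tn", EIDAS_NP)
    return ET.tostring(parse_qname_aware(xml_bytes))


def resolved_xsi_types(xml_bytes):
    """Return every xsi:type in the document in Clark notation '{uri}local',
    resolved against the prefixes actually in scope."""
    root = parse_qname_aware(xml_bytes)
    found = []
    for el in root.iter():
        value = el.get(XSI_TYPE)
        if value is not None:
            found.append(value.text if isinstance(value, ET.QName) else value)
    return found


def xsi_types_resolve(xml_bytes):
    """Check usable on serialized output before handing it to a schema
    validator: True when every xsi:type prefix is declared in scope."""
    try:
        resolved_xsi_types(xml_bytes)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(naive_roundtrip(SAMPLE).decode())
    print(qname_aware_roundtrip(SAMPLE).decode())
    print(resolved_xsi_types(qname_aware_roundtrip(SAMPLE)))
```

The naive round trip emits xsi:type="tn:PersonIdentifierType" with no xmlns:tn declaration, which is exactly the document the validator rejected; the QName-aware round trip re-declares the eIDAS namespace and re-prefixes the type name consistently, so the xsi:type still resolves to {http://eidas.europa.eu/attributes/naturalperson}PersonIdentifierType after serialization.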

melanger commented Nov 1, 2023

@c00kiemon5ter Hi, is there any progress on this? It is blocking us from using SATOSA for eIDAS.

@c00kiemon5ter (Member)

@melanger I do not see a way to configure the built-in XML parser

  • to stop removing the namespace-prefixes it does not recognize as referenced
  • or, to consider certain attributes as QName aware (as Vlad reported)

The only solution would be to switch to lxml which is not trivial.

c00kiemon5ter changed the title from "Signature verification failed. Invalid document format" to "Signature verification failed - invalid document format -- QName-awareness of attribute values and lxml" on Nov 7, 2023
@c00kiemon5ter (Member)

I did some work to hack the code and use lxml with pysaml2. Have a look at #940

This of course needs a lot more work; not all tests pass, the code needs to be reorganized, etc. But it is a sketch of how things would look if we go in that direction.

melanger commented Nov 8, 2023

@c00kiemon5ter, I understand. It's a bit unfortunate, but we will pick up the PR and try to finish it.

@c00kiemon5ter (Member)

Give it a try first, to ensure it can work for you. I had a minimal test case there just to get things started.

Ideally this can become a configurable choice.
