Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERROR with ADFS #15

Closed
alberto-coolshop opened this issue Feb 11, 2016 · 12 comments
Closed

ERROR with ADFS #15

alberto-coolshop opened this issue Feb 11, 2016 · 12 comments

Comments

@alberto-coolshop
Copy link

Hi all!
I'm trying to integrate lightsaml with adfs, but here is the stack of the exception I have.
I think there is a problem with signature...
Hope it helps...

I'm using as dependencies:
"symfony/symfony": "2.7.*",
"lightsaml/sp-bundle": "^1.0"

Error: Call to a member function removeChild() on a non-object
500 Internal Server Error - FatalErrorException

Stack Trace (Plain Text)   -
[1] Symfony\Component\Debug\Exception\FatalErrorException: Error: Call to a member function removeChild() on a non-object
    at n/a
        in /var/www/cnh_pbo-cms/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php line 489

    at RobRichards\XMLSecLibs\XMLSecurityDSig->validateReference()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Model/XmlDSig/SignatureXmlReader.php line 76

    at LightSaml\Model\XmlDSig\SignatureXmlReader->validate()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Model/XmlDSig/AbstractSignatureReader.php line 62

    at LightSaml\Model\XmlDSig\AbstractSignatureReader->validateMulti()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Validator/Model/Signature/SignatureValidator.php line 58

    at LightSaml\Validator\Model\Signature\SignatureValidator->validate()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Assertion/Inbound/AssertionSignatureValidatorAction.php line 56

    at LightSaml\Action\Assertion\Inbound\AssertionSignatureValidatorAction->doExecute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Assertion/AbstractAssertionAction.php line 39

    at LightSaml\Action\Assertion\AbstractAssertionAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/CompositeAction.php line 74

    at LightSaml\Action\CompositeAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/Inbound/Response/AssertionAction.php line 54

    at LightSaml\Action\Profile\Inbound\Response\AssertionAction->doExecute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/Profile/AbstractProfileAction.php line 41

    at LightSaml\Action\Profile\AbstractProfileAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/lightsaml/src/LightSaml/Action/CompositeAction.php line 74

    at LightSaml\Action\CompositeAction->execute()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Firewall/LightSamlSpListener.php line 67

    at LightSaml\SpBundle\Security\Firewall\LightSamlSpListener->receiveSamlResponse()
        in /var/www/cnh_pbo-cms/vendor/lightsaml/sp-bundle/src/LightSaml/SpBundle/Security/Firewall/LightSamlSpListener.php line 50

    at LightSaml\SpBundle\Security\Firewall\LightSamlSpListener->attemptAuthentication()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php line 146

    at Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->handle()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 2574

    at Symfony\Component\Security\Http\Firewall->onKernelRequest()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 61

    at call_user_func()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php line 61

    at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1834

    at call_user_func()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1834

    at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch()
        in /var/www/cnh_pbo-cms/app/cache/dev/classes.php line 1763

    at Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
        in /var/www/cnh_pbo-cms/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/TraceableEventDispatcher.php line 124

    at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3099

    at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3072

    at Symfony\Component\HttpKernel\HttpKernel->handle()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 3223

    at Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle()
        in /var/www/cnh_pbo-cms/app/bootstrap.php.cache line 2442

    at Symfony\Component\HttpKernel\Kernel->handle()
        in /var/www/cnh_pbo-cms/web/app_dev.php line 28

    at {main}()
        in /var/www/cnh_pbo-cms/web/app_dev.php line 0
@tmilos
Copy link
Member

tmilos commented Feb 11, 2016

Could you search in the log for

app.INFO: Received message {"profile_id":"sso_sp_receive_response" ...

and paste that line here in comment (escaped with triple backticks so xml is readable), so I can see the XML of the message.

Also, please provide IDP metadata file, I would most probably need it to get the certificate and be able to reproduce the error

@alberto-coolshop
Copy link
Author

Here is the log:

 {
     "profile_id": "sso_sp_receive_response",
     "own_role": "sp",
     "action": "LightSaml\\Action\\Profile\\Inbound\\Message\\ReceiveMessageAction",
     "top_context_id": "00000000758000a300007f6809624961",
     "message": "*"
 }

xml contained into message field:

<?xml version=\"1.0\"?>\n
    <samlp:Response xmlns:samlp=\ "urn:oasis:names:tc:SAML:2.0:protocol\" ID=\ "_78e2f8e0-0ef5-4e75-a62b-ebf782172475\" Version=\ "2.0\" IssueInstant=\ "2016-02-11T10:30:37.486Z\" Destination=\ "https://cnh-pbo.localhost/app_dev.php/saml/login_check\" Consent=\ "urn:oasis:names:tc:SAML:2.0:consent:unspecified\" InResponseTo=\ "_038ce01e899f17c5f6307f668cba44a51adbb334cb\">
        <Issuer xmlns=\ "urn:oasis:names:tc:SAML:2.0:assertion\">http://WIN-H88N3PGBC9H.adds.coolshop.it/adfs/services/trust</Issuer>
        <samlp:Status>
            <samlp:StatusCode Value=\ "urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>
        <EncryptedAssertion xmlns=\ "urn:oasis:names:tc:SAML:2.0:assertion\">
            <xenc:EncryptedData xmlns:xenc=\ "http://www.w3.org/2001/04/xmlenc#\" Type=\ "http://www.w3.org/2001/04/xmlenc#Element\">
                <xenc:EncryptionMethod Algorithm=\ "http://www.w3.org/2001/04/xmlenc#aes256-cbc\"/>
                <KeyInfo xmlns=\ "http://www.w3.org/2000/09/xmldsig#\">
                    <e:EncryptedKey xmlns:e=\ "http://www.w3.org/2001/04/xmlenc#\">
                        <e:EncryptionMethod Algorithm=\ "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\">
                            <DigestMethod Algorithm=\ "http://www.w3.org/2000/09/xmldsig#sha1\"/>
                        </e:EncryptionMethod>
                        <KeyInfo>
                            <ds:X509Data xmlns:ds=\ "http://www.w3.org/2000/09/xmldsig#\">
                                <ds:X509IssuerSerial>
                                    <ds:X509IssuerName>CN=CMDW, O=Coolshop, L=Turin, S=Italy, C=IT</ds:X509IssuerName>
                                    <ds:X509SerialNumber>9524921770752454112</ds:X509SerialNumber>
                                </ds:X509IssuerSerial>
                            </ds:X509Data>
                        </KeyInfo>
                        <e:CipherData>
                            <e:CipherValue>TPwVINnf2WSwLh4x1hj/t8SoWy8uMLnsx+N08iKJzboyt9kgH9gr0Z6Kz2ojDejPK+emFDXGB1DoqvOlPEtwzZvpWON0dM0w+xoKfgcdby5pkctEUt1+95IMhXTcrB2wPdsv/7L2hqXrsiX62PFMY1hhu6mWVCN96U3eIr7dPOehckwb0r4Uvya+p8jakTFTJttIwWdBWHdXmpJu6OZgu5dK+la3/sDoWZIilPQiF9FDoLRN4XBP/0V5eET/JoABSZT63oKhtBXPeRIPpmsl+NWhnmUPRiV0EiAGtwQ06GBA0PuKZlCNtLRbKP/4l1VHNqtuwpa22zBHZyVept6Ygg==</e:CipherValue>
                        </e:CipherData>
                    </e:EncryptedKey>
                </KeyInfo>
                <xenc:CipherData>
                    `<xenc:CipherValue>8CFeyIgvyNMt6y896ygjsQq/kPkg5hzyfPU18+4V3Xe9SGB2c3Dv4heaAiQZL9RcqgH6FP7RpZ1Ed1KBZDYRdE6WXVEvIr7z8LtHmLgwceeTz602/YesnvEsoPYppskqHp/T4F6fxBOtBkLC5AcuJtc366sdt7Wm0UBrDwhtkVuhRjUllb5Gz2DNlosgM873fJTQJzwxQOUJTB43vKfxKlbdWvaaZ/cI1NWUNbsnRuPUAU6AeMu0Ox+slBrVTKothEohHVC7Xtd+jTNPCBWHGBWKliIMkqTpji9yawnexQv+yGDifhcaAIbm4KOvWDw82CW6Az2dnDRMpciUHCyEHewo9eQjQqBhSmHDKcMFylknobbQMe2TiUlXICouEKsviEAZgXa8NLfXwOf+VsJT3spnih/DZH7njTvHQLl5n3Ha0FrbV9IL76eJULyeTBgXQZCHoUPyDXnyqqf0JEWdXf3UFjPttRia5E7ndkWcZCahywcWuGXOSp5e0chFjM/mpkPg9/nbp0Ydk27Y7v2KgigzFempMSmfzRmNiH1Gpvjc4LFJCC/CGImFaaDHidC1j5fExwzOYmXjK4O6tIXoePRsYrR7Y9njKXgy7yBx3imAKL6mYW2Qk98v6dI57eF1yFRyMJkui/Eb6APt7LspPRjaXsZPOz5uoJAyRmE7AlMiWlTJ+p7nivDdVV/FJdJ2mb6s8FGTnBkxV2inzxkkUbLTYIBBF/5QEiv8/y1iSOKfMEtKOcydiXR7UtpgFjpwtUgkT71tkh9/HttGDJ1pzKRoO4QpPBBUX+8X0tIWY5WJihAjJhBxcc5aZfUTpfXpORaDaIiO7hREzn8OvnTLTE3BTGUUGS4cfuO7ZUULm7YXsiM5t+FWhCRmkOc7isuO3p43wDdppoBBIiUTtzU2tVQcGreu1cES/jpTCi/9Rz4R3N7P/TF/em93fpmYCmm/aoH1GdwIex++qiInUnWtHJ27mMP2aatshGUnjk8j7KN0CyQpdfYbVHswKK5xg9KtvToP7Bwrc67jE+3ZTsxJwGfr8JlxhEPEBdi8in6sKMrcoflGCsTFFuNOmKAv0VPacFVq9etlDeUqrO5tNWA2sP19NOVf+6gQpoKQH25qskhBwwBUXtUz3/eakb+r1H7tJoImU8DFs4CzFj45tSxbMaVSi2Hy20M5BS9eK+ZyAChgTRYSkBQ+xrjIN6Ctj73XaZhh7tsTx+9BtpBjspcvJc3p8C3+jq1eF6k7M+oDzZVR4r+nEpbfmXR4KymTJP1ZgtB3P+7huaXJV5s+m9w5eaPIaadj7vNJGSjLmwW74EgcEyko1bmmJEGEvb7G3oEipIMRWMMA+c6X7tpoPvTeK7DyDJj4U6jeYbcxSyDWFk5W0VJLi/0QjMh3rEmrRbvZ734lxWGa2s74qviZcYktoYZYR9DdB3ZnUg1SDNEDisN2iGRnVvj418HFpK3z/RkzNEcSNBqrBYCKNBq3X+AKqGvYwe9nhkj4DERCwzlSKXJIQTriHAYZstD17KSmXEXKhZjVfXllo0UvM0zLjVS2qrzLnLL7xMSNEENXHXnazZqVgpBvvFkJC1/lma38gpNom5V1RTGJ0ajZOW6EsBd9Hxe4cpjYu/EkLoRRJ0amFkScu5bvoF3F8AsBwxfEtClN1mFplG6OW/v+tkLL6UiSbYvyk0l3kxhV6OLkpbdUAU/v1WtWuFEJSE9p8ziESrEYITZ+nxX4YEHLxUdQzY7eZt6EgfZA5ySMk5QIfbHzbG4NoSDb+o7yBhtijpGtfBt5FZGwYzJtJ5xYexknC7RNzPxRnfbVYYpS5f5KHO9e2Nl+a3397rTmZRZAojfFiOBLZ6+BOb6dt2XUKTokK81mdJ/W7HOPKOhbbrbO53uLlOkSPUCGqhGIX9a0Y2UT/7jJ3945zYWR1bLBY6hEpvtMjBUqlWXw7Nvte9uZknKMS9dHtqW51yipkMcoZMkiexeCJur7lAY+1TKCKa5KcpslFcsJaqD4CCoVXHIMPrbvxLwC9H8iCS97dNg/cbynT0r3uUGSz7JTEWYQ2bNycg+rMGkQ05k7zw76/R36/5f58XK7yW7zMDElHnojWIL4Gfb7lTOPDyqvgupj2w70G2vTXmhJuwV3cjSlEabuRszdiVKbuhwWuiwKqtsmG1x78aqs6YzFmpn1TLzUMQXju/dKv3uW1kcbMyijSx30xVZLPVoUjpHyigp98fIkcR/u27yYX9xChefeRGSHyyQ7VlSLjOmSEPGVdWn2x8rRwYeD+RcQO+m3BRNgRu2FuzjOjqtPXcmkv6rBe4XtTzPWdGoogJlgZxvDojpROZQR9IALFjNBU1ZmERO7t+c8HVFvaSw+vTFoztEKWXtnMdNKBbVyq/XsPaF+OYXDnWMhjcVMflkGN2gtC4cvqwbWOTWfccyEoaQtKe0Kk1CmTseKL4jXNM9KV2ScpDjYl0sFfmGHO/xYwi7ZzZK6k1s+cmG8jUDDG5eyHeZDJh0q4cAtmnoI2wK+f/FEwUovZp+ytf6ZhRIJLc9PcDRq/zwhjeYob66g9JP/jlgpD/E2buX42LRZPDG2xg6DqIGM2y7SRFKFC9uu+1sxZ66iygjilDizJKtXams4DyWZUd/0vKjH8ru34/EehKvkWr39BLBWxJa9zv9nydrtZbaemGKDUswPYXa5suJi94JzK0BxTxY5pPHifaVZV4jPh0j4THYnt+7vUOrpusPbs2AGLNEL4aLHgncNG7OqaUPlRV9VsiFvepkBNcRvPrMtR4aYYmeF9nkkExtDt3uCRnKCevQStcTpKuFBxNG9ZuvKuhkd8yEp9ZA0JBz5OYwD4s1RgH9pFAKC+q1XDNpr6W18Gq7X/A5Vm8fFpdcF77CanZtdn1yI4GbaHVmwUw95mDQsRiisblQdXfdePoqKNPfF2Q4VzcqjPX5GFqYqQyZdkKyT1dg8xjtPmAZNE4IUKzdwpAaVWzGrmgaDYQo1I1NeJBhrOcsCXug50q8SRFMUDNrmcwhvKmu7Xb6DrrMWD2kyG0FcMNKbvpz9l0uUkeJWnXv/yoX0irwQIrulI7NcxFcGHq0J4q+7bJBfDTz+WI171VqlxR47HvPxf5jBL0EoTPloNdVopId1UqKR1D+Ivnd9iCsKv6S4mJu4Yt2h3uuKusk7MPpibbxfrRXOhQMpguUV6LsxxPz8XtCtinVgAigEoIofQetRpA2fbt8kPdGNVQoIQNZvJN9NbEz16aAWTHsX3plLz4F8Fk+OgOKgK4gWtcJtKUm1leeD//yW7nhzItNXLge46DZDy1McnoIH0R+UQPYTGW1X8GzYtfi5YI3kzPzjt0pwMlZBp5xXJDInIKsiWknzJBAKT9eFLV2yfH9qvaqLxpK3M5+fS4R67n/xmqP7D7EcRTC0fN90AUK0FHK9sTq7PYSmOrrH6W8Wb6RrzkBPNeD1ZboRqR3D8hlDJxJ4zXh7C8+ywgRrJ97sJk2lTfMXDEsWz1q8CSCfnYJfyQx6x6NqeaU/MlxTTWWvQm4GrFapESWxtMwwfHwxp4HojhNdkch4gjyitKK346g+fhdWGTFyXeBNU50oS+cAB5UNUNYWD9e+GHZYW6tl3kdCgvfceirnXM450WH3zglPNqZL4hajdN+g9+qxMDQAF41j92+lPQVmG/3Y+ayH+qUD1gGKEP8x/9tuRdNHbkame0LCHUryMc0hvlRBMj5e2ZecFRNhHftOIfYkukPyMt+gi2v1ziNBp/leYI8vjFVIU2EDCgjLBhWCZ5mvHtU5Jn2v+orNf1Q3QbDMWOXbOhgh8swhOKi0chumlLb12NdCV0+NKm3I8y5ryIm/9JSZ2CIcbRM+q7MpPphCdBd+Chg895pzpP/WgeGLG4qVLhKYV2ibbpxYLEaqubSA6Ut7E2+zMVYPtUDgr3X/wiBIugd8mWml5wdfdpsgxgemCrajdNetYc/OcIIzIweDqxKACMDoKkWPNJviFHpIGsMR7HPOn0zPFxICXbs4RcNJ6PdOaXWo6MjrITn+KImEPPSwXyQwOJzwISJnThKi9zos3jt3/G4zO+/8DdlDftpcKa8V2RXDRFQDsDY+UnwY32lw7iYTJY+9wo6O4U+8KsPvQwiUeMROi2EJYLIBV0whUgcP29hAjo41SyS1Pzm1fQ7CTH9GrG4Bpj9aTpNc5Z9e0apkqNtcZvMl9mZog+sow4OVfezB00QNIbAvmhsuumQR46sA+HuCFnqkd4mBk0ReIK3CPQOXj3DdUDS7FeBt60U30yfW2BzLJ6CzHOEWBlKe6q05npAUWE76bVck9cxnBMCLrLz7VxESTQ7Nk1xs/cZ+1WKxflXS5xrHUyi8/bR4VE6uf1Ftx3Gojyri6rZJ952pYqN8egypsu8Ft6Db3Q767hbRCdoCUhnOWpnA7V3IMcvHYCZ64J+W2aC3LXK+ASuc/WRjbXOg0srOWDGqzjJaObxk+I2brvmHF7ANcRUGWFs5joxg6v4zfGUVOrPWJT0Y8ZLiCTmFmK6oxxpWtcGKiUn0q9i8THSU+2Z4wgP79zL3GpHbZfr88c5Fhza2LEKD8FygGuCagk8JZ08H5zk0JIXCPxDrV+oGkQc3iGjuKnn6Yw+tYlGF4qIyyRsLCbOvXTm17JqrfK6Q+CO3lmB+GSh5XVHbWwnkPyV9vicxgil3wqg8R0UnfW8RqU7ZrvuV/XklX48FHImy1hdIB1Ni6z2yH9UrOddo4f85/eGk4eklEMSYZ42NGm7uraFmYH18VL2rJp71PKik7J3mVIrQ5rQm/5xm</xenc:CipherValue>`
                </xenc:CipherData>
            </xenc:EncryptedData>
        </EncryptedAssertion>
    </samlp:Response>\n

idp metadata:

<EntityDescriptor ID="_c5cc0de0-4b99-4ddc-a900-af0b0945d4c5" entityID="http://WIN-H88N3PGBC9H.adds.coolshop.it/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_c5cc0de0-4b99-4ddc-a900-af0b0945d4c5">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>eQ6TOTzfmVXCrLU1N4PZ0DHuAuD87uifXBxUQT+8JkQ=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>rVp67mYKWhHZSX416kwu5dRxoHxJcniaVH28qF62bTR5R4E6QfnTz52FjwUdVzsRenjuM19U1s349qcp2C6Ks7AzTAJPRxGenCx3WKPBZM7UV3UdemiArvhZxH93kuKZDG3m9soNbTZEdKv569iMI/WzJk3IShZzav4VvZU/MbywvGfWVvp/TcT/1X8vdW5znC2Hei3NDYT2/iKSJ38JF0qJc+jeAAnAx+8r8bvfqZ/NjtBmaqHTz0Tg2zy72ABFRnYqcv8q6ZUsm8lhY9mYguwBy24v/L+v52/evQ8hI5lGinCyrmXzkI3tW+/GzAsb1UefMNJuVWJ6uYRnABNwqA==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
                <X509Certificate>MIIC/DCCAeSgAwIBAgIQXsoV+QdZwptO13bhEotj3DANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNTAxMzAxNDM1NTdaFw0xNjAxMzAxNDM1NTdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzbYWP8UCQ3UZylYY/wwN2eEMAMMb1TSnxK06NMtClNZDsVoFRhK1iFIBAmzXDGsazkSmbzMf2Vvte5nGLWotH0tHunD2fX9gAYioMQ5lVYxbNAPUMmkR0IbwioNeC09nn0UaA48PzZtLO/vlc7yHMAgtWra7ShdR1VFxIVUrungrnb2E709c8QXctMBwl670otk8C7frYDCfVebqOI21zI+c45GaQZy8pWCVFy33OtnpqjiRNRTyAJKS24Xt+5SyUnsxGZ9GGzyC1B16A4JWD5BcRKGpr3pkS+4JrcfXqSgCz2WFRai5d+VyGGajV4OrFB9XvQn0kl/gTUg4WCcwdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCp4OGlPO2E+7lX3vBJhzt0ZO3HKWT14ONifk/HrK+hEdof2yXgRb8HTw6a0xLmtP3mzSeJopOzWbojOE7F1yBn149fkCmEXEzZH+pMrfpdJPCwwn/a74mHO1EKqqgZ40sjE9dqJTXbeor6soukPEzpO5ft2MYqXKbI/fQdr4sux72d6VnANFxR7mqsUtGiNGoBR7jF0W2t9XVi8Pmt4ogH5qJrXw7502tkW8V85v5xAyr06mk8OX4e4Qsy8l8a4Pv9UhRi8UV3DX7D0pJRrqR9VOEugs2x6WPLk/h9zigZ298Z9rnarlxjL8S/h66i2VOtBBQv+GMn1QapOSEGisjk</X509Certificate>
            </X509Data>
        </KeyInfo>
    </ds:Signature>
    <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="Coolshop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
        <KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIDAjCCAeqgAwIBAgIQNKdekA/14LlCm3n+V95laDANBgkqhkiG9w0BAQsFADA9MTswOQYDVQQDEzJBREZTIEVuY3J5cHRpb24gLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNTAxMzAxNDM1NTdaFw0xNjAxMzAxNDM1NTdaMD0xOzA5BgNVBAMTMkFERlMgRW5jcnlwdGlvbiAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hVrjPkRLb9b4DwVA/VrjLJQlckICGS7CssAuM+uSaZ4HT6oQWzPolT5Gy3sl5qbbjGMuu/LkZGoht/a5qZCE6klDrMjo1wVIu5zXSLI0isCpX3Dp8C8b03XJKv3qwnn//+2p1dZC60vo29uTp8O06O4YeyGN11MabXDeMpFXj+z2Y2M/Zbp1NexjUyo2ijaPvOhOph7weMwIw1XgZQuVCOkNGNVp9vG4A8id9FsWkaP8GcSPMl6xrGf3hteulP8PIlGAlr5DRU5+9lhiOnimsnaSaVkynoPbx83bb27NZxP48MuGaUwi+VVAFn0ol0OlEStzkYO5uj7j7Ey+Jpr7wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCq7UlZ3INrbS4jJtDd+x50zsORBi2zqS/GfTEPoNCbEMxK7UFp+ILwoIbVRrLFHSKqO7qzFShk/GFgudlWWOmD7wzZs+ehbNkTI0APlpyY7xffgIn1YMgXsCnB+j2T26MOliIQXZpcrC5Gl4ZTIXNnxWaikYuzkLiLPvrIiS36LuOPvHzz9WzfvAZxJtU6UciLIO7P/b6B5NhjR/FvWNhWrxzXSIXrG/OYofc2xeM4j7iz6m6HqlD1C0djs+SQwm3lhsNIQd9kz0/MDrJ0rSslDUSHO+un4BxNP5qHVm/7ako0yDqb/JMi77scfdWQgPH0ilK5yttOkfpD6+sfx3vO</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <fed:ClaimTypesRequested>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>E-Mail Address</auth:DisplayName>
                <auth:Description>The e-mail address of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Given Name</auth:DisplayName>
                <auth:Description>The given name of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Name</auth:DisplayName>
                <auth:Description>The unique name of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>UPN</auth:DisplayName>
                <auth:Description>The user principal name (UPN) of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Common Name</auth:DisplayName>
                <auth:Description>The common name of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>
                <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Group</auth:DisplayName>
                <auth:Description>A group that the user is a member of</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>
                <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Role</auth:DisplayName>
                <auth:Description>A role that the user has</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Surname</auth:DisplayName>
                <auth:Description>The surname of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>PPID</auth:DisplayName>
                <auth:Description>The private identifier of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Name ID</auth:DisplayName>
                <auth:Description>The SAML name identifier of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication time stamp</auth:DisplayName>
                <auth:Description>Used to display the time and date that the user was authenticated</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication method</auth:DisplayName>
                <auth:Description>The method used to authenticate the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Deny only group SID</auth:DisplayName>
                <auth:Description>The deny-only group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Deny only primary SID</auth:DisplayName>
                <auth:Description>The deny-only primary SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Deny only primary group SID</auth:DisplayName>
                <auth:Description>The deny-only primary group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Group SID</auth:DisplayName>
                <auth:Description>The group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Primary group SID</auth:DisplayName>
                <auth:Description>The primary group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Primary SID</auth:DisplayName>
                <auth:Description>The primary SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Windows account name</auth:DisplayName>
                <auth:Description>The domain account name of the user in the form of domain\user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Is Registered User</auth:DisplayName>
                <auth:Description>User is registered to use this device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device Identifier</auth:DisplayName>
                <auth:Description>Identifier of the device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device Registration Identifier</auth:DisplayName>
                <auth:Description>Identifier for Device Registration</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device Registration DisplayName</auth:DisplayName>
                <auth:Description>Display name of Device Registration</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device OS type</auth:DisplayName>
                <auth:Description>OS type of the device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device OS Version</auth:DisplayName>
                <auth:Description>OS version of the device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Is Managed Device</auth:DisplayName>
                <auth:Description>Device is managed by a management service</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Forwarded Client IP</auth:DisplayName>
                <auth:Description>IP address of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client Application</auth:DisplayName>
                <auth:Description>Type of the Client Application</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client User Agent</auth:DisplayName>
                <auth:Description>Device type the client is using to access the application</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client IP</auth:DisplayName>
                <auth:Description>IP address of the client</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Endpoint Path</auth:DisplayName>
                <auth:Description>Absolute Endpoint path which can be used to determine active versus passive clients</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Proxy</auth:DisplayName>
                <auth:Description>DNS name of the federation server proxy that passed the request</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Application Identifier</auth:DisplayName>
                <auth:Description>Identifier for the Relying Party</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Application policies</auth:DisplayName>
                <auth:Description>Application policies of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authority Key Identifier</auth:DisplayName>
                <auth:Description>The Authority Key Identifier extension of the certificate that signed an issued certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Basic Constraint</auth:DisplayName>
                <auth:Description>One of the basic constraints of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Enhanced Key Usage</auth:DisplayName>
                <auth:Description>Describes one of the enhanced key usages of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Issuer</auth:DisplayName>
                <auth:Description>The name of the certificate authority that issued the X.509 certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Issuer Name</auth:DisplayName>
                <auth:Description>The distinguished name of the certificate issuer</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Key Usage</auth:DisplayName>
                <auth:Description>One of the key usages of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Not After</auth:DisplayName>
                <auth:Description>Date in local time after which a certificate is no longer valid</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Not Before</auth:DisplayName>
                <auth:Description>The date in local time on which a certificate becomes valid</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Certificate Policies</auth:DisplayName>
                <auth:Description>The policies under which the certificate has been issued</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Public Key</auth:DisplayName>
                <auth:Description>Public Key of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Certificate Raw Data</auth:DisplayName>
                <auth:Description>The raw data of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject Alternative Name</auth:DisplayName>
                <auth:Description>One of the alternative names of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Serial Number</auth:DisplayName>
                <auth:Description>The serial number of a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Signature Algorithm</auth:DisplayName>
                <auth:Description>The algorithm used to create the signature of a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject</auth:DisplayName>
                <auth:Description>The subject from the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject Key Identifier</auth:DisplayName>
                <auth:Description>Describes the subject key identifier of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject Name</auth:DisplayName>
                <auth:Description>The subject distinguished name from a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>V2 Template Name</auth:DisplayName>
                <auth:Description>The name of the version 2 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>V1 Template Name</auth:DisplayName>
                <auth:Description>The name of the version 1 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Thumbprint</auth:DisplayName>
                <auth:Description>Thumbprint of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>X.509 Version</auth:DisplayName>
                <auth:Description>The X.509 format version of a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Inside Corporate Network</auth:DisplayName>
                <auth:Description>Used to indicate if a request originated inside corporate network</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Password Expiration Time</auth:DisplayName>
                <auth:Description>Used to display the time when the password expires</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Password Expiration Days</auth:DisplayName>
                <auth:Description>Used to display the number of days to password expiry</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Update Password URL</auth:DisplayName>
                <auth:Description>Used to display the web address of update password service</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/claims/authnmethodsreferences" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication Methods References</auth:DisplayName>
                <auth:Description>Used to indicate all authentication methods used to authenticate the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client Request ID</auth:DisplayName>
                <auth:Description>Identifier for a user session</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2013/11/alternateloginid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Alternate Login ID</auth:DisplayName>
                <auth:Description>Alternate login ID of the user</auth:Description>
            </auth:ClaimType>
        </fed:ClaimTypesRequested>
        <fed:TargetScopes>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
            </EndpointReference>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address>
            </EndpointReference>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address>
            </EndpointReference>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address>
            </EndpointReference>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/</Address>
            </EndpointReference>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust</Address>
            </EndpointReference>
        </fed:TargetScopes>
        <fed:ApplicationServiceEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
            </EndpointReference>
        </fed:ApplicationServiceEndpoint>
        <fed:PassiveRequestorEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/</Address>
            </EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
    <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="Coolshop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIC/DCCAeSgAwIBAgIQXsoV+QdZwptO13bhEotj3DANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNTAxMzAxNDM1NTdaFw0xNjAxMzAxNDM1NTdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzbYWP8UCQ3UZylYY/wwN2eEMAMMb1TSnxK06NMtClNZDsVoFRhK1iFIBAmzXDGsazkSmbzMf2Vvte5nGLWotH0tHunD2fX9gAYioMQ5lVYxbNAPUMmkR0IbwioNeC09nn0UaA48PzZtLO/vlc7yHMAgtWra7ShdR1VFxIVUrungrnb2E709c8QXctMBwl670otk8C7frYDCfVebqOI21zI+c45GaQZy8pWCVFy33OtnpqjiRNRTyAJKS24Xt+5SyUnsxGZ9GGzyC1B16A4JWD5BcRKGpr3pkS+4JrcfXqSgCz2WFRai5d+VyGGajV4OrFB9XvQn0kl/gTUg4WCcwdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCp4OGlPO2E+7lX3vBJhzt0ZO3HKWT14ONifk/HrK+hEdof2yXgRb8HTw6a0xLmtP3mzSeJopOzWbojOE7F1yBn149fkCmEXEzZH+pMrfpdJPCwwn/a74mHO1EKqqgZ40sjE9dqJTXbeor6soukPEzpO5ft2MYqXKbI/fQdr4sux72d6VnANFxR7mqsUtGiNGoBR7jF0W2t9XVi8Pmt4ogH5qJrXw7502tkW8V85v5xAyr06mk8OX4e4Qsy8l8a4Pv9UhRi8UV3DX7D0pJRrqR9VOEugs2x6WPLk/h9zigZ298Z9rnarlxjL8S/h66i2VOtBBQv+GMn1QapOSEGisjk</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIC/DCCAeSgAwIBAgIQNZPgoCKakLhGW8jNQpweNDANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNjAxMjcxNjM5MzdaFw0xNzAxMjYxNjM5MzdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAps5zxPHuEbvdufytptsR/fFAjIqOMv3ttHaD6eL3mVn5FX8LEFDBWtX7NhCn4g++XTeqN8bLZJB0AFMNzd0aBQFNJeU4bP3yA8aQIuPPMYfuJSLcNGiLNhJzh0xCFVMvHoVedgCQdAEyXuk3UoI8C4ciru668HfXtz03zswkL4HmEv3tSLxQSX+EL02efhsfHaebY+svBF5838d0eA0RoWkyAHKtarldrxDcZPhcl/nxGGS66VYEjEzIW0PZCToHI4k5kKirgDlfQ+8N1ovZl3Z9JWf09Ii28K8/WSHFIhQdiTL4As1Lr28rcCksoAN/QswWP90JTOdsMAilC3yNPQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB3nrB+PVvga07QUUzssUZQmQKWUM7z/i01+2imRfGUonQsJOtnnJnwARyDsTFbY9EgPJ2zK0+xIWzHRKdDN+0h0YZVQhLTe8b2vCOiJdaQBo8CuWNnfDCjAsedMT04ywsujqZO0IHyVELLVwi+RYpeEpYfd1aC8X17wP3N0YhqmzjwQ5I4rVNi6Wa5X4SI+MqbO8XN861HNu6ObM/TcoSHNXSbEq6Goo6jtOmrL2yXg0Wh7AflwCEOzH3xoR7SpqZeWUKs2CfMuo5NslcaR4baKU5ZloGI/FdpFRR9PdJd0LpECdS/j4zFFsmWlorPEcH9+HeZKH+HgA/0ZQEPpHpk</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <fed:TokenTypesOffered>
            <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion" />
            <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion" /></fed:TokenTypesOffered>
        <fed:ClaimTypesOffered>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>E-Mail Address</auth:DisplayName>
                <auth:Description>The e-mail address of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Given Name</auth:DisplayName>
                <auth:Description>The given name of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Name</auth:DisplayName>
                <auth:Description>The unique name of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>UPN</auth:DisplayName>
                <auth:Description>The user principal name (UPN) of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Common Name</auth:DisplayName>
                <auth:Description>The common name of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>
                <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Group</auth:DisplayName>
                <auth:Description>A group that the user is a member of</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>
                <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Role</auth:DisplayName>
                <auth:Description>A role that the user has</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Surname</auth:DisplayName>
                <auth:Description>The surname of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>PPID</auth:DisplayName>
                <auth:Description>The private identifier of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Name ID</auth:DisplayName>
                <auth:Description>The SAML name identifier of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication time stamp</auth:DisplayName>
                <auth:Description>Used to display the time and date that the user was authenticated</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication method</auth:DisplayName>
                <auth:Description>The method used to authenticate the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Deny only group SID</auth:DisplayName>
                <auth:Description>The deny-only group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Deny only primary SID</auth:DisplayName>
                <auth:Description>The deny-only primary SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Deny only primary group SID</auth:DisplayName>
                <auth:Description>The deny-only primary group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Group SID</auth:DisplayName>
                <auth:Description>The group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Primary group SID</auth:DisplayName>
                <auth:Description>The primary group SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Primary SID</auth:DisplayName>
                <auth:Description>The primary SID of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Windows account name</auth:DisplayName>
                <auth:Description>The domain account name of the user in the form of domain\user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Is Registered User</auth:DisplayName>
                <auth:Description>User is registered to use this device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device Identifier</auth:DisplayName>
                <auth:Description>Identifier of the device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device Registration Identifier</auth:DisplayName>
                <auth:Description>Identifier for Device Registration</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device Registration DisplayName</auth:DisplayName>
                <auth:Description>Display name of Device Registration</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device OS type</auth:DisplayName>
                <auth:Description>OS type of the device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Device OS Version</auth:DisplayName>
                <auth:Description>OS version of the device</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Is Managed Device</auth:DisplayName>
                <auth:Description>Device is managed by a management service</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Forwarded Client IP</auth:DisplayName>
                <auth:Description>IP address of the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client Application</auth:DisplayName>
                <auth:Description>Type of the Client Application</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client User Agent</auth:DisplayName>
                <auth:Description>Device type the client is using to access the application</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client IP</auth:DisplayName>
                <auth:Description>IP address of the client</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Endpoint Path</auth:DisplayName>
                <auth:Description>Absolute Endpoint path which can be used to determine active versus passive clients</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Proxy</auth:DisplayName>
                <auth:Description>DNS name of the federation server proxy that passed the request</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Application Identifier</auth:DisplayName>
                <auth:Description>Identifier for the Relying Party</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Application policies</auth:DisplayName>
                <auth:Description>Application policies of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authority Key Identifier</auth:DisplayName>
                <auth:Description>The Authority Key Identifier extension of the certificate that signed an issued certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Basic Constraint</auth:DisplayName>
                <auth:Description>One of the basic constraints of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Enhanced Key Usage</auth:DisplayName>
                <auth:Description>Describes one of the enhanced key usages of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Issuer</auth:DisplayName>
                <auth:Description>The name of the certificate authority that issued the X.509 certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Issuer Name</auth:DisplayName>
                <auth:Description>The distinguished name of the certificate issuer</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Key Usage</auth:DisplayName>
                <auth:Description>One of the key usages of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Not After</auth:DisplayName>
                <auth:Description>Date in local time after which a certificate is no longer valid</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Not Before</auth:DisplayName>
                <auth:Description>The date in local time on which a certificate becomes valid</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Certificate Policies</auth:DisplayName>
                <auth:Description>The policies under which the certificate has been issued</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Public Key</auth:DisplayName>
                <auth:Description>Public Key of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Certificate Raw Data</auth:DisplayName>
                <auth:Description>The raw data of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject Alternative Name</auth:DisplayName>
                <auth:Description>One of the alternative names of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Serial Number</auth:DisplayName>
                <auth:Description>The serial number of a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Signature Algorithm</auth:DisplayName>
                <auth:Description>The algorithm used to create the signature of a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject</auth:DisplayName>
                <auth:Description>The subject from the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject Key Identifier</auth:DisplayName>
                <auth:Description>Describes the subject key identifier of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Subject Name</auth:DisplayName>
                <auth:Description>The subject distinguished name from a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>V2 Template Name</auth:DisplayName>
                <auth:Description>The name of the version 2 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>V1 Template Name</auth:DisplayName>
                <auth:Description>The name of the version 1 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Thumbprint</auth:DisplayName>
                <auth:Description>Thumbprint of the certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>X.509 Version</auth:DisplayName>
                <auth:Description>The X.509 format version of a certificate</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Inside Corporate Network</auth:DisplayName>
                <auth:Description>Used to indicate if a request originated inside corporate network</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Password Expiration Time</auth:DisplayName>
                <auth:Description>Used to display the time when the password expires</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Password Expiration Days</auth:DisplayName>
                <auth:Description>Used to display the number of days to password expiry</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Update Password URL</auth:DisplayName>
                <auth:Description>Used to display the web address of update password service</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/claims/authnmethodsreferences" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Authentication Methods References</auth:DisplayName>
                <auth:Description>Used to indicate all authentication methods used to authenticate the user</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Client Request ID</auth:DisplayName>
                <auth:Description>Identifier for a user session</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2013/11/alternateloginid" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
                <auth:DisplayName>Alternate Login ID</auth:DisplayName>
                <auth:Description>Alternate login ID of the user</auth:Description>
            </auth:ClaimType>
        </fed:ClaimTypesOffered>
        <fed:SecurityTokenServiceEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust/2005/certificatemixed</Address>
                <Metadata>
                    <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
                        <wsx:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns="">
                            <wsx:MetadataReference>
                                <Address xmlns="http://www.w3.org/2005/08/addressing">https://win-h88n3pgbc9h.adds.coolshop.it/adfs/services/trust/mex</Address>
                            </wsx:MetadataReference>
                        </wsx:MetadataSection>
                    </Metadata>
                </Metadata>
            </EndpointReference>
        </fed:SecurityTokenServiceEndpoint>
        <fed:PassiveRequestorEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/</Address>
            </EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
    <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIDAjCCAeqgAwIBAgIQNKdekA/14LlCm3n+V95laDANBgkqhkiG9w0BAQsFADA9MTswOQYDVQQDEzJBREZTIEVuY3J5cHRpb24gLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNTAxMzAxNDM1NTdaFw0xNjAxMzAxNDM1NTdaMD0xOzA5BgNVBAMTMkFERlMgRW5jcnlwdGlvbiAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hVrjPkRLb9b4DwVA/VrjLJQlckICGS7CssAuM+uSaZ4HT6oQWzPolT5Gy3sl5qbbjGMuu/LkZGoht/a5qZCE6klDrMjo1wVIu5zXSLI0isCpX3Dp8C8b03XJKv3qwnn//+2p1dZC60vo29uTp8O06O4YeyGN11MabXDeMpFXj+z2Y2M/Zbp1NexjUyo2ijaPvOhOph7weMwIw1XgZQuVCOkNGNVp9vG4A8id9FsWkaP8GcSPMl6xrGf3hteulP8PIlGAlr5DRU5+9lhiOnimsnaSaVkynoPbx83bb27NZxP48MuGaUwi+VVAFn0ol0OlEStzkYO5uj7j7Ey+Jpr7wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCq7UlZ3INrbS4jJtDd+x50zsORBi2zqS/GfTEPoNCbEMxK7UFp+ILwoIbVRrLFHSKqO7qzFShk/GFgudlWWOmD7wzZs+ehbNkTI0APlpyY7xffgIn1YMgXsCnB+j2T26MOliIQXZpcrC5Gl4ZTIXNnxWaikYuzkLiLPvrIiS36LuOPvHzz9WzfvAZxJtU6UciLIO7P/b6B5NhjR/FvWNhWrxzXSIXrG/OYofc2xeM4j7iz6m6HqlD1C0djs+SQwm3lhsNIQd9kz0/MDrJ0rSslDUSHO+un4BxNP5qHVm/7ako0yDqb/JMi77scfdWQgPH0ilK5yttOkfpD6+sfx3vO</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIC/DCCAeSgAwIBAgIQXsoV+QdZwptO13bhEotj3DANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNTAxMzAxNDM1NTdaFw0xNjAxMzAxNDM1NTdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzbYWP8UCQ3UZylYY/wwN2eEMAMMb1TSnxK06NMtClNZDsVoFRhK1iFIBAmzXDGsazkSmbzMf2Vvte5nGLWotH0tHunD2fX9gAYioMQ5lVYxbNAPUMmkR0IbwioNeC09nn0UaA48PzZtLO/vlc7yHMAgtWra7ShdR1VFxIVUrungrnb2E709c8QXctMBwl670otk8C7frYDCfVebqOI21zI+c45GaQZy8pWCVFy33OtnpqjiRNRTyAJKS24Xt+5SyUnsxGZ9GGzyC1B16A4JWD5BcRKGpr3pkS+4JrcfXqSgCz2WFRai5d+VyGGajV4OrFB9XvQn0kl/gTUg4WCcwdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCp4OGlPO2E+7lX3vBJhzt0ZO3HKWT14ONifk/HrK+hEdof2yXgRb8HTw6a0xLmtP3mzSeJopOzWbojOE7F1yBn149fkCmEXEzZH+pMrfpdJPCwwn/a74mHO1EKqqgZ40sjE9dqJTXbeor6soukPEzpO5ft2MYqXKbI/fQdr4sux72d6VnANFxR7mqsUtGiNGoBR7jF0W2t9XVi8Pmt4ogH5qJrXw7502tkW8V85v5xAyr06mk8OX4e4Qsy8l8a4Pv9UhRi8UV3DX7D0pJRrqR9VOEugs2x6WPLk/h9zigZ298Z9rnarlxjL8S/h66i2VOtBBQv+GMn1QapOSEGisjk</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIC/DCCAeSgAwIBAgIQNZPgoCKakLhGW8jNQpweNDANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNjAxMjcxNjM5MzdaFw0xNzAxMjYxNjM5MzdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAps5zxPHuEbvdufytptsR/fFAjIqOMv3ttHaD6eL3mVn5FX8LEFDBWtX7NhCn4g++XTeqN8bLZJB0AFMNzd0aBQFNJeU4bP3yA8aQIuPPMYfuJSLcNGiLNhJzh0xCFVMvHoVedgCQdAEyXuk3UoI8C4ciru668HfXtz03zswkL4HmEv3tSLxQSX+EL02efhsfHaebY+svBF5838d0eA0RoWkyAHKtarldrxDcZPhcl/nxGGS66VYEjEzIW0PZCToHI4k5kKirgDlfQ+8N1ovZl3Z9JWf09Ii28K8/WSHFIhQdiTL4As1Lr28rcCksoAN/QswWP90JTOdsMAilC3yNPQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB3nrB+PVvga07QUUzssUZQmQKWUM7z/i01+2imRfGUonQsJOtnnJnwARyDsTFbY9EgPJ2zK0+xIWzHRKdDN+0h0YZVQhLTe8b2vCOiJdaQBo8CuWNnfDCjAsedMT04ywsujqZO0IHyVELLVwi+RYpeEpYfd1aC8X17wP3N0YhqmzjwQ5I4rVNi6Wa5X4SI+MqbO8XN861HNu6ObM/TcoSHNXSbEq6Goo6jtOmrL2yXg0Wh7AflwCEOzH3xoR7SpqZeWUKs2CfMuo5NslcaR4baKU5ZloGI/FdpFRR9PdJd0LpECdS/j4zFFsmWlorPEcH9+HeZKH+HgA/0ZQEPpHpk</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" />
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" />
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" index="0" isDefault="true" />
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" index="1" />
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" index="2" />
    </SPSSODescriptor>
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIDAjCCAeqgAwIBAgIQNKdekA/14LlCm3n+V95laDANBgkqhkiG9w0BAQsFADA9MTswOQYDVQQDEzJBREZTIEVuY3J5cHRpb24gLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNTAxMzAxNDM1NTdaFw0xNjAxMzAxNDM1NTdaMD0xOzA5BgNVBAMTMkFERlMgRW5jcnlwdGlvbiAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hVrjPkRLb9b4DwVA/VrjLJQlckICGS7CssAuM+uSaZ4HT6oQWzPolT5Gy3sl5qbbjGMuu/LkZGoht/a5qZCE6klDrMjo1wVIu5zXSLI0isCpX3Dp8C8b03XJKv3qwnn//+2p1dZC60vo29uTp8O06O4YeyGN11MabXDeMpFXj+z2Y2M/Zbp1NexjUyo2ijaPvOhOph7weMwIw1XgZQuVCOkNGNVp9vG4A8id9FsWkaP8GcSPMl6xrGf3hteulP8PIlGAlr5DRU5+9lhiOnimsnaSaVkynoPbx83bb27NZxP48MuGaUwi+VVAFn0ol0OlEStzkYO5uj7j7Ey+Jpr7wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCq7UlZ3INrbS4jJtDd+x50zsORBi2zqS/GfTEPoNCbEMxK7UFp+ILwoIbVRrLFHSKqO7qzFShk/GFgudlWWOmD7wzZs+ehbNkTI0APlpyY7xffgIn1YMgXsCnB+j2T26MOliIQXZpcrC5Gl4ZTIXNnxWaikYuzkLiLPvrIiS36LuOPvHzz9WzfvAZxJtU6UciLIO7P/b6B5NhjR/FvWNhWrxzXSIXrG/OYofc2xeM4j7iz6m6HqlD1C0djs+SQwm3lhsNIQd9kz0/MDrJ0rSslDUSHO+un4BxNP5qHVm/7ako0yDqb/JMi77scfdWQgPH0ilK5yttOkfpD6+sfx3vO</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIC/DCCAeSgAwIBAgIQXsoV+QdZwptO13bhEotj3DANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNTAxMzAxNDM1NTdaFw0xNjAxMzAxNDM1NTdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzbYWP8UCQ3UZylYY/wwN2eEMAMMb1TSnxK06NMtClNZDsVoFRhK1iFIBAmzXDGsazkSmbzMf2Vvte5nGLWotH0tHunD2fX9gAYioMQ5lVYxbNAPUMmkR0IbwioNeC09nn0UaA48PzZtLO/vlc7yHMAgtWra7ShdR1VFxIVUrungrnb2E709c8QXctMBwl670otk8C7frYDCfVebqOI21zI+c45GaQZy8pWCVFy33OtnpqjiRNRTyAJKS24Xt+5SyUnsxGZ9GGzyC1B16A4JWD5BcRKGpr3pkS+4JrcfXqSgCz2WFRai5d+VyGGajV4OrFB9XvQn0kl/gTUg4WCcwdQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCp4OGlPO2E+7lX3vBJhzt0ZO3HKWT14ONifk/HrK+hEdof2yXgRb8HTw6a0xLmtP3mzSeJopOzWbojOE7F1yBn149fkCmEXEzZH+pMrfpdJPCwwn/a74mHO1EKqqgZ40sjE9dqJTXbeor6soukPEzpO5ft2MYqXKbI/fQdr4sux72d6VnANFxR7mqsUtGiNGoBR7jF0W2t9XVi8Pmt4ogH5qJrXw7502tkW8V85v5xAyr06mk8OX4e4Qsy8l8a4Pv9UhRi8UV3DX7D0pJRrqR9VOEugs2x6WPLk/h9zigZ298Z9rnarlxjL8S/h66i2VOtBBQv+GMn1QapOSEGisjk</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIC/DCCAeSgAwIBAgIQNZPgoCKakLhGW8jNQpweNDANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNjAxMjcxNjM5MzdaFw0xNzAxMjYxNjM5MzdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAps5zxPHuEbvdufytptsR/fFAjIqOMv3ttHaD6eL3mVn5FX8LEFDBWtX7NhCn4g++XTeqN8bLZJB0AFMNzd0aBQFNJeU4bP3yA8aQIuPPMYfuJSLcNGiLNhJzh0xCFVMvHoVedgCQdAEyXuk3UoI8C4ciru668HfXtz03zswkL4HmEv3tSLxQSX+EL02efhsfHaebY+svBF5838d0eA0RoWkyAHKtarldrxDcZPhcl/nxGGS66VYEjEzIW0PZCToHI4k5kKirgDlfQ+8N1ovZl3Z9JWf09Ii28K8/WSHFIhQdiTL4As1Lr28rcCksoAN/QswWP90JTOdsMAilC3yNPQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB3nrB+PVvga07QUUzssUZQmQKWUM7z/i01+2imRfGUonQsJOtnnJnwARyDsTFbY9EgPJ2zK0+xIWzHRKdDN+0h0YZVQhLTe8b2vCOiJdaQBo8CuWNnfDCjAsedMT04ywsujqZO0IHyVELLVwi+RYpeEpYfd1aC8X17wP3N0YhqmzjwQ5I4rVNi6Wa5X4SI+MqbO8XN861HNu6ObM/TcoSHNXSbEq6Goo6jtOmrL2yXg0Wh7AflwCEOzH3xoR7SpqZeWUKs2CfMuo5NslcaR4baKU5ZloGI/FdpFRR9PdJd0LpECdS/j4zFFsmWlorPEcH9+HeZKH+HgA/0ZQEPpHpk</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" />
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" />
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" />
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://win-h88n3pgbc9h.adds.coolshop.it/adfs/ls/" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Is Registered User" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device Identifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device Registration Identifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device Registration DisplayName" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device OS type" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Device OS Version" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Is Managed Device" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Forwarded Client IP" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client Application" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client User Agent" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client IP" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Endpoint Path" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Proxy" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Application Identifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Application policies" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authority Key Identifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Basic Constraint" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Enhanced Key Usage" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Issuer" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Issuer Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Key Usage" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Not After" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Not Before" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Certificate Policies" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Public Key" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Certificate Raw Data" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Subject Alternative Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Serial Number" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Signature Algorithm" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Subject" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Subject Key Identifier" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Subject Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="V2 Template Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="V1 Template Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Thumbprint" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="X.509 Version" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Inside Corporate Network" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Password Expiration Time" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Password Expiration Days" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Update Password URL" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication Methods References" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Client Request ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
        <Attribute Name="http://schemas.microsoft.com/ws/2013/11/alternateloginid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Alternate Login ID" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" />
    </IDPSSODescriptor>
</EntityDescriptor>

@tmilos
Copy link
Member

tmilos commented Feb 11, 2016

The assertion in the saml Response is encrypted... I can not decrypt it w/out your private key... Please search for log entry starting with

app.INFO: Assertion decrypted {"profile_id":"sso_sp_receive_response"

and paste that line, so I see the content of decrypted assertion, since signature is validated on it. It would be best not to format the line, since it might corrupt the signed data... just paste the whole line like this

[2016-02-11 12:27:49] app.INFO: Assertion decrypted {"profile_id":"sso_sp_receive_response","own_role":"sp"... etc

ofc if you're not concerned about assertion confidentiality

@alberto-coolshop
Copy link
Author

No concerns.. This is a test server...
Thank you for your time 👍

{"profile_id":"sso_sp_receive_response","own_role":"sp","action":"LightSaml\\Action\\Profile\\Inbound\\Response\\DecryptAssertionsAction","top_context_id":"00000000758000a300007f6809624961","assertion":"<?xml version=\"1.0\"?>\n<root xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_9f026518-bf13-4e6c-9e4f-3e5ff54425e0\" IssueInstant=\"2016-02-11T10:30:37.485Z\" Version=\"2.0\"><Issuer>http://WIN-H88N3PGBC9H.adds.coolshop.it/adfs/services/trust</Issuer><ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/><ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/><ds:Reference URI=\"#_9f026518-bf13-4e6c-9e4f-3e5ff54425e0\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>VNSzFx96HuAp9q0ecpunZBsIoRZD0hqd8mDe846lZoU=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hVfXgDbLmHBNP5/aLvlXu9r+BG9S/vJvl4Dl2r/3r7ECIGjd4YWcZNCDjXKOAprNgmbBiBN5Hs9khzUevseWZ7zeznNIjlVOFyUQu3enjRDyDONKU6KQqmAHbgT2OIpfH0IZhnrXdG88ksqhoWW32Z8/d/pV9CUeVTn/q6hbW0+CUSBRxZkjNShe9bcZxRIuZeLAEiGJbx+p7N395UEGwXQWxc1ZSxESlv3RohhetHYI2J5omsSLGFgimEJzIHk4/fsuVi5cCNxMmnlA3WALsIU53gIY0dt0AyakRJv2XgBCdJTH1CWssU+8OvV2ldyHZW36ByUJvylgljlSLxbawQ==</ds:SignatureValue><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIIC/DCCAeSgAwIBAgIQNZPgoCKakLhGW8jNQpweNDANBgkqhkiG9w0BAQsFADA6MTgwNgYDVQQDEy9BREZTIFNpZ25pbmcgLSBXSU4tSDg4TjNQR0JDOUguYWRkcy5jb29sc2hvcC5pdDAeFw0xNjAxMjcxNjM5MzdaFw0xNzAxMjYxNjM5MzdaMDoxODA2BgNVBAMTL0FERlMgU2lnbmluZyAtIFdJTi1IODhOM1BHQkM5SC5hZGRzLmNvb2xzaG9wLml0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAps5zxPHuEbvdufytptsR/fFAjIqOMv3ttHaD6eL3mVn5FX8LEFDBWtX7NhCn4g++XTeqN8bLZJB0AFMNzd0aBQFNJeU4bP3yA8aQIuPPMYfuJSLcNGiLNhJzh0xCFVMvHoVedgCQdAEyXuk3UoI8C4ciru668HfXtz03zswkL4HmEv3tSLxQSX+EL02efhsfHaebY+svBF5838d0eA0RoWkyAHKtarldrxDcZPhcl/nxGGS66VYEjEzIW0PZCToHI4k5kKirgDlfQ+8N1ovZl3Z9JWf09Ii28K8/WSHFIhQdiTL4As1Lr28rcCksoAN/QswWP90JTOdsMAilC3yNPQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB3nrB+PVvga07QUUzssUZQmQKWUM7z/i01+2imRfGUonQsJOtnnJnwARyDsTFbY9EgPJ2zK0+xIWzHRKdDN+0h0YZVQhLTe8b2vCOiJdaQBo8CuWNnfDCjAsedMT04ywsujqZO0IHyVELLVwi+RYpeEpYfd1aC8X17wP3N0YhqmzjwQ5I4rVNi6Wa5X4SI+MqbO8XN861HNu6ObM/TcoSHNXSbEq6Goo6jtOmrL2yXg0Wh7AflwCEOzH3xoR7SpqZeWUKs2CfMuo5NslcaR4baKU5ZloGI/FdpFRR9PdJd0LpECdS/j4zFFsmWlorPEcH9+HeZKH+HgA/0ZQEPpHpk</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><Subject><NameID>pbo-demo1@adds.coolshop.it</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"_038ce01e899f17c5f6307f668cba44a51adbb334cb\" NotOnOrAfter=\"2016-02-11T10:35:37.486Z\" Recipient=\"https://cnh-pbo.localhost/app_dev.php/saml/login_check\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2016-02-11T10:30:37.473Z\" NotOnOrAfter=\"2016-02-11T11:30:37.473Z\"><AudienceRestriction><Audience>http://localhost/lightsaml/demosp</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"><AttributeValue>pbo-demo1</AttributeValue></Attribute><Attribute Name=\"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername\"><AttributeValue>pbo-demo1</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2016-02-11T09:49:30.577Z\" SessionIndex=\"_9f026518-bf13-4e6c-9e4f-3e5ff54425e0\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></root>\n"}

@gawpertron
Copy link

gawpertron commented Apr 22, 2016
edited
Loading

I'm getting a similar error with an ADFS response
PHP Fatal error: Call to a member function removeChild() on null in /vendor/robrichard /xmlseclibs/src/XMLSecurityDSig.php on line 489, referer: https://ipd.server.com

below is the structure of the response

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="" Version="2.0" IssueInstant="2016-04-20T08:00:09.114Z" Destination="" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"></Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
               <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               </e:EncryptionMethod>
               <KeyInfo>
                  <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                     <ds:X509IssuerSerial>
                        <ds:X509IssuerName></ds:X509IssuerName>
                        <ds:X509SerialNumber></ds:X509SerialNumber>
                     </ds:X509IssuerSerial>
                  </ds:X509Data>
               </KeyInfo>
               <e:CipherData>
                  <e:CipherValue></e:CipherValue>
               </e:CipherData>
            </e:EncryptedKey>
         </KeyInfo>
         <xenc:CipherData>
            <xenc:CipherValue></xenc:CipherValue>
         </xenc:CipherData>
      </xenc:EncryptedData>
   </EncryptedAssertion>
</samlp:Response>

When I adding && isset($this->sigNode->parentNode) to line 488 in XMLSecurityDSig.php does not seem to solve the issue.

if (! $docElem->isSameNode($this->sigNode) && isset($this->sigNode->parentNode)) {
    $this->sigNode->parentNode->removeChild($this->sigNode);
}

I'm using version Light SAML 2.0 and "robrichards/xmlseclibs 2.0

@tmilos tmilos mentioned this issue May 19, 2016
Closed
@tmilos
Copy link
Member

tmilos commented May 19, 2016

@alberto-coolshop
I was not able to reproduce the same removeChild() on a non-object error, but I noticed that IDP certificate was expired since it's valid to 2016-01-30 14:35:57 which was past time at the moment you reported this at Feb 11, same as the encryption certificate. And I'm getting LightSamlSecurityException 'Unable to verify Signature' thrown from SignatureXmlReader at line 83. Guess the reason of failed signature validation I got is expired IDP certificate.

I can not see a reason for that removeChild() on a non-object error, but eventually I may get it if I reproduce the whole flow starting from the received SAML Response, and in order to do that, I would need all unmodified log rows from that http request (to get the original SAML Response message) and your private key the assertion in encrypted for (so I'm able to decrypt it).

@falkorhein
Copy link

You could take a look on this issue:
robrichards/xmlseclibs#108

@tmilos
Copy link
Member

tmilos commented Aug 17, 2016

Guys, in order to be able to fix it, we (@lightSAML or @robrichards) need to be able to reproduce it, so please provide all necessary data needed to reproduce the error... I think that includes:

  • unmodified received XML of the Response - if you format it, won't be able to decrypt/verify signature
  • your key par - private key and certificate
  • IDP metadata

Ideally, provide a link to a code (repo or gist) that can be downloaded/cloned and the error reproduced.

Beside, the full log (again unmodified), from the start of the ACS http request to the end of it, would be very helpful.

As mentioned above, I was not able to reproduce it on un-encrypted response.

Propositions to add additional check robrichards/xmlseclibs#108 does not tell how to handle the response itself in that case and how to verify signature... Anyway, in order to be able to make correct decision and fix it properly... again... we must be able to reproduce it.

@tmilos tmilos mentioned this issue Aug 17, 2016
Closed
@tmilos tmilos mentioned this issue Sep 20, 2016
Closed
@tmilos
Copy link
Member

tmilos commented Nov 2, 2016
edited
Loading

Finally have managed to reproduce. It happens if one same signature is verified for the second time

@tmilos
Copy link
Member

tmilos commented Nov 2, 2016

Made fix in robrichards/xmlseclibs#113 ... waiting to be merged

@tmilos
Copy link
Member

tmilos commented Nov 2, 2016
edited
Loading

In the meanwhile lightSAML/lightSAML#60 was done to try to reduce number of credential candidates and eventually avoid multiple validations of the one same signature. Upgrade to lightsaml version 1.1.2 and try, there's a change it will work for you. Otherwise, you would have to wait for robrichards/xmlseclibs#113 to be merged and tagged.

@alberto-coolshop
Copy link
Author

Thank you Milos! I currently maintain 2 project with a SSO auth methods. For the most recent of the two I noticed the new release and the implementation went without trouble!

You could consider this issue closed for me ;)

@tmilos tmilos closed this as completed Mar 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@falkorhein @gawpertron @tmilos @alberto-coolshop