From b7016dd69a9c599b0752aa84a9615d2135845dec Mon Sep 17 00:00:00 2001
From: Fumiaki Kinoshita <fumiaki.kinoshita@herp.co.jp>
Date: Mon, 1 Aug 2022 09:53:36 +0900
Subject: [PATCH 1/4] add golden tests

---
 package.yaml                     | 15 ++++++
 tests/data/keycloak.xml          | 50 +++++++++++++++++++
 tests/data/keycloak.xml.expected | 57 +++++++++++++++++++++
 tests/data/okta.xml              | 85 ++++++++++++++++++++++++++++++++
 tests/data/okta.xml.expected     | 63 +++++++++++++++++++++++
 tests/parser.hs                  | 28 +++++++++++
 wai-saml2.cabal                  | 39 ++++++++++++++-
 7 files changed, 336 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/keycloak.xml
 create mode 100644 tests/data/keycloak.xml.expected
 create mode 100644 tests/data/okta.xml
 create mode 100644 tests/data/okta.xml.expected
 create mode 100644 tests/parser.hs

diff --git a/package.yaml b/package.yaml
index 4ab6759..654b341 100644
--- a/package.yaml
+++ b/package.yaml
@@ -43,3 +43,18 @@ library:
     ghc-options:
     - -W
 
+tests:
+  parser:
+    main: parser.hs
+    source-dirs: tests
+    ghc-options: -Wall -Wcompat
+    language: Haskell2010
+    dependencies:
+    - base
+    - bytestring
+    - filepath
+    - pretty-show
+    - tasty
+    - tasty-golden
+    - wai-saml2
+    - xml-conduit
diff --git a/tests/data/keycloak.xml b/tests/data/keycloak.xml
new file mode 100644
index 0000000..b2fbb3c
--- /dev/null
+++ b/tests/data/keycloak.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="http://loopback.ja-sore.de:3000/auth/page/saml2/login" ID="ID_5b1d000b-3a5e-4dfe-aa4e-b7bf1e3efbfd" IssueInstant="2022-08-01T00:32:49.365Z" Version="2.0">
+  <saml:Issuer>http://localhost:8080/realms/HERP</saml:Issuer>
+  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+    <dsig:SignedInfo>
+      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <dsig:Reference URI="#ID_5b1d000b-3a5e-4dfe-aa4e-b7bf1e3efbfd">
+        <dsig:Transforms>
+          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </dsig:Transforms>
+        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <dsig:DigestValue>/U47P3hsUf+tUyyglYF8M1u6lbVnHimCthtxusju4mo=</dsig:DigestValue>
+      </dsig:Reference>
+    </dsig:SignedInfo>
+    <dsig:SignatureValue>b9vgIBQ1yNvUYgNmfAyuQJXOJ68PMfRvNAZEa93tnzZXHPEsf7/F49xI6/mlYI/T9pDxYnFcfl7kPMxgz4ssvMjwUEgAR3G3ZrNv4gPMUPmbZnXe0KG8yU9AskK90ya/T11kQfI21cSlA8FrLPTGP2X97yErR10mIDvEJ/m5dWra95cGLx/ntjaSIqNJpVgpHhRxieS4Lw+zeWe/nVuznXQnb8VRhCq18ikL/u23+YhYT3ws3iXQssJ2BosX9JJt0O+X31sIHJIWHsxbI69NLJ782bVDDkI1PNF8MKoa8gSEiLsNSmp3SyXtMPzaRIBguksl9xbnmYmsJDQg6kFVlQ==</dsig:SignatureValue>
+    <dsig:KeyInfo>
+      <dsig:KeyName>r5t3lmdd-nE1F0SMgE-VTIrwlAl76ARtcLg6HY3eNIA</dsig:KeyName>
+      <dsig:X509Data>
+        <dsig:X509Certificate>MIIClzCCAX8CBgGB3QMSRDANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARIRVJQMB4XDTIyMDcwODA4NTExNFoXDTMyMDcwODA4NTI1NFowDzENMAsGA1UEAwwESEVSUDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIQY3ijqgQakSjRGbiu9DmQANm9ofSUmIQm53aDajriWr0rC4Q3XhxrDvYBVEutyA/z5htZiWtl6aPTFwj7Y6dF8Kl+5NZMU7U02O2jnQbDFPmdRCtEPm58uWVU0PKRsVX3s2KFW67x7S+fwHOOaipF6i9P6dhfSI2UBJR+gUJBD51/Eya/fx0Jpdmd4W4GgjZAy/H5WohcFrfU6DWL5fvj9Dy/KGBxvS3rI8/xC5oIq4LHp3lAqefNUixUKTMJgnDsozewSpC8d5DnLj9AGW/tuOX+CIOeC8z5pe81JuQMODVmN6xNRRM9kdqoyU+MTVObZ+L1IjqYDhbRLk/SZaDECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADbJbqk8h7mpPWhAMURRZ7KZqoaoI1fe63HnWXFYVnBQlQFJ1RfH2Zau7Gge5nrfP1w9z7V1p6C/Y9nHxpQdTI4vXNUgnVQ1NPXjXGQW1k+cJrT6eKxXLyVo8qks/RWpV9lpGmdf/K7NdWsT8lliX6NYZtIeeldxQFA7dyZ60DDX7QG0KOxVWt4nAZB65p94Grt3Qq2PDXgHkYLWIpxK5xUBtRbiGfJTc3KYK6ZWPwWxHkMooPYRo4D3nSpPRu4uowAlul/bjw16w1OeoJUUzinX5/YL5sj/eWYo4++FKz1Lhc0AyoZVehyQXfH+cREg788wRpl9Ar2bMl9oeDTVRLQ==</dsig:X509Certificate>
+      </dsig:X509Data>
+      <dsig:KeyValue>
+        <dsig:RSAKeyValue>
+          <dsig:Modulus>hBjeKOqBBqRKNEZuK70OZAA2b2h9JSYhCbndoNqOuJavSsLhDdeHGsO9gFUS63ID/PmG1mJa2Xpo9MXCPtjp0XwqX7k1kxTtTTY7aOdBsMU+Z1EK0Q+bny5ZVTQ8pGxVfezYoVbrvHtL5/Ac45qKkXqL0/p2F9IjZQElH6BQkEPnX8TJr9/HQml2Z3hbgaCNkDL8flaiFwWt9ToNYvl++P0PL8oYHG9Lesjz/ELmgirgseneUCp581SLFQpMwmCcOyjN7BKkLx3kOcuP0AZb+245f4Ig54LzPml7zUm5Aw4NWY3rE1FEz2R2qjJT4xNU5tn4vUiOpgOFtEuT9JloMQ==</dsig:Modulus>
+          <dsig:Exponent>AQAB</dsig:Exponent>
+        </dsig:RSAKeyValue>
+      </dsig:KeyValue>
+    </dsig:KeyInfo>
+  </dsig:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:EncryptedAssertion>
+    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <xenc:EncryptedKey>
+          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+          <xenc:CipherData>
+            <xenc:CipherValue>lpbo7DUIyBBVk57bZTQNMiRclHbPFw/ETEPpVA94UdVedgKhFD0muHsdahj4EKMRVkaRqw7c6anprpmI0WLy5Jx8ndvB8cjpOutxSdCnI3MDyhyR81Rsv4QfsxHlOUnaB6360HcQqUj1kdRNyRdAOP44C/qNd5Y20gOFxrQFAdlNP0fLWRdY6Xippv0BwsC7Thwuz7acPkYCG+5Mk1Up8GNK24MzG27gpafuSmKcnrPG2aoBiOmXwOx4aBX7FtzOjAZtbtdx7lenIJtM6p7Tq8T2iD5rfv0hW8szeOhzpe0idY240vHK3IY5Zy27fkNqQC9KvZLW49m/1TszbIb21w==</xenc:CipherValue>
+          </xenc:CipherData>
+        </xenc:EncryptedKey>
+      </ds:KeyInfo>
+      <xenc:CipherData>
+        <xenc:CipherValue>KnQUayhWa+RmYTejQviqx0zlWO/9wlnolTZSe/yf8QkBWZiG0W1Zj4Saw7D1SOMKPVekYtBWNmtlBtnhQuMjwOHMXXTG51Hb+U55uGQZUoCMmIc5dchBfmTi7CkVzhR11zEo279w49WkQiQmcqkup1hy6M7BPJScixbWWGVX6NzWbFL7FHr2DyuDhFcB4YkEEEDYbiYi5qJBV5lO+3Yj4zQ2yPogJS3bnfTNqgj/MeZG+R8Y5Zfvk5slwo1q6BiQFLiB5kW4sj0HzC3YwTTCUBrNfqjiPCKRm5bGcyESwyr+NB03Hco25mcxjFf5HfZz9igPHqbeCEOBu5h0IgVEFy4xYUBAFXH6+1QH5WO2D+oE7ati7qGM56uXDd1DlwgK+gW9yKfbCDeJbXSk9alWl6iZHQsqeRjE2j7jcXwsbELPHAMpfjoT70usXVf7u1wf87QfUlZLfg60kc7snCpYMnSbTWlS22hxU4RvE0D9omu09Z0sxgAJrb1F3frsupxcnAR2/wmQPz64ZVAECMIh+ZdQtohlwMkJyk0FlIZtQkPHLpYf5yxUV3+GA1TjnaRljHP9mCcU7ic6NRy8wLUxX9crNhBp+3zB7w1PT7aZ7hAP6JAbaVJJwgxpJVCdjcoLENTAo9xoNUimGOgkjTcDhoaH3tMIp3JkVA+TdG9+speTjrIeermcf6xt6yom9NA4TYaznm8zQTECp/Q3qJmrDp/NwHQnKnYS8/g1ulmwjfMS+wc959VvqZ1E566x+R+V+p6pEbiiZEhqnnEpP+bwWNsa/17AogCUKB55nLeWlw2llEUph3B40DgHwkBWysoaum3ZOxr0JYBaq6h4p4h4y1OpAq5YvPF4pgj/o9d6g6kZGPDmKYnwhc5qBARSd3Ld1i4+k+4viduUoKXN8TZ7248S4zgqsv1pXgqSe67exr8lYDZDM26GBJNoMnBcS2WA7Oysow+jffB5orsHkTiJLPuSq9uhVsTC7vq1AcZMzn4Sv2SuJGsP8wTEoVnPy1NLJ81Av5cA2rFFukQsoacQLN8aN9PG3PYABvpo+a5hdqWZ45w1sZd50UgGM4M6XNQseDFXEpFC7zoTynsC+qLWhAK9HkP97l+3l7GGhZ1nHaMKA/rqhYO328UQzhDnYT/guhfBhVktfWpeeelVN0/l7JWEbRoCcogEjdCGCgRyDZFSyvX43e06Voh2DGlcwbmHj4H2PJ3N83SDjsap8ffKXNcQ3+MUM7tt+lVqFUR9kAu9ClX25eMQt90N5Vzwz+SLlHtW0UBVMB/aokh24/7b92LyW3zmy2Sr9bdSg1aow8bC45Hprq2v51gjpobAQMIhKgyuY7K6rsoPNokwmj899XKQgTHa8zTiaBBZroWCbUF7Yprqz2vEVBESgNADDSEWbTUT1onj6exhtl7lHw0+Nqm0rDUj3uHdzObGvtgXafqKZfQTjsWOWquhE1nmWlKiKPD75OeOFBStQv/SXQa05Bbxl5HvQAKsVl2Y/yy3/Qe3XZWvXo4iWgpbNbPFla2M5olL431uGr8cFYkJORClkHif+j6QbSpRZ5Q9Cz4q0rP5W3e/ubmUZDF1ethBSOojeAOhbR5s0cGTCpAuv7MAZgMVx85bLmVbrE4Q4ut9yHazm3xtWH+xgpDNSxENqvJp/kkJAIxerh2QmRRjn4AbQaTCMGVp6n2nBxC3K6KqxNbKjJlXWs4Av2Wsu3eU967fFpsxGBUp75ktQg1v89lOjGgpbLXVxHO0OGTZV2EhQk4FTesBhnhBQmvZmByCsjbMmOFXkdE6mO/v+yFRfhw4rIGeu0qbbm9bUbK7+tesNqq4ZUvlB0OF722Cbge7DNST0wit8CpDJ1S/jq+4Pbb8DmTLu1FmG91B0ylFh4r3OhiKdNkihzXjO78w7/s4vYClu7yUkg1+TiEDeiwITXbCBfatQP/5FusUXAkYcZASiE0ZjmK6+mYMEvcaFv5ILB9MuRgWLVncRwYCrlQgzRLXUOvkq+d2Z+/Sq8nIaJ4n7U6uTDpGNl6oHW7L3/fNpcxdNEF1O6GrcH0WbXlHgAeukJUzxADs91GiMr/xoOYJVLPHoXh2HbJabLx03JKQnY1L6DA03ha/T1rWBhVp1DCFGK1Vvqnf3yKx01s73HG+afAKBuiyWbbqzEZtPKk2qmIZz5MbXkYNmFfM0eGC153IXNk0Ix5xgIIDRkjCr/D0xN1caOHibelvjaxhgQT27qThYHVGeimXHUaEjPYqLjaJUlPoN1M/nS78ybt+P/eXOBRr7fggySRhwmPvtoodFKRl840IwUrfm5YYBbEPp4UVEGwRiwV25KYWJqSUEYbCQOKGshlbLDDycyrrPQ9e+ZSZQpkx5U5fBFzqJDibjwjWXJSIFmPVBQTnUrcTGd3Btxj6lSrNrEL3mL9lmgGcky1klcY5YzCGS7AUE5SofYAhL0WyMdQyXsPZRfTyVpogLMMuCXZETlfxB6nBC+MDyFlUO6RgaBW9AP3WGNM5qcbWdotDLhk3Z7cFdDM/FoShQkBrekBoqXc2687ik+3jMDDoGLZaWAwV0RGeATdcbqh1E6NObcpG/kN2its0t9aFAqgN2TKQllSBneZ7GS3Be+ZCW0Wmd8AWbRA3pPiHW1JvstdiyAggCk7+l0Gw0+utJrkJv207+hTM7Jg3WUTKAT7LhW/l9C0MZQqvDCRE/Nd2aGZAGqjfGkbyg7sfp4KCN4MQAaIv3vwK8TvdWDaey0lD90iWus54xsxlSMOBPd82gW5CY2w0vo8/LfbRIP89phlTX9KoXZJy8ACcZcywIk6mI0DAuezDDs/gyfYD7+8/+t5dZBv1+jLqmDVFRBmo/fi6AaBXyEabKTeLjTjJxxiBkTCWqHlKAo4euO7bTJHSZLD/szKLjazeyPkTX9HHnOSl30lL/iQ7hnXWNHVBe9ZPPcnshV63kp736ugEmHsRgtR+728vpD3TwqLtHJp3lwAvZYoOGSLyOqH+lsbqt72vn6HLO2OphgLeBQ7eFegsmMFqd3mU/e9BwKNwp826T85O4IypngpJmo4c3I5gEurRV021Oew9t8sjDUizMRLOkvoAtwKj/vaj4nQhvJByYObTFyAqxJ2r9tVXJdhbmGek9P+ZuRW2EzN1oN6Tl7h9nwk/x0W00B81/SQMt/5FsX8KvUt1PY3Z8MWVA3lJ5J66ZyckubLidUVKhSR/ebcya1dWA/nYycBQlCl5KHc2G6vmnFVgqpkUebqvZEQfT7y23G8Hr9VU6FNw+u5luJWfbM/dxKqhsPmPaV0BzjM+n5dZT4ZageeahAT8hAJ2dqIYqe78A1CNYCFSb2ew0iNNBVm9rwRKhEFEEKmfx/KIo7GgSRDRMFvPLDCSb3n1i9Qj/+yNkpC1lcMbR6BlQ7aJ7vNIurVs1T1pIOeuhafLctYTAZ1Xj+jKCXpnQ50WEHDEi5ohxrKRTkbes8M3dMTWMSC1PD5sMqM52s90fB0bP/bvLNrBTn2PfutRS3SoQRUWndZ3HpqZEIZfeBOwvyk2oP+41NtvBC5sQGQg+4oMes5uQdlyxWee+st8S2SyWHalsBFQeP2OOoiS0WFS4X/YMKZAOViKTGQLi/FtD64Gu1jw4CIpfA8UVRDzs7zPDeNo9/5nOk1PuKlFbmQpPuam9jHHScMXRnjfDVZ4cyFXUS/8K2XnFk4qjYh7lbAmnlZdIoLIU8QiKRPKDMq0bKqhCnX0Fp4Mo8IkppHOZvKSZ6geVKzzaEi7gOGwTnah0eKhKXk+28Pq9hxGqBJS6htyo9IXJYN3yMxh1uC/yqCPRslWVyt6WJLeClJRKdvnyWMeQlW11JGXhcYh5Dhnnw6KeYwea3+e+b5M4ZSVPTwbOwwpaXWC00MQ196y04VNyaJv+dpXaVLkgJJcQA1BkhDTyxhEgNg6fwdDPS33F3QjJTMHrPII+aJcHjTGhEVLQ8Swkcc6XWb1Xxsvqh9RnoWTwI6doUTMiD7+qF0pHzkNPyERxvUAx/sTcxIPcEG9c5bvogNC+y0qPi6DRCJshpH34NSmBUAeLbdpFI/PAyXi4G1ECEq9z43X7SyRIzfN43xy</xenc:CipherValue>
+      </xenc:CipherData>
+    </xenc:EncryptedData>
+  </saml:EncryptedAssertion>
+</samlp:Response>
diff --git a/tests/data/keycloak.xml.expected b/tests/data/keycloak.xml.expected
new file mode 100644
index 0000000..2b61ad3
--- /dev/null
+++ b/tests/data/keycloak.xml.expected
@@ -0,0 +1,57 @@
+Response
+  { responseDestination =
+      "http://loopback.ja-sore.de:3000/auth/page/saml2/login"
+  , responseId = "ID_5b1d000b-3a5e-4dfe-aa4e-b7bf1e3efbfd"
+  , responseIssueInstant = 2022-08-01 00:32:49.365 UTC
+  , responseVersion = "2.0"
+  , responseIssuer = "http://localhost:8080/realms/HERP"
+  , responseStatusCode = Success
+  , responseSignature =
+      Signature
+        { signatureInfo =
+            SignedInfo
+              { signedInfoCanonicalisationMethod = C14N_EXC_1_0
+              , signedInfoSignatureMethod = RSA_SHA256
+              , signedInfoReference =
+                  Reference
+                    { referenceURI = "ID_5b1d000b-3a5e-4dfe-aa4e-b7bf1e3efbfd"
+                    , referenceDigestMethod = DigestSHA256
+                    , referenceDigestValue =
+                        "/U47P3hsUf+tUyyglYF8M1u6lbVnHimCthtxusju4mo="
+                    }
+              }
+        , signatureValue =
+            "b9vgIBQ1yNvUYgNmfAyuQJXOJ68PMfRvNAZEa93tnzZXHPEsf7/F49xI6/mlYI/T9pDxYnFcfl7kPMxgz4ssvMjwUEgAR3G3ZrNv4gPMUPmbZnXe0KG8yU9AskK90ya/T11kQfI21cSlA8FrLPTGP2X97yErR10mIDvEJ/m5dWra95cGLx/ntjaSIqNJpVgpHhRxieS4Lw+zeWe/nVuznXQnb8VRhCq18ikL/u23+YhYT3ws3iXQssJ2BosX9JJt0O+X31sIHJIWHsxbI69NLJ782bVDDkI1PNF8MKoa8gSEiLsNSmp3SyXtMPzaRIBguksl9xbnmYmsJDQg6kFVlQ=="
+        }
+  , responseEncryptedAssertion =
+      EncryptedAssertion
+        { encryptedAssertionAlgorithm =
+            EncryptionMethod
+              { encryptionMethodAlgorithm =
+                  "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
+              , encryptionMethodDigestAlgorithm = Nothing
+              }
+        , encryptedAssertionKey =
+            EncryptedKey
+              { encryptedKeyId = ""
+              , encryptedKeyRecipient = ""
+              , encryptedKeyMethod =
+                  EncryptionMethod
+                    { encryptionMethodAlgorithm =
+                        "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
+                    , encryptionMethodDigestAlgorithm = Nothing
+                    }
+              , encryptedKeyData = Nothing
+              , encryptedKeyCipher =
+                  CipherData
+                    { cipherValue =
+                        "lpbo7DUIyBBVk57bZTQNMiRclHbPFw/ETEPpVA94UdVedgKhFD0muHsdahj4EKMRVkaRqw7c6anprpmI0WLy5Jx8ndvB8cjpOutxSdCnI3MDyhyR81Rsv4QfsxHlOUnaB6360HcQqUj1kdRNyRdAOP44C/qNd5Y20gOFxrQFAdlNP0fLWRdY6Xippv0BwsC7Thwuz7acPkYCG+5Mk1Up8GNK24MzG27gpafuSmKcnrPG2aoBiOmXwOx4aBX7FtzOjAZtbtdx7lenIJtM6p7Tq8T2iD5rfv0hW8szeOhzpe0idY240vHK3IY5Zy27fkNqQC9KvZLW49m/1TszbIb21w=="
+                    }
+              }
+        , encryptedAssertionCipher =
+            CipherData
+              { cipherValue =
+                  "KnQUayhWa+RmYTejQviqx0zlWO/9wlnolTZSe/yf8QkBWZiG0W1Zj4Saw7D1SOMKPVekYtBWNmtlBtnhQuMjwOHMXXTG51Hb+U55uGQZUoCMmIc5dchBfmTi7CkVzhR11zEo279w49WkQiQmcqkup1hy6M7BPJScixbWWGVX6NzWbFL7FHr2DyuDhFcB4YkEEEDYbiYi5qJBV5lO+3Yj4zQ2yPogJS3bnfTNqgj/MeZG+R8Y5Zfvk5slwo1q6BiQFLiB5kW4sj0HzC3YwTTCUBrNfqjiPCKRm5bGcyESwyr+NB03Hco25mcxjFf5HfZz9igPHqbeCEOBu5h0IgVEFy4xYUBAFXH6+1QH5WO2D+oE7ati7qGM56uXDd1DlwgK+gW9yKfbCDeJbXSk9alWl6iZHQsqeRjE2j7jcXwsbELPHAMpfjoT70usXVf7u1wf87QfUlZLfg60kc7snCpYMnSbTWlS22hxU4RvE0D9omu09Z0sxgAJrb1F3frsupxcnAR2/wmQPz64ZVAECMIh+ZdQtohlwMkJyk0FlIZtQkPHLpYf5yxUV3+GA1TjnaRljHP9mCcU7ic6NRy8wLUxX9crNhBp+3zB7w1PT7aZ7hAP6JAbaVJJwgxpJVCdjcoLENTAo9xoNUimGOgkjTcDhoaH3tMIp3JkVA+TdG9+speTjrIeermcf6xt6yom9NA4TYaznm8zQTECp/Q3qJmrDp/NwHQnKnYS8/g1ulmwjfMS+wc959VvqZ1E566x+R+V+p6pEbiiZEhqnnEpP+bwWNsa/17AogCUKB55nLeWlw2llEUph3B40DgHwkBWysoaum3ZOxr0JYBaq6h4p4h4y1OpAq5YvPF4pgj/o9d6g6kZGPDmKYnwhc5qBARSd3Ld1i4+k+4viduUoKXN8TZ7248S4zgqsv1pXgqSe67exr8lYDZDM26GBJNoMnBcS2WA7Oysow+jffB5orsHkTiJLPuSq9uhVsTC7vq1AcZMzn4Sv2SuJGsP8wTEoVnPy1NLJ81Av5cA2rFFukQsoacQLN8aN9PG3PYABvpo+a5hdqWZ45w1sZd50UgGM4M6XNQseDFXEpFC7zoTynsC+qLWhAK9HkP97l+3l7GGhZ1nHaMKA/rqhYO328UQzhDnYT/guhfBhVktfWpeeelVN0/l7JWEbRoCcogEjdCGCgRyDZFSyvX43e06Voh2DGlcwbmHj4H2PJ3N83SDjsap8ffKXNcQ3+MUM7tt+lVqFUR9kAu9ClX25eMQt90N5Vzwz+SLlHtW0UBVMB/aokh24/7b92LyW3zmy2Sr9bdSg1aow8bC45Hprq2v51gjpobAQMIhKgyuY7K6rsoPNokwmj899XKQgTHa8zTiaBBZroWCbUF7Yprqz2vEVBESgNADDSEWbTUT1onj6exhtl7lHw0+Nqm0rDUj3uHdzObGvtgXafqKZfQTjsWOWquhE1nmWlKiKPD75OeOFBStQv/SXQa05Bbxl5HvQAKsVl2Y/yy3/Qe3XZWvXo4iWgpbNbPFla2M5olL431uGr8cFYkJORClkHif+j6QbSpRZ5Q9Cz4q0rP5W3e/ubmUZDF1ethBSOojeAOhbR5s0cGTCpAuv7MAZgMVx85bLmVbrE4Q4ut9yHazm3xtWH+xgpDNSxENqvJp/kkJAIxerh2QmRRjn4AbQaTCMGVp6n2nBxC3K6KqxNbKjJlXWs4Av2Wsu3eU967fFpsxGBUp75ktQg1v89lOjGgpbLXVxHO0OGTZV2EhQk4FTesBhnhBQmvZmByCsjbMmOFXkdE6mO/v+yFRfhw4rIGeu0qbbm9bUbK7+tesNqq4ZUvlB0OF722Cbge7DNST0wit8CpDJ1S/jq+4Pbb8DmTLu1FmG91B0ylFh4r3OhiKdNkihzXjO78w7/s4vYClu7yUkg1+TiEDeiwITXbCBfatQP/5FusUXAkYcZASiE0ZjmK6+mYMEvcaFv5ILB9MuRgWLVncRwYCrlQgzRLXUOvkq+d2Z+/Sq8nIaJ4n7U6uTDpGNl6oHW7L3/fNpcxdNEF1O6GrcH0WbXlHgAeukJUzxADs91GiMr/xoOYJVLPHoXh2HbJabLx03JKQnY1L6DA03ha/T1rWBhVp1DCFGK1Vvqnf3yKx01s73HG+afAKBuiyWbbqzEZtPKk2qmIZz5MbXkYNmFfM0eGC153IXNk0Ix5xgIIDRkjCr/D0xN1caOHibelvjaxhgQT27qThYHVGeimXHUaEjPYqLjaJUlPoN1M/nS78ybt+P/eXOBRr7fggySRhwmPvtoodFKRl840IwUrfm5YYBbEPp4UVEGwRiwV25KYWJqSUEYbCQOKGshlbLDDycyrrPQ9e+ZSZQpkx5U5fBFzqJDibjwjWXJSIFmPVBQTnUrcTGd3Btxj6lSrNrEL3mL9lmgGcky1klcY5YzCGS7AUE5SofYAhL0WyMdQyXsPZRfTyVpogLMMuCXZETlfxB6nBC+MDyFlUO6RgaBW9AP3WGNM5qcbWdotDLhk3Z7cFdDM/FoShQkBrekBoqXc2687ik+3jMDDoGLZaWAwV0RGeATdcbqh1E6NObcpG/kN2its0t9aFAqgN2TKQllSBneZ7GS3Be+ZCW0Wmd8AWbRA3pPiHW1JvstdiyAggCk7+l0Gw0+utJrkJv207+hTM7Jg3WUTKAT7LhW/l9C0MZQqvDCRE/Nd2aGZAGqjfGkbyg7sfp4KCN4MQAaIv3vwK8TvdWDaey0lD90iWus54xsxlSMOBPd82gW5CY2w0vo8/LfbRIP89phlTX9KoXZJy8ACcZcywIk6mI0DAuezDDs/gyfYD7+8/+t5dZBv1+jLqmDVFRBmo/fi6AaBXyEabKTeLjTjJxxiBkTCWqHlKAo4euO7bTJHSZLD/szKLjazeyPkTX9HHnOSl30lL/iQ7hnXWNHVBe9ZPPcnshV63kp736ugEmHsRgtR+728vpD3TwqLtHJp3lwAvZYoOGSLyOqH+lsbqt72vn6HLO2OphgLeBQ7eFegsmMFqd3mU/e9BwKNwp826T85O4IypngpJmo4c3I5gEurRV021Oew9t8sjDUizMRLOkvoAtwKj/vaj4nQhvJByYObTFyAqxJ2r9tVXJdhbmGek9P+ZuRW2EzN1oN6Tl7h9nwk/x0W00B81/SQMt/5FsX8KvUt1PY3Z8MWVA3lJ5J66ZyckubLidUVKhSR/ebcya1dWA/nYycBQlCl5KHc2G6vmnFVgqpkUebqvZEQfT7y23G8Hr9VU6FNw+u5luJWfbM/dxKqhsPmPaV0BzjM+n5dZT4ZageeahAT8hAJ2dqIYqe78A1CNYCFSb2ew0iNNBVm9rwRKhEFEEKmfx/KIo7GgSRDRMFvPLDCSb3n1i9Qj/+yNkpC1lcMbR6BlQ7aJ7vNIurVs1T1pIOeuhafLctYTAZ1Xj+jKCXpnQ50WEHDEi5ohxrKRTkbes8M3dMTWMSC1PD5sMqM52s90fB0bP/bvLNrBTn2PfutRS3SoQRUWndZ3HpqZEIZfeBOwvyk2oP+41NtvBC5sQGQg+4oMes5uQdlyxWee+st8S2SyWHalsBFQeP2OOoiS0WFS4X/YMKZAOViKTGQLi/FtD64Gu1jw4CIpfA8UVRDzs7zPDeNo9/5nOk1PuKlFbmQpPuam9jHHScMXRnjfDVZ4cyFXUS/8K2XnFk4qjYh7lbAmnlZdIoLIU8QiKRPKDMq0bKqhCnX0Fp4Mo8IkppHOZvKSZ6geVKzzaEi7gOGwTnah0eKhKXk+28Pq9hxGqBJS6htyo9IXJYN3yMxh1uC/yqCPRslWVyt6WJLeClJRKdvnyWMeQlW11JGXhcYh5Dhnnw6KeYwea3+e+b5M4ZSVPTwbOwwpaXWC00MQ196y04VNyaJv+dpXaVLkgJJcQA1BkhDTyxhEgNg6fwdDPS33F3QjJTMHrPII+aJcHjTGhEVLQ8Swkcc6XWb1Xxsvqh9RnoWTwI6doUTMiD7+qF0pHzkNPyERxvUAx/sTcxIPcEG9c5bvogNC+y0qPi6DRCJshpH34NSmBUAeLbdpFI/PAyXi4G1ECEq9z43X7SyRIzfN43xy"
+              }
+        }
+  }
\ No newline at end of file
diff --git a/tests/data/okta.xml b/tests/data/okta.xml
new file mode 100644
index 0000000..de92e6e
--- /dev/null
+++ b/tests/data/okta.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://loopback.ja-sore.de:3000/auth/page/saml2/login" ID="id36905492230634463108368061" IssueInstant="2022-07-28T13:53:54.059Z" Version="2.0">
+  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk1s7jqodj4muVTl697</saml2:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#id36905492230634463108368061">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>i300U58mYoywmpgMkq7AHOplar4B6ZwW++Ri3PUvGlc=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>eKymDiZIxFd+oJCIhdHQpI+s2nQYFBVH7TBoZaqXizJdNnNPpNlKM5wds33zP6a72GWOL/2n8WRtW+xSnPTmw5PumEuUhWbO2EizfU/SdBL4HKxxJt0nntkDRhdIoHBi+9Gy80So4NGr82B2clnhpj74GW0Ko8A0bt2sHzdQ9NaJ5ru4Qvx0Fk/UCBAGAYobryjAc9Tb5qxxgHGMmPUHG5CprRYTINKZlGF1Jl88VSdTbOYmGjJ4b6GY8pLR2qLt4LErVPUSI4vEUuPFU2f/9/i8D39hzWtJOCzuaUZ5tdKU3Fyjsgoa7ooDfZVzb4howWhQ9zPUgwjZEd9tbW2EwA==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAYI0Fe0pMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDXRyaWFsLTI0MzI1OTkxHDAaBgkqhkiG9w0B
+CQEWDWluZm9Ab2t0YS5jb20wHhcNMjIwNzI1MDYzOTI4WhcNMzIwNzI1MDY0MDI4WjCBlTELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL
+BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA10cmlhbC0yNDMyNTk5
+MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA6LstMPCuzpF3zeg8kZikmLusmsS8yrTpWXpqEzBurQJq6cMdMbg/zUfI6kc2SFNhPUWr
+iDCH62KbimhVCj9DcJtQv+mbNGYPw1WO7qU3egu9E8fvorpyfgCTl1hxrBFjP+QMETeb7AMcXsrp
+8xWR0FhD3L0hfIs9fXUfP7ApTXvavgj/8cQLg2Lv8aihSHX3ywqKAcGqS0NjEndmQWAZsc/aa1uH
+CydQhGWFFPzaY1RVmnirolWNA2yE4xhw5Y9RSSoJ9pJDWdPM+tPKCliyLx5Ttsj2nVWbDgL/76YG
+VYX/OBHAIispzJeDXjYzOrqFijbAPnX2x7Jk7sDGOqug+wIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQBRnIpl+v5ky/OFEhad9dlJcb9JH7z+hezNg7a23k2Ql2LDP/IQ3rmp5qxLfwaicyYV79Jru0Hy
+JZsDmAEbGdIMop8Xm1+BQkwdmkiuTYP74YqKl8NSH4c3BTZgsQNX50n2wy3SPJ/rar/HWVsbTUa6
+xviJvuQJRZZdflLoP1zSMHgCTiMzzZCK1E+5bH0cIDymckCBc9YxPVOC6vnA7y/jnl1CKuRNcdx3
+0Rd3/JEdkAZxpHWbWaHmELSib6teCMEAimlIzLBtFuLd2iKx8qhGICtnqECe9HFY/XiCR1p+tmmD
+0q18E0v3+fcXVVpi60oLG9bzW2+j8GnE2tDmoGSI</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
+    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </saml2p:Status>
+  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
+    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_a3cb5a702e9fe804781ffc3b5e637462" Type="http://www.w3.org/2001/04/xmlenc#Element">
+      <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_7e060a182b19459d857d25b5fc5117be"/>
+      </ds:KeyInfo>
+      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+        <xenc:CipherValue>Urn6LlXmbGkiNFKke9o4q2FIVYx8DbHyjP1NWvdhyMThQlXBHYRdFmQMcTU5gyYDLFuBWvs8XwFg+NWZ000tjXTFy5tbWqrtIqcMgtyme/GuX25rWApfByM99OAARyWfPkUhCjTxf4sJ7Q3WvYXymwToyb5mCznkoIq6gJ71xtAm3gsjxwzkpfgIkVTr1/5+KYmEi6hwTGkvAbuoQqew9V7Huaazq7XwgHuwDjB69f8FEBLzH7hhMOjQGYLmgDorAv+dZ8+YKQ5X22pAI7dU3iBrOpe/6hRUVa+6Z+GRh+i9rQNaLneCx1uP1svEuAgJMdwJz8z1QT3c7HaswDpurYIQUdqemb2EkXYjG+sJLJJYzS/MolcPZBqoC89T5ci67uAKnh4d8do1BHjdstHNXBfz05W05hJzazkz82hOgWa4Cq2xKLtPU/THpcQpCrxqmBoc9ZlSuii4UVuCzJaal/fU/1shLCmfma81dKIN54KnOU0T/pDDlwy9lRh4b4nPm24QOLpyH1g44ovtdhwOuvDZs0ZoTqCxqFEzCE6k2fjbHftfJaLw1RS9jqQE09hxx5s3IqlzoYKAIrFDW8otE3yWsxkL43qaxAW8IJWIMnyLnVekz03bfx/QEDsSfgAy/oIgB1/bQ5weRR4CYPQP0ogCT0/BLBfVjYuu14pJOZ/PXDUOXKX1Do+vIZ8ZrVYJse7BZUqPsvwiZfFIyLqEjSkEsIKd7C5bFLyq47ot5FfzfZx8dkgO/n/eEqCI3sQxLSeIogicYMMy6lh40ZuljoxhjIb2QTmP1ZpGhx47xHtZNhh+snfuu00uqCrplru+sB/iY37EKyv3Uz2M8eZjpFXtQgCo6u9WN9+sbwo7CjhoZIz5P5ZoO1oiFIiDaEF/orrsVaFslK1Qr/uzmr8AxwDzTQQ7nn/ywRyZEPg5hnbFLFxkJvZsX9xehcdQy1e8N92bLsYbAwes0xFCymayFmSeVyXUQjOyDp9eKx8ALreFoIkKBLAZ9T8xcbw8MgJQjBVr1MCkNeesPx6vbRi7YFOitTeLFoF9uBSiSwWnv5vVbRbWIAB8BTJ6CgpxSDfIJauvvmpWuo3zaQtYR0+G3ofa4l1psE+QVGwZBuwxDruZDAOLX6L00IdK303OtLZ1z5pPzzt9ToW6415c+AHCZ5X7eBFbebLUpp3cb5bAThAAxkhVkspBBO6sAS7G64uODNY2QhkI/fPbkLHPu379YsuLITTEDZj3c0CgErTuWtjJJ18jF/1tmzzIzr7JnG5gp3oAEsNJ1J0iWj/9syiqOZoDXLL7PlCWLCJtMvGR5NwXTN3/VKPkKMVkEqiNtrmGia/iXVSPikHckqhil1++YdbOQCd4+oDrPrpmd/wRZ3JWbT1CPBAi4FxkfDZ7eXe+6EdyQZWTCAjc/dlDLuYmcLtc3/g5GvIfBFTdbJKD4K9I8VmouO4OmDb29I0oR1fbGgxNGEaopMklxP6Yn5cOmjINVNh+lu73FdCKKvW4GNkDGcOLcdw4XicK7kPLt6RovuEFMnWMUZvPLrmB7Cwpm+zddEwUFfxhL/RQ4hJWS42U526UOmU+Y70StJ5psYgf7IKBhz6+a82+N+sNjICQwfEcoJBPIStHSGG+CYPVofsJJk4ZQ8+XYEhnTTR6lD+/uIBeWj4y6GpRKWscz8DDXbUUQUpkVrLF4RGUErUeNAJXJfSXbU2rK22CjIj3m7M/c1rUgOuuCLPKwjcCPOvDev96RThmFi6eR4YdE5boRgHtXnZlrFAPLeDFoclX3tZOhE3rkJREAxr96VOwqizsay0t3FtgppHaINCfabkVLXOuCdOJmu51GPtvZDpUNIeYXSnCO/t8dznTmUVK4wgpz697eHu1fVYHH90GJrW1Hb9i7C8nmKln9PrXkhyXSJuNaCaT1AXKILVx5iGtBc+ZWJsNrvTe3svPbwgD/JqB8wSwF3nleEIhaVjf3FbwgQrVJusFqY/onObjMgG4Ow8Eo9FSgnDQCD4UprnQrtx1QJN5EimItH97yam9NVEtnxwpgVfLVwCj2FE5peZnTrUUliGm68cZ9d8dqLKQt1+akAtkBQ7XwBNQ2fxjLEo/6ktTeSqGfhl7XluiGGJWWaFV9krj2B1Vy9+qgt5/jTcGQydD2PBYallVIi/065/bguv5fomMOEM537w91U4x1FZQOROQ3Ee+8Oaofiq3vFKtl5k4Gj3re5dsgUAoAITKIbRb0R/RsT8EN1lrIxZ2UXuyn57oTMM8IyhgJlbVwe9GAHzsYOsI4s6mN7mTwsKCUdgzPYtuUhXu+UYg3mKjluuMpgu8BPuPt87HOAGIAzjK9Cz24oxfAhGpKXp/KfUOXWgj3GDrepLHwajhPfubzf+sSLKMAdBigSiQF/ugwAx5eWAiWCJI3O6BA8vbE84ZJek5WFh5ocjaJIwY7U+W7qZ3lYBVt2piKGvYCApD6PAC0b/OWHvZkYtv2ioETsDvixTm+BknI9qMIIp77WFvAKaS0PR1i54iN8sr3NZlDxVOACbv6TD+hIdPE/7DqqOv9M7BWIDRS+4q2j0jNszE2BcQoIf34j28unnRNzpb8eUeU2iDoeJ8Q9sP80cPWnc+WW0Fwr7miqgHXxAeOvJjWgRbbwT9189S/lRv+x5Y2PlntfEh61N8F756tNbnOxHU5tU+UkswfExfEKNH1FjoKIZHdJTRqxeyT5kO5Wgim8AZAx4YcfSVAySnUr/qrgopGGxAzpVMerZlUNUVY0p8VF8elpmLofSR8MRl8jcI/p0tUS3HM5V4O2EOr8Ifr8bjv45gfG6NmfOFJgdyBweyL3j+gi1GYs3DFC9sGupB6g5MRN6+OP32A6eRFH3XMuouHUaGHblFFB3bLRQL/IPUE2FFKeM03kTSwf1urH7/vqrvQabd7p/WRKClH1UtuOwCyIbTSloK44RkezqeVum8Le6OIi9PViwOossle1NEj08Trm/saqUBdinz23IFw/piy3Jar3KDX0NNji9TDwEVpm1JNvXeBocwPJLF0YVqD4GIg6xCLPhu0d0k2FKgWoJ4ItFD54mxLrqElb/b+YQMclC5mcsKRnFQbnhMC0ezKgBnfES0/nNbxZfd0Dr5wG0Z49kqXoPme4YpUwUEAzB/OAfy2z/d4WcIW2PUo8sFmOJx3QMXZ+4PfY1Oo/id9loDdX8QGBxqeFDbN4HBMKYJIOS25ICeGoKGEDxKH2PKliyCi/k/A4qldFDdMVvGIkMjVzRFVT+kB3o/8yqkhspAPlkVyr+6TqnQhVDRzcPmqquTR56QuSo9YbBj7I7VoD/MQwb51Gqe4rJ+KAMrhSFGwh5BQrq1PVvKFmbySGkZ3bFOzhM2OvxW67TQ85QdGRT9GTVkAjIgN1powGMGxPdSMBiGb3G5RS5jYPwBEsZBHhrSaY0cyYTn4V4tadKHh7AM8SRWmK8dlRk3tVQClDZQPxL6q9sqjN/07FBKnv8N9Yqo2ewyh9Fz7lItXy62k/5JN1I96bBKjPJ+M9n25+f+9bpT1rOXBUmrxDz2R710uqnk9ZsUM1yVZxkU5qHFOtid+tpQWN2pYAshD0UUTT+pSiG8hlN4cerKCMYd5S5dilULTx3wPTNsMvCZ0V0TslIhGq669erVTPUCgOMk7kSgfuxBocQ0vh8DP9WacIuyZdB6TNdOEwqfIRgnSevBMyZKI0pTjIoW7fuDThITI3xLSGbRNcLkqXHWntHIE8wXm9s8fUdBWzYI4lwCxD+iLpeq2AQaDZG+ObSDQREZ1RaZb7fPCdSpr2E0yj5t08xKsKyIeICofrEOsRXg/xhwUXPOqy/VA1DSpasGbzu0heBp2o477y5+l9m04qkR3WQ9ppgscLr/ZK6LdVcBPAusmi9p6QDZy8O/WW/o6mm60Ot6V2ba0s68wkgNeAcTTzBO/TH5KYBHIjDH7cdHWmXeP54OZtIbbYbmjOw3l9ulMmVuA5R+klSBdFqqBHC9OL0vqkLreAfTM7EU91cKsDhNYw/8KA5PhR23gSFKR+wc23vKUweXEAF+i0VNEljgVKc3E7UZ5B4hijNrmczZwdplO4KtKJKc7LW3YA/wA2xDRY5sMl7Tif0yxFUynwPatrz5g3GkT91v0bUl4R12JEWAnmjUamvMPLYFzsBz5G/LfEh9UWrqeGbsOKMb0J1qg4rH8xty+ALttN0qcAk9s+0SJTtjZVx4Q0z+SBcTgLa3uQr7H0NqTZuy7YQ3nMgxXKCOEQeoOFmCpoTwdbfQv516WwHnPLsCwQ+SGZEiRLW9bRKzQ8S+ZetdyMIxFqgEYIrKGIscQWq4gNwnJqStcVRUtJvOEZCRyz0zXTL1WFkpKsZzZC6QNSgPFtAj4/nAeLySBKO3cjGv3BBJHLJVknbM6ByKS3BpJOpJgTDLYl+MvljgttzHcL/W+qwdJb1u3Q2HHhJjKIsGOUKxg2ly0P683urtP8wFkGDHUFHzWSQGi+qbQ06AcmvafHhLwaqmlqBaCL2bsYhMujfPKc+t+kvshtdSNsVGbkGSM4YONmmmIBf4esBB2AjymNSKH/K4NUbFkaWB2iJBHTaR3+taHmvQMLKwzvS1R1LKOQkX5AFyYSbcaKBskLffsW+a2OU6AdOItGJi/VvKgOFfLZ1EcFI0EwYsjenpfbhZu2FxKSQ+GV1v+h1Qv4h+BP20pLCZWT/ocFlM5aK2zUq1uFhds1gusCQUdAWbqjKJB+Y4vc+pBco518WCdUnIo639EtA7NBD0lmOETi7CbnBekRH+vaOjapntF3LRk6KX0XWaBUC9Nn5ipJ7t7uEoU//9XviNlcEGDAEVlHwtObrFE3op7285nB3kQrjGDaj14H2Q4ahpe+8uAagOOnRnZLWDMDiRzOIiL2IVpjfJVN3E+ms38keuqt7ZzSxBkuLjZwLU/Lwife/wiBx9xXyijOl3msheDTdjHB9BxQrrqCMZ7xf1L7ZPSYOHzNagPb65UWFUFPKkCQ4D/6Bx+t25aa3/HqJYg2Urt7FZ6AR+2p4d1RQzBwU6ICJwIFQkgK89C3LQ1eTa6LMciKya2JKrkNdzlRYW0T/D9LexfjRZkVed+WS7Zr0CKEE8kYpwhelJlWBM2Shhv3OelZFvsVASXGIIHTfvd+bUtw9pLsrCDWdccB6XfxwbmVyhIfO4D5qskTU1yCbaDt6w2sNOvzYQe3gLCkiOhJQwId6DF5lUdR9O/4Teohy9bF8EjfzF</xenc:CipherValue>
+      </xenc:CipherData>
+    </xenc:EncryptedData>
+    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_7e060a182b19459d857d25b5fc5117be">
+      <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
+        <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+      </xenc:EncryptionMethod>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDZDCCAkwCCQCxU2RvdbbDijANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJKUDEOMAwGA1UE
+CAwFVG9reW8xEDAOBgNVBAcMB0dvdGFuZGExEzARBgNVBAoMCkhFUlAsIEluYy4xFjAUBgNVBAsM
+DUlUIERlcGFydG1lbnQxFjAUBgNVBAMMDXYxLmhlcnAuY2xvdWQwHhcNMjIwNzI4MTIwNTEwWhcN
+MzIwNjA1MTIwNTEwWjB0MQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0dv
+dGFuZGExEzARBgNVBAoMCkhFUlAsIEluYy4xFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxFjAUBgNV
+BAMMDXYxLmhlcnAuY2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiX1XfOukm
+SEe7b3r9OtbBYXfcJ4o6pg5ASSCfLJaaIFfUk3sbaR9WYyzzcYd7UtfBooFpVZu+Bqek5FdnYSXF
+xs0lyFFGizQfE1jcUQ3gAacD1pMyG/4hdCqEGSAAcjqjv4jNpScUkG+oTmdYpdfIUGHkVdcINw5W
+dPpV+timnRYa32z6paRpNNUSJ3ZYEfxvB3pdy3WRy3GNgnZ9xiWSgNUrliJjYJ2U8RfMNneKI9+g
+fmXyVZI6xAqKu7d7rq52zH8tDpUxWTbItvr2g40L8XUV/3D9D2c9wemI9IaJRHua9bJfBPSsKiA7
+PhdWCuHrglm/Sky4IH294o7WVS8rAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAM/XNOGB9PYxUA9Y
+g5iOMt/UgLSpA4ahjZFQO0TbUxM9OfwtACTQ3tyTp19IhOa8o52uqUP2O7l5+lN8Xn16AlKHSYRE
+XAe0AQJykPkSGiaZg+lEEECaV7C3BSYNzH3EHjPGG5B9e3oaNbl1/BUr1c6mSFJuy0sGYQH7cxTv
++qCT7u+WhcVuKbR4DuIVcei30qD9dyc4QzIWMqJ77yjgB1c+4UZOZdol0BF4HyCycck4XlUd9A35
+/W4idya7HIVZjEc3ENUwvQCOF6TB8mJVAz795KIam3kvOcvHIEaKL3Y+byVbP1GOLwvuyAnDG7ly
+IDFXtXbrQVFhGxhpW+gM+5c=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+        <xenc:CipherValue>SNRV9HQlcViYCbDPPn5NHUb6h9sel8pqHVwcKmz59JDA4PFiiFYeEEyQbksAmtgB7nuHptgOpSYodDjLnABUnVb2uqs+P2kRA+1NTkYT7TNf5g1dHpO49GFmp/YpvRaQ8Ld+X186rKrGMgvYKkFWRMpZ7Fg+f19KFgoVmngfoHe1MKma/eiESgEwj/YlrbUc2UhJcxgrPwyTXUCiB55tE8CRhOFFpUWfzrrklqf4BSXdQQKqUkDVbwlmShMXDEb3mmJkNKd8deshKejr0ASAhXQ54PSvc8+7qwFw8bser/sojaJzbS8Cc7b0EDukR4HMbXjR5iMVl3BL6QRy4FxS+g==</xenc:CipherValue>
+      </xenc:CipherData>
+      <xenc:ReferenceList>
+        <xenc:DataReference URI="#_a3cb5a702e9fe804781ffc3b5e637462"/>
+      </xenc:ReferenceList>
+    </xenc:EncryptedKey>
+  </saml2:EncryptedAssertion>
+</saml2p:Response>
diff --git a/tests/data/okta.xml.expected b/tests/data/okta.xml.expected
new file mode 100644
index 0000000..58936f0
--- /dev/null
+++ b/tests/data/okta.xml.expected
@@ -0,0 +1,63 @@
+Response
+  { responseDestination =
+      "http://loopback.ja-sore.de:3000/auth/page/saml2/login"
+  , responseId = "id36905492230634463108368061"
+  , responseIssueInstant = 2022-07-28 13:53:54.059 UTC
+  , responseVersion = "2.0"
+  , responseIssuer = "http://www.okta.com/exk1s7jqodj4muVTl697"
+  , responseStatusCode = Success
+  , responseSignature =
+      Signature
+        { signatureInfo =
+            SignedInfo
+              { signedInfoCanonicalisationMethod = C14N_EXC_1_0
+              , signedInfoSignatureMethod = RSA_SHA256
+              , signedInfoReference =
+                  Reference
+                    { referenceURI = "id36905492230634463108368061"
+                    , referenceDigestMethod = DigestSHA256
+                    , referenceDigestValue =
+                        "i300U58mYoywmpgMkq7AHOplar4B6ZwW++Ri3PUvGlc="
+                    }
+              }
+        , signatureValue =
+            "eKymDiZIxFd+oJCIhdHQpI+s2nQYFBVH7TBoZaqXizJdNnNPpNlKM5wds33zP6a72GWOL/2n8WRtW+xSnPTmw5PumEuUhWbO2EizfU/SdBL4HKxxJt0nntkDRhdIoHBi+9Gy80So4NGr82B2clnhpj74GW0Ko8A0bt2sHzdQ9NaJ5ru4Qvx0Fk/UCBAGAYobryjAc9Tb5qxxgHGMmPUHG5CprRYTINKZlGF1Jl88VSdTbOYmGjJ4b6GY8pLR2qLt4LErVPUSI4vEUuPFU2f/9/i8D39hzWtJOCzuaUZ5tdKU3Fyjsgoa7ooDfZVzb4howWhQ9zPUgwjZEd9tbW2EwA=="
+        }
+  , responseEncryptedAssertion =
+      EncryptedAssertion
+        { encryptedAssertionAlgorithm =
+            EncryptionMethod
+              { encryptionMethodAlgorithm =
+                  "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
+              , encryptionMethodDigestAlgorithm = Nothing
+              }
+        , encryptedAssertionKey =
+            EncryptedKey
+              { encryptedKeyId = "_7e060a182b19459d857d25b5fc5117be"
+              , encryptedKeyRecipient = ""
+              , encryptedKeyMethod =
+                  EncryptionMethod
+                    { encryptionMethodAlgorithm =
+                        "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
+                    , encryptionMethodDigestAlgorithm =
+                        Just "http://www.w3.org/2000/09/xmldsig#sha1"
+                    }
+              , encryptedKeyData =
+                  Just
+                    KeyInfo
+                      { keyInfoCertificate =
+                          "MIIDZDCCAkwCCQCxU2RvdbbDijANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xEDAOBgNVBAcMB0dvdGFuZGExEzARBgNVBAoMCkhFUlAsIEluYy4xFjAUBgNVBAsM\nDUlUIERlcGFydG1lbnQxFjAUBgNVBAMMDXYxLmhlcnAuY2xvdWQwHhcNMjIwNzI4MTIwNTEwWhcN\nMzIwNjA1MTIwNTEwWjB0MQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0dv\ndGFuZGExEzARBgNVBAoMCkhFUlAsIEluYy4xFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxFjAUBgNV\nBAMMDXYxLmhlcnAuY2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiX1XfOukm\nSEe7b3r9OtbBYXfcJ4o6pg5ASSCfLJaaIFfUk3sbaR9WYyzzcYd7UtfBooFpVZu+Bqek5FdnYSXF\nxs0lyFFGizQfE1jcUQ3gAacD1pMyG/4hdCqEGSAAcjqjv4jNpScUkG+oTmdYpdfIUGHkVdcINw5W\ndPpV+timnRYa32z6paRpNNUSJ3ZYEfxvB3pdy3WRy3GNgnZ9xiWSgNUrliJjYJ2U8RfMNneKI9+g\nfmXyVZI6xAqKu7d7rq52zH8tDpUxWTbItvr2g40L8XUV/3D9D2c9wemI9IaJRHua9bJfBPSsKiA7\nPhdWCuHrglm/Sky4IH294o7WVS8rAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAM/XNOGB9PYxUA9Y\ng5iOMt/UgLSpA4ahjZFQO0TbUxM9OfwtACTQ3tyTp19IhOa8o52uqUP2O7l5+lN8Xn16AlKHSYRE\nXAe0AQJykPkSGiaZg+lEEECaV7C3BSYNzH3EHjPGG5B9e3oaNbl1/BUr1c6mSFJuy0sGYQH7cxTv\n+qCT7u+WhcVuKbR4DuIVcei30qD9dyc4QzIWMqJ77yjgB1c+4UZOZdol0BF4HyCycck4XlUd9A35\n/W4idya7HIVZjEc3ENUwvQCOF6TB8mJVAz795KIam3kvOcvHIEaKL3Y+byVbP1GOLwvuyAnDG7ly\nIDFXtXbrQVFhGxhpW+gM+5c="
+                      }
+              , encryptedKeyCipher =
+                  CipherData
+                    { cipherValue =
+                        "SNRV9HQlcViYCbDPPn5NHUb6h9sel8pqHVwcKmz59JDA4PFiiFYeEEyQbksAmtgB7nuHptgOpSYodDjLnABUnVb2uqs+P2kRA+1NTkYT7TNf5g1dHpO49GFmp/YpvRaQ8Ld+X186rKrGMgvYKkFWRMpZ7Fg+f19KFgoVmngfoHe1MKma/eiESgEwj/YlrbUc2UhJcxgrPwyTXUCiB55tE8CRhOFFpUWfzrrklqf4BSXdQQKqUkDVbwlmShMXDEb3mmJkNKd8deshKejr0ASAhXQ54PSvc8+7qwFw8bser/sojaJzbS8Cc7b0EDukR4HMbXjR5iMVl3BL6QRy4FxS+g=="
+                    }
+              }
+        , encryptedAssertionCipher =
+            CipherData
+              { cipherValue =
+                  "Urn6LlXmbGkiNFKke9o4q2FIVYx8DbHyjP1NWvdhyMThQlXBHYRdFmQMcTU5gyYDLFuBWvs8XwFg+NWZ000tjXTFy5tbWqrtIqcMgtyme/GuX25rWApfByM99OAARyWfPkUhCjTxf4sJ7Q3WvYXymwToyb5mCznkoIq6gJ71xtAm3gsjxwzkpfgIkVTr1/5+KYmEi6hwTGkvAbuoQqew9V7Huaazq7XwgHuwDjB69f8FEBLzH7hhMOjQGYLmgDorAv+dZ8+YKQ5X22pAI7dU3iBrOpe/6hRUVa+6Z+GRh+i9rQNaLneCx1uP1svEuAgJMdwJz8z1QT3c7HaswDpurYIQUdqemb2EkXYjG+sJLJJYzS/MolcPZBqoC89T5ci67uAKnh4d8do1BHjdstHNXBfz05W05hJzazkz82hOgWa4Cq2xKLtPU/THpcQpCrxqmBoc9ZlSuii4UVuCzJaal/fU/1shLCmfma81dKIN54KnOU0T/pDDlwy9lRh4b4nPm24QOLpyH1g44ovtdhwOuvDZs0ZoTqCxqFEzCE6k2fjbHftfJaLw1RS9jqQE09hxx5s3IqlzoYKAIrFDW8otE3yWsxkL43qaxAW8IJWIMnyLnVekz03bfx/QEDsSfgAy/oIgB1/bQ5weRR4CYPQP0ogCT0/BLBfVjYuu14pJOZ/PXDUOXKX1Do+vIZ8ZrVYJse7BZUqPsvwiZfFIyLqEjSkEsIKd7C5bFLyq47ot5FfzfZx8dkgO/n/eEqCI3sQxLSeIogicYMMy6lh40ZuljoxhjIb2QTmP1ZpGhx47xHtZNhh+snfuu00uqCrplru+sB/iY37EKyv3Uz2M8eZjpFXtQgCo6u9WN9+sbwo7CjhoZIz5P5ZoO1oiFIiDaEF/orrsVaFslK1Qr/uzmr8AxwDzTQQ7nn/ywRyZEPg5hnbFLFxkJvZsX9xehcdQy1e8N92bLsYbAwes0xFCymayFmSeVyXUQjOyDp9eKx8ALreFoIkKBLAZ9T8xcbw8MgJQjBVr1MCkNeesPx6vbRi7YFOitTeLFoF9uBSiSwWnv5vVbRbWIAB8BTJ6CgpxSDfIJauvvmpWuo3zaQtYR0+G3ofa4l1psE+QVGwZBuwxDruZDAOLX6L00IdK303OtLZ1z5pPzzt9ToW6415c+AHCZ5X7eBFbebLUpp3cb5bAThAAxkhVkspBBO6sAS7G64uODNY2QhkI/fPbkLHPu379YsuLITTEDZj3c0CgErTuWtjJJ18jF/1tmzzIzr7JnG5gp3oAEsNJ1J0iWj/9syiqOZoDXLL7PlCWLCJtMvGR5NwXTN3/VKPkKMVkEqiNtrmGia/iXVSPikHckqhil1++YdbOQCd4+oDrPrpmd/wRZ3JWbT1CPBAi4FxkfDZ7eXe+6EdyQZWTCAjc/dlDLuYmcLtc3/g5GvIfBFTdbJKD4K9I8VmouO4OmDb29I0oR1fbGgxNGEaopMklxP6Yn5cOmjINVNh+lu73FdCKKvW4GNkDGcOLcdw4XicK7kPLt6RovuEFMnWMUZvPLrmB7Cwpm+zddEwUFfxhL/RQ4hJWS42U526UOmU+Y70StJ5psYgf7IKBhz6+a82+N+sNjICQwfEcoJBPIStHSGG+CYPVofsJJk4ZQ8+XYEhnTTR6lD+/uIBeWj4y6GpRKWscz8DDXbUUQUpkVrLF4RGUErUeNAJXJfSXbU2rK22CjIj3m7M/c1rUgOuuCLPKwjcCPOvDev96RThmFi6eR4YdE5boRgHtXnZlrFAPLeDFoclX3tZOhE3rkJREAxr96VOwqizsay0t3FtgppHaINCfabkVLXOuCdOJmu51GPtvZDpUNIeYXSnCO/t8dznTmUVK4wgpz697eHu1fVYHH90GJrW1Hb9i7C8nmKln9PrXkhyXSJuNaCaT1AXKILVx5iGtBc+ZWJsNrvTe3svPbwgD/JqB8wSwF3nleEIhaVjf3FbwgQrVJusFqY/onObjMgG4Ow8Eo9FSgnDQCD4UprnQrtx1QJN5EimItH97yam9NVEtnxwpgVfLVwCj2FE5peZnTrUUliGm68cZ9d8dqLKQt1+akAtkBQ7XwBNQ2fxjLEo/6ktTeSqGfhl7XluiGGJWWaFV9krj2B1Vy9+qgt5/jTcGQydD2PBYallVIi/065/bguv5fomMOEM537w91U4x1FZQOROQ3Ee+8Oaofiq3vFKtl5k4Gj3re5dsgUAoAITKIbRb0R/RsT8EN1lrIxZ2UXuyn57oTMM8IyhgJlbVwe9GAHzsYOsI4s6mN7mTwsKCUdgzPYtuUhXu+UYg3mKjluuMpgu8BPuPt87HOAGIAzjK9Cz24oxfAhGpKXp/KfUOXWgj3GDrepLHwajhPfubzf+sSLKMAdBigSiQF/ugwAx5eWAiWCJI3O6BA8vbE84ZJek5WFh5ocjaJIwY7U+W7qZ3lYBVt2piKGvYCApD6PAC0b/OWHvZkYtv2ioETsDvixTm+BknI9qMIIp77WFvAKaS0PR1i54iN8sr3NZlDxVOACbv6TD+hIdPE/7DqqOv9M7BWIDRS+4q2j0jNszE2BcQoIf34j28unnRNzpb8eUeU2iDoeJ8Q9sP80cPWnc+WW0Fwr7miqgHXxAeOvJjWgRbbwT9189S/lRv+x5Y2PlntfEh61N8F756tNbnOxHU5tU+UkswfExfEKNH1FjoKIZHdJTRqxeyT5kO5Wgim8AZAx4YcfSVAySnUr/qrgopGGxAzpVMerZlUNUVY0p8VF8elpmLofSR8MRl8jcI/p0tUS3HM5V4O2EOr8Ifr8bjv45gfG6NmfOFJgdyBweyL3j+gi1GYs3DFC9sGupB6g5MRN6+OP32A6eRFH3XMuouHUaGHblFFB3bLRQL/IPUE2FFKeM03kTSwf1urH7/vqrvQabd7p/WRKClH1UtuOwCyIbTSloK44RkezqeVum8Le6OIi9PViwOossle1NEj08Trm/saqUBdinz23IFw/piy3Jar3KDX0NNji9TDwEVpm1JNvXeBocwPJLF0YVqD4GIg6xCLPhu0d0k2FKgWoJ4ItFD54mxLrqElb/b+YQMclC5mcsKRnFQbnhMC0ezKgBnfES0/nNbxZfd0Dr5wG0Z49kqXoPme4YpUwUEAzB/OAfy2z/d4WcIW2PUo8sFmOJx3QMXZ+4PfY1Oo/id9loDdX8QGBxqeFDbN4HBMKYJIOS25ICeGoKGEDxKH2PKliyCi/k/A4qldFDdMVvGIkMjVzRFVT+kB3o/8yqkhspAPlkVyr+6TqnQhVDRzcPmqquTR56QuSo9YbBj7I7VoD/MQwb51Gqe4rJ+KAMrhSFGwh5BQrq1PVvKFmbySGkZ3bFOzhM2OvxW67TQ85QdGRT9GTVkAjIgN1powGMGxPdSMBiGb3G5RS5jYPwBEsZBHhrSaY0cyYTn4V4tadKHh7AM8SRWmK8dlRk3tVQClDZQPxL6q9sqjN/07FBKnv8N9Yqo2ewyh9Fz7lItXy62k/5JN1I96bBKjPJ+M9n25+f+9bpT1rOXBUmrxDz2R710uqnk9ZsUM1yVZxkU5qHFOtid+tpQWN2pYAshD0UUTT+pSiG8hlN4cerKCMYd5S5dilULTx3wPTNsMvCZ0V0TslIhGq669erVTPUCgOMk7kSgfuxBocQ0vh8DP9WacIuyZdB6TNdOEwqfIRgnSevBMyZKI0pTjIoW7fuDThITI3xLSGbRNcLkqXHWntHIE8wXm9s8fUdBWzYI4lwCxD+iLpeq2AQaDZG+ObSDQREZ1RaZb7fPCdSpr2E0yj5t08xKsKyIeICofrEOsRXg/xhwUXPOqy/VA1DSpasGbzu0heBp2o477y5+l9m04qkR3WQ9ppgscLr/ZK6LdVcBPAusmi9p6QDZy8O/WW/o6mm60Ot6V2ba0s68wkgNeAcTTzBO/TH5KYBHIjDH7cdHWmXeP54OZtIbbYbmjOw3l9ulMmVuA5R+klSBdFqqBHC9OL0vqkLreAfTM7EU91cKsDhNYw/8KA5PhR23gSFKR+wc23vKUweXEAF+i0VNEljgVKc3E7UZ5B4hijNrmczZwdplO4KtKJKc7LW3YA/wA2xDRY5sMl7Tif0yxFUynwPatrz5g3GkT91v0bUl4R12JEWAnmjUamvMPLYFzsBz5G/LfEh9UWrqeGbsOKMb0J1qg4rH8xty+ALttN0qcAk9s+0SJTtjZVx4Q0z+SBcTgLa3uQr7H0NqTZuy7YQ3nMgxXKCOEQeoOFmCpoTwdbfQv516WwHnPLsCwQ+SGZEiRLW9bRKzQ8S+ZetdyMIxFqgEYIrKGIscQWq4gNwnJqStcVRUtJvOEZCRyz0zXTL1WFkpKsZzZC6QNSgPFtAj4/nAeLySBKO3cjGv3BBJHLJVknbM6ByKS3BpJOpJgTDLYl+MvljgttzHcL/W+qwdJb1u3Q2HHhJjKIsGOUKxg2ly0P683urtP8wFkGDHUFHzWSQGi+qbQ06AcmvafHhLwaqmlqBaCL2bsYhMujfPKc+t+kvshtdSNsVGbkGSM4YONmmmIBf4esBB2AjymNSKH/K4NUbFkaWB2iJBHTaR3+taHmvQMLKwzvS1R1LKOQkX5AFyYSbcaKBskLffsW+a2OU6AdOItGJi/VvKgOFfLZ1EcFI0EwYsjenpfbhZu2FxKSQ+GV1v+h1Qv4h+BP20pLCZWT/ocFlM5aK2zUq1uFhds1gusCQUdAWbqjKJB+Y4vc+pBco518WCdUnIo639EtA7NBD0lmOETi7CbnBekRH+vaOjapntF3LRk6KX0XWaBUC9Nn5ipJ7t7uEoU//9XviNlcEGDAEVlHwtObrFE3op7285nB3kQrjGDaj14H2Q4ahpe+8uAagOOnRnZLWDMDiRzOIiL2IVpjfJVN3E+ms38keuqt7ZzSxBkuLjZwLU/Lwife/wiBx9xXyijOl3msheDTdjHB9BxQrrqCMZ7xf1L7ZPSYOHzNagPb65UWFUFPKkCQ4D/6Bx+t25aa3/HqJYg2Urt7FZ6AR+2p4d1RQzBwU6ICJwIFQkgK89C3LQ1eTa6LMciKya2JKrkNdzlRYW0T/D9LexfjRZkVed+WS7Zr0CKEE8kYpwhelJlWBM2Shhv3OelZFvsVASXGIIHTfvd+bUtw9pLsrCDWdccB6XfxwbmVyhIfO4D5qskTU1yCbaDt6w2sNOvzYQe3gLCkiOhJQwId6DF5lUdR9O/4Teohy9bF8EjfzF"
+              }
+        }
+  }
\ No newline at end of file
diff --git a/tests/parser.hs b/tests/parser.hs
new file mode 100644
index 0000000..34a7849
--- /dev/null
+++ b/tests/parser.hs
@@ -0,0 +1,28 @@
+import Network.Wai.SAML2.Response
+import Network.Wai.SAML2.XML
+import System.FilePath
+import Test.Tasty
+import Test.Tasty.Golden
+import Text.Show.Pretty
+import Text.XML.Cursor
+import qualified Data.ByteString.Lazy.Char8 as BC
+import qualified Text.XML as XML
+
+run :: FilePath -> IO BC.ByteString
+run src = do
+    doc <- XML.readFile XML.def src
+    resp <- parseXML (fromDocument doc)
+    pure $ BC.pack $ ppShow (resp :: Response)
+
+main :: IO ()
+main = defaultMain $ testGroup "Parse SAML2 response"
+    [ mkGolden $ prefix </> "keycloak.xml"
+    , mkGolden $ prefix </> "okta.xml"
+    ]
+    where
+        prefix = "tests/data"
+        mkGolden path = goldenVsStringDiff
+                (takeBaseName path)
+                (\ref new -> ["diff", "-u", ref, new])
+                (path <.> "expected")
+                (run path)
diff --git a/wai-saml2.cabal b/wai-saml2.cabal
index 020f22a..168585e 100644
--- a/wai-saml2.cabal
+++ b/wai-saml2.cabal
@@ -1,6 +1,6 @@
 cabal-version: 1.12
 
--- This file has been generated from package.yaml by hpack version 0.34.4.
+-- This file has been generated from package.yaml by hpack version 0.35.0.
 --
 -- see: https://github.com/sol/hpack
 
@@ -67,3 +67,40 @@ library
     , x509-store <2
     , xml-conduit <2
   default-language: Haskell2010
+
+test-suite parser
+  type: exitcode-stdio-1.0
+  main-is: parser.hs
+  other-modules:
+      Paths_wai_saml2
+  hs-source-dirs:
+      tests
+  default-extensions:
+      OverloadedStrings
+      MultiWayIf
+      RecordWildCards
+      FlexibleInstances
+  ghc-options: -Wall -Wcompat
+  build-depends:
+      base
+    , base64-bytestring >=0.1 && <2
+    , bytestring
+    , c14n >=0.1.0.1 && <1
+    , cryptonite <1
+    , data-default-class <1
+    , filepath
+    , http-types <1
+    , mtl >=2.2.1 && <3
+    , pretty-show
+    , tasty
+    , tasty-golden
+    , text <2
+    , time >=1.9 && <2
+    , vault >=0.3 && <1
+    , wai >=3.0 && <4
+    , wai-extra >=3.0 && <4
+    , wai-saml2
+    , x509 <2
+    , x509-store <2
+    , xml-conduit
+  default-language: Haskell2010

From 3e60bb578c2f6bdb5d52f106b9f4132d37487bc7 Mon Sep 17 00:00:00 2001
From: Fumiaki Kinoshita <fumiaki.kinoshita@herp.co.jp>
Date: Mon, 1 Aug 2022 12:18:35 +0900
Subject: [PATCH 2/4] Support Okta's response format

---
 src/Network/Wai/SAML2/Response.hs      | 35 +++++++++++++-------------
 src/Network/Wai/SAML2/XML/Encrypted.hs | 28 +++++++++++++--------
 2 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/src/Network/Wai/SAML2/Response.hs b/src/Network/Wai/SAML2/Response.hs
index c061ef2..0c7446c 100644
--- a/src/Network/Wai/SAML2/Response.hs
+++ b/src/Network/Wai/SAML2/Response.hs
@@ -15,7 +15,7 @@ module Network.Wai.SAML2.Response (
     -- * Re-exports
     module Network.Wai.SAML2.StatusCode,
     module Network.Wai.SAML2.Signature
-) where 
+) where
 
 --------------------------------------------------------------------------------
 
@@ -52,20 +52,19 @@ data Response = Response {
     responseEncryptedAssertion :: !EncryptedAssertion
 } deriving (Eq, Show)
 
-instance FromXML Response where 
+instance FromXML Response where
     parseXML cursor = do
-        issueInstant <- parseUTCTime 
-                      $ T.concat 
+        issueInstant <- parseUTCTime
+                      $ T.concat
                       $ attribute "IssueInstant" cursor
 
         statusCode <- case parseXML cursor of
             Nothing -> fail "Invalid status code"
             Just sc -> pure sc
 
-        encAssertion <- oneOrFail "EncryptedAssertion is required" 
+        encAssertion <- oneOrFail "EncryptedAssertion is required"
                     (   cursor
                     $/  element (saml2Name "EncryptedAssertion")
-                    &/  element (xencName "EncryptedData")
                     ) >>= parseXML
 
         signature <- oneOrFail "Signature is required" (
@@ -76,39 +75,39 @@ instance FromXML Response where
             responseId = T.concat $ attribute "ID" cursor,
             responseIssueInstant = issueInstant,
             responseVersion = T.concat $ attribute "Version" cursor,
-            responseIssuer = T.concat $ 
+            responseIssuer = T.concat $
                 cursor $/ element (saml2Name "Issuer") &/ content,
             responseStatusCode = statusCode,
             responseSignature = signature,
             responseEncryptedAssertion = encAssertion
         }
-    
+
 --------------------------------------------------------------------------------
 
 -- | Returns 'True' if the argument is not a @<Signature>@ element.
-isNotSignature :: Node -> Bool 
-isNotSignature (NodeElement e) = elementName e /= dsName "Signature" 
+isNotSignature :: Node -> Bool
+isNotSignature (NodeElement e) = elementName e /= dsName "Signature"
 isNotSignature _ = True
 
 -- | 'removeSignature' @document@ removes all @<Signature>@ elements from
 -- @document@ and returns the resulting document.
 removeSignature :: Document -> Document
-removeSignature (Document prologue root misc) = 
+removeSignature (Document prologue root misc) =
     let Element n attr ns = root
     in Document prologue (Element n attr (filter isNotSignature ns)) misc
-          
+
 -- | Returns all nodes at @cursor@.
 nodes :: MonadFail m => Cursor -> m Node
-nodes = pure . node 
+nodes = pure . node
 
--- | 'extractSignedInfo' @cursor@ extracts the SignedInfo element from the 
+-- | 'extractSignedInfo' @cursor@ extracts the SignedInfo element from the
 -- document reprsented by @cursor@.
 extractSignedInfo :: MonadFail m => Cursor -> m Element
-extractSignedInfo cursor = do 
-    NodeElement signedInfo <- oneOrFail "SignedInfo is required" 
+extractSignedInfo cursor = do
+    NodeElement signedInfo <- oneOrFail "SignedInfo is required"
                             ( cursor
-                           $/ element (dsName "Signature") 
-                           &/ element (dsName "SignedInfo") 
+                           $/ element (dsName "Signature")
+                           &/ element (dsName "SignedInfo")
                           ) >>= nodes
     pure signedInfo
 
diff --git a/src/Network/Wai/SAML2/XML/Encrypted.hs b/src/Network/Wai/SAML2/XML/Encrypted.hs
index 93e8efd..c10ec21 100644
--- a/src/Network/Wai/SAML2/XML/Encrypted.hs
+++ b/src/Network/Wai/SAML2/XML/Encrypted.hs
@@ -113,19 +113,27 @@ data EncryptedAssertion = EncryptedAssertion {
 
 instance FromXML EncryptedAssertion where
     parseXML cursor = do
-        algorithm <- oneOrFail "Algorithm is required"
-                 (   cursor
-                 $/  element (xencName "EncryptionMethod")
-                 ) >>= parseXML
+        encryptedData <- oneOrFail "EncryptedData is required"
+            $   cursor
+            $/  element (xencName "EncryptedData")
 
-        keyInfo <- oneOrFail "KeyInfo is required"
-               (   cursor
-               $/  element (dsName "KeyInfo")
-               &/  element (xencName "EncryptedKey")
-               ) >>= parseXML
+        algorithm <- oneOrFail "Algorithm is required"
+            $   encryptedData
+            $/  element (xencName "EncryptionMethod")
+            >=> parseXML
+
+        keyInfo <- oneOrFail "EncryptedKey is required" $ mconcat
+            [ cursor $/ element (xencName "EncryptedKey")
+            >=> parseXML
+            , cursor
+                $/ element (xencName "EncryptedData")
+                &/ element (dsName "KeyInfo")
+                &/ element (xencName "EncryptedKey")
+            >=> parseXML
+            ]
 
         cipher <- oneOrFail "CipherData is required"
-               (  cursor
+               (  encryptedData
               $/  element (xencName "CipherData")
               ) >>= parseXML
 

From d64cbfdd5e1d36ab88b182a30f2c68712e332026 Mon Sep 17 00:00:00 2001
From: Fumiaki Kinoshita <fumiaki.kinoshita@herp.co.jp>
Date: Fri, 19 Aug 2022 10:35:33 +0900
Subject: [PATCH 3/4] add a test step to haskell ci

---
 .github/workflows/haskell.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/haskell.yml b/.github/workflows/haskell.yml
index 40363d2..2fe0585 100644
--- a/.github/workflows/haskell.yml
+++ b/.github/workflows/haskell.yml
@@ -51,3 +51,6 @@ jobs:
 
       - name: Build
         run: stack --stack-yaml=${{ matrix.resolver }}.yaml --no-terminal build --fast
+
+      - name: Test
+        run: stack --stack-yaml=${{ matrix.resolver }}.yaml --no-terminal test --fast

From 7d7c9366741a7de86d7441fc04c4b807b256748b Mon Sep 17 00:00:00 2001
From: Fumiaki Kinoshita <fumiaki.kinoshita@herp.co.jp>
Date: Fri, 19 Aug 2022 10:41:10 +0900
Subject: [PATCH 4/4] rename parser.hs to Parser.hs

---
 package.yaml                   | 3 +--
 tests/{parser.hs => Parser.hs} | 0
 wai-saml2.cabal                | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)
 rename tests/{parser.hs => Parser.hs} (100%)

diff --git a/package.yaml b/package.yaml
index 654b341..7f83236 100644
--- a/package.yaml
+++ b/package.yaml
@@ -45,10 +45,9 @@ library:
 
 tests:
   parser:
-    main: parser.hs
+    main: Parser.hs
     source-dirs: tests
     ghc-options: -Wall -Wcompat
-    language: Haskell2010
     dependencies:
     - base
     - bytestring
diff --git a/tests/parser.hs b/tests/Parser.hs
similarity index 100%
rename from tests/parser.hs
rename to tests/Parser.hs
diff --git a/wai-saml2.cabal b/wai-saml2.cabal
index 168585e..e0fa859 100644
--- a/wai-saml2.cabal
+++ b/wai-saml2.cabal
@@ -70,7 +70,7 @@ library
 
 test-suite parser
   type: exitcode-stdio-1.0
-  main-is: parser.hs
+  main-is: Parser.hs
   other-modules:
       Paths_wai_saml2
   hs-source-dirs: