

Add WantAssertionsSigned (#536)
Add tests for WantAssertionsSigned

Co-authored-by: Chris Barth <chrisjbarth@hotmail.com>
HendrikJan and cjbarth committed Mar 22, 2021
1 parent 3a486db commit 5634945
Showing 8 changed files with 164 additions and 6 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -126,6 +126,7 @@ type Profile = {
- `additionalParams`: dictionary of additional query params to add to all requests; if an object with this key is passed to `authenticate`, the dictionary of additional query params will be appended to those present on the returned URL, overriding any specified by initialization options' additional parameters (`additionalParams`, `additionalAuthorizeParams`, and `additionalLogoutParams`)
- `additionalAuthorizeParams`: dictionary of additional query params to add to 'authorize' requests
- `identifierFormat`: optional name identifier format to request from identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
- `wantAssertionsSigned`: if truthy, add `WantAssertionsSigned="true"` to the metadata, to specify that the IdP should always sign the assertions.
- `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps. Setting to `-1` will disable checking these conditions entirely. Default is `0`.
- `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
- `disableRequestedAuthnContext`: if truthy, do not request a specific authentication context. This is [known to help when authenticating against Active Directory](https://github.com/node-saml/passport-saml/issues/226) (AD FS) servers.
12 changes: 10 additions & 2 deletions src/passport-saml/saml.ts
Expand Up @@ -147,6 +147,7 @@ class SAML {
ctorOptions.identifierFormat === undefined
? "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
: ctorOptions.identifierFormat,
wantAssertionsSigned: ctorOptions.wantAssertionsSigned ?? false,
authnContext: ctorOptions.authnContext ?? [
"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
],
Expand Down Expand Up @@ -789,7 +790,10 @@ class SAML {
}

if (assertions.length == 1) {
if (!validSignature && !this.validateSignature(xml, assertions[0], certs)) {
if (
(this.options.wantAssertionsSigned || !validSignature) &&
!this.validateSignature(xml, assertions[0], certs)
) {
throw new Error("Invalid signature");
}
return await this.processValidlySignedAssertionAsync(
Expand Down Expand Up @@ -820,7 +824,7 @@ class SAML {
if (decryptedAssertions.length != 1) throw new Error("Invalid EncryptedAssertion content");

if (
!validSignature &&
(this.options.wantAssertionsSigned || !validSignature) &&
!this.validateSignature(decryptedXml, decryptedAssertions[0], certs)
) {
throw new Error("Invalid signature from encrypted assertion");
Expand Down Expand Up @@ -1423,6 +1427,10 @@ class SAML {
metadata.EntityDescriptor.SPSSODescriptor.NameIDFormat = this.options.identifierFormat;
}

if (this.options.wantAssertionsSigned) {
metadata.EntityDescriptor.SPSSODescriptor["@WantAssertionsSigned"] = true;
}

metadata.EntityDescriptor.SPSSODescriptor.AssertionConsumerService = {
"@index": "1",
"@isDefault": "true",
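Review bot: The new enforcement branch `if ((this.options.wantAssertionsSigned || !validSignature) && !this.validateSignature(xml, assertions[0], certs))` has no comment, and a reader can easily take the `||` for a mistake since a valid Response signature used to be sufficient on its own; a one-line comment above it such as `// With wantAssertionsSigned the Assertion must carry its own valid signature even when the enclosing Response was signed.` would pin the intent, and the same applies to the decrypted-assertion check in the third hunk. In the metadata hunk, `["@WantAssertionsSigned"] = true` assigns a boolean while the sibling attributes of the same SPSSODescriptor are string literals (`"@index": "1"`, `"@isDefault": "true"`); writing `"true"` keeps the attribute values uniform rather than relying on however the XML builder serializes a boolean, and matches the `WantAssertionsSigned="true"` the README promises. Each of these hunks sits inside a method whose start and end lie outside the shown lines.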
1 change: 1 addition & 0 deletions src/passport-saml/types.ts
Expand Up @@ -64,6 +64,7 @@ export interface SamlOptions extends SamlSigningOptions, MandatorySamlOptions {
idpIssuer?: string;
audience?: string;
scoping?: SamlScopingConfig;
wantAssertionsSigned?: boolean;

// InResponseTo Validation
validateInResponseTo: boolean;
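Review bot: `wantAssertionsSigned?: boolean;` is added to SamlOptions without a TSDoc comment, although it is a security-affecting switch: per the saml.ts changes in this commit it both requires every Assertion (plain or decrypted) to carry a valid signature even when the Response envelope is signed, and advertises WantAssertionsSigned in the generated SP metadata. A comment such as `/** Require each Assertion to carry its own valid signature, even when the Response is signed, and advertise WantAssertionsSigned in SP metadata. Defaults to false. */` would make the enforcement side visible to integrators, who could otherwise read the option as metadata-only. The interface continues beyond the shown lines.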
@@ -0,0 +1,16 @@
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfxc5aaa9b4-68a3-ca0b-cd8d-73cfbdb53932" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
<saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfxc5aaa9b4-68a3-ca0b-cd8d-73cfbdb53932"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>xa3vNTi+LNOhWxNoA+Hew8cIAqY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>OZ6gxjp+ERiPkH34WBz+mZXuBQWFdb9cjG92QQ0x0ukgP033ULcbyBHm+ksLOTdoyeVxIAVFhxnaR2Ljq/VxdqCn5dyq6HFkaduO7LV/gknx2eVc7ViAoGWoMZ17CXSrLV66+Ulk7Cg2uURZn2911QOqjvKsuJHEcgZHmu3J4ECJv+PyHvC4Vb1KPzCyxtWzSPXdaPFGWzIVgcmRy298Yl2oXVo5EV5vB8yw/tO5uR/PEngvPYw3mpB59e33fg3rgrxN/r7McgK+eFJuiaAmCKrWr95OJwApo3D0wje9FUHB7tURNlWNDe0Zw7D+3j/pg2MQNfFB0CQhPUjSz9FAPg==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>

<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>lj1iUwsOUPutFeZkYL1XcP1oZl2/M5rxANWqoGbD8QLWkjWIAXh7Etndy5Mk0yOaBGU0F10jdsxeSfLKqHoW7AWkngdKtRcP7y6qp80pMGvM+NDvnI54MKternTsB+AjaC/LW9ls6dGgGovXNZ5VtE1H+1bEUBQFC2TC+44mZSDHrZ5O1yAKvOKD6gyq8gBgZeLimst71jVEGHoJFXGVcPsU5xhVgEKtzYqgRUOZ6NF5L4mqz4lGZPV4o8ql8lWizqSdOpzTPbN52YAQ/FSw+uLfMu53MRPdJPAHSVvsUjxG2M1FE3BqG731OveV/RsExp8+39YwjqZyEkLMrO9NGmq7GV15sUqzXLxilcd/epQ5vkin7LemejRYJCowL9kJOBXxkm43DfCqISLX5zntxXGhsWMwjv+khFX3RsLhM2JBNda9lscMsNaUqdVnHjDA9VRBXxK5xQDYJwxtp+f+hKm91+jhXRH8YKbgIu0fhkzaHmJenktFKtmlVwR6IeR/2khJB7wcvze4aqCaY3QG1RqcOqhX9N1an5Ha4hjtSTx0Q2uNL7nnj7u+LIEwWmjuMQWvGvD7MX5IypW/1kJgLQAwN0CCzZsuyRKg3sZa5SuW+KwHbPwR0wJtIh2RfnQuIa9bsYDMmiK4lzXP9IMd+2bjJdxJ7PZHN5tnU0g1u6aSKVE0sH8m9NDXaZ20Gd9PMvxBuIByneYTdMhMj3FPdkAALAHsOvWDria2vfVoEvvg7Hzq0PO8bcdfCWk9TBQsePNune7wJ7mZC7aM0gfZ8aLjk31fPiHj+kwuFpAkkxDP9tAp1Tl6PqWjy+z4PNP9Q42SP0q0e+EBy688e2W9HGSKGFNw6SBklRPhQTG/FbPia5O+pENN0QxawGyfULmMyGjkbW7Eodmn6FxONcZxEKyWbWGuhkj/gh2DwYVJ9YYKGOPs9oGALu8yXXGVZzvb1zUaiX0OxmYT19iCbgIeN7jOyp1EgswXK1P87tQC16e3a9B29mw/RtnOsDThXwcU6Y1UKBISXmJR8BQUq3LaOkzTbMKqkgZm7pgbqOVppZwtWH4LomfFyk6fBwvYACLknqumY4XLpO6E6OoD1FmxdVaq0NCmpzH3J/xDUvPxrhK7aTnahg/dRjWJrso7HY1wXtqzSre18+qV9zGl5vq8YHx0bcnDgCD81vbO1CMWoxfWJ8CIz5yOfO3agrUBHlD9e6ASsQhagmbE8mJ1XmlAqWIZvqGnwVo4dYxq7wQrUeb7lIWaQ6RQ7ksR4MRaSdA3jKDDlzfdG+xfsathpLSSNxARQ8sGXEwcdt9KaDA7SIvfm/DEOUGyaaE5lmbv7HUsHIwrfVdSBbFbrXR+K/WWsRFSs/N6XZse2NvGiIjmQcBqz09e+4mqNZbYRmSXb4U1wYJfP/KYak9lpFpNTpEw7yFxg7NiJwwaCOpmov/MU4fE0aLc2uELK9YVqkQML0UVlkXmnK4tTsC4XijWbaYGO2su8tZcQ/lD5qNJdAWpGpqTAiCmVYxQGbx3KWwO2CGI2FG18+Wgtzxwf3nUDIH7fpgmpKGtY51H0R1ffOLbbjCOek82y9Tr/qb7vFpdT5XwV0pwJ1gSCBWgTpdDn0xfwmD47B1fn9ZOXj6Swl9LjspGGtPv/86fij7hSxg/sSs3rQk+5RvfqCY/nV3vI7+E6HlytBeo6vEqre1x7xyTKf+yg3GkzDFmH3GDIlX1+Tw9QcW8M/RUdTQzvKpp9ZiTwCKIRErJ7FaEXI1Yt75QhKvtSOA173JNu4YtQs5S4Dn8ZhOfPIRAEIqVT+RguPLdHrDgQNKmlAsC2Q0sL8L3rtIG92/af3KVxnBNBm4tIGeCH9iUQFSe6lmZPou9TZ163M1fRlEJJnro2fslJ1umalxchADp5gicP+0p/nGrT7KfuFIir+S28TYLvafNGw8C3o77HPo9Xmkch7CxGXct3BVY7ToLILaqZ/GhWA+iMT
/E7/eD/VxiUTwPOhbQBSDFnnAUJNwnQTnpdQHvfMyfQhncNMlVsb0FUw6aGRmngDXYTuuXlbA2NLHfe/J1D5FvL1VO1bJpotH8b4ndmle7LcLqrN6C4SXT5KKjOlLjQMkfiJahC1CoifAmLcnd8u8hFx5s//iKijMuZ3fLvSlkW8omtOvMjF0IXZ6VzbSV9N0HqBjvsGJvzp/9o8pFNkU9hDaZtSuoJrgCTbIbwRY9Ci8+f1jH/AuNcztSbxrolGKYqWbOnBJOg5KbAJFheNBDLe6dR+7vQSAt43GA3OhGc5Uwz2l8fVe8YPcWAPxZO6Rty+H1SOcurApvpP+Gh4WFCfEqvZC5o2PVG++dEVsWaMzZoe+CIz6acHxVM2avKyYQVrBdoAhhKHPCPrWNEQOAXpX3Y5iVr03lEHWtP8JIGl1qUKVjWlyq+JpDk8WCeJmjVBGjJ0W+WhKLpoWocy+oS41H1GABVPePlWi1PIoDudzp8K2JhcWJnwApDsrY5GGy9O8xgRSnQUUlbadKDi6ouGzlql8O0uS4sqzaMVIHhhHYKmzbYDeb/BKgjPKxFTTUPQchWK7I2PzJf+9WWj8CdnfEMk821t0xQaqK7BsAlLpF075X181vvQFktYWUcTD2LHlrxUKOJLyzpGi3FiZi+YObGyl+HNynw0S7ioHbMweiZ5unnc8jDoDTsSdRDIiOquNteMxk/s2MwaYLZCxjUqW57VZKf+ji8eUq7lAtrfgWjKYkVZJXHjjU6KQirW/tL9psULSTNl4FSSdqiKxKTCNj43nhR4suiCBrSCt/3oNUjVD9IqtUziz6+TtSY3t3tfYe7MuqnkPcg11k4VszULWYROKgP7DpoETOKtn5G4xDQwT+NXro//asrEczoGzArxlgoKph2+QBite95XGofLzPseKDjCdNgE3cwg9xoPG9d3I6OPWwVxuigt5Tp6TnMcfrG8EAVtAdGtuyCHXl1aR5MRuSDEtErzP+WwUttk8reL9YDJ3V8SJUyibz+o5yXDYlwsNbQXEJCUJIU1qaWBp7dMd5cIqi21OjxPI6tsp/jQ9f8+mpMpXSx+3gK8JUSvU4VWjEFpEXku04lmroSqqp0mxfp3qhfZN+eUeCZMRx+N0bNbVYRlxjnThONAQV7pJ8f4h4Q7WSFwyS7yGMZ6FkRWdN1yDDbqkTPNNU29TxtfwAz3mAXNdUU88m1Dz+0nFGzIjPdKX6TmBHnmn+8ZSxDacZqhcbTXDMJZkjvtu8ZQVSqEfZ+MB1ac93nfMkiO2LjXG0oBQVpqvhQe7FTXssMO1PK+C9IL31mDpwOdMn+MjPSX8zuTkO2CkMZIf5V2nFC521FbIlkU+K23z3IGvBWKG3fMeq6GGtBcwPp3aRcE6cXC5/7ifQgC7T0IgLQ3qn4z4l4fuIkjSK8VFihh4XKo+G4VouDbghFSQnwA1kUUQ5ogk5NRxpeAxMdWHEa69CaEnQbLEwWAZvTS8fFvE+OhHhDtcHKK/MKOzRr7r4RIVMrzs3cxzf6rnQjJcLmTcScSNr0jqxhoLl1K2VndZ31U7c0PthIup+NjdnbXWRcOhSwl6eWwQUjeZXJVhj1XOty1IjdI33D8pMPH6i9SQ32LuEt8XFUNU82NzPX/Ydx1gTU6F6+DPKarbjCUhrHsESQ7fK7gHOtMdcfi+S+S1jG4fxCRGQoTnaKb4K1TTq3WtLmcRzEUcBpSFLbzcgM03jMWl2pgx/dApzGSbGpHuTDXeW3B6LI7Ylgtu0pgTXBBap/9mdNB6hz5ro/gt9M+IfS/oG+slPUzS4E3Ql6qIgA5b7NxmoP9nvfA4y11gECYZ283vrD+YkERrInmqiN25p6A93vO4XckWFLYU2E/tPDlLygkX8vW0Rc+Qq2hHIs2pZjeFxpUL7hPVfX8qCeR8qs2cR4rGa/JWp3p51y/bBsVHsJ8JaAmEzcuRb/cCtmnP/5MgeF0Rsrk10bHVVQro0LqTphnjPLO
hVaMhKpg/EKUFQJ3qidiP6LKUSKD7+qxBYjtS2f9yUJaTZD8D8p5b3ni079YWeAXsa9blTCwrcQM6taCCwOazWqjtjBvtKjd4P1YtUWlFGfRooBaM8d+nSwPwyne19rUEyJNLKaGGfv0R/gn+AvdFnQ+aj+fDQl1OlLRRpWYA7BQjGSRde8XmUQiCGJgK4aaKxF63l4WBd3HfQjNwwI9jccjArjCOGrQjZiMgAV780Igb9FpxLzg0THoBdP/5BrCTRT8yjJ3K/X755X9kMni1hk5yuPLlKlB5MyWE5OzCWluIq+RUu</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>
@@ -0,0 +1,47 @@
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfx85d4517d-90a6-6399-2c74-ff79f5e42947" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
<saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx85d4517d-90a6-6399-2c74-ff79f5e42947"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>BbH821SAM/jagHd7Pql43JU71Do=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>W+ALJZHsfn7ZXGBx9wqgFsO8lAi80+908NddeL32g0hknAM9bDLmEXzGacscbs9g4XeIZyO+wPC28Y2MA0VXv/E13VOm54MxJdXiqF1wqfHnYHFP1TsyAR6CIJuux8yhijopoh1cJXWTzbUWRDDcgmTnUwA6ZBKl491hxuhWvN4dsLg3M0n0R2hPuZf1ywCVBR9vo4w7Hssw4hfSEDTyGDw0WTDnh8Xzaw6dzrKFbsIlVKRDWwG2FKpIdMJhoyMf4/947JhIWPE4T0EB73+/Mv7/LmJlimQTK2kbMSainQtZrdsVXYH7ErxMsYmRPiaXd33YrxOVaK7IML8PI9xe1Q==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="pfx3f74e8d8-a8ee-6812-18f4-94daf3308ae4" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
<saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx3f74e8d8-a8ee-6812-18f4-94daf3308ae4"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>frcmIha8lU6d04GedZS99GMSZr0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Cc6ARuJvTbrP9/3JieRPQD0I5bj2WGzSByswheohtwEjQxCviMBLIqfAL92E+BMi3DRqbFFL0upuFpSXbZiLUyrAWaGCs0yvHEF1w7q9i/EdCRND33IbyJCluCBkNmOmduP1hF3+Duf/MduL2FShV3INsynl5awW1aLNYZo1sBk0dFuJVTLjJIhoqihhD6yqXSZhmyI7lWWBnrUyXR0SKyrmrLfgjhZsNobibC8xqHTgeXsDiWJeHGHyaU0uRk3P0vUAJsjy0RA9J5rEkpLhMQ3T0G/0QODVhf+IPImwR6Aasw7kUXYL4v/iO2RQEM0i+l/UrM2mj55oDyrky5jRYw==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@hacker-corp.com
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://hacker-corp.madness.com/sso/callback"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
<saml:AuthnStatement AuthnInstant="2020-09-25T16:00:00+00:00" SessionIndex="_9e315bdf7b1b6732be33c377cf6f5c4f">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="evil-corp.egroupid">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
vincent.vega@evil-corp.com
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="evilcorp.givenname">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Vincent
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="evilcorp.sn">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VEGA
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
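Review bot: The SubjectConfirmationData inside the signed Assertion carries `NotOnOrAfter="2020-09-25T16=7:00:00+00:00"`, which is not a well-formed xs:dateTime (an `=` where a colon belongs). If the tests this fixture backs only exercise the assertion-signature requirement it will not matter today, but the attribute lies inside the signed Assertion, so correcting it means re-signing the fixture rather than editing the text. A comment in the consuming test naming what this fixture is meant to prove, or a corrected and re-signed copy, would keep it from turning into a confusing failure if recipient or validity-time checks are ever applied to it. The file header for this section is not shown, so which test consumes it cannot be told from here.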
