Fails to validate responses from TrustLogin

package.yaml

@@ -49,8 +49,8 @@ library:
     - -W
 
 tests:
-  parser:
-    main: Parser.hs
+  wai-saml2-test:
+    main: spec.hs
     source-dirs: tests
     ghc-options: -Wall -Wcompat
     dependencies:
@@ -59,6 +59,9 @@ tests:
       - filepath
       - pretty-show
       - tasty
+      - tasty-expected-failure
       - tasty-golden
+      - tasty-hunit
+      - transformers
       - wai-saml2
       - xml-conduit

src/Network/Wai/SAML2/Response.hs

@@ -116,8 +116,9 @@ isNotSignature _ = True
 -- @document@ and returns the resulting document.
 removeSignature :: Document -> Document
 removeSignature (Document prologue root misc) =
-    let Element n attr ns = root
-    in Document prologue (Element n attr (filter isNotSignature ns)) misc
+    Document prologue (go root) misc
+    where
+        go (Element n attr ns) = Element n attr (filter isNotSignature ns)
 
 -- | Returns all nodes at @cursor@.
 nodes :: MonadFail m => Cursor -> m Node

src/Network/Wai/SAML2/Validation.hs

@@ -45,6 +45,8 @@ import Network.Wai.SAML2.Assertion
 import qualified Text.XML as XML
 import qualified Text.XML.Cursor as XML
 
+import Debug.Trace
+
 --------------------------------------------------------------------------------
 
 -- | 'validateResponse' @cfg responseData@ validates a SAML2 response contained
@@ -93,7 +95,6 @@ validateSAMLResponse :: SAML2Config
                      -> UTCTime
                      -> ExceptT SAML2Error IO Assertion
 validateSAMLResponse cfg responseXmlDoc samlResponse now = do
-
     -- check that the response indicates success
     case statusCodeValue $ responseStatusCode samlResponse of
         Success -> pure ()
@@ -182,7 +183,7 @@ validateSAMLResponse cfg responseXmlDoc samlResponse now = do
                       $ signedInfoReference
                       $ signatureInfo
                       $ responseSignature samlResponse
-
+    traceShowM (documentHash, referenceHash, Just documentHash == referenceHash)
     if Just documentHash /= referenceHash
     then throwError InvalidDigest
     else pure ()

stack-lts-16.1.yaml

@@ -3,4 +3,4 @@ packages:
 - .
 
 extra-deps:
-- c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+- c14n-0.1.0.3

stack-lts-16.1.yaml.lock

@@ -5,15 +5,15 @@
 
 packages:
 - completed:
-    hackage: c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+    hackage: c14n-0.1.0.3@sha256:71d230741cbe6023e3b3ef43c4acf79d18cc3631d956b2261e4a170302baaebc,1163
     pantry-tree:
+      sha256: 86277e6f592859bb078ebac3fa6d71880f0079858c1f1ca64c38885586e1b4f8
       size: 285
-      sha256: 67187305166a25d10cb133378ae89c3d76d51ee756edd757a84f71f176eb61e7
   original:
-    hackage: c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+    hackage: c14n-0.1.0.3
 snapshots:
 - completed:
+    sha256: 954b6b14b0c8130732cf4773f7ebb4efc9a44600d1a5265d142868bf93462bc6
     size: 531237
     url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/16/1.yaml
-    sha256: 954b6b14b0c8130732cf4773f7ebb4efc9a44600d1a5265d142868bf93462bc6
   original: lts-16.1

stack-lts-17.14.yaml

@@ -1,7 +1,3 @@
 resolver: lts-17.14
-compiler: ghc-8.10.7
-packages:
-- .
-
 extra-deps:
-- c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+- c14n-0.1.0.3

stack-lts-17.14.yaml.lock

@@ -5,15 +5,15 @@
 
 packages:
 - completed:
-    hackage: c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+    hackage: c14n-0.1.0.3@sha256:71d230741cbe6023e3b3ef43c4acf79d18cc3631d956b2261e4a170302baaebc,1163
     pantry-tree:
+      sha256: 86277e6f592859bb078ebac3fa6d71880f0079858c1f1ca64c38885586e1b4f8
       size: 285
-      sha256: 67187305166a25d10cb133378ae89c3d76d51ee756edd757a84f71f176eb61e7
   original:
-    hackage: c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+    hackage: c14n-0.1.0.3
 snapshots:
 - completed:
+    sha256: 3740f22286bf5e6e3d82f88125e1c708b6e27847211f956b530aa5d83cf39383
     size: 567677
     url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/17/14.yaml
-    sha256: 3740f22286bf5e6e3d82f88125e1c708b6e27847211f956b530aa5d83cf39383
   original: lts-17.14

stack-lts-18.yaml

@@ -1 +1,3 @@
 resolver: lts-18.28
+extra-deps:
+- c14n-0.1.0.3

stack-lts-18.yaml.lock

@@ -0,0 +1,19 @@
+# This file was autogenerated by Stack.
+# You should not edit this file by hand.
+# For more information, please see the documentation at:
+#   https://docs.haskellstack.org/en/stable/lock_files
+
+packages:
+- completed:
+    hackage: c14n-0.1.0.3@sha256:71d230741cbe6023e3b3ef43c4acf79d18cc3631d956b2261e4a170302baaebc,1163
+    pantry-tree:
+      sha256: 86277e6f592859bb078ebac3fa6d71880f0079858c1f1ca64c38885586e1b4f8
+      size: 285
+  original:
+    hackage: c14n-0.1.0.3
+snapshots:
+- completed:
+    sha256: 428ec8d5ce932190d3cbe266b9eb3c175cd81e984babf876b64019e2cbe4ea68
+    size: 590100
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/18/28.yaml
+  original: lts-18.28

stack-lts-19.yaml

@@ -1 +1,3 @@
 resolver: lts-19.33
+extra-deps:
+- c14n-0.1.0.3

stack-lts-19.yaml.lock

@@ -0,0 +1,19 @@
+# This file was autogenerated by Stack.
+# You should not edit this file by hand.
+# For more information, please see the documentation at:
+#   https://docs.haskellstack.org/en/stable/lock_files
+
+packages:
+- completed:
+    hackage: c14n-0.1.0.3@sha256:71d230741cbe6023e3b3ef43c4acf79d18cc3631d956b2261e4a170302baaebc,1163
+    pantry-tree:
+      sha256: 86277e6f592859bb078ebac3fa6d71880f0079858c1f1ca64c38885586e1b4f8
+      size: 285
+  original:
+    hackage: c14n-0.1.0.3
+snapshots:
+- completed:
+    sha256: 6d1532d40621957a25bad5195bfca7938e8a06d923c91bc52aa0f3c41181f2d4
+    size: 619204
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/19/33.yaml
+  original: lts-19.33

stack-lts-20.yaml

@@ -1 +1,3 @@
 resolver: lts-20.2
+extra-deps:
+- c14n-0.1.0.3

stack-lts-20.yaml.lock

@@ -0,0 +1,19 @@
+# This file was autogenerated by Stack.
+# You should not edit this file by hand.
+# For more information, please see the documentation at:
+#   https://docs.haskellstack.org/en/stable/lock_files
+
+packages:
+- completed:
+    hackage: c14n-0.1.0.3@sha256:71d230741cbe6023e3b3ef43c4acf79d18cc3631d956b2261e4a170302baaebc,1163
+    pantry-tree:
+      sha256: 86277e6f592859bb078ebac3fa6d71880f0079858c1f1ca64c38885586e1b4f8
+      size: 285
+  original:
+    hackage: c14n-0.1.0.3
+snapshots:
+- completed:
+    sha256: fc39d8afc97531d53d87b10abdef593bce503c0c1e46c2e9a84ebcbc78bf8470
+    size: 648432
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/20/2.yaml
+  original: lts-20.2

stack.yaml.lock

@@ -5,15 +5,15 @@
 
 packages:
 - completed:
-    hackage: c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+    hackage: c14n-0.1.0.3@sha256:71d230741cbe6023e3b3ef43c4acf79d18cc3631d956b2261e4a170302baaebc,1163
     pantry-tree:
+      sha256: 86277e6f592859bb078ebac3fa6d71880f0079858c1f1ca64c38885586e1b4f8
       size: 285
-      sha256: 67187305166a25d10cb133378ae89c3d76d51ee756edd757a84f71f176eb61e7
   original:
-    hackage: c14n-0.1.0.1@sha256:c56a513c1363d126ee704656b59d2e2af1cfe878587a97cb69ab0122b82e2d4d,1371
+    hackage: c14n-0.1.0.3
 snapshots:
 - completed:
+    sha256: 3740f22286bf5e6e3d82f88125e1c708b6e27847211f956b530aa5d83cf39383
     size: 567677
     url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/17/14.yaml
-    sha256: 3740f22286bf5e6e3d82f88125e1c708b6e27847211f956b530aa5d83cf39383
   original: lts-17.14

tests/Parser.hs

@@ -1,6 +1,9 @@
 {-# LANGUAGE ScopedTypeVariables #-}
 {-# LANGUAGE AllowAmbiguousTypes #-}
 {-# LANGUAGE TypeApplications #-}
+
+module Parser where
+
 import Network.Wai.SAML2.EntityDescriptor
 import Network.Wai.SAML2.Response
 import Network.Wai.SAML2.XML
@@ -18,8 +21,8 @@ run src = do
     resp <- parseXML (fromDocument doc)
     pure $ BC.pack $ ppShow (resp :: t)
 
-main :: IO ()
-main = defaultMain $ testGroup "Parse SAML2 response"
+tests :: TestTree
+tests = testGroup "Parse SAML2 response"
     [ mkGolden @Response $ prefix </> "keycloak.xml"
     , mkGolden @Response $ prefix </> "okta.xml"
     , mkGolden @Response $ prefix </> "google.xml"

tests/Validation.hs

@@ -0,0 +1,55 @@
+module Validation where
+
+import Control.Monad.Trans.Except
+import Crypto.PubKey.RSA (PublicKey)
+import qualified Data.ByteString as B
+import qualified Data.ByteString.Base64 as Base64
+import Data.Time.Format.ISO8601
+import qualified Data.X509 as X509
+import qualified Data.X509.Memory as X509
+import Network.Wai.SAML2
+import Network.Wai.SAML2.Validation
+import System.FilePath
+import Test.Tasty
+import Test.Tasty.ExpectedFailure
+import Test.Tasty.HUnit
+
+-- | Get a public key from a X.509 certificate
+parseCertificate :: B.ByteString -> PublicKey
+parseCertificate certificate = case X509.readSignedObjectFromMemory certificate of
+    [signedCert] -> case X509.certPubKey $ X509.signedObject $ X509.getSigned signedCert of
+        X509.PubKeyRSA key -> key
+        other -> error $ "Expected PubKeyRSA, but got " <> show other
+    xs -> error $ show xs
+
+run :: FilePath -> String -> FilePath -> IO ()
+run certPath timestamp respPath = do
+    cert <- B.readFile $ prefix </> certPath
+    xml <- B.readFile $ prefix </> respPath
+    now <- iso8601ParseM timestamp
+
+    let pub = parseCertificate cert
+        cfg = saml2ConfigNoEncryption pub
+
+    assertion <- runExceptT $ do
+        (responseXmlDoc, samlResponse) <- decodeResponse $ Base64.encode xml
+        validateSAMLResponse cfg responseXmlDoc samlResponse now
+
+    case assertion of
+        Left err -> assertFailure $ show err
+        Right _ -> pure ()
+
+prefix :: FilePath
+prefix = "tests/data"
+
+tests :: TestTree
+tests = testGroup "Validate SAML2 Response"
+    [ testCase "AzureAD signed response"
+        $ run "azuread.crt" "2023-05-10T01:20:00Z" "azuread-signed-response.xml"
+    , expectFail $ testCase "AzureAD signed assertion"
+        $ run "azuread.crt" "2023-05-09T16:00:00Z" "azuread-signed-assertion.xml"
+    , testCase "Okta with AttributeStatement"
+        $ run "okta.crt" "2023-06-16T06:43:00.000Z" "okta-attributes.xml"
+    , testCase "TrustLogin"
+        $ run "trustlogin.crt" "2023-07-21T08:30:00.000Z" "trustlogin.xml"
+    ]

tests/data/azuread-signed-assertion.xml

@@ -0,0 +1 @@
+<samlp:Response ID="_c082940d-31cf-40a2-a581-2a7af122e7e5" Version="2.0" IssueInstant="2023-05-09T15:45:24.293Z" Destination="https://loopback.ja-sore.de:3443/auth/page/saml2/login" InResponseTo="id23dffd06a31f7ad10975c9c893bf8668" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_7dd71b79-0320-4c6b-b524-72f6993d8100" IssueInstant="2023-05-09T15:45:24.288Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_7dd71b79-0320-4c6b-b524-72f6993d8100"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SkxHylilOD37KOxJT4V0YLIsL3W3AYHWM+iIZHmbukc=</DigestValue></Reference></SignedInfo><SignatureValue>EIg22vtTqnEhiwE3HYruwnWOTKQjs57aQSqeq4gnLV7yoqQw0jjPWkkGTto2/0TeHWomX58Gj2MDNCRjlwid2jQuy6jZQW2+wDBurElVAO7trcxrX48EaKnG9ZPh/1++40O1l970zVzSRwknFvnOHpghWQsib9NadrRWB6/ZbmwpVhCfYYAcfu8z/o8TdQQtE66I2dr6YD8kAPbBe/vEeHBVPycaZj+8fqia5sIpGBUnH7rTvaTnzBHol1zg1YYyK8O53p7baQaQQ8WEZ4agBNjtHeJGbo2bP8uvO14FnoVoUQqDATJKkDHq5rM+6tQ0RvZgSP6jjKoiw5pfchedpQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQafqoqGZ3HoxNh23cdsDACjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEwMjQwNDM3MzJaFw0yNTEwMjQwNDM3MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIrXrPws5kjzFTAJbXa/pitQ2hZTs9CMOv48iFXJLRRr90GaIUikqbU0X4CL3bewMC0XVBlBQwTGpRIIWbYreZ6lfQYaP/ACGysQ96m2aknH8cUQdlUFCEo94LlzTLqkDf+JWfdBT6AWDS9aLjS/r25HZRUR7xBcdSYOfSEE2UcO8QBH9BvoOD/xBBwAvSo4rjOwr9ZaKAG3Axu7Dh/T2AAE5ZHbCIQEeMEEkofQbexitiTYt0c2CyWdAFoR6MlxEPhWE8sIko62PhDMBMuGu67ZCbBINIVj2CcDr1kBx6OVdgvZYum/A09RRzBTMuFMP2+WG3yCjaUMA3Gn5lpv2QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAO0/TzTx1OQYUTPGwafh2mHzVpc9Hk2LIY+YvV4bbVsUwnuV6HKVr2Sn3uLIUiSE/JjTdjy7KE/1LBN2KNMe7vs67gOIjOODf/LMQJMHqu7oJtZdt1omrpxJH6DkA/YmPGyUOcX7ADLbaw4cf2lTt8Pk97HP+EvAM31ZfjLtgyGDlREeWa/y2wWOHOdeO1CGwvK1BKz9Sdg7bAs7lBSX/1Qp8pnnOJb/2wNuc9vw6p5UCEFvlAzGyRRLPZfDiazDzTznTyYDPupzJ5pic3rcogzCGQGUWW5dGG7c6lM6EAYDKNAZ+cv4wWrMA4sAo+DdNkzs8sDSv8Jw1AXGRuOTzQ</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">fumieval@herpdev.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id23dffd06a31f7ad10975c9c893bf8668" NotOnOrAfter="2023-05-09T16:45:24.198Z" Recipient="https://loopback.ja-sore.de:3443/auth/page/saml2/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-05-09T15:40:24.198Z" NotOnOrAfter="2023-05-09T16:45:24.198Z"><AudienceRestriction><Audience>https://loopback.ja-sore.de:3443/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>b0a63ade-3ec7-4d8b-991f-87eb4336274a</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>552200d7-3516-4d81-8ea1-a87b429f07ef</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>fumieval</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>fumieval@herpdev.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2023-05-09T06:21:17.599Z" SessionIndex="_7dd71b79-0320-4c6b-b524-72f6993d8100"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

tests/data/azuread-signed-response.xml

@@ -0,0 +1 @@
+<samlp:Response ID="_3276aca6-caa4-4e08-843a-f03eeafde126" Version="2.0" IssueInstant="2023-05-10T01:17:32.634Z" Destination="https://loopback.ja-sore.de:3443/auth/page/saml2/login" InResponseTo="id63a9912a51445aa4d4ec3dbf2aada166" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_3276aca6-caa4-4e08-843a-f03eeafde126"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>smKor6LEHK0P+AlWTo7tPay67uUlbAe+ab0i9SrP6l8=</DigestValue></Reference></SignedInfo><SignatureValue>naCN4lVR8RyqmLg4k0xjV2iM3mauBfBvswhJC/y2ikUf/i61WnOzmwI6+71yM8KSWCwiclQeUdgQf1ZHlNUlqub/ovaHQw6h5PN5wNSxDXp1O/YJ7Mh+JgcIAqKS5lQyes0LO1KAIukEShcla1ml4CnnzEjVQl7dBDsmwu3hRmkYSOeLCh1Ln0kCclG1W5IFJiDd2IJLoomUGvUq3Ei5sS/dFCRgPizu8IdFYjAvo51WwFDJGMVJLFnfo/xf+FctUt9MWMtOJ4X0J2RefLgyAVyT9NFzQWMOEBPXHinHfmWp9bI1DtQz4UZJnwJW1IizNlKpdE0Yt8j0FqvmAFHwOA==</SignatureValue><KeyInfo><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Certificate>MIIC8DCCAdigAwIBAgIQafqoqGZ3HoxNh23cdsDACjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEwMjQwNDM3MzJaFw0yNTEwMjQwNDM3MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIrXrPws5kjzFTAJbXa/pitQ2hZTs9CMOv48iFXJLRRr90GaIUikqbU0X4CL3bewMC0XVBlBQwTGpRIIWbYreZ6lfQYaP/ACGysQ96m2aknH8cUQdlUFCEo94LlzTLqkDf+JWfdBT6AWDS9aLjS/r25HZRUR7xBcdSYOfSEE2UcO8QBH9BvoOD/xBBwAvSo4rjOwr9ZaKAG3Axu7Dh/T2AAE5ZHbCIQEeMEEkofQbexitiTYt0c2CyWdAFoR6MlxEPhWE8sIko62PhDMBMuGu67ZCbBINIVj2CcDr1kBx6OVdgvZYum/A09RRzBTMuFMP2+WG3yCjaUMA3Gn5lpv2QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAO0/TzTx1OQYUTPGwafh2mHzVpc9Hk2LIY+YvV4bbVsUwnuV6HKVr2Sn3uLIUiSE/JjTdjy7KE/1LBN2KNMe7vs67gOIjOODf/LMQJMHqu7oJtZdt1omrpxJH6DkA/YmPGyUOcX7ADLbaw4cf2lTt8Pk97HP+EvAM31ZfjLtgyGDlREeWa/y2wWOHOdeO1CGwvK1BKz9Sdg7bAs7lBSX/1Qp8pnnOJb/2wNuc9vw6p5UCEFvlAzGyRRLPZfDiazDzTznTyYDPupzJ5pic3rcogzCGQGUWW5dGG7c6lM6EAYDKNAZ+cv4wWrMA4sAo+DdNkzs8sDSv8Jw1AXGRuOTzQ</ds:X509Certificate></ds:X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_f28f92be-9cc4-44df-bfa0-4245434f9d00" IssueInstant="2023-05-10T01:17:32.632Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">fumieval@herpdev.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id63a9912a51445aa4d4ec3dbf2aada166" NotOnOrAfter="2023-05-10T02:17:32.563Z" Recipient="https://loopback.ja-sore.de:3443/auth/page/saml2/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-05-10T01:12:32.563Z" NotOnOrAfter="2023-05-10T02:17:32.563Z"><AudienceRestriction><Audience>https://loopback.ja-sore.de:3443/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>b0a63ade-3ec7-4d8b-991f-87eb4336274a</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>552200d7-3516-4d81-8ea1-a87b429f07ef</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>fumieval</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>fumieval@herpdev.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2023-05-09T06:21:17.599Z" SessionIndex="_f28f92be-9cc4-44df-bfa0-4245434f9d00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>