Add validation test, including a failing example

mbg · Jul 17, 2024 · f50b4d4 · f50b4d4
1 parent e837904
commit f50b4d4
Show file tree

Hide file tree

Showing 10 changed files with 128 additions and 6 deletions.
diff --git a/package.yaml b/package.yaml
@@ -49,8 +49,8 @@ library:
     - -W
 
 tests:
-  parser:
-    main: Parser.hs
+  wai-saml2-test:
+    main: spec.hs
     source-dirs: tests
     ghc-options: -Wall -Wcompat
     dependencies:
@@ -59,6 +59,9 @@ tests:
       - filepath
       - pretty-show
       - tasty
+      - tasty-expected-failure
       - tasty-golden
+      - tasty-hunit
+      - transformers
       - wai-saml2
       - xml-conduit
diff --git a/tests/Parser.hs b/tests/Parser.hs
@@ -1,6 +1,9 @@
 {-# LANGUAGE ScopedTypeVariables #-}
 {-# LANGUAGE AllowAmbiguousTypes #-}
 {-# LANGUAGE TypeApplications #-}
+
+module Parser where
+
 import Network.Wai.SAML2.EntityDescriptor
 import Network.Wai.SAML2.Response
 import Network.Wai.SAML2.XML
@@ -18,8 +21,8 @@ run src = do
     resp <- parseXML (fromDocument doc)
     pure $ BC.pack $ ppShow (resp :: t)
 
-main :: IO ()
-main = defaultMain $ testGroup "Parse SAML2 response"
+tests :: TestTree
+tests = testGroup "Parse SAML2 response"
     [ mkGolden @Response $ prefix </> "keycloak.xml"
     , mkGolden @Response $ prefix </> "okta.xml"
     , mkGolden @Response $ prefix </> "google.xml"

diff --git a/tests/Validation.hs b/tests/Validation.hs
@@ -0,0 +1,53 @@
+module Validation where
+
+import Control.Monad.Trans.Except
+import Crypto.PubKey.RSA (PublicKey)
+import qualified Data.ByteString as B
+import qualified Data.ByteString.Base64 as Base64
+import Data.Time.Format.ISO8601
+import qualified Data.X509 as X509
+import qualified Data.X509.Memory as X509
+import Network.Wai.SAML2
+import Network.Wai.SAML2.Validation
+import System.FilePath
+import Test.Tasty
+import Test.Tasty.ExpectedFailure
+import Test.Tasty.HUnit
+
+-- | Get a public key from a X.509 certificate
+parseCertificate :: B.ByteString -> PublicKey
+parseCertificate certificate = case X509.readSignedObjectFromMemory certificate of
+    [signedCert] -> case X509.certPubKey $ X509.signedObject $ X509.getSigned signedCert of
+        X509.PubKeyRSA key -> key
+        other -> error $ "Expected PubKeyRSA, but got " <> show other
+    xs -> error $ show xs
+
+run :: FilePath -> String -> FilePath -> IO ()
+run certPath timestamp respPath = do
+    cert <- B.readFile $ prefix </> certPath
+    xml <- B.readFile $ prefix </> respPath
+    now <- iso8601ParseM timestamp
+
+    let pub = parseCertificate cert
+        cfg = saml2ConfigNoEncryption pub
+
+    assertion <- runExceptT $ do
+        (responseXmlDoc, samlResponse) <- decodeResponse $ Base64.encode xml
+        validateSAMLResponse cfg responseXmlDoc samlResponse now
+
+    case assertion of
+        Left err -> assertFailure $ show err
+        Right _ -> pure ()
+
+prefix :: FilePath
+prefix = "tests/data"
+
+tests :: TestTree
+tests = testGroup "Validate SAML2 Response"
+    [ testCase "AzureAD signed response"
+        $ run "azuread.crt" "2023-05-10T01:20:00Z" "azuread-signed-response.xml"
+    , expectFail $ testCase "AzureAD signed assertion"
+        $ run "azuread.crt" "2023-05-09T16:00:00Z" "azuread-signed-assertion.xml"
+    , testCase "Okta with AttributeStatement"
+        $ run "okta.crt" "2023-06-16T06:43:00.000Z" "okta-attributes.xml"
+    ]
diff --git a/tests/data/azuread-signed-assertion.xml b/tests/data/azuread-signed-assertion.xml
@@ -0,0 +1 @@
+<samlp:Response ID="_c082940d-31cf-40a2-a581-2a7af122e7e5" Version="2.0" IssueInstant="2023-05-09T15:45:24.293Z" Destination="https://loopback.ja-sore.de:3443/auth/page/saml2/login" InResponseTo="id23dffd06a31f7ad10975c9c893bf8668" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_7dd71b79-0320-4c6b-b524-72f6993d8100" IssueInstant="2023-05-09T15:45:24.288Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_7dd71b79-0320-4c6b-b524-72f6993d8100"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SkxHylilOD37KOxJT4V0YLIsL3W3AYHWM+iIZHmbukc=</DigestValue></Reference></SignedInfo><SignatureValue>EIg22vtTqnEhiwE3HYruwnWOTKQjs57aQSqeq4gnLV7yoqQw0jjPWkkGTto2/0TeHWomX58Gj2MDNCRjlwid2jQuy6jZQW2+wDBurElVAO7trcxrX48EaKnG9ZPh/1++40O1l970zVzSRwknFvnOHpghWQsib9NadrRWB6/ZbmwpVhCfYYAcfu8z/o8TdQQtE66I2dr6YD8kAPbBe/vEeHBVPycaZj+8fqia5sIpGBUnH7rTvaTnzBHol1zg1YYyK8O53p7baQaQQ8WEZ4agBNjtHeJGbo2bP8uvO14FnoVoUQqDATJKkDHq5rM+6tQ0RvZgSP6jjKoiw5pfchedpQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQafqoqGZ3HoxNh23cdsDACjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEwMjQwNDM3MzJaFw0yNTEwMjQwNDM3MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIrXrPws5kjzFTAJbXa/pitQ2hZTs9CMOv48iFXJLRRr90GaIUikqbU0X4CL3bewMC0XVBlBQwTGpRIIWbYreZ6lfQYaP/ACGysQ96m2aknH8cUQdlUFCEo94LlzTLqkDf+JWfdBT6AWDS9aLjS/r25HZRUR7xBcdSYOfSEE2UcO8QBH9BvoOD/xBBwAvSo4rjOwr9ZaKAG3Axu7Dh/T2AAE5ZHbCIQEeMEEkofQbexitiTYt0c2CyWdAFoR6MlxEPhWE8sIko62PhDMBMuGu67ZCbBINIVj2CcDr1kBx6OVdgvZYum/A09RRzBTMuFMP2+WG3yCjaUMA3Gn5lpv2QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAO0/TzTx1OQYUTPGwafh2mHzVpc9Hk2LIY+YvV4bbVsUwnuV6HKVr2Sn3uLIUiSE/JjTdjy7KE/1LBN2KNMe7vs67gOIjOODf/LMQJMHqu7oJtZdt1omrpxJH6DkA/YmPGyUOcX7ADLbaw4cf2lTt8Pk97HP+EvAM31ZfjLtgyGDlREeWa/y2wWOHOdeO1CGwvK1BKz9Sdg7bAs7lBSX/1Qp8pnnOJb/2wNuc9vw6p5UCEFvlAzGyRRLPZfDiazDzTznTyYDPupzJ5pic3rcogzCGQGUWW5dGG7c6lM6EAYDKNAZ+cv4wWrMA4sAo+DdNkzs8sDSv8Jw1AXGRuOTzQ</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">fumieval@herpdev.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id23dffd06a31f7ad10975c9c893bf8668" NotOnOrAfter="2023-05-09T16:45:24.198Z" Recipient="https://loopback.ja-sore.de:3443/auth/page/saml2/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-05-09T15:40:24.198Z" NotOnOrAfter="2023-05-09T16:45:24.198Z"><AudienceRestriction><Audience>https://loopback.ja-sore.de:3443/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>b0a63ade-3ec7-4d8b-991f-87eb4336274a</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>552200d7-3516-4d81-8ea1-a87b429f07ef</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>fumieval</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>fumieval@herpdev.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2023-05-09T06:21:17.599Z" SessionIndex="_7dd71b79-0320-4c6b-b524-72f6993d8100"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
diff --git a/tests/data/azuread-signed-response.xml b/tests/data/azuread-signed-response.xml
@@ -0,0 +1 @@
+<samlp:Response ID="_3276aca6-caa4-4e08-843a-f03eeafde126" Version="2.0" IssueInstant="2023-05-10T01:17:32.634Z" Destination="https://loopback.ja-sore.de:3443/auth/page/saml2/login" InResponseTo="id63a9912a51445aa4d4ec3dbf2aada166" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_3276aca6-caa4-4e08-843a-f03eeafde126"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>smKor6LEHK0P+AlWTo7tPay67uUlbAe+ab0i9SrP6l8=</DigestValue></Reference></SignedInfo><SignatureValue>naCN4lVR8RyqmLg4k0xjV2iM3mauBfBvswhJC/y2ikUf/i61WnOzmwI6+71yM8KSWCwiclQeUdgQf1ZHlNUlqub/ovaHQw6h5PN5wNSxDXp1O/YJ7Mh+JgcIAqKS5lQyes0LO1KAIukEShcla1ml4CnnzEjVQl7dBDsmwu3hRmkYSOeLCh1Ln0kCclG1W5IFJiDd2IJLoomUGvUq3Ei5sS/dFCRgPizu8IdFYjAvo51WwFDJGMVJLFnfo/xf+FctUt9MWMtOJ4X0J2RefLgyAVyT9NFzQWMOEBPXHinHfmWp9bI1DtQz4UZJnwJW1IizNlKpdE0Yt8j0FqvmAFHwOA==</SignatureValue><KeyInfo><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Certificate>MIIC8DCCAdigAwIBAgIQafqoqGZ3HoxNh23cdsDACjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEwMjQwNDM3MzJaFw0yNTEwMjQwNDM3MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIrXrPws5kjzFTAJbXa/pitQ2hZTs9CMOv48iFXJLRRr90GaIUikqbU0X4CL3bewMC0XVBlBQwTGpRIIWbYreZ6lfQYaP/ACGysQ96m2aknH8cUQdlUFCEo94LlzTLqkDf+JWfdBT6AWDS9aLjS/r25HZRUR7xBcdSYOfSEE2UcO8QBH9BvoOD/xBBwAvSo4rjOwr9ZaKAG3Axu7Dh/T2AAE5ZHbCIQEeMEEkofQbexitiTYt0c2CyWdAFoR6MlxEPhWE8sIko62PhDMBMuGu67ZCbBINIVj2CcDr1kBx6OVdgvZYum/A09RRzBTMuFMP2+WG3yCjaUMA3Gn5lpv2QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAO0/TzTx1OQYUTPGwafh2mHzVpc9Hk2LIY+YvV4bbVsUwnuV6HKVr2Sn3uLIUiSE/JjTdjy7KE/1LBN2KNMe7vs67gOIjOODf/LMQJMHqu7oJtZdt1omrpxJH6DkA/YmPGyUOcX7ADLbaw4cf2lTt8Pk97HP+EvAM31ZfjLtgyGDlREeWa/y2wWOHOdeO1CGwvK1BKz9Sdg7bAs7lBSX/1Qp8pnnOJb/2wNuc9vw6p5UCEFvlAzGyRRLPZfDiazDzTznTyYDPupzJ5pic3rcogzCGQGUWW5dGG7c6lM6EAYDKNAZ+cv4wWrMA4sAo+DdNkzs8sDSv8Jw1AXGRuOTzQ</ds:X509Certificate></ds:X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_f28f92be-9cc4-44df-bfa0-4245434f9d00" IssueInstant="2023-05-10T01:17:32.632Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">fumieval@herpdev.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id63a9912a51445aa4d4ec3dbf2aada166" NotOnOrAfter="2023-05-10T02:17:32.563Z" Recipient="https://loopback.ja-sore.de:3443/auth/page/saml2/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-05-10T01:12:32.563Z" NotOnOrAfter="2023-05-10T02:17:32.563Z"><AudienceRestriction><Audience>https://loopback.ja-sore.de:3443/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>b0a63ade-3ec7-4d8b-991f-87eb4336274a</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>552200d7-3516-4d81-8ea1-a87b429f07ef</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>fumieval</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>fumieval@herpdev.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2023-05-09T06:21:17.599Z" SessionIndex="_f28f92be-9cc4-44df-bfa0-4245434f9d00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
diff --git a/tests/data/azuread.crt b/tests/data/azuread.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIC8DCCAdigAwIBAgIQafqoqGZ3HoxNh23cdsDACjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEwMjQwNDM3MzJaFw0yNTEwMjQwNDM3MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIrXrPws5kjzFTAJbXa/pitQ2hZTs9CMOv48iFXJLRRr90GaIUikqbU0X4CL3bewMC0XVBlBQwTGpRIIWbYreZ6lfQYaP/ACGysQ96m2aknH8cUQdlUFCEo94LlzTLqkDf+JWfdBT6AWDS9aLjS/r25HZRUR7xBcdSYOfSEE2UcO8QBH9BvoOD/xBBwAvSo4rjOwr9ZaKAG3Axu7Dh/T2AAE5ZHbCIQEeMEEkofQbexitiTYt0c2CyWdAFoR6MlxEPhWE8sIko62PhDMBMuGu67ZCbBINIVj2CcDr1kBx6OVdgvZYum/A09RRzBTMuFMP2+WG3yCjaUMA3Gn5lpv2QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAO0/TzTx1OQYUTPGwafh2mHzVpc9Hk2LIY+YvV4bbVsUwnuV6HKVr2Sn3uLIUiSE/JjTdjy7KE/1LBN2KNMe7vs67gOIjOODf/LMQJMHqu7oJtZdt1omrpxJH6DkA/YmPGyUOcX7ADLbaw4cf2lTt8Pk97HP+EvAM31ZfjLtgyGDlREeWa/y2wWOHOdeO1CGwvK1BKz9Sdg7bAs7lBSX/1Qp8pnnOJb/2wNuc9vw6p5UCEFvlAzGyRRLPZfDiazDzTznTyYDPupzJ5pic3rcogzCGQGUWW5dGG7c6lM6EAYDKNAZ+cv4wWrMA4sAo+DdNkzs8sDSv8Jw1AXGRuOTzQ
+-----END CERTIFICATE-----
diff --git a/tests/data/okta-attributes.xml b/tests/data/okta-attributes.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://panemagi.beta.ja-sore.de/authn/sso" ID="id92549195330378941022989346" IssueInstant="2023-06-16T06:42:44.371Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk5qcxp4hc3aXlST697</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id92549195330378941022989346"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>yE2k0Ez50kHpdaFnQdGIYs/fT18JtldMOhsgMfdBQ7c=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PNuTkyHJKBlO0ZE53J/CicLGmSmDQK4RfIkMZyzDJHdtN2FOrLaMKYUIZIMt5dZsUGlRNe+p5b8TsMLzp+LQyf72JkrAtfoqin3TQXWJlxffW+ZkloWsyVxG/Prvox7PhgHgZDZDDCAdTPPLsLosCaptuC3m06DvEuSq7+p5UPtRqbkBaFEb27fe3NKGoGnOcBFZ/Le/ExJQ7thvB3RyvZk5RwVQ1R2M2jCLuZ5jlsc4FogRJ9V0tqj/PVxPK5fhhgnZbsZr3yNS8nWJNAIWwRt6sHEUKi5CrWUG5TuN9Hp/+kSbR7b0Ge1JKV1jZAUodeqzZ06luXipwIqBwV0Y2g==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDoDCCAoigAwIBAgIGAYiKK3aGMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxETAPBgNVBAMMCGhlcnAtaW5jMRwwGgYJKoZIhvcNAQkBFg1p
+bmZvQG9rdGEuY29tMB4XDTIzMDYwNTA2MDcwNFoXDTMzMDYwNTA2MDgwNFowgZAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK
+DARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjERMA8GA1UEAwwIaGVycC1pbmMxHDAaBgkqhkiG
+9w0BCQEWDWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2YKQa
+PDrssVNqBokKyT77wYUlXKkTnHNtbD1rdXhiIGTszmxmF/NuzLfS1TMvzqiMnpbAwswTnNMF6sx2
+M/gl9tWpL6OF4MvCQf78LvzyTOKvghojJkpE65XbkB4HETpOKYlXhvwwbCG4rskMqtFEosM2dxY6
+KWUPAJyL0Z9hpqavvq6Ct8nAjZxHCKFQGcYfCfMXxI55/+xYuetHHo4BTj417FGLvHBgJkgYsc//
+KRPzC1rPkTjIGn8hlmnGfkZ7srp+UGrewhlPvj6rZVkrgQdL6PTqXvwbe7XHOKjt79vPfGZBp/jq
+FRwKTO1fbvGWzF2/vIJFuR90p4a90x6pAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGOKuxgCynAU
+YU5oX19FiXrITcj3/XmdWZ2yTF72T0a4edhiKM0E0adcywxplllihSQV75k90Z+fmVREHFU+WacC
+s9X8WdBkuZFH94Mgd1o2yXvFoZsbu4U1awNsgVpzKMsE7tSNScp2adz0JoU7oXqojiX90ED7m0bW
+veEoVep+q6qc1kymA+mw9N42vEUOAN0i7ZD7SFtx2F9/yQGZt9egdr1NtLh6/pRw+wjyCjWQAGqW
+dR4LKvZeoxejw3h3NOPt/lcImoEOPzrmNgZe6PXaTVG5NB9RmUuhM28DlofFP5z+8LraE4zvVxNn
+Kw4QKKQWq+GelzAysM/94owvTA0=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="id92549195332235481708587333" IssueInstant="2023-06-16T06:42:44.371Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk5qcxp4hc3aXlST697</saml2:Issuer><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">hiroqn@herp.co.jp</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2023-06-16T06:47:44.372Z" Recipient="https://panemagi.beta.ja-sore.de/authn/sso"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2023-06-16T06:37:44.372Z" NotOnOrAfter="2023-06-16T06:47:44.372Z"><saml2:AudienceRestriction><saml2:Audience>panemagi.beta.ja-sore.de</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2023-06-16T05:44:30.782Z" SessionIndex="id1686897764193.2050463806"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">netwalk</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">hiroqn</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">hiroqn@herp.co.jp</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">panemagi_access</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<samlp:Response ID="_c082940d-31cf-40a2-a581-2a7af122e7e5" Version="2.0" IssueInstant="2023-05-09T15:45:24.293Z" Destination="https://loopback.ja-sore.de:3443/auth/page/saml2/login" InResponseTo="id23dffd06a31f7ad10975c9c893bf8668" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_7dd71b79-0320-4c6b-b524-72f6993d8100" IssueInstant="2023-05-09T15:45:24.288Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_7dd71b79-0320-4c6b-b524-72f6993d8100"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SkxHylilOD37KOxJT4V0YLIsL3W3AYHWM+iIZHmbukc=</DigestValue></Reference></SignedInfo><SignatureValue>EIg22vtTqnEhiwE3HYruwnWOTKQjs57aQSqeq4gnLV7yoqQw0jjPWkkGTto2/0TeHWomX58Gj2MDNCRjlwid2jQuy6jZQW2+wDBurElVAO7trcxrX48EaKnG9ZPh/1++40O1l970zVzSRwknFvnOHpghWQsib9NadrRWB6/ZbmwpVhCfYYAcfu8z/o8TdQQtE66I2dr6YD8kAPbBe/vEeHBVPycaZj+8fqia5sIpGBUnH7rTvaTnzBHol1zg1YYyK8O53p7baQaQQ8WEZ4agBNjtHeJGbo2bP8uvO14FnoVoUQqDATJKkDHq5rM+6tQ0RvZgSP6jjKoiw5pfchedpQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQafqoqGZ3HoxNh23cdsDACjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEwMjQwNDM3MzJaFw0yNTEwMjQwNDM3MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIrXrPws5kjzFTAJbXa/pitQ2hZTs9CMOv48iFXJLRRr90GaIUikqbU0X4CL3bewMC0XVBlBQwTGpRIIWbYreZ6lfQYaP/ACGysQ96m2aknH8cUQdlUFCEo94LlzTLqkDf+JWfdBT6AWDS9aLjS/r25HZRUR7xBcdSYOfSEE2UcO8QBH9BvoOD/xBBwAvSo4rjOwr9ZaKAG3Axu7Dh/T2AAE5ZHbCIQEeMEEkofQbexitiTYt0c2CyWdAFoR6MlxEPhWE8sIko62PhDMBMuGu67ZCbBINIVj2CcDr1kBx6OVdgvZYum/A09RRzBTMuFMP2+WG3yCjaUMA3Gn5lpv2QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAO0/TzTx1OQYUTPGwafh2mHzVpc9Hk2LIY+YvV4bbVsUwnuV6HKVr2Sn3uLIUiSE/JjTdjy7KE/1LBN2KNMe7vs67gOIjOODf/LMQJMHqu7oJtZdt1omrpxJH6DkA/YmPGyUOcX7ADLbaw4cf2lTt8Pk97HP+EvAM31ZfjLtgyGDlREeWa/y2wWOHOdeO1CGwvK1BKz9Sdg7bAs7lBSX/1Qp8pnnOJb/2wNuc9vw6p5UCEFvlAzGyRRLPZfDiazDzTznTyYDPupzJ5pic3rcogzCGQGUWW5dGG7c6lM6EAYDKNAZ+cv4wWrMA4sAo+DdNkzs8sDSv8Jw1AXGRuOTzQ</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">fumieval@herpdev.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id23dffd06a31f7ad10975c9c893bf8668" NotOnOrAfter="2023-05-09T16:45:24.198Z" Recipient="https://loopback.ja-sore.de:3443/auth/page/saml2/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-05-09T15:40:24.198Z" NotOnOrAfter="2023-05-09T16:45:24.198Z"><AudienceRestriction><Audience>https://loopback.ja-sore.de:3443/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>b0a63ade-3ec7-4d8b-991f-87eb4336274a</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>552200d7-3516-4d81-8ea1-a87b429f07ef</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>fumieval</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>fumieval@herpdev.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2023-05-09T06:21:17.599Z" SessionIndex="_7dd71b79-0320-4c6b-b524-72f6993d8100"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<samlp:Response ID="_3276aca6-caa4-4e08-843a-f03eeafde126" Version="2.0" IssueInstant="2023-05-10T01:17:32.634Z" Destination="https://loopback.ja-sore.de:3443/auth/page/saml2/login" InResponseTo="id63a9912a51445aa4d4ec3dbf2aada166" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_3276aca6-caa4-4e08-843a-f03eeafde126"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>smKor6LEHK0P+AlWTo7tPay67uUlbAe+ab0i9SrP6l8=</DigestValue></Reference></SignedInfo><SignatureValue>naCN4lVR8RyqmLg4k0xjV2iM3mauBfBvswhJC/y2ikUf/i61WnOzmwI6+71yM8KSWCwiclQeUdgQf1ZHlNUlqub/ovaHQw6h5PN5wNSxDXp1O/YJ7Mh+JgcIAqKS5lQyes0LO1KAIukEShcla1ml4CnnzEjVQl7dBDsmwu3hRmkYSOeLCh1Ln0kCclG1W5IFJiDd2IJLoomUGvUq3Ei5sS/dFCRgPizu8IdFYjAvo51WwFDJGMVJLFnfo/xf+FctUt9MWMtOJ4X0J2RefLgyAVyT9NFzQWMOEBPXHinHfmWp9bI1DtQz4UZJnwJW1IizNlKpdE0Yt8j0FqvmAFHwOA==</SignatureValue><KeyInfo><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Certificate>MIIC8DCCAdigAwIBAgIQafqoqGZ3HoxNh23cdsDACjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMjEwMjQwNDM3MzJaFw0yNTEwMjQwNDM3MzJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuIrXrPws5kjzFTAJbXa/pitQ2hZTs9CMOv48iFXJLRRr90GaIUikqbU0X4CL3bewMC0XVBlBQwTGpRIIWbYreZ6lfQYaP/ACGysQ96m2aknH8cUQdlUFCEo94LlzTLqkDf+JWfdBT6AWDS9aLjS/r25HZRUR7xBcdSYOfSEE2UcO8QBH9BvoOD/xBBwAvSo4rjOwr9ZaKAG3Axu7Dh/T2AAE5ZHbCIQEeMEEkofQbexitiTYt0c2CyWdAFoR6MlxEPhWE8sIko62PhDMBMuGu67ZCbBINIVj2CcDr1kBx6OVdgvZYum/A09RRzBTMuFMP2+WG3yCjaUMA3Gn5lpv2QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAO0/TzTx1OQYUTPGwafh2mHzVpc9Hk2LIY+YvV4bbVsUwnuV6HKVr2Sn3uLIUiSE/JjTdjy7KE/1LBN2KNMe7vs67gOIjOODf/LMQJMHqu7oJtZdt1omrpxJH6DkA/YmPGyUOcX7ADLbaw4cf2lTt8Pk97HP+EvAM31ZfjLtgyGDlREeWa/y2wWOHOdeO1CGwvK1BKz9Sdg7bAs7lBSX/1Qp8pnnOJb/2wNuc9vw6p5UCEFvlAzGyRRLPZfDiazDzTznTyYDPupzJ5pic3rcogzCGQGUWW5dGG7c6lM6EAYDKNAZ+cv4wWrMA4sAo+DdNkzs8sDSv8Jw1AXGRuOTzQ</ds:X509Certificate></ds:X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_f28f92be-9cc4-44df-bfa0-4245434f9d00" IssueInstant="2023-05-10T01:17:32.632Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">fumieval@herpdev.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="id63a9912a51445aa4d4ec3dbf2aada166" NotOnOrAfter="2023-05-10T02:17:32.563Z" Recipient="https://loopback.ja-sore.de:3443/auth/page/saml2/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-05-10T01:12:32.563Z" NotOnOrAfter="2023-05-10T02:17:32.563Z"><AudienceRestriction><Audience>https://loopback.ja-sore.de:3443/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>b0a63ade-3ec7-4d8b-991f-87eb4336274a</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>552200d7-3516-4d81-8ea1-a87b429f07ef</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>fumieval</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/b0a63ade-3ec7-4d8b-991f-87eb4336274a/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>fumieval@herpdev.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2023-05-09T06:21:17.599Z" SessionIndex="_f28f92be-9cc4-44df-bfa0-4245434f9d00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>