ruby-saml 1.4.2 → 1.4.3

data/test/settings_test.rb

@@ -11,8 +11,9 @@ class SettingsTest < Minitest::Test
 
     it "should provide getters and settings" do
       accessors = [
-        :idp_entity_id, :idp_sso_target_url, :idp_slo_target_url, :idp_cert, :idp_cert_fingerprint, :idp_cert_fingerprint_algorithm, :idp_attribute_names,
-        :issuer, :assertion_consumer_service_url, :assertion_consumer_service_binding,
+        :idp_entity_id, :idp_sso_target_url, :idp_slo_target_url,
+        :idp_cert, :idp_cert_fingerprint, :idp_cert_fingerprint_algorithm, :idp_cert_multi,
+        :idp_attribute_names, :issuer, :assertion_consumer_service_url, :assertion_consumer_service_binding,
         :single_logout_service_url, :single_logout_service_binding,
         :sp_name_qualifier, :name_identifier_format, :name_identifier_value,
         :sessionindex, :attributes_index, :passive, :force_authn,
@@ -52,7 +53,6 @@ class SettingsTest < Minitest::Test
     end
 
     it "configure attribute service attributes correctly" do
-      @settings = OneLogin::RubySaml::Settings.new
       @settings.attribute_consuming_service.configure do
         service_name "Test Service"
         add_attribute :name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name"
@@ -79,37 +79,34 @@ class SettingsTest < Minitest::Test
 
     describe "#single_logout_service_url" do
       it "when single_logout_service_url is nil but assertion_consumer_logout_service_url returns its value" do
-        settings.single_logout_service_url = nil
-        settings.assertion_consumer_logout_service_url = "http://app.muda.no/sls"
+        @settings.single_logout_service_url = nil
+        @settings.assertion_consumer_logout_service_url = "http://app.muda.no/sls"
 
-        assert_equal "http://app.muda.no/sls", settings.single_logout_service_url
+        assert_equal "http://app.muda.no/sls", @settings.single_logout_service_url
       end
     end
 
     describe "#single_logout_service_binding" do
       it "when single_logout_service_binding is nil but assertion_consumer_logout_service_binding returns its value" do
-        settings.single_logout_service_binding = nil
-        settings.assertion_consumer_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        @settings.single_logout_service_binding = nil
+        @settings.assertion_consumer_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 
-        assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", settings.single_logout_service_binding
+        assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.single_logout_service_binding
       end
     end    
 
     describe "#get_idp_cert" do
       it "returns nil when the cert is an empty string" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert = ""
         assert_nil @settings.get_idp_cert
       end
 
       it "returns nil when the cert is nil" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert = nil
         assert_nil @settings.get_idp_cert
       end
 
       it "returns the certificate when it is valid" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert = ruby_saml_cert_text
         assert @settings.get_idp_cert.kind_of? OpenSSL::X509::Certificate
       end
@@ -123,21 +120,88 @@ class SettingsTest < Minitest::Test
       end
     end
 
+    describe "#get_idp_cert_multi" do
+      it "returns nil when the value is empty" do
+        @settings.idp_cert = {}
+        assert_nil @settings.get_idp_cert_multi
+      end
+
+      it "returns nil when the idp_cert_multi is nil or empty" do
+        @settings.idp_cert_multi = nil
+        assert_nil @settings.get_idp_cert_multi
+      end
+
+      it "returns partial hash when contains some values" do
+        empty_multi = {
+          :signing => [],
+          :encryption => []
+        }
+
+        @settings.idp_cert_multi = {
+          :signing => []
+        }
+        assert_equal empty_multi, @settings.get_idp_cert_multi
+
+        @settings.idp_cert_multi = {
+          :encryption => []
+        }
+        assert_equal empty_multi, @settings.get_idp_cert_multi
+
+        @settings.idp_cert_multi = {
+          :signing => [],
+          :encryption => []
+        }
+        assert_equal empty_multi, @settings.get_idp_cert_multi
+
+        @settings.idp_cert_multi = {
+          :yyy => [],
+          :zzz => []
+        }
+        assert_equal empty_multi, @settings.get_idp_cert_multi
+      end
+
+      it "returns the hash with certificates when values were valid" do
+        certificates = ruby_saml_cert_text
+        @settings.idp_cert_multi = {
+          :signing => [ruby_saml_cert_text],
+          :encryption => [ruby_saml_cert_text],
+        }
+
+        assert @settings.get_idp_cert_multi.kind_of? Hash
+        assert @settings.get_idp_cert_multi[:signing].kind_of? Array
+        assert @settings.get_idp_cert_multi[:encryption].kind_of? Array        
+        assert @settings.get_idp_cert_multi[:signing][0].kind_of? OpenSSL::X509::Certificate
+        assert @settings.get_idp_cert_multi[:encryption][0].kind_of? OpenSSL::X509::Certificate
+      end
+
+      it "raises when there is a cert in idp_cert_multi not valid" do
+        certificate = read_certificate("formatted_certificate")
+
+        @settings.idp_cert_multi = {
+          :signing => [],
+          :encryption => []
+        }
+        @settings.idp_cert_multi[:signing].push(certificate)
+        @settings.idp_cert_multi[:encryption].push(certificate)
+
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_idp_cert_multi
+        }
+      end
+    end
+
     describe "#get_sp_cert" do
       it "returns nil when the cert is an empty string" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.certificate = ""
         assert_nil @settings.get_sp_cert
       end
 
       it "returns nil when the cert is nil" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.certificate = nil
         assert_nil @settings.get_sp_cert
       end
 
       it "returns the certificate when it is valid" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.certificate = ruby_saml_cert_text
         assert @settings.get_sp_cert.kind_of? OpenSSL::X509::Certificate
       end
@@ -152,21 +216,44 @@ class SettingsTest < Minitest::Test
 
     end
 
+    describe "#get_sp_cert_new" do
+      it "returns nil when the cert is an empty string" do
+        @settings.certificate_new = ""
+        assert_nil @settings.get_sp_cert_new
+      end
+
+      it "returns nil when the cert is nil" do
+        @settings.certificate_new = nil
+        assert_nil @settings.get_sp_cert_new
+      end
+
+      it "returns the certificate when it is valid" do
+        @settings.certificate_new = ruby_saml_cert_text
+        assert @settings.get_sp_cert_new.kind_of? OpenSSL::X509::Certificate
+      end
+
+      it "raises when the certificate is not valid" do
+        # formatted but invalid cert
+        @settings.certificate_new = read_certificate("formatted_certificate")
+        assert_raises(OpenSSL::X509::CertificateError) {
+          @settings.get_sp_cert_new
+        }
+      end
+
+    end
+
     describe "#get_sp_key" do
       it "returns nil when the private key is an empty string" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.private_key = ""
         assert_nil @settings.get_sp_key
       end
 
       it "returns nil when the private key is nil" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.private_key = nil
         assert_nil @settings.get_sp_key
       end
 
       it "returns the private key when it is valid" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.private_key = ruby_saml_key_text
         assert @settings.get_sp_key.kind_of? OpenSSL::PKey::RSA
       end
@@ -183,7 +270,6 @@ class SettingsTest < Minitest::Test
 
     describe "#get_fingerprint" do
       it "get the fingerprint value when cert and fingerprint in settings are nil" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert_fingerprint = nil
         @settings.idp_cert = nil
         fingerprint = @settings.get_fingerprint
@@ -191,7 +277,6 @@ class SettingsTest < Minitest::Test
       end
 
       it "get the fingerprint value when there is a cert at the settings" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert_fingerprint = nil
         @settings.idp_cert = ruby_saml_cert_text
         fingerprint = @settings.get_fingerprint
@@ -199,7 +284,6 @@ class SettingsTest < Minitest::Test
       end
 
       it "get the fingerprint value when there is a fingerprint at the settings" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
         @settings.idp_cert = nil
         fingerprint = @settings.get_fingerprint
@@ -207,7 +291,6 @@ class SettingsTest < Minitest::Test
       end
 
       it "get the fingerprint value when there are cert and fingerprint at the settings" do
-        @settings = OneLogin::RubySaml::Settings.new
         @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
         @settings.idp_cert = ruby_saml_cert_text
         fingerprint = @settings.get_fingerprint

data/test/slo_logoutrequest_test.rb

@@ -247,6 +247,31 @@ class RubySamlTest < Minitest::Test
         settings.idp_cert = ruby_saml_cert_text
       end
 
+      it "return true when no idp_cert is provided and option :relax_signature_validation is present" do
+        settings.idp_cert = nil
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params['RelayState'] = params[:RelayState]
+        options = {}
+        options[:get_params] = params
+        options[:relax_signature_validation] = true
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        logout_request_sign_test.settings = settings
+        assert logout_request_sign_test.send(:validate_signature)
+      end
+
+      it "return false when no idp_cert is provided and no option :relax_signature_validation is present" do
+        settings.idp_cert = nil
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params['RelayState'] = params[:RelayState]
+        options = {}
+        options[:get_params] = params
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        logout_request_sign_test.settings = settings
+        assert !logout_request_sign_test.send(:validate_signature)
+      end
+
       it "return true when valid RSA_SHA1 Signature" do
         settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
         params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
@@ -298,5 +323,46 @@ class RubySamlTest < Minitest::Test
         end
       end
     end
+
+    describe "#validate_signature with multiple idp certs" do
+      before do
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+        settings.idp_cert = nil
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = false
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+      end
+
+      it "return true when at least a idp_cert is valid" do
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params['RelayState'] = params[:RelayState]
+        options = {}
+        options[:get_params] = params
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        settings.idp_cert_multi = {
+          :signing => [ruby_saml_cert_text2, ruby_saml_cert_text],
+          :encryption => []
+        }
+        logout_request_sign_test.settings = settings
+        assert logout_request_sign_test.send(:validate_signature)
+      end
+
+      it "return false when none cert on idp_cert_multi is valid" do
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params['RelayState'] = params[:RelayState]
+        options = {}
+        options[:get_params] = params
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
+        settings.idp_cert_multi = {
+          :signing => [ruby_saml_cert_text2, ruby_saml_cert_text2],
+          :encryption => []
+        }
+        logout_request_sign_test.settings = settings
+        assert !logout_request_sign_test.send(:validate_signature)
+      end
+    end
   end
 end

data/test/test_helper.rb

@@ -129,7 +129,7 @@ class Minitest::Test
   end
 
   def unsigned_message_encrypted_unsigned_assertion
-    @unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))    
+    @unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))
   end
 
   def response_document_encrypted_attrs
@@ -150,8 +150,20 @@ class Minitest::Test
     @certificate_without_head_foot ||= read_certificate("certificate_without_head_foot")
   end
 
-  def idp_metadata
-    @idp_metadata ||= read_response("idp_descriptor.xml")
+  def idp_metadata_descriptor
+    @idp_metadata_descriptor ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor.xml'))
+  end
+
+  def idp_metadata_descriptor2
+    @idp_metadata_descriptor2 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_2.xml'))
+  end
+
+  def idp_metadata_descriptor3
+    @idp_metadata_descriptor3 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_3.xml'))
+  end
+
+  def idp_metadata_multiple_descriptors
+    @idp_metadata_multiple_descriptors ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_multiple_descriptors.xml'))
   end
 
   def logout_request_document
@@ -188,6 +200,10 @@ class Minitest::Test
     @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
   end
 
+  def ruby_saml_cert2
+    @ruby_saml_cert2 ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text2)
+  end
+
   def ruby_saml_cert_fingerprint
     @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
   end
@@ -196,6 +212,10 @@ class Minitest::Test
     read_certificate("ruby-saml.crt")
   end
 
+  def ruby_saml_cert_text2
+    read_certificate("ruby-saml-2.crt")
+  end
+
   def ruby_saml_key
     @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.4.3
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-11 00:00:00.000000000 Z
+date: 2017-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -201,6 +201,7 @@ files:
 - test/certificates/invalid_rsa_private_key1
 - test/certificates/invalid_rsa_private_key2
 - test/certificates/invalid_rsa_private_key3
+- test/certificates/ruby-saml-2.crt
 - test/certificates/ruby-saml.crt
 - test/certificates/ruby-saml.key
 - test/idp_metadata_parser_test.rb
@@ -213,6 +214,10 @@ files:
 - test/logout_responses/logoutresponse_fixtures.rb
 - test/logoutrequest_test.rb
 - test/logoutresponse_test.rb
+- test/metadata/idp_descriptor.xml
+- test/metadata/idp_descriptor_2.xml
+- test/metadata/idp_descriptor_3.xml
+- test/metadata/idp_multiple_descriptors.xml
 - test/metadata_test.rb
 - test/request_test.rb
 - test/response_test.rb
@@ -222,7 +227,6 @@ files:
 - test/responses/adfs_response_sha512.xml
 - test/responses/adfs_response_xmlns.xml
 - test/responses/attackxee.xml
-- test/responses/idp_descriptor.xml
 - test/responses/invalids/duplicated_attributes.xml.base64
 - test/responses/invalids/empty_destination.xml.base64
 - test/responses/invalids/empty_nameid.xml.base64
@@ -323,7 +327,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.2.2
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
@@ -342,6 +346,7 @@ test_files:
 - test/certificates/invalid_rsa_private_key1
 - test/certificates/invalid_rsa_private_key2
 - test/certificates/invalid_rsa_private_key3
+- test/certificates/ruby-saml-2.crt
 - test/certificates/ruby-saml.crt
 - test/certificates/ruby-saml.key
 - test/idp_metadata_parser_test.rb
@@ -354,6 +359,10 @@ test_files:
 - test/logout_responses/logoutresponse_fixtures.rb
 - test/logoutrequest_test.rb
 - test/logoutresponse_test.rb
+- test/metadata/idp_descriptor.xml
+- test/metadata/idp_descriptor_2.xml
+- test/metadata/idp_descriptor_3.xml
+- test/metadata/idp_multiple_descriptors.xml
 - test/metadata_test.rb
 - test/request_test.rb
 - test/response_test.rb
@@ -363,7 +372,6 @@ test_files:
 - test/responses/adfs_response_sha512.xml
 - test/responses/adfs_response_xmlns.xml
 - test/responses/attackxee.xml
-- test/responses/idp_descriptor.xml
 - test/responses/invalids/duplicated_attributes.xml.base64
 - test/responses/invalids/empty_destination.xml.base64
 - test/responses/invalids/empty_nameid.xml.base64

data/test/responses/idp_descriptor.xml

@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<md:EntityDescriptor entityID="https://example.hello.com/access/saml/idp.xml" validUntil="2014-04-17T18:02:33.910Z" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/logout" ResponseLocation="https://example.hello.com/access/saml/logout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/login"/><saml:Attribute Name="AuthToken" NameFormat="urn:oasis:names:tc:SAML:2.0:att rname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/><saml:Attribute Name="SSOStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></md:IDPSSODescriptor></md:EntityDescriptor>