ruby-saml 1.4.2 → 1.4.3


Potentially problematic release.



@@ -11,8 +11,9 @@ class SettingsTest < Minitest::Test
11
11
 
12
12
  it "should provide getters and settings" do
13
13
  accessors = [
14
- :idp_entity_id, :idp_sso_target_url, :idp_slo_target_url, :idp_cert, :idp_cert_fingerprint, :idp_cert_fingerprint_algorithm, :idp_attribute_names,
15
- :issuer, :assertion_consumer_service_url, :assertion_consumer_service_binding,
14
+ :idp_entity_id, :idp_sso_target_url, :idp_slo_target_url,
15
+ :idp_cert, :idp_cert_fingerprint, :idp_cert_fingerprint_algorithm, :idp_cert_multi,
16
+ :idp_attribute_names, :issuer, :assertion_consumer_service_url, :assertion_consumer_service_binding,
16
17
  :single_logout_service_url, :single_logout_service_binding,
17
18
  :sp_name_qualifier, :name_identifier_format, :name_identifier_value,
18
19
  :sessionindex, :attributes_index, :passive, :force_authn,
@@ -52,7 +53,6 @@ class SettingsTest < Minitest::Test
52
53
  end
53
54
 
54
55
  it "configure attribute service attributes correctly" do
55
- @settings = OneLogin::RubySaml::Settings.new
56
56
  @settings.attribute_consuming_service.configure do
57
57
  service_name "Test Service"
58
58
  add_attribute :name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name"
@@ -79,37 +79,34 @@ class SettingsTest < Minitest::Test
79
79
 
80
80
  describe "#single_logout_service_url" do
81
81
  it "when single_logout_service_url is nil but assertion_consumer_logout_service_url returns its value" do
82
- settings.single_logout_service_url = nil
83
- settings.assertion_consumer_logout_service_url = "http://app.muda.no/sls"
82
+ @settings.single_logout_service_url = nil
83
+ @settings.assertion_consumer_logout_service_url = "http://app.muda.no/sls"
84
84
 
85
- assert_equal "http://app.muda.no/sls", settings.single_logout_service_url
85
+ assert_equal "http://app.muda.no/sls", @settings.single_logout_service_url
86
86
  end
87
87
  end
88
88
 
89
89
  describe "#single_logout_service_binding" do
90
90
  it "when single_logout_service_binding is nil but assertion_consumer_logout_service_binding returns its value" do
91
- settings.single_logout_service_binding = nil
92
- settings.assertion_consumer_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
91
+ @settings.single_logout_service_binding = nil
92
+ @settings.assertion_consumer_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
93
93
 
94
- assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", settings.single_logout_service_binding
94
+ assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.single_logout_service_binding
95
95
  end
96
96
  end
97
97
 
98
98
  describe "#get_idp_cert" do
99
99
  it "returns nil when the cert is an empty string" do
100
- @settings = OneLogin::RubySaml::Settings.new
101
100
  @settings.idp_cert = ""
102
101
  assert_nil @settings.get_idp_cert
103
102
  end
104
103
 
105
104
  it "returns nil when the cert is nil" do
106
- @settings = OneLogin::RubySaml::Settings.new
107
105
  @settings.idp_cert = nil
108
106
  assert_nil @settings.get_idp_cert
109
107
  end
110
108
 
111
109
  it "returns the certificate when it is valid" do
112
- @settings = OneLogin::RubySaml::Settings.new
113
110
  @settings.idp_cert = ruby_saml_cert_text
114
111
  assert @settings.get_idp_cert.kind_of? OpenSSL::X509::Certificate
115
112
  end
@@ -123,21 +120,88 @@ class SettingsTest < Minitest::Test
123
120
  end
124
121
  end
125
122
 
123
+ describe "#get_idp_cert_multi" do
124
+ it "returns nil when the value is empty" do
125
+ @settings.idp_cert = {}
126
+ assert_nil @settings.get_idp_cert_multi
127
+ end
128
+
129
+ it "returns nil when the idp_cert_multi is nil or empty" do
130
+ @settings.idp_cert_multi = nil
131
+ assert_nil @settings.get_idp_cert_multi
132
+ end
133
+
134
+ it "returns partial hash when contains some values" do
135
+ empty_multi = {
136
+ :signing => [],
137
+ :encryption => []
138
+ }
139
+
140
+ @settings.idp_cert_multi = {
141
+ :signing => []
142
+ }
143
+ assert_equal empty_multi, @settings.get_idp_cert_multi
144
+
145
+ @settings.idp_cert_multi = {
146
+ :encryption => []
147
+ }
148
+ assert_equal empty_multi, @settings.get_idp_cert_multi
149
+
150
+ @settings.idp_cert_multi = {
151
+ :signing => [],
152
+ :encryption => []
153
+ }
154
+ assert_equal empty_multi, @settings.get_idp_cert_multi
155
+
156
+ @settings.idp_cert_multi = {
157
+ :yyy => [],
158
+ :zzz => []
159
+ }
160
+ assert_equal empty_multi, @settings.get_idp_cert_multi
161
+ end
162
+
163
+ it "returns the hash with certificates when values were valid" do
164
+ certificates = ruby_saml_cert_text
165
+ @settings.idp_cert_multi = {
166
+ :signing => [ruby_saml_cert_text],
167
+ :encryption => [ruby_saml_cert_text],
168
+ }
169
+
170
+ assert @settings.get_idp_cert_multi.kind_of? Hash
171
+ assert @settings.get_idp_cert_multi[:signing].kind_of? Array
172
+ assert @settings.get_idp_cert_multi[:encryption].kind_of? Array
173
+ assert @settings.get_idp_cert_multi[:signing][0].kind_of? OpenSSL::X509::Certificate
174
+ assert @settings.get_idp_cert_multi[:encryption][0].kind_of? OpenSSL::X509::Certificate
175
+ end
176
+
177
+ it "raises when there is a cert in idp_cert_multi not valid" do
178
+ certificate = read_certificate("formatted_certificate")
179
+
180
+ @settings.idp_cert_multi = {
181
+ :signing => [],
182
+ :encryption => []
183
+ }
184
+ @settings.idp_cert_multi[:signing].push(certificate)
185
+ @settings.idp_cert_multi[:encryption].push(certificate)
186
+
187
+ assert_raises(OpenSSL::X509::CertificateError) {
188
+ @settings.get_idp_cert_multi
189
+ }
190
+ end
191
+ end
192
+
126
193
  describe "#get_sp_cert" do
127
194
  it "returns nil when the cert is an empty string" do
128
- @settings = OneLogin::RubySaml::Settings.new
129
195
  @settings.certificate = ""
130
196
  assert_nil @settings.get_sp_cert
131
197
  end
132
198
 
133
199
  it "returns nil when the cert is nil" do
134
- @settings = OneLogin::RubySaml::Settings.new
135
200
  @settings.certificate = nil
136
201
  assert_nil @settings.get_sp_cert
137
202
  end
138
203
 
139
204
  it "returns the certificate when it is valid" do
140
- @settings = OneLogin::RubySaml::Settings.new
141
205
  @settings.certificate = ruby_saml_cert_text
142
206
  assert @settings.get_sp_cert.kind_of? OpenSSL::X509::Certificate
143
207
  end
@@ -152,21 +216,44 @@ class SettingsTest < Minitest::Test
152
216
 
153
217
  end
154
218
 
219
+ describe "#get_sp_cert_new" do
220
+ it "returns nil when the cert is an empty string" do
221
+ @settings.certificate_new = ""
222
+ assert_nil @settings.get_sp_cert_new
223
+ end
224
+
225
+ it "returns nil when the cert is nil" do
226
+ @settings.certificate_new = nil
227
+ assert_nil @settings.get_sp_cert_new
228
+ end
229
+
230
+ it "returns the certificate when it is valid" do
231
+ @settings.certificate_new = ruby_saml_cert_text
232
+ assert @settings.get_sp_cert_new.kind_of? OpenSSL::X509::Certificate
233
+ end
234
+
235
+ it "raises when the certificate is not valid" do
236
+ # formatted but invalid cert
237
+ @settings.certificate_new = read_certificate("formatted_certificate")
238
+ assert_raises(OpenSSL::X509::CertificateError) {
239
+ @settings.get_sp_cert_new
240
+ }
241
+ end
242
+
243
+ end
244
+
155
245
  describe "#get_sp_key" do
156
246
  it "returns nil when the private key is an empty string" do
157
- @settings = OneLogin::RubySaml::Settings.new
158
247
  @settings.private_key = ""
159
248
  assert_nil @settings.get_sp_key
160
249
  end
161
250
 
162
251
  it "returns nil when the private key is nil" do
163
- @settings = OneLogin::RubySaml::Settings.new
164
252
  @settings.private_key = nil
165
253
  assert_nil @settings.get_sp_key
166
254
  end
167
255
 
168
256
  it "returns the private key when it is valid" do
169
- @settings = OneLogin::RubySaml::Settings.new
170
257
  @settings.private_key = ruby_saml_key_text
171
258
  assert @settings.get_sp_key.kind_of? OpenSSL::PKey::RSA
172
259
  end
@@ -183,7 +270,6 @@ class SettingsTest < Minitest::Test
183
270
 
184
271
  describe "#get_fingerprint" do
185
272
  it "get the fingerprint value when cert and fingerprint in settings are nil" do
186
- @settings = OneLogin::RubySaml::Settings.new
187
273
  @settings.idp_cert_fingerprint = nil
188
274
  @settings.idp_cert = nil
189
275
  fingerprint = @settings.get_fingerprint
@@ -191,7 +277,6 @@ class SettingsTest < Minitest::Test
191
277
  end
192
278
 
193
279
  it "get the fingerprint value when there is a cert at the settings" do
194
- @settings = OneLogin::RubySaml::Settings.new
195
280
  @settings.idp_cert_fingerprint = nil
196
281
  @settings.idp_cert = ruby_saml_cert_text
197
282
  fingerprint = @settings.get_fingerprint
@@ -199,7 +284,6 @@ class SettingsTest < Minitest::Test
199
284
  end
200
285
 
201
286
  it "get the fingerprint value when there is a fingerprint at the settings" do
202
- @settings = OneLogin::RubySaml::Settings.new
203
287
  @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
204
288
  @settings.idp_cert = nil
205
289
  fingerprint = @settings.get_fingerprint
@@ -207,7 +291,6 @@ class SettingsTest < Minitest::Test
207
291
  end
208
292
 
209
293
  it "get the fingerprint value when there are cert and fingerprint at the settings" do
210
- @settings = OneLogin::RubySaml::Settings.new
211
294
  @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
212
295
  @settings.idp_cert = ruby_saml_cert_text
213
296
  fingerprint = @settings.get_fingerprint
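Review bot: In the new `#get_idp_cert_multi` block, the example "returns nil when the value is empty" assigns `@settings.idp_cert = {}` instead of `idp_cert_multi`, so the empty-hash path of `get_idp_cert_multi` is never exercised. The assertion presumably passes only because `idp_cert_multi` is still nil. The line should read `@settings.idp_cert_multi = {}`. In the same block, "returns the hash with certificates when values were valid" leaves an unused local, `certificates = ruby_saml_cert_text`, which can be dropped. These hunks also delete every per-example `Settings.new`, so the examples now rely on a `before` hook outside the visible lines to give each one a fresh object; that is worth confirming, since leaked certificate settings between examples would mask failures.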
@@ -247,6 +247,31 @@ class RubySamlTest < Minitest::Test
247
247
  settings.idp_cert = ruby_saml_cert_text
248
248
  end
249
249
 
250
+ it "return true when no idp_cert is provided and option :relax_signature_validation is present" do
251
+ settings.idp_cert = nil
252
+ settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
253
+ params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
254
+ params['RelayState'] = params[:RelayState]
255
+ options = {}
256
+ options[:get_params] = params
257
+ options[:relax_signature_validation] = true
258
+ logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
259
+ logout_request_sign_test.settings = settings
260
+ assert logout_request_sign_test.send(:validate_signature)
261
+ end
262
+
263
+ it "return false when no idp_cert is provided and no option :relax_signature_validation is present" do
264
+ settings.idp_cert = nil
265
+ settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
266
+ params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
267
+ params['RelayState'] = params[:RelayState]
268
+ options = {}
269
+ options[:get_params] = params
270
+ logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
271
+ logout_request_sign_test.settings = settings
272
+ assert !logout_request_sign_test.send(:validate_signature)
273
+ end
274
+
250
275
  it "return true when valid RSA_SHA1 Signature" do
251
276
  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
252
277
  params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
@@ -298,5 +323,46 @@ class RubySamlTest < Minitest::Test
298
323
  end
299
324
  end
300
325
  end
326
+
327
+ describe "#validate_signature with multiple idp certs" do
328
+ before do
329
+ settings.idp_slo_target_url = "http://example.com?field=value"
330
+ settings.certificate = ruby_saml_cert_text
331
+ settings.private_key = ruby_saml_key_text
332
+ settings.idp_cert = nil
333
+ settings.security[:logout_requests_signed] = true
334
+ settings.security[:embed_sign] = false
335
+ settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
336
+ end
337
+
338
+ it "return true when at least a idp_cert is valid" do
339
+ params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
340
+ params['RelayState'] = params[:RelayState]
341
+ options = {}
342
+ options[:get_params] = params
343
+ logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
344
+ settings.idp_cert_multi = {
345
+ :signing => [ruby_saml_cert_text2, ruby_saml_cert_text],
346
+ :encryption => []
347
+ }
348
+ logout_request_sign_test.settings = settings
349
+ assert logout_request_sign_test.send(:validate_signature)
350
+ end
351
+
352
+ it "return false when none cert on idp_cert_multi is valid" do
353
+ params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
354
+ params['RelayState'] = params[:RelayState]
355
+ options = {}
356
+ options[:get_params] = params
357
+ logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
358
+ settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint
359
+ settings.idp_cert_multi = {
360
+ :signing => [ruby_saml_cert_text2, ruby_saml_cert_text2],
361
+ :encryption => []
362
+ }
363
+ logout_request_sign_test.settings = settings
364
+ assert !logout_request_sign_test.send(:validate_signature)
365
+ end
366
+ end
301
367
  end
302
368
  end
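Review bot: The example "return true when no idp_cert is provided and option :relax_signature_validation is present" pins a fail-open result: with no IdP certificate configured, `validate_signature` is expected to accept the logout request without verifying it. The hunks contain no companion case showing that the option cannot override a failed check, i.e. that a request whose signature does not verify is still rejected when `idp_cert` is set and `options[:relax_signature_validation] = true`. A comment above the example, such as `# relax_signature_validation only applies when no IdP cert is available; it must never turn a failed verification into a pass`, would document the intended boundary. In the multi-cert block, "return false when none cert on idp_cert_multi is valid" also sets `idp_cert_fingerprint` to what appears to be the signing cert's fingerprint, so it is really asserting that `idp_cert_multi` takes precedence over the fingerprint; the example name should say so.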
@@ -129,7 +129,7 @@ class Minitest::Test
129
129
  end
130
130
 
131
131
  def unsigned_message_encrypted_unsigned_assertion
132
- @unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))
132
+ @unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))
133
133
  end
134
134
 
135
135
  def response_document_encrypted_attrs
@@ -150,8 +150,20 @@ class Minitest::Test
150
150
  @certificate_without_head_foot ||= read_certificate("certificate_without_head_foot")
151
151
  end
152
152
 
153
- def idp_metadata
154
- @idp_metadata ||= read_response("idp_descriptor.xml")
153
+ def idp_metadata_descriptor
154
+ @idp_metadata_descriptor ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor.xml'))
155
+ end
156
+
157
+ def idp_metadata_descriptor2
158
+ @idp_metadata_descriptor2 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_2.xml'))
159
+ end
160
+
161
+ def idp_metadata_descriptor3
162
+ @idp_metadata_descriptor3 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_3.xml'))
163
+ end
164
+
165
+ def idp_metadata_multiple_descriptors
166
+ @idp_metadata_multiple_descriptors ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_multiple_descriptors.xml'))
155
167
  end
156
168
 
157
169
  def logout_request_document
@@ -188,6 +200,10 @@ class Minitest::Test
188
200
  @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
189
201
  end
190
202
 
203
+ def ruby_saml_cert2
204
+ @ruby_saml_cert2 ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text2)
205
+ end
206
+
191
207
  def ruby_saml_cert_fingerprint
192
208
  @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
193
209
  end
@@ -196,6 +212,10 @@ class Minitest::Test
196
212
  read_certificate("ruby-saml.crt")
197
213
  end
198
214
 
215
+ def ruby_saml_cert_text2
216
+ read_certificate("ruby-saml-2.crt")
217
+ end
218
+
199
219
  def ruby_saml_key
200
220
  @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
201
221
  end
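Review bot: The four new metadata readers (`idp_metadata_descriptor`, `idp_metadata_descriptor2`, `idp_metadata_descriptor3`, `idp_metadata_multiple_descriptors`) each repeat the same `File.read(File.join(File.dirname(__FILE__), 'metadata', ...))` expression, while the certificate helpers in this file go through `read_certificate`. A small helper in the same style, `def read_metadata(name); File.read(File.join(File.dirname(__FILE__), 'metadata', name)); end`, would keep the fixture directory in one place. The change also removes `idp_metadata` outright, so any caller outside these hunks would now fail with NoMethodError; that cannot be checked from the lines shown.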
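--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: ruby-saml
  version: !ruby/object:Gem::Version
- version: 1.4.2
+ version: 1.4.3
  platform: ruby
  authors:
  - OneLogin LLC
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2017-01-11 00:00:00.000000000 Z
+ date: 2017-05-18 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: nokogiri
@@ -201,6 +201,7 @@ files:
  - test/certificates/invalid_rsa_private_key1
  - test/certificates/invalid_rsa_private_key2
  - test/certificates/invalid_rsa_private_key3
+ - test/certificates/ruby-saml-2.crt
  - test/certificates/ruby-saml.crt
  - test/certificates/ruby-saml.key
  - test/idp_metadata_parser_test.rb
@@ -213,6 +214,10 @@ files:
  - test/logout_responses/logoutresponse_fixtures.rb
  - test/logoutrequest_test.rb
  - test/logoutresponse_test.rb
+ - test/metadata/idp_descriptor.xml
+ - test/metadata/idp_descriptor_2.xml
+ - test/metadata/idp_descriptor_3.xml
+ - test/metadata/idp_multiple_descriptors.xml
  - test/metadata_test.rb
  - test/request_test.rb
  - test/response_test.rb
@@ -222,7 +227,6 @@ files:
  - test/responses/adfs_response_sha512.xml
  - test/responses/adfs_response_xmlns.xml
  - test/responses/attackxee.xml
- - test/responses/idp_descriptor.xml
  - test/responses/invalids/duplicated_attributes.xml.base64
  - test/responses/invalids/empty_destination.xml.base64
  - test/responses/invalids/empty_nameid.xml.base64
@@ -323,7 +327,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project: http://www.rubygems.org/gems/ruby-saml
- rubygems_version: 2.2.2
+ rubygems_version: 2.4.8
  signing_key:
  specification_version: 4
  summary: SAML Ruby Tookit
@@ -342,6 +346,7 @@ test_files:
  - test/certificates/invalid_rsa_private_key1
  - test/certificates/invalid_rsa_private_key2
  - test/certificates/invalid_rsa_private_key3
+ - test/certificates/ruby-saml-2.crt
  - test/certificates/ruby-saml.crt
  - test/certificates/ruby-saml.key
  - test/idp_metadata_parser_test.rb
@@ -354,6 +359,10 @@ test_files:
  - test/logout_responses/logoutresponse_fixtures.rb
  - test/logoutrequest_test.rb
  - test/logoutresponse_test.rb
+ - test/metadata/idp_descriptor.xml
+ - test/metadata/idp_descriptor_2.xml
+ - test/metadata/idp_descriptor_3.xml
+ - test/metadata/idp_multiple_descriptors.xml
  - test/metadata_test.rb
  - test/request_test.rb
  - test/response_test.rb
@@ -363,7 +372,6 @@ test_files:
  - test/responses/adfs_response_sha512.xml
  - test/responses/adfs_response_xmlns.xml
  - test/responses/attackxee.xml
- - test/responses/idp_descriptor.xml
  - test/responses/invalids/duplicated_attributes.xml.base64
  - test/responses/invalids/empty_destination.xml.base64
  - test/responses/invalids/empty_nameid.xml.base64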
@@ -1,3 +0,0 @@
1
- <?xml version="1.0" encoding="UTF-8"?>
2
- <md:EntityDescriptor entityID="https://example.hello.com/access/saml/idp.xml" validUntil="2014-04-17T18:02:33.910Z" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yY
VEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
3
- </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/logout" ResponseLocation="https://example.hello.com/access/saml/logout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/login"/><saml:Attribute Name="AuthToken" NameFormat="urn:oasis:names:tc:SAML:2.0:att rname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/><saml:Attribute Name="SSOStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></md:IDPSSODescriptor></md:EntityDescriptor>