Merge pull request #297 from flant/key_info_retrieval_method

Implement EncryptedKey RetrievalMethod support

Author: pitbulk

lib/onelogin/ruby-saml/utils.rb

@@ -122,15 +122,21 @@ def self.decrypt_data(encrypted_node, private_key)
       # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
       # @return [String] The symmetric key
       def self.retrieve_symmetric_key(encrypt_data, private_key)
-        encrypted_symmetric_key_element = REXML::XPath.first(
+        encrypted_key = REXML::XPath.first(
           encrypt_data,
-          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue",
+          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey or \
+           //xenc:EncryptedKey[@Id=substring-after(//xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod/@URI, '#')]",
+          { "ds" => DSIG, "xenc" => XENC }
+        )
+        encrypted_symmetric_key_element = REXML::XPath.first(
+          encrypted_key,
+          "./xenc:CipherData/xenc:CipherValue",
           { "ds" => DSIG, "xenc" => XENC }
         )
         cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
         encrypt_method = REXML::XPath.first(
-          encrypt_data,
-          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod",
+          encrypted_key,
+          "./xenc:EncryptionMethod",
           {"ds" => DSIG,  "xenc" => XENC }
         )
         algorithm = encrypt_method.attributes['Algorithm']

test/response_test.rb

@@ -668,7 +668,7 @@ class RubySamlTest < Minitest::Test
         assert !response.send(:validate_session_expiration)
         assert_includes response.errors, "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response"
       end
-      
+
       it "returns true when the session has expired, but is still within the allowed_clock_drift" do
         drift = (Time.now - Time.parse("2010-11-19T21:57:37Z")) * 60 # seconds ago that this assertion expired
         drift += 10 # add a buffer of 10 seconds to make sure the test passes
@@ -734,7 +734,7 @@ class RubySamlTest < Minitest::Test
         settings.idp_cert = signature_1
         response_valid_signed_without_x509certificate.settings = settings
         assert !response_valid_signed_without_x509certificate.send(:validate_signature)
-        assert_includes response_valid_signed_without_x509certificate.errors, "Invalid Signature on SAML Response"        
+        assert_includes response_valid_signed_without_x509certificate.errors, "Invalid Signature on SAML Response"
       end
 
       it "return true when no X509Certificate and the cert provided at settings matches" do
@@ -1152,6 +1152,28 @@ class RubySamlTest < Minitest::Test
         assert decrypted.name, "Assertion"
       end
 
+      it "is possible to decrypt the assertion if private key provided and EncryptedKey RetrievalMethod presents in response" do
+        settings.private_key = ruby_saml_key_text
+        resp = read_response('response_with_retrieval_method.xml')
+        response = OneLogin::RubySaml::Response.new(resp, :settings => settings)
+
+        encrypted_assertion_node = REXML::XPath.first(
+          response.document,
+          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+          { "p" => "urn:oasis:names:tc:SAML:2.0:protocol", "a" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        )
+        decrypted = response.send(:decrypt_assertion, encrypted_assertion_node)
+
+        encrypted_assertion_node2 = REXML::XPath.first(
+          decrypted,
+          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+          { "p" => "urn:oasis:names:tc:SAML:2.0:protocol", "a" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        )
+
+        assert_nil encrypted_assertion_node2
+        assert decrypted.name, "Assertion"
+      end
+
       it "is possible to decrypt the assertion if private key but no saml namespace on the Assertion Element that is inside the EncryptedAssertion" do
         unsigned_message_encrypted_assertion_without_saml_namespace = read_response('unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64')
         response = OneLogin::RubySaml::Response.new(unsigned_message_encrypted_assertion_without_saml_namespace, :settings => settings)

test/responses/response_with_retrieval_method.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://sp.example.com/saml/acs" ID="id24448663616025051347254621" InResponseTo="_a20019d0-ccdb-0133-0c29-3888e3304166" IssueInstant="2016-03-15T12:59:11.520Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk4jkh2xxJIrTmGP0x7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id24448663616025051347254621"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>48q4xnELjn82APp25kO4+wAdOCLN3BdNvZP7IGP2yW8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>IisXGT9N0ewlZfvkrfNqqhXHnFkfXG8Z9zIybYIBrJ2WtkBh2gJiEmLGFwnaMyJmDhvrk42jlied6UrxpbZK9jwugJoVsj1CFJ7VHYkqX21yYXs0fwW7xKUvYyMDD0BS6FN96mdM8PD4RUNoxh6UymRs/akwPXCNYZqur2Sz/imEnRjP5SGA8RIpSYpva2vVqzwsDSRMRe2P18LH0fegDxOa81OEClYucSfvtZwgHopsSL3d+KsOH5zvnVngL7UxjxT2L8fEzy5LQl2kM28P6eZ/QccP8ACtUdVYZz0xGUF8I7IwV0HmouMjj1BYfiXVWLaiSZ5C1J4AA4KK1t2hGg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDmjCCAoKgAwIBAgIGAVH33Q1VMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxDjAMBgNVBAMMBWZsYW50MRwwGgYJKoZIhvcNAQkBFg1pbmZv
+QG9rdGEuY29tMB4XDTE1MTIzMTExNDYxN1oXDTI1MTIzMTExNDcxN1owgY0xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARP
+a3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEOMAwGA1UEAwwFZmxhbnQxHDAaBgkqhkiG9w0BCQEW
+DWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCLjrnxEq1yqaEk
+JPgqWeVxicFC9PnXCmrDtoOnhz/9AJbks5/cDRYFGMRYrS2a8EX8I4FAa2DPrKwjyk6YqzzR9jY/
+Il3x6PTSUEQh5cvCE/Vb9C7iJAInazZ4MTI5xdEwtNt3UD/aVaAfW8k64DquTZnWK4Wtg9igS2ne
+pzYbmAma015O1oxggs4wv3JVgl5vCLdlMLj/kvBjx8XCXKOtVJVpHkJEI/pAE3s+XeVP3WBWbgEK
+NAcjRnWJ3igXlNir3O2ee1+dcDkoVmpXILBmClMu/JEdQWvIfnXYZOYv9GUzS/EODQIbOYm8wsan
++ErfrVDAAr30zDa7pG823JwFAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAHTU2NZ3tgIcZNtx8QP8
+WMtJ0038nzGmttx+oBc3zFu1+z8XBGRGW27ISL3vncWSAxeuFFzFWjWpBmMU2piM6MFvOYciI3vu
+iM6fpGCUKCojvKCfwZ/pQKP5RIk92vWlDl5USSr48NH4BUjC4qTIvQSaWrvZu+qlJ1h/JISPVy1J
+ftZSshAYaZTChmnqp/KtKQq7DOPVc14HR3gBkyoakQKjtQ9TBHAENJV3N1FOPJ3/D/Y85EzecLdT
+3fiT0RZZ7W/HsG2LLIQsTnsnBP018KEG2aqLFLxO67dVy2UchrxvwBjiyvoHVAdUdditoL5WKhAc
+KhT/MUKMlzqzYa17eww=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_3b5e1926678d4654409a579b245af8c5" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_86dc490e2ef641df2302e7e214b1a333"/></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>xgq5YG2k+6fI0+DeqrWlEHcxl3C+ujuFwMVD2th9d6H5bIvtAy52fFuKcYGAtGD9C/MqJkhA6L+EmpOhn1wUgA/lujmb9Od1ZkfMiI54WaX4gflahQ21YpXqvH5Ucp+XmG0AEiO++pSQ1tMf0L4SHMH60MXVGbKF4WPXNgHvGSvny5MTstoeYqM0jOpya9SrBjW29/DnjSw6VDIwZC89ZibIjLsxNY4aYGK2b0IwBRpo9YHtaD39CYQY8GMBtUNQFi6K8VPIGMihvrbyVNd1VMK3DD2iZTgF/wS2914K9WAZaGNCaeLuJD9rs4Sz7OIOYIrXQSOhfgI4O9azHpfUHRmrKor3AV6uL+8VkyMQQELXtrbWehs8O79qlZs2tfJuqSohkRDx0Z0MFvRw6YWqa4fF1AR7Ng/Z90FWNZJ0mzrVdztxdUnwa9t4bm07GNJtlhEELI1l0D1dzJLhdyVVVgJnm/Y8tv6EXz5lfUvfOj3XZcfuH51iYRaKD0LUxXwGIgIV7PoEanR0zSFC+wlYsYpqZuUSyFeAafKLEyE+Gmo7up/YXHSDhYyJx1UxUjyqr2lxVm36QWIdAhsQ7I/9Ew94IopuUydDD4lI0FezuRsphklv5wMxHon+49BEP8ZN3zK8E3csuxHXH0kESue0nkodTH9dJskpDUDtF68BxmVyLDTyq/9JOV++H5tHOXatWRfu74k+GUQvvRgRx/5dr8NO2QQ3r2pVtP19hScuZLVGpf9DV8RQRI/icyxJBz/OnmMGJoOU+t6tyvu5q2kSPZi/9Ipz4cFO6m11YFa5Kernuey6PGL6J0y9yFGtEs4nR0msYM6M8gBn1XRLvYCMVUcaUHXFiLZcvsOTNuLjiaes4gj6ONBfAcX98IZYPVLq1McQI+Izt0dNquU9yiMBG1GjJ0RUF4VR0naQezTixafugGNovgs2awDrRY5QJL2ffVzlxG3DZFRrcs2qGXQ7Gm9eja/j08xRfIs7wYqusCSFfmgqXcGQ41NkSszu91HOt49c5S35jvySU95aPcEhmN86O2NFZOpGKwnPbBAf2e1vglUcRZkljzw0mbUja26RULKog0IJlSe43yPBC4aof1Eher6x587YZ6vwmibN/aZLxRGe2ybm8HEDPt0VphG8Z17Kw9z5b1Uc0UjsWYYW9cEh/lRs3DdE40onwYgjggM6/cieSigEMw2kqoAYeVNd4O9nq1Uek9ejGEuuIpuiPdCnOufejmsIqVC3x6xHMdVkbojD/l7pESo48Qvqa1/bpzh58Law8VWByFnPpmM+dIK/FPy/0KjaXzcs8T4x/spH/hmNPO5tUTIt+dZIQtGrQQda7mnZ1SLOnNX3lLoQcaXDuXqG5OgXRC9zSXtFl6/0h7nHwP5vOCDKahlcu2Cm5L03WCGxcwqGb/rcZeFHjJhNkbqWvYAW+ouWz/aEQVbHc9Gf7OAxX6Xs/y5LTwW/TpySmGDZBlgmX6JE7yaQYORuhglXFiQkMAemzthrj8FWf+XejleSfbVZcM+rWd6sbzy2eXo665Q1gO+8S4jQfWwz/GP5N08ESdTbH2XhclWAYbEKP2JtO+rQAjFgWVraV2tnNKquVcEITDn3BqzHxkShfafpPpccYbnYFfSVRcy3laU1hRM+TbQz0KsmwjjaT8uJUj4A94eaxpPuUFxnh0TQjyIJKzcfa1KW8Hb155eUuYsjJG4fFliyFQweZEcn88RusCeXqQlmEkUNRl8qf2UwrdnCuMQpLSnMZvLClvJ5zTKQ2MevvCBTb8mXejyYfvdoF/9hjiXWOvARWiFHMhleaNV3ti2calnQh4XVO7PyogFoqp/ou98KRsyHdSp6ISTk08hOd2cinc1r8N0HUMrhl/14FItwky0MzRJeNomMRX7ggdpZr10Ytc1PrN7PYqslMRXqTe6U9mRteUYSxZqt1VwzPWDEe02sS+t2RIWwWvUU/TMId2mvNmBGUGNuBp7sIU0Y6OLSyPn9E3w/d2t8QcJcD1xFDehfOQshl+de/dx9VwwCJxQQ1px8fephOPvOatdW4FCPM9+gMKzCoiZvyc3uD7VOawV54+nMeL/5iTLLsVsCDSOKCh0RTZbg9aTOSK8E2UV9JVJ/BxtqR3I72Kl6B1CJFbQCPmjftCEK3oJpF6Hj7lcbYCRwF6dnhML7oJS92P8byznuKNqybAxGLqv4ijhuLvhN96Nr3TcH2rBaw0JXZlUVnSBrvHnqmfFnJBl/o5XrZux0sKHdaQBJXuFC3hquKTomCczlBMQcNaq1t79NYY2EiA/Q/zslUOcfIu9QEZCA8LpwTRAxIjjH3ebRn7rxyyqomnOXC4JI5WkJCwhFMEAexGLvqtBM7pWoNcEPn5J46El7TjRFuO7ypKpH388PkLGWrMPdD8I1EZM7pe0p4FIxLrIY9n5YH6iN0QPyZ2nCjl+ffCSwcxOBPxeFmkbZOZOGrSWiRUnBeK8Yf7+TVV4m7iOrLVazCqngcscFoax1O5kOitVbMO6biHtxNHTYccd6TsrnmGuOifpx2JMm4kiG562u259Bu4eld1MqmUt8vKk/3aVf3/8QqKqjDOFrcnF3JiXzEkbxstpiSG2ZW+a4GW+KKinFDq7AQsyTP74m2NonxHgt+ETLYjcPIiTL0iH5YaVAZfrDo+R1bXl0WYpo5Xd6yihKRZiR7mCt4zTFXpZLppTpJvngwT5qoyBgBmXFeh1zz75aEgibwQ8NimWSm3x4F+w7caiax/CUsBH8dxwGBFnuS3yxZ/8pNBgmZC5ZT2tLdSKydRXkWRcl4/BLmwuMQ9DiKaGbk9+3AbmoE3avFHcrtQZPDw+Xu0j7M93Lq6wPcku7KJnB9EboGcQZ0Iw4TPIFmNayrklXAMZRKRCFrQ/lYhftF5KgLq6/um8ult1ufodYMRnVKegR6I9q+RD4zmfEzmo7EPkY+47NzM+h0H1a9N64bUsYIHo170KO61zQlg1eqVTeiKqK227CK06Fqp8Hyuq3eZbac+6fST2sMVfgAzfNnFyQ7gOyo/7RMZzlYAcacPMNXgcqxCnBN+3dH8wmPstAB7lhNZRz9o/n2X4DI+o2RP/n4riy2TTOOrEuWxpSKcjtOj0PnDVBrsUcv+qXPO9oxbAfLCcieYwzWZOPKlVd4hqint4sHlrtX55Ga00fgVAHxbEEkDCRUgE09YVn4d590r/Pr5W3tyOBAc3qqgJMVqDT//huGuyfqCDvYqrMhcyKiLBNlzkUWTOqywrmp6CTGq6WZZ5lmK5ISrcyNrkPEWN7Uwm4XGUGYbfUicN1IEK1XcxWjRwo1Y8U4ooj7SHN8xu+6+3k+5zi5ZitgDWao+e7n/yHhADdJukdYGMe7H0IiKK8XpjYpcQ/DoEdqB6VV6Agu/4C8cBvzSi8/K/9tuyvPnLD1qMG6ajKpnP0885TxBEajx4/JZ+tNt39H0cOxPT7tAEBxMj0V4+IXaG3+35uxxUN7ZqqGZb9BWGNKF5xHfcM4G6mLSUHcdyJD1yfHT6sv/TpF9rhDxebirZYEkkUMZDu8v4Yy21lVg9GqRNJdqmn647xGT/8GF4fNV1uldQAXL9wi++hCCqNmfz24dMm2GfOr/0Zc1l9SCrbOQPi+YHgnWENzViqB4MZZzuinlHY8xu7CT/J5PjSCxzfMUHBEjKCd+/Wov3eSWiIX2tLA3W97OTzBpPS87/lLUzSY61Psh2pWUpmiaoiIGwer/YliigQEhNC2UVLj08aNiEkPge1a8HlrqyO/fO2Z1tv6eaMGoCdq7jAibgkPVeu9jKk0SQrQFlfkG8vRKhQ4s6pGVwNzdMFYUqZnccwz1rbiiKXGUfNdiZ5urtwXV3N2Ow3bt+EG/Qzu67njazYTVg6QVN1DwXw/DVNxnYLphwT+6CnO90J4dAu/OoiJGqVb6GaarAuedakEVKpMu8ZoifezZ9l3/xHbnHnck2ucvbeqAEaUPCG8f6/DD0Lga1ThG1Lbkfoqo4jXXARQZVF8nRWJtslZzQ39iAPS1dQS5kwd5GA/g0JFLDBQz+DNOERg5OqErMGcXmq8U68VAt5zhoo+m/GY44nqorILIkuS6H7vr8YSmd3QefPsptTjdKWXigU4+2U7Hgpj8LnG866ya0ZYLkybCGWlHt3QhrABsTQms9Yuw2GY/PALG08UTTYs+CHbjYTVAqz3evd+VMXN6iFeVOU3pwBCbGUY/WqtTmeBoeThWd/JfhbRss0cPLBiOwu2OFiXyKebiDbrW9FuoY9mpHcle9MeB2Ny7e3ht+PuKxlDsqqejEdRAszVrXAgz/ktstviLJRPGixxJfDqhJBOOSLEehRs9EmHEWZ2N+UQYRFGbzgk5uRALhX7M76twJR2APlkTqXB1UGaEjlKkWDuIu7NLV2ss9OhO7LmjXe6ETl76/ZeMDvA6V7MVXpI6nwwTRD649DJlkMtNeA8k39Jel3W9mWXlhlNGrlSUsfI/NeDqNW8DP8mmPWvoSrf6k4lu2TTAoxZ/esVN2xRhiRxMxpKPEn6AOOwL3RftcOOjRWdxsDBA4sjdiAJC1gADVJwIu8XOSLL5wc8HekHcgGzHoT60CJ+yhcI+ztQPDqtt7Pb9Oe1V9sKACQ1ymNzHLLnBawEN/VvL0WedGW0cTiO4Ydv8IfS/F8Clk6Bhyswg6hKQ8VHSwh8NrXK3FE3dM+gGQDAEJtWkL0XPGFNDdJvu/qE7MuHSqaad3uD3RUnkJB3KybnC3wBjJHSfC6cTf0z6vPQd3LKe8B4GdSZ2IQ0vGrwN1C9+qf63DQ45tpEoUp78JJaX/J1ag2QP2jYhbPMxGTxiAFo68NZaTjS+eR2FRTlbankQhs+u78oksenPo19d9Hz8GzAgU4Yk61VK2RqM0LsiSzjrFO5J3IkR78sSaai/93VFCPqw5rP8n0G40mpb8vYSFaFIy0MwudKrJRDBluNGVAmp9QAQDEt+ygzsifaO+SoY+AuL+LTXv53GAYB0W/C6yNDDuL0gvgp0VAnWw1sp66RLHKEy3L667NZzkSamxdxWaYu7+Lq8R2KiXSgiORo6FO3xFeXPbbNnDAzP25/4Lk0pY8buLWWctzgG8jfLikQRttj47AzAnfsxUDqes4/ln1D/HJZd8TpcjCbnqfXzkZRVezw5lP6k+R48CUHlZpVzS5o+BvCE585eS+CHPcQZ7G8qVlCryp17MCjWuvAm5oJFvH2QyAVe008tVgzn5LU11hjMsSXQ0xBHeSObIaVMKiyeKhETB1gLA/l7E9SOCoJ2e6Lo1WLOmy6l0k52WVIgC0alueeFBsYQ2n/7SWx25FIGUPlWea11mmcCwsmNeQvr4pgCSi7/n/cSFNKb/SdZgptfvXWdi3uJGNBclfktru4Nz8PxKrxyyP71XcLMN2gaEAFCLlpRGI+ow0s54BY8YxiqOHn6uUc8RZe8hjfLqKd5neWerFmswK0JH0JsmLfyrkFi7L8KeEjp8+UYOJD6wpR6ZCJETucI9pM37FP6zro4GD77Kt8QLoEvaUiIKve7dv9rMFzQxgvdyl7iyydNi09GxOnEaikasZ7xYMftCsKWOhnyUcwPjuStsQLME5vJbvsQh5eK44J+cHgw6lWk54r1ZyUxMPRbrBVojhTHBxXbz/MOgRipWdQo6UbPwBMNovD+MeWeORjZjbuDJVna29JEbaNMzkp60xV7BhKKTbus1yHItwKjYtAYQohFdAJJboMZnMqBZl62M1FnrqXODJMcW5amBXURHy56PZrkigCNeZXs4Uf+j0Bn2+rcoORgJmLS8+wt5NC/P+ug6xxxXpI3jzns9yp7rZpjeGQ6n6aCTcQbkMkhj2aeE7kZWntC9RoS6/52td7/h1VrUBY9o5GSD+Hiepd++ugyLssoCaafVbBw5vI7h4XaeFwfgugKTWXev2unFqaGW8zdi4b1d8L0Wx6BgdzOUBY6NBwVU2EN1JGmnEqyipTc8VIURJ/UjwepjWtuX4+Q6govcXvvJM3g3VRbO4Adsp6ozARg9smGx3bEHJqRsFpHfbFwJRqe51PN1lD3F5AjF37eYDViWm2NZVMUQqnekLL1HWhmSSFUzyxKrygdGO8CzrqmrxnSuXClGziCceHv6N0jiix6DwWYW+LsJkP7rdl1ttJFw+JlCthtu+oTQ2TBsDcGGnCU4fIoBCWyCsHh4sNfsIH9TJdeIovrEZQyxjK5YopbDxeGJ5RayfRdLQ428xNro1ZK9zrr3cneWvcgfVP+rScp+xRiRnxa+kH6I/FBZmpUNk2tUPTZKe3GQBEqGKco2noT+ukYFaBqDEc+1P6bhN6IGY8ZMKoLJVCYLYFnH/zUVu9bfj3MdYAhoyJS6hDYIgt4fdXAyIOlHlcPYk4qD9R0Cs/nM68UJQEK4eGVOjowMbeP2K1A==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_86dc490e2ef641df2302e7e214b1a333"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></xenc:EncryptionMethod><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICGzCCAYQCCQCNNcQXom32VDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCSU4xFTATBgNVBAcTDEluZGlhbmFwb2xpczERMA8GA1UEChMIT25lTG9naW4xDDAKBgNVBAsT
+A0VuZzAeFw0xNDA0MjMxODQxMDFaFw0xNTA0MjMxODQxMDFaMFIxCzAJBgNVBAYTAlVTMQswCQYD
+VQQIEwJJTjEVMBMGA1UEBxMMSW5kaWFuYXBvbGlzMREwDwYDVQQKEwhPbmVMb2dpbjEMMAoGA1UE
+CxMDRW5nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5
+PckwsNgS9pUvV7fzTqCHk8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl0+mhy6MP
+dyjyA6G14jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA7DjNaUYQqwIDAQABMA0G
+CSqGSIb3DQEBBQUAA4GBALM2vGCiQ/vm+a6v40+VX2zdqHA2Q/1vF1ibQzJ54MJCOVWvs+vQXfZF
+hdm0OPM2IrDU7oqvKPqP6xOAeJK6H0yP7M4YL3fatSvIYmmfyXC9kt3Svz/NyrHzPhUnJ0ye/sUS
+XxnzQxwcm/9PwAqrQaA3QpQkH57ybF/OoryPe+2h</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>uP8XSbkSQsgkyq9Gu52VifiVDD1z5Utof7Tytz36ObJNb6DQCaKMbKSq9aIVF9LUn0JMkTFnTaLSq749P76XBmiZRuD1OZOlUYt1vXAviiQ6+6fgIt7tpfDl8MxVPoMAV53c7mhIgxHSalONunVlKVnk0P2XaGHKK2EZloXK408=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#_3b5e1926678d4654409a579b245af8c5"/></xenc:ReferenceList></xenc:EncryptedKey></saml2:EncryptedAssertion></saml2p:Response>