Skip to content

sources/saml: move SAML Response signature verification before decryption #18176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ikob wants to merge 30 commits into
base: main
Choose a base branch
from
Open

sources/saml: move SAML Response signature verification before decryption #18176

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
6d1c7f9
release: 2025.10.0-rc1
authentik-automation[bot] Oct 20, 2025
78d270b
release: 2025.10.0-rc2
authentik-automation[bot] Oct 21, 2025
d4a7758
website: fix active menu link background overlap (cherry-pick #17607 …
authentik-automation[bot] Oct 21, 2025
1422c3a
core, web: update translations (cherry-pick #17605 to version-2025.10…
authentik-automation[bot] Oct 21, 2025
c1bc2a4
ci: use forked release action to deal with large release notes (cherr…
authentik-automation[bot] Oct 21, 2025
b7d3039
release: 2025.10.0-rc3
authentik-automation[bot] Oct 21, 2025
ecba1ff
enterprise: add prometheus metrics for license usage and expiry (cher…
authentik-automation[bot] Oct 21, 2025
0bcd1c2
website/docs: rel notes 2025.10: add 3 more integration guides (cherr…
authentik-automation[bot] Oct 22, 2025
aeb4e10
providers/proxy: drop headers with underscores (cherry-pick #17650 to…
authentik-automation[bot] Oct 22, 2025
343506d
website/docs: add note about invite link not bound (cherry-pick #1765…
authentik-automation[bot] Oct 24, 2025
1ef83f3
website/docs: eap add info about custom validation (cherry-pick #1764…
authentik-automation[bot] Oct 24, 2025
b9b16db
website/docs: release notes: Add Zot integration (cherry-pick #17700 …
authentik-automation[bot] Oct 25, 2025
01406d3
website/docs: add short-lived certificate recommendation (cherry-pick…
authentik-automation[bot] Oct 25, 2025
0e12642
website/docs: blueprints: add a bit more info (cherry-pick #17704 to …
authentik-automation[bot] Oct 26, 2025
06a6d45
enterprise: handle cached naive timezone (cherry-pick #17695 to versi…
authentik-automation[bot] Oct 27, 2025
f056c08
website/docs: update flow context ref (cherry-pick #17723 to version-…
authentik-automation[bot] Oct 27, 2025
f48a91f
website/docs: finalise 2025.10 release notes (cherry-pick #17728 to v…
authentik-automation[bot] Oct 27, 2025
f2805b9
release: 2025.10.0
authentik-automation[bot] Oct 27, 2025
95b1e66
sources/SAML: fix signed responce verification
ikob Nov 1, 2025
7b90325
fix 405 errors in case of missing verification cert
ikob Nov 15, 2025
d9d96e5
Merge branch 'main' into fix-SAML-signed-res-verify
ikob Nov 16, 2025
03f467d
revert package-lock.json
ikob Nov 16, 2025
c961233
Merge branch 'main' into fix-SAML-signed-res-verify
ikob Nov 22, 2025
ddef6dc
Update authentik/sources/saml/tests/test_response.py
ikob Dec 4, 2025
cb187ed
Fix to refer the correct verifier result.
ikob Dec 5, 2025
8f7f35b
Fix to test with encryption key.
ikob Dec 5, 2025
bd287d4
Fix nits
ikob Dec 5, 2025
292b121
apply lint-fix
ikob Dec 5, 2025
897cb22
core, web: update translations (cherry-pick #17605 to version-2025.10…
authentik-automation[bot] Oct 21, 2025
5a34eb4
Merge branch 'main' into fix-SAML-signed-res-verify
ikob Dec 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 53 additions & 40 deletions authentik/sources/saml/processors/response.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,11 +77,35 @@ def parse(self):
self._root_xml = b64decode(raw_response.encode())
self._root = fromstring(self._root_xml)

sig_errors = []
if self._source.verification_kp and self._source.signed_response:
resp_error = self._verify_signed("/samlp:Response")
if resp_error == "":
self.response_signature_verified = True
else:
self.response_signature_verified = False
sig_errors.append(resp_error)

if self._source.encryption_kp:
self._decrypt_response()

if self._source.verification_kp:
self._verify_signed()
if self._source.verification_kp and self._source.signed_assertion:
assert_error = self._verify_signed("/samlp:Response/saml:Assertion")
if assert_error != "":
raise InvalidSignature(f"Assertion signature invalid: {assert_error}")

if self._source.verification_kp and self._source.signed_response:
if self.response_signature_verified is False:
post_error = self._verify_signed("/samlp:Response")
if post_error == "":
self.response_signature_verified = True
else:
self.response_signature_verified = False
sig_errors.append(post_error)
raise InvalidSignature(
f"SAML Response signature invalid: {'; '.join(sig_errors)}"
)

self._verify_request_id()
self._verify_status()

Expand Down Expand Up @@ -114,45 +138,34 @@ def _decrypt_response(self):
decrypted_assertion,
)

def _verify_signed(self):
def _verify_signed(self, xpath: str) -> str:
"""Verify SAML Response's Signature"""
signatures = []

if self._source.signed_response:
signature_nodes = self._root.xpath("/samlp:Response/ds:Signature", namespaces=NS_MAP)

if len(signature_nodes) != 1:
raise InvalidSignature("No Signature exists in the Response element.")
signatures.extend(signature_nodes)

if self._source.signed_assertion:
signature_nodes = self._root.xpath(
"/samlp:Response/saml:Assertion/ds:Signature", namespaces=NS_MAP
)

if len(signature_nodes) != 1:
raise InvalidSignature("No Signature exists in the Assertion element.")
signatures.extend(signature_nodes)

if len(signatures) == 0:
raise InvalidSignature()

for signature_node in signatures:
xmlsec.tree.add_ids(self._root, ["ID"])

ctx = xmlsec.SignatureContext()
key = xmlsec.Key.from_memory(
self._source.verification_kp.certificate_data,
xmlsec.constants.KeyDataFormatCertPem,
)
ctx.key = key

ctx.set_enabled_key_data([xmlsec.constants.KeyDataX509])
try:
ctx.verify(signature_node)
except xmlsec.Error as exc:
raise InvalidSignature() from exc
LOGGER.debug("Successfully verified signature")
nodes = self._root.xpath(xpath, namespaces=NS_MAP)
if len(nodes) != 1:
return f"no-node:{xpath}"
node = nodes[0]
sigs = node.findall("ds:Signature", namespaces=NS_MAP)
if not sigs:
return f"{xpath}: no-signature"
if len(sigs) > 1:
return f"{xpath}: multiple-signatures ({len(sigs)})"
sig = sigs[0]

xmlsec.tree.add_ids(self._root, ["ID"])
ctx = xmlsec.SignatureContext()
key = xmlsec.Key.from_memory(
self._source.verification_kp.certificate_data,
xmlsec.constants.KeyDataFormatCertPem,
)
ctx.key = key
try:
ctx.verify(sig)
return "" # OK
except xmlsec.Error as exc:
tag = node.tag.split("}", 1)[-1]
ref_uri = sig.xpath("ds:SignedInfo/ds:Reference/@URI", namespaces=NS_MAP)
ref_uri = ref_uri[0] if ref_uri else "N/A"
return f"{tag}:ref={ref_uri}: {exc}"

def _verify_request_id(self):
if self._source.allow_idp_initiated:
Expand Down
51 changes: 51 additions & 0 deletions authentik/sources/saml/tests/fixtures/encrypted-key2.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAm+G+glvebsyo//7WeYENv2YH7zd+1M+WMhrwvu1Z5AtnmDLb
b1BbB2j53LnGgpelJtqdOmpfCVQDTWu8wITbymYjyJmhhkCFRjNjqVGyQPSnxOJQ
bmUl8xaz1gJ6OIu89UsG6Y5WAKrQUWOXi38jI6iYp5xYo3ICakIbjamJUKzIi/dJ
hOSvSt1VoPOsbUnw5bVFSHNW16m2G++9ZGC3oQzVsFFHEY0B1a+CqZg93gKApsmH
okQdBYYTysMmadPVFON1FT9gSJmqbKVZak1gIKg+ZpFDC8xUOpyTCAsd4p7N5Zmf
NbJ7fpV4d1KJVLrbwtugjQyUsJYdI6KquUEqeXf//MUuj+pNwheq8ljFgcwI0Fmm
70K9gPBEFO6tzbMb6EhkP0yPUVoc4W7PZsJlz1DRE6g2EigRgBOtvptTfpUWUh/6
VMu/u0MPQM4Dy9M9qsyfewCOXRDkek4ESE4piQ3pBmCzK7YX5ySzEg9bu74feMDG
8r7Tv7CrT6WHC3bvEuRa0QNki4Hkb40v8weYiRDMoTM5KC6fmUB8f3s0ohRSkWDL
pLYXBHSSWf1nxWmQIoYmT4Qj79D7iEwxmxHzArXWYJuoMdFzLLrqdeKY4DnVT2Nf
NO62edmRIrzqvqB9AWwrhY7SYMF9R7T1U7xsF+y1OUVOznVkOWvthsavTZ0CAwEA
AQKCAgAVA4PV2XIdIChZKD677vaOOoAv0pydriVKeGDDcEY5rILo3NRBh4TZ9SAX
zhBxauV33SksZooMvR9b2L3/evmRKZ9By9ofOcPtoIBbIzkDMigKrdKXaznIMSOJ
olhdFpNgwt457nbwDJbcHe+gPcGcLT50++nkELq8HdDOklABSOWZHrsxt81cq4U/
VxIDwp+/q6XdHDVVCdsTnYg7x6EBjDQjWnWY61gXuRsFZ1FRxCcZNNo8uO9rnvU8
lH2xbv3O3NHcDSja6KI1lr28y5T9mgiddZAi/0bMhu54O11qPyu0+7ZffAHTYO12
MnFyc2UsOcTFNvC1dGsVsnhO1HbX5rqM1x19QHR+xx7xnc6hanQD6t+oSfdRHPJY
kTZX9O+gMtr2mTSkSbHZ3sHsvPnlyQvk+NaktykgN893j0ca5TPVymdORIDHUOQf
5y3uS1BK4YvbUv+AqtZcHc13dJRUc+wYPS3zRejTz3wIW/93h91kihZ16IVFbNa9
GTdcFcamQZaAR6IBzz5iOO4iX9Eywd7xgRyUOXCIk80AH0Rrpbmyc79gL0tbyX+h
oLDOfK/K3sQgNOGWr7rhe6quSSMYQeRB8qpqQGhZFZoP6wcfieB69l11D7GP69vZ
ZumqwnZAt8w3I+035kRf+myauGEUyc343zEMRStdaDbri5aMsQKCAQEA0B1Wdvct
VtLvNp6yV90iomzQxyWFRJfhnMUoN/HyEIL5gaUAnxPJBnSEr/p1VEYeeEnOlVzR
knqWihhxBh4lSkVA1Hiv3hliOchL/qNpnj02s6PtMuwG+Rr6HfC+gugVPd1qIac4
A0rrIjT4gAT1oKsfOpTVRuTd2GzFgspGd4d57sJ3vEgWoDXmyCKI2c/l1QM7B2Ro
de/Gpi2zF9B9HpNIavGT41FCOPzS0uLeixKHl8zl213+UqIqNZnByF2FOvZLgsJq
FPKEB1D3weG1qH1fxu5QTk/uXMNp9Rm1FjBY2i+lDzavn0TazGMqcbuiKopyDbgn
G/DXwllKxhIaMQKCAQEAv7+3aylbZ/FUsLzVRMVNwKMFiZQe8oRfiLZZWintbt85
zAmt9Pt4nJ3OQ9FuCCxf+zcc8u19pLohI04rZ71Q4VIzkw+hnbWnEn5QiJd9i+gv
8xbH9L4vZkMLP5zQamLiEXGjnOOH98pzKMSPiWsV6BxqhPxqIFbZ9bzUAzZRMHDK
EypX5cN6i+Qrs+F4aF9BV3t/23Zc3hwV58vBJRVQ+m5xVV0BUr7yZy575GQF2jc7
8caeX+Gt2muAKckLhCYdZs8FGOMWelMbsjnn6xfjSvdgYoMXqg2rsJ7Ft9sSl3Yv
Dk83EZ/xKFsAcrTqFld/URfjPWpDSY2eE3qGU6wjLQKCAQAhtU7G8Bw43ut+BlBO
qPOuKT/bsbkXNh6F3O05uoeBoyU0mXwzR+ockIzZUBDm+ICA7Tt3t9P+DLsLXRAZ
dJKHqBXrFC0wJR5iy417jg5SYgnVKO0HfXFXscXnSZIh8+NU5OMG1mXdKqpRHRFO
8v6x6mWhgG/XDsTcBCotmAO34oqeYIMyTN7VTkW2DtnppaHNUbui4+GDkLW1Ptuu
NMe/Rw3IvJ4+iG/YeSLQo4x2LCcoMDjewieqTLfXfLMFeBhXR4NNh53VDL7TzIqE
rcFVrBDyULFTLeEmx0QHPgW1tVj+5g6vGyVw/58M0dcTGtgWWdxFWpmDDgx0XzAc
StxRAoIBACpjn5C5G9PmrepEVIFXfNDROTAo5o6GZPg8F5SvICYagxRwL1yxGwDE
ggzMB58W8EEA9g1eIyB/ZUQAy+erGm41VeF02y2aMs0Lz5Hiq4Z6Vd9PcfTQ9nmM
6LevWwOpyIBCtwC/7BcDUmH40iJ24ejmH0Y25t8vVA/XJqdvIpOq24FRIw1QIY87
ac3iUlQAetl0G9fQWsdfPhh4GsKv667xK2zLmrdILx5QUGM1GXYcL8xLNEfOBDj8
+uBB6aHVKzrHGUFfMmDobn7//h0issSn207r3Bdj3ki1UNBMRdfl8JEhQfNLgGyD
cZ3qELXPsf2jYkD5dNaV0BROSdPFgiECggEAavxb0WTosdQ/FhbhuOS9bAd2FdgR
FRCEMD9AUC4O+TnOkU+iJTKxKhzQxeJIm341YooodeahiHbeWcP1c1bNFuMK1xEc
nMIZLd/mkRziWTXmg0CBrEFR5z0c7Cic2Dr6++ukMxZWwWwx5DVPuRgIkIsSWfV5
q2Ynv4AIl1dQ/O4yrtcMqrHJ1xDI+JnNGFtFmkOkk6GEw8+y0fVNHOLrJozX19DZ
vKLe4Kvzu8kuIzxYkobpglyVVPg3VFhyrgapqxMEkSZqMUw/VD71GjXt4jI2bFJL
HiSmgIHoD3PtyTNyAUP0BwUzTBk6W/TUEIrDtMlb1VbDgWO9iE9q8eXwjA==
-----END RSA PRIVATE KEY-----
9 changes: 9 additions & 0 deletions authentik/sources/saml/tests/fixtures/response_encrypted_signed.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx6fa54702-0078-1485-2811-314e5865aac0" Version="2.0" IssueInstant="2014-03-30T20:48:44Z" Destination="https://pitbulk.no-ip.org/newonelogin/demo1/index.php?acs" InResponseTo="ONELOGIN_6bffb4ef837600e0676cb21f4f0aa4bad94dd962"><saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#pfx6fa54702-0078-1485-2811-314e5865aac0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>KX0IuftI6uj+8bCW4GnGFbd+ahw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Zl7N2vcE3N6+KeTXfEcsZ3qQ/AQXiHwotEbIdgn5Ce6Sc/FZLXiU1C8DQmiaZMGX2Bmn2rcCXknCgPZ9kVSTC1PmFwRBQlj3HLFoakLz+RBTnBI2laI4+we5eT8ee7aZgxmnv1S7YWlKrV6Kd6uyMXSWPC61iOXuCRn2g5dyhgU=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>sACaXsz9JG3dTzKY6+GEapKfdWI8LrMqyuwQHp3n+fTbgfjvFPkg2HMIX0A0otAVKnkDiLDRFPDhAjqFNF1sr1GQjqWv/xwcwLvMCZ+25LXPcvNkkNkffwWLUuP8AE7do8XynvYj0pA6xxv/ikseuqRmj2y3lTJngu+DLwiKJuI=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></dsig:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>rTRT6c07B5JgwXvvOaD9/cPgIaaJrgB9B6KGYi+vEXLGi6AYr4z5fY5q1tvup7yFGM+peWFw4oCSv/Rqw/GKzUgM7R3MfpsUMPhDqKlSOz5H8lI+vz5RZ/SePzxe1+Cy4gdRUQGwL3TusUKFxqeIIVscuUcj5ogFtbkHKnFnLgfYMmeBlXH7sglVHpXets4Mi4BP0olHeXWh779ckJLlTmypPiu8ULambT+2XbkLVhvoTEDgQxNZTBVO9nRw6pA53fCXf3SBN75nEjqNT9zQyD1PLAOTUOwSRM3gxXSkLp3CFZeEOKuifjxUFlAi7XCePS8tWCqGRn6yGrhvTmaZzNrPDAOBe+MZS60jQ9r0lKiY5gyq2I3IFMb1LED67kpDw5gvcGLnrVQvCZU0Khw7EfvAG5cBeCVLcDq80fIkBTY5co9Gu/25qTR86LWGd/18X+d1Xz7JB59jzxiDcNpFYJSscAEvZfOltOO7M7tRgilZKmknFXcLhJomInWzh4OZHIjp4ekleYUvXuqDhCTQ727CeVIgFME8TjVBlZjQn+8//bInwfOp1PB4+sWEG99tVa4PwLj1MtUsWq3lh/F4yIfIaQQqfpfoD1VrtrOpiHo23CAHgCj5pUnpllGL2/SyZG32lKckjV2nJn1shJWCTY6kghgoZL9BP7xXx6O+RDjGuBfnbvNeFNT2/Q9aOTvU1owrJak2JmkeYo+Kf5H3oJx5VE1LmyWvXPVpqSf0GzFQmyx9P07YVNLgEH1a3SZ49T77WIJWHWXmb0PfZs+A1gaeVDr+4lwNMX8P+4DAtX9ONTTJMHgPb18ZL18pfQP6q0wCX6avkIw8voYhdPQHlanid/wr7B18o3TFmOzSnSGpAXPzP3qhu14/SUBTqXaOzoID6muo44IGqlUmJxCQP9d4T62SiYeeWbTn96HaSl7QhbB2ShQj1N4en4HMA6dGaKkGvpomjhSlavOShTYJZPdNvBybT4aTtpOTaIXoL/Yjve+NOZ0fhf91fvt52Mmkm6Lg7uR+wIrGPR9to2MBH0cY8B5zFKyz/y1tnMxFBFNi1o5yPmfrKq2ICiTtOXQJ30S2CDx4uiOipzFTAIx/lLh1PHHt/OVXUJILrgQGqBVc9oPYAtF02IXpumMRuYTkEP0jqyMRTyqD3ANHHpysiCPbubINX+eYYBAoAjzFWSF1L7u+BqKH+W7HitiauRm/qkOQcWOQ9lcYOib9P/QD/QaaYC8h0okgZOoA2KOpgq4psntkyrS30J59tqSXNEunAupyDKJEmgzh+bVM4PUz9SziL2w8wJW7+oxysfiEzMdxED8LkqdN0ITLxUQA3uxzS1Ptzj6mrfXgzFUrTdVHQL4ggSz9ba03dAHd6DXQVzPZKK/NpZ5F9S4qPlRDz9fc8d8LJVHl1omC0P5emIdSEy4lKpyzLOH0o6+X9qzqthfMAGW8gJOBl5IC9026c8A5NRERt1r2t53AZcRz2HZ10tfzqfxR4AsAb3GEvLikSvT4HejQqYjd7wu5R+ewbn7hPHc3OPm4LBrLH7CMw+e82c6l+Tigk/FIKtrsU7aHD6CjgEQfsdXskFdD9V6E80857Z0UXqox6n+7BNDl7Zsr/OeryBfeU949uRcRJslneZ+FVj/Ty8K8Mxw/6+pnmqIpQHXGqd+GJeVod6i+xht7sML4EHJnw5EN3mDKwoNcOQTNy8s7DG18zy5xDPi/+VqTL9m1me1lJYKIXpYpwQ+R4uOyINX2n3ca7DQcydr+WChcLG6F1EEhA+E86hJLU8ULRn+Q5MdCuY8kuWH+i9NOttaNIF7gLn/bwWC9r6cnwjSwtrapXBTVHlW5sXZeZR7B26SfOpHXpERPRId2kaSdsNVUxgT0iz/hxpZ91h+Ghnb85umn94RjJU44THUmvbvSZlfIF/U7FPajLtLSvO3oRQHS7QiXQzXm0VhXGXyQwqK51xWYly/1fhLWM0unC++RvvXQPT/UXhxd/UWTWZZUx8PqMeY86/4l+v7K8FUm7AMq0KE3vl/IIl5wY3KsND6cIBIIxCCq0Kjw83wd6B0yvBwX91ggK7tx3/Zu4SROv0v3xxBYxKOCgRIdRXohSVR8F6TSFz5B6l8V0s2IqP2gCNze+Ryy/XB3szfn/m1nwG860tiXx0+uw82Fvul769M+xsOH6yWDr/ZM+geQw95844qAJ5E6QehAE5XzFPmeLdQ7kkILvUsgLUCM36mhhn1zHh9Bu/g8deaFHM+j6SneaNBA7V/sxa4EuSuArC239RyHlOn8hQWkcTQ8TY1+kbB2bN9x6B/E67qXsDzu55ooK8UcVRkRtgk9kdwRKxv4zHvYLOUxMAfrBWLgkuTXXFR+YmcpsK8Ri+JHYQGzSA0cBsgeoKLjCxhZhh2QzBfq51V9a4FnNnBXtR1OnIM7kUTW1VYAKxKg4Qk93gPrN/Ca53Fb3W3EGasXakrW4Q9mpf61qVRP7y5Yh3fdkSklShaF+f4lkyPzU9JM6RD+IhG99fcTrRya26nPqGDA7qOV6ajbOnUF4C+anSioKRWAb2P0gNhFsbyyzBAwiOir8StyLAAskpNTYTFXLxP8/23ml9AaU8SXFxkl3DjGhAcat2/2fqAHDjY8FhmH5UmgKutCXMnr6RsPYWhAyaMov8HXyz6hT+o+Ika/IcEOC+03YZ/s9VuCSV36kkKYb5JNxBVi7YYK0Ee9Yp1jYTkYd+Z8afmyeSdlp5j+AQBPqlmPQEcCnoGvofathcSSXXt6eUAMgqBb7GMdu73V4BlYG9xOfkGmo+8OCTpa+ra2yKBSU+hMPVcAOAF9TazXaL3ETpFNfSjTFYTJeOHvEyvCvpDJEWOzun7csydigT6LU6poPtxpjA2UYfA3IJnCx+gBGyP0xnMkiAEU0Yh4sDNpVeGhx79iHcJ9MLBvJFCUiD4jxg1q6NWY5T8rMGhky7cIuJSidqh0W3uS0aAjscwyLtO6PVnV7enUFlvJADHUsFDzrpKkvnEwuIf7tpsjEnnsmmVO8wbuedP/FMRVpo2gQyYaDVrAgRiLHBdNzZ2/eRsx93xs9ADA7bNw3Awq5meuOevCM4MXvYYNqs6+W3Wkj+uatqQ4+Q7jV3kE+LAOycpvuvEuqXdlIDET4t9OEXbbDo/UqpfEaLwroRr5s5RdtiVt5NX6pqyD7mBLDpTNidETpvF5ISZ3fyfI5hrXkwWIOxQVc/iS7KGa4samTCWW3ZOI25AerPWTJXfyM/yrMJp4aTRTQHLR+F35o8jxvcUqBgTtgUHvS7y1YKYaE9KblTpeaQPXqmh/ARcE+/SqZSHchejCtdtg5yyFFeh03hGtSO4QX+3hyDGyQP/yVQ63I3k2z46v9C34dc7AR5AwH39b3+kx0DRx2hp1hxfYNBX+W7qcul65u2LWbS38N1x3JEIcGRmyP4XPWaTLpdrc5z/XJuhdz1as10gv5eKCp1s2BXgVRT7wgTrQsh6qxIxRGAapEaf9AQcDYmbQD9KkmNeDKahWUvooe2ooobHaQtUeyhIOB6ONwTJyFF/uMl76HWaww0XLetJot6WPGbzSrUx+XIw1cmy4AP9o4mv+ZF99p4Be+scyhsKyq22D8JqpsJV/sbbfdb571F4a8QovKJph14/1ugueGOfSEMAZvQfb7Chxs5CupKFmxlQn1z1F0H34JAHtqTjzM/smtSINyZkPkWPzUezbwqvRwc0z47X7aKXEVrB29BHuogZvrjJWKuCc/phMGACNAA92Of0iSSmIKIlZFEDOalag6wLo0w6RUG+4znuzxeQnd6l4lf2XjSAQvz7VMhlkd0KgJLsRPsqcNIwutQzLop+k8oLycoWvNhKeLB1cfF5mJXCpD6FF1jFOuKGD8wKzymETFq7tFBX1ec0Cg0nbTAPrUXos0fDKh4ntvb/u37dWcjpswRZ67vC4/qRo/DwX+jnWt5Ew4cB44yj0+luXJw+iRZNIapuakAztxC9ahZaxy4oOwqlrS0xu/F372MNnA8PFb+gzslVk1pYkh5nZ7EslPza1BHDJPit3jaD65Ug51oTPfxdIbd+vItwtq+PQCNWGIBtBMJ1nU5jWLPZSTAhzpP6zzHU8915fYzbFROkfXGc8EdsGFbgLvxBYBAUdoxIRGJBMfrNUuad/FHFF7aZGWMYJUBZcS9isMU2w3CWJyt5jaEoJiEpN4GPouLsgPg90N7yMfwXzn15wrKrQsZQgCkZl1rS6AMGNbQINLTzYnOawdhs7k1P5qxajuiuT9gwtCjlG5DfmX97ljepXcbZnEM3oWPolHxdy9T/ztTLbdXz8Vyk67RQT8IcfvRewFp1xBR1y8sXOgZIRe6oPdP7p+vxeVdGbYS5KLaQpDRyHLnDl75d1ydJLzBuGm3o+i+2E+uWodUwO6xII89VmXhUAC07JiMA1JzbXaqKZQdA/68ytcNmaJcak1TbNeL/sywYEQkFRNFZbRdLWBYSygQaYNCUrHt1S0LZ05xiS7llNVfE5HvqkrXZKzEkKV0Z17pcX06vN7yMMYOfuDGRGppfPs5uAWjr7IJGr13uMFrz11mASNB5aq5X5xTtjtViFetC7QUwcIhC4+YoBJXBXROYrO5iZHncviKiioflYddpUHEr+OHUC0cLGQNPhCplR6aEt8e12IEYb0hMDsveal88bL/SiRPh9Z1Ymt5VvdWCq1oXEnuFSf995Js9BEhV+QjKbJ8B5/xCSdyc/JM3eZhy8fLQ/7kvaLG5bFkeJ2s4Qq1VcVFEsdEFxdqXbdjPA0V9dafxLafZWGr7QDaNnyLt/PSVGCDxf+gh9fZ4HIuv9kWcvwry/PmDw9rCyyR5Dh6vX18PHO0wLmFYHR+nscdNBS34lnjQSCGwdffae1Mypa2a/vahkl0n6Pub7/2pPysWNZXhClvzCIC4xRKEDxbbxj+/vZ+vROf6wPitZR62JpoyuPhzIt8ZuT2lOl4EaHfbEleVa/CSVo7JdNjEY452tZrWkpv7Gg+kjfNQ6t3A5XoBIWhaQJ3y2ca+ix4YpW1YW/vvyZQ5MQOvoNdpEcXjcWx0KLVTTvv4IEOEKP36D/wqykDjg5jJVry/kTbL9ZIdmlRL/QBX3jGqLbjxpmT7ug2ENdQemGz/oWTjPzm/eU0q6elyb6+CztFnWdme4ba8OVXuWxMblt5Twsq9zBg76DlCif+KXvJU3EGW0T9Zu+E2lhD0C+38iI2khbmAYnjeyGO14VJHPaFy/xjfJ838b2JiT5BrLdLxWSb5zkskjHTARnoO8tI+uU/mK8CIVF0HbdHGb+pnahNurMzjy7bRm3qF/vGURga7L2qY5He4ke6E+dP3isTSpeeDinWd8yj7FkUd9p2NVKW6lfDkjZE4wrSOtiJbpkWdQ67wUK17MbgegxVqOvgtOgwRGAcS5XREQS4zT+ySgVscocGjr0f+YpCYxxxbx9SuZNj0gYl6UpWNoxPwd6KxiabXgw60+H3/Fn+h9X9ropd2B1uKzUHUF6aFkvTH7vLe8hcRnlNs5jr0z3OnbAjhpCmNkzh8mE2lMduAooMpYdAxw7tfmxqVQ2Uhj9T0zaxcXbHj+S80XhLsjbvR/gqpbg1EO28nGB75CKe5m4BCZq4UM/+1HQ5g7aVfyOoW3bIsEBQ==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>
Loading
Loading