[keycloak-dev] Keycloak's SAML AuthnResponse uses wrong binding

John Dennis jdennis at redhat.com
Fri Apr 15 23:58:33 EDT 2016


On 04/15/2016 06:55 PM, Pedro Igor Silva wrote:
> What I tried to say is that ACSI and ProtocolBinding are mutually
> exclusive. And usually, ProtocolBinding is used with ACSURL.

> And that is why we always recommend POST (and also because the
> assertion is not exposed) and the usage of that "Force Post Binding".
> Which is enabled by default ...

>> 1) Since nothing was specified use a default (HTTP-Post). The spec
>> seems to be silent on what the default should be but HTTP-Post
>> seems like the best choice.
>
> See above. We do that. And, AFAIK, we don't support Artifact.

> Considering that we don't support Artifact. We would always choose
> POST.


> The ACSURL is always checked against the valid URLs you specified in
> your client configuration.

> We already choose the ACSURL based on the client configuration.

> I think the point is, can you live with ProtocolBinding and ACSURL ?
> Or do you really need full spec support (ACSI, etc) at this regard ?

It's not a question if I can live with ProtocolBinding and ACSURL, I have 
no control over what an SP sends. If an SP sends only an ACSURL Keycloak 
needs to perform a POST with the AuthnResponse. You've said multiple 
times above that Keycloak will do a POST with the AuthnResponse but 
that's not what Keycloak is doing, instead it's causing a GET on the 
ACSURL using the HTTP-Redirect binding. So we need to figure out why 
Keycloak is not behaving as you believe it should be.

I've attached the protocol exchange with annotations as a text file (so 
the mailer won't mangle it). Maybe I've stared at this too long and can 
no longer see what's in front of me (a good chance) but it sure looks to 
me like Keycloak is behaving differently than expected.

Many thanks in advance for your help Pedro!

-- 
John
-------------- next part --------------
The SP is "jdennis_test.example.com"

The IdP is "ipa.jdennis.oslab.test:8180"

The Keycloak realm is "jrd"

The SP metadata has these AssertionConsumerService definitions:

<AssertionConsumerService
  index="0"
  isDefault="true"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://jdennis_test.example.com/mellon/postResponse" />
<AssertionConsumerService
  index="1"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
  Location="https://jdennis_test.example.com/mellon/artifactResponse" />
<AssertionConsumerService
  index="2"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
  Location="https://jdennis_test.example.com/mellon/paosResponse" />

This is the sequence of operations and protocol content as recorded by SAMLTracer (headers and cookies omitted for brevity).

1) SP Sends AuthnRequest (HTTP-Redirect) using GET Method to Keycloak IdP

"http://ipa.jdennis.oslab.test:8180/auth/realms/jrd/protocol/saml?SAMLRequest=[encoded request omitted; decoded below]&RelayState=https%3A%2F%2Fjdennis_test.example.com%2Fprotected.html&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=[signature value omitted]"

Decoding the above HTTP-Redirect yields this:

<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_B98A18349F418F18CFC22CDED8DD0F79"
  Version="2.0"
  IssueInstant="2016-04-14T18:42:56Z"
  Destination="http://ipa.jdennis.oslab.test:8180/auth/realms/jrd/protocol/saml"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
  ForceAuthn="false"
  IsPassive="false"
  AssertionConsumerServiceURL="https://jdennis_test.example.com/mellon/postResponse">
  <saml:Issuer>https://jdennis_test.example.com/mellon/metadata</saml:Issuer>
  <samlp:NameIDPolicy
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    AllowCreate="true"/>
</samlp:AuthnRequest>

2) Keycloak IdP Authenticates User

[IdP authentication protocol omitted for brevity]

3) Keycloak IdP responds with a 302 redirect with this location header
causing a GET operation on the SP ACSURL (which is only expecting a
POST). Note, "https://jdennis_test.example.com/mellon/postResponse" is
the default ACS in the SP metadata with a HTTP-POST binding. Note also
this is the AssertionConsumerServiceURL in the above AuthnRequest.

This is an HTTP-Redirect binding using GET. This is *not* an HTTP-Post.

"https://jdennis_test.example.com/mellon/postResponse?SAMLResponse=[encoded response omitted; decoded below]&RelayState=https%3A%2F%2Fjdennis_test.example.com%2Fprotected.html&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=[signature value omitted]"

Decoding the above HTTP-Redirect yields this:

<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://jdennis_test.example.com/mellon/postResponse"
  ID="ID_c188a47d-36ed-4891-8298-2fd090e9db81"
  InResponseTo="_B98A18349F418F18CFC22CDED8DD0F79"
  IssueInstant="2016-04-14T18:43:24.116Z"
  Version="2.0">
  <saml:Issuer>http://ipa.jdennis.oslab.test:8180/auth/realms/jrd</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData
      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <xenc:CipherData>
            <xenc:CipherValue>[base64 value omitted]</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>[base64 value omitted]</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
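
An added example, not part of the original message or of Keycloak's code: one way an IdP could resolve the response endpoint and binding from the SP metadata quoted in the attachment, so that a request carrying only AssertionConsumerServiceURL is answered with the binding registered for that URL, and an unregistered URL or binding is refused. The function names, the SPSSODescriptor wrapper and the sample requests are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# ACS entries copied from the attachment; the SPSSODescriptor wrapper is constructed.
SP_METADATA = """<SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<AssertionConsumerService index="0" isDefault="true"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://jdennis_test.example.com/mellon/postResponse" />
<AssertionConsumerService index="1"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
  Location="https://jdennis_test.example.com/mellon/artifactResponse" />
<AssertionConsumerService index="2"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
  Location="https://jdennis_test.example.com/mellon/paosResponse" />
</SPSSODescriptor>"""

def sample_request(attrs: str) -> str:
    """Constructed SAMLRequest value (raw DEFLATE + base64) with only the given attributes."""
    xml = f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" {attrs}/>'
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def redirect_decode(value: str) -> ET.Element:
    """Reverse the HTTP-Redirect encoding of an already URL-decoded parameter."""
    return ET.fromstring(zlib.decompress(base64.b64decode(value), -15))

def resolve_acs(request: ET.Element, metadata_xml: str = SP_METADATA):
    """Return the (Location, Binding) to answer on; ValueError if not registered."""
    acs = ET.fromstring(metadata_xml).findall(MD + "AssertionConsumerService")
    url = request.get("AssertionConsumerServiceURL")
    binding = request.get("ProtocolBinding")
    index = request.get("AssertionConsumerServiceIndex")
    if index is not None and (url or binding):
        raise ValueError("ACS index cannot be combined with ACS URL or ProtocolBinding")
    if index is not None:
        match = [e for e in acs if e.get("index") == index]
    elif url is not None:
        # Only endpoints the SP registered are eligible; the binding comes from
        # the request when present, otherwise from the metadata entry for the URL.
        match = [e for e in acs if e.get("Location") == url
                 and binding in (None, e.get("Binding"))]
    else:
        match = [e for e in acs if e.get("isDefault") == "true"] or acs[:1]
    if not match:
        raise ValueError("no registered AssertionConsumerService matches the request")
    return match[0].get("Location"), match[0].get("Binding")
```

For the request in step 1 (ACS URL only, no ProtocolBinding), resolve_acs returns the postResponse location with the HTTP-POST binding.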

