Merge pull request handnot2#31 from DubberSoftware/feature/retrieval-method

Find encrypted key referenced using RetrievalMethod

Author: superhawk610

.travis.yml

@@ -3,5 +3,4 @@ otp_release:
   - 21.0
   - 20.3
   - 19.3
-  - 18.3
 script: rebar3 do compile, eunit

rebar

@@ -299,19 +299,53 @@ decrypt_assertion(Xml, #esaml_sp{key = PrivateKey}) ->
     [EncryptedData] = xmerl_xpath:string("./xenc:EncryptedData", Xml, [{namespace, XencNs}]),
     [#xmlText{value = CipherValue64}] = xmerl_xpath:string("xenc:CipherData/xenc:CipherValue/text()", EncryptedData, [{namespace, XencNs}]),
     CipherValue = base64:decode(CipherValue64),
-    SymmetricKey = decrypt_key_info(EncryptedData, PrivateKey),
+    EncryptedKey = get_encrypted_key(EncryptedData, Xml),
+    SymmetricKey = decrypt_key(EncryptedKey, PrivateKey),
     [#xmlAttribute{value = Algorithm}] = xmerl_xpath:string("./xenc:EncryptionMethod/@Algorithm", EncryptedData, [{namespace, XencNs}]),
     AssertionXml = block_decrypt(Algorithm, SymmetricKey, CipherValue),
     {Assertion, _} = xmerl_scan:string(AssertionXml, [{namespace_conformant, true}]),
     Assertion.
 
 
-decrypt_key_info(EncryptedData, Key) ->
-    DsNs = [{"ds", 'http://www.w3.org/2000/09/xmldsig#'}],
+get_encrypted_key(EncryptedData, Xml) ->
+    Ns = [{namespace, [
+            {"ds", 'http://www.w3.org/2000/09/xmldsig#'},
+            {"xenc", 'http://www.w3.org/2001/04/xmlenc#'}
+        ]}],
+    [KeyInfo] = xmerl_xpath:string("./ds:KeyInfo", EncryptedData, Ns),
+    case xmerl_xpath:string("./xenc:EncryptedKey", KeyInfo, Ns) of
+        [EncryptedKey] ->
+            EncryptedKey;
+        [] ->
+            retrieve_encrypted_key(KeyInfo, Xml, Ns)
+    end.
+
+
+retrieve_encrypted_key(KeyInfo, Xml, Ns) ->
+    [#xmlAttribute{value = URI}] = xmerl_xpath:string("./ds:RetrievalMethod/@URI", KeyInfo, Ns),
+    case URI of
+        "#" ++ Id ->
+            [EncryptedKey] = xmerl_xpath:string("//xenc:EncryptedKey[@Id='" ++ Id ++ "']", Xml, Ns),
+            EncryptedKey;
+        _ ->
+            case application:get_env(esaml, retrieve_remote_key, fun default_retrieve_remote_key/1) of
+                Fun when is_function(Fun, 1) ->
+                    Fun(URI);
+
+                {M, F, A} ->
+                    erlang:apply(M, F, [URI | A])
+            end
+    end.
+
+
+default_retrieve_remote_key(_URI) ->
+    error("Retrieval of remote encrypted keys is not configured").
+
+
+decrypt_key(EncryptedKey, Key) ->
     XencNs = [{"xenc", 'http://www.w3.org/2001/04/xmlenc#'}],
-    [KeyInfo] = xmerl_xpath:string("./ds:KeyInfo", EncryptedData, [{namespace, DsNs}]),
-    [#xmlAttribute{value = Algorithm}] = xmerl_xpath:string("./xenc:EncryptedKey/xenc:EncryptionMethod/@Algorithm", KeyInfo, [{namespace, XencNs}]),
-    [#xmlText{value = CipherValue64}] = xmerl_xpath:string("./xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue/text()", KeyInfo, [{namespace, XencNs}]),
+    [#xmlAttribute{value = Algorithm}] = xmerl_xpath:string("./xenc:EncryptionMethod/@Algorithm", EncryptedKey, [{namespace, XencNs}]),
+    [#xmlText{value = CipherValue64}] = xmerl_xpath:string("./xenc:CipherData/xenc:CipherValue/text()", EncryptedKey, [{namespace, XencNs}]),
     CipherValue = base64:decode(CipherValue64),
     decrypt(CipherValue, Algorithm, Key).
 

rebar3

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEpDCCAowCCQCSdHd01QFuCDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
+b2NhbGhvc3QwHhcNMjAwMjI1MDA0OTIxWhcNMzAwMjIyMDA0OTIxWjAUMRIwEAYD
+VQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC7
+b8IfFHfFveaO0OWOzt7xCMqIAhtB8RDuesmTlQLP6rIysz3jUXr/1VLjl2y5/YCJ
+83Nl3DUSkQLNuksdBnuQyDD6AsOyS9iU6yzrcPCalRSzOeDXthklX5hvkbPykM0v
+AvFUvjO7Vbjsp9UsuLhCVn9djSRxyaDCBZsLUXrDamIlpltqG+/3kltUp76gr8S7
++0Htjnwh1X+oCzfpCkQBjDJlszAilyZChZhHDR3o9QHeAfno7eMy+XT/DaXt4ERS
+ypij0m1RZjB55ceKjOqT6CtfPXsFWzPwcC1Kh0kQbdi8YY/pNSxZhiqcA50f+iut
+7Pm6+CpntrZ3VWlC6tcU7pVf4XZZpjRU8eb7L9OTsnnaDONT6h4jc6WMiIyrf2cU
+7gBCrOlRT0TOeWbuvrtCy9PZg/pZwDUJlgwFhKMFN3XuVkDWrNwxdNIXrwwc04Bf
+sQAztqBaAkD1HqMmQZq4GrGGA1+cS4QFZCiyifUo+3T12DdCICSXMtvpgUGMgVDP
+u5c7MaSWNVYD4oSJv1kPQQexG1SrP8qymg1lwXf3smcgxmBF01zY+fhapr817kvl
+oE+SwVq1hwSFRaPgIG7+8WhTSYilwXoFBK3ZaM5NzOu7T7zp24C/73M43NR8p5AA
+rD9Qb5YmeyuQrs0UXhWBkaFDCmE5C/E+kMN3pmt6KQIDAQABMA0GCSqGSIb3DQEB
+CwUAA4ICAQBmmqqHl5DwnlcNabYjNQYuCcRE0s9FX5xy1pY/JkG6H85/pWTuxBDa
+CWTtYXpXg+LRv6o2Y6mRLFNNZsyo+Ypuis0hvu5j5NmjDHvhuUjLyw3HtMOvlEqu
+tcBpdTczLOAXe5ntzL76Tf5IdnvPItqjIjfzbJJfx9pV77SJbtusILIrJEFTHTcO
+cC5Yg8nJP1Zhy7J8rAZdSCrKxaDjcEet79QMJfE0wx7gM0yASCHMGb9v/eT2iugb
+ZNj0R5CuTQXbILCo3dvd3T0eqmnsjkbRLN/pVYCPEbtQGcA7k3wAMarlHGcIfH1i
+DqB3up/cH0W4N1XYpWYSxwDOPR6gURyZarGAlSqBk9b3rc80UTetiZX9D9F4r83z
+rwjD4oiIBSKchpPTn2sEv//4DeKLRa/Q1QvLdMHInf5iPmsA12r0VywNLXGw/c55
+M29z/m9QqCfeZ/SvFZhqvHS5lRMuzIbPE+kpNerBOjXI7YHE5+TkTOfjsDhNim8B
+o1UDCnpdNJzK5COJ+zJW0AtCVsIWqgCaUA3TeWk7V9o8FGx5OueiGJbVF4rXaUhW
+s94wDvnv/fgvGcJtzSrDorLN0lT4AMQvajoSzeaxkNSSykl2Un1J9HmJdiwYAx24
+Mf7cpkaGeVa/zoFDd78YQdheuV8w7kHzmZmYodQ9Va7ASsDMe8chLA==
+-----END CERTIFICATE-----

src/esaml_sp.erl

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEAu2/CHxR3xb3mjtDljs7e8QjKiAIbQfEQ7nrJk5UCz+qyMrM9
+41F6/9VS45dsuf2AifNzZdw1EpECzbpLHQZ7kMgw+gLDskvYlOss63DwmpUUszng
+17YZJV+Yb5Gz8pDNLwLxVL4zu1W47KfVLLi4QlZ/XY0kccmgwgWbC1F6w2piJaZb
+ahvv95JbVKe+oK/Eu/tB7Y58IdV/qAs36QpEAYwyZbMwIpcmQoWYRw0d6PUB3gH5
+6O3jMvl0/w2l7eBEUsqYo9JtUWYweeXHiozqk+grXz17BVsz8HAtSodJEG3YvGGP
+6TUsWYYqnAOdH/orrez5uvgqZ7a2d1VpQurXFO6VX+F2WaY0VPHm+y/Tk7J52gzj
+U+oeI3OljIiMq39nFO4AQqzpUU9Eznlm7r67QsvT2YP6WcA1CZYMBYSjBTd17lZA
+1qzcMXTSF68MHNOAX7EAM7agWgJA9R6jJkGauBqxhgNfnEuEBWQoson1KPt09dg3
+QiAklzLb6YFBjIFQz7uXOzGkljVWA+KEib9ZD0EHsRtUqz/KspoNZcF397JnIMZg
+RdNc2Pn4Wqa/Ne5L5aBPksFatYcEhUWj4CBu/vFoU0mIpcF6BQSt2WjOTczru0+8
+6duAv+9zONzUfKeQAKw/UG+WJnsrkK7NFF4VgZGhQwphOQvxPpDDd6ZreikCAwEA
+AQKCAgBxpTlWDtrwEkwQm6gUBmo2StZB0MUmHjvd3KULznV+Cxcwlm0XvveM1pMD
+W3SY8JNXET0OrY2gTDwe8K1KU/vntPm9HJ/7IvGWmWEK/9diYrHCWX1yTP7CIkwS
+mY05rYI61tXsQ8ap9zfAhaJDE1zlG/ztg/5s34uRGEUBf82nXoFTwqH6nCXLPfoS
+QgLa+reWIqm+l328Je7YvLSRn5/MMGz+LL8queqAuu+xZMqVzLftG9Wi3Vm8NnQx
+kNzide/3Is+ZxKRzjjomLqPl5br1IvfpLyXAAaRkTB+p6IzsYS3gSmcvRwY04ZxE
+LAzArrZ9Jgnky0MqzyWjBS5lXG47PzkGKXWOuLN+0PB9PbCFdQalv716U8BltZPM
+nKbbPAAPf9hn5zDaF9aH8yrULt9DxIXEz2THZ4uVL5GjX3U7IUQNLIBe6cavADdT
+hA42gmv5bhR11mCeBBRRrvkBG0bxz/O7VXkNnBCAiRE/+DZqH/ivY7o94JcJBtNj
+IQ+f42IV0KnAI58fwYklefYeNEQQl9pG8Ztun1WReEEKKIY00+iB4y3COYjxKAM7
+J3ALMYXo20EhHhYDtRbx1rAvmh5d3k6WCubU3ntvyqe7AnudZgcylVtX9fWoX+OU
+vsbUisCZkyQR0Z9V6qLCi9YK0qkHfvhye+aBjYG8jt7Oltf2YQKCAQEA9zpE4QnP
+arTGlbH1p6yCV12cssMXqELzkd86kF0nvPTnuINu40y61x3Dp6dvP7FpASQBxLeZ
+q89PBrsKlsM2JkR9el16FquXAjif4QYzNH13Fn7bbzxQQAO0wbg/kcoa5OCRxhGo
+ZWjL3bBvBMTFdVSOA2oD/DiHDfYi9uMZTVqXBTSoby68BfqpX8UVRDh/pd/BEZfF
+6EQYpZbQ6KSpWPPPRnz6tApK8M/3JPVafA1+MCLPaRNdKAbBmzuyZs8BPN9HCf3N
+Hnmm4ZBayux8I9Ah4dG0fMZ6XcSTzZgOMzLirMQHBLQA/xZ0Z44aO/fuUp0/jK9i
+igBIDw2T9QOIdwKCAQEAwhZeJHpnMkIfkmFbnZuUcDcgMNJLF8goyE3bUjQ0oILn
+lCrhSy3EpRdtTThqWpPOiBZLyEUg/7XlD2a2EIFe37hHrL6koEFzslBcKE9xoazq
+MCPTY9nUpGHpL/UN1Gh4XblhCHKT8xtMU8tW/jc6giPPtTJ1EFtT7ugVDx5hJQCf
++zGoEAh2WPGmqsV78F3Pl/5aPL9RGDUcd/pAQm3J+wvJ0nUeB32S0qbL287+iPdD
+Z3Ond3dRSkFJ8WqPe2Cl9CijxEdHT45SCZsc7xEVA1M1DSPD6/aIbrZlwMTWPwm/
+tPg9XzpVqXwoS9RMLkESjOSq9/EK5ehyC2d2L25aXwKCAQBNRrxi7xMTUoBEKEUV
+7Rksv8kMI2kQoiTKMtF2cHfMW2zWwtZ1W/WG6fnPPMnMSeL9hUi8OXtiNcGI5AwS
+ReB2I7BpADD6RxZDjnmC99InlRQVRv/GDD81UzM73iCYrGito/hMxhYx5IjcuZpq
+Dit+WjitnoSyYOTuG0KgkynEgQ11hhkj76K757brhYn5MgPMUF1j52HoEOj3UWXp
+YhbBBCyE5uniPtlf3lFtDvgCkKEh4K+eM3xJ15rKr+U6t3e2lD/7QobMANCF7v5C
+MZs4AoWktUzKN6vmBV0BxYaiwEQUJo3fDXjGQzmNaOCQYBXxYs+LZQLTCfV8Jw1Z
+Z4pPAoIBACJqXvUu8z+ZNAn704gF/3NKgx3FHGWyK3EhRSO1eCOCMtg2Jk7zZaw0
+lEAeIdW/4d6FvZhckbZmJaDugJg6qH0ZKzR5da2pDX/v+fd35tlZVQmGQMSy6p7f
+cb78QCCLCdTsu0UJNCzmiUlOhDV9y5UqDnm94b4tw5tYceuFYopyKuwa6Qc2yO2K
+pBgh/pEnwVjdVFjzP8kAGfU4Xc6psygd9gKom9OOM8vAoeNvN/lHhx9ABdEMSlDV
+dOwnDhw9jg/WaPuz+/Qic2+anq3RpJ07UuvqjKI5zAV9uFtPTAJPkzvezNsm9+ue
+xXJ0ybFl/okXPy3KAzmzVw2ooe9VLRcCggEAJ8z3IxZ6HKDcf5No8hkFr6SN2nqg
+hs0Hnfr6rkGeuJLFbpkfwMZmK+Qj4E8xkU+zfKNueE0UjzWI4i+xTyUfDK17G5w7
+Oyi9HXlfzPLNnuLQ7yQ+iCtxFIl3EMunEuhwHxgbj284mxSPrvuJNssWIuTXSXQu
+w4MFqwUv/PIHW/cWRCfQc6GTLmOAeUs+d87BAeYP7/m1owCs+sCCgzppNS4cN3n4
+jFRcM2VE6NIBu3AigRI7tAzeb+YOz++I125NfD4tQbrB0LWeYjFhrYHQ36axuiW3
+oI4Cbn7hbCARCNmjO5+EDi3t25A7O4mqTwbXXalrJqiKsVyR9Mi3JYbn8Q==
+-----END RSA PRIVATE KEY-----

test/esaml_sp.crt

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:Response Destination="http://localhost:4000/saml/login" ID="_74f0a3184047cf2037be010cf38454fc" IssueInstant="2020-02-25T01:09:03.329Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://samltest.id/saml/idp</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_74f0a3184047cf2037be010cf38454fc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>mURbTZO31uJb7DfS3NA6e1p1uvrCX8ciXW9bZ5Ps3Pk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>MQinOSz4Xe6IgZsN+7wfn5bSNnc/Gm0hX6HOm6pZG6C7ObmzH2qYdKHZe3D/OvDH7CcdOlCfPthQ/a5+m6em4HTJzhcIAqdFaPDQsfq3rp9eAVjm/Qcp95vkYgEK4TgbFZdZn0aLzX+htG0cUk0G++Ol5HpkGOFPB6HKVAagSS82nZ/4uDxToFgjOXxIpViFLFLTa9PlTvolMTtzlyTTh69tm1o7IzQqK/Bj8gz/wiRLo7Psn3NixJOenqJek/zwok2aDf2aMNb3NUyidIpYrwdV33sbHW7Wc5HKnCSEQSQrc5sacUFlIpxWeyHCm4ttSDkkq2053qvaMaWHSwLDDQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEBCwUAMBYxFDAS
+BgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4MDgyNDIxMTQwOVowFjEUMBIG
+A1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFK
+s71ufbQwoQoW7qkNAJRIANGA4iM0ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyj
+xj0uJ4lArgkr4AOEjj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVN
+c1klbN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF/cL5fOpd
+Va54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8nspXiH/MZW8o2cqWRkrw3
+MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0GA1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE
+4k2ZNTA0BgNVHREELTArggtzYW1sdGVzdC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lk
+cDANBgkqhkiG9w0BAQsFAAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3
+YaMb2RSn7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHTTNiL
+ArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nblD1JJKSQ3AdhxK/we
+P3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcUZOpx4swtgGdeoSpeRyrtMvRwdcci
+NBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu3kXPjhSfj1AJGR1l9JGvJrHki1iHTA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Id="_b4e8deed9347c9ceda8d6fe0286315ae" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_5c3e7464681ddd8280ab5a09aac34924" Recipient="urn:f5156378-6d88-44b0-a38a-31219f1af162" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEpDCCAowCCQCSdHd01QFuCDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
+HhcNMjAwMjI1MDA0OTIxWhcNMzAwMjIyMDA0OTIxWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC7b8IfFHfFveaO0OWOzt7xCMqIAhtB8RDuesmT
+lQLP6rIysz3jUXr/1VLjl2y5/YCJ83Nl3DUSkQLNuksdBnuQyDD6AsOyS9iU6yzrcPCalRSzOeDX
+thklX5hvkbPykM0vAvFUvjO7Vbjsp9UsuLhCVn9djSRxyaDCBZsLUXrDamIlpltqG+/3kltUp76g
+r8S7+0Htjnwh1X+oCzfpCkQBjDJlszAilyZChZhHDR3o9QHeAfno7eMy+XT/DaXt4ERSypij0m1R
+ZjB55ceKjOqT6CtfPXsFWzPwcC1Kh0kQbdi8YY/pNSxZhiqcA50f+iut7Pm6+CpntrZ3VWlC6tcU
+7pVf4XZZpjRU8eb7L9OTsnnaDONT6h4jc6WMiIyrf2cU7gBCrOlRT0TOeWbuvrtCy9PZg/pZwDUJ
+lgwFhKMFN3XuVkDWrNwxdNIXrwwc04BfsQAztqBaAkD1HqMmQZq4GrGGA1+cS4QFZCiyifUo+3T1
+2DdCICSXMtvpgUGMgVDPu5c7MaSWNVYD4oSJv1kPQQexG1SrP8qymg1lwXf3smcgxmBF01zY+fha
+pr817kvloE+SwVq1hwSFRaPgIG7+8WhTSYilwXoFBK3ZaM5NzOu7T7zp24C/73M43NR8p5AArD9Q
+b5YmeyuQrs0UXhWBkaFDCmE5C/E+kMN3pmt6KQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQBmmqqH
+l5DwnlcNabYjNQYuCcRE0s9FX5xy1pY/JkG6H85/pWTuxBDaCWTtYXpXg+LRv6o2Y6mRLFNNZsyo
++Ypuis0hvu5j5NmjDHvhuUjLyw3HtMOvlEqutcBpdTczLOAXe5ntzL76Tf5IdnvPItqjIjfzbJJf
+x9pV77SJbtusILIrJEFTHTcOcC5Yg8nJP1Zhy7J8rAZdSCrKxaDjcEet79QMJfE0wx7gM0yASCHM
+Gb9v/eT2iugbZNj0R5CuTQXbILCo3dvd3T0eqmnsjkbRLN/pVYCPEbtQGcA7k3wAMarlHGcIfH1i
+DqB3up/cH0W4N1XYpWYSxwDOPR6gURyZarGAlSqBk9b3rc80UTetiZX9D9F4r83zrwjD4oiIBSKc
+hpPTn2sEv//4DeKLRa/Q1QvLdMHInf5iPmsA12r0VywNLXGw/c55M29z/m9QqCfeZ/SvFZhqvHS5
+lRMuzIbPE+kpNerBOjXI7YHE5+TkTOfjsDhNim8Bo1UDCnpdNJzK5COJ+zJW0AtCVsIWqgCaUA3T
+eWk7V9o8FGx5OueiGJbVF4rXaUhWs94wDvnv/fgvGcJtzSrDorLN0lT4AMQvajoSzeaxkNSSykl2
+Un1J9HmJdiwYAx24Mf7cpkaGeVa/zoFDd78YQdheuV8w7kHzmZmYodQ9Va7ASsDMe8chLA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>t2+VYQubBDCmjv48EVdnChQT2dfNLHY+yPeBa82gVTd2eVo27N+/JjB8dV0skOMJVnfevx+sJ591CvtQYBx3TuUGnwDoEDh0aP/9uBL0Zm76yvKLL+LCwMUmqZkmHYXBRXqFVIRpwoAjbK2K+EjuJPzTuKaf7KNO3ED9tuLEOI/dMqR2MoMjYjcK7IUnJlIMLj2zWMrS7ENCpkfRuamKde/LPhnpO5rE9msXUoyPj0+zORnCjAw7yJI26C8uMZ41fYVq1zCN+Qd/4Q6UV8vmEUjlggiRPe3WcmHSrhkoLzNGEO55eZ5sFeh9wurcWhXVuaSgV8eVNv5stu2y3k0fQ+CemuZIGpdDUDkYA3mXV4iRAdTiMhpPLYvPMLBmDZ44JOyDH49ZKOyL9UFMpcO2vPHxYgCRnp1J7w6wxcvrkGtXGmPMQi/X1Zaaf+ed/qeFe0kzTQACyAyJTeaFC/jQ4kmxlTyfY/YzNb3sYEsulbRAiIFgEvICAqU3wzc9xKBPDnJ9iv5X/i4lsCLocBGBU1tmwr2JRGUCP4720LRcU+0nyC1FRIFpcNgc0/Nc4eP8NLepNEeLPik2/ralQdozswQCc2FjkHiAwRtrjmkA5VBeebYIZDafgSXTl9rwXVLiiFSLEJCO4PNxj/EO27mw/3WMyjHscn7p4zKTrvfdd7A=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>ZCru0qp3lXKOIx015VWRaIn9fogaRYOzZOLZ1Clwkyjfk1Q/Gly6FBKDB1blLtI+iQkq7RYBBUY+50ASgKxMjDneHv/CmWURID3UIPlu7SNVPEEmj802BIwgb69TekaXFyVTqXtY/ZPbrYhepartV7erRK2fR5KZO5PvOcqP2csYJiOGWT0Y02o76PH2ga9AsctnVsDTlMy7vptvyKZU4DZ/89fNwure3BYcobMNWF7Mwd8iCwRODkubGKO6UA31wlswuNJ2NCjHIthwAj6j3QStkpCPpuQVE+XbSXcZl4RVuYIpQjyxeww5LLPqV4UUZiwKxT5RppleeodiZcZRrC5DlCDrmSYdquFAE0y4M/StpZDSWrD1QTxG4wJICkYtYa9Z6gd5qRVjdS6g5p9ChueDshC54klDryRbRq5dSaem/iv4vK8zixFKoQENdGK9c8Aw3I0uxQxAuswNlsXN9ht8R8ZyygaaUlfe1xIIpqJb7KgS75IFt7GgpG737uDZwT7MelY2cWu80JtWYb54dvjBwsjlWPFxt9s+5FuXLaMzwC5telotq5q5J16daRLKlwKFZGhHomKEyFu3KJ5wqGhiArPkpkNqm1EPwg1EJdh5Ya9KT1/fKHUEmMrR+Iv9FcUEPOT4TnjmzBR7JAnirqlYEyjRiX5eeoP/DrfIsPudjOdOc+4WYQDNLluBEwZt/ul70IXy4E0WjW/MDwF/lkkSVIoo/UwgjofkyOVvB6vv+qmgv/xTy+G0+Era/g6T3Wb4k8CFaPc9Jy6Q9/xPdaso4m0W2/9X1Tqa/VIDK4Z+m1kz/pbltA+kKM8/8FrNLNhE7VMWMTixZDs3MY1FODPbjoAuT9hdr/DoahC6bXxOz4xOXbL18Coihjtpy2uFDTZdW/3rtkKMnrRIcoxvH22zsBX5rp8w0N8/bEKxRdvWA5MKdU30SrDat3P/uABc2mQO45fw6HIrWvM8VGSLLfdfWCYly/6WzcFUyq9k8E7fBKcLQyxrlhTjwt7hLZMs7fOxabfRymcX3AV+ZhMcYB6uMdR6jEaayPTYMgA64QohVjvHEEr3tKBw0BaMSMUeanSigGrWl9KVP1fbrmQpJ5BHUFi49FMGJsJsEwyHBNyeRlVjERcYXi5xEL4v2snkOXIpkS4I/ZjD8iVwlvM7VXhQM2YFR7Gt3p2TEYGGp5AxwYYjrTeIjsgKCAdJH31IsktDYC1KiVVMNe0krDfJ/3EvomQob0PRqwS13WCbBl0VeUxyJVxeHmOk7qV0+/Gw+HzMzEn8Ogmnn2z1VmTd3EmF4EAZGM5rtYacjACw9fv89UYqJ6kVO+orXDa+1wLh36psclvwUInpP9pRVVM/g+UecQ+dbYCugxpY3zfL3e/lVM0U3P9YdLZ93OWhxAEnByWE8tVwwl5QgD6A6KuzTM8IXHOgC7L5NSrS1lmRFaFp28FjX5C9kdVzNW8UOFCcuy56v7kHIGRU0x2+NYqmDhh6+4Fey+dcBcQ+TAv8uMQpBpmRE8XinPzNNIG5XMOLJ0lOT0jBrIS07+e75vF/DHfdYDrdY6JdQUn61IDdu2Dv4ernwEqR4KXyc5IAbOJT9GdaVoo3Ihz4ZDp822aa6Uss2aKLpAo4hvJXqNGT/9lCbfeDrzG8Ial7s0Hn1jsBZQrvnuUDskRvaTBzn6o3SuYLujeI7fxSXncG41G3ZX5iPFNhh1rt6LT9tLo5+4okBolStkWoJF/4VDvtvgCoJ1iwmzS/0R/9VfalsH50slioqYXTtH3YlzTiDQD9Z9lM0BkKAFDiYsKiMJb/hQoOYMsqZQheasSrsjVrnGhU5IDC8Xkhh7PFyfNpK6Zz1Mu7qWxLkoGTMEyXIdJ+MddroSwroDjsbebcBEzGAGCMJHk8Rfi4lbPsKsmdRm9F6xcEs8Xbkh5ZVjWaVyyrLHgR6Idu6NYTHdMOiE/DY4IwNrf4a+li8HQp3vv8+eZ4GhfcgMkXFmRa6jN2OrE+aOSpMLGbV1yuKWx7QQlsh+cjQmRczw8QAeY6ktEYAsJQcmDx5hU2a6t87qJ/TjQFN7aBO1+NQMdkkTSEmIsu2SgSQTLmSHjd93lgb8NYRwbsW/DaaG034cuEkMkhuvGGBdHZQLXcKS6Zq+m0b+JO+YuZwksx6Ws9yVaaI3KWNB6waSz+62vmPFgAipnqUY1cBlB5lSacBgcHCnPLKFYMe0roAMFEFFvlLwO98NoWSYS9zVUl+rrgKmkkf69XqHYILd/IqrWxpqRtmnEtQRFMqLHt7YXPxVTgYkpeOPQwOh2hWVYIBV9uTqaK3+2/JY9mjrtNAa7eu1vjl2CcZMHo0oqZNGlzGeGd1nZG/kogkl1vAKYDnvQ7lbTaVV2ffYMJ1PB4RArXm7wz6OS3Oez3+Vw3+kx+Kor99QjMzH9SIo8Ojm/yOe/mHpi52XUtc90j39IK6tZ7IRxOP7xh0lvmxzIcn1gZ/ZTui8dCfz3mmPvI6zpfHFaZm8IZdOuqOXyhS8KABXEHv4mh9uLCk643uFTOsSZyKskoUnX2A3cnY4cMSasSc4nxzQ3B50fitaDRu/O7P7uWHwm2ALSc2vEaDOQiCDKTuUIksk5ABxCNoucMD5EGAROurTiyeVDH4weRcuKXjfDceoQnwdLuNOj8x0twz1fy33OE637jy7VVuziYcrvq/A7s8z08kEV87JfcO67KG9IKbfPARuDt3PbC6AbaqV68E2pB6kpZljll4L8Z44H9QZudsirZ3eI5GW87IJ/Mvnjj5lTtFtRTSx/0aqvVM+8VqLfMI6Q7qM/kgtxwhg0fhJBgREeLQ85Hl7VhUnRv24kHd1Gm0NzBmSQ2o84qWqWgvEmxBWtFtR93BQAk9sMnC/e0XYE53ISO3xMOdQ/nrmD+kj8QfU384tgXbEVyH0NNRW4ZcI2JUiTucjbI60C28NpyemAQt/WZW0Km1uPXg40RSMtZ1tPGn7xzXQ0OHRUzW8A+DxfAvRVlS1k7ftJim1oMtJYBJhkme38C5vdRxce/gUBDpUSbnwgylXgDauvSG/yuOVduxK9PH2uFMccDBgflKzKQlaRscjdn7zIabenRJ8F/8eJ75sJ716jDrXVhTNHfEmcmm9nwmZs2DQRHwksjBoW29XPNEaY9tUkQOzG1VskEkUPcgcoByacxctkBh+UTMgF0gbUJLxt4jMO31QiCM8xT+7P7nNaBv961Kg5YIB5kCBcMoS1QJ6J0KPtiTQIMyVF2+kAZMCPMyldIsdb6yaJC+yajEhUTFdmBKdjivQWTnhqFCFfxYA+vzNr9GUC3KEmpBtUmC4XpEB7jB/Bn4ITg+JX914ZB0qLeqchnM1Vmqr+Ct7vcYe6e7tc44tilYytMWLOI9Aq2sE9qqraJZTwI4dbj5V8cBxm+gwL/6eYLh+sBdA7JXMOA4KbycphQSDISM3G1Xm/MlijQx+bLyT+h10nr64fGK3X7/Em9O+njQ1BrYTakcRua7W+Q+z56PAzlZVIzPc5iXCNEfGmqbKQUprP14wgnV9g7SNiL6a5RqRpJOuMF18Ron7XFBd2mwN56pKXEuYrorpkDYLj0eUAMqR+om+XchIyrFtGA5tjuqZZYUdpAkAf6jgr76NmsWn6RUG3+gxA74TTrfIxe17/i33i/3jg0P8dAQlk6BQGmONaofPbqSj31rsPEHGK93ySYAzM7F3LVppUsXytevyutyPSu91SYxBvwIo6CQ6gMQ0MMLRlVhEzLtu1bKFqw+KAvbhGy00vgBGM3ymwJpGE1vaCHSGu9/MGnDe5iOqFBrREFIhQ0RAaz1AwBhQpmun2esPYuPF99I2DjjiZCfxtGfwwSZwerr41SJDA8o48tTadt0jTvbNZnQvYPqvu6+RucaTisCOi6sVemmuyiLt4TwFZD79iOod0+0f0UJSiOvFqV4mM5oYJ8xiSTo5HXGa0rA6Lw+/B/mz1pcfPjVf5hJApj8lU33oVhFHBEVoGz4SB9qhlt52RQzc98Zj7Ni9j7O/+NC1DZDwVqtOyH7ZSrcaIz/XaE4WgYOAeLyjyAl9SnUFCI5AMB9vB+/GR+YBVSLgbjYMw/KIYSsSbg32mObZZkz9NMZXWw4dkPh4gYBhXopmAegWJtE1TQ8veeg6vXhkGlKTAK0XqPqLWul6Tmkk6saz49vWtiDTMp726JGLgH8Mz7c9aRehPhQZNztcEx6gLheci3NKlnemnm2hJ3wSvX4fxP6HVtSXAqsz/xET0lqA3m1I4E5e04XYYNwy+eReJ5SoANTEjIbLgmV643b9Z4cks2TE2hEVFVnpfQ2gQ0s6q252DPCkl64tXq+N04+gBW/y5wBS0MeseaH8k/J7Ch0KwZq5vgkiN/s1XW5s5o+GGSea8JzBLofrkgnTO0WUQGstDsEeSRVlQB5i/94f64XLDFy28a9v4HfEhevqffanGD+0XlGZYJLXcVE0nWNoDvM+P5rzLoj94NySFfD2F1UXrOQYZCfrUlh2tlurgo5FzsiAaUZOs5noJ2+oCWDltKjSB/+UJH85KecuHAbp/Qlouo4RccYaRbBFTB4D9+RlcKaZhFEIPFfqLn3xgKKE9hzsLbnSWyEC9GzBLsusJDF49LvuqgHmSQ6ElSprCPj5eO2+vS458ktrf1rbRJ0yt0fmNyOi3Y0eElsJiSrOCfZozebsASOGul1e1rQgmg2WnuNaJbuiV2pecjP/n2vgdeS3gnMo8J</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response>