Properly normalize documents

Author: tvdijen

src/XML/EncryptedElementTrait.php

@@ -35,14 +35,14 @@ trait EncryptedElementTrait
      */
     final public function __construct(
         protected EncryptedData $encryptedData,
-        array $encryptedKey = [],
+        protected array $decryptionKeys = [],
     ) {
-        Assert::allIsInstanceOf($encryptedKey, EncryptedKey::class, ProtocolViolationException::class);
-        $this->encryptedKey = $encryptedKey;
+        Assert::allIsInstanceOf($decryptionKeys, EncryptedKey::class, ProtocolViolationException::class);
 
         /**
          * 6.2: The <EncryptedData> element's Type attribute SHOULD be used and, if it is
          * present, MUST have the value http://www.w3.org/2001/04/xmlenc#Element.
+         *
          */
         Assert::nullOrSame($encryptedData->getType()->getValue(), C::XMLENC_ELEMENT);
 
@@ -75,9 +75,9 @@ public function getEncryptionBackend(): ?EncryptionBackend
     }
 
 
-    public function getEncryptedKeys(): array
+    public function getDecryptionKeys(): array
     {
-        return $this->encryptedKey;
+        return $this->decryptionKeys;
     }
 
 
@@ -118,10 +118,13 @@ public static function fromXML(DOMElement $xml): static
     public function toXML(?DOMElement $parent = null): DOMElement
     {
         $e = $this->instantiateParentElement($parent);
+
         $this->encryptedData->toXML($e);
-        foreach ($this->getEncryptedKeys() as $key) {
+
+        foreach ($this->getDecryptionKeys() as $key) {
             $key->toXML($e);
         }
+
         return $e;
     }
 }

tests/SAML2/XML/saml/SubjectTest.php

@@ -330,13 +330,14 @@ public function testManyNameIDThrowsException(): void
      */
     public function testMultipleIdentifiers(): void
     {
+        $dsNamespace = KeyInfo::NS;
         $samlNamespace = Subject::NS;
         $xsiNamespace = C_XSI::NS_XSI;
 
         $document = DOMDocumentFactory::fromString(
             <<<XML
-<saml:Subject xmlns:saml="{$samlNamespace}">
-  <saml:BaseID xmlns:ssp="urn:x-simplesamlphp:namespace" xmlns:xsi="{$xsiNamespace}" xsi:type="ssp:CustomBaseIDType">
+<saml:Subject xmlns:ds="{$dsNamespace}" xmlns:saml="{$samlNamespace}" xmlns:ssp="urn:x-simplesamlphp:namespace" xmlns:test="urn:test:something" xmlns:xsi="{$xsiNamespace}">
+  <saml:BaseID xsi:type="ssp:CustomBaseIDType">
     <saml:Audience>urn:some:audience</saml:Audience>
   </saml:BaseID>
   <saml:NameID

tests/resources/xml/saml_EncryptedID.xml

@@ -1,7 +1,7 @@
-<saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
-  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+<saml:EncryptedID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009xmlenc11#aes256-gcm"/>
-    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:KeyInfo>
       <xenc:EncryptedKey>
         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
         <xenc:CipherData>
@@ -13,10 +13,14 @@
       <xenc:CipherValue>720FAxwOXcv8ast9YvQutUoue+YA2FgLLNaD/FZrWiNexTkPyZ8CWrcf2zZj2zrOwTjQ9KJvzvCuzq4fM51sU1boOakLpz05NonDdMgeWW/eWcOJJfOZs0tYvYc5qZ/R+BzRnJsGG6w2ZmipEi88X/8uA85c</xenc:CipherValue>
     </xenc:CipherData>
   </xenc:EncryptedData>
-  <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="Encrypted_KEY_ID" Recipient="https://simplesamlphp.org/sp/metadata">
+  <xenc:EncryptedKey Id="Encrypted_KEY_ID" Recipient="https://simplesamlphp.org/sp/metadata">
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
     <xenc:CipherData>
       <xenc:CipherValue>he5ZBjtfp/1/Y3PgE/CWspDPADig9vuZ7yZyYXDQ1wA/HBTPCldtL/p6UT5RCAFYUwN6kp3jnHkhK1yMjrI1SMw0n5NEc2wO9N5inQIeQOZ8XD9yD9M5fHvWz2ByNMGlB35RWMnBRHzDi1PRV7Irwcs9WoiODh3i6j2vYXP7cAo=</xenc:CipherValue>
     </xenc:CipherData>
+    <xenc:ReferenceList>
+      <xenc:DataReference URI="#Encrypted_DATA_ID"/>
+    </xenc:ReferenceList>
+    <xenc:CarriedKeyName>Name of the key</xenc:CarriedKeyName>
   </xenc:EncryptedKey>
 </saml:EncryptedID>

tests/resources/xml/saml_Evidence.xml

@@ -1,4 +1,4 @@
-<saml:Evidence xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+<saml:Evidence xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <saml:AssertionIDRef>_Test</saml:AssertionIDRef>
   <saml:AssertionURIRef>urn:x-simplesamlphp:reference</saml:AssertionURIRef>
   <saml:Assertion Version="2.0" ID="_93af655219464fb403b34436cfb0c5cb1d9a5502" IssueInstant="1970-01-01T01:33:31Z">
@@ -23,20 +23,20 @@
     </saml:AuthnStatement>
     <saml:AttributeStatement>
       <saml:Attribute Name="urn:test:ServiceID">
-        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:integer">1</saml:AttributeValue>
+        <saml:AttributeValue xsi:type="xs:integer">1</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:test:EntityConcernedID">
-        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:integer">1</saml:AttributeValue>
+        <saml:AttributeValue xsi:type="xs:integer">1</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="urn:test:EntityConcernedSubID">
-        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:integer">1</saml:AttributeValue>
+        <saml:AttributeValue xsi:type="xs:integer">1</saml:AttributeValue>
       </saml:Attribute>
     </saml:AttributeStatement>
   </saml:Assertion>
   <saml:EncryptedAssertion>
-    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009xmlenc11#aes256-gcm"/>
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:KeyInfo>
         <xenc:EncryptedKey>
           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
           <xenc:CipherData>
@@ -48,7 +48,7 @@
         <xenc:CipherValue>mlo++g0c4lTsVbL7ArhQh5/xu6t9EuNoRZXF8dqYIq0hARzKiZC5OhTZtHpQlwVd5f4N/lDsur2hhFAu5dxGVdWF+xN4wGMVoQDcyqipwH00w4lO5GNPD16mb1I5l3v3LJf9jKm+090Mv54BPsSOhSYvPBGbv2Uj6LzRE6z0l9zTWtyj2Z7lShrOYR6ZgG254HoltAA6veBXROEdPBBax0ezvoKmOBUcN1RX15Bfj0fVOX1FzS27SX+GCWYgCr0xPnhNBxaMhvU/2ayW6S8A5HWHWb1K2h/VVx6eumXaKzUFoEO5MxfC3Kxni3R3jyaGXmAZ4LhzcpWxJvz9LCpq5+9ovjnRNhheMrtQr/eZ6kWQ12pzKlHCfuFESB0IK2V2NbBDSe6C4n6TAS9mia9tT7CaKsRhVKlNMfkMKC+B6AOkTvlt6Rma5iz/QKL0A7t4LufQ/17YSb3eNOesmV/l3T8bEFqTRHiO8CwiT28ctfDjd0OKB4q1gh0PSidZL/yuaFTG/WXDpnpIV9qZELUgLVjFzW5+Rb/Alv2U7tE68c8oXv7xqmBUhkFQhYBy84cwHrCeKqn2iiJkh19aXYdgAZxys9Dp2+B2wX86coLU2CDJlyyCEohkXn5w8TkU0zNDZnh8J1oz5iawSx1d0aPy+uLNYVUMmx2hcrb3PlWdUApnyts38DcNwTkTy2/uxZmBU/4VGi3JzdnQ7KbW7EUXe3veExb63mRlU+cWl8LMRgP1FExg3CKT6HhW3roTu9GI51ofHpjPCPi41xQvoRrUo2VytBV/IZi4ArD4Y9d2tIcK2O0ZblUNjpRsNhPsVuCDLH23Fx42/5eGVkeTLPOt+Mr6IfY2d1NJGzqz9vJ4/h3L5PelDBQiD/o+5ZvgS5I5HL0bVbGXkT+v6k2GhHQDKNE3qJviXLRPjWv+Eaq+wJhukmcivA1z75/IydZhSPBZfhgORe6n5coiCf2mqiaZpI1YEZRR2g77NXf7I8qAuR7umkEpLC1ciLUpwZjaLNb7ojmC7cogXv8FmcWOk1xWdr7+kY3FXaWWwhUgxO4CSUYGdcOvydybcvAFTnf09+lR0RKVTGgnuukgYROyl8ulY2hoAFm+/jy9qcGqE/7JBlm6qx0B815TZY0aC3ulgwYDvUhdk9Sxq7Dp44h7BMBQezY2o4PBsY6nJNbCAkSULQ1rMY1nZViAAtZntTeHsnlFYm3pJo7MEhrGLYE/nSVcEHuP0z4WpwSb4CW2eOFBmrHcJfqBmDTnFtRwBQZfhQvcSyLy9Vyy//Hj7oDpC6GKmC3m9QTH+9T95sVxhHYkHN10YfHHQhn2pouNzo95QKVVtF98UGMEqrpIbtgGd+CE4icDjq8Qm8iQzJD/DB1YIjpwS0ftoD5+n/YlFYCbbOedN7uxsh9a3Q4NhbkYhNwYQN+/nkr90j6X9PS6uon04TS5GfxpX9gGczxMfeUKHh93in+UksVdzWqgrGxtdXGg7eataR2AcWoTIzsOTWC1sUIi/cOD1N2WR7dMBajNI1vZEsc2+DF3JgfYMigT0sa804LwZNeuopjcgP6qUxL+N+uFO+mobnMZAWK2zBmVwG60psV5zkOShGxq+l+AuobD0pKl0PH4qwhOIUbTc72F2snuKEAJvnpaW2kWymATnbuYsUrpUwoWUmAT4l9o6mD4XGAaYG6YUjD0JJDSJrHKgWy7j5Dqb6ocEMubzOAzpFT6H+BPd09ZraBDLELjX+yYow/adGsGw3sOwDZYfHwM+2f78j8xqCbWgaCME02umAfbkXGbIZ1l7cQv3w0QIDPKreePjI6vMHKJtSsOz9yMwb7RqMf53+m4e+HTlBZEV1m5Dd99qp3ESUYvUEg8rHmx+GeY1KyjZz14AXyxxvepQ4TZFPbROcNvL6EUm4gV7MV+MdkyRznA3nMro5vuGteuEAmqyFGuK/mmTGboA5FDBGnvRGzMt87eJtwWyeaPca7YZttaZJRv2Gbko9T7YNU9bdcJ41m9XC3BApUNQ3nQwWoallQrGX3r862to2Cl7z3MegrSt3GBDCI7RgmBPuEaVAFQQz0Rgr50zBtG834r7/RJ4gQtD0VksO1NoJoM/aifqWjKgRpawOnn2UkztqXEAkTwry04nNkMdLHCegDtl8cqdEAI5kzXMUf7fNxO19eOa+Yc4LYlNIPLOUIw3bGdCjZhhRuP9WR6UpQc69u6zK38e5Sxe+ff+XAdDB9OoH7We+9lRVvrmu4LbtbshctbX5Xz+sIq2xNmQy01xF3UHLUy3hQU1pglo9l5fLD5Nd/1xOs2hu9gaGJFI0efzJvNSHaPuXAvESvT5YBhONh6PfbjHEYuIYXL0ZVtF3cTpW29VXeyA8Uvx9PAxjSbyR/BlF1lTaCotAYCzI2keg6RTK3NCmo3co4t43hNemXPffCwykv4ShU8jdennk167W/6JTmTX7ppmseXimMP9DHnXZEomakUIZComiXxqlnTvw/Xdh9GGWA+6qgS5k68a3hdr2cD1gAKX1T53QCrXbNzpcZ9ab4CaCTv8iFtZaGXOBJjwOXAWZEf3k0I9XQZ3FCeg1Gqs8NgULwfWQTv78208kbsiLOGeu9mGEXgXNyK0yO/U4AWJb+HEfPpfeN3tpHFigzmALzt8RztCKcRv+gKm3RyVEW5</xenc:CipherValue>
       </xenc:CipherData>
     </xenc:EncryptedData>
-    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
+    <xenc:EncryptedKey>
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
       <xenc:CipherData>
         <xenc:CipherValue>sNLWjwyj/R0oPwSgNnqowahiOwM0YU3YaH3jsH0t2YUDcHkcgouvW5x6YbNdgvGq0ImsNrkjI//0hrL4HvrOX33+DkhCo2FX5+a7UCdftfBfSjvt0houF8z3Zq/XOm6HxBUbWt5MULYpMKMZ9iAY6+raydxk2tFWgnAyHaBfzvU=</xenc:CipherValue>

tests/resources/xml/saml_Subject.xml

@@ -1,9 +1,9 @@
-<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:test="urn:test:something" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <saml:NameID SPNameQualifier="https://sp.example.org/authentication/sp/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">SomeNameIDValue</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
     <saml:NameID SPNameQualifier="https://sp.example.org/authentication/sp/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">SomeOtherNameIDValue</saml:NameID>
-    <saml:SubjectConfirmationData xmlns:test="urn:test:something" NotBefore="2001-04-19T04:25:21Z" NotOnOrAfter="2009-02-13T23:31:30Z" Recipient="https://simplesamlphp.org/sp/metadata" InResponseTo="SomeRequestID" Address="127.0.0.1" test:attr1="testval1" test:attr2="testval2">
-      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <saml:SubjectConfirmationData NotBefore="2001-04-19T04:25:21Z" NotOnOrAfter="2009-02-13T23:31:30Z" Recipient="https://simplesamlphp.org/sp/metadata" InResponseTo="SomeRequestID" Address="127.0.0.1" test:attr1="testval1" test:attr2="testval2">
+      <ds:KeyInfo>
         <ds:KeyName>SomeKey</ds:KeyName>
       </ds:KeyInfo>
       <some>Arbitrary Element</some>

tests/resources/xml/saml_SubjectConfirmation.xml

@@ -1,7 +1,7 @@
-<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+<saml:SubjectConfirmation xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:test="urn:test:something" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:NameID SPNameQualifier="https://sp.example.org/authentication/sp/metadata" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">SomeNameIDValue</saml:NameID>
   <saml:SubjectConfirmationData NotBefore="2001-04-19T04:25:21Z" NotOnOrAfter="2009-02-13T23:31:30Z" Recipient="https://simplesamlphp.org/sp/metadata" InResponseTo="SomeRequestID" Address="127.0.0.1" test:attr1="testval1" test:attr2="testval2" xmlns:test="urn:test:something">
-    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:KeyInfo>
       <ds:KeyName>SomeKey</ds:KeyName>
     </ds:KeyInfo>
     <some>Arbitrary Element</some>

tests/resources/xml/saml_SubjectConfirmationData.xml

@@ -1,5 +1,5 @@
-<saml:SubjectConfirmationData xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2001-04-19T04:25:21Z" NotOnOrAfter="2009-02-13T23:31:30Z" Recipient="https://simplesamlphp.org/sp/metadata" InResponseTo="SomeRequestID" Address="127.0.0.1" test:attr1="testval1" test:attr2="testval2" xmlns:test="urn:test:something">
-  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<saml:SubjectConfirmationData xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:test="urn:test:something" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" NotBefore="2001-04-19T04:25:21Z" NotOnOrAfter="2009-02-13T23:31:30Z" Recipient="https://simplesamlphp.org/sp/metadata" InResponseTo="SomeRequestID" Address="127.0.0.1" test:attr1="testval1" test:attr2="testval2">
+  <ds:KeyInfo>
     <ds:KeyName>SomeKey</ds:KeyName>
   </ds:KeyInfo>
   <some>Arbitrary Element</some>

tests/resources/xml/samlp_ArtifactResolve.xml

@@ -1,4 +1,4 @@
-<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="_6c3a4f8b9c2d" IssueInstant="2004-01-21T19:00:49Z">
-  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://ServiceProvider.com/SAML</saml:Issuer>
+<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_6c3a4f8b9c2d" IssueInstant="2004-01-21T19:00:49Z">
+  <saml:Issuer>https://ServiceProvider.com/SAML</saml:Issuer>
   <samlp:Artifact>AAQAADWNEw5VT47wcO4zX/iEzMmFQvGknDfws2ZtqSGdkNSbsW1cmVR0bzU=</samlp:Artifact>
 </samlp:ArtifactResolve>

tests/resources/xml/samlp_ArtifactResponse.xml

@@ -1,10 +1,10 @@
-<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="_d84a49e5958803dedcff4c984c2b0d95" IssueInstant="2004-12-05T09:21:59Z" InResponseTo="_cce4ee769ed970b501d680f697989d14">
-  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/SAML2</saml:Issuer>
+<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_d84a49e5958803dedcff4c984c2b0d95" IssueInstant="2004-12-05T09:21:59Z" InResponseTo="_cce4ee769ed970b501d680f697989d14">
+  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
   <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <samlp:AuthnRequest Version="2.0" ID="_306f8ec5b618f361c70b6ffb1480eade" IssueInstant="2004-12-05T09:21:59Z" Destination="https://idp.example.org/SAML2/SSO/Artifact" AssertionConsumerServiceURL="https://sp.example.com/SAML2/SSO/Artifact" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
-    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:example:other</saml:Issuer>
+    <saml:Issuer>urn:example:other</saml:Issuer>
     <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
   </samlp:AuthnRequest>
 </samlp:ArtifactResponse>

tests/resources/xml/samlp_AssertionIDRequest.xml

@@ -1,5 +1,5 @@
-<samlp:AssertionIDRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="_2b0226190ca1c22de6f66e85f5c95158" IssueInstant="2014-09-22T13:42:00Z" Destination="https://tiqr.stepup.org/idp/profile/saml2/Redirect/SSO">
-  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://gateway.stepup.org/saml20/sp/metadata</saml:Issuer>
-  <saml:AssertionIDRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">_abc123</saml:AssertionIDRef>
-  <saml:AssertionIDRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">_def456</saml:AssertionIDRef>
+<samlp:AssertionIDRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_2b0226190ca1c22de6f66e85f5c95158" IssueInstant="2014-09-22T13:42:00Z" Destination="https://tiqr.stepup.org/idp/profile/saml2/Redirect/SSO">
+  <saml:Issuer>https://gateway.stepup.org/saml20/sp/metadata</saml:Issuer>
+  <saml:AssertionIDRef>_abc123</saml:AssertionIDRef>
+  <saml:AssertionIDRef>_def456</saml:AssertionIDRef>
 </samlp:AssertionIDRequest>