Takto vypadá XML podoba odpovědi NIA IdP
Odpověď by měla být podepsána známým certifikátem IdP z metadat nebo z jiného ověřeného zdroje
Odpověď taktéž obsahuje šifrovanou identitu uživatele v elementu saml:EncryptedAssertion
Hlavička samlp:Response také obsahuje informace, které můžete použít k validaci odpovědi nebo k implementaci přihlášení uživatele
<?xml version="1.0"?>
<!-- The comments in this listing are explanatory only; they are not part of the message
     NIA sends. Inserting anything into the signed element would change its digest and
     invalidate the enveloped signature. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d76fbc928ea44d10a52221c52c525d5a" Version="2.0" IssueInstant="2019-11-18T12:25:02Z" Destination="https://nia.otevrenamesta.cz/ExternalLogin" InResponseTo="_9654756a-c7b0-4d1c-a857-0f1f766b79bf">
<!-- ID is the target of the signature Reference URI below, so the signature covers the
     whole Response including the EncryptedAssertion. Before accepting the response,
     compare InResponseTo with the ID of the AuthnRequest this service provider issued
     (stored when the request was created) and Destination with the URL the POST was
     actually received on. -->
<saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
<!-- Issuer identifies the IdP; it should match the entity the IdP metadata describes. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_d76fbc928ea44d10a52221c52c525d5a">
<!-- A verifier should insist that this URI points at the Response element itself;
     a Reference that covers only a sub-element would leave the rest of the message
     unprotected. -->
<Transforms>
<!-- enveloped-signature: the Signature element is excluded from the digested content. -->
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>B+Lvh8/FoS9Tbk4qyhK83K/+2DKcYKqSamXYF2F/oAs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>WvOstRRPtcbsIFWPw8rXxAJcXiKcvrsqh7EL/mfE5Is1SQYQHbH5M0YdLuZToth0oz2fZuTecO533pQw1SkedQ/qiLuu8EVOJW+Kb+xJTJ2PjkvRwzm8nH9OzWUunJuxLlOw+tZlVnHE7yJp99cb1xinDEJ64AVO58mxu9z5qZdt6IysZh0vtReItH7KZ5VPvbVt4VUVdRnzMQix0q2wVxK5UgyTz1pK6Gtxhr1KAIMqJOyukva+0yJepc4yRc7z5jt2oiOD73Gmo+AVLLU/ujPAGNjH0x360eP6c7rGAxGVylvN+MgGWTghoi5cQZ86bqjcHIK7bINQuQW5QQOC+A==</SignatureValue>
<KeyInfo>
<!-- The certificate below is supplied by the sender. Verify the signature with the IdP
     certificate obtained from metadata (see the text above); at most compare this one
     against it, never trust it on its own. -->
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<!-- Top-level protocol status; anything other than Success means there is no usable
     identity in this response. -->
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- The assertion is encrypted with a one-off AES-256-CBC key; that key is wrapped with
     RSA-OAEP (MGF1P) for the service provider certificate identified below by issuer
     name and serial number, so only the matching private key can decrypt it. The
     ciphertext carries no integrity check of its own; integrity of the whole message
     rests on the enveloped signature above. -->
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<!-- Identifies which service provider certificate the key was wrapped for; the private
     key loaded in the PHP example must belong to this certificate. -->
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=https://otevrenamesta.cz/</X509IssuerName>
<X509SerialNumber>339515564547102863359567045846017369340</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>N2oqZ23WEPaEMsT42asVlWZ72gTikFvb6CNsrmDYfrQaKeo7k2FypvtdXwZlwOPSUrc9cXblZnZn55VBIRLoQ2wwEGAT+3g+vE9aMrZOr2AYvR9Ztn7r1bskvnqH91h9kVWPHLLr1G9F1PFvk56BDXL3keqHefZ4Eah/HH0cyNLAJjK6F8Yo/HfY8JnQgvmgJYJ8nypUiQyCsTqPY6cGXZCRdPML/DDZ0WIbYrYVwQQtjSKEo0XEEmc7wcrwY75Evin2vy7P+OEMVl5Th5M0DaQyDefQ+j+/XoiAUi0MRSWTZKZdNpySjurYeM/zgnYLwn22VS9mxNshvonrgliVRQ==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>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</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
</samlp:Response>
XML odpověď (samlp:Response) přichází od NIA v datech HTTP POST (posledním krokem na straně NIA je odeslání klasického formuláře)
Tato odpověď je v POST klíči SAMLResponse a je enkódována base64
Následující kód představuje (a v komentářích vysvětluje) jednotlivé kroky při získání a ověření odpovědi
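use SAML2\DOMDocumentFactory;
use SAML2\EncryptedAssertion;
use SAML2\Response;
use RobRichards\XMLSecLibs\XMLSecurityKey;

// Values this service provider (SP) must know independently of anything the
// response says. PLACEHOLDERS: take them from your own configuration/session.
$own_entity_id = 'https://nia.otevrenamesta.cz/';             // SP entityID (the Audience the IdP puts into the assertion)
$own_acs_url = 'https://nia.otevrenamesta.cz/ExternalLogin';  // URL this script is reached on (Destination of the response)
// ID of the saml:AuthnRequest this SP sent earlier. Store it when the request is
// created (the session key below is only an example) and read it back here.
$expected_in_response_to = isset($_SESSION['saml_authn_request_id']) ? $_SESSION['saml_authn_request_id'] : null;

// IdP signing certificate. It must come from the IdP metadata or another trusted
// source, never from the KeyInfo embedded in the response itself.
// Example file: https://github.com/otevrenamesta/eidentita-example/blob/master/webroot/tnia.crt
$tnia_public_key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
$tnia_public_key->loadKey(file_get_contents('tnia.crt'), false, true);

// The response arrives in the POST field SAMLResponse; isset() avoids a PHP notice
// when the field is absent altogether.
if (!isset($_POST['SAMLResponse']) || $_POST['SAMLResponse'] === '') { exit("Chybí odpověď v POST datech"); }
$post_raw = $_POST['SAMLResponse'];

// Strict Base64 decoding: any character outside the alphabet makes the call return false.
$post_raw = base64_decode($post_raw, true);
if ($post_raw === false) { exit("Data nejsou validní Base64"); }

// DOMDocumentFactory is the library's hardened parser entry point (a document carrying
// a DOCTYPE is rejected with a RuntimeException, which is the XXE / entity-expansion
// guard); keep using it rather than a bare DOMDocument::loadXML().
try {
    $post_dom = DOMDocumentFactory::fromString($post_raw);
} catch (\Exception $e) {
    // UnparseableXmlException: the data are incomplete or not well-formed XML
    // RuntimeException: the data contain unexpected (dangerous) content
    exit("Data nejsou platným XML");
}

// Fix: the original example referenced an undefined $saml_response_dom here.
$response = new Response($post_dom->documentElement);

try {
    if (!$response->validate($tnia_public_key)) {
        // false: no signature validator is available, i.e. the response is not signed
        exit("Není možné zkontrolovat podpis odpovědi");
    }
} catch (\Exception $e) {
    // the first of possibly several exceptions explaining why the signature does not
    // verify under the given public key
    exit("Neplatný XML podpis");
}

// A verified signature only proves the message came from the IdP. The checks below
// tie it to this SP and to the request we actually issued; without them a genuine
// response captured elsewhere could be replayed or redirected here.
if (!$response->isSuccess()) { exit("Odpověď IdP nemá stav Success"); }
if ($response->getDestination() !== $own_acs_url) { exit("Odpověď je určena jinému příjemci"); }
if ($expected_in_response_to === null || $response->getInResponseTo() !== $expected_in_response_to) { exit("Odpověď neodpovídá odeslanému požadavku"); }

// RSA_OAEP_MGF1P is the key-transport algorithm NIA uses for the encrypted assertion.
$local_private_key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'private']);
// Private key belonging to the certificate that signed the authorisation request
// (saml:AuthnRequest); the IdP encrypted the assertion for that certificate.
$local_private_key->loadKey(file_get_contents('private.key'), false, false);

// Collect the assertions present in the response.
$assertions = $response->getAssertions();
// Holds the *decrypted* SAML2\Assertion; the variable name is kept from the original.
$encrypted_assertion = false;
try {
    foreach ($assertions as $a) {
        // Only encrypted assertions are accepted; a plaintext saml:Assertion is ignored,
        // as in the original example.
        if ($a instanceof EncryptedAssertion) {
            // Decrypt the Assertion wrapped inside the EncryptedAssertion.
            $encrypted_assertion = $a->getAssertion($local_private_key);
        }
    }
} catch (\Exception $e) {
    exit("Nastala chyba při dešifrování XML");
}

// No user identity was found in the data.
if (!$encrypted_assertion) {
    exit("V datech chybí identifikace uživatele");
}

// Assertion-level checks: validity window (Conditions NotBefore/NotOnOrAfter) and the
// intended audience. A small clock-skew allowance may be needed in production if the
// SP and IdP clocks are not synchronised.
$now = time();
$not_before = $encrypted_assertion->getNotBefore();
$not_on_or_after = $encrypted_assertion->getNotOnOrAfter();
if (($not_before !== null && $now < $not_before) || ($not_on_or_after !== null && $now >= $not_on_or_after)) {
    exit("Platnost identifikace uživatele vypršela");
}
$audiences = $encrypted_assertion->getValidAudiences();
if ($audiences !== null && !in_array($own_entity_id, $audiences, true)) {
    exit("Identifikace uživatele je určena jiné aplikaci");
}
// The SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter) can be checked the
// same way via $encrypted_assertion->getSubjectConfirmation() if stricter handling is wanted.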
<?xml version="1.0"?>
<!-- Decrypted content of saml:EncryptedAssertion from the response above. Note that in
     this sample the Assertion carries no Signature of its own; its integrity rests on
     the signature of the enclosing samlp:Response. Comments are explanatory only. -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_fd081217-efdd-49a5-83f1-7af7f8e25810" Version="2.0" IssueInstant="2019-11-18T12:25:02Z">
<saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
<saml:Subject>
<!-- Persistent identifier of the user at this service provider; store it together with
     SessionIndex (below), both are needed for the LogoutRequest. -->
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_acd39cb2d51048e191aa44b0f3d2f386</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<!-- Bearer confirmation: Recipient should equal the URL the response was POSTed to,
     InResponseTo the ID of the AuthnRequest this SP issued (same value as on the
     Response), and NotOnOrAfter must still lie in the future. -->
<saml:SubjectConfirmationData NotOnOrAfter="2019-11-18T13:25:02Z" Recipient="https://nia.otevrenamesta.cz/ExternalLogin" InResponseTo="_9654756a-c7b0-4d1c-a857-0f1f766b79bf"/>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- Validity window of the assertion; check it against the current time (allow for
     small clock skew if needed). -->
<saml:Conditions NotBefore="2019-11-18T12:25:02Z" NotOnOrAfter="2019-11-18T13:25:02Z">
<saml:AudienceRestriction>
<!-- Audience must contain this SP's own entityID (the same value the SP uses as Issuer
     in its LogoutRequest); an assertion issued for another SP must be rejected. -->
<saml:Audience>https://nia.otevrenamesta.cz/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<!-- SessionIndex identifies the IdP session; it is echoed in samlp:SessionIndex of the
     LogoutRequest. -->
<saml:AuthnStatement AuthnInstant="2019-11-18T12:25:02Z" SessionIndex="_0536bdac4fb64eec90b8194904e4a19a">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<!-- NOTE(review): this attribute carries a status code of its own, and in this sample
     its value is AuthnFailed even though the Response status is Success. Check this
     value before treating the user as signed in; confirm its exact meaning against the
     NIA documentation. -->
<saml:Attribute Name="urn:oasis:names:tc:SAML:2.0:protocol/statuscode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">urn:oasis:names:tc:SAML:2.0:status:AuthnFailed</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Přihlášení uživatele je pak na základě poskytnutých a ověřených informací od IdP plně v kompetenci vaší aplikace
Pro odhlášení uživatele je nutné si uložit (např. v databázi, session nebo cookie) obsah atributů SessionIndex elementu saml:AuthnStatement a obsah elementu saml:NameID
Odhlášení uživatele provedeme vytvořením XML požadavku typu samlp:LogoutRequest a vytvořením URL pro odhlášení, stejným způsobem jako jsme vytvářeli URL pro přihlášení
<?xml version="1.0"?>
<!-- LogoutRequest built by the service provider. Comments are explanatory only; the
     signed message itself must not contain them. Destination is the IdP's
     SingleLogoutService endpoint taken from its metadata. -->
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="bf1d5aea-269c-445f-8712-52a7c5e70ec0" Version="2.0" IssueInstant="2025-01-29T02:41:46Z" Destination="https://tnia.identita.gov.cz/FPSTS/saml2/basic">
<!-- Issuer is the SP's own entityID, the same value that appeared as Audience in the
     assertion. -->
<saml:Issuer>https://nia.otevrenamesta.cz/</saml:Issuer>
<!-- NOTE(review): an enveloped ds:Signature is shown here, but the message is then sent
     with the HTTP-Redirect binding (deflate + base64 + urlencode, see below). The SAML
     2.0 bindings specification expects a redirect-bound message to be signed with the
     separate SigAlg and Signature query parameters instead of an enveloped XML
     signature; confirm which form NIA actually verifies. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#bf1d5aea-269c-445f-8712-52a7c5e70ec0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>6FSelAcAQdYKv5Fhxh9ErTHIhin8hznayKgmLHNdI94=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>j6spiYcopyRO+5KRiqjkvYkT0K5zutNOEm4ZUYgW0DgEoW37zW9fD0K/WLsrST6YnSlIyrFcMOl2LX+PGbORKi4KT+/1HW3F2C0tiDG/F1teJSd28fwonwILH75XaRHNhY49L882cb1FwANeZtiaD6sg4cdkve0cgSabsNhhK9gZztCLZMkBU0Y0uHpfqztBHNZ+dp+ZpDkTMeQEe403dtEwol3GRbgIF+FhAnKPmhblQnknhznyubvod283UumqbGG6Mk78GDjzR4BdhCkhOljLYgVSWvFgeM3vSOtUGzFJ+r6hC/R8rMPMmM99Jpj4D9HV0u2sqUDMeSxEeCt4jw==</ds:SignatureValue>
</ds:Signature>
<!-- NameID and SessionIndex are copied verbatim from the assertion received at login
     (saml:NameID and the SessionIndex attribute of saml:AuthnStatement). -->
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_acd39cb2d51048e191aa44b0f3d2f386</saml:NameID>
<samlp:SessionIndex>_0536bdac4fb64eec90b8194904e4a19a</samlp:SessionIndex>
</samlp:LogoutRequest>
Kompresí (gzdeflate), enkódováním (base64) a URL-enkódováním (urlencode) daného XML získáme následující textový řetězec
lVXfc5pMFH3PX%2BGQRwdZYEFhoh0jokTRRDRWXzoLLD8Udwm7aOJfX9QmTdJ%2B%2FdrHvdxz7rlndw43X553WW2PC5ZS0hbkBhC%2BdK5uGNpluTmmMS35DD%2BVmPFa1UiYef7SFsqCmBSxlJkE7TAzeWB6XXdsKg1g5gXlNKCZ8A7yZwRiDBe8UiDUHKst%2BJEcaggjUdGNQIRQi8RWU1ZETUHNQMNNgAMg1B5fRVcMFY6xEjuEcUR4VQKKJgJZVIw5UEwom1BfCzWrWiMliJ9RCec5MyWJkxQ10hATnnLUiOm%2BERwl%2B96be9JJuCL5lehA6FzVamdbzPOkovOKP8Epx%2FsCn%2FeqOCr8jfS%2B9QQNmemlcTW8LPAPX0J2UVGRHA6HxkFt0CKWFACABAyp6glZGl8L7%2BE4dEhEO6djDxFK0gBl6fG8kYt5QsNaN4tpkfJk9x%2FcsiSDE7eInwMxkCG5FqTThE8S%2F5oNwFel4o4W%2BLpgSGQJUjT9wntineEIV%2FYEuLaYOW3h%2Bq%2Fu97zkvECERbTYsY%2FH%2FxX2wUJM9jijOQ5F9rpfJe7fCH%2Fr2430q0YrjatX8I%2F%2BVeZcv7n2k%2BURZSXu6LaHs27QfQhXo71mJ8%2BJ0S%2FmQydJSSs5EvQyinfj4SR0DNg%2BK3oPPhfeLuBy%2FPSS3i79gtjoLE9XAc1fZtO6NpqlT5vtfrWdg5F2LPlk2t%2FB9WIVL4EV9%2BlSbR6XRmSBkbQcs8Kb6yviZc5LYQfuNFPGX%2Bv3A386G6VwNK9L8nCp2koP8NQaSLbM8Z0XKq3oQMnBGQ%2Bb2lc0G06SFTTGrZYS%2BLJ96E7wmqfI0lkMg3C7xyCIPeSzSZKMjHh95L3x2t3eLsAKlMM8ejry2%2BFkXQ%2Fz%2Bjq3tnMXP%2FQxBGrI%2BweaqYOZHzt23U66ZHS%2FS%2FzsgWxJZeFL6e9ppURdlLsnfzDQ3W2zNbA2xxm8DZPeNplmm%2FEqfvSWezvGrrr3pnwxONp39UJPetKsVbj37s41jLt8Ay1j%2BAhKhT0tLBd7z33c43BzaLffrH%2Fn9dXH4s%2BQmVRZ4lg1u3pWiP85PE%2BVNBSjc6uZn1KR8SrOhM43FISqEfhKqMkAtrBsyAhB6INIDZVIbek%2FYuoy7G14bnqYnaLVISF%2B7nwDmqr7IQpg5OsQ48AAfks2oAEghkg20IXlE%2BrqtfrhJ9K5%2Bg4%3D
Ten následně spojíme s URL adresou z metadat IdP (SingleLogoutService s binding HTTP-REDIRECT), abychom dostali výslednou URL, kam uživatele přesměrovat