Implementace(3) - Zpracování výsledku autorizace

Postup

  • Získání a ověření odpovědi
  • Rozšifrování EncryptedAssertion
  • Získání informací o uživateli
  • Přihlášení uživatele
  • Odhlášení uživatele

Odpověď IdP (saml:Response)

Takto vypadá XML podoba odpovědi NIA IdP

Odpověď by měla být podepsána známým certifikátem IdP z metadat nebo z jiného ověřeného zdroje

Odpověď taktéž obsahuje šifrovanou identitu uživatele v elementu saml:EncryptedAssertion

Hlavička saml:Response také obsahuje informace, které můžete použít k validaci odpovědi nebo implementaci přihlášení uživatele

    
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_88d526fe63dd417ba4c776951bf04a9c" Version="2.0" IssueInstant="2019-11-28T15:41:05Z" Destination="https://nia.otevrenamesta.cz/ExternalLogin" InResponseTo="_4e1c9abc-74d6-4827-946d-83de8adf6a55">
  <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="#_88d526fe63dd417ba4c776951bf04a9c">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>D4S7pdbfP3yZVUyIhS4kSI6tw4gAELJf1/s9AoDy6Mo=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>kWMjjpd1gkZ+tZPFKBQI1Op9eIPel0vvwoUVnojqANfyhrLBYDwSf2QTz9KN/gfJj4O9/PsEhPx6zETAqA3weCpvrdToygiHAifxyyH5xPd0MS06E56b1svTPHkyhTn6OJFkizGxR0/v/k2yMoWsRRgRWIdu0LliZOLfPgKIcq+sToqFICr/IURBjyjSXXjmcu0ycPJKdMWaLh+9qVpUK4zWIcn5WZt34yPbpnBEqGJNnoyvCiyWDRfPObIWturEPpnwe6kjtWfagNrMhc/sZLaNHuT33G4qrq02mkWMEEfuFa4V2m9zxYzSou/+Ov0d3O7kLFMIsqaJ6nbbCct1zQ==</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIIHSTCCBjGgAwIBAgIDTMtQMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNVBAYTAkNaMSwwKgYDVQQKDCPEjGVza8OhIHBvxaF0YSwgcy5wLiBbScSMIDQ3MTE0OTgzXTEiMCAGA1UEAxMZUG9zdFNpZ251bSBRdWFsaWZpZWQgQ0EgMzAeFw0xOTAyMDcwODE0MDBaFw0yMDAyMjcwODE0MDBaMIGIMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNzIwNTQ1MDYxNjA0BgNVBAoMLVNwcsOhdmEgesOha2xhZG7DrWNoIHJlZ2lzdHLFryBbScSMIDcyMDU0NTA2XTEWMBQGA1UEAwwNR0dfRlBTVFNfVEVTVDEQMA4GA1UEBRMHUzI3NTczMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOMUgr5xxTIUWwIRUaTSBOhmdVGsnor30KE/vX2IaOzczQpQUiYNUYsOwt8F4FHFXTV/ccA13Bd235qAtLMXTqzlD+DuPcJpx9eui3toQ1iHjjtuIBnsy8cO4Alzj1mzVs5NNtWMs7vPRgh/sTY4veDAO3MpXvaXg8APAPwv9b4zZecsRu6osu/KpsI6NX0yLsQWbZXAKa8FgEkx7qWcythfPGNgGUJa2saBuchTjmERSV7xLoxihsjgBcMjWX8SOAAQEOjgzmY0AXUVbYE174hjM4oWo9iDvpqqApx5W4oRKnrt2Vo/nKIySw/MDpPOwpBAXkmeFEA4zEaJVObjCOcCAwEAAaOCA+IwggPeMBQGA1UdEQQNMAugCQYDVQQNoAITADCCASUGA1UdIASCARwwggEYMIIBCQYIZ4EGAQQBEngwgfwwgdMGCCsGAQUFBwICMIHGGoHDVGVudG8ga3ZhbGlmaWtvdmFueSBjZXJ0aWZpa2F0IHBybyBlbGVrdHJvbmlja291IHBlY2V0IGJ5bCB2eWRhbiB2IHNvdWxhZHUgcyBuYXJpemVuaW0gRVUgYy4gOTEwLzIwMTQuVGhpcyBpcyBhIHF1YWxpZmllZCBjZXJ0aWZpY2F0ZSBmb3IgZWxlY3Ryb25pYyBzZWFsIGFjY29yZGluZyB0byBSZWd1bGF0aW9uIChFVSkgTm8gOTEwLzIwMTQuMCQGCCsGAQUFBwIBFhhodHRwOi8vd3d3LnBvc3RzaWdudW0uY3owCQYHBACL7EABATCBmwYIKwYBBQUHAQMEgY4wgYswCAYGBACORgEBMGoGBgQAjkYBBTBgMC4WKGh0dHBzOi8vd3d3LnBvc3RzaWdudW0uY3ovcGRzL3Bkc19lbi5wZGYTAmVuMC4WKGh0dHBzOi8vd3d3LnBvc3RzaWdudW0uY3ovcGRzL3Bkc19jcy5wZGYTAmNzMBMGBgQAjkYBBjAJBgcEAI5GAQYCMIH6BggrBgEFBQcBAQSB7TCB6jA7BggrBgEFBQcwAoYvaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6L2NydC9wc3F1YWxpZmllZGNhMy5jcnQwPAYIKwYBBQUHMAKGMGh0dHA6Ly93d3cyLnBvc3RzaWdudW0uY3ovY3J0L3BzcXVhbGlmaWVkY2EzLmNydDA7BggrBgEFBQcwAoYvaHR0cDovL3Bvc3RzaWdudW0udHRjLmN6L2NydC9wc3F1YWxpZmllZGNhMy5jcnQwMAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLnBvc3RzaWdudW0uY3ovT0NTUC9RQ0EzLzAOBgNVHQ8BAf8EBAMCBeAwHwYDVR0jBBgwFoAU8vjMKldh2isXM1nlgi3sBhyKT0owgbEGA1UdHwSBqTCBpjA1oDOgMYYvaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6L2NybC9wc3F1YWxpZmllZGNhMy5jcmwwNqA0oDKGMGh0dHA6Ly93d3cyLnBvc3RzaWdudW0uY3ovY3JsL3BzcXVhbGlmaWVkY2EzLmNybDA1oDOgMYYvaHR0cDovL3Bvc3RzaWdudW0udHRjLmN6L2NybC9wc3F1YWxpZmllZGNhMy5jcmwwHQYDVR0OBBYEFBKPDkyFzQEpVZr7QC19lahjYcRUMA0GCSqGSIb3DQEBCwUAA4IBAQA8VcUDtRLwPZMdDuAYqZMPKJwo+WwCb9IXwJ8wYBPT2WNzocQGGnYlws45zLHzUrwEGlhNEpFmORqvaTL9E256aNqOkto7K44MEPZriV9vXw4mtI0AF1emFrhJcLZVp7S5uWVibo+SiXufqGC4vaF4I/WZaXwd7eKt7C/bT0cDN5HmU1oVaJNpDYbox7wLNLmL205KUHCvCE5gMhyEPyqPRinYowQgYOP8P3dvLV5mbEiv6gb7kmCyfxEyFdrGBayKKqoMQRKBLK5h+lNJeZJ6QiyiVhSG5xkz56StwFsz+LuTv/ZoVfbvYUX9FPD0VhPomj/weoUtipqMKfgbeePU</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </e:EncryptionMethod>
          <KeyInfo>
            <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <X509Data>
                <X509IssuerSerial>
                  <X509IssuerName>CN=https://otevrenamesta.cz/</X509IssuerName>
                  <X509SerialNumber>339515564547102863359567045846017369340</X509SerialNumber>
                </X509IssuerSerial>
              </X509Data>
            </o:SecurityTokenReference>
          </KeyInfo>
          <e:CipherData>
            <e:CipherValue>EjzSzCXoMYigHJSHBxnKZwHfUKVfl9lmku8XW5L0Jlfaja2E10BglcdIeH5R8nyBB3cl8/wRVX7NhYJpIG2p83QkBPN6Y+ecWvwydtXL2Y5iVD/wB2l5YM1LU8QsudD9lcm3mZCMBkJqVflz1dPWa5nGr6A0moWZ2j9DXxYrC0B7uIEv1C/LojhkdTgvT47pjYxjQdUzmcjduV8VVZ7YxhHX3eokcMyoX0RmHvoRreilpbqjzF6SnaZWHuqXCPHaeWBQ3Lzyoo2+pQqiL44AGme/HwGM/Ic5+dL/u67MJNWmgaAnzLsWBQa6fO1vY333jtdGc9BoXyOE9qqreDanug==</e:CipherValue>
          </e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>pbWpjBMTRWEFw/dNroIUm7KgJg6ztj57tlSQdw4AOiXausrDYamlajEjdt/nLm4v+yc+gw8M3XWU8ucswW3TlrJ+6NWZExpcyN/1f3cZGBeCDrIdhiWLccajlnrpTQ1eft+bbLqZJB4lPc0Fwyy6Y8KoNUWbsiJpLNWeT9jhwuOmogGnCI+HA0VON94Zqetzi2pfclvpiMI6tHecf8Tcsji4NVQa1+NOjqlvEO9Z/VtmJOG2ajN3Hx4XUX2lAu21UdE4CEQaoN/y2kb3WtxLOcS6BTqMReiwMhBnK0YFuKXnPyH4Dtmdt33JCahAhvn22dLFn2RC/xsomlB+wHDJPsdPJv18L+MWd6OhGbo+f5dKId261wnqhbDlb5aaoDFr1DWKOAW54QixWlgKQ9/xk8TvpMvMg/OymV3wLj8WKEovpqRov6d7Pq6D/tL/UPekKv9vTtLWwJjkhWojDHgw1piBfpPpwo+hcWjgdsjOmuAyIT9fF5COuquNLuvwMmuHAH42gcPa0A3dGVqBm/IhE5BzUZ7nQfSiioH+LXBVKXrgFNALrUE1s7xWgqM92RzU962be8DCGvNXk2Wwsn17n19uuxgs+vWW5pUvxgJdCsXzfboM5QQZvg3G+fiM1DJQmhYTOtQXpd+yiJDQSIA6mDusrf6+qGbOHRVy9ZqHolMO7LcSi8Ide+UBhHvd9BJQidp5Rub0LlTC/47UkeWiBkAppzViIkjfNtuKOa8Qm80LkanAM4FafLwHgdaDQPaB74zYElBSZjg4dG2IvcrWcNpOMQuB3Hal+IDpRTequXTwX+QHQ8DUBlPfBycs1aujAIPDohUK8/zpk+y0yhxNfHLadgJSnPAOdGxc9ZxaZ0KrEDhCKS6u5ocMQH3YbFuolTxV6/v2dSgs+IGHmA/8Anv1NrydrinDnnaspxLhZgWchg2w91sjsuGxWfmhMaFC8DjY+/coRSvzsZXWKugD94xdqzZgTjC9wZLQKfn/A1qdFt3qpRIQHK0KvV7qHukvxaF6UErv9arLs7BZ96a9Vg78XjbJCJAj/Mi9+9ILf/J+oInD0oSrL4OPeaXYiWsg03Y9ggVIhXpufBvkHAd8IqssZ4jK5tZFshNKMM0zrvz0yiseRnubrfVLtbCltppxk+RwZCVJYSvjLC9ZMAQVooyEmW05MXOjtdQ6d2UMcVrdVlDKyT4FiSKyDFq9mtzsTvZPp9L/LFnnpZcUz4VZy/AHiBWYcKcrre7CvBg69I04H4G4Tdtxxv5niQ3Ba/gCni52H3GemZlzHWXHv4TWXwwDTYSOsoMpwbmKEF1aGA/+/DKeP6HiZ7TgmENpWtkovi5YpyQpaHGgFCEgmu9gjXHj3w7+gFGHElbtW1I4G7FUNfFC4l7L5xCV/y6ABeBDFsviAyi1BOn2qhHFz1zsCLk4kZOUeIFSbgQXFrUsEAEBEsBmK3IPeFCM8SZG/6fWaqfg2R9qASPMYz3n3DFMbrN+PQ3bQ+GOQkImGnX/szvUxa9EopbicyNEvoufO9baorkly/4PtJoT9v6CMRFk0Ez9MdSIfOh0rzf6M2IK37faAU55WBElQ+29GZU/8M8Rwj3PRQxO+nnM/pjycO0T1XN9rfaKa6OeaaJZhJzxD117oYoKfaPU5u+qSRUUxUW5+Dewfb6VTIZBXKyovEcX9pmjBfrd331KaD7kBP/ap8mZyOQj0fc36APh1z0miqlKczcml6M2us0t8ZDS9blA720q/INqXQwMj0BAB9atDatrl4mzcS7ZLdbE3Y5vBjW0E9lUYvex4WGNc3rhxgGxeoyh7r1CcGKB6RWgASC9x46s9YKIzF7jFVoa4ozYNB2HbmA54lLsEUwfLl/DH2/nLA1shQYwzOlt0c1RkqoiJkIVsWPnYPw99IGhlad6GVDSF5EPLl2a6JIkhmDWeL30LnqByUlY+TWTdzKTLM4Ff81LQb/df6mjPdzyLjmOdfdnYipUGMsa/mql1VNRisTi3PvUuTpxP8Jql5Qhp/bO5g0Z+l4+YPQ1kiZN3QRV48oaCVwSlq6M7XE/XCnjSlNeoaxF0/Fd9BQsnNDzHIGOnfb7z3Z2cLjGJG0vIVdg/Yk33dYkPFtWu1qQr1lxyFGSfvpINPi3UpPQwB1C6lCDafWgBx90RohGT+jKEVllSfVI4P90/6cLIqjADcKAieQAysEfVFR9ibxgti7ItgKN58MHAqkqNZkNRRA4q4PMn5f9nZQqBh6J22+jUVIyOyoxxQCUaND9QfjO+B86rzeSJ9qNPzvSrJ9mCzU4C4cnQQ1ZNqHNDyWj3h6QZdu/x57zoYIWbyjVPcijFz/pyPjnOxs9+cWzqp3XR2SyczHvcEGkZUv8CV8zglT1ZiVf2tUva3e4sI82Cvlog0GJOmb2eDXhvn8yf0uldlmZLDGgL9rAK9/za6AWz2K3mN2/A44cS7khA/OLCtmNRXD4SP8Qz9OvdVVcaWLAe2PlUawMgGGnntEN+Ji7z/s0H0RTpSfHa7Z2hWxBzKAPcnazeMBaisDUWfb/lqkxfE7Qa0rjTIJQVC9pOwCwhrq4MA0o+dbNbksXYBiErj+f2/VQnzBryiyH4az/q7AQx0NdG18TIS9XcWAHMpUGGABdCpsJ1TqpOeNGuVAHF8vMhKcnN7p/b/I8WNs/dLcIw71PQ3tJeJ1PnCQ7PV2TyvUCYQf/RaunP+Ft7L2S6X/MwgLKJ1nBaSQG1NcM4p8jk6wXcOp+Gf6FLmyxRBz+3PJhn69a6zXBYDM16QZxxA9jAviwCzFjeUbcIgLuupc+gSlStpBMfw2cMZO/K6w6DjlPnASkfSMqUygHUNY3PaLnLxAVxi6+JDDwwtUfdPPMXGV0vlHqUSiqyw1gcCmhqrt9+L65tmd5QpgF3nZze+qSN7Gh8T7ELPmN/8nj7X3VIVVK9Cwt/Yy5GtPvnirN95ev+Ws4oj4RqYv3a8xdl9/iPiQLJLlbGuUlJKOltirBmqgNMX0jS65uHyKETLv+IXgECoZS0CdV4eCw5gqyEKIHXdrGA+jcySkkXiSFP0Bgxw/2Ezu+wIv27VXKqA1PzfFnrLj/GL+79yArzGYjkZ4xsTmYFLA9ILM0diLR/362e5lfg+lwmfjH8syXJDtCBmJHQDAsf2w0UO7uEdho0ID0ubWu2vLCkznDp001GxhrGhwXAE8pMMbg5I/NIATn60qbrIBCADSR60yN/KwrH9pAKrBwGWSgFJzSPlay1gtBF38L/8vyFbLjj21VI7Vg6Z9285+xxKpTO+rm0uNBmk4BtDOSoEfaMeHdSjU/CPgBqXeCgzdVgGceI+ZM24DgF2mi6OxvCAh0InIChfVD8bLzae6TslNSDaKLV1gH1ReedmgrFtIKSpj6+FpzQMw1Vncjb9+b5sxV2elYX5dFh24qrIoDAzkr8UyQNEX59O5c4DaelAJy5IefremF+N2bjvfn8rm35EZwjbQm2zV8w7gxnBIWo+zl9pmyzU0JxrOCDrqyOS40+RFTC7ho5kxW1SaKPYBEyB4+vQr/g5fhx0LwTPdNKhqFnqU8uohjwddOpkxo6+C285TukZF4jDbH/PSfKpEEZlwGcCkbN2sniKvmjrh+Z4dLSsmJDFoZfHttQfiew+j92E15o/eBoUaedVloZPqAsX+FlHjxEa8IG62sMziP0D65g0Fd1hfG+28GJO+HKXC/e1VujsrGJZcJrTnHQBW5VKc9nFhy45mOdrGzTk6LDjlC+bdKooGgdBNizBVHIFz/85fVf6XB7zSvjbVOOt3hS0dvczkzh2yO6aLUOrwqcit5hytlzSeVBjhIS/37nQ6aZjgstSmEvjmFJMhr/H9XMCSXqcLBjxWq27PM9jBbmwLV2IrCUJcpTRGUgF6PjjzxCbJ1lhn4KM73kserfa3RHyOvvRkmOa4WFtg9//K8VqrFvITFrQRlQysrc4p+FB/M/isEYxQouC/yfWoORRFs/wK6fNawoo0vQsr7vNVnTehgsA7HPUuZ+SA4MVXXxodjpZMTc2tKL6HbXz6b29gL6PrTHF/CtYf34d5vUmvdbV5Lom/v/Kt/e0uCQWPmePLQS4FZZIedWKTt4pYpXhCVRsd8SHNZ1lVyGwc6VEU4ABD3muCZR9JGUlaTDrc83KA6xuOOsCL/Hny3O/yhuHwK9DifqKTVLynZWQBkqSdCBGbhlcllJwQHOOqv5uTxGkTnR/JUHTQo+bgfpeW/iD1GpOZ5JlmeINSxkTgmAq/1um3/jo1++WZcsRNV7lEhNaBVuYi32sUMsUIblbsUmVNGsjgN9qNausutV7TsVh2rLc3RTvb30Zmdb23T//5dI6n/dzTaAEPOPkVZsWmbGTFi/xRKdWYChoMbH1sWXY25GdPFig/H0MxI0TzWf9XMVeTz/4zL+CbcSfIKLbSGoyLn0Mz2GyRMYcheEXWnvJrT+u0r1zsrxYVK1UFX4xnwWGTlT1W43UjZ9TkRHtyiInCOak+JDreFtVWkJwf8fMVObH+mPr2os0gnbsLemm/OQRR3PymU0y8vzjra7LbDBuZWDODPFNPmOb7QBjvQ7RZB9aVM8M2GEgfSmYAk/bpE9LqCjoXogyesdPx88eM/ExiZVgjXQjeqWUDogjjD1XagGogJ63UIsxJghRDZ7LDLCYWzM/nD00rIlBAosw2Kfx9LLMH9r1ZrUzniGbB1SFMr6q7W+o81uITy54ToPrjfK66lNMFgxcLFK8xrEH26EPqPnPWAVrsXvPmN/VjOLr+sbtol9zQx/KtBJvCWa/m5rwCmTBYzcPMVKxE6FWLDnix62n9jTMObMlcb8nyeLtf3xM7gzC1siKlafdpjAo3OLh9H/AFYJ4bqRk6ovhmEJWcDh8X3C55b1dmhqH1WLT9yGHrGTwxIVgvnqZo5pMXWuiajPyo7s4LGk1TAR2wQw7619ilnrNtgVk1IXoMB06ojXh8Gqg8SAZlcWXH1DALfCnhRhFD+pxEZObV1pUhLkWYTB3BrKD/waEi84OSY29JsEBobyActUAwfuIRgO+Rp01+Y4n7kxX+Ob7kqLe+YqutkiTh8CBVXkUgaJHD4LGj1LycWWjmXJDWJ9S2bZ8O0T82bzsrue+IcyycQVcSn7a/5y0URVfIJSg2nFQZPw3xSrbVrGNLUzAdaFw7Pjratdd0uD6nRcHW5tgW1wt3cqY2jyDU1mZS+nEGZbcXTGc69nGNsP4vZeicBKanzZxUwY8tnhG3TjAgWHRUsKoepOY9f/XUSaLsO+uAi+5x/AvFfebL3Nms07TTgL4dCWs62ahKSXUFuULLWchtbLgQyz6jQjdTJilJradqYG/P5nTEUJaOH2fTCPTqNzQp7MJbz8ytjLFe+Nci8IOymq4+gOiwADL2hNKYhjBv13K+mbu/w62wMXRJ/D/rw3aaZF2E2yjJNkE6QWNt/Zk2fKfj4kb4STIkkob8PxPISRQbEwsse0Bh0aHPxajwwXAeNeRR7/97EM7gCTIDQIUzQi+t6dkAtdtxNpaVy1xE93E0Cn6QqL5QEh/6KM+Qlow8Wnc7tq4ghhjgTKNogPC/X4NKRd/rBYmNZW9eSFU0V2SMvfueu8bJPUzN2ZaB/1YU7PwZ++sgLI9GMh7F5dz9Bn8Oz/C1WQ/jlANkX+3homZQI8w1eG0LtzXGwGA7xWrtUDOcal/pv8l3GO3ijI9qPag1E2nJ0xhPDjKAXO71RIo0umb9nhI7caH6PV+196h0hwjGYm7MCp3r1p1LF5RVNParDdKiZL1zJOYvEBBvVumjKP1+PWeo1s3WBu2kFohiAwTmBtLyBDKlWCwRhyUnB6s3Xn66hi8yI5XNQGDb4BUuJY+ouZvfLDS7CdJ3BzdqukRUX5n8vW9rRXuGxajX2hkWqtH3d1mKZ4g6eEVeidBxCUtB1zeLGOnB3C1Xj2EL8mvfxiU+A6cTL6N8KOYDZAupWb+srTpc9p0r2hLBq10jrZWy7LiRhcz9hH42hSnpVsjzjI2YycGYlDdI2+fIW2OlaAZEtOkRO3LxMkAgTbg2y3GotvcBJeFugg9RRrG73RT1hVrtYmdArGVc3YkQ8XbJZKJP+yWvFJV0jFru9LIQvWmas+yMaAT34hcVoN3EVPsi0jxoOyhJI5Jm9cjc+G02Fte8d64LeEqwhK1WJXXjTO/Sa3YZ50PSoLKL5+gvhfWwVi++f4O/byXyh8lk7fCXZZTQ7L1uGeUVfaSU8ax2lAw4mGFQcGmv3ZOLRxgycOuePc4OBWcwBzRnkOBEVst383BB/A/jYLVVJme4L12shpUzL5hTOeNn1ZT15Bc2vfygT//AxRjBX4OjMDsw6MbjVzuPtm6/JqYH6QDOK9yLkyNXWnnPMAp681ScSHJ4cfBdzMWoOgLZPF9kkdA0ZqkYfJW3TnttjqWlXdsprDnCrKyv/1at03Hh6d4JpMThrq3MfX3OJ6MkcASTnQKa3BVEuPFPPpkE+co/y0JOJioEPWqtOt56k3nQYcufjZP4kkgv/Qp9vcYJT/SVKuaVdgXetcpCre2vIYfiaduZubdP+qxGLwcofYdOiy6V22U0Rp1r3AnXwnIRFsr6BMTluRX10yQJUZtcEtYvKb74wjdQwOJI5XKIIRt/mCS2y5qyzg1ddDGv1+fBkVfA2JPkU/pD6pSERVKjOHx9I2yKcumCl9Jp9G2wJVGFrU7ciep7AKTDRMoRCKd0hO6s/0Da7XxdO8ZQgXbOoixlPOF01Mi5jds7SScwDl8VIt/1SLuxkOGYcs1nzFiSVyi4gLxjVZuAfmxS/4QK66LYH+gmzSxef31jf8SZI1AgpD81TrfScp7yLLcHYzbCWXFx/AGxouGQbAaVLiuAM9lY6Bnl01S1tIxF2R8TQVeWaIGLFA7dxM9lko9BSU6IQgiqk3cc+o84QTf79xkWSXlu9/WpOWatT3ViecsK6naTZxfohitCzk7Y7yD58Treg3+Qag+NoSDqZMVadF7SWbLLFiy0sgeu2cFSgPB1I3s99Hjn1j7kscdPJvJ8u0SAgxey4exyunOFEdPiT5Br9Sx/33qgqzXoGZxRFd/MV8FkocGWqhJzwCi35xSrMoSE0cozRwL/+nOEty33/eavLxwhxa7GhJYB6kTqcxdElCTBamBep06cFAMrAh7JeyjlPCSgyR3thxgTpXWYyfjnnwIsvN7T0/7kQ8w42ugF8V8d72RAL9hidByNq9ZyUzgvQXW88b0OPSxwdL5WLeK+kGSpEh0KpIgsSsXCWAEIP90bM0Aa0HvVR2Ak/bVb5HSqeE7yFKU/xQ+yOLaOFLcBywKMPLXVXYNw0tESd3f9D03yyGAW35yxnxAAaUdsYX680gUSq80BHVDto3N5U/5cc2HTTPoWvxxSsw2HN5gLUV195kGGRlm8FzZO+MdC7ttEuLySU0peT42ZWW3X5AqnaPucZ3YaAEEdN1SHTNGkzKPId8ojGexZsqrK2du4WmtZ4S2wmdjUELcvJ5FlyZ8Y4hYr0Xw+7r1VfumkjXmiCL6VSatRA+Qpl3YA7xSVAJ0Voc1KEFr/NH0S4mxJAZQrRJkGZZhbGCP4bzQBC88XqTq7BfMMgGdFjYDunRA0flox9R31JFfJ9uXzEylZy2SXrLXaPx0iYkDcmr8vgt4vzP55hL4Bcu7AiGEYKe3/YNn5+qu1gAFpV2zKvg1J947IkM7E+FX1B2Cj6NHa7Ct2/YCE5+xVJV6jMew9GI/t7k5mFNhMhk8MVFEuqMNDnqUMaM7X4lfBZIgJDqWXoHcIg+7IVHmzk4fhzl/gJfChNHc2irVDs/BISaArWBMJCrtCdiM7yHYbge5ED1cvbFnAtNeEoEGv+kPF8kr3pONgjVxc+LjW6IpzABCXY9PHzzkupESu+UyII0jNZpzeiJIQTcCYo7T/lvA4GnU3rcL2xKVdpAjGHndr8KaBRI5QY3U79KxMsOcQSDun3R4uv5MlC4fEQIY5i/C9UBW1T7F6nTxpKfUw+gpCLR7LKwnQpAnSYpLiHqWdpTiWfWz69sFaBrjy34lsf8cNlUZ2RPL6JthmxW+nGlRb03JIT73t4lQViVbJ2VUXXw8282fMWDeeAfIboFFmLfgn+RJSVnQXGLy+TKwUMKszxUN9drPftjqDRcu4DpWI5Q/QgY/LMoaQxDZvzGh3tmmE28NICHzK7VhvsLE5gZ2xQQi728FFCDPoFJj8iB+wuTOr+ZqPyZXNpnBz2qZIISq6aUpSl1SU1kIJraRfxySK5D0kII+XOI3qVgK2gygFaPBsQOcV+Sm3qa4WZ52D8ygKmuEOv7pyKALLd9CEKy8PlZCPBC4/aE6Hl/XTmYmQhaaxX6knv+GprXMazPadAM48c0zPXiXGkM6XYlbMGdGmo6T2NCs6RJXceEDEeLLCaNubKq7+zLwUh/3lsffC+c+HEc/CNFq1G4llOPhtFNlulmyDnm5w/jkp09P0BWkOifplrFyw+yzr9xUn3HHVdd+AzuJKbHfs2kLM/j3a1RzEcXEBNoMDVpGl3zVpfecUgfHlTh5vnq5I4QGsynFUAl1qvRDkbcaRdc/pstyseNQNhBm6moWASfZ5XHRqbgQAvfzITl24WvAvM5Bi4jEXCmhdHCU0fnDsDjosp9szq00FX48s5EdFbmHaYC7T4KEo5Xys9RELEBbw4lAQjAFmDuFcLVycFwuj5xKRxWDJjD80yEQppK23OkdAEInrmDRgdpEsRBg0A5Bb86A6pGpRJ4VAOZAqmTPu3uj/1VrOaLUH20qapvO4zN3khb6mCvTP37b7MPXsWizbFwp2zOCsZUrCZ6QKs4whC24Lhdf6wvYuvKBdmaXL+UDO2VofwjgoNX8uYVO3aaP90LzsZDwZqFbEg+g/OFdk7OHDihd3kyA2Jm1Xa5nYZxahui22YvLIFf/6phjwade2MCdUx9eWDMmXU8peZbCu+SU1G0Hzf9FSkTIJak3ga8Kkek6CnB4RsLoMwnDlQzxvuuqWpqtWaCxg4yDEL4I/mnK+BI+XQN5KntVoKIAdF3QhM0unxTfSIde6zm/r6cEAj1GEu1dFFsLtIFr5HjxAK+FnpN54OR3ExApUdrlvXKA7HjC3/vsi9uNmpjAXSBm3uwhi9ayVMVbAvcsaR13gHgZyFEzNbDs8q7iV/2dHdJG6FtZSeZvr9XCbHc9cpT2ZZdS5pOQ4W6id9c7CgdAEJI32DA9Vq8oEFklZ6g6Ts5kbY/LFxmb5GM2eqXegoFPVvVK7nQmjQ1h8BdawC6ZuMmIRLSSaAqKT6PnxsYgbj92I392ANJEnSaMgOpg7rEy7SujVF5HRByGpYbppB7Y6I+owvoexoYVyyNJ5RrQ5V3FWXaTqBQKABirtWJltkP/oyQmH89yLV5/EgGERDLuP6BBNuRKO4nvRn9GAIhoLCQj/Cx/1JtZN4C5TSrjwiRGzwzIUQI0373lasvGqqI4EopXiiuS4WZj27OTvK6VxRrs9NAa2j64+YR9PX09qlsNErbToHguIsBDHcEDbSu15cUOnHcDYCu2gA0Ybrh8fUPMJvDxjPsKFQr8bTN47zZRdUYMl2qmRtbq5mFKKGg8OQmA/3of/HRGid8xlsH2xIgcqc1v+ajDRUko6iIvB5ADxBVO5AOiJWjntZjGQg/MQ391aszdU1iEl5Od81q3YLEf1iFgSmm9+heq8B9HZMOEoj9xryOXjX1S9H8oeKjQjYUIGcATRkk+FReWot6cSn/wkA8lDG3LNqKgz6rh0jUPsOadqQj8kJTpznPMXJGnpCHPBpsr0NWMimVF3r0/13XY5H52pXLPgOH47TMfcEfdcPMqqMhB5VtacMMwxK/e3NO89cVg7Da2RjfYlvBf9Y4KgdYWmJhIPpVefVCKGL7Bu7M24sZp829clwFKUyid43g3A6vnVXSIP2xrTFw/mUWeHPkgAZkvbRtPyZjT9GS3B6quXt3aryd0rDia3G64eyUAgOmhzZTiTF7EYVaV017nEobM3ZK6a2E3HeLnbdbLaPOebjxH+oCnPwUBCLwppVAPOWVh7/heIkfulVaaAVtPaU/d83wa7jhiSs9iLAWKFhksPZYQKmiQ1LCbq8D2ExYGvU4nVUR32L7qfhvDte1Y/+ZUggyQU9odh6FJq0KWBY6xtbOcZ+F6dFE0/CbzqLVWgZkMdthFQE15to8Zu38XW7HdnLp6QCeMDzfSwV9wH+4SKPz0er+W/0shHvgKbMHOwO8k/3bFDPwsIuB4nu9fHENCU3fhppHKKjfJdQG5PC7XRxkxP7ZSTj3SjHV7HEj2+qVwJmkG46zSnz/epAWoqQOM1QjMomBTVAmaGa4uGIgx05PABLAVRESY/JoRqe9dLWeK95+aMXZxi5D2i7QMCimpvErWG5t1ZhtaZS76kQFI225LLXwqVUwx9J57TldmlHHg6WV1TFpEPGOKo9PKBmGpYzlHnkJW0udC0Qw8BIlAnyQiCpNvnRiwRa31Ulbc+LJbzHdSUDKVfRW5W/eotqe2eZj7de0FvsoBTBZuYJ0iESUjsTJWyJHavnBi56/9onxxBAA9Qf8WW0wdpamOog5MGuRcjENuAqffvY8wS56kLoTa8cSi+BpGFHx9pG98dNwUBfcTr+vsAvP1IbO9sFOxxF6WGZSx7Iw7NiBgV7UmGUFS/+HjwpaJaaDKiVmC+acU5xqyxf3mRpLasNdojPpkcBFROqfbc4w9n6kmx3pw2vMpoKEvaosG5865emFd3rI56gykC1pxcr9/aKxosyrL0rmNsz1DvpFgtCGo1JdL5je56GJjSsEVGGrxt2fGl2jbsdT34PDsi/HUJxWcpOyXLVvrzvkKSicboG2ewY4siK7qzPY/b9Hbj37DyksVtdOGLha3rtiyhdfD2X7hGDyhlwu7CctFVqkU6BCTTSUcRZIOHEX5pKKyNNtvpxa7vz79MRoJB/vgw6EYGhNFxKRUH2mK0NulMcGAtoldOFpvXQpXB2rCdgEdYWdp7EFJCLmRR/pfufPgxL2GLlJMDovWYdQ0LDtLt+dJjw2L7c73CN8UpSgwWksSpPx88LJVxaY89SfsuPQn8+yMZzO92m1B77lXE6CO9rJ2m5e+ecC2E9NvpQXYQjCcPtvdAYkWz9P7EqPyafFt8xq1YHxWMP9Dh6a3U0nLHIgD6WAqcnSjEe05Ylxn13slQtWKK4FkALzJHtRG9wOkt5GApFRigSTze4VpZ4kJ7uoZbpPZ5Z34nf3yBuT40KNYtYTdGeyyDqPXOxmpelfLTB42Y9RinQY5RZaOsQZhf0+92geBFsJTUv7qqcZ4V62q/+2XMZIql8YkWLVgQCrGR2d53jNxnQy7u0wXfrropU68IR9I5dtwxRbdRV/WbnZK2L7NdG40b5hMTYBfXa0usq5tMVR5pZpYPs5okHTcR0+3QACuRKWnCMBEmPsjQsQH69TwyMifJzKIJjAKJ8MGOUWZS6wnWC+7Zl0s3vqPJFMnnyDKEvtjqABG0ieYku9HxbP2G6rv94SkC7EIO7OabELwQG+CSsmN8iGaVYVAbCfSpzjcNJ6fJV7gAUzxB6SnifoNaCTk+lOxjLSPHIUwmzJFozySuk3A9ss0pbKPxQfhGJSxyEQ0Y3NbnxzAk5YKV8JLlT46GyqWd7+mR2cWC+cwZoBQgffmsceLGxWimpQizBg3HgeGmUoU+lxqs46yzcJQKX6BC4d5oaVNxtFRf66HBAILhNXwP1XQLxTT4VCExCpuDpCaTVv3yPpAK9TIPdWNAHckjOdoj7ig4ovRAN+Lf2hMJA9HCZ7xv+g7YeL0Qdj0djFZKPnQGbwYhXen38e5vrMuUh5X7CNF31ZBi+2oIBdk724Fy27eXsvH0VWUsyVaIwWxD3L8JF+7LUTmUp8TmUMdrlkUqTDW5ldSqjpfBGmhc55TE9S6pDGBzCbl04GcLUiQoCzYLKaA5UhPVetuTyeF72CxowFAcGu+UVWUOl2EguCq6HbO5tbtV1dgPBzukpJR6yrYYkbmCVTxT3L4o4rNXtODikx3+sCgssvp0q7iptFXOuSHOqXzx5YIdE7Nj+p/wQQMF6jLs5C/7bcbCNLb48EcgEoWL4XPSSQvLB/3CBmpD8lP4i7TOZ8J/mZBGbVccdNlNS0Vl4S1Q/yZ/Eec32YKQgpw9eea7QkWAJ2BjZBXATQ1sygHM1a7vzC0Z9N4zwB8XwcmIxN8csWiJG06nuIjLhpji9R0wki1TKNsqhfe4aBfUujd7MTqleJhlGc3mbACRe92Pczi+ZmCSul45izXwSbcspns2csRRwdUSr9f70EafxHEXupnhpSmbS/XFRckOKpxS+Y3FnfbEMrGTNW4LfbYPqzfsMd1f060hd0ygpZg32iUtcPrRnSsitbRiMVHs8PEW2rbKi/wYQ95OTz9rV6njLQg6a6lR/pfQwF4SHmplug0lRg8/tkdm9SXDXXMX31J7qFJNVejT7a7lNnAQcOV+ZFizg0JITyfNYVqr2HkSFAsmejuYYpcRm1PVWUZygYkvz5dXcaBbWYnx48e4IiDoaFjmnVVWUiowBwM9wG2KKwzx2LASGy0dWqqekuBO/9+3gyRvm6cFILtzAgyaIbvOukOOZhCCVVRqemJLQ+M17HnZFLWbKcDu6kxK2KemcGuyMNoLhcFAYZAkh3pO81Q9Iz6FvESXOmdlzhsioVTmVmCoNJXs3dqsxyr983sLbSnSCIf52TcDkMuj9PEWFZhGqqEeB/F3M3ttnLFEjkaVQH0hxDo1VoeXwI7PngTWfsvg5bDp8DJR8UpRCD9iiMrBv+8rvWBqWFGSw3fkdNDiG77CddgLL5FAJPkL/j5M0VVDoQTW2mrkTKJg1KY1yH+OMUt+60G+d1OMFyk3s78d14dyJkypUd0cOdgIld4h052q0iZhIDvV32PUzfIMOeTEjADOzMFqEcWdr6vb6N2iNi86puImNiosMaKdAr47GTAsPgXklt9+ILIhkFucL3mjGoFwkjmQOWKAH/Oh1RliXpd8MVU8C0pqHAmE8lp7T6PtYNzdLvaTWS8yn</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</samlp:Response>    

Získání a ověření odpovědi

XML odpověď (saml:Response) je od NIA přítomna v HTTP POST datech (poslední krok u NIA je odeslání klasického formuláře)

Tato odpověď je v POST klíči SAMLResponse a je enkódována base64

Následující kód představuje (a v komentářích vysevětluje) jednotlivé kroky při získání a ověření odpovědi

    
        use SAML2\DOMDocumentFactory;
        use RobRichards\XMLSecLibs\XMLSecurityKey;

        // můžete použít soubor https://github.com/otevrenamesta/eidentita-example/blob/master/webroot/tnia.crt
        $tnia_public_key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
        $tnia_public_key->loadKey(file_get_contents('tnia.crt'), false, true);

        // pokud není přítomna odpověď
        if (!$_POST['SAMLResponse']) { exit("Chybí odpověď v POST datech"); }

        // získání z POST dat
        $post_raw = $_POST['SAMLResponse'];
        // dekódování
        $post_raw = base64_decode($post_raw, true /* striktní validace base64 */);

        // pokud data nejsou platně dekódována base64
        if ($post_raw === false) { exit("Data nejsou validní Base64"); }

        try {
          $post_dom = DOMDocumentFactory::fromString($post_raw);
        } catch (\Exception $e) {
          // UnparseableXmlException pokud data nejsou kompletní nebo nejsou validní XML
          // RuntimeException pokud je v datech neočekávaný obsah
          exit("Data nejsou platným XML");
        }

        $response = new Response($saml_response_dom->documentElement);
        try {
          if (!$response->validate($tnia_public_key)) {
            // false je pokud není žádný dostupný validátor
            exit("Není možné zkontrolovat podpis odpovědi");
          }
        } catch (\Exception $e) {
          // vyjímka bude první vyjímkou z potenciálně mnoha, která popisuje, proč podpis dokumentu není validní dle
          // daného veřejného klíče
          exit("Neplatný XML podpis");
        }
    

Dešifrování poskytnutých uživatelských identit (saml:Assertion)

    
        // konstanta RSA_OAEP_MGF1P definuje algoritmus, který NIA využívá při XML přenosu šifrované odpovědi
        $local_private_key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'private']);
        // načtení privátního klíči k certifikátu, kterým byla podesaná žádost o autorizaci (saml:AuthnRequest)
        $local_private_key->loadKey(file_get_contents('private.key'), false, false);

        // získání přítomných autorizací
        $assertions = $response->getAssertions();
        $encrypted_assertion = false;
        try {
          foreach ($assertions as $a) {
            if ($a instanceof EncryptedAssertion) {
              // získání dešifrované Assertion z objektu EncryptedAssertion
              $encrypted_assertion = $a->getAssertion($local_private_key);
            }
          }
        } catch (\Exception $e) {
          exit("Nastala chyba při dešifrování XML")
        }

        // pokud nebyla nalezena žádná uživatelská identifikace
        if (!$encrypted_assertion) {
          exit("V datech chybí identifikace uživatele");
        }


    

Takto pak vypadá Assertion element v XML

    
<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_0c392a8c-07ab-4780-9bb4-0cee63dca609" Version="2.0" IssueInstant="2019-11-28T15:41:05Z">
  <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/225171f6-4662-4f04-a889-5e9b1870f608</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2019-11-28T16:41:05Z" Recipient="https://nia.otevrenamesta.cz/ExternalLogin" InResponseTo="_4e1c9abc-74d6-4827-946d-83de8adf6a55"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2019-11-28T15:41:05Z" NotOnOrAfter="2019-11-28T16:41:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://nia.otevrenamesta.cz/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2019-11-28T15:41:05Z" SessionIndex="_139703d8173a40e180636c52448ca2a3">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>http://eidas.europa.eu/LoA/substantial</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="tn:CurrentFamilyNameType">DVOŘÁKOVÁ</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="tn:CurrentGivenNameType">PAVLA</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/DateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="tn:DateOfBirthType">1955-06-07</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="tn:CurrentAddressType">PGVpZGFzOkxvY2F0b3JEZXNpZ25hdG9yPjEzMTwvZWlkYXM6TG9jYXRvckRlc2lnbmF0b3I+DQo8ZWlkYXM6VGhvcm91Z2hmYXJlPjwvZWlkYXM6VGhvcm91Z2hmYXJlPg0KPGVpZGFzOlBvc3ROYW1lPkFybm9sdGljZSB1IETEm8SNw61uYTwvZWlkYXM6UG9zdE5hbWU+DQo8ZWlkYXM6UG9zdENvZGU+NDA3MTQ8L2VpZGFzOlBvc3RDb2RlPg0KPGVpZGFzOkN2YWRkcmVzc0FyZWE+QXJub2x0aWNlPC9laWRhczpDdmFkZHJlc3NBcmVhPg0K</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/isAgeOver" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">True</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/age" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">64</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/countryCodeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">CZ</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.eidentita.cz/moris/2016/identity/claims/tradresaid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">PFRSYWRyZXNhSUQgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLmVpZGVudGl0YS5jei9tb3Jpcy8yMDE2L2lkZW50aXR5L2NsYWltcy90cmFkcmVzYWlkIj4NCiAgPG9rcmVzS29kPjM1MDI8L29rcmVzS29kPg0KICA8b2JlY0tvZD41NjIzNDM8L29iZWNLb2Q+DQogIDxjYXN0T2JjZUtvZD40MzQ8L2Nhc3RPYmNlS29kPg0KICA8dWxpY2VLb2Q+PC91bGljZUtvZD4NCiAgPHBvc3RhS29kPjQwNzE0PC9wb3N0YUtvZD4NCiAgPHN0YXZlYm5pT2JqZWt0S29kPjE4MTM8L3N0YXZlYm5pT2JqZWt0S29kPg0KICA8YWRyZXNuaU1pc3RvS29kPjE4MTM8L2FkcmVzbmlNaXN0b0tvZD4NCiAgPGNpc2xvRG9tb3ZuaT4xMzE8L2Npc2xvRG9tb3ZuaT4NCiAgPGNpc2xvT3JpZW50YWNuaT48L2Npc2xvT3JpZW50YWNuaT4NCiAgPGNpc2xvT3JpZW50YWNuaVBpc21lbm8+PC9jaXNsb09yaWVudGFjbmlQaXNtZW5vPg0KPC9UUmFkcmVzYUlEPg==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://www.stork.gov.eu/1.0/eMail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="tn:string">info@mawis.eu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/225171f6-4662-4f04-a889-5e9b1870f608</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
    

Obsah netriviálních atributů

Výše je vidět, že pro většinu požadovaných údajů nám byla poskytnuta odpověď, některé elementy však neobsahují triviální obsah (text, číslo, identifikátor)

Obsah těchto elementů je Base64 enkódovaná podoba XML obsahu, který by měl být validní podle XSD schématů uvedených v příručce SeP sekce 8.4

např. CurrentAddress (typ CurrentAddressType) (XSD)

<eidas:LocatorDesignator>131</eidas:LocatorDesignator>
<eidas:Thoroughfare></eidas:Thoroughfare>
<eidas:PostName>Arnoltice u Děčína</eidas:PostName>
<eidas:PostCode>40714</eidas:PostCode>
<eidas:CvaddressArea>Arnoltice</eidas:CvaddressArea>

např. TRadresaID (typ TRadresaIDType) (XSD)

<TRadresaID xmlns="http://schemas.eidentita.cz/moris/2016/identity/claims/tradresaid">
  <okresKod>3502</okresKod>
  <obecKod>562343</obecKod>
  <castObceKod>434</castObceKod>
  <uliceKod></uliceKod>
  <postaKod>40714</postaKod>
  <stavebniObjektKod>1813</stavebniObjektKod>
  <adresniMistoKod>1813</adresniMistoKod>
  <cisloDomovni>131</cisloDomovni>
  <cisloOrientacni></cisloOrientacni>
  <cisloOrientacniPismeno></cisloOrientacniPismeno>
</TRadresaID>

Přihlášení uživatele

Přihlášení uživatele je pak na základě poskytnutých a ověřených informací od IdP plně v kompetenci vaší aplikace

Pro odhlášení uživatele je nutné si uložit (např. v databázi, session nebo cookie) obsah atributů SessionIndex elementu saml:AuthnStatement a obsah elementu saml:NameID

Odhlášení uživatele

Odhlášení uživatele provedeme vytvořením XML požadavku typu samlp:LogoutRequest a vytvořením URL pro odhlášení, stejným způsobem jako jsme vytvářeli URL pro přihlášení

Obsah LogoutRequest

<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="913965b3-06f6-4933-b56f-750dbfc9ac02" Version="2.0" IssueInstant="2020-08-03T17:34:56Z" Destination="https://tnia.eidentita.cz/FPSTS/saml2/basic">
  <saml:Issuer>https://nia.otevrenamesta.cz/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#913965b3-06f6-4933-b56f-750dbfc9ac02"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>3DOV8Qlc21LzO2NEtDMMNnV4GQwqUQ5lHejwD6J5hGI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>inDxRa43Tv1gVzVgRzZcJ8J2+fd506QdGhQyoTXlNrfCdiKfIoK5h49YD9c4J8TNt4LgtAsRKgAKtD0qdXH55D6J6UqEbOZtP6yGjQNZZukwMV2Q6DwoBeCXSUPi1vDg9uGbuLS4P53WF7WTK0Ri/jgpIj0PhJgCAsdL8BSioDIyfu614et53/ymN0mIdZFknPo/KR7kvO4/uDCPQupC/bGBUBjJDIys3FN1hHgIyke/OqhdRHRNHB0NE1peIvuhJT0B/owe4Jb3X/E3lRNa+ZPIjZDHVz++2h07qYaChegCU/AxSSavnHFZE7bx8t0DRCo9Bip4MKgKNQV+B0S8Ng==</ds:SignatureValue>
</ds:Signature>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/225171f6-4662-4f04-a889-5e9b1870f608</saml:NameID>
  <samlp:SessionIndex>_139703d8173a40e180636c52448ca2a3</samlp:SessionIndex>
</samlp:LogoutRequest>

kompresí (gzdeflate), enkódováním (base64) a urlenkódováním (urlencode) daného XML, získáme následující textový řetězec

lVXbcto6FH3PVzDOY8ZIvmJ7Ah3AAczFARtoyssZYcsXYiywZCB8%2FZGhSZOctqed8Yu291p77SVp6%2F7LaZvVDrigKcmbglSHwpfWzT1F22xnjUlMSubhfYkpq%2FHEnFqXP02hLHKLIJpSK0dbTC0WWH57MrbkOrR2BWEkIJnwDvJ7BKIUF4wrEGqO3RRMSTF1ba2IUI90UTUVRVxreiQ2NBiuo8BEAZSF2vJVNGfgOEpL7OSUoZzxEJShCA0RKnOpYSmqpekroWbzNtIcsQsqYWxHLQBYnqI6TkOcs5ShenAGvak%2F90GlWgZrrjgQWje12sUT61KmaL2CKyxh%2BFDgS1NX%2FD14n1pBQ2r5acwrlwX%2BbkpIrxI4yfF4rB%2BVOiliIEMIATQBzwlpGt8K7%2BE4dPKItKplF%2BUkTwOUpedLOxPMEhLW2llMipQl219wS0CCFbeIT4EYSGp%2BK4CqwieJf8wG1Vel4pYU%2BLagSKQJkjX9yluxejjC3J4A1xae0xRu%2F2hzL03OC5TTiBRb%2BnH5v8I%2BWIjzA87IDocife2Pi%2Fs7wp%2F6dg%2F%2Bq9FOY34K%2FtI%2Fbs7tm2s%2FWJYoK3FLsR%2BXxiwLZGl8fpTdB2ZPJm6%2BVPuz434x07IB3hxtfaglfad5UfQefAm8bcB1%2BekkvW36FZHm9slDqjI%2FSPHyvIy98yoYGkP5Lgo1qM%2FCfjJ7IfOnzC2ibpiOIoeMtEQ1v9lmoA6NucvUccza1BvF7RGz4T58Gmga16cv9g%2FrxxWb6i%2F9zcxdrcrn42Qpz3T7SDq4%2B%2BQvpql0sGOz7K%2FLsa9ONeVrr%2FF1PoJeCjbxztnAaTKMu20ajo2OnxLbeYlKXVIx0xTwsnXh1glXved8SsDIazwfHlVQ2t3prNx1wbrfWXQ2Qw6hSs%2BVkkHsvDxj8LhPQm%2FguYMOdB%2BkHXYOZTKcww4gR6wO18oTeFAyz0V3q6mzWdmD5fnuTk5gY%2F8NdRMcdxegffJ9dMgHvdVDY30yGLS9LjE76U6djOKRO1vedaBvuHGz%2BWb9O69vPgZ%2FDBmXzxLHrvX4sULs95OziqShGF1SrV01Einjo0xodVeAf7KsSQ2pumi6LotqBFURGYYpathcS0YDRjo0vs%2Bra9U3FTvLx7QasE4e4lPrH35tG1AJDamhIBViyYC6ogearKpGgGSkXFk%2BoW5eox%2BektbNvw%3D%3D

Ten následně spojíme s URL adresou z metadat IdP (SingleLogoutService s binding HTTP-REDIRECT), abychom dostali výslednou URL, kam uživatele přesměrovat

Krok 4 - Zpracování výsledku odhlášení