Takto vypadá XML podoba odpovědi NIA IdP
Odpověď by měla být podepsána známým certifikátem IdP z metadat nebo z jiného ověřeného zdroje
Odpověď taktéž obsahuje šifrovanou identitu uživatele v elementu saml:EncryptedAssertion
Hlavička saml:Response také obsahuje informace, které můžete použít k validaci odpovědi nebo implementaci přihlášení uživatele
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_88d526fe63dd417ba4c776951bf04a9c" Version="2.0" IssueInstant="2019-11-28T15:41:05Z" Destination="https://nia.otevrenamesta.cz/ExternalLogin" InResponseTo="_4e1c9abc-74d6-4827-946d-83de8adf6a55">
<saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_88d526fe63dd417ba4c776951bf04a9c">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>D4S7pdbfP3yZVUyIhS4kSI6tw4gAELJf1/s9AoDy6Mo=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>kWMjjpd1gkZ+tZPFKBQI1Op9eIPel0vvwoUVnojqANfyhrLBYDwSf2QTz9KN/gfJj4O9/PsEhPx6zETAqA3weCpvrdToygiHAifxyyH5xPd0MS06E56b1svTPHkyhTn6OJFkizGxR0/v/k2yMoWsRRgRWIdu0LliZOLfPgKIcq+sToqFICr/IURBjyjSXXjmcu0ycPJKdMWaLh+9qVpUK4zWIcn5WZt34yPbpnBEqGJNnoyvCiyWDRfPObIWturEPpnwe6kjtWfagNrMhc/sZLaNHuT33G4qrq02mkWMEEfuFa4V2m9zxYzSou/+Ov0d3O7kLFMIsqaJ6nbbCct1zQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIHSTCCBjGgAwIBAgIDTMtQMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNVBAYTAkNaMSwwKgYDVQQKDCPEjGVza8OhIHBvxaF0YSwgcy5wLiBbScSMIDQ3MTE0OTgzXTEiMCAGA1UEAxMZUG9zdFNpZ251bSBRdWFsaWZpZWQgQ0EgMzAeFw0xOTAyMDcwODE0MDBaFw0yMDAyMjcwODE0MDBaMIGIMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNzIwNTQ1MDYxNjA0BgNVBAoMLVNwcsOhdmEgesOha2xhZG7DrWNoIHJlZ2lzdHLFryBbScSMIDcyMDU0NTA2XTEWMBQGA1UEAwwNR0dfRlBTVFNfVEVTVDEQMA4GA1UEBRMHUzI3NTczMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOMUgr5xxTIUWwIRUaTSBOhmdVGsnor30KE/vX2IaOzczQpQUiYNUYsOwt8F4FHFXTV/ccA13Bd235qAtLMXTqzlD+DuPcJpx9eui3toQ1iHjjtuIBnsy8cO4Alzj1mzVs5NNtWMs7vPRgh/sTY4veDAO3MpXvaXg8APAPwv9b4zZecsRu6osu/KpsI6NX0yLsQWbZXAKa8FgEkx7qWcythfPGNgGUJa2saBuchTjmERSV7xLoxihsjgBcMjWX8SOAAQEOjgzmY0AXUVbYE174hjM4oWo9iDvpqqApx5W4oRKnrt2Vo/nKIySw/MDpPOwpBAXkmeFEA4zEaJVObjCOcCAwEAAaOCA+IwggPeMBQGA1UdEQQNMAugCQYDVQQNoAITADCCASUGA1UdIASCARwwggEYMIIBCQYIZ4EGAQQBEngwgfwwgdMGCCsGAQUFBwICMIHGGoHDVGVudG8ga3ZhbGlmaWtvdmFueSBjZXJ0aWZpa2F0IHBybyBlbGVrdHJvbmlja291IHBlY2V0IGJ5bCB2eWRhbiB2IHNvdWxhZHUgcyBuYXJpemVuaW0gRVUgYy4gOTEwLzIwMTQuVGhpcyBpcyBhIHF1YWxpZmllZCBjZXJ0aWZpY2F0ZSBmb3IgZWxlY3Ryb25pYyBzZWFsIGFjY29yZGluZyB0byBSZWd1bGF0aW9uIChFVSkgTm8gOTEwLzIwMTQuMCQGCCsGAQUFBwIBFhhodHRwOi8vd3d3LnBvc3RzaWdudW0uY3owCQYHBACL7EABATCBmwYIKwYBBQUHAQMEgY4wgYswCAYGBACORgEBMGoGBgQAjkYBBTBgMC4WKGh0dHBzOi8vd3d3LnBvc3RzaWdudW0uY3ovcGRzL3Bkc19lbi5wZGYTAmVuMC4WKGh0dHBzOi8vd3d3LnBvc3RzaWdudW0uY3ovcGRzL3Bkc19jcy5wZGYTAmNzMBMGBgQAjkYBBjAJBgcEAI5GAQYCMIH6BggrBgEFBQcBAQSB7TCB6jA7BggrBgEFBQcwAoYvaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6L2NydC9wc3F1YWxpZmllZGNhMy5jcnQwPAYIKwYBBQUHMAKGMGh0dHA6Ly93d3cyLnBvc3RzaWdudW0uY3ovY3J0L3BzcXVhbGlmaWVkY2EzLmNydDA7BggrBgEFBQcwAoYvaHR0cDovL3Bvc3RzaWdudW0udHRjLmN6L2NydC9wc3F1YWxpZmllZGNhMy5jcnQwMAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLnBvc3RzaWdudW0uY3ovT0NTUC9RQ0EzLzAOBgNVHQ8BAf8EBAMCBeAwHwYDVR0jBBgwFoAU8vjMKldh2isXM1nlgi3sBhyKT0owgbEGA1UdHwSBqTCBpjA1oDOgMYYvaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6L2NybC9wc3F1YWxpZmllZGNhMy5jcmwwNqA0oDKGMGh0dHA6Ly93d3cyLnBvc3RzaWdudW0uY3ovY3JsL3BzcXVhbGlmaWVkY2EzLmNybDA1oDOgMYYvaHR0cDovL3Bvc3RzaWdudW0udHRjLmN6L2NybC9wc3F1YWxpZmllZGNhMy5jcmwwHQYDVR0OBBYEFBKPDkyFzQEpVZr7QC19lahjYcRUMA0GCSqGSIb3DQEBCwUAA4IBAQA8VcUDtRLwPZMdDuAYqZMPKJwo+WwCb9IXwJ8wYBPT2WNzocQGGnYlws45zLHzUrwEGlhNEpFmORqvaTL9E256aNqOkto7K44MEPZriV9vXw4mtI0AF1emFrhJcLZVp7S5uWVibo+SiXufqGC4vaF4I/WZaXwd7eKt7C/bT0cDN5HmU1oVaJNpDYbox7wLNLmL205KUHCvCE5gMhyEPyqPRinYowQgYOP8P3dvLV5mbEiv6gb7kmCyfxEyFdrGBayKKqoMQRKBLK5h+lNJeZJ6QiyiVhSG5xkz56StwFsz+LuTv/ZoVfbvYUX9FPD0VhPomj/weoUtipqMKfgbeePU</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=https://otevrenamesta.cz/</X509IssuerName>
<X509SerialNumber>339515564547102863359567045846017369340</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>EjzSzCXoMYigHJSHBxnKZwHfUKVfl9lmku8XW5L0Jlfaja2E10BglcdIeH5R8nyBB3cl8/wRVX7NhYJpIG2p83QkBPN6Y+ecWvwydtXL2Y5iVD/wB2l5YM1LU8QsudD9lcm3mZCMBkJqVflz1dPWa5nGr6A0moWZ2j9DXxYrC0B7uIEv1C/LojhkdTgvT47pjYxjQdUzmcjduV8VVZ7YxhHX3eokcMyoX0RmHvoRreilpbqjzF6SnaZWHuqXCPHaeWBQ3Lzyoo2+pQqiL44AGme/HwGM/Ic5+dL/u67MJNWmgaAnzLsWBQa6fO1vY333jtdGc9BoXyOE9qqreDanug==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>pbWpjBMTRWEFw/dNroIUm7KgJg6ztj57tlSQdw4AOiXausrDYamlajEjdt/nLm4v+yc+gw8M3XWU8ucswW3TlrJ+6NWZExpcyN/1f3cZGBeCDrIdhiWLccajlnrpTQ1eft+bbLqZJB4lPc0Fwyy6Y8KoNUWbsiJpLNWeT9jhwuOmogGnCI+HA0VON94Zqetzi2pfclvpiMI6tHecf8Tcsji4NVQa1+NOjqlvEO9Z/VtmJOG2ajN3Hx4XUX2lAu21UdE4CEQaoN/y2kb3WtxLOcS6BTqMReiwMhBnK0YFuKXnPyH4Dtmdt33JCahAhvn22dLFn2RC/xsomlB+wHDJPsdPJv18L+MWd6OhGbo+f5dKId261wnqhbDlb5aaoDFr1DWKOAW54QixWlgKQ9/xk8TvpMvMg/OymV3wLj8WKEovpqRov6d7Pq6D/tL/UPekKv9vTtLWwJjkhWojDHgw1piBfpPpwo+hcWjgdsjOmuAyIT9fF5COuquNLuvwMmuHAH42gcPa0A3dGVqBm/IhE5BzUZ7nQfSiioH+LXBVKXrgFNALrUE1s7xWgqM92RzU962be8DCGvNXk2Wwsn17n19uuxgs+vWW5pUvxgJdCsXzfboM5QQZvg3G+fiM1DJQmhYTOtQXpd+yiJDQSIA6mDusrf6+qGbOHRVy9ZqHolMO7LcSi8Ide+UBhHvd9BJQidp5Rub0LlTC/47UkeWiBkAppzViIkjfNtuKOa8Qm80LkanAM4FafLwHgdaDQPaB74zYElBSZjg4dG2IvcrWcNpOMQuB3Hal+IDpRTequXTwX+QHQ8DUBlPfBycs1aujAIPDohUK8/zpk+y0yhxNfHLadgJSnPAOdGxc9ZxaZ0KrEDhCKS6u5ocMQH3YbFuolTxV6/v2dSgs+IGHmA/8Anv1NrydrinDnnaspxLhZgWchg2w91sjsuGxWfmhMaFC8DjY+/coRSvzsZXWKugD94xdqzZgTjC9wZLQKfn/A1qdFt3qpRIQHK0KvV7qHukvxaF6UErv9arLs7BZ96a9Vg78XjbJCJAj/Mi9+9ILf/J+oInD0oSrL4OPeaXYiWsg03Y9ggVIhXpufBvkHAd8IqssZ4jK5tZFshNKMM0zrvz0yiseRnubrfVLtbCltppxk+RwZCVJYSvjLC9ZMAQVooyEmW05MXOjtdQ6d2UMcVrdVlDKyT4FiSKyDFq9mtzsTvZPp9L/LFnnpZcUz4VZy/AHiBWYcKcrre7CvBg69I04H4G4Tdtxxv5niQ3Ba/gCni52H3GemZlzHWXHv4TWXwwDTYSOsoMpwbmKEF1aGA/+/DKeP6HiZ7TgmENpWtkovi5YpyQpaHGgFCEgmu9gjXHj3w7+gFGHElbtW1I4G7FUNfFC4l7L5xCV/y6ABeBDFsviAyi1BOn2qhHFz1zsCLk4kZOUeIFSbgQXFrUsEAEBEsBmK3IPeFCM8SZG/6fWaqfg2R9qASPMYz3n3DFMbrN+PQ3bQ+GOQkImGnX/szvUxa9EopbicyNEvoufO9baorkly/4PtJoT9v6CMRFk0Ez9MdSIfOh0rzf6M2IK37faAU55WBElQ+29GZU/8M8Rwj3PRQxO+nnM/pjycO0T1XN9rfaKa6OeaaJZhJzxD117oYoKfaPU5u+qSRUUxUW5+Dewfb6VTIZBXKyovEcX9pmjBfrd331KaD7kBP/ap8mZyOQj0fc36APh1z0miqlKczcml6M2us0t8ZDS9blA720q/INqXQwMj0BAB9atDatrl4mzcS7ZLdbE3Y5vBjW0E9lUYvex4WGNc3rhxgGxeoyh7r1CcGKB6RWgASC9x46s9YKIzF7jFVoa4ozYNB2HbmA54lLsEUwfLl/DH2/nLA1shQYwzOlt0c1RkqoiJkIVsWPnYPw99IGhlad6GVDSF5EPLl2a6JIkhmDWeL30LnqByUlY+TWTdzKTLM4Ff81LQb/df6mjPdzyLjmOdfdnYipUGMsa/mql1VNRisTi3PvUuTpxP8Jql5Qhp/bO5g0Z+l4+YPQ1kiZN3QRV48oaCVwSlq6M7XE/XCnjSlNeoaxF0/Fd9BQsnNDzHIGOnfb7z3Z2cLjGJG0vIVdg/Yk33dYkPFtWu1qQr1lxyFGSfvpINPi3UpPQwB1C6lCDafWgBx90RohGT+jKEVllSfVI4P90/6cLIqjADcKAieQAysEfVFR9ibxgti7ItgKN58MHAqkqNZkNRRA4q4PMn5f9nZQqBh6J22+jUVIyOyoxxQCUaND9QfjO+B86rzeSJ9qNPzvSrJ9mCzU4C4cnQQ1ZNqHNDyWj3h6QZdu/x57zoYIWbyjVPcijFz/pyPjnOxs9+cWzqp3XR2SyczHvcEGkZUv8CV8zglT1ZiVf2tUva3e4sI82Cvlog0GJOmb2eDXhvn8yf0uldlmZLDGgL9rAK9/za6AWz2K3mN2/A44cS7khA/OLCtmNRXD4SP8Qz9OvdVVcaWLAe2PlUawMgGGnntEN+Ji7z/s0H0RTpSfHa7Z2hWxBzKAPcnazeMBaisDUWfb/lqkxfE7Qa0rjTIJQVC9pOwCwhrq4MA0o+dbNbksXYBiErj+f2/VQnzBryiyH4az/q7AQx0NdG18TIS9XcWAHMpUGGABdCpsJ1TqpOeNGuVAHF8vMhKcnN7p/b/I8WNs/dLcIw71PQ3tJeJ1PnCQ7PV2TyvUCYQf/RaunP+Ft7L2S6X/MwgLKJ1nBaSQG1NcM4p8jk6wXcOp+Gf6FLmyxRBz+3PJhn69a6zXBYDM16QZxxA9jAviwCzFjeUbcIgLuupc+gSlStpBMfw2cMZO/K6w6DjlPnASkfSMqUygHUNY3PaLnLxAVxi6+JDDwwtUfdPPMXGV0vlHqUSiqyw1gcCmhqrt9+L65tmd5QpgF3nZze+qSN7Gh8T7ELPmN/8nj7X3VIVVK9Cwt/Yy5GtPvnirN95ev+Ws4oj4RqYv3a8xdl9/iPiQLJLlbGuUlJKOltirBmqgNMX0jS65uHyKETLv+IXgECoZS0CdV4eCw5gqyEKIHXdrGA+jcySkkXiSFP0Bgxw/2Ezu+wIv27VXKqA1PzfFnrLj/GL+79yArzGYjkZ4xsTmYFLA9ILM0diLR/362e5lfg+lwmfjH8syXJDtCBmJHQDAsf2w0UO7uEdho0ID0ubWu2vLCkznDp001GxhrGhwXAE8pMMbg5I/NIATn60qbrIBCADSR60yN/KwrH9pAKrBwGWSgFJzSPlay1gtBF38L/8vyFbLjj21VI7Vg6Z9285+xxKpTO+rm0uNBmk4BtDOSoEfaMeHdSjU/CPgBqXeCgzdVgGceI+ZM24DgF2mi6OxvCAh0InIChfVD8bLzae6TslNSDaKLV1gH1ReedmgrFtIKSpj6+FpzQMw1Vncjb9+b5sxV2elYX5dFh24qrIoDAzkr8UyQNEX59O5c4DaelAJy5IefremF+N2bjvfn8rm35EZwjbQm2zV8w7gxnBIWo+zl9pmyzU0JxrOCDrqyOS40+RFTC7ho5kxW1SaKPYBEyB4+vQr/g5fhx0LwTPdNKhqFnqU8uohjwddOpkxo6+C285TukZF4jDbH/PSfKpEEZlwGcCkbN2sniKvmjrh+Z4dLSsmJDFoZfHttQfiew+j92E15o/eBoUaedVloZPqAsX+FlHjxEa8IG62sMziP0D65g0Fd1hfG+28GJO+HKXC/e1VujsrGJZcJrTnHQBW5VKc9nFhy45mOdrGzTk6LDjlC+bdKooGgdBNizBVHIFz/85fVf6XB7zSvjbVOOt3hS0dvczkzh2yO6aLUOrwqcit5hytlzSeVBjhIS/37nQ6aZjgstSmEvjmFJMhr/H9XMCSXqcLBjxWq27PM9jBbmwLV2IrCUJcpTRGUgF6PjjzxCbJ1lhn4KM73kserfa3RHyOvvRkmOa4WFtg9//K8VqrFvITFrQRlQysrc4p+FB/M/isEYxQouC/yfWoORRFs/wK6fNawoo0vQsr7vNVnTehgsA7HPUuZ+SA4MVXXxodjpZMTc2tKL6HbXz6b29gL6PrTHF/CtYf34d5vUmvdbV5Lom/v/Kt/e0uCQWPmePLQS4FZZIedWKTt4pYpXhCVRsd8SHNZ1lVyGwc6VEU4ABD3muCZR9JGUlaTDrc83KA6xuOOsCL/Hny3O/yhuHwK9DifqKTVLynZWQBkqSdCBGbhlcllJwQHOOqv5uTxGkTnR/JUHTQo+bgfpeW/iD1GpOZ5JlmeINSxkTgmAq/1um3/jo1++WZcsRNV7lEhNaBVuYi32sUMsUIblbsUmVNGsjgN9qNausutV7TsVh2rLc3RTvb30Zmdb23T//5dI6n/dzTaAEPOPkVZsWmbGTFi/xRKdWYChoMbH1sWXY25GdPFig/H0MxI0TzWf9XMVeTz/4zL+CbcSfIKLbSGoyLn0Mz2GyRMYcheEXWnvJrT+u0r1zsrxYVK1UFX4xnwWGTlT1W43UjZ9TkRHtyiInCOak+JDreFtVWkJwf8fMVObH+mPr2os0gnbsLemm/OQRR3PymU0y8vzjra7LbDBuZWDODPFNPmOb7QBjvQ7RZB9aVM8M2GEgfSmYAk/bpE9LqCjoXogyesdPx88eM/ExiZVgjXQjeqWUDogjjD1XagGogJ63UIsxJghRDZ7LDLCYWzM/nD00rIlBAosw2Kfx9LLMH9r1ZrUzniGbB1SFMr6q7W+o81uITy54ToPrjfK66lNMFgxcLFK8xrEH26EPqPnPWAVrsXvPmN/VjOLr+sbtol9zQx/KtBJvCWa/m5rwCmTBYzcPMVKxE6FWLDnix62n9jTMObMlcb8nyeLtf3xM7gzC1siKlafdpjAo3OLh9H/AFYJ4bqRk6ovhmEJWcDh8X3C55b1dmhqH1WLT9yGHrGTwxIVgvnqZo5pMXWuiajPyo7s4LGk1TAR2wQw7619ilnrNtgVk1IXoMB06ojXh8Gqg8SAZlcWXH1DALfCnhRhFD+pxEZObV1pUhLkWYTB3BrKD/waEi84OSY29JsEBobyActUAwfuIRgO+Rp01+Y4n7kxX+Ob7kqLe+YqutkiTh8CBVXkUgaJHD4LGj1LycWWjmXJDWJ9S2bZ8O0T82bzsrue+IcyycQVcSn7a/5y0URVfIJSg2nFQZPw3xSrbVrGNLUzAdaFw7Pjratdd0uD6nRcHW5tgW1wt3cqY2jyDU1mZS+nEGZbcXTGc69nGNsP4vZeicBKanzZxUwY8tnhG3TjAgWHRUsKoepOY9f/XUSaLsO+uAi+5x/AvFfebL3Nms07TTgL4dCWs62ahKSXUFuULLWchtbLgQyz6jQjdTJilJradqYG/P5nTEUJaOH2fTCPTqNzQp7MJbz8ytjLFe+Nci8IOymq4+gOiwADL2hNKYhjBv13K+mbu/w62wMXRJ/D/rw3aaZF2E2yjJNkE6QWNt/Zk2fKfj4kb4STIkkob8PxPISRQbEwsse0Bh0aHPxajwwXAeNeRR7/97EM7gCTIDQIUzQi+t6dkAtdtxNpaVy1xE93E0Cn6QqL5QEh/6KM+Qlow8Wnc7tq4ghhjgTKNogPC/X4NKRd/rBYmNZW9eSFU0V2SMvfueu8bJPUzN2ZaB/1YU7PwZ++sgLI9GMh7F5dz9Bn8Oz/C1WQ/jlANkX+3homZQI8w1eG0LtzXGwGA7xWrtUDOcal/pv8l3GO3ijI9qPag1E2nJ0xhPDjKAXO71RIo0umb9nhI7caH6PV+196h0hwjGYm7MCp3r1p1LF5RVNParDdKiZL1zJOYvEBBvVumjKP1+PWeo1s3WBu2kFohiAwTmBtLyBDKlWCwRhyUnB6s3Xn66hi8yI5XNQGDb4BUuJY+ouZvfLDS7CdJ3BzdqukRUX5n8vW9rRXuGxajX2hkWqtH3d1mKZ4g6eEVeidBxCUtB1zeLGOnB3C1Xj2EL8mvfxiU+A6cTL6N8KOYDZAupWb+srTpc9p0r2hLBq10jrZWy7LiRhcz9hH42hSnpVsjzjI2YycGYlDdI2+fIW2OlaAZEtOkRO3LxMkAgTbg2y3GotvcBJeFugg9RRrG73RT1hVrtYmdArGVc3YkQ8XbJZKJP+yWvFJV0jFru9LIQvWmas+yMaAT34hcVoN3EVPsi0jxoOyhJI5Jm9cjc+G02Fte8d64LeEqwhK1WJXXjTO/Sa3YZ50PSoLKL5+gvhfWwVi++f4O/byXyh8lk7fCXZZTQ7L1uGeUVfaSU8ax2lAw4mGFQcGmv3ZOLRxgycOuePc4OBWcwBzRnkOBEVst383BB/A/jYLVVJme4L12shpUzL5hTOeNn1ZT15Bc2vfygT//AxRjBX4OjMDsw6MbjVzuPtm6/JqYH6QDOK9yLkyNXWnnPMAp681ScSHJ4cfBdzMWoOgLZPF9kkdA0ZqkYfJW3TnttjqWlXdsprDnCrKyv/1at03Hh6d4JpMThrq3MfX3OJ6MkcASTnQKa3BVEuPFPPpkE+co/y0JOJioEPWqtOt56k3nQYcufjZP4kkgv/Qp9vcYJT/SVKuaVdgXetcpCre2vIYfiaduZubdP+qxGLwcofYdOiy6V22U0Rp1r3AnXwnIRFsr6BMTluRX10yQJUZtcEtYvKb74wjdQwOJI5XKIIRt/mCS2y5qyzg1ddDGv1+fBkVfA2JPkU/pD6pSERVKjOHx9I2yKcumCl9Jp9G2wJVGFrU7ciep7AKTDRMoRCKd0hO6s/0Da7XxdO8ZQgXbOoixlPOF01Mi5jds7SScwDl8VIt/1SLuxkOGYcs1nzFiSVyi4gLxjVZuAfmxS/4QK66LYH+gmzSxef31jf8SZI1AgpD81TrfScp7yLLcHYzbCWXFx/AGxouGQbAaVLiuAM9lY6Bnl01S1tIxF2R8TQVeWaIGLFA7dxM9lko9BSU6IQgiqk3cc+o84QTf79xkWSXlu9/WpOWatT3ViecsK6naTZxfohitCzk7Y7yD58Treg3+Qag+NoSDqZMVadF7SWbLLFiy0sgeu2cFSgPB1I3s99Hjn1j7kscdPJvJ8u0SAgxey4exyunOFEdPiT5Br9Sx/33qgqzXoGZxRFd/MV8FkocGWqhJzwCi35xSrMoSE0cozRwL/+nOEty33/eavLxwhxa7GhJYB6kTqcxdElCTBamBep06cFAMrAh7JeyjlPCSgyR3thxgTpXWYyfjnnwIsvN7T0/7kQ8w42ugF8V8d72RAL9hidByNq9ZyUzgvQXW88b0OPSxwdL5WLeK+kGSpEh0KpIgsSsXCWAEIP90bM0Aa0HvVR2Ak/bVb5HSqeE7yFKU/xQ+yOLaOFLcBywKMPLXVXYNw0tESd3f9D03yyGAW35yxnxAAaUdsYX680gUSq80BHVDto3N5U/5cc2HTTPoWvxxSsw2HN5gLUV195kGGRlm8FzZO+MdC7ttEuLySU0peT42ZWW3X5AqnaPucZ3YaAEEdN1SHTNGkzKPId8ojGexZsqrK2du4WmtZ4S2wmdjUELcvJ5FlyZ8Y4hYr0Xw+7r1VfumkjXmiCL6VSatRA+Qpl3YA7xSVAJ0Voc1KEFr/NH0S4mxJAZQrRJkGZZhbGCP4bzQBC88XqTq7BfMMgGdFjYDunRA0flox9R31JFfJ9uXzEylZy2SXrLXaPx0iYkDcmr8vgt4vzP55hL4Bcu7AiGEYKe3/YNn5+qu1gAFpV2zKvg1J947IkM7E+FX1B2Cj6NHa7Ct2/YCE5+xVJV6jMew9GI/t7k5mFNhMhk8MVFEuqMNDnqUMaM7X4lfBZIgJDqWXoHcIg+7IVHmzk4fhzl/gJfChNHc2irVDs/BISaArWBMJCrtCdiM7yHYbge5ED1cvbFnAtNeEoEGv+kPF8kr3pONgjVxc+LjW6IpzABCXY9PHzzkupESu+UyII0jNZpzeiJIQTcCYo7T/lvA4GnU3rcL2xKVdpAjGHndr8KaBRI5QY3U79KxMsOcQSDun3R4uv5MlC4fEQIY5i/C9UBW1T7F6nTxpKfUw+gpCLR7LKwnQpAnSYpLiHqWdpTiWfWz69sFaBrjy34lsf8cNlUZ2RPL6JthmxW+nGlRb03JIT73t4lQViVbJ2VUXXw8282fMWDeeAfIboFFmLfgn+RJSVnQXGLy+TKwUMKszxUN9drPftjqDRcu4DpWI5Q/QgY/LMoaQxDZvzGh3tmmE28NICHzK7VhvsLE5gZ2xQQi728FFCDPoFJj8iB+wuTOr+ZqPyZXNpnBz2qZIISq6aUpSl1SU1kIJraRfxySK5D0kII+XOI3qVgK2gygFaPBsQOcV+Sm3qa4WZ52D8ygKmuEOv7pyKALLd9CEKy8PlZCPBC4/aE6Hl/XTmYmQhaaxX6knv+GprXMazPadAM48c0zPXiXGkM6XYlbMGdGmo6T2NCs6RJXceEDEeLLCaNubKq7+zLwUh/3lsffC+c+HEc/CNFq1G4llOPhtFNlulmyDnm5w/jkp09P0BWkOifplrFyw+yzr9xUn3HHVdd+AzuJKbHfs2kLM/j3a1RzEcXEBNoMDVpGl3zVpfecUgfHlTh5vnq5I4QGsynFUAl1qvRDkbcaRdc/pstyseNQNhBm6moWASfZ5XHRqbgQAvfzITl24WvAvM5Bi4jEXCmhdHCU0fnDsDjosp9szq00FX48s5EdFbmHaYC7T4KEo5Xys9RELEBbw4lAQjAFmDuFcLVycFwuj5xKRxWDJjD80yEQppK23OkdAEInrmDRgdpEsRBg0A5Bb86A6pGpRJ4VAOZAqmTPu3uj/1VrOaLUH20qapvO4zN3khb6mCvTP37b7MPXsWizbFwp2zOCsZUrCZ6QKs4whC24Lhdf6wvYuvKBdmaXL+UDO2VofwjgoNX8uYVO3aaP90LzsZDwZqFbEg+g/OFdk7OHDihd3kyA2Jm1Xa5nYZxahui22YvLIFf/6phjwade2MCdUx9eWDMmXU8peZbCu+SU1G0Hzf9FSkTIJak3ga8Kkek6CnB4RsLoMwnDlQzxvuuqWpqtWaCxg4yDEL4I/mnK+BI+XQN5KntVoKIAdF3QhM0unxTfSIde6zm/r6cEAj1GEu1dFFsLtIFr5HjxAK+FnpN54OR3ExApUdrlvXKA7HjC3/vsi9uNmpjAXSBm3uwhi9ayVMVbAvcsaR13gHgZyFEzNbDs8q7iV/2dHdJG6FtZSeZvr9XCbHc9cpT2ZZdS5pOQ4W6id9c7CgdAEJI32DA9Vq8oEFklZ6g6Ts5kbY/LFxmb5GM2eqXegoFPVvVK7nQmjQ1h8BdawC6ZuMmIRLSSaAqKT6PnxsYgbj92I392ANJEnSaMgOpg7rEy7SujVF5HRByGpYbppB7Y6I+owvoexoYVyyNJ5RrQ5V3FWXaTqBQKABirtWJltkP/oyQmH89yLV5/EgGERDLuP6BBNuRKO4nvRn9GAIhoLCQj/Cx/1JtZN4C5TSrjwiRGzwzIUQI0373lasvGqqI4EopXiiuS4WZj27OTvK6VxRrs9NAa2j64+YR9PX09qlsNErbToHguIsBDHcEDbSu15cUOnHcDYCu2gA0Ybrh8fUPMJvDxjPsKFQr8bTN47zZRdUYMl2qmRtbq5mFKKGg8OQmA/3of/HRGid8xlsH2xIgcqc1v+ajDRUko6iIvB5ADxBVO5AOiJWjntZjGQg/MQ391aszdU1iEl5Od81q3YLEf1iFgSmm9+heq8B9HZMOEoj9xryOXjX1S9H8oeKjQjYUIGcATRkk+FReWot6cSn/wkA8lDG3LNqKgz6rh0jUPsOadqQj8kJTpznPMXJGnpCHPBpsr0NWMimVF3r0/13XY5H52pXLPgOH47TMfcEfdcPMqqMhB5VtacMMwxK/e3NO89cVg7Da2RjfYlvBf9Y4KgdYWmJhIPpVefVCKGL7Bu7M24sZp829clwFKUyid43g3A6vnVXSIP2xrTFw/mUWeHPkgAZkvbRtPyZjT9GS3B6quXt3aryd0rDia3G64eyUAgOmhzZTiTF7EYVaV017nEobM3ZK6a2E3HeLnbdbLaPOebjxH+oCnPwUBCLwppVAPOWVh7/heIkfulVaaAVtPaU/d83wa7jhiSs9iLAWKFhksPZYQKmiQ1LCbq8D2ExYGvU4nVUR32L7qfhvDte1Y/+ZUggyQU9odh6FJq0KWBY6xtbOcZ+F6dFE0/CbzqLVWgZkMdthFQE15to8Zu38XW7HdnLp6QCeMDzfSwV9wH+4SKPz0er+W/0shHvgKbMHOwO8k/3bFDPwsIuB4nu9fHENCU3fhppHKKjfJdQG5PC7XRxkxP7ZSTj3SjHV7HEj2+qVwJmkG46zSnz/epAWoqQOM1QjMomBTVAmaGa4uGIgx05PABLAVRESY/JoRqe9dLWeK95+aMXZxi5D2i7QMCimpvErWG5t1ZhtaZS76kQFI225LLXwqVUwx9J57TldmlHHg6WV1TFpEPGOKo9PKBmGpYzlHnkJW0udC0Qw8BIlAnyQiCpNvnRiwRa31Ulbc+LJbzHdSUDKVfRW5W/eotqe2eZj7de0FvsoBTBZuYJ0iESUjsTJWyJHavnBi56/9onxxBAA9Qf8WW0wdpamOog5MGuRcjENuAqffvY8wS56kLoTa8cSi+BpGFHx9pG98dNwUBfcTr+vsAvP1IbO9sFOxxF6WGZSx7Iw7NiBgV7UmGUFS/+HjwpaJaaDKiVmC+acU5xqyxf3mRpLasNdojPpkcBFROqfbc4w9n6kmx3pw2vMpoKEvaosG5865emFd3rI56gykC1pxcr9/aKxosyrL0rmNsz1DvpFgtCGo1JdL5je56GJjSsEVGGrxt2fGl2jbsdT34PDsi/HUJxWcpOyXLVvrzvkKSicboG2ewY4siK7qzPY/b9Hbj37DyksVtdOGLha3rtiyhdfD2X7hGDyhlwu7CctFVqkU6BCTTSUcRZIOHEX5pKKyNNtvpxa7vz79MRoJB/vgw6EYGhNFxKRUH2mK0NulMcGAtoldOFpvXQpXB2rCdgEdYWdp7EFJCLmRR/pfufPgxL2GLlJMDovWYdQ0LDtLt+dJjw2L7c73CN8UpSgwWksSpPx88LJVxaY89SfsuPQn8+yMZzO92m1B77lXE6CO9rJ2m5e+ecC2E9NvpQXYQjCcPtvdAYkWz9P7EqPyafFt8xq1YHxWMP9Dh6a3U0nLHIgD6WAqcnSjEe05Ylxn13slQtWKK4FkALzJHtRG9wOkt5GApFRigSTze4VpZ4kJ7uoZbpPZ5Z34nf3yBuT40KNYtYTdGeyyDqPXOxmpelfLTB42Y9RinQY5RZaOsQZhf0+92geBFsJTUv7qqcZ4V62q/+2XMZIql8YkWLVgQCrGR2d53jNxnQy7u0wXfrropU68IR9I5dtwxRbdRV/WbnZK2L7NdG40b5hMTYBfXa0usq5tMVR5pZpYPs5okHTcR0+3QACuRKWnCMBEmPsjQsQH69TwyMifJzKIJjAKJ8MGOUWZS6wnWC+7Zl0s3vqPJFMnnyDKEvtjqABG0ieYku9HxbP2G6rv94SkC7EIO7OabELwQG+CSsmN8iGaVYVAbCfSpzjcNJ6fJV7gAUzxB6SnifoNaCTk+lOxjLSPHIUwmzJFozySuk3A9ss0pbKPxQfhGJSxyEQ0Y3NbnxzAk5YKV8JLlT46GyqWd7+mR2cWC+cwZoBQgffmsceLGxWimpQizBg3HgeGmUoU+lxqs46yzcJQKX6BC4d5oaVNxtFRf66HBAILhNXwP1XQLxTT4VCExCpuDpCaTVv3yPpAK9TIPdWNAHckjOdoj7ig4ovRAN+Lf2hMJA9HCZ7xv+g7YeL0Qdj0djFZKPnQGbwYhXen38e5vrMuUh5X7CNF31ZBi+2oIBdk724Fy27eXsvH0VWUsyVaIwWxD3L8JF+7LUTmUp8TmUMdrlkUqTDW5ldSqjpfBGmhc55TE9S6pDGBzCbl04GcLUiQoCzYLKaA5UhPVetuTyeF72CxowFAcGu+UVWUOl2EguCq6HbO5tbtV1dgPBzukpJR6yrYYkbmCVTxT3L4o4rNXtODikx3+sCgssvp0q7iptFXOuSHOqXzx5YIdE7Nj+p/wQQMF6jLs5C/7bcbCNLb48EcgEoWL4XPSSQvLB/3CBmpD8lP4i7TOZ8J/mZBGbVccdNlNS0Vl4S1Q/yZ/Eec32YKQgpw9eea7QkWAJ2BjZBXATQ1sygHM1a7vzC0Z9N4zwB8XwcmIxN8csWiJG06nuIjLhpji9R0wki1TKNsqhfe4aBfUujd7MTqleJhlGc3mbACRe92Pczi+ZmCSul45izXwSbcspns2csRRwdUSr9f70EafxHEXupnhpSmbS/XFRckOKpxS+Y3FnfbEMrGTNW4LfbYPqzfsMd1f060hd0ygpZg32iUtcPrRnSsitbRiMVHs8PEW2rbKi/wYQ95OTz9rV6njLQg6a6lR/pfQwF4SHmplug0lRg8/tkdm9SXDXXMX31J7qFJNVejT7a7lNnAQcOV+ZFizg0JITyfNYVqr2HkSFAsmejuYYpcRm1PVWUZygYkvz5dXcaBbWYnx48e4IiDoaFjmnVVWUiowBwM9wG2KKwzx2LASGy0dWqqekuBO/9+3gyRvm6cFILtzAgyaIbvOukOOZhCCVVRqemJLQ+M17HnZFLWbKcDu6kxK2KemcGuyMNoLhcFAYZAkh3pO81Q9Iz6FvESXOmdlzhsioVTmVmCoNJXs3dqsxyr983sLbSnSCIf52TcDkMuj9PEWFZhGqqEeB/F3M3ttnLFEjkaVQH0hxDo1VoeXwI7PngTWfsvg5bDp8DJR8UpRCD9iiMrBv+8rvWBqWFGSw3fkdNDiG77CddgLL5FAJPkL/j5M0VVDoQTW2mrkTKJg1KY1yH+OMUt+60G+d1OMFyk3s78d14dyJkypUd0cOdgIld4h052q0iZhIDvV32PUzfIMOeTEjADOzMFqEcWdr6vb6N2iNi86puImNiosMaKdAr47GTAsPgXklt9+ILIhkFucL3mjGoFwkjmQOWKAH/Oh1RliXpd8MVU8C0pqHAmE8lp7T6PtYNzdLvaTWS8yn</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
</samlp:Response>
XML odpověď (saml:Response) je od NIA přítomna v HTTP POST datech (poslední krok u NIA je odeslání klasického formuláře)
Tato odpověď je v POST klíči SAMLResponse a je enkódována base64
Následující kód představuje (a v komentářích vysevětluje) jednotlivé kroky při získání a ověření odpovědi
use SAML2\DOMDocumentFactory;
use RobRichards\XMLSecLibs\XMLSecurityKey;
// můžete použít soubor https://github.com/otevrenamesta/eidentita-example/blob/master/webroot/tnia.crt
$tnia_public_key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
$tnia_public_key->loadKey(file_get_contents('tnia.crt'), false, true);
// pokud není přítomna odpověď
if (!$_POST['SAMLResponse']) { exit("Chybí odpověď v POST datech"); }
// získání z POST dat
$post_raw = $_POST['SAMLResponse'];
// dekódování
$post_raw = base64_decode($post_raw, true /* striktní validace base64 */);
// pokud data nejsou platně dekódována base64
if ($post_raw === false) { exit("Data nejsou validní Base64"); }
try {
$post_dom = DOMDocumentFactory::fromString($post_raw);
} catch (\Exception $e) {
// UnparseableXmlException pokud data nejsou kompletní nebo nejsou validní XML
// RuntimeException pokud je v datech neočekávaný obsah
exit("Data nejsou platným XML");
}
$response = new Response($saml_response_dom->documentElement);
try {
if (!$response->validate($tnia_public_key)) {
// false je pokud není žádný dostupný validátor
exit("Není možné zkontrolovat podpis odpovědi");
}
} catch (\Exception $e) {
// vyjímka bude první vyjímkou z potenciálně mnoha, která popisuje, proč podpis dokumentu není validní dle
// daného veřejného klíče
exit("Neplatný XML podpis");
}
// konstanta RSA_OAEP_MGF1P definuje algoritmus, který NIA využívá při XML přenosu šifrované odpovědi
$local_private_key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'private']);
// načtení privátního klíči k certifikátu, kterým byla podesaná žádost o autorizaci (saml:AuthnRequest)
$local_private_key->loadKey(file_get_contents('private.key'), false, false);
// získání přítomných autorizací
$assertions = $response->getAssertions();
$encrypted_assertion = false;
try {
foreach ($assertions as $a) {
if ($a instanceof EncryptedAssertion) {
// získání dešifrované Assertion z objektu EncryptedAssertion
$encrypted_assertion = $a->getAssertion($local_private_key);
}
}
} catch (\Exception $e) {
exit("Nastala chyba při dešifrování XML")
}
// pokud nebyla nalezena žádná uživatelská identifikace
if (!$encrypted_assertion) {
exit("V datech chybí identifikace uživatele");
}
<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_0c392a8c-07ab-4780-9bb4-0cee63dca609" Version="2.0" IssueInstant="2019-11-28T15:41:05Z">
<saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/225171f6-4662-4f04-a889-5e9b1870f608</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2019-11-28T16:41:05Z" Recipient="https://nia.otevrenamesta.cz/ExternalLogin" InResponseTo="_4e1c9abc-74d6-4827-946d-83de8adf6a55"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2019-11-28T15:41:05Z" NotOnOrAfter="2019-11-28T16:41:05Z">
<saml:AudienceRestriction>
<saml:Audience>https://nia.otevrenamesta.cz/</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2019-11-28T15:41:05Z" SessionIndex="_139703d8173a40e180636c52448ca2a3">
<saml:AuthnContext>
<saml:AuthnContextClassRef>http://eidas.europa.eu/LoA/substantial</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="tn:CurrentFamilyNameType">DVOŘÁKOVÁ</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="tn:CurrentGivenNameType">PAVLA</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/DateOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="tn:DateOfBirthType">1955-06-07</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="tn:CurrentAddressType">PGVpZGFzOkxvY2F0b3JEZXNpZ25hdG9yPjEzMTwvZWlkYXM6TG9jYXRvckRlc2lnbmF0b3I+DQo8ZWlkYXM6VGhvcm91Z2hmYXJlPjwvZWlkYXM6VGhvcm91Z2hmYXJlPg0KPGVpZGFzOlBvc3ROYW1lPkFybm9sdGljZSB1IETEm8SNw61uYTwvZWlkYXM6UG9zdE5hbWU+DQo8ZWlkYXM6UG9zdENvZGU+NDA3MTQ8L2VpZGFzOlBvc3RDb2RlPg0KPGVpZGFzOkN2YWRkcmVzc0FyZWE+QXJub2x0aWNlPC9laWRhczpDdmFkZHJlc3NBcmVhPg0K</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://www.stork.gov.eu/1.0/isAgeOver" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">True</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://www.stork.gov.eu/1.0/age" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">64</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://www.stork.gov.eu/1.0/countryCodeOfBirth" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">CZ</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.eidentita.cz/moris/2016/identity/claims/tradresaid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">PFRSYWRyZXNhSUQgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLmVpZGVudGl0YS5jei9tb3Jpcy8yMDE2L2lkZW50aXR5L2NsYWltcy90cmFkcmVzYWlkIj4NCiAgPG9rcmVzS29kPjM1MDI8L29rcmVzS29kPg0KICA8b2JlY0tvZD41NjIzNDM8L29iZWNLb2Q+DQogIDxjYXN0T2JjZUtvZD40MzQ8L2Nhc3RPYmNlS29kPg0KICA8dWxpY2VLb2Q+PC91bGljZUtvZD4NCiAgPHBvc3RhS29kPjQwNzE0PC9wb3N0YUtvZD4NCiAgPHN0YXZlYm5pT2JqZWt0S29kPjE4MTM8L3N0YXZlYm5pT2JqZWt0S29kPg0KICA8YWRyZXNuaU1pc3RvS29kPjE4MTM8L2FkcmVzbmlNaXN0b0tvZD4NCiAgPGNpc2xvRG9tb3ZuaT4xMzE8L2Npc2xvRG9tb3ZuaT4NCiAgPGNpc2xvT3JpZW50YWNuaT48L2Npc2xvT3JpZW50YWNuaT4NCiAgPGNpc2xvT3JpZW50YWNuaVBpc21lbm8+PC9jaXNsb09yaWVudGFjbmlQaXNtZW5vPg0KPC9UUmFkcmVzYUlEPg==</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://www.stork.gov.eu/1.0/eMail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="tn:string">info@mawis.eu</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/225171f6-4662-4f04-a889-5e9b1870f608</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Výše je vidět, že pro většinu požadovaných údajů nám byla poskytnuta odpověď, některé elementy však neobsahují triviální obsah (text, číslo, identifikátor)
Obsah těchto elementů je Base64 enkódovaná podoba XML obsahu, který by měl být validní podle XSD schématů uvedených v příručce SeP sekce 8.4
<eidas:LocatorDesignator>131</eidas:LocatorDesignator>
<eidas:Thoroughfare></eidas:Thoroughfare>
<eidas:PostName>Arnoltice u Děčína</eidas:PostName>
<eidas:PostCode>40714</eidas:PostCode>
<eidas:CvaddressArea>Arnoltice</eidas:CvaddressArea>
Přihlášení uživatele je pak na základě poskytnutých a ověřených informací od IdP plně v kompetenci vaší aplikace
Pro odhlášení uživatele je nutné si uložit (např. v databázi, session nebo cookie) obsah atributů SessionIndex elementu saml:AuthnStatement a obsah elementu saml:NameID
Odhlášení uživatele provedeme vytvořením XML požadavku typu samlp:LogoutRequest a vytvořením URL pro odhlášení, stejným způsobem jako jsme vytvářeli URL pro přihlášení
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="c7712fd2-e2de-4b2c-90de-bd5d7ea0c650" Version="2.0" IssueInstant="2024-11-21T10:17:50Z" Destination="https://tnia.identita.gov.cz/FPSTS/saml2/basic">
<saml:Issuer>https://nia.otevrenamesta.cz/</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#c7712fd2-e2de-4b2c-90de-bd5d7ea0c650"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>IE8ZPdVzPDnE0y3+IvSXXRV+RtKgRr0zaXKmJd4iHPs=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>DD38VTGCRrGQOEJz3T/1A+9wqpWyLK+thNwKTlSo8+dz5C2nnVdUK0t8dOf8S0rrKjwmRv6DJHlAZ8/E6BGUk5SFNrkH5Uj57ENg5hFBbKUor+0zYAtGoO5etuwi8rZtv4CDpxxrab0/SKPUhPINw4ap+qcXB7WzAcD2QiT4+rTrHtAsvUJMmxfNt5Kx7XQzrPGj0xmH6DoflTe4fg4BR407ptsEqWzLbf+slOWITY/tA/hk08aZ/ar3cc8OOQFv0hswUSBpKAQ6VNzRUOMnzUrzKvx348FraGJOjNtt//bVV42nxwBU7icZOaOY+LsjkauPfqXCPY1br0d2pBH/Sw==</ds:SignatureValue>
</ds:Signature>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/225171f6-4662-4f04-a889-5e9b1870f608</saml:NameID>
<samlp:SessionIndex>_139703d8173a40e180636c52448ca2a3</samlp:SessionIndex>
</samlp:LogoutRequest>
kompresí (gzdeflate), enkódováním (base64) a urlenkódováním (urlencode) daného XML, získáme následující textový řetězec
lVXbcuI4EH3PV1DOI2Uk340rMAWYW5xwMyaEly1hy%2BDEWI4kMOOvXwFDJsnuzs5U%2BcFq9zl9%2BrSqffftuEsrB0xZQrKGpNSg9K15c8fQLs2dB7Ihez7Db3vMeEUkZsw5f2lIe5o5BLGEORnaYebw0PFbjw%2BOWoNOTgknIUmlD5BfIxBjmHKhQKoM3YYUWpaixpEqYzXCsr5WQ7kOxds6MiILIxiaBpQqi6towSBwjO3xMGMcZVyEoKrLiiKrylyBjmI5BlxJFVe0kWSIn1FbznPmAMCzBNWSCGc84ai2IYdaWILexJ%2F74CRcBWshOpSaN5XK2RbnXIk2r%2FgTnHB8oPjcl%2BAQ%2BDvwMfUEjZjjJxtRfE%2FxD18idlEhSIqiqBVajdANUCGEANaByIlYsrmVPsJxNMxi0jwdOygjWRKiNCnPHT1iviVRpZVuCE34dvcf3ApQ4IlbxsdQDhU9u5XAqcIXib%2FNBvWrUnlHKL6lDMlsi1TDvPCeWGc4xsKeEFeC2bAh3f7WfM9NzinKWEzojn0%2B%2Fq%2BwTxbi7IBTkuNIZtf%2BhLg%2FI%2FxX3%2B7APzW6yUbcgj%2F0T5hz%2B%2B7aT5YFSve4Oezaq0m0KCdu1oXfterw4C%2BXs0V1xr3NjMISLb3dfaQngwlrnBV9BJ8D7wO4HL%2FcpPehXxCuq9mLeb8zo%2F3puHtfanOgtKr14i1%2F%2Bv7gVfl2VHjz1Cd2NSqNjppliyjwILejcWz7kFLvpdjNDqZ7P0hbKxt0zXY%2FeDX83oi%2BDozgxbC6o42x7bXXXkBoFZbPLd4nYwPzfZHYdMUPesfNj0eK1hD43iTYToajQkd59S1ctq2nshW66jSZ61U6pwPeYofg%2FnF3jEfc8I7WclrSSf8FHncD0yVxOsd6vNHbMx1aOWfdt6fyYR1XWTp%2BGs6fAW%2BB7Su00QogqoWhPR5Pewe4ZUXgt3OvNTUXo3IWjB%2BzMqCldzhqut2jqH8%2FfhlxDsB6sdDV7Fi0AysJV2M0fq4%2BsJdXtJ%2FEb8vO5FlZUxipeXsA%2FKLReLf%2Bg9c3n4M%2Fl8xI7JKhW%2BmJa4X4r5fnKZJEcnxOdfLTVmRcrDOp2VkB8aiqoVhKbMq6aaqyHkNdRrZdlw1cXyu2BWMT2j%2F21aXqu4rc8TE77dhhFuFj8y9Fq1tQi2zF0pAOsWJDUzNDQ9V1O0Qq0i4sX1A31%2Binv0nz5m8%3D
Ten následně spojíme s URL adresou z metadat IdP (SingleLogoutService s binding HTTP-REDIRECT), abychom dostali výslednou URL, kam uživatele přesměrovat