More tests for XML Signature Wrapping .Merge branch 'tgoddard-master'

Author: pitbulk

test/response_test.rb

@@ -1288,4 +1288,42 @@ class RubySamlTest < Minitest::Test
      assert_equal "ZdrjpwEdw22vKoxWAbZB78/gQ7s=", response.attributes.single('urn:oid:1.3.6.1.4.1.5923.1.1.1.10')
     end
   end
+
+  describe "signature wrapping attack with encrypted assertion" do
+    it "should not be valid" do
+      settings.private_key = ruby_saml_key_text
+      signature_wrapping_attack = read_invalid_response("encrypted_new_attack.xml.base64")
+      response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
+      response_wrapped.stubs(:conditions).returns(nil)
+      response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+      settings.idp_cert_fingerprint = "385b1eec71143f00db6af936e2ea12a28771d72c"
+      assert !response_wrapped.is_valid?
+      assert_includes response_wrapped.errors, "Found an invalid Signed Element. SAML Response rejected"
+    end
+  end
+
+  describe "signature wrapping attack - concealed SAML response body" do
+    it "should not be valid" do
+      signature_wrapping_attack = read_invalid_response("response_with_concealed_signed_assertion.xml")
+      response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
+      settings.idp_cert_fingerprint = '4b68c453c7d994aad9025c99d5efcf566287fe8d'
+      response_wrapped.stubs(:conditions).returns(nil)
+      response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+      assert !response_wrapped.is_valid?
+      assert_includes response_wrapped.errors, "SAML Response must contain 1 assertion"
+    end
+  end
+
+  describe "signature wrapping attack - doubled signed assertion SAML response" do
+    it "should not be valid" do
+      signature_wrapping_attack = read_invalid_response("response_with_doubled_signed_assertion.xml")
+      response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
+      settings.idp_cert_fingerprint = '4b68c453c7d994aad9025c99d5efcf566287fe8d'
+      response_wrapped.stubs(:conditions).returns(nil)
+      response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+      assert !response_wrapped.is_valid?
+      assert_includes response_wrapped.errors, "SAML Response must contain 1 assertion"
+    end
+  end
+
 end

test/responses/invalids/encrypted_new_attack.xml.base64

@@ -0,0 +1 @@
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJuZXctaWQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiIgRGVzdGluYXRpb249Imh0dHA6Ly9hcHAubXVkYS5uby9zc28vY29uc3VtZSIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl81ZDllMzE5YzFiOGE2N2RhNDgyMjc5NjRjMjhkMjgwZTc4NjBmODA0Ij4KICA8c2FtbDpJc3N1ZXI+aHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9zaW1wbGVzYW1sL3NhbWwyL2lkcC9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPgogIDxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPjxkczpSZWZlcmVuY2UgVVJJPSIjcGZ4NTdlYTM0MDgtM2ExZS05YjY1LTYxZjktMDQ3MjAyODdlNmZlIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5wZFhNRGQzTlh4dmRDVnNFaTc3MCtJZVNUVnc9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+CiAgICA8ZHM6U2lnbmF0dXJlVmFsdWU+cjFYVm9hbitSL2RLVTR0a2FSTzRhNjl6UE5SSmVHNFhyVnpGbFdoZGhScmd5dWxjNGE2SHJ3UVJPUno2MGxsQjRlczV0RWZTQW5VTWF4d3FRVXowVmdKNUxkUG5XWmpxeFhTT3NidzNtNUoyZ1NrbmNVMWZUaURpdXVmS1poZUZEZG5ocDdvZzgzRGRORFczMTJVQ2FjWUlhRHQyMDVvZG1LT1V1TGFZbWFFPTwvZHM6U2lnbmF0dXJlVmFsdWU+CiAgICA8ZHM6S2V5SW5mbz4KICAgICAgPGRzOlg1MDlEYXRhPgogICAgICAgIDxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ1BqQ0NBYWVnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVEwRkFEQThNUXN3Q1FZRFZRUUdFd0oxY3pFUE1BMEdBMVVFQ0F3R1NHRjNZV2xwTVFzd0NRWURWUVFLREFKTlpURVBNQTBHQTFVRUF3d0diV1V1WTI5dE1CNFhEVEUyTURZeE5ERTBNREl4TTFvWERURTNNRFl4TkRFME1ESXhNMW93UERFTE1Ba0dBMVVFQmhNQ2RYTXhEekFOQmdOVkJBZ01Ca2hoZDJGcGFURUxNQWtHQTFVRUNnd0NUV1V4RHpBTkJnTlZCQU1NQm0xbExtTnZiVENCbnpBTkJna3Foa2lHOXcwQkFRRUZBQU9CalFBd2dZa0NnWUVBNXhXc25BbUlnQ3drd2JRb2RQNGVpTEFVT1BtdXVybFYyOXdoY0d0NkFjM2h2T1F0bk1tOWdkbE5KcnZqbHY0WmFHM0g2QTBBa3lzODExQW1kbStvS3ZlWHltRm9MRzRLSExNalRNSWZRdktPbDhJZC8rVXZ4NjlaZHcvMG91ZW1oSWFncHcxei9iT1h6TC9pLzNLeEdKZzhud2FWM2R4dGJQTlNGemNEdnkwQ0F3RUFBYU5RTUU0d0hRWURWUjBPQkJZRUZFNGdqbktCNXlKR1daTWN1NWxIbFJuU0FhZTJNQjhHQTFVZEl3UVlNQmFBRkU0Z2puS0I1eUpHV1pNY3U1bEhsUm5TQWFlMk1Bd0dBMVVkRXdRRk1BTUJBZjh3RFFZSktvWklodmNOQVFFTkJRQURnWUVBT3NtUng2dGtuVkRIQzhFK0VhczJlRjZPNEhtMTVZdDVYQWp6SVgzT2lFMnp2cW0zZk9rM0hOamNIT0FJRkI3TWR2cjYrMjNBUlhwWkZLaVMyK01rVXM1d21FekNMcVUvaFJPeWp5ajlQWUcxak1QckFIUE9wV2pWdGxXdUpzbE4yOEk2emlNOHVxK3VpdFRqSWR0OEpaNlAyZFd0b1RtRGdzVlVtRk0wbmFVPTwvZHM6WDUwOUNlcnRpZmljYXRlPgogICAgICA8L2RzOlg1MDlEYXRhPgogICAgPC9kczpLZXlJbmZvPgogIDwvZHM6U2lnbmF0dXJlPgogIDxzYW1scDpTdGF0dXM+CiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+CiAgICA8c2FtbHA6U3RhdHVzRGV0YWlsPgogICAgICA8c2FtbHA6TG9nb3V0UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeDU3ZWEzNDA4LTNhMWUtOWI2NS02MWY5LTA0NzIwMjg3ZTZmZSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDctMThUMDE6MTM6MDZaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2FwcC5tdWRhLm5vL3Nzby9jb25zdW1lIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzIxZGY5MWE4OTc2Nzg3OWZjMGY3ZGY2YTE0OTBjNjAwMGM4MTY0NGQiPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PC9zYW1scDpMb2dvdXRSZXNwb25zZT4KICAgIDwvc2FtbHA6U3RhdHVzRGV0YWlsPgogIDwvc2FtbHA6U3RhdHVzPgogIAo8c2FtbDpFbmNyeXB0ZWRBc3NlcnRpb24+PHhlbmM6RW5jcnlwdGVkRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VsZW1lbnQiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyN0cmlwbGVkZXMtY2JjIi8+PGRzaWc6S2V5SW5mbyB4bWxuczpkc2lnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48eGVuYzpFbmNyeXB0ZWRLZXk+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS0xXzUiLz48eGVuYzpDaXBoZXJEYXRhPjx4ZW5jOkNpcGhlclZhbHVlPlhzZWhuemxaMUZaemhWK2JFSVhmUlJsSGo4OVpKS2EvdHFhLzBFb2lWZUZvU1A3Z09TcVYveU5WclRYdmkrYUxYUWo3TG5Sa1FhbS9sTlRMVmQxN2IxV1NUWlZ2NGdUbjhFMk1SWDN0bXI0eUhwUUZ1c1VIOFJqeFduR3lzZ2ZET1EvSGR4SDdhWDdpNVhvTS9KQUdMeU1GMWc4ZFdnc2I4ODN2aTByN09MTT08L3hlbmM6Q2lwaGVyVmFsdWU+PC94ZW5jOkNpcGhlckRhdGE+PC94ZW5jOkVuY3J5cHRlZEtleT48L2RzaWc6S2V5SW5mbz4KICAgPHhlbmM6Q2lwaGVyRGF0YT4KICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+VUlxazBXRmI2NWlRZUxPZDExU3JQTGJmeVovei80Q3phcFZqSERiRzFUOUprSjA4WHZRVjJPR1d2a1IyMUY1MEhVT0lkdFJ0RWVxdGdidnNRVjNhQldqVTN5cFFhYzliOFJLS2lRYVd1Y1R4K0lXZDNVVW9iTjAwRVFzNFlVU29JMFYwTEczQlRReThUVnVsTzhXdm8rcndEMHJxWGxMdDFvek1kcUFTN0VlTkxmNW5BTkR1bTN0OXZScys5cnFCSGw3eVFKdFo0eEl3a1ZJSHlsVkJYR3lRN2hSZVA5NVFWcTRmSWhMa0lkL2ZsKzltamE4VEdRME4rcE40Sk9YbVEwRUJyNG9IRHBRR0pGQlBsMzBlM04vTTZnVHNLQk1reit6RDd3Y1JLaU9TcDh2Zm1lMEVhRkR0Z01sZWVMcUVJWXpSUG1XRnFmMk8xMjY5R2pXRGtEcTd6WUxYRExUdmNlMUt6WjBudmNkbnpyMjdaVnU1Q3YzMWNqenlNdmVDT3dEcVEvZVZlWjBvTEp4Tlc2Y2xoT2NwK0pFQWZ1SUlsdHNjU3VMOERoKzRma2VCYUlRZmExMCtKcDBRVW1rSHZGemJab0tvblgvT0tTR0ZldmM1Rnc5ZUlOcFErTzAxUzU1MjhIaGJmY3JHR3BrSWh2YmlTM0xFZWhVNjA2dS9Ob0p3Um9FcWNzQjZXR21rUmUvb0hIU3Rib0ZtMmFKOGRmV2E5Sk5wUHVSeFVuTDZFeXhOTlhieUdrZGp1ZXh6U3haVkRZMDZRbU9odzZXcFVJY203dktraEVZL3YvWkFXN1dnQTVyVVUwS1lSQjlvTldCYUZQTjdjb1ZpM0prUnJkZjRqRUNzeXFTc1ZaRWR4L2tLSWJGSG53QVJ4a1pFSXdSZ1J0bE1WYit3cnpQWkJTT0hHcG1mSmJwNS9zbll1REN0RE13c3lTcG5HdFArYUZLNE1QWk5ORWdrWVJlYktlRXNiQjMxdVh2dzdMelZWY0V6cnVHWGRaMFN1dWR1VVBIVE0wZno0U2VQMERKclZEcnVuWGtDMEg1UDRwZTNVSVNSUDlUOVorSjg5N1lhRW1HckE5OHZuVEdWaE0wQXV1WFIrSTlJak05STlUZHFQUDV3bnhZclp0ZDFVc0JBaCtXRUNuM1JpZmNEWURzZm96eTNtZ1RzUVpxbW1ZZ1ltL1J2dStWdnliNlBBR3VkREFuTU1oanEyeUhxMThYem01elpWcTJFMVV5RU8yMjFyVmhqOGxSNVF0V0x3NHFyZmc3dkQ5ZHJwWWFiRkM4RGVZYVNFRzNsckxtNFAwNFBpMy9zOVo0NjNmRGxwWUVMMVlHVjhiWElhUWFDN2ZtRFIrTWRtaCtVTG1PU0owRXJYODA3UUQyZFlkWFdhQjZlRXNPeEpzMWRjU1VGTXlKN0ppSWR1clkweHJNNDR1d3oxUU9MeitxSkFQcjBDMitTRGozeFBZUFlqbVEyNkFMUit2M0Jldngzc1JSOXoyUnRROUlaVFY5SXVXc3RHU1U5N0laUXcyaWV3bGhZNkJMeHIwNDRVZWhsc2QvQ3d2U2JoYVZRQ3E0V0JqcU02RGc4ODlUVnJKN0x3bTlTZzVGOFphT2lQajZzc0NsMG1zS04zbGZyZVJQQS9mTkRCODJPSGVuOTNFeWg1THBxaGJsNzBVT2RVdlFaVGFJNWs3QjZrcHpuYjlIa1BkSHRuSE9LUmdMVE50MXhFUzQ1blhDSXFqVWxORGpZYWtaMnBuQU5OU3FMMlVYTFBLbVBXMVNyWkU1RVUybFRPUFp3TmJCZkF1ejRYZXFSWWRpQm1lR001dzBMWnd3TGE5a1NjeE81QUlUeE8wV1FMa0t4d1NrbCt6WlNiejJXbEx6RmxiZzNRRnZuLzN0NS92UDA1SzRNbzNEQWlnbTFPUHdCazlaV244MVNESkFPUkV0SnllRmxVTGl5dTFySW91WTNZSFhWZjY1aFZhc3ZFWjM3MDdsL3BSdXNIdWhOYVNaQ3dvSXV0VEYxZjhmN3k3SU1XSVBXUld5NWJLdDBudFRlK25VYWZvQk10cTdGcUVlTVg2TklGdUpHRzBVWkRNUVkrNzJpNXFSemt2QXpIUEhtR1pWdHZjdjg5N2M2ZzI1eXNyQjQwSHVqMDRFTUc5c2NhVEIyTk56R1k3Nm52c2JMNXRmanYydGFjN2ZmK2YrbnQrbTVvckhLQ3dRN3ZmSFBacUhlelN6azlFVVQ1aDV5Z1RvelVxRXkvNkptZW5KMHRZNWMzRmg2K0FNSkFicWdNamVjRTlkY1BSZEpyV3NTTXVNMllHZnVBY2syY2oycndIQmduelZiZUN6d3E4NnpzTEpQQXZ1VzlnbmRHVzIybi9Uc3hxb2R4ZWN2cTlURXRGd2hpSGdubTRvV0xzS2VpaHRrUnpPUUdFUkdIbTNXd3NXTWJtVVJUUDdnaFNNUytnellSUkVhalJYYzhONFhvRTlHVnZXOHRnUVVIMVM5aFE3M056MytmTTFuQ0dsWW1zTUN0SU5GWGNacm44WXlSRTNsMFZyOUtoczBYUkVnc0VqWVhpT2JWU05sKytZSHBkK044RXRKQ1ZFNkMrQ09wanlPUUhmNDZ4NElueHhkVk83ZmZpa1FDMHdKbHROaGJQb3hBMGtzZzNWNWlCNzhUNGJHVE16elNFa1JUTngyajhrWjJ1eHdxUFFZTFdvYmxTaEszdEpXRTk2M28xd3lOVmlhNmJUekF6cFR4eDVveHRKWjAza0hRM28zMExIV2Q1TXgwemJrWUdCWll3cTI5ZmVnQ0ozK2dreDR4V2NSc3ZHVlRiY296VXZUREp2bjlLd3pMdFR3aVJVV2tnOE9qdll3Vzd6bU9rWWVDeS9XdDRCRVNUcVd5Q0dKNU9RZ3VXd29FMitRem82VFVrRU5zT1ljMElpRGdxQ3BzaVl3OEsrLzNiTzFVSHVzQ2FBUjA3WWJaaVp0Q2FBTjBHbGRKZnR2RlhLRFQxTmwxWHpHaWpZeTdrS2x2TGxZd0M4UlN5d0hrK2xReEIwdVlhakNtV0ZtZmh2aVQxK2laR1VQdW9CWkpsMzRpeWF6ZEJZZi9kS3BsYVlzanJPcjdWMWV2d1JmVGNCVmQ1RzJLcGU1K0hhOXNzUm9NdHZKTUdBNy9CeUwxQ0lGaDNRbTVxNzNnL04zU0lzVGM0VE1sNDVtT2VYdEl3anBBekl1TEh0SUozc1J3aWFsNEtEVGMrNHdzZ1hzTmxEcTAwVERzMVhEbEJzSmovdHlEcUtuU3A2UU05S1BZL1lnd2ZTQTgwejNPa1hhVWx6cUFtZStXb3ljZHN6MEV5NGhDSE1Dd2NCeXRVc1VlODZKbWNEemFEL3A5RldwT0JJQitVeGhSRVhvS3NrYWVHZDlUVFJTbzk5QkJzblMrU1BBQXJ5R1o2TllhL2lnandZejdZaUo3cEdFaEpNdDBLZS9qUVdvUXBWQUFJcGNmdmZmR3ljQmtldUs3dUpXRGZVU3BMYVpkcnV6SXlIaFpTVldCcFBpYnVkWEI5VmtmNmgrcHNwUTY4RXBpOEtiZDZyMEh4aENyN0k2alJmQ0ZWR2x3UVlmUDdlQVQ1SUVuNFNNRTdTeEdKTGYzWTBDZmxvanlBbmJ1Z256OUNKVDBYeUc1TUswVzlpQzY2S0lXOVIvRVVBb0xCaVJmUUdzWGxCczRmajZ0NDRpOHpHRFVDalFPWnV1OWc3ZWJDTWlOb1hWRmlSZmJ5ZHkxbTVFYnhkVWJTM2tTMUVzTXZrQmx5T1JrV0hiRyt0b0tGbC91dFRwbUlBV3QyOHZ2L0U5bU44dmJKR3c1bUdINUJBTGg1OGNYdnE1TDFObHFNSHhCTDEwNzJuNFpIZ0J3bGdjTWlxbXpCeTd0eE9ZLzJpTzUwSk9aamdIUW42YnNqVmJjYyt2RGJsSUdVeGYxcmJZWUNYUHBWQ0J4bzNVa2N4VVZuUmdLN2ZOcm03bEZCSHRxR0M4L2dpblFlWXQ5bHV5cVFGTUNtNmUvQVh1eUVYbGNhSXREYUFsSnNPa1VyZ291NGQ5T1U0dnF6NzRwb2VSaFdlRFJaMlpYa2VGeVcveUtjRENxVzVubnZraUdieUtvTExDNXV6RlkxeXE3c0M3ZURoRlhIK1hmaEN4R0V3bHp0eC96ZXROQUdXWWJjWEwwd2lkREFzWkZabDJYMXhPL0JLWnQ2alpwV29ZNk1kSDl6eUYyYjRGbUJxTDhEdDQ8L3hlbmM6Q2lwaGVyVmFsdWU+CiAgIDwveGVuYzpDaXBoZXJEYXRhPgo8L3hlbmM6RW5jcnlwdGVkRGF0YT48L3NhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+Cg==

test/responses/invalids/response_with_concealed_signed_assertion.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfx0a3cfa31-f178-71f2-9b94-ad4047591acc" Version="2.0" IssueInstant="2012-04-04T07:33:10.921Z" Destination="https://example.com/endpoint">
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp.example.com</saml:Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2012-04-04T07:33:10.923Z" ID="unsigned-assertion">
+    <saml:Issuer>idp.myexample.org</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx7fca52d6-8991-5d99-3147-4f9d7c278d78"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>FA0AbR4w9oYdx7MFjERARVJAHps=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>GDH5jhCNX9PFxW+71SOJPyusAOwzECwmd57NDhvA/VKWHnV3PpvpNkOLyamoBNdZ4qxponnobg2zneLESrFnLJdJ1cgs51YvtBJTxKoA7oZMMNKReZFST8g7pDdrBC82n5rTdzxclaJkpwz1yjcho3K3TjxK+gU1svVrEKMUwyo=</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICGzCCAYQCCQCNNcQXom32VDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSU4xFTATBgNVBAcTDEluZGlhbmFwb2xpczERMA8GA1UEChMIT25lTG9naW4xDDAKBgNVBAsTA0VuZzAeFw0xNDA0MjMxODQxMDFaFw0xNTA0MjMxODQxMDFaMFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTjEVMBMGA1UEBxMMSW5kaWFuYXBvbGlzMREwDwYDVQQKEwhPbmVMb2dpbjEMMAoGA1UECxMDRW5nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5PckwsNgS9pUvV7fzTqCHk8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl0+mhy6MPdyjyA6G14jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA7DjNaUYQqwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBALM2vGCiQ/vm+a6v40+VX2zdqHA2Q/1vF1ibQzJ54MJCOVWvs+vQXfZFhdm0OPM2IrDU7oqvKPqP6xOAeJK6H0yP7M4YL3fatSvIYmmfyXC9kt3Svz/NyrHzPhUnJ0ye/sUSXxnzQxwcm/9PwAqrQaA3QpQkH57ybF/OoryPe+2h</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
+    <saml:Subject>
+      <saml:NameID NameQualifier="idp.example.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData Recipient="https://example.com/endpoint" InResponseTo="_f7201940-6055-012f-3bc1-782bcb13c426"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2012-04-04T07:28:11.442Z" NotOnOrAfter="2012-04-04T07:38:11.442Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>example.com</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2012-04-04T07:33:11.442Z">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+  </saml:Assertion>
+  <foo>
+  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2012-04-04T07:33:10.923Z" ID="pfx7fca52d6-8991-5d99-3147-4f9d7c278d78">
+    <saml:Issuer>idp.myexample.org</saml:Issuer>
+    <saml:Subject>
+      <saml:NameID NameQualifier="idp.example.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData Recipient="https://example.com/endpoint" InResponseTo="_f7201940-6055-012f-3bc1-782bcb13c426"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2012-04-04T07:28:11.442Z" NotOnOrAfter="2012-04-04T07:38:11.442Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>example.com</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2012-04-04T07:33:11.442Z">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+  </saml:Assertion>
+  </foo>
+</samlp:Response>