Update encrypted response in sync with decrypted response

GSA-TTS · Sep 20, 2024 · b25f87c · b25f87c
1 parent 9fc3088
commit b25f87c
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 29 deletions.
diff --git a/_includes/snippets/saml/auth/response_example.md b/_includes/snippets/saml/auth/response_example.md
@@ -1,38 +1,50 @@
 {% capture example %}
 ```xml
-<samlp:Response ID="_b28d50c0-dc35-0134-96f3-06d8bac14e9d"
-                Version="2.0"
-                IssueInstant="2017-02-23T20:36:37Z"
-                Destination="https://sp.int.identitysandbox.gov/auth/saml/callback"
-                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
-                InResponseTo="_6fca7b78-9ab7-49f5-bd62-18c48eac3c68"
-                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_7f3d8cd9-d3f8-4b47-a571-5272810d5073" Version="2.0" IssueInstant="2024-09-18T16:20:36Z" Destination="https://sp.int.identitysandbox.gov/auth/saml/callback" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_bf054c05-5b2c-4773-a6a9-9ba075a87bc9">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.int.identitysandbox.gov/api/saml</Issuer>
   <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
     <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="ED" Type="http://www.w3.org/2001/04/xmlenc#Element">
-    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
-    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Id="EK">
-        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
-        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-          <ds:KeyName/>
-          <ds:X509Data>
-            <ds:X509Certificate>MIIDejCCAmICCQDxlELhbJBQdzANBgkqhkiG9w0BAQUFADB/MRYwFAYDVQQDDA1TUCBSYWlscyBEZW1vMQwwCgYDVQQKDANHU0ExDDAKBgNVBAsMAzE4ZjETMBEGA1UEBwwKV2FzaGluZ3RvbjELMAkGA1UECAwCREMxCzAJBgNVBAYTAlVTMRowGAYJKoZIhvcNAQkBFgsxOGZAZ3NhLmdvdjAeFw0xNjA4MTgyMDIzMzNaFw0yNjA4MTYyMDIzMzNaMH8xFjAUBgNVBAMMDVNQIFJhaWxzIERlbW8xDDAKBgNVBAoMA0dTQTEMMAoGA1UECwwDMThmMRMwEQYDVQQHDApXYXNoaW5ndG9uMQswCQYDVQQIDAJEQzELMAkGA1UEBhMCVVMxGjAYBgkqhkiG9w0BCQEWCzE4ZkBnc2EuZ292MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6gWv5EDu88CgWTgo+B8+Rp7ZSjNKKdud2I4U6Bfr0IMerdrh1LVwO6JOli/qRRDqECQz7Jm6m4XnVvf1bUiQd8cn/FheQfD2NuDNfrnAvyIRIHDgGHGSx3vjPZJVYi5BVmEOPFEKYEKHqS/UGnNjkS2XsoAkstRe6gioo4Hd2WLwjuCMqgNA3vgwyVxdgfI5vsrm6q43X15wb/wCP4r2rGKGSUIIshZPeUcPOzBMAmwVqREN4ux79Ee5K/87aXBVRF7Z2tFV1d5KEXO3dCw+T6cspj9MjfY2976cQfBXWnDKGdNWaLdwtFqvpgo9IXRxlAmUQtx8SC8z+zXaSSGB/wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCtc97SZLs5eBx7LrxdaeP5hq2etB7l6uM6+l/eSvXu8LlQfTUT7URxX4hXbKyORs1BLpnMYxofeyJlzb9K0koy1ZFhUtBufvU1R+ouMfZlV3QGOUMIUp00UNS39b74214jpuUYi7oEM0gHBN3BXxVyzUEAzt2HYHp2Im97ERSmTMkvSfiqilx/t03qIuZVxzu+jIU2BQUxS7s6XQ2DpDbvfggmnvToCmNA0VSg9rZkziOLSRHblcUpdMYH8+mzbTCfgg/Of0kTDVqXzgNa/iR0HUq18bDf3iFebS/sugwXN3vCxdCnad64q5tqF+VscZEtc7Okech2OuctnWy0nzFQ</ds:X509Certificate>
-          </ds:X509Data>
-        </ds:KeyInfo>
-        <CipherData>
-          <CipherValue>yaI+Z9oWcrP2WL02UdN7wdeoloWSBuz4nrFKh+vuyHitlk3A3/ATy4rtHerREue6uEYJ2sr7RoJbF/pqsr1j2ZWGJRL9FS++i0biE9iv3NwrW1MDvzGAaMiI9q+tmDqhorftiD+0byrtftZU2Emmwz34/bZJQKFszDeWlDrTVIXGDz+jF0Q+AvFxtaMrXXw6VmLlQlM/Hc9GiGCY+yalGmlteAJD+xk9aqUqfO9+qbwqufLQTpLyM8UdjHuwN9V4ZEo09er34SZD3ZhGq7IdWvROpcPeagU2+r6pivCmhY3x1t01uDtKe0jDt8LTGA1/P8atB3zQHkNnbGO1CiBKpg==</CipherValue>
-        </CipherData>
-        <ReferenceList>
-          <DataReference URI="ED"/>
-        </ReferenceList>
-      </EncryptedKey>
-    </ds:KeyInfo>
-    <CipherData>
-      <CipherValue>vy4Ohper0Oq24kU9GBTr0L8dHSBLkRpeu/iNr790cOQrAKphfPRCtLR7RHFI0mTCiko+Wy/oQqX4gu0LVtOOkcjJIicDyuWhIF6guUHvHz1PP4cv3pG++EhAJ73dbCPFSFkrDCzyMM5KZaY0xj6GpcYAVhOjez2ooOqwyTRYVpgozyuIreuooNFV8K++6GixLfBjw9T47eokKqLiROcRjEpV1dBoIkr34KtA7+TCrms1tLwAv4mdzCpUa7j</CipherValue>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Id="EK">
+          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+            <ds:X509Data>
+              <ds:X509Certificate>
+MIIDgDCCAmgCCQCwpieA9CKuDDANBgkqhkiG9w0BAQUFADCBgTEYMBYGA1UEAwwP
+U1AgU2luYXRyYSBEZW1vMQwwCgYDVQQKDANHU0ExDDAKBgNVBAsMAzE4ZjETMBEG
+<!-- X509Certificate elided -->
+IYOalU+bIBpQt6EGN/mWBu7yZtgxKULZamJUUpd5xpcPcGKwf59etPVMTSxgeeQY
+MFjibtIlMmAweHgIqDyF2s8Etz8hlcKrXIUAK5CoMvgUn41V
+
+</ds:X509Certificate>
+            </ds:X509Data>
+          </ds:KeyInfo>
+          <CipherData>
+            <CipherValue>DUs/UGjZTIioxWuRdUs8dWK4sLZ3zmAoTxX/mxliznXJfKn7JGQ6u9ccAG+o
+NbdunEQd0552Y6jdLGTulpuPxgC79gWsgxjV4sZzlALeLKu/VI/gUN7YNaoy
+QHQeO0XsH51pu5P4H0fjee2sJ++jnrY4auOMIYE3jWFScmRGrDXnvde6N1MW
+QThl1uSu2fDsQZdE9SOzg8rm8c85NcaBorJnHTTt7ywgLSt3weXkztUeujsc
+6ifawqRIdfcvL8eZxqKBUHSRu9gIXbmp13VQVZuKHO+MLrO2eTNMS6wRpGjl
+Lykqm6G3d8d7gn7oC08WI6YDrB5Kzo6hF/eaveOjtw==
+</CipherValue>
+          </CipherData>
+          <ReferenceList>
+            <DataReference URI="ED"/>
+          </ReferenceList>
+        </EncryptedKey>
+      </ds:KeyInfo>
+      <CipherData>
+        <CipherValue>cIGCpOu5tXI1RuBj32Sas6saN5brvkYea2QYgIAFNi6NgHngIs4JAkcTGxRg
+U9Vyfb2F3kndo5hBJaLmnKjLlwZRCBwoVfYfiaKUumH+igiPeyfcOGi617bN
+dpylxgT3Exg/g8qX5V02nIibCvlgO9tm9mPL5Rx0EZ32HMOc+Q62TF7F3e6X
+<!-- CipherValue elided -->
+2SWxCSIh0QLjt0Sos4ixK58eYc0p+8wbJnks14GzDGA07qJenT4NKxIIU2wW
+y+0Uv+X9Bk3S+y/6ba+v
+</CipherValue>
       </CipherData>
     </EncryptedData>
   </EncryptedAssertion>
@@ -41,4 +53,4 @@
 {% endcapture %}
 <div markdown="1" data-example="example" class="markdown long">
 {{ example | markdownify }}
-</div>
+</div>
diff --git a/_pages/saml/authentication.md b/_pages/saml/authentication.md
@@ -173,7 +173,7 @@ A proofed identity request at AAL2, with phishing resistent MFA, for email, phon
         <h2 id="authentication-response">Authentication response</h2>
         <p markdown="1">After the user authenticates, Login.gov will redirect and POST a form back to your registered Assertion Consumer Service URL with a hidden form control named `SAMLResponse`.</p>
         <p markdown="1">`SAMLResponse` contains a base64-encoded XML payload that contains data that is encrypted with the service provider's public key.</p>
-        <p markdown="1"> The decrypted `SAMLResponse` contains a `<saml:Assertion>` element, which in turn contains elements like `<saml:Subject>`, `<saml:AttributeStatement>` and `<saml:AuthnStatement>`. </p>
+        <p markdown="1"> The decrypted `SAMLResponse` contains a `<saml:Assertion>` element, which in turn contains the following elements: </p>
         <dl>
             <dt markdown="1">`Subject`</dt>
             <dd>Contains the NameID, the Recipient of this information and the validity period.</dd>