Connecting ECP with Shibboleth using wso2 Identity Server User Store

Winma Heenatigala
Sep 3, 2018 · 14 min read

Are you trying to connect an ECP with Shibboleth? Then you are at the right place. 👌

In this blog I will guide you through connecting an ECP with Shibboleth from the very beginning. If you are new to ECP (non-browser-based clients) and wonder how they differ from browser-based clients, you can refer to my blog post here to get a clear idea. Don’t worry, it’s just a 4 min blog. 😛

Now let’s move on to the topic. Before trying to connect an ECP client with Shibboleth, you must make sure that you have successfully installed both the Shibboleth SP and the Shibboleth IDP on your Ubuntu machine.

Shibboleth IDP Installation

You can refer to my Shibboleth IDP Installation blog from here.

Shibboleth SP Installation

You can refer to my Shibboleth SP Installation (As an apache module) blog from here.

Create the Web Application

Now let’s create a Shibboleth protected simple web application called myservice.

sudo mkdir /var/www/myservice
sudo gedit /var/www/myservice/index.html

In the index.html file add the following content to be displayed.

<html><body>If you see this page!!! That means your ECP client works !!!!!!</body></html>

Add the Protected Service to the Apache Configuration

Edit the /etc/apache2/sites-available/default-ssl.conf file. My edited file looks like this.

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin winma@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Alias /myservice/ /var/www/myservice/
<Location /myservice/>
AuthType shibboleth
ShibRequestSetting requireSessionWith ECP
AuthName "Secret"
AuthUserFile passwd
Require valid-user
</Location>
</VirtualHost>
</IfModule>

In the /etc/shibboleth/shibboleth2.xml file add the following Session Initiator.

<SessionInitiator id="ECP" type="SAML2" Location="/ECP" ECP="true" 
entityID="https://idp.shibboleth.com/idp/shibboleth">
</SessionInitiator>

Now the SP is added. 😃 Cool… 🆒

Configure Shibboleth IDP

Download the Shibboleth SP metadata file and rename it to ShibbolethSP.xml.

You can download the metadata file by typing the URL https://localhost/Shibboleth.sso/Metadata in the browser.

Include that file in the /opt/shibboleth-idp/metadata directory.

Add the following Metadata Provider to /opt/shibboleth-idp/conf file.

<MetadataProvider id="ShibbolethSP"  xsi:type="FilesystemMetadataProvider" metadataFile="/opt/shibboleth-idp/metadata/ShibbolethSP.xml"/>

Make sure that the idp.authn.flows property of the conf/idp.properties file is set to Password.

idp.authn.flows= Password

Set up the /opt/shibboleth-idp/conf/ldap.properties file as follows to use the WSO2 IS LDAP.

idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://localhost:10389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.returnAttributes = uid
idp.authn.LDAP.baseDN = ou=Users,dc=wso2,dc=org
idp.authn.LDAP.userFilter = (&(objectClass=person)(uid={user}))
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = admin
idp.authn.LDAP.dnFormat = uid=%s,ou=Users,dc=wso2,dc=org

Edit the /opt/shibboleth-idp/conf/attribute-resolver.xml file as below.

<AttributeDefinition id="uid" xsi:type="PrincipalName">
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
</AttributeDefinition>

Edit the /opt/shibboleth-idp/conf/attribute-filter.xml file as follows.

<AttributeFilterPolicy id="iam_attrib_policy">
<PolicyRequirementRule xsi:type="ANY"/>
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
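
The ldap.properties in this section uses ldap:// with StartTLS and SSL both disabled, and a bind password equal to the account name. As an added example (not from the original post or the Shibboleth project), the POSIX shell lint below reads the same property names and reports those settings; the function names and finding labels are assumptions made for this example, and the sample file is constructed from the values shown above.

```sh
#!/bin/sh
# Added example, not part of the original post: lint a Shibboleth IdP
# ldap.properties file. Finding labels and function names are assumptions.

# prop FILE KEY: print the trimmed value of KEY (last definition wins).
prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }          # skip comment lines
        {
            i = index($0, "=")           # split on the first "=" only;
            if (i == 0) next             # values such as userFilter contain "="
            k = substr($0, 1, i - 1)
            v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# lint_ldap_properties FILE: print one finding per line.
# Exit status 0 = no findings, 1 = at least one finding.
lint_ldap_properties() (
    file=$1
    findings=0
    url=$(prop "$file" idp.authn.LDAP.ldapURL)
    starttls=$(prop "$file" idp.authn.LDAP.useStartTLS)
    ssl=$(prop "$file" idp.authn.LDAP.useSSL)
    bind_dn=$(prop "$file" idp.authn.LDAP.bindDN)
    cred=$(prop "$file" idp.authn.LDAP.bindDNCredential)

    if [ -z "$url" ]; then
        echo "NO_LDAP_URL file=$file"
        exit 1                           # leaves only this subshell
    fi

    # 1. Transport: each ECP login ends in an LDAP bind that carries the
    #    user's password, so an unencrypted connection exposes it.
    case "$url" in
        *://localhost|*://localhost[:/]*|*://127.*|*://\[::1\]*) scope=loopback ;;
        *) scope=network ;;
    esac
    case "$url" in
        ldaps://*) ;;                    # TLS from the first byte
        *)
            if [ "$starttls" != "true" ] && [ "$ssl" != "true" ]; then
                echo "PLAINTEXT_LDAP scope=$scope ldapURL=$url"
                findings=$((findings + 1))
            fi ;;
    esac

    # 2. Bind credential identical to the account name in the bind DN.
    rdn_value=${bind_dn#*=}
    rdn_value=${rdn_value%%,*}
    if [ -n "$cred" ] && [ "$cred" = "$rdn_value" ]; then
        echo "GUESSABLE_BIND_CREDENTIAL bindDN=$bind_dn"
        findings=$((findings + 1))
    fi

    # 3. Stored bind credential in a file every local user can read.
    if [ -n "$cred" ] && [ -n "$(find "$file" -perm -004)" ]; then
        echo "WORLD_READABLE_SECRET file=$file"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
)

# Constructed sample: the values from the ldap.properties shown above.
write_sample() {
    cat > "$1" <<'EOF'
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://localhost:10389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.baseDN = ou=Users,dc=wso2,dc=org
idp.authn.LDAP.userFilter = (&(objectClass=person)(uid={user}))
idp.authn.LDAP.bindDN = uid=admin,ou=system
idp.authn.LDAP.bindDNCredential = admin
EOF
}

# Run against the file given as $1, or against the constructed sample.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    trap 'rm -f "$target"' EXIT
    write_sample "$target"
    chmod 644 "$target"
fi
lint_ldap_properties "$target" || echo "findings above: fix before the IdP leaves the test machine"
```

A loopback finding matters less while the directory and the IdP share one host; it becomes a network finding as soon as ldapURL points at another machine.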

Download a sample ECP

I downloaded the bash ECP client from the Shibboleth site and made some minor changes to the client. Copy the following code and save it as ecp.sh. I have changed the IDP endpoint of the Shibboleth client to be https://idp.shibboleth.com/idp/profile/SAML2/SOAP/ECP and assigned it to the Campus01 variable.

#!/bin/bash
#
# Requires bash version >= 4.
#
# This simple client uses command line tools to
# demonstrate how a SAML ECP client works.
#
# Studying this client is not an acceptable replacement
# for reading the ECP profile [ECP] available at
# http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf
#
# Please read the profile document and consult this script
# as one example of a non-conformant client.
# This script cannot be considered a conformant client as defined
# in section 3.1.3 of [ECP] because it does not support the use of
# channel bindings of type "tls-server-end-point" nor does it support
# TLS Client Authentication.
#
# This client has been tested on Debian Jessie against
# the Shibboleth IdP versions 2.4.4 and 3.2.1
# and the Shibboleth Native SP version 2.5.6.
#
# The script assumes both the IdP and SP are properly configured for ECP
# using basic authentication. See the Shibboleth documentation for details.
#
# The script uses the command line tool 'curl' for querying the SP
# and IdP. It uses the command line tool 'xsltproc' for
# simple parsing and manipulation of XML. Consult a reference
# on XSLT and XPath for how to craft the stylesheet inputs to
# xsltproc. A better programmer could probably make sed and grep
# do the same thing.
# hash array of tags the user can use on the command
# line that map to IdP SAML2 ECP endpoints
declare -A idp_endpoints
idp_endpoints=(
["Campus01"]="https://idp.shibboleth.com/idp/profile/SAML2/SOAP/ECP"
["Campus02"]="https://idp.shibboleth.com/idp/profile/SAML2/SOAP/ECP"
)
usage()
{
cat << EOF
usage: `basename $0` [options] IdP_tag target_url login
OPTIONS:
-h Show this message
-d Write debug output to stdout
EXAMPLE:
`basename $0` Campus01 https://campus01.edu/my/secret/page jsmith
CONFIGURED IDP TAGS:
EOF
for tag in "${!idp_endpoints[@]}"; do echo "$tag" ; done
}
DEBUG=
while getopts "hd" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
d)
DEBUG=1
;;
esac
done
shift $((OPTIND - 1))
if [ $# -ne 3 ]
then
usage
exit 1
fi
# curl is required for sending to and from the SP and IdP
# xsltproc is required for gently massaging XML
# tempfile or mktemp is required for safe temporary files
type -P curl >&/dev/null || { echo "This script requires curl. Aborting." >&2; exit 1; }
type -P xsltproc >&/dev/null || { echo "This script requires xsltproc. Aborting." >&2; exit 1; }
temp_file_maker=`type -P tempfile`
if [ ! $temp_file_maker ] ; then
temp_file_maker=`type -P mktemp`
if [ ! $temp_file_maker ] ; then
echo "This script requires tempfile or mktemp. Aborting." >&2
exit 1
fi
fi
idp_tag=$1
target=$2
login=$3
# verify that the target is of the form https://
if [[ ! "$target" =~ ^https:// ]]
then
echo "Target is not of the form https://..."
exit 1
fi
# some utility functionality for deleting temporary files
declare -a on_exit_items
function on_exit()
{
for i in "${on_exit_items[@]}"
do
eval $i
done
}
function add_on_exit()
{
local n=${#on_exit_items[*]}
on_exit_items[$n]="$*"
if [[ $n -eq 0 ]]; then
trap on_exit EXIT
fi
}
# create a file curl can use to save session cookies
cookie_file=`$temp_file_maker`
add_on_exit rm -f $cookie_file
# headers needed for ECP
header_accept="Accept:text/html; application/vnd.paos+xml"
header_paos="PAOS:ver=\"urn:liberty:paos:2003-08\";\"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp\""
if [ -n "$DEBUG" ]
then
CURL_OPT="--verbose"
else
CURL_OPT="--silent"
fi
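# request the target from the SP and include headers signalling ECP
# (-k makes curl skip TLS certificate verification)
sp_resp=`curl -k $CURL_OPT -c $cookie_file -b $cookie_file -H "$header_accept" -H "$header_paos" "$target"`
# capture curl's exit status before any other command overwrites $?
ret=$?
echo $sp_resp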
if [ $ret -ne 0 ]
then
echo "First curl GET of $target failed."
echo "Return value was $ret."
echo "Try curl -H '$header_accept' -H '$header_paos' $target to see error."
exit 1
fi
if [ -n "$DEBUG" ]
then
echo
echo "###### BEGIN SP RESPONSE"
echo
echo $sp_resp
echo
echo "###### END SP RESPONSE"
echo
fi
# craft the request to the IdP by using xsltproc
# and a stylesheet to remove the SOAP header
# but leave everything else
stylesheet_remove_header=`$temp_file_maker`
add_on_exit rm -f $stylesheet_remove_header
cat >> $stylesheet_remove_header <<EOF
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" >
<xsl:output omit-xml-declaration="yes"/><xsl:template match="node()|@*">
<xsl:copy>
<xsl:apply-templates select="node()|@*"/>
</xsl:copy>
</xsl:template>
<xsl:template match="S:Header" /></xsl:stylesheet>
EOF
idp_request=`echo "$sp_resp" | xsltproc $stylesheet_remove_header -`
ret=$?
if [ $ret -ne 0 ]
then
echo "Parse error from xsltproc on first curl GET of $target."
echo "Return value was $ret."
echo "Use -d to see full SP response."
exit 1
fi
if [ -n "$DEBUG" ]
then
echo
echo "###### BEGIN IDP REQUEST"
echo
echo $idp_request
echo
echo "###### END IDP REQUEST"
echo
fi
# pick out the relay state element from the SP response
# so that it can later be included in the package to the SP
stylesheet_get_relay_state=`$temp_file_maker`
add_on_exit rm -f $stylesheet_get_relay_state
cat >> $stylesheet_get_relay_state <<EOF
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" >
<xsl:output omit-xml-declaration="yes"/><xsl:template match="/">
<xsl:copy-of select="//ecp:RelayState" />
</xsl:template>
</xsl:stylesheet>
EOF
relay_state=`echo "$sp_resp" | xsltproc $stylesheet_get_relay_state -`
ret=$?
if [ $ret -ne 0 ]
then
echo "Parse error from xsltproc for relay state element."
echo "Return value was $ret."
echo "Use -d to see full SP response."
exit 1
fi
if [ -n "$DEBUG" ]
then
echo
echo "###### BEGIN RELAY STATE ELEMENT"
echo
echo $relay_state
echo
echo "###### END RELAY STATE ELEMENT"
echo
fi
# pick out the responseConsumerURL attribute value from the SP response
# so that it can later be compared to the assertionConsumerURL sent from
# the IdP
stylesheet_get_responseConsumerURL=`$temp_file_maker`
add_on_exit rm -f $stylesheet_get_responseConsumerURL
cat >> $stylesheet_get_responseConsumerURL <<EOF
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:paos="urn:liberty:paos:2003-08" >
<xsl:output omit-xml-declaration="yes"/><xsl:template match="/">
<xsl:value-of select="/S:Envelope/S:Header/paos:Request/@responseConsumerURL" />
</xsl:template>
</xsl:stylesheet>
EOF
echo "Picking up the response consumer URL"
responseConsumerURL=`echo "$sp_resp" | xsltproc $stylesheet_get_responseConsumerURL -`
ret=$?
if [ $ret -ne 0 ]
then
echo "Parse error from xsltproc for consumer URL."
echo "Return value was $ret."
echo "Use -d to see full SP response."
exit 1
fi
if [ -n "$DEBUG" ]
then
echo
echo "###### BEGIN RESPONSE CONSUMER URL"
echo
echo $responseConsumerURL
echo
echo "###### END RESPONSE CONSUMER URL"
echo
fi
# use curl to POST the request to the IdP the user signalled on the command line
# and use the login supplied by the user, prompting for a password
idp_endpoint=${idp_endpoints["$idp_tag"]}
idp_response=`curl -k -v $CURL_OPT --fail -X POST -H 'Content-Type: text/xml; charset=utf-8' -c $cookie_file -b $cookie_file --user $login -d "$idp_request" $idp_endpoint`
ret=$?
if [ $ret -ne 0 ]
then
echo "curl POST to IdP $idp_tag at endpoint $idp_endpoint failed."
echo "Return value was $ret."
exit 1
fi
if [ -n "$DEBUG" ]
then
echo
echo "###### BEGIN IDP RESPONSE"
echo
echo $idp_response
echo
echo "###### END IDP RESPONSE"
echo
fi
# use xsltproc to pick out the assertion consumer service URL
# from the response sent by the IdP
stylesheet_assertion_consumer_service_url=`$temp_file_maker`
add_on_exit rm -f $stylesheet_assertion_consumer_service_url
cat >> $stylesheet_assertion_consumer_service_url <<EOF
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" >
<xsl:output omit-xml-declaration="yes"/><xsl:template match="/">
<xsl:value-of select="S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL" />
</xsl:template>
</xsl:stylesheet>
EOF
assertionConsumerServiceURL=`echo "$idp_response" | xsltproc $stylesheet_assertion_consumer_service_url -`
ret=$?
if [ $ret -ne 0 ]
then
echo "Parse error from xsltproc for ACS URL."
echo "Return value was $ret."
echo "Use -d to see full IDP response."
exit 1
fi
if [ -n "$DEBUG" ]
then
echo
echo "###### BEGIN ASSERTION CONSUMER SERVICE URL"
echo
echo $assertionConsumerServiceURL
echo
echo $responseConsumerURL
echo
echo "###### END ASSERTION CONSUMER SERVICE URL"
echo
fi
# compare the responseConsumerURL from the SP to the
# assertionConsumerServiceURL from the IdP and if they
# are not identical then send a SOAP fault to the SP
if [ "$responseConsumerURL" != "$assertionConsumerServiceURL" ]
then
echo "ERROR: assertionConsumerServiceURL $assertionConsumerServiceURL does not"
echo "match responseConsumerURL $responseConsumerURL"
echo ""
echo "sending SOAP fault to SP"
read -d '' soap_fault <<"EOF"
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<S:Fault>
<faultcode>S:Server</faultcode>
<faultstring>responseConsumerURL from SP and assertionConsumerServiceURL from IdP do not match</faultstring>
</S:Fault>
</S:Body>
</S:Envelope>
EOF
curl $CURL_OPT -X POST -c $cookie_file -b $cookie_file -d "$soap_fault" -H "Content-Type: application/vnd.paos+xml" $responseConsumerURL > /dev/null 2>&1
exit 1
fi
# craft the package to send to the SP by
# copying the response from the IdP but removing the SOAP header
# sent by the IdP and instead putting in a new header that
# includes the relay state sent by the SP
stylesheet_sp_package=`$temp_file_maker`
add_on_exit rm -f $stylesheet_sp_package
cat >> $stylesheet_sp_package <<EOF
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/" >
<xsl:output omit-xml-declaration="no" encoding="UTF-8"/><xsl:template match="node()|@*">
<xsl:copy>
<xsl:apply-templates select="node()|@*"/>
</xsl:copy>
</xsl:template>
<xsl:template match="soap11:Header" >
<soap11:Header>$relay_state</soap11:Header>
</xsl:template>
</xsl:stylesheet>
EOF
sp_package=`echo "$idp_response" | xsltproc $stylesheet_sp_package -`
ret=$?
if [ $ret -ne 0 ]
then
echo "Parse error from xsltproc for SP package."
echo "Return value was $ret."
echo "Use -d to see full IDP response."
exit 1
fi
if [ -n "$DEBUG" ]
then
echo
echo "###### BEGIN PACKAGE TO SEND TO SP"
echo
echo $sp_package
echo
echo "###### END PACKAGE TO SEND TO SP"
echo
fi
# push the response to the SP at the assertion consumer service
# URL included in the response from the IdP
curl -k $CURL_OPT -c $cookie_file -b $cookie_file -X POST -d "$sp_package" -H "Content-Type: application/vnd.paos+xml" $assertionConsumerServiceURL
ret=$?
if [ $ret -ne 0 ]
then
echo "Second curl POST to SP failed."
echo "Return value was $ret."
exit 1
fi
# use curl and the existing established session to get the original target
curl -k $CURL_OPT -c $cookie_file -b $cookie_file -X GET "$target"
# on exit the temporary files and cookies will be deleted
# a more sophisticated client could save the cookies and make
# them available for further requests from the same SP
exit 0

Run the ECP client

Before running the client, make sure that the WSO2 Identity Server is up, as we have used the WSO2 Identity Server User Store. You can download the WSO2 Identity Server from here. Go to the bin folder and start the server using the command sh wso2server.sh

You must also make sure that your Shibboleth SP and IDP work properly before connecting the ECP client. Quick test guides are included in the installation blog posts that I mentioned earlier.

You can run the bash client with the command

sudo ./ecp.sh Campus01 https://localhost/myservice/ admin

Here Campus01 denotes which IDP the client wishes to use.

https://localhost/myservice/ denotes the SP that the client tries to access.

admin denotes the username of the user trying to access the service.

If you want to run the client in the debug mode use the following command.

sudo ./ecp.sh -d Campus01 https://localhost/myservice/ admin

When the client is run, the user is prompted for the login password. When the password is given, the client successfully receives the resource.

I will show you some of the important sample terminal output that you will receive when the client is run in debug mode. (Note: some parts are removed for your convenience.) 😃

###### BEGIN SP RESPONSE
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header><paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1" responseConsumerURL="https://localhost/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/><ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/shibboleth</saml:Issuer><samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:IDPEntry ProviderID="https://idp.shibboleth.com/idp/shibboleth"/></samlp:IDPList></ecp:Request><ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">ss:mem:d0c8a962fff3962ea618c98b5e75eea33639c5f2b117abf6f37cb29ccc37a8b3</ecp:RelayState></S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://localhost/Shibboleth.sso/SAML2/ECP" ID="_ebcf9cc2f7dce246847f97e41afd0031" IssueInstant="2018-09-02T18:26:15Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/><samlp:Scoping><samlp:IDPList><samlp:IDPEntry ProviderID="https://idp.shibboleth.com/idp/shibboleth"/></samlp:IDPList></samlp:Scoping></samlp:AuthnRequest></S:Body></S:Envelope>
###### END SP RESPONSE

###### BEGIN IDP REQUEST
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://localhost/Shibboleth.sso/SAML2/ECP" ID="_ebcf9cc2f7dce246847f97e41afd0031" IssueInstant="2018-09-02T18:26:15Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost/shibboleth</saml:Issuer><samlp:NameIDPolicy AllowCreate="1"/><samlp:Scoping><samlp:IDPList><samlp:IDPEntry ProviderID="https://idp.shibboleth.com/idp/shibboleth"/></samlp:IDPList></samlp:Scoping></samlp:AuthnRequest></S:Body></S:Envelope>
###### END IDP REQUEST

###### BEGIN RELAY STATE ELEMENT
<ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">ss:mem:d0c8a962fff3962ea618c98b5e75eea33639c5f2b117abf6f37cb29ccc37a8b3</ecp:RelayState>
###### END RELAY STATE ELEMENT

Picking up the response consumer URL

###### BEGIN RESPONSE CONSUMER URL
https://localhost/Shibboleth.sso/SAML2/ECP
###### END RESPONSE CONSUMER URL

Enter host password for user 'admin':

###### BEGIN IDP RESPONSE
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Header><ecp:Response AssertionConsumerServiceURL="https://localhost/Shibboleth.sso/SAML2/ECP" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" soap11:mustUnderstand="1" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/><samlec:GeneratedKey soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" xmlns:samlec="urn:ietf:params:xml:ns:samlec">[base64 value removed]</samlec:GeneratedKey></soap11:Header>
<soap11:Body><saml2p:Response Destination="https://localhost/Shibboleth.sso/SAML2/ECP" ID="_408b6175c4d7e53dd08df1f7f2040728" InResponseTo="_ebcf9cc2f7dce246847f97e41afd0031" IssueInstant="2018-09-02T18:26:21.224Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.shibboleth.com/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<ds:Reference URI="#_408b6175c4d7e53dd08df1f7f2040728">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ds:DigestValue>[base64 value removed]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>[base64 value removed]</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>[base64 value removed]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData Id="_ae7318a902e3115b4958531c4d589baf" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_6bb070b4adfa17a35c714b1ad448d877" Recipient="https://localhost/shibboleth" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>[base64 value removed]</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>[base64 value removed]</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>[base64 value removed]</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response></soap11:Body></soap11:Envelope>
###### END IDP RESPONSE

###### BEGIN ASSERTION CONSUMER SERVICE URL
https://localhost/Shibboleth.sso/SAML2/ECP
https://localhost/Shibboleth.sso/SAML2/ECP
###### END ASSERTION CONSUMER SERVICE URL

###### BEGIN PACKAGE TO SEND TO SP
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Header><ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">ss:mem:d0c8a962fff3962ea618c98b5e75eea33639c5f2b117abf6f37cb29ccc37a8b3</ecp:RelayState></soap11:Header>
<soap11:Body><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://localhost/Shibboleth.sso/SAML2/ECP" ID="_408b6175c4d7e53dd08df1f7f2040728" InResponseTo="_ebcf9cc2f7dce246847f97e41afd0031" IssueInstant="2018-09-02T18:26:21.224Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.shibboleth.com/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<ds:Reference URI="#_408b6175c4d7e53dd08df1f7f2040728">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ds:DigestValue>[base64 value removed]</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ddCr8WG/dHCAhePNK3vVuvNCB2QR1bMh4Lpc9sx5GeXoXybOxpXpjcZG8stbhSbWSoK2RgWkj4mY 2aXbGu9InQlPgzYvPeb+eiMp3RTP4Iysw6iWYYm42ANssKooT6mIWjYkHijOg03MP1f831Bve6++ Fo5XL28q1RsE/F9rJpqkGOc/BheDx5gYnLeUA0BSLetAe0MTAUu7bVDTa+Th8fRuCAViVS7X7ef2 D6RPb/QtqXRGukUCswhUGBt+ZOe5grNgLRehYDvE+fhHxhzPmBfNSknbJPyD+Wwjn8lMV452KCJp 1z1grZBJqzSNfcNqRlk36U7XlfVz1yU6Aglanw== </ds:SignatureValue> <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDMzCCAhugAwIBAgIUUAFRLb2Ue/ye+8+kOSK/QKH4yKswDQYJKoZIhvcNAQELBQAwHTEbMBkG A1UEAwwSaWRwLnNoaWJib2xldGguY29tMB4XDTE4MDgwOTA5MDY1M1oXDTM4MDgwOTA5MDY1M1ow HTEbMBkGA1UEAwwSaWRwLnNoaWJib2xldGguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAupOQgM6h0AGOG8d3GRGYV41gaRERu72V2vSOXQKQExg4MzHHl8mAQFgKDRb4Y04U5cdo UJmUFb41jF39Hwfl3J9L//rcR2sHBt2gEwQj9HAmj9itQTKvjqEusMxbMh+e8DnE3GBReFN81Ndo HhVpwo5tNCIdK4wNT0WLpCFyWoQtBdSMTtz+1v2pqb+hdhxBxh5KeOdJ1iGJxCqOlxv/VcDmc3F7 DahYW8GZZlKxGU37le5QkHiQDKK4Z5tS9KBTeBD9t1jjvlm08eYTxFBSCEV8UTeH/NON771GMD5A +8kRgniNmokoVXWZgYRZXDXE6nI1QnIOLvEkunS4vX/K7QIDAQABo2swaTAdBgNVHQ4EFgQUPp5+ OsPqu06buO1yMNn6z1DnWLUwSAYDVR0RBEEwP4ISaWRwLnNoaWJib2xldGguY29thilodHRwczov L2lkcC5zaGliYm9sZXRoLmNvbS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAIfmg h3ruHVa3pHWkX5xo68DceekztFSP64Pg98nceDSlsmP5NvuCnUIBTvFuPH5xdLjLsYhE0nygq7sC AkCe2q1WXKhI842hjDzTBIhr4MSUwkl20kAXjH6NFj/IORf1mb2oKH4JtjlzCDPQrZWq/kbIG8rX P6lRYIZD+5NTkmukoUBBhv7AtqaaOkaFT9fslVUTHt/0Vm95pezyiU9wOniiPXt/2j+zKmw7OuvT uxnRKVih4hmg8f1Bo/Im0P0GPe2f5dUUwlb1tlDub239VaDv99AsiTvaZ+4mvK0l2QleIsDWuTlK 9HfxYSwgTtwvL0VUF4PJZV3kDg2cqO+y9A==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_ae7318a902e3115b4958531c4d589baf" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey Id="_6bb070b4adfa17a35c714b1ad448d877" Recipient="https://localhost/shibboleth"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha1"/></xenc:EncryptionMethod><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDETCCAfmgAwIBAgIJANHjOPAHeEmDMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNVBAMMFHdpbm1h LVRoaW5rUGFkLVQ1NDBwMB4XDTE4MDgyMzEwMjMwN1oXDTI4MDgyMDEwMjMwN1owHzEdMBsGA1UE AwwUd2lubWEtVGhpbmtQYWQtVDU0MHAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD Fm+rdHkXuSYgT+Oy836x86/frlZiYp3UZ1g+5oG8XbzztjQKju0lnZ/kdRtD3eZJbW+iLi6VrXpo /ZsaXf/w2f0id4UxoSXaAKxThqcjv+v97w1jBkUdXLcmxR0QgFYNqnbl6aYclBUnctMsRGhaUccL IP8L6UAqY5CwfkR3ZxzPwARtTSpWDgPbiBd+YGh5FzhPPCSwnOFvVYCxRTr4l5VyUYNiq33N1lpb j+FXhqao6z9OS6R/aVD6lgENOODhOG3Hhiv7Kevoq9xDo11cGDpA8qiYw/MdEKYDvHOEkIWwPqJe Xw0GkQnjI3xWPYuFqhza/3OfG3YlLTi+5qMXAgMBAAGjUDBOMB0GA1UdDgQWBBTZlaVvvtvUCo1I bOh5C3sA35mdRjAfBgNVHSMEGDAWgBTZlaVvvtvUCo1IbOh5C3sA35mdRjAMBgNVHRMEBTADAQH/ MA0GCSqGSIb3DQEBCwUAA4IBAQC3VIKBX2hHlISwfmZCt/v5LUEbhJLoMlIs5gJvJn/xsGEb/rQD BUZ7T6JdXARe6Y5rXxJVgd+F3ZxXjJkJ8VMz4V2RVJ1zabjhXqRLbNeDd4t4OMNPT29r5cEoPCWc JNxJ9QMOnlSsWZdAQUknz4oqFQ8AuyYIpy6/kx9hParv8FQbbQHfiXkBjniLwnyq9itiq4iDL2gz LB/WpZAnmNTU3kfTOHurQs+T8+9NOenBw30FNGsXuBpfeeveNLUsGKa+OFPfI0iHaaw0j9YRxaT4 dL3NWBn+tsu8YjliK+krYwTYVjw2bFCzdNZUlinl6zOD7m4bsqsNEZG8AKCBrqj6</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>BG786Sv9rN+xl5FQpEPDcbJ8xU22vs58rfPApaGfNL91bRS7agPVUYEfj3gtL6lVfCCxwKhBCQWf 92QGwuQpSJM5y8ExfqiXDWr+xAWQaHfP5JfidGhO9/2ZTS4jE6QskBcI2jT8wBi8R78sMyqNlh5O GJ/S9Lgb18GLX3Eo9hfhUaI0aC/gCOr2QI5Cc41FN+2eh72Ik7pNLFkdhzYuvIh8zaxwIchDtT4f Rs5Q/Q38VAfmYb25bOV9CN9mh08wh4wIyGhRcqw8B95QMLWzPke4v/0pCQZgbpNhbE9yWDOVf1uY 
TZE0h3Ar510NEmmNFyK7lnHuboDvidDfjG3Fsg==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>qgG9m8Ni0f9hoiSpG+/hLSdPTWGgx4ew7aN/0KBYsmgdGuXZc5zs1ePRPCc3GdkPhgX9gryn3LJo Gt9iKelw7mW0rwhUY40Fk/M2QtFjOJZbNlO/sAI8TXIWtwar5yMnZTSnwR1ebP/XdWn84Q+xlr7Z QYCYHOOTUm9imuN4KCm3elxorTnTdfeTmtd524qcL/FCSS2whqvT8qJEHN2HzAQL7IeyYY6O4rZy MfX950fea0ROd8Kd3ox6XwxriHurDq0wVyk+7eLw3VY1JMdaO85tM9LI55PYZXY23indQRHtO1tZ 4VU8r8xY8+xHSYr8ZxRBaOXzilBd91vTkB/el0oeyEepDBD2jk8mbAPqlpigDesmibxkUBPG6rW0 /vOVqKb40nnpqCx4BIX6+CA18Fb3UkgiSAG8qvT7w6Ilg1YXWIhuM+hLWIJvN7cp3gQEZ9kE3n2Y hcsAIiLsu8ogWNEkGOpmpSmEh4o4R/bVxCjNuMoDRsF1JJsgnLkdpPgslGQksbQG6j+4iI0G5kVp CWXn43q6/7QJ2dmkkqYu+OWukgXap5qXr7L62PTbo2tpiDKAE3ZalWVggb+p21/CbENXys+IhgiJ j+5CIxD9Kg7RbaVKjBbadvDVM/Kjic7zxy4tcUdPF8a19dPNh98RqOfAu2U4HL1yX7LSH2KmMkKk aMh+knCqy+OM2AhRIbUt+pMT46C5KE2iwAD8n8kO6OJf4mEuc5+V1wmd8DeJP5ZNzJEpHas1aMkx EKvdob4+VablLMu+COBgHkyAZy+MFPdCMpbN8lvUnnpGezG/uI1oEuH5S5+y+T3H5ADlgTc2MBRu Uq6cgPnNKKx2B6QlYD9QvKHcPvpADzDc6vfubMdS9LuSOeMw1ynvvjPLI0j2Qdi57yHu34SXFYnD QtR+D+B95+mxNFMX0USbIWugrc5GPoN2fHgZLnLrcX4HP2b2NzYumbXbUeHynOCgaNJl3iX7vuGk SVix/vGX7fuHKM6AfWn0elC5SxwQ844R1HIUOpzXVZnhzqQkrTwcslLWyW5+UBRYrzEpxQ7wAKl2 6Dp7UHj4afgyx1CEyAMhIGTUIJ3rHWF+EfsQcNl/xs3cLxrs//Vo6ZZF97RvVPyMnqHs0GSDsYts 4/iRVj8Syw2Cagf9PoBJDlokCcEvoOlhHoEnkmXGQcO1ipY+Zen75bq4IetlNLIjUsRXENti4R2g Hq25z/9A1i7b9DocUD3UY96sVV8JrsIt3IK6+rqgPZY3qC+XScsR6L54HMRMvsacZATmezo0yD61 nBKuYO2vhUbtXLBOB2KEws9lP5zk3u2Or3lRXsxHViT1yeqJDfykZARv/Ne4GaRvdrHYjRyQEweu WRw9lNFm7szdIZyYB7+IZFlTef5Hug7iHsRSTL21dxWPZBGrSgIYBXdfhMvEI88UDScLq4jOUrxh 8Jut5UZSvH7L0Nj4BkqPbf7QKFJ4ly1wVatyvZmfq1kuaIulTKcGFMFO/Y2djRkiR/OFoGp4hg/D jqATIAuSkqKFRAqVKlOW9rjKaHM8qOf0L8xhqda8ZL7cnREuGKoxSPPnrj4AJ5yY6glDMhSEV5lI WwZ+MmSoahvmoWnGvllqQmN/LRLTU7Sa9aiQBA0PQFMd2HmTVuLWr9W9OuZPcQ516aBe5TxZOEOY x5w6fe+Zho1Hv+zPR+C95GGUjKwXgwoVIwhSkqoPzeBsDYfB+6+An6BPRybU4iSJkvj5ZKfT0Ock 6I+GFoPtNpD9+c4xIZ9Vy1FGnCiBBeKw+cdu75KI+pxdVdEhrS7PwB65GOYvNsd5qTSW5YeIr7eR 
ujrPikZlzmMOUCldZAh7GlZzVXKiwlPNrXKsjJYV+4pn+w0XPdIXlVmbcR+4j9YPV/f+ckrDXfZ6 qtEr91DnqpZpj9Gh0/x1FG1RFn0FJ2vvAMThU9/ez6oq84Cl0MQ9A/CF2qdG/C0lFfcjiLQsOWeW 290h5XlUbnzIfwoEEYL8dy2DpJAxB44iwWcyAeasFaBB9Yv/I4bVM6F7FKirBXolmQZoBqUA+Vyh jKcD630nAJe1Qa8Y9q/xDreAopXGsJhJAvjL/Eu6ngHBCqKvpIREzxLfuExbdMUWHieQMkZRtnfG /Y6ttQQqLh4kM/Ys9RnAuj9L1av5f31zx/WSYLanGTWZ2WdlwhjjVdRrFgeeVcv9TeVPpsdZ2E0M PZw6yqMtq0tUbDBWrvxXgBZI9jr1yfl/MJJgamPIqnpgMW0Aaf2ZTUeAumj0JfLbbJYwZEZlccxH +hU9blYuo9i1Kzm1z7iG+TgQASTGQDyE12i680JVvnQGrrkCAPsZNxoPq7Sgot6nGzJI/8Fzl5hn QsHXlnzH90B/D/kq0IfL/HO3crgLZ7h6aT5nfEmNeGf6WqyeuEKEEiOaeYhOXUfLpDC1K8IPacRu bQ3tGwW+8jpvgr12OYkvjoSWeZ53muWLAlmeLZxY5OXnG1vWRpLUD/w5DL6zq2gYRe5nk6INpNec QSPKQpr5Dpim+mm5ROn+JhBo0TBdoYg5/91CP+FiHR95yGpEB+g85qxhpxUb7stI68HglhntT+ER 2jLvuQDtlp+eixVw1J2m7IfLK/RGjeJj7xk8NwgVAlZ79p34Tz9el1Nn8EyF3hUGlg==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></saml2:EncryptedAssertion></saml2p:Response></soap11:Body></soap11:Envelope>
< HTTP/1.1 200 OK
< Date: Sun, 02 Sep 2018 18:26:21 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Sun, 02 Sep 2018 13:50:49 GMT
< ETag: "5e-574e3b65fe2f3"
< Accept-Ranges: bytes
< Content-Length: 94
< Vary: Accept-Encoding
< Content-Type: text/html
<
<html>
<body>
If you see this page!!! That means your ECP client works !!!!!!
</body>
</html>

Undergraduate, CSE @University of Moratuwa, Former Software Engineering Intern @ WSO2
