From b5212d58ec9411b5b17b7f11fab76a407340e57f Mon Sep 17 00:00:00 2001
From: Hynek Mlnarik <hmlnarik@redhat.com>
Date: Mon, 23 Jan 2017 13:43:55 +0100
Subject: [PATCH] KEYCLOAK-4236 Fix AttributeProfile element handler in SAML
 metadata

---
 .../common/constants/JBossSAMLConstants.java  |   2 +-
 .../metadata/SAMLEntityDescriptorParser.java  |   3 +
 .../core/parsers/saml/SAMLParserTest.java     |   8 +
 ...KEYCLOAK-4236-AttributeProfile-element.xml | 180 ++++++++++++++++++
 4 files changed, 192 insertions(+), 1 deletion(-)
 create mode 100644 saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4236-AttributeProfile-element.xml

diff --git a/saml-core-api/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java b/saml-core-api/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java
index d0b8b855b3..fd6acd4e4b 100755
--- a/saml-core-api/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java
+++ b/saml-core-api/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java
@@ -29,7 +29,7 @@ public enum JBossSAMLConstants {
             "AssertionConsumerService"), ASSERTION_CONSUMER_SERVICE_URL("AssertionConsumerServiceURL"), ASSERTION_CONSUMER_SERVICE_INDEX(
             "AssertionConsumerServiceIndex"), ASSERTION_ID_REQUEST_SERVICE("AssertionIDRequestService"), ATTRIBUTE("Attribute"), ATTRIBUTE_QUERY(
             "AttributeQuery"), ATTRIBUTE_AUTHORITY_DESCRIPTOR("AttributeAuthorityDescriptor"), ATTRIBUTE_CONSUMING_SERVICE(
-            "AttributeConsumingService"), ATTRIBUTE_CONSUMING_SERVICE_INDEX("AttributeConsumingServiceIndex"), ATTRIBUTE_SERVICE(
+            "AttributeConsumingService"), ATTRIBUTE_CONSUMING_SERVICE_INDEX("AttributeConsumingServiceIndex"), ATTRIBUTE_PROFILE("AttributeProfile"), ATTRIBUTE_SERVICE(
             "AttributeService"), ATTRIBUTE_STATEMENT("AttributeStatement"), ATTRIBUTE_VALUE("AttributeValue"), AUDIENCE(
             "Audience"), AUDIENCE_RESTRICTION("AudienceRestriction"), AUTHN_CONTEXT("AuthnContext"), AUTHENTICATING_AUTHORITY(
             "AuthenticatingAuthority"), AUTHN_AUTHORITY_DESCRIPTOR("AuthnAuthorityDescriptor"), AUTHN_CONTEXT_CLASS_REF(
diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java b/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
index 2af29a37ff..5c3c30b2f5 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
@@ -363,6 +363,9 @@ public class SAMLEntityDescriptorParser extends AbstractDescriptorParser impleme
                 StaxParserUtil.validate(endElement, JBossSAMLConstants.ATTRIBUTE_SERVICE.get());
 
                 attributeAuthority.addAttributeService(endpoint);
+            } else if (JBossSAMLConstants.ATTRIBUTE_PROFILE.get().equalsIgnoreCase(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                attributeAuthority.addAttributeProfile(StaxParserUtil.getElementText(xmlEventReader));
             } else if (JBossSAMLConstants.KEY_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
                 attributeAuthority.addKeyDescriptor(parseKeyDescriptor(xmlEventReader));
             } else if (JBossSAMLConstants.NAMEID_FORMAT.get().equalsIgnoreCase(localPart)) {
diff --git a/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java
index 51854fcc5f..fdacdd7412 100644
--- a/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java
+++ b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java
@@ -155,4 +155,12 @@ public class SAMLParserTest {
             assertThat(parsedObject, instanceOf(EntityDescriptorType.class));
         }
     }
+
+    @Test
+    public void testAttributeProfileMetadata() throws Exception {
+        try (InputStream st = SAMLParserTest.class.getResourceAsStream("KEYCLOAK-4236-AttributeProfile-element.xml")) {
+            Object parsedObject = parser.parse(st);
+            assertThat(parsedObject, instanceOf(EntityDescriptorType.class));
+        }
+    }
 }
diff --git a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4236-AttributeProfile-element.xml b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4236-AttributeProfile-element.xml
new file mode 100644
index 0000000000..14bdf8e41f
--- /dev/null
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4236-AttributeProfile-element.xml
@@ -0,0 +1,180 @@
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdext="urn:oasis:names:tc:SAML:metadata:extension" xmlns:ns10="urn:oasis:names:tc:SAML:profiles:v1metadata" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="id-x-io4poU3tSqnNHhcDCTgbsMAMYMc-DQFWTm61QB" cacheDuration="P30DT0H0M0S" entityID="http://host.localdomain:14100/oam/fed" validUntil="2025-09-05T15:21:38Z">
+    <dsig:Signature>
+        <dsig:SignedInfo>
+            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+            <dsig:Reference URI="#id-x-io4poU3tSqnNHhcDCTgbsMAMYMc-DQFWTm61QB">
+                <dsig:Transforms>
+                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+                </dsig:Transforms>
+                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+                <dsig:DigestValue>XKGk9TDAD9Exf4cz5B/HN4WyuII=</dsig:DigestValue>
+            </dsig:Reference>
+        </dsig:SignedInfo>
+        <dsig:SignatureValue>
+            C9dJFysqd2DsRSshxU8TIuqo1ECN5ASx6m8wT1sXxuBjQ1eitkgTs0ufC8P/t1aewOaDtg955+HTFnuOhV2r+rjoo8MY6Vrfdb14sj5UkTRU8Bv+ktnaPlBv+hKBVSwBVUwruSraTSaka7N42MfpteHupZGOcbeA3dSde/qg1AQ=
+        </dsig:SignatureValue>
+        <dsig:KeyInfo>
+            <dsig:X509Data>
+                <dsig:X509Certificate>
+                    MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                </dsig:X509Certificate>
+            </dsig:X509Data>
+        </dsig:KeyInfo>
+    </dsig:Signature>
+    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:KeyDescriptor use="signing">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+        </md:KeyDescriptor>
+        <md:KeyDescriptor use="encryption">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+        </md:KeyDescriptor>
+        <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://host.localdomain:14100/oamfed/idp/soap" index="1" isDefault="true"/>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://host.localdomain:14100/oamfed/idp/samlv20" ResponseLocation="http://host.localdomain:14100/oamfed/idp/samlv20"/>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://host.localdomain:14100/oamfed/idp/samlv20" ResponseLocation="http://host.localdomain:14100/oamfed/idp/samlv20"/>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://host.localdomain:14100/oamfed/idp/samlv20"/>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://host.localdomain:14100/oamfed/idp/soap"/>
+        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://host.localdomain:14100/oamfed/idp/samlv20"/>
+    </md:IDPSSODescriptor>
+    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:KeyDescriptor use="signing">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+        </md:KeyDescriptor>
+        <md:KeyDescriptor use="encryption">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+        </md:KeyDescriptor>
+        <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://host.localdomain:14100/oamfed/aa/soap"/>
+        <md:AttributeProfile>
+            urn:oasis:names:tc:SAML:2.0:profiles:attribute:basic
+        </md:AttributeProfile>
+    </md:AttributeAuthorityDescriptor>
+    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:KeyDescriptor use="signing">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+        </md:KeyDescriptor>
+        <md:KeyDescriptor use="encryption">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+        </md:KeyDescriptor>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://host.localdomain:14100/oamfed/sp/samlv20" ResponseLocation="http://host.localdomain:14100/oamfed/sp/samlv20"/>
+        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://host.localdomain:14100/oamfed/sp/samlv20" ResponseLocation="http://host.localdomain:14100/oamfed/sp/samlv20"/>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://host.localdomain:14100/oam/server/fed/sp/sso" index="0" isDefault="true"/>
+        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://host.localdomain:14100/oam/server/fed/sp/sso" index="1"/>
+    </md:SPSSODescriptor>
+    <md:RoleDescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" xsi:type="query:AttributeQueryDescriptorType">
+        <md:KeyDescriptor use="signing">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+        </md:KeyDescriptor>
+        <md:KeyDescriptor use="encryption">
+            <dsig:KeyInfo>
+                <dsig:X509Data>
+                    <dsig:X509Certificate>
+                        MIIB/DCCAWWgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wHhcNMTUwOTA4MTUyMTM4WhcNMjUwOTA1MTUyMTM4WjAjMSEwHwYDVQQDExhvYW1zZXJ2ZXJwczMubG9jYWxkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIYXVJI+3G8AL/8sRC2BRVc9uGZudAuc/KZARTwK5+fEJywBSOnB+p+MCYjDTkCOehtK7V3UX/lXJvkQwSBaAl938RUNyW5WcOV+mi0C8yqR8VEAHL4EqnikUtOD7kysp0FNBT+Z71G6c4kJ2fszZyggiUUdjPuQHSqHFB4smfQrAgMBAAGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAwfYADAdBgNVHQ4EFgQUql4UpKGYI9j30VJGuJkBoTqCwjAwDQYJKoZIhvcNAQEEBQADgYEAc9du+MB7/uZDd73JX5/31naQnW0GvORIH5hszlp8c8Z7KlQzfwxLgldK5RCO61Qw10LjYARZiVm/1YhsRJ5qRWeMDfO4+soTBgMd2/dyyp25RsmEoANMToB1CWGWujlB2L/A33dU6Zbo1qtsuxhfQg1mYHd935+Xyd8j8175/mk=
+                    </dsig:X509Certificate>
+                    <dsig:X509IssuerSerial>
+                        <dsig:X509IssuerName>CN=host.localdomain</dsig:X509IssuerName>
+                        <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
+                    </dsig:X509IssuerSerial>
+                    <dsig:X509SubjectName>CN=host.localdomain</dsig:X509SubjectName>
+                </dsig:X509Data>
+            </dsig:KeyInfo>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+            <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+        </md:KeyDescriptor>
+    </md:RoleDescriptor>
+</md:EntityDescriptor>
\ No newline at end of file