Patches for logging SAML assertions
From f1488a370a1de1df79a45c3c07b6bb5af5bd88fc Mon Sep 17 00:00:00 2001
From: Luis Miranda <[email protected]>
Date: Fri, 11 Sep 2020 14:44:48 +0100
Subject: [PATCH] test(master): log all SAML payloads for manual comparison
---
package.json | 4 ++-
test/saml11.tests.js | 74 ++++++++++++++++++++++++++++++++++++++++++++++------
test/saml20.tests.js | 72 +++++++++++++++++++++++++++++++++++++++++---------
3 files changed, 128 insertions(+), 22 deletions(-)
diff --git a/package.json b/package.json
index 83c47b1..9cb1e63 100644
--- a/package.json
+++ b/package.json
@@ -3,7 +3,9 @@
"version": "0.14.0",
"devDependencies": {
"mocha": "3.5.3",
- "should": "~1.2.1"
+ "should": "~1.2.1",
+ "timekeeper": "^2.2.0",
+ "xml-formatter": "^2.1.3"
},
"main": "./lib",
"repository": "https://github.com/auth0/node-saml",
diff --git a/test/saml11.tests.js b/test/saml11.tests.js
index d924c27..3415abe 100644
--- a/test/saml11.tests.js
+++ b/test/saml11.tests.js
@@ -5,9 +5,24 @@ var assert = require('assert'),
should = require('should'),
xmldom = require('xmldom'),
xmlenc = require('xml-encryption'),
- saml11 = require('../lib/saml11');
+ saml11 = require('../lib/saml11')
+ timekeeper = require('timekeeper');
+
+var format = require('xml-formatter');
+
+function logAssertion(test, assertion) {
+ console.log('Saml11', '"' + test.test.fullTitle() + '"');
+ console.log(format(assertion));
+}
describe('saml 1.1', function () {
+ before(function () {
+ timekeeper.freeze(new Date(123));
+ });
+
+ after(function () {
+ timekeeper.reset();
+ });
it('should create a saml 1.1 signed assertion', function () {
// cert created with:
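Review bot: The added line `saml11 = require('../lib/saml11')` ends without a comma, so the `var` list stops there and `timekeeper = require('timekeeper');` on the next line becomes a plain assignment to an undeclared name. In sloppy mode that creates an implicit global, and it would throw a ReferenceError if the file runs in strict mode (the top of the file is outside the hunk, so the mode is not confirmed here). Write `saml11 = require('../lib/saml11'),` or declare it on its own as `var timekeeper = require('timekeeper');`, the way `format` is declared two lines below. The same missing comma appears in the first hunk of test/saml20.tests.js after `saml = require('../lib/saml20')`. The `describe` body continues outside the hunk.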
@@ -19,6 +34,7 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
});
@@ -31,6 +47,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
assert.equal('urn:issuer', utils.getIssuer(signedAssertion));
});
@@ -41,6 +59,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
// 2012-12-17T01:59:14.782Z
var now = moment.utc();
var issueInstant = moment(utils.getIssueInstant(signedAssertion)).utc();
@@ -58,6 +78,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var id = utils.getAssertionID(signedAssertion);
assert.equal('_', id[0]); // first char is underscore
});
@@ -70,6 +92,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var conditions = utils.getConditions(signedAssertion);
assert.equal(1, conditions.length);
var notBefore = conditions[0].getAttribute('NotBefore');
@@ -89,6 +113,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var audiences = utils.getAudiences(signedAssertion);
assert.equal(1, audiences.length);
assert.equal('urn:myapp', audiences[0].textContent);
@@ -102,6 +128,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var audiences = utils.getAudiences(signedAssertion);
assert.equal(2, audiences.length);
assert.equal('urn:myapp', audiences[0].textContent);
@@ -122,6 +150,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -149,6 +179,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var attributes = utils.getAttributes(signedAssertion);
assert.equal(1, attributes.length);
assert.equal('role', attributes[0].getAttribute('AttributeName'));
@@ -165,6 +197,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var nameIdentifier = utils.getNameIdentifier(signedAssertion);
assert.equal('foo', nameIdentifier.textContent);
});
@@ -177,6 +211,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
assert.equal(-1, signedAssertion.indexOf('\n'));
});
@@ -188,6 +224,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var authenticationStatement = utils.getAuthenticationStatement(signedAssertion);
assert.ok(!!authenticationStatement.getAttribute('AuthenticationInstant'));
});
@@ -199,6 +237,8 @@ describe('saml 1.1', function () {
nameIdentifier: 'foo'
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var nameIdentifier = utils.getAuthenticationStatement(signedAssertion)
.getElementsByTagName('saml:NameIdentifier')[0]
.textContent;
@@ -212,6 +252,8 @@ describe('saml 1.1', function () {
nameIdentifier: 'foo'
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var format = utils.getAuthenticationStatement(signedAssertion)
.getElementsByTagName('saml:NameIdentifier')[0]
.getAttribute('Format');
@@ -225,6 +267,8 @@ describe('saml 1.1', function () {
nameIdentifier: 'foo'
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var format = utils.getNameIdentifier(signedAssertion)
.getAttribute('Format');
assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', format);
@@ -238,6 +282,8 @@ describe('saml 1.1', function () {
nameIdentifierFormat: 'http://foo'
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var format = utils.getAuthenticationStatement(signedAssertion)
.getElementsByTagName('saml:NameIdentifier')[0]
.getAttribute('Format');
@@ -252,6 +298,8 @@ describe('saml 1.1', function () {
xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']"
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
var signature = doc.documentElement.getElementsByTagName('Signature');
@@ -275,6 +323,8 @@ describe('saml 1.1', function () {
};
var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -312,14 +362,17 @@ describe('saml 1.1', function () {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
key: fs.readFileSync(__dirname + '/test-auth0.key'),
encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
- encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem')
+ encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ holderOfKeyProofSecret: Buffer.alloc(32) // for deterministic
};
+ var instance = this;
saml11.create(options, function(err, encrypted) {
if (err) return done(err);
-
+
xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
+ logAssertion(instance, decrypted);
var isValid = utils.isValidSignature(decrypted, options.cert);
assert.equal(true, isValid);
done();
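Review bot: `logAssertion(instance, decrypted)` writes the decrypted plaintext of an encrypted assertion to stdout on every test run, and the helper has no switch to turn it off. With the test key pair visible here the content is not sensitive, but CI logs are typically retained and readable by more people than the test fixtures are, so unconditional payload logging is better kept opt-in. Consider making the first line of `logAssertion` a guard such as `if (!process.env.LOG_SAML_ASSERTIONS) return;` (the variable name is a suggestion, not an existing setting). This applies to every `logAssertion` call added in test/saml11.tests.js and test/saml20.tests.js. The test body starts and ends outside the hunk.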
@@ -333,15 +386,18 @@ describe('saml 1.1', function () {
key: fs.readFileSync(__dirname + '/test-auth0.key'),
encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- subjectConfirmationMethod: 'holder-of-key'
+ subjectConfirmationMethod: 'holder-of-key',
+ holderOfKeyProofSecret: Buffer.alloc(32) // for deterministic
};
+ var instance = this;
saml11.create(options, function(err, encrypted, proofSecret) {
if (err) return done(err);
-
+
xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
-
+ logAssertion(instance, decrypted);
+
var doc = new xmldom.DOMParser().parseFromString(decrypted);
var subjectConfirmationNodes = doc.documentElement.getElementsByTagName('saml:SubjectConfirmation');
assert.equal(2, subjectConfirmationNodes.length);
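Review bot: The comment on `holderOfKeyProofSecret: Buffer.alloc(32) // for deterministic` is cut short and does not say that the value is an all-zero 32-byte secret. Spell it out so the line is not copied as a usable default: `// test-only: fixed all-zero proof secret so the logged assertion is reproducible`. The same option and comment are added in the preceding hunk, where no `subjectConfirmationMethod` is visible, so the option may have no effect in that test. The test body continues outside the hunk.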
@@ -350,7 +406,7 @@ describe('saml 1.1', function () {
assert.equal(method.textContent, 'urn:oasis:names:tc:SAML:1.0:cm:holder-of-key');
var decryptedProofSecret = xmlenc.decryptKeyInfo(subjectConfirmationNodes[i], options);
- assert.equal(proofSecret.toString('base64'), decryptedProofSecret.toString('base64'));
+ assert.equal(options.holderOfKeyProofSecret.toString('base64'), decryptedProofSecret.toString('base64'));
}
done();
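Review bot: After this change the `proofSecret` argument of the `saml11.create` callback is never checked, so a regression in the value handed back to callers would pass unnoticed. Keep an assertion on it next to the new one, for example `assert.equal(proofSecret.toString('base64'), decryptedProofSecret.toString('base64'));`, which presumably holds whether the secret is supplied through `options` or generated by the library. The loop and the callbacks around these lines start outside the hunk.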
@@ -372,11 +428,13 @@ describe('saml 1.1', function () {
}
};
+ var instance = this;
saml11.create(options, function(err, encrypted) {
if (err) return done(err);
-
+
xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
+ logAssertion(instance, decrypted);
var isValid = utils.isValidSignature(decrypted, options.cert);
assert.equal(true, isValid);
diff --git a/test/saml20.tests.js b/test/saml20.tests.js
index e351cfa..16145ad 100644
--- a/test/saml20.tests.js
+++ b/test/saml20.tests.js
@@ -5,9 +5,28 @@ var assert = require('assert'),
should = require('should'),
xmldom = require('xmldom'),
xmlenc = require('xml-encryption'),
- saml = require('../lib/saml20');
+ saml = require('../lib/saml20')
+ timekeeper = require('timekeeper');
+
+var format = require('xml-formatter');
+
+function logAssertion(test, assertion) {
+ console.log('Saml20', '"' + test.test.fullTitle() + '"');
+ console.log(format(assertion));
+}
describe('saml 2.0', function () {
+ before(function () {
+ timekeeper.freeze(new Date(123));
+ });
+
+ after(function () {
+ timekeeper.reset();
+ });
+
+ beforeEach(function () {
+ console.log('');
+ })
it('whole thing with default authnContextClassRef', function () {
var options = {
@@ -25,6 +44,7 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
+ logAssertion(this, signedAssertion);
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -70,7 +90,7 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -102,7 +122,8 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -142,7 +163,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -185,7 +208,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -224,7 +249,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -263,7 +290,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -309,6 +338,8 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
+ logAssertion(this, signedAssertion);
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -355,7 +386,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -381,7 +414,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -406,7 +441,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -431,7 +468,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -457,7 +496,9 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
-
+ logAssertion(this, signedAssertion);
+
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -475,6 +516,8 @@ describe('saml 2.0', function () {
};
var signedAssertion = saml.create(options);
+ logAssertion(this, signedAssertion);
+
var isValid = utils.isValidSignature(signedAssertion, options.cert);
assert.equal(true, isValid);
@@ -494,13 +537,14 @@ describe('saml 2.0', function () {
encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem')
};
+ var instance = this;
saml.create(options, function(err, encrypted) {
if (err) return done(err);
-
var encryptedData = utils.getEncryptedData(encrypted);
xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
+ logAssertion(instance, decrypted);
var isValid = utils.isValidSignature(decrypted, options.cert);
assert.equal(true, isValid);
done();
@@ -522,6 +566,7 @@ describe('saml 2.0', function () {
}
};
+ var instance = this;
saml.create(options, function(err, encrypted) {
if (err) return done(err);
@@ -529,6 +574,7 @@ describe('saml 2.0', function () {
xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
if (err) return done(err);
+ logAssertion(instance, decrypted);
var isValid = utils.isValidSignature(decrypted, options.cert);
assert.equal(true, isValid);
--
2.16.2
From cc391fcd5aa0145d64eaf5f2c36cca37c2f35058 Mon Sep 17 00:00:00 2001
From: Luis Miranda <[email protected]>
Date: Mon, 14 Sep 2020 10:47:27 +0100
Subject: [PATCH] test(refactor): log all SAML payloads for manual comparison
---
package.json | 4 +-
test/saml11.tests.js | 785 +++++++++++++++++++++--------------------
test/saml20.tests.js | 972 ++++++++++++++++++++++++++-------------------------
3 files changed, 905 insertions(+), 856 deletions(-)
diff --git a/package.json b/package.json
index ef75275..79eaf6c 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,9 @@
"husky": "^4.3.0",
"mocha": "3.5.3",
"should": "~1.2.1",
- "standard-version": "^9.0.0"
+ "standard-version": "^9.0.0",
+ "timekeeper": "^2.2.0",
+ "xml-formatter": "^2.1.3"
},
"main": "./lib",
"repository": "https://github.com/auth0/node-saml",
diff --git a/test/saml11.tests.js b/test/saml11.tests.js
index 0e7a3c8..f14ecd6 100644
--- a/test/saml11.tests.js
+++ b/test/saml11.tests.js
@@ -4,419 +4,458 @@ var moment = require('moment');
var should = require('should');
var xmldom = require('xmldom');
var xmlenc = require('xml-encryption');
+var timekeeper = require('timekeeper');
+var format = require('xml-formatter');
var utils = require('./utils');
var saml11 = require('../lib/saml11');
+function logAssertion(test, assertion) {
+ console.log('Saml11', '"' + test.test.fullTitle() + '"');
+ console.log(format(assertion));
+}
+
describe('saml 1.1', function () {
+ before(function () {
+ timekeeper.freeze(new Date(123));
+ });
- saml11TestSuite({
- createAssertion: 'create',
- assertSignature: Object.assign(function (assertion, options) {
- assert.isTrue(utils.isValidSignature(assertion, options.cert));
- }, {
- it: it
- })
+ after(function () {
+ timekeeper.reset();
});
- saml11TestSuite({
- createAssertion: 'createUnsignedAssertion',
- assertSignature: Object.assign(function (assertion) {
- assert.isEmpty(utils.getXmlSignatures(assertion));
- }, {
- it: it.skip
- })
+ it('should create a saml 1.1 signed assertion', function () {
+ // cert created with:
+ // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem
+
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key')
+ };
+
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+ var isValid = utils.isValidSignature(signedAssertion, options.cert);
+ assert.equal(true, isValid);
});
-
- function saml11TestSuite(options) {
- var createAssertion = options.createAssertion;
- var assertSignature = options.assertSignature;
-
- describe('#' + createAssertion, function () {
- it('should create a saml 1.1 assertion', function () {
- // cert created with:
- // openssl req -x509 -new -newkey rsa:2048 -nodes -subj '/CN=auth0.auth0.com/O=Auth0 LLC/C=US/ST=Washington/L=Redmond' -keyout auth0.key -out auth0.pem
-
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key')
- };
-
- var signedAssertion = saml11[createAssertion](options);
- assertSignature(signedAssertion, options);
- });
- it('should support specifying Issuer property', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- issuer: 'urn:issuer'
- };
+ it('should support specifying Issuer property', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ issuer: 'urn:issuer'
+ };
- var signedAssertion = saml11[createAssertion](options);
- assert.equal('urn:issuer', utils.getIssuer(signedAssertion));
- });
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
- it('should create IssueInstant property', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key')
- };
-
- var signedAssertion = saml11[createAssertion](options);
- // 2012-12-17T01:59:14.782Z
- var now = moment.utc();
- var issueInstant = moment(utils.getIssueInstant(signedAssertion)).utc();
- assert.equal(now.year(), issueInstant.year());
- assert.equal(now.month(), issueInstant.month());
- assert.equal(now.day(), issueInstant.day());
- assert.equal(now.hours(), issueInstant.hours());
- assert.equal(now.minutes(), issueInstant.minutes());
- });
+ assert.equal('urn:issuer', utils.getIssuer(signedAssertion));
+ });
- it('should create AssertionID and start with underscore', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key')
- };
+ it('should create IssueInstant property', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key')
+ };
+
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ // 2012-12-17T01:59:14.782Z
+ var now = moment.utc();
+ var issueInstant = moment(utils.getIssueInstant(signedAssertion)).utc();
+ assert.equal(now.year(), issueInstant.year());
+ assert.equal(now.month(), issueInstant.month());
+ assert.equal(now.day(), issueInstant.day());
+ assert.equal(now.hours(), issueInstant.hours());
+ assert.equal(now.minutes(), issueInstant.minutes());
+ });
- var signedAssertion = saml11[createAssertion](options);
- var id = utils.getAssertionID(signedAssertion);
- assert.equal('_', id[0]); // first char is underscore
- });
+ it('should create AssertionID and start with underscore', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key')
+ };
- it('should create NotBefore and NotOnOrAfter properties', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- lifetimeInSeconds: 600
- };
-
- var signedAssertion = saml11[createAssertion](options);
- var conditions = utils.getConditions(signedAssertion);
- assert.equal(1, conditions.length);
- var notBefore = conditions[0].getAttribute('NotBefore');
- var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
- should.ok(notBefore);
- should.ok(notOnOrAfter);
-
- var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
- assert.equal(600, lifetime);
- });
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
- it('should set audience restriction', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- audiences: 'urn:myapp'
- };
-
- var signedAssertion = saml11[createAssertion](options);
- var audiences = utils.getAudiences(signedAssertion);
- assert.equal(1, audiences.length);
- assert.equal('urn:myapp', audiences[0].textContent);
- });
+ var id = utils.getAssertionID(signedAssertion);
+ assert.equal('_', id[0]); // first char is underscore
+ });
- it('should set multiple audience restriction', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- audiences: ['urn:myapp', 'urn:myapp2']
- };
-
- var signedAssertion = saml11[createAssertion](options);
- var audiences = utils.getAudiences(signedAssertion);
- assert.equal(2, audiences.length);
- assert.equal('urn:myapp', audiences[0].textContent);
- assert.equal('urn:myapp2', audiences[1].textContent);
- });
+ it('should create NotBefore and NotOnOrAfter properties', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ lifetimeInSeconds: 600
+ };
+
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var conditions = utils.getConditions(signedAssertion);
+ assert.equal(1, conditions.length);
+ var notBefore = conditions[0].getAttribute('NotBefore');
+ var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
+ should.ok(notBefore);
+ should.ok(notOnOrAfter);
+
+ var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
+ assert.equal(600, lifetime);
+ });
- it('should set attributes', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- var signedAssertion = saml11[createAssertion](options);
-
- assertSignature(signedAssertion, options);
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(3, attributes.length);
- assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
- assert.equal('[email protected]', attributes[0].firstChild.textContent);
- assert.equal('name', attributes[1].getAttribute('AttributeName'));
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[1].getAttribute('AttributeNamespace'));
- assert.equal('Foo Bar', attributes[1].firstChild.textContent);
- assert.equal('testaccent', attributes[2].getAttribute('AttributeName'));
- assert.equal('http://example.org/claims', attributes[2].getAttribute('AttributeNamespace'));
- assert.equal('fóo', attributes[2].firstChild.textContent);
- });
+ it('should set audience restriction', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ audiences: 'urn:myapp'
+ };
- it('should set attributes with multiple values', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role': ['admin','contributor']
- }
- };
-
- var signedAssertion = saml11[createAssertion](options);
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(1, attributes.length);
- assert.equal('role', attributes[0].getAttribute('AttributeName'));
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
- assert.equal('admin', attributes[0].childNodes[0].textContent);
- assert.equal('contributor', attributes[0].childNodes[1].textContent);
- });
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
- it('should set NameIdentifier', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- nameIdentifier: 'foo'
- };
+ var audiences = utils.getAudiences(signedAssertion);
+ assert.equal(1, audiences.length);
+ assert.equal('urn:myapp', audiences[0].textContent);
+ });
- var signedAssertion = saml11[createAssertion](options);
- var nameIdentifier = utils.getNameIdentifier(signedAssertion);
- assert.equal('foo', nameIdentifier.textContent);
- });
+ it('should set multiple audience restriction', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ audiences: ['urn:myapp', 'urn:myapp2']
+ };
- it('should not contains line breaks', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- nameIdentifier: 'foo'
- };
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
- var signedAssertion = saml11[createAssertion](options);
- assert.equal(-1, signedAssertion.indexOf('\n'));
- });
+ var audiences = utils.getAudiences(signedAssertion);
+ assert.equal(2, audiences.length);
+ assert.equal('urn:myapp', audiences[0].textContent);
+ assert.equal('urn:myapp2', audiences[1].textContent);
+ });
- it('should set AuthenticationInstant', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- nameIdentifier: 'foo'
- };
+ it('should set attributes', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+
+ var isValid = utils.isValidSignature(signedAssertion, options.cert);
+ assert.equal(true, isValid);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(3, attributes.length);
+ assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
+ assert.equal('[email protected]', attributes[0].firstChild.textContent);
+ assert.equal('name', attributes[1].getAttribute('AttributeName'));
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[1].getAttribute('AttributeNamespace'));
+ assert.equal('Foo Bar', attributes[1].firstChild.textContent);
+ assert.equal('testaccent', attributes[2].getAttribute('AttributeName'));
+ assert.equal('http://example.org/claims', attributes[2].getAttribute('AttributeNamespace'));
+ assert.equal('fóo', attributes[2].firstChild.textContent);
+ });
- var signedAssertion = saml11[createAssertion](options);
- var authenticationStatement = utils.getAuthenticationStatement(signedAssertion);
- assert.ok(!!authenticationStatement.getAttribute('AuthenticationInstant'));
- });
+ it('should set attributes with multiple values', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role': ['admin','contributor']
+ }
+ };
+
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(1, attributes.length);
+ assert.equal('role', attributes[0].getAttribute('AttributeName'));
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
+ assert.equal('admin', attributes[0].childNodes[0].textContent);
+ assert.equal('contributor', attributes[0].childNodes[1].textContent);
+ });
- it('should set AuthenticationStatement NameIdentifier', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- nameIdentifier: 'foo'
- };
- var signedAssertion = saml11[createAssertion](options);
- var nameIdentifier = utils.getAuthenticationStatement(signedAssertion)
- .getElementsByTagName('saml:NameIdentifier')[0]
- .textContent;
- assert.equal('foo', nameIdentifier);
- });
+ it('should set NameIdentifier', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ nameIdentifier: 'foo'
+ };
- it('should set AuthenticationStatement NameFormat', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- nameIdentifier: 'foo'
- };
- var signedAssertion = saml11[createAssertion](options);
- var format = utils.getAuthenticationStatement(signedAssertion)
- .getElementsByTagName('saml:NameIdentifier')[0]
- .getAttribute('Format');
- assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', format);
- });
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
- it('should set AttirubteStatement NameFormat', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- nameIdentifier: 'foo'
- };
- var signedAssertion = saml11[createAssertion](options);
- var format = utils.getNameIdentifier(signedAssertion)
- .getAttribute('Format');
- assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', format);
- });
+ var nameIdentifier = utils.getNameIdentifier(signedAssertion);
+ assert.equal('foo', nameIdentifier.textContent);
+ });
- it('should override AttirubteStatement NameFormat', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- nameIdentifier: 'foo',
- nameIdentifierFormat: 'http://foo'
- };
- var signedAssertion = saml11[createAssertion](options);
- var format = utils.getAuthenticationStatement(signedAssertion)
- .getElementsByTagName('saml:NameIdentifier')[0]
- .getAttribute('Format');
-
- assert.equal('http://foo', format);
- });
+ it('should not contains line breaks', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ nameIdentifier: 'foo'
+ };
- assertSignature.it('should place signature where specified', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']"
- };
- var signedAssertion = saml11[createAssertion](options);
- var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
- var signature = doc.documentElement.getElementsByTagName('Signature');
+ assert.equal(-1, signedAssertion.indexOf('\n'));
+ });
- assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
- });
+ it('should set AuthenticationInstant', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ nameIdentifier: 'foo'
+ };
- it('should test the whole thing', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- issuer: 'urn:issuer',
- lifetimeInSeconds: 600,
- audiences: 'urn:myapp',
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
- },
- nameIdentifier: 'foo',
- nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
- };
-
- var signedAssertion = saml11[createAssertion](options);
- assertSignature(signedAssertion, options);
-
- var nameIdentifier = utils.getNameIdentifier(signedAssertion);
- assert.equal('foo', nameIdentifier.textContent);
- assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(2, attributes.length);
- assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
- assert.equal('[email protected]', attributes[0].firstChild.textContent);
- assert.equal('name', attributes[1].getAttribute('AttributeName'));
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[1].getAttribute('AttributeNamespace'));
- assert.equal('Foo Bar', attributes[1].firstChild.textContent);
-
- assert.equal('urn:issuer', utils.getIssuer(signedAssertion));
-
- var conditions = utils.getConditions(signedAssertion);
- assert.equal(1, conditions.length);
- var notBefore = conditions[0].getAttribute('NotBefore');
- var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
- should.ok(notBefore);
- should.ok(notOnOrAfter);
-
- var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
- assert.equal(600, lifetime);
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
- });
+ var authenticationStatement = utils.getAuthenticationStatement(signedAssertion);
+ assert.ok(!!authenticationStatement.getAttribute('AuthenticationInstant'));
+ });
+
+ it('should set AuthenticationStatement NameIdentifier', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ nameIdentifier: 'foo'
+ };
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var nameIdentifier = utils.getAuthenticationStatement(signedAssertion)
+ .getElementsByTagName('saml:NameIdentifier')[0]
+ .textContent;
+ assert.equal('foo', nameIdentifier);
+ });
+
+ it('should set AuthenticationStatement NameFormat', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ nameIdentifier: 'foo'
+ };
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var format = utils.getAuthenticationStatement(signedAssertion)
+ .getElementsByTagName('saml:NameIdentifier')[0]
+ .getAttribute('Format');
+ assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', format);
+ });
+
+ it('should set AttirubteStatement NameFormat', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ nameIdentifier: 'foo'
+ };
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var format = utils.getNameIdentifier(signedAssertion)
+ .getAttribute('Format');
+ assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', format);
+ });
+
+ it('should override AttirubteStatement NameFormat', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ nameIdentifier: 'foo',
+ nameIdentifierFormat: 'http://foo'
+ };
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var format = utils.getAuthenticationStatement(signedAssertion)
+ .getElementsByTagName('saml:NameIdentifier')[0]
+ .getAttribute('Format');
+
+ assert.equal('http://foo', format);
+ });
+
+ it('should place signature where specified', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']"
+ };
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+
+ var signature = doc.documentElement.getElementsByTagName('Signature');
- describe('encryption', function () {
-
- it('should create a saml 1.1 encrypted assertion', function (done) {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
- encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem')
- };
-
- saml11[createAssertion](options, function(err, encrypted) {
- if (err) return done(err);
-
- xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
- if (err) return done(err);
- assertSignature(decrypted, options);
- done();
- });
- });
+ assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
+ });
+
+ it('should test the whole thing', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ issuer: 'urn:issuer',
+ lifetimeInSeconds: 600,
+ audiences: 'urn:myapp',
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
+ },
+ nameIdentifier: 'foo',
+ nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
+ };
+
+ var signedAssertion = saml11.create(options);
+ logAssertion(this, signedAssertion);
+
+ var isValid = utils.isValidSignature(signedAssertion, options.cert);
+ assert.equal(true, isValid);
+
+ var nameIdentifier = utils.getNameIdentifier(signedAssertion);
+ assert.equal('foo', nameIdentifier.textContent);
+ assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(2, attributes.length);
+ assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
+ assert.equal('[email protected]', attributes[0].firstChild.textContent);
+ assert.equal('name', attributes[1].getAttribute('AttributeName'));
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[1].getAttribute('AttributeNamespace'));
+ assert.equal('Foo Bar', attributes[1].firstChild.textContent);
+
+ assert.equal('urn:issuer', utils.getIssuer(signedAssertion));
+
+ var conditions = utils.getConditions(signedAssertion);
+ assert.equal(1, conditions.length);
+ var notBefore = conditions[0].getAttribute('NotBefore');
+ var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
+ should.ok(notBefore);
+ should.ok(notOnOrAfter);
+
+ var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
+ assert.equal(600, lifetime);
+
+ });
+
+ describe('encryption', function () {
+
+ it('should create a saml 1.1 signed and encrypted assertion', function (done) {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+ encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ holderOfKeyProofSecret: Buffer.alloc(32) // for deterministic
+ };
+
+ var instance = this;
+ saml11.create(options, function(err, encrypted) {
+ if (err) return done(err);
+
+ xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
+ if (err) return done(err);
+ logAssertion(instance, decrypted);
+ var isValid = utils.isValidSignature(decrypted, options.cert);
+ assert.equal(true, isValid);
+ done();
});
+ });
+ });
- it('should support holder-of-key suject confirmationmethod', function (done) {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
- encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- subjectConfirmationMethod: 'holder-of-key'
- };
-
- saml11[createAssertion](options, function(err, encrypted, proofSecret) {
- if (err) return done(err);
-
- xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
- if (err) return done(err);
-
- var doc = new xmldom.DOMParser().parseFromString(decrypted);
- var subjectConfirmationNodes = doc.documentElement.getElementsByTagName('saml:SubjectConfirmation');
- assert.equal(2, subjectConfirmationNodes.length);
- for (var i=0;i<subjectConfirmationNodes.length;i++) {
- var method = subjectConfirmationNodes[i].getElementsByTagName('saml:ConfirmationMethod')[0];
- assert.equal(method.textContent, 'urn:oasis:names:tc:SAML:1.0:cm:holder-of-key');
-
- var decryptedProofSecret = xmlenc.decryptKeyInfo(subjectConfirmationNodes[i], options);
- assert.equal(proofSecret.toString('base64'), decryptedProofSecret.toString('base64'));
- }
-
- done();
- });
- });
+ it('should support holder-of-key suject confirmationmethod', function (done) {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+ encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ subjectConfirmationMethod: 'holder-of-key',
+ holderOfKeyProofSecret: Buffer.alloc(32) // for deterministic
+ };
+
+ var instance = this;
+ saml11.create(options, function(err, encrypted, proofSecret) {
+ if (err) return done(err);
+
+ xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
+ if (err) return done(err);
+ logAssertion(instance, decrypted);
+
+ var doc = new xmldom.DOMParser().parseFromString(decrypted);
+ var subjectConfirmationNodes = doc.documentElement.getElementsByTagName('saml:SubjectConfirmation');
+ assert.equal(2, subjectConfirmationNodes.length);
+ for (var i=0;i<subjectConfirmationNodes.length;i++) {
+ var method = subjectConfirmationNodes[i].getElementsByTagName('saml:ConfirmationMethod')[0];
+ assert.equal(method.textContent, 'urn:oasis:names:tc:SAML:1.0:cm:holder-of-key');
+
+ var decryptedProofSecret = xmlenc.decryptKeyInfo(subjectConfirmationNodes[i], options);
+ assert.equal(options.holderOfKeyProofSecret.toString('base64'), decryptedProofSecret.toString('base64'));
+ }
+
+ done();
});
+ });
+ });
- it('should set attributes', function (done) {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
- encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- saml11[createAssertion](options, function(err, encrypted) {
- if (err) return done(err);
-
- xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
- if (err) return done(err);
-
- assertSignature(decrypted, options);
-
- var attributes = utils.getAttributes(decrypted);
- assert.equal(3, attributes.length);
- assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
- assert.equal('[email protected]', attributes[0].firstChild.textContent);
- assert.equal('name', attributes[1].getAttribute('AttributeName'));
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[1].getAttribute('AttributeNamespace'));
- assert.equal('Foo Bar', attributes[1].firstChild.textContent);
- assert.equal('testaccent', attributes[2].getAttribute('AttributeName'));
- assert.equal('http://example.org/claims', attributes[2].getAttribute('AttributeNamespace'));
- assert.equal('fóo', attributes[2].firstChild.textContent);
-
- done();
- });
- });
+ it('should set attributes', function (done) {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+ encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var instance = this;
+ saml11.create(options, function(err, encrypted) {
+ if (err) return done(err);
+
+ xmlenc.decrypt(encrypted, { key: fs.readFileSync(__dirname + '/test-auth0.key')}, function(err, decrypted) {
+ if (err) return done(err);
+ logAssertion(instance, decrypted);
+
+ var isValid = utils.isValidSignature(decrypted, options.cert);
+ assert.equal(true, isValid);
+
+ var attributes = utils.getAttributes(decrypted);
+ assert.equal(3, attributes.length);
+ assert.equal('emailaddress', attributes[0].getAttribute('AttributeName'));
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[0].getAttribute('AttributeNamespace'));
+ assert.equal('[email protected]', attributes[0].firstChild.textContent);
+ assert.equal('name', attributes[1].getAttribute('AttributeName'));
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims', attributes[1].getAttribute('AttributeNamespace'));
+ assert.equal('Foo Bar', attributes[1].firstChild.textContent);
+ assert.equal('testaccent', attributes[2].getAttribute('AttributeName'));
+ assert.equal('http://example.org/claims', attributes[2].getAttribute('AttributeNamespace'));
+ assert.equal('fóo', attributes[2].firstChild.textContent);
+
+ done();
});
});
});
- }
+
+ });
+
});
diff --git a/test/saml20.tests.js b/test/saml20.tests.js
index b55a7b6..dd39831 100644
--- a/test/saml20.tests.js
+++ b/test/saml20.tests.js
@@ -6,548 +6,556 @@ var should = require('should');
var xmldom = require('xmldom');
var xmlenc = require('xml-encryption');
+var timekeeper = require('timekeeper');
+var format = require('xml-formatter');
+
var saml = require('../lib/saml20');
+function logAssertion(test, assertion) {
+ console.log('Saml20', '"' + test.test.fullTitle() + '"');
+ console.log(format(assertion));
+}
+
describe('saml 2.0', function () {
+ before(function () {
+ timekeeper.freeze(new Date(123));
+ });
+
+ after(function () {
+ timekeeper.reset();
+ });
+
saml20TestSuite({
createAssertion: 'create',
- assertSignature: Object.assign(function (assertion, options) {
- assert.isTrue(utils.isValidSignature(assertion, options.cert));
+ assertSignature: Object.assign(function (test, assertion, options) {
+ assert.isTrue(utils.isValidSignature(assertion, options.cert));
+ logAssertion(test, assertion);
}, {
it: it
})
});
- saml20TestSuite({
- createAssertion: 'createUnsignedAssertion',
- assertSignature: Object.assign(function (assertion) {
- assert.isEmpty(utils.getXmlSignatures(assertion));
- }, {
- it: it.skip
+ function saml20TestSuite({ createAssertion, assertSignature }) {
+ beforeEach(function () {
+ console.log('');
})
- });
-
- function saml20TestSuite(options) {
- var createAssertion = options.createAssertion;
- var assertSignature = options.assertSignature;
-
- describe('#' + createAssertion, function () {
- it('whole thing with default authnContextClassRef', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- issuer: 'urn:issuer',
- lifetimeInSeconds: 600,
- audiences: 'urn:myapp',
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
- },
- nameIdentifier: 'foo',
- nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
- };
-
- var signedAssertion = saml[createAssertion](options);
- assertSignature(signedAssertion, options);
-
- var nameIdentifier = utils.getNameID(signedAssertion);
- assert.equal('foo', nameIdentifier.textContent);
- assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(2, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('Foo Bar', attributes[1].textContent);
-
- assert.equal('urn:issuer', utils.getSaml2Issuer(signedAssertion).textContent);
-
- var conditions = utils.getConditions(signedAssertion);
- assert.equal(1, conditions.length);
- var notBefore = conditions[0].getAttribute('NotBefore');
- var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
- should.ok(notBefore);
- should.ok(notOnOrAfter);
-
- var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
- assert.equal(600, lifetime);
-
- var authnContextClassRef = utils.getAuthnContextClassRef(signedAssertion);
- assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', authnContextClassRef.textContent);
- });
-
- it('should set attributes', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- var signedAssertion = saml[createAssertion](options);
- assertSignature(signedAssertion, options);
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(3, attributes.length);
- assert.equal('saml:AttributeStatement', attributes[0].parentNode.nodeName);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('Foo Bar', attributes[1].textContent);
- assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
- assert.equal('fóo', attributes[2].textContent);
- });
-
- it('should set attributes with the correct attribute type', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://attributes/boolean': true,
- 'http://attributes/booleanNegative': false,
- 'http://attributes/number': 123,
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- var signedAssertion = saml[createAssertion](options);
-
- assertSignature(signedAssertion, options);
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(6, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('Foo Bar', attributes[1].textContent);
- assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
- assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
- assert.equal('fóo', attributes[2].textContent);
- assert.equal('http://attributes/boolean', attributes[3].getAttribute('Name'));
- assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
- assert.equal('true', attributes[3].textContent);
- assert.equal('http://attributes/booleanNegative', attributes[4].getAttribute('Name'));
- assert.equal('xs:boolean', attributes[4].firstChild.getAttribute('xsi:type'));
- assert.equal('false', attributes[4].textContent);
- assert.equal('http://attributes/number', attributes[5].getAttribute('Name'));
- assert.equal('xs:double', attributes[5].firstChild.getAttribute('xsi:type'));
- assert.equal('123', attributes[5].textContent);
- });
-
- it('should set attributes with the correct attribute type and NameFormat', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'testaccent': 'fóo', // should supports accents
- 'urn:test:1:2:3': true,
- '123~oo': 123,
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- var signedAssertion = saml[createAssertion](options);
-
- assertSignature(signedAssertion, options);
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(5, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[0].getAttribute('NameFormat'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[1].getAttribute('NameFormat'));
- assert.equal('Foo Bar', attributes[1].textContent);
- assert.equal('testaccent', attributes[2].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', attributes[2].getAttribute('NameFormat'));
- assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
- assert.equal('fóo', attributes[2].textContent);
- assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[3].getAttribute('NameFormat'));
- assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
- assert.equal('true', attributes[3].textContent);
- assert.equal('123~oo', attributes[4].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified', attributes[4].getAttribute('NameFormat'));
- assert.equal('xs:double', attributes[4].firstChild.getAttribute('xsi:type'));
- assert.equal('123', attributes[4].textContent);
- });
-
- it('should set attributes to anytpe when typedAttributes is false', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- typedAttributes: false,
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://attributes/boolean': true,
- 'http://attributes/number': 123,
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- var signedAssertion = saml[createAssertion](options);
-
- assertSignature(signedAssertion, options);
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(5, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('Foo Bar', attributes[1].textContent);
- assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
- assert.equal('xs:anyType', attributes[2].firstChild.getAttribute('xsi:type'));
- assert.equal('fóo', attributes[2].textContent);
- assert.equal('http://attributes/boolean', attributes[3].getAttribute('Name'));
- assert.equal('xs:anyType', attributes[3].firstChild.getAttribute('xsi:type'));
- assert.equal('true', attributes[3].textContent);
- assert.equal('http://attributes/number', attributes[4].getAttribute('Name'));
- assert.equal('xs:anyType', attributes[4].firstChild.getAttribute('xsi:type'));
- assert.equal('123', attributes[4].textContent);
- });
- it('should not set NameFormat in attributes when includeAttributeNameFormat is false', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- typedAttributes: false,
- includeAttributeNameFormat: false,
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'testaccent': 'fóo', // should supports accents
- 'urn:test:1:2:3': true,
- '123~oo': 123,
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- var signedAssertion = saml[createAssertion](options);
-
- assertSignature(signedAssertion, options);
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(5, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('', attributes[0].getAttribute('NameFormat'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('', attributes[1].getAttribute('NameFormat'));
- assert.equal('Foo Bar', attributes[1].textContent);
- assert.equal('testaccent', attributes[2].getAttribute('Name'));
- assert.equal('', attributes[2].getAttribute('NameFormat'));
- assert.equal('fóo', attributes[2].textContent);
- assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
- assert.equal('', attributes[3].getAttribute('NameFormat'));
- assert.equal('true', attributes[3].textContent);
- assert.equal('123~oo', attributes[4].getAttribute('Name'));
- assert.equal('', attributes[4].getAttribute('NameFormat'));
- assert.equal('123', attributes[4].textContent);
- });
-
- it('should ignore undefined attributes in array', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'arrayAttribute': [ 'foo', undefined, 'bar'],
- 'urn:test:1:2:3': true,
- '123~oo': 123,
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
+ it('whole thing with default authnContextClassRef', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ issuer: 'urn:issuer',
+ lifetimeInSeconds: 600,
+ audiences: 'urn:myapp',
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
+ },
+ nameIdentifier: 'foo',
+ nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+ assertSignature(this, signedAssertion, options);
+
+ var nameIdentifier = utils.getNameID(signedAssertion);
+ assert.equal('foo', nameIdentifier.textContent);
+ assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(2, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+
+ assert.equal('urn:issuer', utils.getSaml2Issuer(signedAssertion).textContent);
+
+ var conditions = utils.getConditions(signedAssertion);
+ assert.equal(1, conditions.length);
+ var notBefore = conditions[0].getAttribute('NotBefore');
+ var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
+ should.ok(notBefore);
+ should.ok(notOnOrAfter);
+
+ var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
+ assert.equal(600, lifetime);
+
+ var authnContextClassRef = utils.getAuthnContextClassRef(signedAssertion);
+ assert.equal('urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified', authnContextClassRef.textContent);
+ });
- var signedAssertion = saml[createAssertion](options);
-
- assertSignature(signedAssertion, options);
-
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(5, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[0].getAttribute('NameFormat'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[1].getAttribute('NameFormat'));
- assert.equal('Foo Bar', attributes[1].textContent);
- assert.equal('arrayAttribute', attributes[2].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', attributes[2].getAttribute('NameFormat'));
- assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
- assert.equal(2, attributes[2].childNodes.length);
- assert.equal('foo', attributes[2].childNodes[0].textContent);
- // undefined should not be here
- assert.equal('bar', attributes[2].childNodes[1].textContent);
- assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[3].getAttribute('NameFormat'));
- assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
- assert.equal('true', attributes[3].textContent);
- assert.equal('123~oo', attributes[4].getAttribute('Name'));
- assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified', attributes[4].getAttribute('NameFormat'));
- assert.equal('xs:double', attributes[4].firstChild.getAttribute('xsi:type'));
- assert.equal('123', attributes[4].textContent);
- });
+ it('should set attributes', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+ assertSignature(this, signedAssertion, options);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(3, attributes.length);
+ assert.equal('saml:AttributeStatement', attributes[0].parentNode.nodeName);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+ assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
+ assert.equal('fóo', attributes[2].textContent);
+ });
- it('whole thing with specific authnContextClassRef', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- issuer: 'urn:issuer',
- lifetimeInSeconds: 600,
- audiences: 'urn:myapp',
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
- },
- nameIdentifier: 'foo',
- nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
- authnContextClassRef: 'specific'
- };
+ it('should set attributes with the correct attribute type', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://attributes/boolean': true,
+ 'http://attributes/booleanNegative': false,
+ 'http://attributes/number': 123,
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(6, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+ assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
+ assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
+ assert.equal('fóo', attributes[2].textContent);
+ assert.equal('http://attributes/boolean', attributes[3].getAttribute('Name'));
+ assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
+ assert.equal('true', attributes[3].textContent);
+ assert.equal('http://attributes/booleanNegative', attributes[4].getAttribute('Name'));
+ assert.equal('xs:boolean', attributes[4].firstChild.getAttribute('xsi:type'));
+ assert.equal('false', attributes[4].textContent);
+ assert.equal('http://attributes/number', attributes[5].getAttribute('Name'));
+ assert.equal('xs:double', attributes[5].firstChild.getAttribute('xsi:type'));
+ assert.equal('123', attributes[5].textContent);
+ });
- var signedAssertion = saml[createAssertion](options);
- assertSignature(signedAssertion, options);
+ it('should set attributes with the correct attribute type and NameFormat', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'testaccent': 'fóo', // should supports accents
+ 'urn:test:1:2:3': true,
+ '123~oo': 123,
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(5, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[0].getAttribute('NameFormat'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[1].getAttribute('NameFormat'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+ assert.equal('testaccent', attributes[2].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', attributes[2].getAttribute('NameFormat'));
+ assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
+ assert.equal('fóo', attributes[2].textContent);
+ assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[3].getAttribute('NameFormat'));
+ assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
+ assert.equal('true', attributes[3].textContent);
+ assert.equal('123~oo', attributes[4].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified', attributes[4].getAttribute('NameFormat'));
+ assert.equal('xs:double', attributes[4].firstChild.getAttribute('xsi:type'));
+ assert.equal('123', attributes[4].textContent);
+ });
- var nameIdentifier = utils.getNameID(signedAssertion);
- assert.equal('foo', nameIdentifier.textContent);
- assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
+ it('should set attributes to anytpe when typedAttributes is false', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ typedAttributes: false,
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://attributes/boolean': true,
+ 'http://attributes/number': 123,
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(5, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+ assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
+ assert.equal('xs:anyType', attributes[2].firstChild.getAttribute('xsi:type'));
+ assert.equal('fóo', attributes[2].textContent);
+ assert.equal('http://attributes/boolean', attributes[3].getAttribute('Name'));
+ assert.equal('xs:anyType', attributes[3].firstChild.getAttribute('xsi:type'));
+ assert.equal('true', attributes[3].textContent);
+ assert.equal('http://attributes/number', attributes[4].getAttribute('Name'));
+ assert.equal('xs:anyType', attributes[4].firstChild.getAttribute('xsi:type'));
+ assert.equal('123', attributes[4].textContent);
+ });
- var attributes = utils.getAttributes(signedAssertion);
- assert.equal(2, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('Foo Bar', attributes[1].textContent);
+ it('should not set NameFormat in attributes when includeAttributeNameFormat is false', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ typedAttributes: false,
+ includeAttributeNameFormat: false,
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'testaccent': 'fóo', // should supports accents
+ 'urn:test:1:2:3': true,
+ '123~oo': 123,
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(5, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('', attributes[0].getAttribute('NameFormat'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('', attributes[1].getAttribute('NameFormat'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+ assert.equal('testaccent', attributes[2].getAttribute('Name'));
+ assert.equal('', attributes[2].getAttribute('NameFormat'));
+ assert.equal('fóo', attributes[2].textContent);
+ assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
+ assert.equal('', attributes[3].getAttribute('NameFormat'));
+ assert.equal('true', attributes[3].textContent);
+ assert.equal('123~oo', attributes[4].getAttribute('Name'));
+ assert.equal('', attributes[4].getAttribute('NameFormat'));
+ assert.equal('123', attributes[4].textContent);
+ });
- assert.equal('urn:issuer', utils.getSaml2Issuer(signedAssertion).textContent);
+ it('should ignore undefined attributes in array', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'arrayAttribute': [ 'foo', undefined, 'bar'],
+ 'urn:test:1:2:3': true,
+ '123~oo': 123,
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(5, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[0].getAttribute('NameFormat'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[1].getAttribute('NameFormat'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+ assert.equal('arrayAttribute', attributes[2].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:basic', attributes[2].getAttribute('NameFormat'));
+ assert.equal('xs:string', attributes[2].firstChild.getAttribute('xsi:type'));
+ assert.equal(2, attributes[2].childNodes.length);
+ assert.equal('foo', attributes[2].childNodes[0].textContent);
+ // undefined should not be here
+ assert.equal('bar', attributes[2].childNodes[1].textContent);
+ assert.equal('urn:test:1:2:3', attributes[3].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', attributes[3].getAttribute('NameFormat'));
+ assert.equal('xs:boolean', attributes[3].firstChild.getAttribute('xsi:type'));
+ assert.equal('true', attributes[3].textContent);
+ assert.equal('123~oo', attributes[4].getAttribute('Name'));
+ assert.equal('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified', attributes[4].getAttribute('NameFormat'));
+ assert.equal('xs:double', attributes[4].firstChild.getAttribute('xsi:type'));
+ assert.equal('123', attributes[4].textContent);
+ });
- var conditions = utils.getConditions(signedAssertion);
- assert.equal(1, conditions.length);
- var notBefore = conditions[0].getAttribute('NotBefore');
- var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
- should.ok(notBefore);
- should.ok(notOnOrAfter);
+ it('whole thing with specific authnContextClassRef', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ issuer: 'urn:issuer',
+ lifetimeInSeconds: 600,
+ audiences: 'urn:myapp',
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar'
+ },
+ nameIdentifier: 'foo',
+ nameIdentifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+ authnContextClassRef: 'specific'
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+ assertSignature(this, signedAssertion, options);
+
+ var nameIdentifier = utils.getNameID(signedAssertion);
+ assert.equal('foo', nameIdentifier.textContent);
+ assert.equal('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', nameIdentifier.getAttribute('Format'));
+
+ var attributes = utils.getAttributes(signedAssertion);
+ assert.equal(2, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+
+ assert.equal('urn:issuer', utils.getSaml2Issuer(signedAssertion).textContent);
+
+ var conditions = utils.getConditions(signedAssertion);
+ assert.equal(1, conditions.length);
+ var notBefore = conditions[0].getAttribute('NotBefore');
+ var notOnOrAfter = conditions[0].getAttribute('NotOnOrAfter');
+ should.ok(notBefore);
+ should.ok(notOnOrAfter);
+
+ var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
+ assert.equal(600, lifetime);
+
+ var authnContextClassRef = utils.getAuthnContextClassRef(signedAssertion);
+ assert.equal('specific', authnContextClassRef.textContent);
+ });
- var lifetime = Math.round((moment(notOnOrAfter).utc() - moment(notBefore).utc()) / 1000);
- assert.equal(600, lifetime);
+ assertSignature.it('should place signature where specified', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
- var authnContextClassRef = utils.getAuthnContextClassRef(signedAssertion);
- assert.equal('specific', authnContextClassRef.textContent);
- });
+ var signedAssertion = saml[createAssertion](options);
- assertSignature.it('should place signature where specified', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
+ assertSignature(this, signedAssertion, options);
- var signedAssertion = saml[createAssertion](options);
+ var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+ var signature = doc.documentElement.getElementsByTagName('Signature');
- assertSignature(signedAssertion, options);
+ assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
+ });
- var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
- var signature = doc.documentElement.getElementsByTagName('Signature');
+ assertSignature.it('should place signature with prefix where specified', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
+ signatureNamespacePrefix: 'anyprefix',
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+ var signature = doc.documentElement.getElementsByTagName(options.signatureNamespacePrefix + ':Signature');
+ assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
+ });
- assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
- });
+ assertSignature.it('should place signature with prefix where specified (backwards compat)', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
+ prefix: 'anyprefix',
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+ var signature = doc.documentElement.getElementsByTagName(options.prefix + ':Signature');
+ assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
+ });
- assertSignature.it('should place signature with prefix where specified', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
- signatureNamespacePrefix: 'anyprefix',
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
+ assertSignature.it('should ignore prefix if not a string', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
+ signatureNamespacePrefix: 123,
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+ var signature = doc.documentElement.getElementsByTagName('Signature');
+ assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
+ });
- var signedAssertion = saml[createAssertion](options);
- assertSignature(signedAssertion, options);
+ it('should not include AudienceRestriction when there are no audiences', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
+ signatureNamespacePrefix: 123,
+ attributes: {
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
+ 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
+ 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
+ 'http://example.org/claims/testaccent': 'fóo', // should supports accents
+ 'http://undefinedattribute/ws/com.com': undefined
+ }
+ };
+
+ var signedAssertion = saml[createAssertion](options);
+
+ assertSignature(this, signedAssertion, options);
+
+ var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+ var audienceRestriction = doc.documentElement.getElementsByTagName('saml:AudienceRestriction');
+ assert.equal(audienceRestriction.length, 0);
+ });
- var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
- var signature = doc.documentElement.getElementsByTagName(options.signatureNamespacePrefix + ':Signature');
- assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
- });
+ it('should not include AttributeStatement when there are no attributes', function () {
+ var options = {
+ cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
+ key: fs.readFileSync(__dirname + '/test-auth0.key'),
+ xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
+ signatureNamespacePrefix: 123
+ };
- assertSignature.it('should place signature with prefix where specified (backwards compat)', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
- prefix: 'anyprefix',
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
+ var signedAssertion = saml[createAssertion](options);
- var signedAssertion = saml[createAssertion](options);
+ assertSignature(this, signedAssertion, options);
- assertSignature(signedAssertion, options);
+ var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
+ var attributeStatement = doc.documentElement.getElementsByTagName('saml:AttributeStatement');
+ assert.equal(attributeStatement.length, 0);
+ });
- var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
- var signature = doc.documentElement.getElementsByTagName(options.prefix + ':Signature');
- assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
- });
+ describe('encryption', function () {
- assertSignature.it('should ignore prefix if not a string', function () {
+ it('should create a saml 2.0 signed and encrypted assertion', function (done) {
var options = {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
key: fs.readFileSync(__dirname + '/test-auth0.key'),
- xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
- signatureNamespacePrefix: 123,
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
+ encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+ encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem')
};
- var signedAssertion = saml[createAssertion](options);
-
- assertSignature(signedAssertion, options);
+ var instance = this;
+ saml[createAssertion](options, function (err, encrypted) {
+ if (err) return done(err);
+ var encryptedData = utils.getEncryptedData(encrypted);
- var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
- var signature = doc.documentElement.getElementsByTagName('Signature');
- assert.equal('saml:Conditions', signature[0].previousSibling.nodeName);
+ xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key') }, function (err, decrypted) {
+ if (err) return done(err);
+ assertSignature(instance, decrypted, options);
+ done();
+ });
+ });
});
-
- it('should not include AudienceRestriction when there are no audiences', function () {
+ it('should set attributes', function (done) {
var options = {
cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
key: fs.readFileSync(__dirname + '/test-auth0.key'),
- xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
- signatureNamespacePrefix: 123,
+ encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
+ encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
attributes: {
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testemptyarray': [], // should dont include empty arrays
'http://example.org/claims/testaccent': 'fóo', // should supports accents
'http://undefinedattribute/ws/com.com': undefined
}
};
- var signedAssertion = saml[createAssertion](options);
-
- assertSignature(signedAssertion, options);
-
- var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
- var audienceRestriction = doc.documentElement.getElementsByTagName('saml:AudienceRestriction');
- assert.equal(audienceRestriction.length, 0);
- });
-
- it('should not include AttributeStatement when there are no attributes', function () {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- xpathToNodeBeforeSignature: "//*[local-name(.)='Conditions']",
- signatureNamespacePrefix: 123
- };
-
- var signedAssertion = saml[createAssertion](options);
+ var instance = this;
+ saml[createAssertion](options, function (err, encrypted) {
+ if (err) return done(err);
- assertSignature(signedAssertion, options);
+ var encryptedData = utils.getEncryptedData(encrypted);
- var doc = new xmldom.DOMParser().parseFromString(signedAssertion);
- var attributeStatement = doc.documentElement.getElementsByTagName('saml:AttributeStatement');
- assert.equal(attributeStatement.length, 0);
- });
-
- describe('encryption', function () {
-
- it('should create a saml 2.0 signed and encrypted assertion', function (done) {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
- encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem')
- };
-
- saml[createAssertion](options, function (err, encrypted) {
+ xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key') }, function (err, decrypted) {
if (err) return done(err);
- var encryptedData = utils.getEncryptedData(encrypted);
-
- xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key') }, function (err, decrypted) {
- if (err) return done(err);
- assertSignature(decrypted, options);
- done();
- });
- });
- });
-
- it('should set attributes', function (done) {
- var options = {
- cert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- key: fs.readFileSync(__dirname + '/test-auth0.key'),
- encryptionPublicKey: fs.readFileSync(__dirname + '/test-auth0_rsa.pub'),
- encryptionCert: fs.readFileSync(__dirname + '/test-auth0.pem'),
- attributes: {
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': '[email protected]',
- 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Foo Bar',
- 'http://example.org/claims/testaccent': 'fóo', // should supports accents
- 'http://undefinedattribute/ws/com.com': undefined
- }
- };
-
- saml[createAssertion](options, function (err, encrypted) {
- if (err) return done(err);
-
- var encryptedData = utils.getEncryptedData(encrypted);
-
- xmlenc.decrypt(encryptedData.toString(), { key: fs.readFileSync(__dirname + '/test-auth0.key') }, function (err, decrypted) {
- if (err) return done(err);
-
- assertSignature(decrypted, options);
+ assertSignature(instance, decrypted, options);
- var attributes = utils.getAttributes(decrypted);
- assert.equal(3, attributes.length);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
- assert.equal('[email protected]', attributes[0].textContent);
- assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
- assert.equal('Foo Bar', attributes[1].textContent);
- assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
- assert.equal('fóo', attributes[2].textContent);
+ var attributes = utils.getAttributes(decrypted);
+ assert.equal(3, attributes.length);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', attributes[0].getAttribute('Name'));
+ assert.equal('[email protected]', attributes[0].textContent);
+ assert.equal('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', attributes[1].getAttribute('Name'));
+ assert.equal('Foo Bar', attributes[1].textContent);
+ assert.equal('http://example.org/claims/testaccent', attributes[2].getAttribute('Name'));
+ assert.equal('fóo', attributes[2].textContent);
- done();
- });
+ done();
});
});
});
--
2.16.2
Saml11 "saml 1.1 should create a saml 1.1 signed assertion"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_mUcEwMFOVHOmsErjoergKjvjZOuVZhba" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_mUcEwMFOVHOmsErjoergKjvjZOuVZhba">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
dRqcLPOYe6ZJb2W58d1iblnQNa9N12b+pCRXAAu5qzA=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
QuzCw+z80TDNx7ywgcd6rKSxRKqEMPJ5/MxLdrZ836AuZLjtRsaF31vjzWnwoTi8QcQkz6Ah2UrPUiXyBHZ+gtyABePR1NsHcTvfMZr/pljthJa6dxbyC1zdw3F/ng1J79KADWem0UfLIbxloGDJeU4WNs5Fk0iTJ3To2OHEQN8POKoqV1+HVytKrMNyh8lEihbZ64j9QZsUeu12XueaTLHEpF1ce0/ZDrwR12zI05WS8bbC8atrQxrKFULvQW2oy8TLPc9QdEOZUC70Kl/5sUW92nEmsjFkcJQqryBIcKrns+nxoVaSA4zsxQrRZ6wKIDqgydHOx6dUBT3wrwNo8Q==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should support specifying Issuer property"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_zwEMxmCYtY84Mpbv5iPCGP8QZKXW59He" IssueInstant="1970-01-01T00:00:00.123Z" Issuer="urn:issuer">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_zwEMxmCYtY84Mpbv5iPCGP8QZKXW59He">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
vmm9VJVPJ/z38Sz7/EUi32BXF7ybs6CpmeqEG+Mbl7Y=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
LHwIuOQCgC226HSKDD0n3PNLy5bsfljYKA1tVS4E6EX034e7CrpcJbhv46g1xu5iA/gjBjtPaV1uBFlrUfOLmH7k78UGRCAu8s7s6Jw78qEsmII3kBTXGWOLKH//XcFrHiPrCz/GT7Ii5W6K9bvy2YOS+Ab0/OyIGkGPnKO1pPEWH9AWabWtOsgcoXro5AEXNm3M1EjG9FGPz7o/nqyt+MIBvIiQLoW9Msc4ToYuhH1Fg6UNwaVS4JVIO//6viJyIspCb9//ZNWh0HFEI12p2Y/I123WtjcBqxUCmIXFwTAa4Qu3KGEERDd6uKnH6YpM2oCC+Pa1YlvdjfobychqvA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should create IssueInstant property"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_KIGOy87XSIVWjrO2xxkf7VCJ4dlhkQfk" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_KIGOy87XSIVWjrO2xxkf7VCJ4dlhkQfk">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
7vXA90gAC1rz7tJSD24jS60vqrY7kr9Z8X98KD7Wqd0=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
pZnSdXiHkJAT2AptdqtEqhofZlRc0CcJddN3RoLG9wtoLcoLseVERrDDx3yX8Q/+JK5ZDxZPA6TmX7h8xtw+qjih5y6kdUh4voekkytQnDHh+jDV5AgIfduSW5C7WYYyay7wwjbciuOwI3yS4nzagOnXbzW4myenzeInjtBIp0LJkeC+2d3WSGvzpQQLiea1AFFGXtq7mAixur6UTytsjLExu9C5FQyPhqhYnExs4YUruMMDqMBTdr5jMi5VhxQUDGe5t1kNg4cEFUsjRvTHmsSdHtmmoS4uhstAJzC7Mpn5aEINOoRmqQKlsJJX2ccxGDcIVDUXz6iQhwqPgPTfwQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should create AssertionID and start with underscore"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_pqPWpWZZTJo7UF2ljub7brGDm61oXx1W" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_pqPWpWZZTJo7UF2ljub7brGDm61oXx1W">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
XrwTCwJX7O9UeKgjyr61sgXr2g/BYkx/xSdTEQj06dY=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
JqazRKqLulY54Sz8iUQ3Z9Wg83SLB0UCSBCMkp+1vDvATnmFA24MtFzW05E6zSB2u8GQhP7qoPrh7l7iHKwRiy0/gp3AQX8mgid5tqQwUudjsssconiw+979QXy+S+pWDWnmP0MiczvE1Z8xYRDtDkQZD/0w1EN1XVZyp+RCMCvbvCvOgDJj0ksdHRhfcmYtTA2J5Vkgqhd9+CNlw/iCnAPrqjxxjwTyT6vE1CRsQTOt61egY2TYFy/qcRUQs3G9yNrZjaGsQuuwDB2+eqoZtPU51wE/6UxRzkzOFNALFBJcz6ukzaruH3WG/vMWjSoOyp5THtAGDgBeFIBGc47j2Q==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should create NotBefore and NotOnOrAfter properties"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_Uyrg05GnIrCNZiir5Tqyr4uOPNTrmqEl" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:10:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_Uyrg05GnIrCNZiir5Tqyr4uOPNTrmqEl">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
GnwQ5gWrqv9ki9ot1d8ud8R+2QA8RwN2WT0Iy0Eg3tQ=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
W2IhRjeYL2KsC4kUkwNj9ZKJv0TMeqgLLdef7PDQqRcjqqgPraa92N97IiZnV9Z1u575nINFuDIRPXvHdk/OoRoCJFfL1P0RAxsYVMtTiivYquf/VuFn5Cq1+pnL0ADTxGO61ezi/nUaE4isWBgVj3DS5HvaJWJCvnsInveQG0VJTxc+z7Xz6LTxWdtQNk8SBPLBPiReFhuU2kqPzjHLdxWMkRqZ5YJIrQvhL846mEb0cZ51uXC6x92us7NXBULekvxcUDE706qo9FmX96mLPbGRYF6PxFd+Kq6Vckv2qw1Nknyf2Nve38p9xeZbT8InL/K1MhY8mZncmthBCb0Rxg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set audience restriction"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_GGF47RZnNVX1iNslsKX3PDXgLM3tQYbC" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_GGF47RZnNVX1iNslsKX3PDXgLM3tQYbC">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
MElhQvxAJ6rL4i8gbJJoE4sxcBZcOgapXO1eoKUHG+U=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
hwG24ATHIiYvNn/5sfMJrsefaqJ1AeGfzFHmHC6JYWmadz0F4Nc8FTVdWUKlHM1d0zVcs4ZG8QCn2x+yM76jH22319EgfzcUWxMGi8oJF5U0aGYl89gr/RtcfOeT/HLnC3kBPQ3mLlAP6IndzWFUaEfQnP2N43261kbGiipm+cUEO7yjcxuUzFNpib8/Y9TqbsnTaIsnRkz6lbO4PM3N4Pi2+T3s9yrZVx4VVpobQYQzDuP9bf4ln5d5gYqBFH2a3sE/6gXmdrCjvVkPqInJC8k3iVlognScVG5PT6PNqhAEOgTHXJFjug4DUGMYKu5TWj30W0j0IsrAS1n/R0jtoQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set multiple audience restriction"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_5MV6kB7lcgwgkVbZzKDmGjBnNB2xw1AY" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition>
<saml:Audience>
urn:myapp
</saml:Audience>
<saml:Audience>
urn:myapp2
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_5MV6kB7lcgwgkVbZzKDmGjBnNB2xw1AY">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
AKHff2fV7heYo09MYq/YOjgd46rUUGfd+9Ut3s3AfC4=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
X0Key+5PSDMKDazDPHHXfnlQa4H+7lQwz2e9fIYdJeQMzHcP3NuMIX2bIVRenRR3nf8xxcwwULJazS3cWBhpmxDL4/08AIConINwWj/mva1cKyGxSLUC7phYRCL/LCy1DfnFcZF5EIK+bUHmTJMmg9F/KwBZhA9Msp2WVQxE3Bn7+ucStcQ7hZBl4hJy/lv3WtHortGALLvlab4S84g/uum0xhVAtqKEYzVRuvgcgTRYdrA4m+UHaCvov5DnJwkoi6ORKUvKTbB9Q8wkL+M065stCOslUakhpJHWZaLPrzDXwKQ3IKKC06yf35el8v3ItJWNnOVZ7PYTs8ADnrmsGg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_XR1YsBECGMGUfKXqUKOtlJD8YVR1dG8N" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="emailaddress">
<saml:AttributeValue>
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="name">
<saml:AttributeValue>
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://example.org/claims" AttributeName="testaccent">
<saml:AttributeValue>
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_XR1YsBECGMGUfKXqUKOtlJD8YVR1dG8N">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
Mx4/ugJC+qv5QipJnw32+osgGLtjPcZEZvQeBuHLmP4=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
sINaW4XCxKXSQ6Bowms9Tp4aGE7HeWMHVRYwAGXDDd7lQEcgbrD8X8RaX9Yav2197E3BrVYb/0G93iCsNg9U7/Ex+OZd2nYUhKSd3x4laWzO/2dw1AqvbjHbfnxzWBZfiEZjnkR2jlo09rtOXXJtELiMsM9Zhu7fL7UhVpQGNiXeu7lJXk7ZaR2YMFiKJVhJnMnqTKBiTl1Z1pNIDZKAt0Cqno7C92zL1Gbs0Q+D8g9gzsvxsBneqwJlFaz+0+JxMZY3iE2afYr8JCRr3Oyh/SduCdczp4yiBBwGw5A2CtVdcOGSKjOHPMpX/P190YREm8ABLf/D2zSLvuS6yj9mRA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set attributes with multiple values"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_qfsjtfW9AZkCBHFH1z5rSqYT3l27iw9x" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="role">
<saml:AttributeValue>
admin
</saml:AttributeValue>
<saml:AttributeValue>
contributor
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_qfsjtfW9AZkCBHFH1z5rSqYT3l27iw9x">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
UHwGtZ1MeF9N101K2ZSR79P5ZX7mENUpfd1j9yO1vmM=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Ip8WCKUmI/+yf4t/0nlJzbr8tDlPccpfsBMRBpBfIEz5dlm8yhZOtpkg8PIqk5XVK1JM4GLqXD+bB+LzakzcKl8MkGcnch7jdZVwAoelDqah8qW6BcwY3Kv515lspTYt4iLF5lCllBChudBT0j4PlnIpkvLQ25sur+zrX2KwHbOWsmPOayiZMhwUsuJonrFkcGXxNm8Z+Wz2Z4Wdz/NZAaWELdv07N37FMvv7SdcqIepcq8ROn1HzoFyN0cSydl0Kx4ZUSLt8F+2tCi13DyPA1TifFkX4c9OZ4I0LreRtIqLiQJHM25neTPu/+BVkBZFIOYxfoicc/eTwQyAZvCXZw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set NameIdentifier"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_WZenFFb8IvENTDBYXHvgfnAb1P3Qv0e3" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_WZenFFb8IvENTDBYXHvgfnAb1P3Qv0e3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
xVIzAX6Lye/txzswpNbn7Q5+vBYINyhKD3NBZlEoBzI=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
DxELlyOo2uQ//REV39cHMeka1FjClq/RKFK2dCmXeqh3UxOpNSjB1PNMDVqltOSkwjzbR1MYz8UdUhkaQzjkEhBE9QlcQGR2PB6NitkgNrLrZgtg1LwPw79JZJ3SX0enLMeNfPkvKoLpO1rP6pZZjlxfDqHTu+FUeoNGXvi4zgD/6LVL48ldobiZBfA9hnAyoOTuC3k8UgwRpO7Q1HA1tn7pqgseynTYRIC5SGFQlTSx6rHWHhhl0w79Psd9Np/APCbcZ9SQJTp2g1QWkwI3tI3H3WH6D9oc2IuTM5wjxuj8INOhEGLkipeFzmMMb4TEZ8hLx2dVcUWufOpAkerIHg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should not contains line breaks"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_JTDVdJ6pd4cXijF0xJc0ZfDaqGksYNF8" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_JTDVdJ6pd4cXijF0xJc0ZfDaqGksYNF8">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
Y7YT3vDOmn5JZq+s62KtPpcaMqRkCMzsL5KptZ5d0hg=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
YDvAG3LErM1xVJXJjhzej6szsh4cn/sc6tmX4JcWXM7rpSWw4tkiyXv43I627ONrH0dt6OMb+2u1Sr/2SEW//uJcdJ7JBnAkSv2GcJy6pcOGaOvGKNVKzY1IM6k3yfHkT3BUfb9Dsd/YST8fnJdEGBSpu4RQFIiT7gpSqMNkbBlvSXXYyXBlBwWitvrnspXJ/6zHDwdylSAOlAlVT0JvpjT9oR/Q/B5YF8OsryGjAsqX0lSqb5OIb8+A3s22u/t4k/Uc2b/qoGnlVQ+4oioLuivYuYNHq6KG7V4fLTRkUA1WDa6rdP7/toAWAkhwIkuCLou6m6+g59uAMkGdQuoDHw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AuthenticationInstant"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_1d7Qy6LAKY1MtkDqeGZxqCJhk8Z6mvLF" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_1d7Qy6LAKY1MtkDqeGZxqCJhk8Z6mvLF">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
XhMHqqis9npJVboLqD6Qv0mxeMnMU3Q+LLfPauUZu6o=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
rhbS8c5w3CeerbxC/GEg70OdNbGFvTRLZToQCiinIElJ28xDP96Ig7a2/OWb0QYVYJsdJnSgaIQUAK7XgRW4Oph6HlCijfkIEkkXcxCBVbvcfB6e02QOrJ7c1fiKBm56xJoQCu0yhgZifAyPLYdq67GS4j/azzWVJOG3eHTES74kuq6JZotL02Fp9GQ8f/cesbSRLx0czwKPaX2L6C9ZP57Z0rK8e8Blhk9Qu18BtXA4YvCDUcSfuXYvN4Bmvin71QHwY8N8i4UdaVvajlnN8UbvvPYz0VqRDH9d6mDODfGR+GT2ry8iW0u6zr1bJpbD4vr+vEW2VksSnr51LeOpnA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AuthenticationStatement NameIdentifier"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_DszMjwgegh9EGQnc9mgIaFXn7dirl8Zh" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_DszMjwgegh9EGQnc9mgIaFXn7dirl8Zh">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
iSyzjr102RLZBjpdqyblhxcHOzdzJUFEmN0X6pN/Kr4=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ravZyJk0GVMvJr56++XsGfqveasVbSFvSHLJ9mc2Npap2HettqA0/MKGK9Clg4GXZoZiUeCvip64XKdl1svMGaw9k8naqM63BdWb54K1ac16rtRhVl2L2gehR28e95EwFgJJvLy2Pu/BAnpKMJzgzyoiZqwTvODpozN4b+AWo24gq1I+ez/NIu0HSKcAUURYOJmxoxSu+YYlUCRLpEcU3EbyyXRjtKanjhGsYRgTTSYOgQHsbTOAGVgyCP+yqWuRilT+oCrgBQs8eEEJzL+k6LykaZXrbCYdjaDKVnNRsqt/2uIJIx0/DFZAUkvl49nki0jSJazGdTEnhX3Ccj4Rcg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AuthenticationStatement NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_uTQqvcZuFtS6bvOVpTfjxb78jzGLsuAa" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_uTQqvcZuFtS6bvOVpTfjxb78jzGLsuAa">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
L5+UUaNISSwuoHfY9yLjNKI2xSY7RGjkTOnwdXqNGGM=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
o/JjTT0QAwED3zApYjKCw3xkHbNwtXXyNAM1WEsvrTEbnRdgPOK+JcxTy0c9gbwyAP4ORXsj/sjLCa7KhJp7hzROCUENt7FfqyzsDqCcM39KJAO3jAk+zGLml0fu7TwIHt9CHQBYZUeIIOcc7DTDx6Af3LZSWR6D/DzuxFf7gE1QBFCNnmt5dy2OD8S868jK9f8z9yZ338x+kLWrCBcF+t4GKCR3emOOJkINQtwBue5tbzV/qk9YBwA1MBgRMkWkp09qSommfvCaGnnJna+YaY6p7tkQN30uRbPVtcOxxCfbgeVluH2YJa+LKPNaTCaUxBx4yZb61Tzp/+HIKzMSsg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AttirubteStatement NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_4UpJKwQnj4nKCeP2WpHw6spU2BQLixmH" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_4UpJKwQnj4nKCeP2WpHw6spU2BQLixmH">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
8CIbvOfoa5ooeB7ZQubY7SKARZkeuddgzoF/zrIbuhA=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
oR+T2juob3itlEXjB801hqVWvu5WHxuyqY/yiUA7C2fdKfCa+yXVUZjnXJ95dqbP9CihloiqruB4bf7sLP3mknb8KrLVEb9KQSm0R6mCSy0QTy3XKk4ojgRREOXQV36A25JAtuzC/oBV+04XnYcCsuuCQz/WCIcJruMUr6AZxFydkNIJcDWSC5wtW1sL49ebPOkqs50hiLit2wcPtyGT4R533/AA5PrBAnUsJsWFbJOimqkRvcZeBNSNfaVrz91Zm8zqmGIILiG310WFUzYFmY/VipAVMadI5V3CsiUYUZY371NtRv8c/9Bu0uyzPkyHkmWxQvA1AzustsvNtZNjfw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should override AttirubteStatement NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_UV8KcU9IoL1ufezRbv8K1X4H9G8hVqhs" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="http://foo">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="http://foo">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_UV8KcU9IoL1ufezRbv8K1X4H9G8hVqhs">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
LBqfvVHhvHdAgHPiO61OFMKBUcXtY5Z+32wLvMK1jiY=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
i+I8dchdfi8BzKfQFKZV2dgvDRq0RrEUKsmr8DJGT0phb2+Hpg9G10zvGBC2uLOTGJ1UX9mnJIbA7lmV+rLEvujrnIAD3DoFWheuzg+2/ccrA2o1MlPtaJeuSWiY8mW/vnBUyS2HpN91VXecIC2gIl+0LAUxhvFRiZHGS1Ew3faYET4ZffQrlTaq10VUvIsd0MVLZV3cUibOcehBud5mPqkg7csB8vgETeC4Y3d4d9RykrqYWWk34N2HIV5NTDBR7mR+PoaSEearNkxpOEJ6Cdm7aAo/kiHqcxcFTI8RjMA77x8Ce0cTLxydGZDY6XmU2caUqSkwKcbSiq1UvWHG/w==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should place signature where specified"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_4p88zZ3r2MaOjNkagt1ZxnKgp9QguCGV" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_4p88zZ3r2MaOjNkagt1ZxnKgp9QguCGV">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
4CN2zsnXilgPIuv0M8trs0+c8qSvonDRG1HAmDTunl8=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
R0SJkEIVTxI9ZScbn9vYjm4Umheb9FTfQzX9vpxbBdSm8ag9x8PVze5D/UxKZ4OqMtYRRM788KRqGqcaQ0pMcIXNwTIF8xx7daq9J+H5B0l2KzNt7F/1MFRYaU2MpX3bHWJfIFvUTg6WtKKy8x1bGy/9zSQxx5G18MFfv2tfe8yBAnLFHT5am3Zu5pZ/7BkoYvf0dQ0Zutw7kQCAQ8dSpQJ7W0hSl7L2SkIjpzYbtfSkFJ6Ptf4dNMQ0nijEB+S3WkG5wmGPe05g8weKuWt1LBnLJg7WICK0Dvu0wAZ2UVdTbv+d7QS/JA+bfeeDZoB8CIVdNqW+gF2TZNtYvlOpvQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
Saml11 "saml 1.1 should test the whole thing"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_j75P3fjna6HCeFghGdV1aK3cBUK6bB39" IssueInstant="1970-01-01T00:00:00.123Z" Issuer="urn:issuer">
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="emailaddress">
<saml:AttributeValue>
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="name">
<saml:AttributeValue>
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:10:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_j75P3fjna6HCeFghGdV1aK3cBUK6bB39">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
UZR3S9qbVEZ8AWqeQ1FG/iOt6ylXTJqXrx4VbMxqI/U=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
FYweZprKoJpzJFhEHO8SUE3DNAgOnzclms2AJFp7rjRgY0qBokaZ2fR3ITwM4Ra2y3OQPRP2vOM/kMYYy2cXFpm5lVJFO/E59mUc1Iv3B8UDIeDbHTVU/Wkj76+qaA33pYfVtQJcnjv4WwSYk45GL6+g0Goz9Fx6mfawuuv9V44VtNriCTI/3qvfX/xrFvwpOrEMcjXD9ldbDr6yKeAdgVyyGtl36nS+qKz8I8meJOTHrVTS/Ry4j0Wl0zYkKc7j2xvjWtUAzhHmspOz9uyvC0xnvlqYykNf5DeiAIoflQkQK17+Je3AlbKv24B2lfGrSHYVARpJAJNpAn2cicoPlA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 encryption should create a saml 1.1 signed and encrypted assertion"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_hoFz6tXKXA4G3MMl2wnrAd4jnK9ACp51" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_hoFz6tXKXA4G3MMl2wnrAd4jnK9ACp51">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
ocx1NMpxfyGFtKL9dQCRbFP8zHU7xpzV2eRDeOWWUfQ=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
gUT02BRbm29ePhX9JGfV2PpHTJ8stv+suwHkXcWn8ed4xm9XAdQdaX9LBo2blrI9lQtdYtUWV3siSzt9kxPczPO1an4knE6cckZEzbgFF0K9/whPmIMCbiaXKE/IP8IZN7ciy2aFmFieL87u8LrwJkGDQ6L7rR+YGgg13Nr2VKrEvN1N2oipUgXRTs3b5hn1JVhV+gyBrxs0wVwHoE86qQ5ohyv0lW17X4uHxLqqwHkYY9cE/z7lGDQ71b/cydY7/a7BRZhBB6CL4eiIL7QgFEvs0RHssScWWW1mHHTST9JQoo+3ad6j/9xvC2FdGIIM2O4d8y7zR4l8syQvOW09Sg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 encryption should support holder-of-key suject confirmationmethod"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_dV0SalUhq2AY4x4IHuzUgRNJfrOLmY2N" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>
lCGvZX9glurOtWvJy5jV74CITZI8bu8x3G9tKLwa/JewbqLurJi58jXjFEVz6aTLub+ILXp9PaViaS8vCIvrPes+vsUIQn62E4i4NzStsE2wZ6cQLaCBbZZ8Ti00Jj7+7jmi5f02nOwQ/u8R+7McEkdrzKWz9a8aO4RhUzWHakYG+4hoDfFrr3YN07ELHaMT1pUeSV1KL0tCgvijpLbnc5EALVgmyXS6ytw0IrP1xk+08deDaJ3YsklQeVUiKrZtVcpnuoNDBZkaIBeHXLCi34kKcj3nT5jQ1IhvIcWBuGsXxChuYFisitPJO+TJpei4CZwAF/2/k/PIe+t9B7ugAg==
</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>
lCGvZX9glurOtWvJy5jV74CITZI8bu8x3G9tKLwa/JewbqLurJi58jXjFEVz6aTLub+ILXp9PaViaS8vCIvrPes+vsUIQn62E4i4NzStsE2wZ6cQLaCBbZZ8Ti00Jj7+7jmi5f02nOwQ/u8R+7McEkdrzKWz9a8aO4RhUzWHakYG+4hoDfFrr3YN07ELHaMT1pUeSV1KL0tCgvijpLbnc5EALVgmyXS6ytw0IrP1xk+08deDaJ3YsklQeVUiKrZtVcpnuoNDBZkaIBeHXLCi34kKcj3nT5jQ1IhvIcWBuGsXxChuYFisitPJO+TJpei4CZwAF/2/k/PIe+t9B7ugAg==
</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_dV0SalUhq2AY4x4IHuzUgRNJfrOLmY2N">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
//KAjnXtyAlZpkzpkxhO4eGOKt7UD9TaGQ8lqB1JbUs=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
wcipPT55Je2uAuU4d3PrfE5+hVdNoeDR2yFTkk4/ZLCLh/QV7Q4/cFi7ZNmh2d/ZAEMAb9wQlVo4cICpHhnDyXtkIBVJ9zE+pf5E9oi20KyThYxDnN2Ywy4gt4m69r61y2bOxXqqjVC0v7/8e/Xn7ErMezG3YJT+4d22k/pOA+24V/3SJtiJ1pHZf2sdMKmZFBoNp4vtXlBBQ+REQz8x07nE4905OEIGDeO0bffv755bEf8/pnvSTHbBKSOwwwScEa+Idf5MnN56VMH23PZeBuvPRCKDDz/ln2Alz9wDMF13xnUyEHtcYSRSVI79pHPa/tGA4csCyqoC8B0AP5sMoA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 encryption should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_QkYRGCeQeI6TRmn6j6xK7Q14szgrAfIR" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="emailaddress">
<saml:AttributeValue>
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="name">
<saml:AttributeValue>
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://example.org/claims" AttributeName="testaccent">
<saml:AttributeValue>
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_QkYRGCeQeI6TRmn6j6xK7Q14szgrAfIR">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
GYLhAcurNxPB/+DaCRWolF3HGDg9Q4ca15jgSKar5kI=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Z4sVNjT1pWnPD9GddX5N5vZiF8VLAQmvgHPVfp79Blhxao/BvMN6Fu7l3s0hECxsutkzYbzu4kxpKtMV3LCmHIgwR4qrDZnNaBjqwKJPKkBkN2YidM0zOnGjs/Bd5gUL/aOlcgld+xILvsIBka3y8rZUkgaONKwTBdZHUpj//kaO84nBiz17k88lgVKDUfeLSEM1ZgwjKtozFeOTjEhz3Uwb4fk8Fyu9NUen1nHbBeLW0QSli3npPr9TgZDKVUzAu/YfReYsoLpmEq158/1BjDI1Z5SVoneSJyzcSF8Y83uJdjA0eehnT8sEoXdcbGCGHNEnk1O5PpZOyFQM56bDlA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml20 "saml 2.0 whole thing with default authnContextClassRef"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_OW9QIewaSpuSxND6KyntfPnkFb4pkClQ" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer>
urn:issuer
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_OW9QIewaSpuSxND6KyntfPnkFb4pkClQ">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
fDSkzTg1Q+rXAA/YvPtTmEeIQUNemTiY7L9D5USLGEU=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
dRSicJPH6FlfrUCEtp8xwLYwmekSimJfBjwll/JQDB2/ZOH3wCN6NLjJ82zh6WcTLUg8ZiXRMAMDaD/8nfI01O0mmBhqKz6PFE+lMMHEOrEJmvMzRAWZbZYx3aolUCJPV9oZHZ7J9EEgacsaq4MzIZnaWUIEYeVbrkaOCvMEKnat6tkz9+Xl+yZfYJijUcezcjBsVSNAY2qay70PvLAC3gx5zDhgRjTZ9CjJ7hYiLwYzGLqNkfvQRzAfOCe/r4esQ9TCxj4O3SO120ibkgxwP9wksRw+2TKXojYeiJgOXdDeiI86aPwWM8GmP/a9FeNAm+K36hlk7Y37cQy0lKZtog==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="1970-01-01T00:10:00.123Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestriction>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_jE7u00AabHHYVzABfjOdEnDwLXfsaRne" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_jE7u00AabHHYVzABfjOdEnDwLXfsaRne">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
ExXynI7XbUyiJGyOO7uoSPBhqe/apZ7us4dFDb+DGXY=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
D/TQwin7p8WDzUk7XXIQmYLIt/w98YMyo6uxaIymTfueemGjlt9Trlast089cEIEF4oZ0T8oIyfvXC7ryBh01Cv8psyJJnivIM3WlJPsjpdC79iisVuZK0VfIKX2BeHVeuNK6jd4vEvYmUd35/4YILSfR7xJLLlHjkMVARO/dLshTXXh54VvNJrh2Xiuj5I/CyYIoM+XcksX53RYj7Jl9FqGemHqJia7oxU6BrTpgC5RCSzka5YGZS6mo3+5F8de8G/XDgwJqOKwbg/BKm/6NLpIlPC/uYT4Y8WuVf6EQAi/2xg+4cBJfybB77Fs1d5X0uUUBBdDCym5Bg+sGNFUDQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes with the correct attribute type"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_7EonpvjPx1H7FouTGRWU4rS6zWTP6sHU" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_7EonpvjPx1H7FouTGRWU4rS6zWTP6sHU">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
ebjlVC5YHai61esxL+RlorXAfgamc2uq4dUNKzFPsV8=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
drVdAD3G+dNqR+z5Yh7Sd4hosYYzbmMqVjpsqNAYi+YF82uT2tjaa78amzGfOdi9NZQb9Ar9GEy76QNLDg9YA18tjmTrLvU9yrJOuoFwClU6IWw+3tMMoW1IC+rSBfL0wnA1fcMRl+W7DLftkWRhs+VKxM8D+vPBAsMidwzWy52K7pJOVuzTkggwaRoCEpKQ/aNR0tUhFCz5cLrt91eVGpTKlBlQcgVljM1YhiOUmmzIE+fdH54Z40fFvNMhTtqxIhsenfc+WCqltxQTxP6zrMADE9Ubc2OhM5jRw+KfWcvmf0eLOVwRf54/0sknJPA6izUdWz77A+RZZxMIUHfTZQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/boolean" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/booleanNegative" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
false
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:double">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes with the correct attribute type and NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_PiUJImL9LRbvYIOooVoNreEoL9aMyxiK" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_PiUJImL9LRbvYIOooVoNreEoL9aMyxiK">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
rhk0Oo0hkSCD6ywWh1WeVwPQbEAHPsaJJdKbfbSVoBs=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
jCPIQXOPPck3cOVTKvyh3oPvuvkBTyEaOT8uuEXJ1t3qTKUlOHvxoFxI31JM2KmB+A6wk1IjKqL2PY1fdMtNpq9PKJCj5VqdDeFqF2NtojL4dRVO5GfXxfGskem+X6s+3cvbA0P6XlUFec6NesrkZuoLbNldqVnJrmkhYVa2FigaVeoRDnFgh/RrgrlEuUk+W7aKMjQIhhaM4k8hQQXQfBNEHzdPiGsWbP163D6wlvev4tOlGiRmypBHmjUEY5ukQKfD2YAiilGDg/k8wvStgZakGRfOnnHfhQK5C5gDAlBNOippKMRfEcE1FhrVheELCvJ+vBhf0z3GLq/MzE7Bzw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:test:1:2:3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="123~oo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:double">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes to anytpe when typedAttributes is false"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_YEFxq6nu6UzH7iy7OsHtHU4n6NQPy7e0" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_YEFxq6nu6UzH7iy7OsHtHU4n6NQPy7e0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
Mftt9vDfYKlqQxsgFtBSUw9EpadecOn8PdT1ovlGZf4=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ILdyeKxX3aoDxA0CRIwKMm3UBsozceUgHY4MZ1IpyMmn6Y2J2hlal3yh9Pp3H4ZvE/R66Qt2IBjNKIS19LF1ruBrkSn4pfrMSSeaK/4BbKqzsHjpwf9U4UGoycU/h7oOILPQB9suJxM0yl6/XpQwbYr0MsjrCQgp2o8jrPESLIbUlBQvKP98TrLnm4CHxEyRn1xxmyougYa3B0gpVUDnA6uNMuS0pnhBBXF/WNgRS+to5Q6W9DmpQ9bcF4mB22foCR3+404umJwGZc2GLAYyZHMHcF7PTlhGPgW0+I2SOShw6qK0aZXY4bRSPYNfHeAidyO0TL9kMjnWgcJpBB3t5Q==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/boolean" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should not set NameFormat in attributes when includeAttributeNameFormat is false"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_yv9YomnHYkEOI4BZQUBAqGRr60366GMq" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_yv9YomnHYkEOI4BZQUBAqGRr60366GMq">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
/me89+g/gRR66VVIZk7QbNI/ZNqmyGpA2oib5hvzRzM=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ZyTbVcSzUGpWrK3XIjHQTZzJQiZyqwG7n1z1SEmX5eV7NjsXutVyuzH2ZHm+uRQlnjhOWXOqQbrgOOEiBUbzg+zD6PUDnrIyw9HRHo55K6xwqgwk6VF4C9OdW64ER82iNG7FclYnHNdyaYYI+HOhpxJsxCOqeKhx9nCzsJ4eFd0nxbcsoQB+p9kQSotvF0uhRstHmSweaMkl3A+yxWz8f8bHaJTniLBfaGoaeTKjoWoM9ARVdQdZHg4JAcZTcMET0WDk10+5ww5i7MVMBeJAfe6I2OwZIorkAcYAPl/U5JoC3KPW7bS3bEzCdcLRbRyQIGHq7KDKCirEupU/poip1A==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<saml:AttributeValue xsi:type="xs:anyType">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<saml:AttributeValue xsi:type="xs:anyType">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="testaccent">
<saml:AttributeValue xsi:type="xs:anyType">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:test:1:2:3">
<saml:AttributeValue xsi:type="xs:anyType">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="123~oo">
<saml:AttributeValue xsi:type="xs:anyType">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should ignore undefined attributes in array"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_quzlNy0aXFwRthmSpKhANlsj4PWHLLIh" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_quzlNy0aXFwRthmSpKhANlsj4PWHLLIh">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
j7eTpanqqNGnum5pa5ap7Mvj57HrLf1xVz92iuNSrsk=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
cgianSspZRTERn28c+ilUDgnsNK3ViN0TbpgkWrV0IMKEta9p6FFYsxvJnfOM7FGjx08bepK7mPayHFjYaNzCwC2RGF4xCfVH6PcbjBa+phtYyh9Y2AJg7zhsr6WnQPUmVYEbkjnrWRYwcvvmq52bVem4/NZBMu242/xb0HEOiyZ4eOCMP/e4CxEjDhYNx4JTUizaP3upL/xK2uTxjy2CP7p3/DqMyb/h6XYmv1Fqk32VuEYLEd+GGLFKuwFbByxBJikrV0GN/2Er/OiS2fiMCVohVAel7W+QW7vYUIt/lR9NU12DaBLLgSUDSkaBAjMYYP6Yqo+07BfOfXrhn2mVw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="arrayAttribute" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">
foo
</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">
bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:test:1:2:3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="123~oo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:double">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 whole thing with specific authnContextClassRef"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_GofyOE2RrBWQkHyHdnTK4C29wVW9IeI7" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer>
urn:issuer
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_GofyOE2RrBWQkHyHdnTK4C29wVW9IeI7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
NzMOvyut6Lyd8hn2P7oJabNoxiKL/sT2FUvfGSouMc8=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Jv4UkU6uCwxxAIyZz3HlenqsQp9yQlGDy3+s0is2lF9eWYwzL7hQekmSfbzipmbSZFCbt7fzlgep5CVZhV31h2Y91M7C2tekriz/OT2I+5AoeykTKEdQVW+N/axFUO+701IXAGrdr54uNUu7myFoZnKwncoCiSU0z2W/aGx/qwZ5qXoH5ulcEwvEDMgIIQPocD9FhSLDGzuR0zFxMHKQhTtRQ1JqRUNRYuADZ3AJ7nWk0J3DugveEbhfDXxQ3KyzdEOh376Yn54xV+kHK28rr8w19H0tX2dB13AcPmh5vPbXsaR6eqZF14eApWUfs1xWnrqS9fpLtHDjNr/TOS1JXQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="1970-01-01T00:10:00.123Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestriction>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
specific
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should place signature where specified"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_kjWawkJFfmvoRUIaON4pytrN1jnOSnTE" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_kjWawkJFfmvoRUIaON4pytrN1jnOSnTE">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
YQ13ABG5C4/DTqK1Uc5MTdegpeX7yHjLQlAvnVxeFr8=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
wqQ5kzSasGquMrY80b1x3niXVTElpuVQgNGiVGtUyANzUJMFj5+Zi9n84kmLqr995X5QMxw+gJyaaPuRVr0LCMe0ZQFz6ZMnoPOh4KYHXx46fiVirw9R1SKnxmX4WH2yoLNub7JEM5MmzYuTyy60agdcJKDyIA9wmicZuT6JDkyFQNsLx8kS6dzHRq2Xkg6Nm9un7MffV5wumcpnEWlofUZfAxMVCJJ8nikCOjC6VnofTWqNM/SvjjC82nQBcKE3rci9qIWkaZKdlOagHUECgGsWEeQQqUQaxg+jm8RmIhp0y/UPW1tblRbsdfbKZqkVgKfHwWR7oWcguZDcCq0jPQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should place signature with prefix where specified"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_uwjIOZKSkf5g3xRGlEpj5N1n5W7hbXMz" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<anyprefix:Signature xmlns:anyprefix="http://www.w3.org/2000/09/xmldsig#">
<anyprefix:SignedInfo>
<anyprefix:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<anyprefix:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<anyprefix:Reference URI="#_uwjIOZKSkf5g3xRGlEpj5N1n5W7hbXMz">
<anyprefix:Transforms>
<anyprefix:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<anyprefix:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</anyprefix:Transforms>
<anyprefix:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<anyprefix:DigestValue>
25jHBjOi4YxPvxzEGwZjEBvvpphT5rgIYUM566kxDUY=
</anyprefix:DigestValue>
</anyprefix:Reference>
</anyprefix:SignedInfo>
<anyprefix:SignatureValue>
NACxVtqNUD4PPzfME5GFHtC3kD5P6PdxlFyFaGSAnbAfG8y0oalD1XbzuNIQhkisDGavEYf7OkfmtKPALRqVc72a7vZkg7rpvZhUCjHwgyTYuV2ur+vhAZgba9Ms3ObKCGDKA6AtFDFtYsBnniLTg3Se6NrYqxwttWlaqA9lGrIdhCa6eW8SC3Cj5tWVB/UQDeHaWuVAVENWvu6so2t0nSVVIjA/n2X6SXUWg/EjmHmdHSCpDk6aSNHNlDNd2f/GLO87Krd4Ujq8gvDwB3hfyXLLl9lQ6b8GnDdz6WDzXERGHY787IvVlmijF06N98+5funB4dXl7L+f/qYw1UKYAg==
</anyprefix:SignatureValue>
<anyprefix:KeyInfo>
<anyprefix:X509Data>
<anyprefix:X509Certificate>
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
</anyprefix:X509Certificate>
</anyprefix:X509Data>
</anyprefix:KeyInfo>
</anyprefix:Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should place signature with prefix where specified (backwards compat)"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_E5dq4BQmJdxtfRqgvOgR5Cm8hvywri6G" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<anyprefix:Signature xmlns:anyprefix="http://www.w3.org/2000/09/xmldsig#">
<anyprefix:SignedInfo>
<anyprefix:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<anyprefix:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<anyprefix:Reference URI="#_E5dq4BQmJdxtfRqgvOgR5Cm8hvywri6G">
<anyprefix:Transforms>
<anyprefix:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<anyprefix:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</anyprefix:Transforms>
<anyprefix:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<anyprefix:DigestValue>
WuuYCnkmUOU80w36Ci0vF+AAmq3kfwZwbs4TrLEZOmM=
</anyprefix:DigestValue>
</anyprefix:Reference>
</anyprefix:SignedInfo>
<anyprefix:SignatureValue>
W5FMqucKp3RGI1t/D7vaguArsPHk75xLqPaVAWr5pBu+S5W4AdkvI5+Ot5h22UeC1lzzfNuHa03ZGiVKUVlHVD3JswVzoHFVThwvC3LTWlKw193JUYMSTftXIINYfsxHPVM6tD887swktQA272MBXpNS5DZcNYfu33dtqkTtE3LOP2FEkdTNEfOdesIYZ4PIluhLtSvpRwfcZ9g16Lgt8/1sMCGkRnalVFcSEAtsjBsvg+BWM6zDlPOha3KHPXFIbyzF1ysFS1KLYTRhdHG5U3/DDfd4Q8SH2Pd5oy0kgBvluN/oUwp62tl5duOXq4GP7PZDimxHhJiLPcw+pQlZMw==
</anyprefix:SignatureValue>
<anyprefix:KeyInfo>
<anyprefix:X509Data>
<anyprefix:X509Certificate>
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
</anyprefix:X509Certificate>
</anyprefix:X509Data>
</anyprefix:KeyInfo>
</anyprefix:Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should ignore prefix if not a string"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_8zYNFXKHnFnml7nPJ9vTlNQoGYO2s89A" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_8zYNFXKHnFnml7nPJ9vTlNQoGYO2s89A">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
N3aQ1xWlpbDHPBSadhNptXINASB8qvaGTI0xbj5HCO8=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
qq5VMSVpKv8N0IOjtBcN9FKgJpRZpgV9tLujF+6enYjfbZQTsb9CA4e3+n94XQ/n6vAQaYOgqakfdghhmeLrIYbAEk3Ta9nHI2V10o9015nRQVIO3BUH0Wt5/T90ZYhIW/oWQoaCStDAx7wWi4PwTtAeqCOFGm41zuIYSf4zbT34j39Anu9373lu4jV6WMPfsmy80gmLD35aer/kKzCeMjGi8lkl6TKGRP5WAxNcmlfQfPTt6gI4PvzPTa0/NW7d0OeKq9LFHHESiWWwLrzlJibtP2Rh0lk6Sqy5YxoVGWUKg53DSy/bBxkginya/jYpRUwo6QbOPa7gbHAVMMp8UQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should not include AudienceRestriction when there are no audiences"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_7KruIViQ5n8gipTzhqPZknJ1rrKJdOJc" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_7KruIViQ5n8gipTzhqPZknJ1rrKJdOJc">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
pUoK+3vTilFEwMbE0ciCW7kUnr1rhndbzoQLd9iJ624=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
I95KX1LsXCulvWevFbTe13sqlZHrMc0LbnE+X2LeBRFSMxhXE+fx+s/HoSpz8k8ZxM2UEz0R7Sbwqg720c8CyS7xn7rrb4dU/rvGwLLIdNT6GT+7UfrfmOpz0GkeOUbHFnKzizLixzqUwglMAK8j//AL6ZwcTJ7byXSfSoVaNYAD+hUHDjFaNoVBhzA6PJ7uF2LF8lEF/jT+Mb5D611tLPcNQvvqbo73oksrATIGsUsVfEoUkfIxOG8SKgNzThBS9QGjYocNgXxCOMFQrNLN51AlA4UwNZm5P159H/UA/wGCIx+Tt85QbegUMvNpJEOOV7CUwp8d2POzOqLCzxp3vg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should not include AttributeStatement when there are no attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_Or86hpCRKe4BR61SEot7CmwnzbwmJru2" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_Or86hpCRKe4BR61SEot7CmwnzbwmJru2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
ku14PVvKj+hBwzQ8W4c+i4/9tGdf1QFJIazWffBFNTw=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
b2j154n8ZzCdVgfdermOsPe1IIatXZ5PMrKNZ1K7ptpfuNestlWwuCKJA/g1w5PlOddoLIYzNHHTF++AD/3kYMG5kNYBCOmsaiwb9tAvP82Er0hdgtHcPHU0LQDnFAmGFgU0pTXlwCjfnfrvCZGVKNd/dndsLGnUsz+8GxhUmuf/7YzM8bpQwRdzRTdcDVVVMKhbHr4XFgi9cP4HRbA3IF66NWkD+2gnxfmx0rFp2fXte1/tdzb+qX34OyUzrNn+ExKKSjbJjsATFGwpAYK71YMGskzm0F1aZWnJHt80QPTZ0p5om02jfAksT/6I0was427HAghTmKLBfHYfuxRRYg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
Saml20 "saml 2.0 encryption should create a saml 2.0 signed and encrypted assertion"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_yMsZWfEppATlAAKo1B41OTXN0hQGTmjY" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_yMsZWfEppATlAAKo1B41OTXN0hQGTmjY">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
4iqkzYxGUaP58MEw/xVLL51fFMc84PFj5xwuJamOV04=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
O8cf+6McrR+56BqncV2h5WvqdiOzvWd0Np3kqxNv2qEnduKNaVkJ6ZrHN873flN4j8U1JG2yEo4EHumvXKX3cKy6RcGc9dYbbo3+dwex0DQXp6pARnvsasYfMqL5ltSu+tYSJoDQgxoOTI8/1URKVZEC7C5FZDV23i9nPq9jjMuDCzT867yLn02bUSRzqPHTOGT/7JCSGjsB8EUCulEtLKMZWLC76suEQBGrN0WZnbosFSZdd+Nhk/92ROw2zCpmIbKdzpgmUzmKzBCQrc9uV8MbYqIC/qtJYDiRxhT1rambCpIznW5HX43vgJd/sUOEJ9S7XaGixuhmrFdLDusVtg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
Saml20 "saml 2.0 encryption should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_Q68niVZghpNYafhG0WP6qzVnzI5nVnq0" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_Q68niVZghpNYafhG0WP6qzVnzI5nVnq0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
rNFgh8rs2bBZ8PzBVYKVHp/UYDr/YuR61QWerCaNspE=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
W+XmqPRi5VR0Fhsg4tYlf6AoFVmdAbF8Q5gTQFljhuRpR0RuSeebAkuyB0zLOwlANRT+yIKfuYtXDxYO0b9cmUvsou+t9awMMWUsHxxRm2fWu6aM6On0Liv1pXHD3u+j3/FRva0bs+DWvWr+0bM/ijPxreKYBSMHrvazmXMRvZGJaNJU4MYlz5awzvb8ojjWneAQq920016wZwQ3qz0ca0bk/SU6ooOn6SWQ5ga6SMpVEzuwE3X9wJ79WYH0usZR/EP6J+uJL+NHsYsK791zctJ/UxtBhzzbF5KVM/5VYfxEUQKm2jVA9FEM+4d6JjPU/t+bLlj+/37FD8Tki1OH0Q==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
38 passing (814ms)
Saml11 "saml 1.1 should create a saml 1.1 signed assertion"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_NlMvGhKQzL0IAtyFxHFihlE2oVBp6FKa" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_NlMvGhKQzL0IAtyFxHFihlE2oVBp6FKa">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
UpUrW4JJN+8/AawecRfUftqoexTzsJjuLHL0+ErTieE=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
tIYOp5qxq7SOFMdXqZig/r9RfuxIAAnws3JyVYDmgcxsrHpnW//tWxSDI0EicvZiKEuNbahE56M2kbYqp1XKA89D2dAwRJvF3Us8C6GMKeZ0yxD9oCrHh7nMeL/yf+PBbClrkwx5UqWsUBjfiURnMNqnHXTbRikh/Kp3laQWgRLOwgHuuwvb91fZlO0Qn5I6R1dleFsnJwO5IEbH7FfmOmMf3oOG5ImWSLVsR6sUSwvzxHdjJXKh5ZXF64r5eNAJFr3Val5VWZ5wVMa5Oc/pGHWW3UebEdAMjdmwFFrIQRpZvQo2WeJukQKGEW0/SrWtNluEcH8w5Kawi/Smmd6qKw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should support specifying Issuer property"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_Wszv8FhesOj2GS7dLWZG7PlvTlkqyxfi" IssueInstant="1970-01-01T00:00:00.123Z" Issuer="urn:issuer">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_Wszv8FhesOj2GS7dLWZG7PlvTlkqyxfi">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
NQq80roZa29JkEBIxx/nnGZIs2Ul+4c9hXuSoZMF1qs=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
jRRQ5RHtalMyJJV+6FoGfyVMjP4zhZo6on+3Q3RH2avp/zDO2Fi84KmdpbSQYnT6zFhF/HE/NNOXP6p4VuRtVyU81tqGqqSiJI9zYEiZPennhiJEMAY9waLeNylV6fWZov88n88rcHCPfpYWyMDuxETV0WRHsLtC1LbGguSQV/3roPjfaLjdQtZ6NdyqweoxJjW4MYC6YhjlP9vN3cNb2cO0mOuLZCErGr8yF0JNWYa4pCfRu7q/ObLmH3/svXEeNt1dRZ3MpYy+QstbWaj4qNRh4bqLkJe/nvUkOut0NU/9Y7sSFe7wu4jW8idqk/OvrYhwHOq8+C3IunuLxR3mzg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should create IssueInstant property"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_7FgrkUPUhIKBa4RVk5zn62lowlR4tOor" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_7FgrkUPUhIKBa4RVk5zn62lowlR4tOor">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
JeRpIYYOeL5uc547mSh4h4235PaSN7j5aDxVRSjc1/E=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
FKtj4k20SRA7Y2SALqoQmcD89YD/LB1ydVBA/3JyBpFeEhNbsvNB+iz0drWgenwel/1L+GqicRvwVQctpUbJFl4dFCsmAePjj7azVr8U19NQnK7FbC4+dtL0zlRBijsiWVBNjvFDHHnV83TuZMrIfTpcHXhIctJKKPbG1UZ3QYKhfBrAbGJbK1iR1mlSy4JQDUQJTnKH3VFfQ5nJZ11ZF7pRD31bBbF12wDfCcGfTN8z5eFp6B5tsMVlRrJbRRnEuj4TbGIAzkcTtCGNCRRbJ5YbocKkHmKHpRxjQ8BSjTGz3wGOY+8e0YocUHrOB39eZA1k9jaHK29G/EORY8XBTA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should create AssertionID and start with underscore"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_WbzIhLsj4fxPfbVfTRChVKLIDr72jOTa" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_WbzIhLsj4fxPfbVfTRChVKLIDr72jOTa">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
W+RIEkVk3lki8xbrLJkrx1WJY8hL/e6cituB3LBdNQ4=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
aAhDiP3XlKv8JlSIvc0xtBiV6oUNtOTsaK6Lta2uUsc0rCgmTibJkjzIManBYycPjuf7NcHKBB1t02WYRBQbxcvD6xYPUilZgz7f4CziLQ8uxUIpcdqxbP59BqIqK+1IR07gQ/dRzvsnHRg6AzSnwafOXpol8+iPRaH43qv1tJY8R0L8MyL8n8De810Ks51vlnSOFc4neNOu1qCmTaMN/GeBKIILrLly7zuhSrFlq79i9OS3keTuDTI7hMtuliIA+mJL4fxUc7Jn4/99w5E76tmFOjHZWPrH6pALs0CQuy9zY0R/BY361IESxDbntxTOfYSr6VIgyXK42DxTneE5ZA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should create NotBefore and NotOnOrAfter properties"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_DyQvg0IM2tJYXMpeTD6h80EMZSMbTgz9" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:10:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_DyQvg0IM2tJYXMpeTD6h80EMZSMbTgz9">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
iQR/OgYlk+xYRFkEULG2aG1/+IqKPL/BYOPPi5zng9k=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
bH5LgNOhGaCvl3d1HkG12LO6pGV2YUZTdMNiUiMWVctZJVHM1B6grHreR8d2S/g3cWUPSOOfV8xilxrbN6TbqSUvpGQgtiV73B9XzDLAYMG0TsjHodF19FIyCT6/5S3PZNsaKdpMFfTgwVRDoe1Yo2pChRw5m+ztqPp6oFApjRxBip4QcxRqAWa988wsPy5i5ibR3luhfemZR2/4ROct8heyCrH2jlZHS3irr3B5bbonNFv8UZcEBXXZk7J5k2OUGmplRZVQ9yGj0TKzqHvDdb2jsqo0GNF1TxtbLgDu4x0gg2n3A4Ey8i21lAG+jbyRScCjnuobBQiwA4cCa9B8hw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set audience restriction"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_JnyBNzvwTiktOlehxtT2y713UAWLDCmG" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_JnyBNzvwTiktOlehxtT2y713UAWLDCmG">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
+NTQJqyFz3+jhSB6BT6zJLJsPEWbu11ViVN1M+pJ+7c=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
F8XlouJ9rrTf1BRBXDoWtl4Uh3ee4AwhOXFzVScbZYYx2zT8KaN3L7sNwaa6uClvyzB5gDf9FYQb+0UP9ErNoVMJ7oEX4DSpEdz1YI6M2UI4edSveA+i6D4Lg3iF5FsM12k2ayyHoC8crvtVSm2m3psx/PbKxbMKL9Rimg81ypbi8Bui03w9bSfDVRDAGJ1Afzy+VcsprjDtWLwi8eZojtO40Dr26gIjF5kIE88+nALEPLweY+kTDv+JxT2pYA13TFox76+Hkx+5iK8fzlAxyI+ENWNpdRhGQW08BOLs4Kh7wKy4DDbke3PR+kZWgRbplq37ZRopnfrgtoCifg1Uyg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set multiple audience restriction"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_8n5SAokDv6bRrtIbrvPRPSjhdXlZcsDn" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition>
<saml:Audience>
urn:myapp
</saml:Audience>
<saml:Audience>
urn:myapp2
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_8n5SAokDv6bRrtIbrvPRPSjhdXlZcsDn">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
XR1qZqCnLFB81fyrwTImjeqSMIf/AlQ7CtI0GR/pQUo=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
S21N/iD6zmLAXu+gCi+Vkd0CIBLSOaYLZZxs8tTyV+w1S7yBtF4U20V2oBZIJ4dCRrB5cLMkCQzw+wP2Fz2YXQTtkv5jYniFNttkyUKNOGfm8d1UOocbbVq6z4IpIOtgJX0J+A2C0XruXxLfUzAgQKyXPj36hRB6K60YBydAycxPx697aRNGPEUUpJLWCBm2E3rsj+otvRgcAdZd0M+CHuZvJSBJ1YE5cMUUlk04lORqpdsk6AD/SToZ8yn1ezHkEfsy8dG7oTnnKDGLr4qTBL7q1uFLHR7QKJcaSh/O3xJh+ICydmd2clxCcLdGqvrbJntMn5LZr5IblhXrKAC/fQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_BQwrVEnShH7jLSmNvWtTn5fztoHNPoGZ" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="emailaddress">
<saml:AttributeValue>
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="name">
<saml:AttributeValue>
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://example.org/claims" AttributeName="testaccent">
<saml:AttributeValue>
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_BQwrVEnShH7jLSmNvWtTn5fztoHNPoGZ">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
oHlC0MZbVZFqsvhhtpT1SZzemqhNHHdrh8bu49I9lrw=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
tiu2jCvxnaL2SdVWCJsDyZVFSqV3eVg3atkw/kH15HRtnjdcDy4xQ1vRkCgkFlDIfjHGFNsdlNB7XT0KxFk3zxOJh//HOfSr1eECQAmMYEg5SvnB7knnUjxcCFD6OfsR0HS5BB55Vzy3a8sGQ4vMe/x7I0cV04MRKOgs4QgE4+SRDvbzVtgeLfUP3INElMTA7y98OddjDjunaZ6x+FJEyAjIsVKSndGL3ln+ho2kQnu2CG+U7avE7vjx85U8UTZU2eh5o85ACxTnVUYaFDHjI1pfasZuKYGJOGlcOpkIQoX8CNFwuj2J7B/ywpKc+dguhynIIcUqWIt4YBVciQTMow==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set attributes with multiple values"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_0xIlSClLlFxAoVxp3mJahnWLJVaOwWL7" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="role">
<saml:AttributeValue>
admin
</saml:AttributeValue>
<saml:AttributeValue>
contributor
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_0xIlSClLlFxAoVxp3mJahnWLJVaOwWL7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
a+2GJ7RSmnlCJ//+JQ6TdleGlLwROogWvuJJyRIwfzw=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
wdgT2IuSSptgcNl5ojXx0xoH6uSZjEkpRhfGZYVhObMqHFxOa41FQ7z11LgIbzB9sAVIZTr+0iMsWcEqWofwSna5aowtNzEesDwNiC21bMity6KHMJhSGD8yh5X1y210HQZM921iw/SnJ7CAsa0QoHLaIQuVpPO2trJbjO87fwc/Hxapd/+8bxrB9cDeX75CnxT2BkMscyYNO1I9JdTt/cOAqcZx0ta5FHeEIunN2xemid6M6qQ8Q+VBE8BiFH1Rfox11+b4Y4dgDZdgcyCxRUMZtanzCiPYFdT4GvIA68/pSeNpVjYPRDjFzkwQoRgs79fH1r9GvoBgqv29h4AHiQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set NameIdentifier"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_EDeWNInLI2I0KfZrtwszUDSH7lhAPTQr" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_EDeWNInLI2I0KfZrtwszUDSH7lhAPTQr">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
I8mkVcy+cyUFCJ/GAHnixXC8a+bComqHr7SYHCvBwSc=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
YfZnHBjsuBDhH/wM8HVRFlcGLSVHsLFwqiHM/zpihPj2gWoG2OJTGS4639BWNExvm5smOwxvdgDs4ejtnFVfHrZG81Od4KKNfwrxo/SFxmmqTOSrk+J3qjrx2WBjYW/bcoIMc2TxC+9MHCLn81PJvmXmlsAlSPEZKaio/KeoD/K1zeEgqtkWB1jKoiXBjb0+85N7xkM995uw0jDmx6aoD5TxNT/wRBf3kQMar2gYstpxcWgmAK1mOcPX+AQAnzptBrVNmYPDkIPbexCWgmgZC+IZclysyd4uArEzLahdUSB4Ch9U0lWpbdX0xxLeiHXhvmtDvaN34cwRPjmxjzDrtg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should not contains line breaks"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_AbYk5dc1YYveOGkaBqyEqx0E5BbQgkMN" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_AbYk5dc1YYveOGkaBqyEqx0E5BbQgkMN">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
jzaCch5TdjcvkIKv0tMu+Q3jcYP1FhpODV9Dlv0HdAg=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
aNmf58X7W70Vflqnc59DdPjQARAJHWmVpA1vsT7yDmzh/yC+7ix5y4mJg/eFa9mEGhsulxsdRE16Gkf6cBkwNvJ1B/VHOVCcbe6AmGt5nxxAavDlS7SCZtxv+Acvyth8nTDDJV78wx2/YKntO3X4H67wrCDmddohFdvkTVh7C1l1jVU1YqUoy2HhbRfjfVGkaXUMVPKwDX7p4R/dsjsnc333u5PeX5YJRPeP4qn5wui8xdNPPJ2f+CuWfrC7Jb05YnYFiPqhlqABxn58vn7MA4HwN9T2rbEpTjXsBcOZ1j1i7PcHXaTUJJcbe9lNJneJIQ+oN9vGttZmYuPbGO2vHg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AuthenticationInstant"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_vdzp9aGwVtRyMU818TJgjZW3Sy11qFm3" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_vdzp9aGwVtRyMU818TJgjZW3Sy11qFm3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
NV9CJG7tnqU3yaLYn5qIUxLb4r2Rt9ThRkDTzG2o99E=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
N0h9/WnRaXR2iUBJAZRt8jjvisSCob3c1BGEFwhvSK2JeTbsBAYxKEo054KWF6x5rbTG5k9zB5CJxhuOPhM90Sq+xv/X262rtaaHQR+TKnLFW4pWj9vRgcSsqx/Y8JpzJMkmMlxLjfCNJ+B19dnIfd4LkZfvtVBP7QpVYo2PBhdxCbWwToNLsmlrAxCrd6z9VEsSTu6LdNngc8Uw+yJjeK9eBNIOyCYJJ50s2icOTjIIdHbXjdiQ8/OgMYJqOqNu+1xHCfeI4Aef7xirczl09V3dvYnz8OPJ67PFn5oepGSo5Kq/78leXJulXOxk2+daC3ID9PksoonLH5vQVa/nbQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AuthenticationStatement NameIdentifier"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_iHzhuUtRgCexOVByQDFUxq2uGGF1RF1G" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_iHzhuUtRgCexOVByQDFUxq2uGGF1RF1G">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
/0/Lpn0TVqO49Q/BnS9e0+mnqwq6Z4mzPvwJEZA3Z5o=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
LdFNWog31iQIBeA0nG7OZ0wYDXp8kiIkMx+fR4bbIXuJ30ThIZrT89JFZpSMoizWiX+u9DKBbaArGTboMT7txd5I0nUif7z0dDPg2Ge1OQM+ba/mx0CuhomoFcmYYn4DgRUuhpZzc90TyJTMyIeiW9K50howIr3Ob/aNhKN5KAxkcphzUOxo4wbyyZclYpq6ps6miSiDtYB3HT4XU2sgLnU2DgFCdGiGKsYGJIoMhXDo3VFHlnf/hQuw8fy2oVHw4TtvREvjc5l7lYsxbQA5gvDycgteBHBkVFPKIm+87Hwjx8BImzfKj8Zb9VTQwybaSmVNFulxeBurgTlAktUHAA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AuthenticationStatement NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_Z2jWI9dTKAKJ56bZiwx8unveK5G915Yn" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_Z2jWI9dTKAKJ56bZiwx8unveK5G915Yn">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
jdfL6MqaVdj29hB8RRGVIRmP8sUDmSoGdcoVSIb5zGw=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
ONtk9UKGBcnme0khZ6u4kMout6edGZCNVAnnsXthxTbmZ/fXnU25U2lS7fKDoGadeqdIsRg9iCEUWw/tyQ5u4b1atsG4wjRJlur3S7N4a30fGaTQV0v9hsZ1vcm3qpyvXV90Jc8+1tsSNHA8ZwRwXhtq4pR3/1BAtKH5oFUk4p3mPKGCl5Xmrj/Z+ZP9Uc65NnsnASnmBQ/xMjncPERNd8YejmruCjn4+JwnrhCNMtxYeBJYk0Vy1UMWg5m7rgcXvWKsXJE+suqmUNO+mH14d2wGIVFkjQGImWPGPS49GwoI9phYk9AyqXZ2TQ3ybZViS1/rHoM2HFnF3/FALvGy9g==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should set AttirubteStatement NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_k5amuCaV992oe3DqG1RcNGqVITwpCO4q" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_k5amuCaV992oe3DqG1RcNGqVITwpCO4q">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
q4JmMdZ4kQkFX7/6Yoco5Z8HEzgDcSst5IsdHUGp2OM=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Ti3gA4GoWDZy5yAXL5QZSsETnEY3csLRq3ELNR0NcUwbnjs4oXuFrKHiIlZ1q/ewtFfJyKtJvLlON+BmepCMZMY7W/TK/T5AF+a/H4A0upbsAD85+2CgpzlMYhQmRrvnEobOzCeTofBbywc1dKAVXzSj6Z3zpIONYr/AO60jTkUl33IolD+B5S9zxyMwyNL8v8e2kKQ57KoW8WYs9c57tod/CnOV0bTnaMYQWgrOxUfOcOm0shbv6bfk9Qi/i3EYbmlEDp0hXhDZPyoxlvQahjzEE0pPUjCS+iFA86U7cbV5nT/W1zsSkIrEq22XDSaJDwQKFJONVoEVXL/mdeAPtQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should override AttirubteStatement NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_gYcXTFZUCRn08uryJiMGGvrLTWiuy4JK" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="http://foo">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="http://foo">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_gYcXTFZUCRn08uryJiMGGvrLTWiuy4JK">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
cUhk1VPeR7n/5wHrxx907Q8GRCle83epA/n7e9AlWps=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
vIdQOyHPPodtPpWRpDqb+qE/ZOsL0I75ruNdLxGfXgYCJfS4tNPoGY19AK5gv0BonUHpkiJuOmRaqbCxW9yXLGBOfMdi0EhDW8FSsD0Xbe43o437MZ1ar5ngCLuvwdhADvEYJWJL87pOdnFPZb39AS4iHTfCJeu+rYRxDlqbK3PaqOsbxaS2l43lFIDQ6P663GR5DyB39wQbciB9Y9uiw8gXKqbD8rVX9yFijI5KTWJ/DP07mp7pwdYXm8LkRkH6IDiWHjtghFyXSDr+9R41RTOddyExnjJKQwpaUf5n1mCfZKN8SoXhvB2ge6GIY9SNVDek7bFTI+xajKJ088e78g==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 should place signature where specified"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_H4B6YC1T8lnEo4LDg3Zpq7RWVcgw8lMb" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_H4B6YC1T8lnEo4LDg3Zpq7RWVcgw8lMb">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
yvQ3pX0kH4BjRjk8bM+0/7vp52S7JRv8wIbYvMEGhPk=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
iNJlfIAQ5BNZHVdVefCQXDNsZAZjOT+6PMQwau20N1y6t7iZ8kmkcdGkAjAO8vm/BMwZfvnF6EFf+5DnVOi62v5vRoXuxxym1bpHg//IdlND6SxIPxgejfch3hWi8WHrHoGykXP0XvNmmaA7+6pKp2PUJzZiRBGWb0W3EyZ/S7LkCPQ+s+r9+mPt2SiMK10gczaafWHmafRW0QVdDpZuX7UiDoXGGZ/4V1n2DMbS1aFut7jUVBQApoCTSkH/ZDZLzydIFg4u3owVAJnoTDdo3M/adG5xde+M3QHabDUxUpXMqD9d8AVaE3d6r+dVYcBV+a17tEK7nnH8ghEFAk5dBQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
Saml11 "saml 1.1 should test the whole thing"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_XHSSV1Ag8eKnWs6TFYOiZgbinwMCLdZb" IssueInstant="1970-01-01T00:00:00.123Z" Issuer="urn:issuer">
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="emailaddress">
<saml:AttributeValue>
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="name">
<saml:AttributeValue>
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:10:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_XHSSV1Ag8eKnWs6TFYOiZgbinwMCLdZb">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
Kz4Dikg7+6YY4/FbqGyLtolPMYpEVhx5P+lNXH0aQYQ=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
BmPTPNfgOZwuZZFgOtMh6rU5wUENfiUJgUyj+64JfPS534jz+N8k4BWkXpMXfaRwoeBr7gEHUbhKZSchui6WZfA4qdS4vQLQJ38tPWTCCZ4kHi9a9V2H4SQItv0Z+itpMJipG3iLSbvB+7HswxPaSp5ABx/c9+y1WY49tvJ/t8ZATOa8Ng/08cpu1xv+wFlUbnzaJ6105R/4eDlxQLLc0NoWTwIYkqdE/q6vO1qbi+AaBJ7twJDOqrAvnN9u39amfRynfd4S8EKrGP7XdkNQm4rKB2CoGLki897Tt/QtI///tP52s9S6TS7doUe0gjdcuHFRw7+wuUF3HOWJJyHUJA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 encryption should create a saml 1.1 signed and encrypted assertion"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_lm2U1eSHWiUustLvwxfDOvIgOjHAUvls" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_lm2U1eSHWiUustLvwxfDOvIgOjHAUvls">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
lLS/9dO/CfgW9uhTmzteqs10qKJmM64lyT+3+FA/LU0=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
VUd9OMkcqnzQx8wXI2CWXhJMIiQ0uD5w9+f7Cp3/cJCELtLzn0OhCs9ZJoRjFBo8i6H7+Sb+8r/87v2WBhEpPD8nvc2W03oRQUzFB1tEqGg6pOfeESYos54ROqDi/keGYJQxggAKaaA/x8vMWqlRU/QlsTjpE5wsmEjKelmy6PM+fXK4K2qqEL2yPVjaoD6LUUc5N0LiHXYIYmvUR1pb9FBz2FTAYcKvkfpg26O6K7l0d/jfU8/qmX5FwOkDc4vv6kDKYns/EfM3IlWDX8piVQyYA6wjjzv4X43BVPnMZqQImP2AU/Q7GkwaC1a0mZDl9AYs5oSElXPjZVM7giSdNA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 encryption should support holder-of-key suject confirmationmethod"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_fo8qiLBRb66Rl5TdmAp3VqQw2qIGyRGo" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>
r3Qy+Woc3dT37sdWSTjjjCAPSPhl7nBL6UEZyKgMLYMP8/r+KzJVbA95ouqnffzI+41yf2PI2I3TAVRoKUJgxUQvoE3kmarPJcIoXeYzsZsE7g34a9d/QYR3FzGiSRYorJBrVJuWfkjMhW3qBagtksTbH5HFTENmwDpeStkp9723dYk08TNB+ZoEAbZOOrU5NLOi3scXouh5Sr5Ky8yxnVJkxEAxSkE7OrK4nPAcS2GKtOu8eh7gv8A8v2ujE9SCSCqrinf46CY5fGxouXN6ieDqfrmktgKYiX0YsnsHcR8j1HzCwnB3k/+Z5fD5j7igxMqInvX+GWRy7C9aWsqbvw==
</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>
r3Qy+Woc3dT37sdWSTjjjCAPSPhl7nBL6UEZyKgMLYMP8/r+KzJVbA95ouqnffzI+41yf2PI2I3TAVRoKUJgxUQvoE3kmarPJcIoXeYzsZsE7g34a9d/QYR3FzGiSRYorJBrVJuWfkjMhW3qBagtksTbH5HFTENmwDpeStkp9723dYk08TNB+ZoEAbZOOrU5NLOi3scXouh5Sr5Ky8yxnVJkxEAxSkE7OrK4nPAcS2GKtOu8eh7gv8A8v2ujE9SCSCqrinf46CY5fGxouXN6ieDqfrmktgKYiX0YsnsHcR8j1HzCwnB3k/+Z5fD5j7igxMqInvX+GWRy7C9aWsqbvw==
</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_fo8qiLBRb66Rl5TdmAp3VqQw2qIGyRGo">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
gEpe1untq0n3EizeCUNW88n4ZiZ67ArxK2FSIL6FG1I=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
h/1ReUZtxln+Rlw60bItdUUZHf+o31dEaO1pIIRxSj9x04NSC7zUImMKx/+ynWVExYBbrqzmi+wO9bOPCM+zhhjkLb3ipumubRsvZLQg6yGcQINGniaKcP9k5tKyocxg9Yt2Fh3abSgpNjphD6jLZK32sZglPXjgfmVJr7q8o21MJT21jBg0RQnIc9jczfy7Qm2Y183/Qe4BQzo13Xmtf3za+p3t2guRq0Nq2Vand28AZfh7Lm2QcNrgEXE6qXqnAXW0j9gmYXwJ7MmDTxQJb+ik6Y7U7ESMSjvbN5EGtIki16qYfrkwtFH0RwxGaaF9sFRRg9lmNnEKCCw8ksrW5g==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml11 "saml 1.1 encryption should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_50aLl9DNpgZIQWfHEB66saTmCag5gyiL" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Conditions>
<saml:AudienceRestrictionCondition/>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="emailaddress">
<saml:AttributeValue>
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" AttributeName="name">
<saml:AttributeValue>
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute AttributeNamespace="http://example.org/claims" AttributeName="testaccent">
<saml:AttributeValue>
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="1970-01-01T00:00:00.123Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_50aLl9DNpgZIQWfHEB66saTmCag5gyiL">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
JcCc5FqQJcn+x83y5fFvi1+M6Xe1c5vaitP6mN2NYOE=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
fcbB95sCH3zTo2e0oB/ZoV9hphdCddqXXISddc0fOdVO4kWII1BM6HzPpZUbA5E7E8V1B3NpwqnkRR/e3TM0/mdlqytpVp6rdjveSE2sg3skvRX71NTl/rH7q6mG7KFCVJ1P5DLbz+9iK9h1HkUxVxGQxQQL9sTqrXlQEWeuRoyW9ktGjpx4sM2svfDVEbq/I52HHZlAXgck0uzjFkAcWYSwWL8HB8Go7+pq57Qf9axyxp/YlR4DAC1uvkFl9miy0JRbmtMDSUqcyJU39jviOB9CajK6LhZ6gXRA82eBjejdXOKKN5KXeE+oUDhU+D06Msf8Yu0oNImfdp0hcOx0Rg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
Saml20 "saml 2.0 whole thing with default authnContextClassRef"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_fCunBy4jPL6jpHHnB687pjyzqSs9DWeA" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer>
urn:issuer
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_fCunBy4jPL6jpHHnB687pjyzqSs9DWeA">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
qF+FdDu6KHf8msZYfl5aLnpRr8/TSStyEiRJAe0nlY4=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Ep0ZWUCMhkmJPoVNh0w0cQW9DMO56yh5wrke/yZ9YpLXdh2hQfmHiCR38ZmqAsLP/KZiVytV/nRyDNOx0iotfwhtMVDhIeFSUr/2RDyfyaAJrEM6syKNmagztnf5itNaJbSSd15QfJZCFaQtqV4OnlHJjCQ5ukFPWZyU06u9fSXj3689wfM9qF3HQTBfHnHp8BzVRsAMKgUc5gWv9j6k9AP0ljg+Qjr469A3TXePGYhmmoj3zmsKq5YtYKNvUa+YY1YoA6Rn91rWRwksy4rENNH1WlhybD7ksWk8NWaXqLDUaerfzqpfwuHtsXBzjaXFrGPTqh+YwMPRbvBqzqlv+g==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="1970-01-01T00:10:00.123Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestriction>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_pqbhx36GRo9oLXmzlER3rwVj8VfqSmvV" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_pqbhx36GRo9oLXmzlER3rwVj8VfqSmvV">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
xpQwBKzlUpeOmwNse2G+B2q6Pq7kiahczhRvMngE1go=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
u5sRz1uB6osPp5ioCJsIJD+pSSS6wO9Asi/TXEqR2xeOgiP3NETIglUmotNw0qTnOukHL1DDkH81WIUL+WoJtV6m6cvUEVsKg6XY4hC+tYQANKR/X0gHiPhSjUznFmgbVrAa6VzdAdF68D7Xyh9aYlrnrnUQBWqdKVNdEeOrNSgnVCXbcR4m8MdHE3+iI4gIKGU1qlYd0wJiosDMufddXdb7o4t/TZgyTEDxLFY5xmQTihJiArhNbjR6vCvydVfkHa7su+pZ/rVWDeYjoZ8QjXQGCTY5qHNtUmYFTT8DaUJMrM/fBXg0dE2LzXy2Z3+VoIAtrRV1tonktqenmbnk0w==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes with the correct attribute type"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_8FNcsJgSztFLmdrpaoTwIyeivlNeeCSd" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_8FNcsJgSztFLmdrpaoTwIyeivlNeeCSd">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
nCvje20ZXky2Db3C5czGuYs3iLLTgaU3aMHsLRMCzp0=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
EWY6ueSU/+oMptAaYwrL4ANqVNxeFU2GNzANnThch6s3JUQzhthEUXYKMGFKEsz8jMR8rNx3mbRKDGoaGd/3U6C+Lzb3sB1joTRXjqN88UcTb+lhFfgnvL/Kcef2FD3qPSQRUsBPg8oBI8UW6o8CyMec1UNkxtGIM0ah/DLZANX6U7KyqETUJDgcrJJGumD+ZPOdOorqOumeQZedHLq6vFjJZf3v8LYF9J5bZwp85z5lwDqmIwZ6Wl4tG/8NjYJYdXyenmoq/6kwSVuJzgH/xIGIatjrLrjxvy5vtQVbn4j/XGPV2VvS7l64WIRhpeHCRrf3wxugns2BZwjoPd7pEg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/boolean" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/booleanNegative" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
false
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:double">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes with the correct attribute type and NameFormat"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_lbkap2wh33c779ElSzIQgGmtg2WILkoL" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_lbkap2wh33c779ElSzIQgGmtg2WILkoL">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
DYQ4J3BwionRqzIesXU7ker9YS9KgIIfK1beVvaEyTs=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
imRTsmqo4ik1DPR8QYU/WRzwuz4YvBg1QMT5NAWVP+APd4Luprwsf5ORV/FSkujll9avwRUA7iGMw7yIWJpluNvQyhBQyL3tW9BuyVUdRlld8CXLx/GNvT+JhP4YfFH+lRzePm0J5Dj6jPYAGsRIn57PQcw501/t96mDN561q/oXY+aJTjSJMm+BQ5xfA8l77KKX0P8g5rV4dGjSdmSGusOVA9YpKqxPh52YxvsThw8YBZS88ii3VVVTEKtuK32calKIdCWhi+o9xHDZB4eKKYHBDvDaesoNDuHwskMFhpZdA/Q0UTxpH3OTPT9HPFMdXBXiYufkZ2DurIsiuF6fYQ==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:test:1:2:3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="123~oo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:double">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should set attributes to anytpe when typedAttributes is false"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_QOWNCUKaVGLFAKr5HwbVbKBRyQtW7wcp" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_QOWNCUKaVGLFAKr5HwbVbKBRyQtW7wcp">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
ZmpBbXR8+PF2GzFL2oTffTJ48P66yEBV8h+FvIl5I/4=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
rEfxwVz4YuNNKue28uCIaUdxDOkEyOxAQQfuTBnT8ZlRzUDsD30bihYf+7ejnqWcCY/0IfG0+X6Pzzt5humeT6y1/0Qq6sLMpcRQXjcAUiFJr3uhObyD1h3zL/MzRtKP+1Wjvm+/kvARmpD+PF6ke2lrH5Eh8/gVHr6WAE+SffYFdQTdFs3LXxl9p6UmHezousUAclc+IeUPDeZyxNIB1d+bu5AECrE5o9zcBzXDZlD29xAKcwZuTNuRZ01ll2XRG41/rRXhMK3IOB3cfY1+oBrM5QGpX3WNHb7y01yL8Nq8QtJAAmDo2ShszBxdREgwuiYSjudRcBQydnvOk5uA5g==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/boolean" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://attributes/number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:anyType">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should not set NameFormat in attributes when includeAttributeNameFormat is false"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_OUkNzw9AwlNgmLidOpsWIqVSPc095sfi" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_OUkNzw9AwlNgmLidOpsWIqVSPc095sfi">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
9sj9yGLvtIFxF0BIj+edlLscf9mFuc/botDYO0jfZqU=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
l025ev91SSmdNTlxHosej+UCQAQk3xQ2jLzvOd/Mx2OQ4J7cuNDFdYWYARNC+hl56abD+1uY8eqHyDzySdYn85Q5JClwg9MtTmPxlJT44vjXUbsrQeivOGAJqfZa+uOkVrGGzlnuPXf8vFT/Cn9Q8OZGZRpnvEQdhIdMizo3nxcC9x3O5Xx4p2Bjrfnp7F8eNsKFfCUL+KWFcpZ95Ibcvol+FkX54OokDjOpRn0o6B3RvY22Ou87LylJ0HXG1i/EQNJsBgTtynCF/ZGxSLZ6Ehy1MnX06kG/EGpGLo3A0BjPhSqLnRub/ffVCIcHMZJd0jLGZCpkks2SK/XbEX+6NA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<saml:AttributeValue xsi:type="xs:anyType">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<saml:AttributeValue xsi:type="xs:anyType">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="testaccent">
<saml:AttributeValue xsi:type="xs:anyType">
fóo
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:test:1:2:3">
<saml:AttributeValue xsi:type="xs:anyType">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="123~oo">
<saml:AttributeValue xsi:type="xs:anyType">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should ignore undefined attributes in array"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_sIKctMReUqRPVvvhxHERJUdn3Wcdh01Z" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_sIKctMReUqRPVvvhxHERJUdn3Wcdh01Z">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
XwWEv/ZVkIW49iIMb8EGw1s5wn1YFv5rd0lL+tEv3uQ=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
pu8Iy2JEclSPYkeJbfV3v35DzCHpkrKjiJZSualFyiYYj8PqprWHtNK4PC2y7c0EebFZMmHR+4DT31Sb1kkCC3Z9ndnZQ4iVHZcKwHVIileJRW8KkDM1QuZmiuCjLFrlXKIpSsEhjnwy1qIZNNghzHdVq+h//n8JT/pdkbiUT3flDKo3Osd2F3DUN+HmrEMd4rT5TGsjkXBnFHioYuxAbTxLjMGlQrk2AcwOVZlkoWbiKpfSr3C3HbkmnOmpxOYsM5zz/USjSF2lAfeuhtL1iK2ueC64/3eDOkl3Z9Ztw3R71fxikqn5zqPkTx9T49nuCvmt+oJMOP5Z8TvsKbe2VA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="arrayAttribute" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">
foo
</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">
bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:test:1:2:3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:boolean">
true
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="123~oo" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:double">
123
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 whole thing with specific authnContextClassRef"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_vlnAFCjoGKWoEdR52AKoa0jrzOqn3IU9" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer>
urn:issuer
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_vlnAFCjoGKWoEdR52AKoa0jrzOqn3IU9">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
YgQXt8Mw5cw1fjKEurXCiT0tKAfSL1nir2pXlaU/dGo=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
Xb3zf1GIDbVXrXvF1FSTv+tFMqxdMKFNa0lBn94SE5y9E4mSpPh/kA+7mHRtXL/GMfIFhT0mZyVIQL/Zg021OspHOZPeHxxXxkiSSXRRlXItql9zDql0aSPtF5Aq8R+obmAyOV8gMDKJo2y25w1dBmGGqmUTaNjnI+1cfLj9oP/j0d3MNbWRzNbSYcVMrQH58K+Dcd0QH6gvxYEgXTzr+PpSaQhDU4DGFymzLBWnMJZrJxOzDparMN79Y9j+jviXkdjvxIdXQWE6aZnfpM63RlPnnUB0BUk/nthAW2llByTNOkUNZzSHzpxR0MR9WmX5m1XJkvZ0erfdn8u0gWmhKg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
foo
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="1970-01-01T00:10:00.123Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="1970-01-01T00:00:00.123Z" NotOnOrAfter="1970-01-01T00:10:00.123Z">
<saml:AudienceRestriction>
<saml:Audience>
urn:myapp
</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
specific
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should place signature where specified"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_uklO1GYirdMWoQIdHQiYpAWkEp11WSYy" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_uklO1GYirdMWoQIdHQiYpAWkEp11WSYy">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
TIQMZFZd7Orjq+/zwlvHSh8Yluz2t1lAGy2pgF9xx+k=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
IdN7R3/6NLfQbYCR5mgiZSEvWKWHo2I2sAg5t13ruoOIoB1dj2ctkSLTCqt9on1m7vZ4edK8JQi338XEoImA/bVXHYiyliQV/MLZr1qGoconOQlNQL8bxXSSS8RY2bMkOzu58slbgazwReWUpHESbJnVF7ScDbxbdu6kjV2F6ni0qS/lIqXT7ykQPDLGDIBBkCFv3zwoKsMN+aqyv+b5n6iOsS0nQwshw7IeB+9RU0259U4koYO9mDSg8IytSZ2QISCrAIYVbmMGHJ/mxlfvkDP5hOdDeWYYK/tGarBTNQ92ffc01dESJWlMt0DQHm1Sy1u3w7XuJG7gW+Ph+8jNPg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should place signature with prefix where specified"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_6p8RpBQsEXQLHvExsE1BzZr0dr45KtO3" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<anyprefix:Signature xmlns:anyprefix="http://www.w3.org/2000/09/xmldsig#">
<anyprefix:SignedInfo>
<anyprefix:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<anyprefix:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<anyprefix:Reference URI="#_6p8RpBQsEXQLHvExsE1BzZr0dr45KtO3">
<anyprefix:Transforms>
<anyprefix:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<anyprefix:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</anyprefix:Transforms>
<anyprefix:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<anyprefix:DigestValue>
0tOe4JfftuBanPI80/90ycc2fvnWnSVgdYzQjUlwpwU=
</anyprefix:DigestValue>
</anyprefix:Reference>
</anyprefix:SignedInfo>
<anyprefix:SignatureValue>
rNFH4TQZuQardEo5kzfJAHW5ptjCGix0jyZJBKtB+CS4cMBzGIRm3Hlirdm2HCjKKKJcLvB3zz5ULxdi4Xy+cVQg6dV33ilCSmuYzz7R3tZfVcsLqLeJwMJzF1g6hDXskhnEXHHDt3YPdsg4QTCkD4XfZQe3HAidz//rVc83rfjDf/jHtM6a+rpShSmXFNg962urfUWecW+TrBBfzEO8GjbGRTjFkdo6CNREc6Ok32hHFYDKGLHyeg2As4QMAmpDt8rKjO2GF8d4kKE92gnB2+pmx5Uu75mzr0cnwQhJtiGaLgRc7vyNMVJzZJCUlKYxyN1SHULO3TAmkfBk049UBg==
</anyprefix:SignatureValue>
<anyprefix:KeyInfo>
<anyprefix:X509Data>
<anyprefix:X509Certificate>
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
</anyprefix:X509Certificate>
</anyprefix:X509Data>
</anyprefix:KeyInfo>
</anyprefix:Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should place signature with prefix where specified (backwards compat)"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_gxK8YWgsOQcXUYIYIweMhmQYgiVGTQF7" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<anyprefix:Signature xmlns:anyprefix="http://www.w3.org/2000/09/xmldsig#">
<anyprefix:SignedInfo>
<anyprefix:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<anyprefix:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<anyprefix:Reference URI="#_gxK8YWgsOQcXUYIYIweMhmQYgiVGTQF7">
<anyprefix:Transforms>
<anyprefix:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<anyprefix:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</anyprefix:Transforms>
<anyprefix:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<anyprefix:DigestValue>
JZxB6l+OD0b35k70p3dbf5dy6W3jhH0RjQzQ/qFTQFo=
</anyprefix:DigestValue>
</anyprefix:Reference>
</anyprefix:SignedInfo>
<anyprefix:SignatureValue>
CmIcl67juoanIypF7zJbP20QIbCKAlfyNiwHW85r4quj58Xc9nxMqotrDojodnPyFW+JDCNDM7UnDc+k7AEij1rDqaBlUe7GjrwfiB/ll+FjObKtKPS92LaLmLEd0W9fAmOuhr6pTvJUIj/8auN9accV8NLe2JAcdE4B9u9iYCQZuL6Fa6AGU1dM+3WkErY5wG+Xb9k8wdS4JbN+yQvhpfi7GuaEz7Ah8X2mBeWlHqb77WbnT6Af4c7GET5TvnpaoYQIAxdhBNmkH8bLG2bSGp6gaIKc34XREt5sZK9DRFGZhWf4NdRrLC+xRwPBmirfuLYin1q2wGYzDNlm+G8bdQ==
</anyprefix:SignatureValue>
<anyprefix:KeyInfo>
<anyprefix:X509Data>
<anyprefix:X509Certificate>
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
</anyprefix:X509Certificate>
</anyprefix:X509Data>
</anyprefix:KeyInfo>
</anyprefix:Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should ignore prefix if not a string"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_WfbMmHKoD1rIff1gVR0T9qmtheyjflxV" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_WfbMmHKoD1rIff1gVR0T9qmtheyjflxV">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
Lw2+zAV9gL61S1/Ak0oYpovXKiYxXh9VccnZ9X1QN40=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
olfSIJJVy+iLLVar+jlriVWYe+G9wFyfVzXADDwwY2pS1dv1uoX5+KaTkbOMsq+/ranBtSl/CaMKCO9c31x2rhfqi1iqhrrW5mQPqLzp1EKlzwXToOeh/SFR0QVir1jpyiSXXe6nJz+YDLE9wdSp41bPL8qaJQK/xMK+lju7+1sa3kGqxiqxdBsx7aCjk7V2+TWQImVd+Pfer6zmRhZGDRMl3mR3zLbnH0aLDEgB02BFWO+H6iJ2+SYRPD+kIeX2Mt7xmB3LtEORFZ1+9gTTswpRSa/d9Rx79Bj5Okxq5+4LvCMdJUzT5BW2/AOSSyeU8MUrKWp0M7d6gg/kOfDckA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should not include AudienceRestriction when there are no audiences"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_NuMnlxOTLJ9XgHtwpCzG0CN6BOgaHo8B" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_NuMnlxOTLJ9XgHtwpCzG0CN6BOgaHo8B">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
8rq0hC/ic9QhkSlig33A4l9IHvlQ5+AEecNdDoCyDgY=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
k1xbjXE729WsycAYMO0e+tZPDh3S8jQtGsbdxyeYFQCnz5FNgfU3fiS3jqbC25tDm9j5dUPOdfQ10GfHWHHpZvdia4Ud3JjoC1/eCUPlrb85mAi+rZakrd5huYgn6TsgTtj5GweRrsu63vTGe9IeC1RcqIzicIHhoV4KB7dAhlfflNEpHUjpQtYmJsO8bHFGk9/1ObwhSNBTjwD6GSj7lZLuu+i6+rdGLtQRpz0nx+clVbcduVJOjYT+OdZdGtxivWMCaRAqlPqyqGvDBKbPsEoDArD4P+gN4T8r0a59KJ9SgFXXDgjPMxGVAPIZ4PGz+6EsTVQQaa3LxRELK7jGYA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIIEDzCCAvegAwIBAgIJALr9HwgrQ7GeMA0GCSqGSIb3DQEBBQUAMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDAeFw0xMjEyMjkxNTMwNDdaFw0xMzAxMjgxNTMwNDdaMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZiVmNHiXLldrgbS50ONNOH7pJ2zg6OcSMkYZGDZJbOZ/TqwauC6JOnI7+xtkPJsQHZSFJs4U0srjZKzDCmaz2jLAJDShP2jaXlrki16nDLPE//IGAg3BJguSmBCWpDbSm92V9hSsE+Mhx6bDaJiw8yQ+Q8iSm0aTQZtp6O4ICMu00ESdh9NJqIECELvP31ADV1Xhj7IbyyVPDFxMv3ol5BySE9wwwOFUq/wv7Xz9LRiUjUzPO+Lq3OM3o/uCDbk7jD7XrGUuOydALD8ULsXp4EuDO+nFbeXB/iKndZynuVKokirywl2nD2IP0/yncdLQZ8ByIyqP3G82fq/l8p7AsCAwEAAaOBxzCBxDAdBgNVHQ4EFgQUHI2rUXeBjTv1zAllaPGrHFcEK0YwgZQGA1UdIwSBjDCBiYAUHI2rUXeBjTv1zAllaPGrHFcEK0ahZqRkMGIxGDAWBgNVBAMTD2F1dGgwLmF1dGgwLmNvbTESMBAGA1UEChMJQXV0aDAgTExDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZIIJALr9HwgrQ7GeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFrXIhCy4T4eGrikb0R2wHv/uS548r3pZyBV0CDbcRwAtbnpJMvkGFqKVp4pmyoIDSVNK/j+sLEshB20XftezHZyRJbCUbtKvXQ6FsxoeZMlN0ITYKTaoBZKhUxxj90otAhNC58qwGUPqt2LewJhHyLucKkGJ1mQ3b5xKZ532ToufouH9VLhig3H1KnxWo/zMD6Ke8cCk6qO9htuhI06s3GQGS1QWQtAmm17C6TfKgDwQFZwhqHUUZnwKRH8gU6OgZsvhgV1B7H5mjZcu57KMiDBekU9MEY0DCVTN3WkmcTII668zLsJrkNX6PEfck1AMBbVE6pEUKcWwq3uaLvlAUo=
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Saml20 "saml 2.0 should not include AttributeStatement when there are no attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_b7JcQ623FSJKiN9gCJOBIp5tJPCQnkfO" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_b7JcQ623FSJKiN9gCJOBIp5tJPCQnkfO">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
BhttDuB6KHYLdU9966/B7Y8lvw6gvhwUA9+gUwQkb44=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
OIj7/5uFuc0hmHQbj8OUe3PYfnqI8rBt311BE9ngMHn+23/BJS/UIVuMzczi4Qg3TXKBH5Sc4+bWn/Tpod4w3po/mrr6fWW+RbPDaiYg/2sRQuNSVTJmVFEms1JVSgFExSOFtMsIj5ZF1y/1X2t58p3zZG7AVWThwmNpFBWpg772CYSrJDVDIgbHhqnBfAsj5JCY1iAayylcFbzhfwGUVapWjU2enWtmfpwJBTiJc6uCiX4rY6hj66DDPeEe1CLN291BycCdfEeF6vTTjTzTheDTAOUku4sSEz8PAli27dgfgAtxIC8kWkVCk4RNVJOV9f8wbWT8E1DfvT6G8MeQhw==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
Saml20 "saml 2.0 encryption should create a saml 2.0 signed and encrypted assertion"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_2RgBggodozDOgD02Csbq8NuQbZEmaavH" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_2RgBggodozDOgD02Csbq8NuQbZEmaavH">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
12DwV6IxvGK6lOeqnuK9cHV1nOCJpn5kcj5mjy7wDqk=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
cphf4N7e9UfJ7wrXFb3ozGG4fBpVmdNbO8bvQINwd5xq2RKPjwH5UC6BFbU45pcsZoAH7Ek64y/OffEm1HlEdJITmbKgusNWDyh/TEdSO7kXA25Io1zt8DVQSvPEu9kEL/1qeDvLrmMSAIeJL5IkEodFuvrhsapFsLP2wVqsiiqJu5NVQr8fPTr9U7rs04z08dE/ciMQWSLy1QPMCNzMm1tnfA7yjdke7UY0A27eOu+Zfeplec4aPqPmu21tZb96DyusjT+LgeOvUZbvwhNdrajIBHWd3TU6PqeM4HUjIzGWEZLtM4LTiUyenCoKsZwjP/G/zRdu5x/Bz9BqlPXGTg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
Saml20 "saml 2.0 encryption should set attributes"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r4Wfem7XMOX9DwaSdV1nJ0F4XNSthJBC" IssueInstant="1970-01-01T00:00:00.123Z">
<saml:Issuer/>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_r4Wfem7XMOX9DwaSdV1nJ0F4XNSthJBC">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>
rqCyG4cBPf/2R3nZoQ46YjNJiKdiQYC1RN3JEABVBNI=
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
JKZD2ZEgaqCQUVTn1V0GwnkA2KYC8EjzmYJAjACDuGTPSAJrMsgRiWZxhdUgQvNPOzGohDYcVCkxjJ685AIoTYu2a42Vqh2IIojdTPi9P4KTMHBmG1WiPCDEMqTlF0yJ2m4vLYsO5YZUZAWPu5ffwZcgO0JDAQ4NtoFtl6TVEjzrxaAihC7URXVwUsrBuGZv0QPIC1DYn4/biKXR/c98hMUxU8OOZVVKW+s1dlteXbv2FQ56BwwX/liHf+iBmv7icOzNBcfRIFUs4j6tFSwCBnb/Q9rDZVdljvLBBNCojo0d0BBI9JrLWOPm0WRVrE5nYb+q297F+NJQH8FtjWCETA==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
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
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions/>
<saml:AuthnStatement AuthnInstant="1970-01-01T00:00:00.123Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
[email protected]
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
Foo Bar
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://example.org/claims/testaccent" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">
fóo
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
38 passing (780ms)