OIOSAML 3 Request and Response when Access Manager acts as an Identity Provider

Request

The following is an example of an authentication request sent by an OIOSAML 3-compliant trusted provider (for example, NemLog-in) to the Access Manager Identity Provider:

<!-- Sample AuthnRequest received by the Access Manager IdP.
     Destination is the IdP's SSO endpoint that must receive this message;
     AssertionConsumerServiceURL is where the IdP is asked to post the response
     (it matches the Destination of the sample Response further down).
     The ID is echoed back in the Response's InResponseTo, which is how the
     requester ties the response to this request. -->
<AuthnRequest ID="_bd71a98e-37fe-9a8c-bf3e-d20e39337d5b"
              Version="2.0"
              IssueInstant="2023-02-15T09:34:54.8455204Z"
              Destination="https://slesnode1.kcdad1.com:8443/nidp/saml2/sso"
              IsPassive="false"
              ForceAuthn="false"
              AssertionConsumerServiceURL="https://devtest4-nemlog-in.dk/localidp/saml/1.0/"
              ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
              xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              >
    <!-- Entity ID of the requesting provider; the IdP looks this up in its trusted-provider
         configuration. Note the default namespace switches to the assertion namespace here. -->
    <Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
            >https://saml.devtest4-nemlog-in.dk</Issuer>
    <!-- Conditions the requester expects in the issued assertion: the audience is
         restricted to the requester's own entity ID. -->
    <Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <AudienceRestriction>
            <Audience>https://saml.devtest4-nemlog-in.dk</Audience>
        </AudienceRestriction>
    </Conditions>
    <!-- Requested authentication context: NSIS level of assurance "Substantial" at minimum,
         plus the data.gov.dk/eid/Professional class (presumably the professional/employee
         identity type of the OIOSAML 3 profile - verify against the profile).
         NOTE(review): SAML 2.0 Core defines this attribute as "Comparison" (capital C);
         it is lowercase here, so a schema-aware IdP may not recognize it and would fall back
         to the default "exact" matching - confirm how Access Manager treats it. -->
    <RequestedAuthnContext comparison="minimum">
        <AuthnContextClassRef xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://data.gov.dk/concept/core/nsis/loa/Substantial</AuthnContextClassRef>
        <AuthnContextClassRef xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://data.gov.dk/eid/Professional</AuthnContextClassRef>
    </RequestedAuthnContext>
    <!-- RequesterID names the party on whose behalf the issuing provider makes this request
         (a proxied request); it is distinct from the Issuer above. -->
    <Scoping>
        <RequesterID>https://saml.services.devtest4-nemlog-in.dk</RequesterID>
    </Scoping>
</AuthnRequest>

Response

The following is an example of the authentication response sent by the Access Manager Identity Provider to the OIOSAML 3-compliant trusted provider:

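<!-- Sample Response issued by the Access Manager IdP.
     Destination matches the AssertionConsumerServiceURL of the sample request, and
     InResponseTo matches the request's ID; the relying party is expected to check both
     before accepting the message. The Response itself is signed (ds:Signature below)
     and the Assertion is delivered encrypted (saml:EncryptedAssertion). -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained"
                Destination="https://devtest4-nemlog-in.dk/localidp/saml/1.0/"
                ID="idL4NswVTVNPY69m7ld5Kf6744y0Q"
                InResponseTo="_bd71a98e-37fe-9a8c-bf3e-d20e39337d5b"
                IssueInstant="2023-02-15T09:35:06Z"
                Version="2.0"
                >
    <!-- Entity ID of the Access Manager IdP (its SAML2 metadata URL). -->
    <saml:Issuer>https://slesnode1.kcdad1.com:8443/nidp/saml2/metadata</saml:Issuer>
    <!-- Enveloped XML signature over the whole Response: the Reference URI below points at
         the Response ID above, canonicalized with exclusive C14N, RSA-SHA256 signature,
         SHA-256 digest. The relying party should verify this signature, and that the
         reference covers the root Response element rather than some nested element,
         before decrypting or acting on anything inside. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#idL4NswVTVNPY69m7ld5Kf6744y0Q">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>9op0qndP22y6OTkYB5QKqvcep0OU6p0raobXlDF9jXc=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
RXHrgFsZOuFTYxiBwws6moKmCqqseM1w79h9dnS4FkgV4cF/9mHm9LnuWMPmHq/eHyNSOj7YLXW5
4ewsKbxZjr769DkQ+vB3f91nr35IEG/pHMURgW9Z2DqKvbO2z5ApWuClHO4HXq7RykgVDXKubQvY
h2/t6zVIbBAaZuyNvh2LZjK7fptEwvAxsqL7ny/vTnN+o13lL3DsJKT+4E4sOpDUCfSM94lJqwfq
Hd2mKyYn095mKhp9Em2zy1YLQrbyJcS+jdqXnWLK7OKc7xNIRxAtSf7y3lLpw9LGxcGrEGKFMf+9
Wu6UN5j4SfWoaIR9GE5zbHuYXSUZ1CGd5HOzPpAA6ARqY007sSetimKb/mF1AVLy8vaF5G6na89S
UczqcZn3DgM2mZEixOQp3iyjw50rIGlZC51EUxwhH84zxe5mhYQiAnkq6/1oBjav6OERoURVE/2W
UwLUV0nKsWPPd9PqQpT0XxO5Aghn/puenpoGUiOqNXbqCb79nQyLa9K4
</ds:SignatureValue>
        <!-- Signing certificate, redacted (***) in this sample. The relying party should
             validate the signature against the IdP certificate it holds from metadata,
             not merely against whatever certificate the message carries. -->
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>
***
</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <!-- The Assertion is encrypted for the relying party: element content under AES-256-GCM,
         the content key wrapped with RSA-OAEP (MGF1-SHA256, SHA-256 digest). The wrapping
         key is identified by issuer name and serial number, presumably the relying party's
         encryption certificate - verify against its metadata. Because the Assertion is
         encrypted, this sample does not show whether the Assertion carries its own
         signature; confirm the relying party also validates that after decryption. -->
    <saml:EncryptedAssertion>
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            Type="http://www.w3.org/2001/04/xmlenc#Element"
                            >
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey>
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
                        <!-- xmlns:ds here merely re-declares the prefix already bound on the
                             enclosing ds:KeyInfo; it is redundant but harmless. -->
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"
                                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                                         />
                        <xenc11:MGF xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
                                    Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"
                                    />
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                            <ds:X509Data>
                                <ds:X509IssuerSerial>
                                    <ds:X509IssuerName>CN=TRUST2408 Systemtest XXXIV CA, O=TRUST2408, C=DK</ds:X509IssuerName>
                                    <ds:X509SerialNumber>1604723226</ds:X509SerialNumber>
                                </ds:X509IssuerSerial>
                            </ds:X509Data>
                        </wsse:SecurityTokenReference>
                    </ds:KeyInfo>
                    <!-- Wrapped content-encryption key, redacted (***) in this sample. -->
                    <xenc:CipherData>
                        <xenc:CipherValue>***</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <!-- Encrypted Assertion ciphertext, redacted (***) in this sample. -->
            <xenc:CipherData>
                <xenc:CipherValue>***</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml:EncryptedAssertion>
</samlp:Response>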