メモ
XML署名は、AssertionとResponseどちらにあってもよいとなってる。
※以下がSAMLレスポンスのフォーマット。samlp:Response、saml:Assertionどちらのタグにds:Signatureをつけても良いという事だろう。
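<!--
  Sample SAML 2.0 Response as listed in the note, with the namespace prefixes restored.
  The listing had the ':' stripped from every qualified name (samlpResponse -> samlp:Response,
  xmlnssamlp -> xmlns:samlp, dsSignature -> ds:Signature, ...), which made it ill-formed as
  namespaced XML and hid the point the note makes about where ds:Signature may sit.
  The identifier_N values are placeholders from the example; the ds:Signature body is elided.

  Signature placement: here ds:Signature is a child of saml:Assertion, so it covers only the
  Assertion. A ds:Signature placed directly under samlp:Response would cover the whole Response
  instead. Whichever placement the IdP uses, the SP should confirm that the element the
  signature actually references (its ds:Reference URI vs. the ID attribute) is the same element
  whose contents it then trusts, rather than accepting any valid signature found in the document.
-->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="identifier_2"
                InResponseTo="identifier_1"
                Version="2.0"
                IssueInstant="2004-12-05T09:22:05Z"
                Destination="https://sp.example.com/SAML2/SSO/POST">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <!-- The saml namespace is re-declared here in the example; it is redundant but legal. -->
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="identifier_3"
                  Version="2.0"
                  IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <!-- Enveloped signature over this Assertion; its content is elided in the note. -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Bearer confirmation: the SP is expected to check InResponseTo against its own
             request ID, Recipient against its own ACS URL, and NotOnOrAfter against the clock. -->
        <saml:SubjectConfirmationData InResponseTo="identifier_1"
                                      Recipient="https://sp.example.com/SAML2/SSO/POST"
                                      NotOnOrAfter="2004-12-05T09:27:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- Validity window and intended audience; both are part of what the SP must enforce. -->
    <saml:Conditions NotBefore="2004-12-05T09:17:05Z"
                     NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z"
                         SessionIndex="identifier_3">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>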