From e4d74de3f9958577cb40826fdf21059c31fe07bb Mon Sep 17 00:00:00 2001 From: Joe Rayhawk Date: Mon, 15 Jun 2020 17:40:24 -0700 Subject: [PATCH 1/8] aws_ec2_client_vpn_endpoint: add federated auth While AWS *can* act as an SSO IdP, I don't think there's a public API for enabling it. Automated testing might be troublesome. --- aws/resource_aws_ec2_client_vpn_endpoint.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/aws/resource_aws_ec2_client_vpn_endpoint.go b/aws/resource_aws_ec2_client_vpn_endpoint.go index bc34139e0fc..9bdf7828219 100644 --- a/aws/resource_aws_ec2_client_vpn_endpoint.go +++ b/aws/resource_aws_ec2_client_vpn_endpoint.go @@ -71,8 +71,15 @@ func resourceAwsEc2ClientVpnEndpoint() *schema.Resource { ValidateFunc: validation.StringInSlice([]string{ ec2.ClientVpnAuthenticationTypeCertificateAuthentication, ec2.ClientVpnAuthenticationTypeDirectoryServiceAuthentication, + ec2.ClientVpnAuthenticationTypeFederatedAuthentication, }, false), }, + "saml_provider_arn": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + ValidateFunc: validateArn, + }, "active_directory_id": { Type: schema.TypeString, Optional: true, @@ -366,6 +373,9 @@ func flattenAuthOptsConfig(aopts []*ec2.ClientVpnAuthentication) []map[string]in if aopt.MutualAuthentication != nil { r["root_certificate_chain_arn"] = aws.StringValue(aopt.MutualAuthentication.ClientRootCertificateChain) } + if aopt.FederatedAuthentication != nil { + r["saml_provider_arn"] = aws.StringValue(aopt.FederatedAuthentication.SamlProviderArn) + } if aopt.ActiveDirectory != nil { r["active_directory_id"] = aws.StringValue(aopt.ActiveDirectory.DirectoryId) } 
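Review bot: In the `authentication_options` schema hunk, `saml_provider_arn` is `Optional` and nothing ties it to `type`, so a `federated-authentication` block with no ARN passes validation and plan. The matching `expandEc2ClientVpnAuthenticationRequest` hunk (`@@ -391,5 +401,11 @@`) then type-asserts `data["saml_provider_arn"].(string)` and sends `aws.String("")` as `SAMLProviderArn`, so the mistake would presumably surface only as an API error at apply time (the service's response to an empty ARN is not visible here). I would guard the expand with `if v, ok := data["saml_provider_arn"].(string); ok && v != "" {` and reject the missing-ARN case at plan time, and likewise reject an ARN supplied alongside a non-federated `type`. `validateArn` is not shown in this diff; if it only checks generic ARN shape, a check for the `saml-provider/` resource part would catch a certificate or directory ARN pasted into the wrong field. Both functions continue outside their hunks.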
@@ -391,5 +401,11 @@ func expandEc2ClientVpnAuthenticationRequest(data map[string]interface{}) *ec2.C } } + if data["type"].(string) == ec2.ClientVpnAuthenticationTypeFederatedAuthentication { + req.FederatedAuthentication = &ec2.FederatedAuthenticationRequest{ + SAMLProviderArn: aws.String(data["saml_provider_arn"].(string)), + } + } + return req } From 56bce568b3a1589b3370048bd5f07184088f1776 Mon Sep 17 00:00:00 2001 From: Jim Geurts Date: Tue, 14 Jul 2020 12:28:07 -0500 Subject: [PATCH 2/8] Add documentation and test for federated-authentication --- ...source_aws_ec2_client_vpn_endpoint_test.go | 51 +++++++++++++++++++ .../r/ec2_client_vpn_endpoint.html.markdown | 3 +- 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/aws/resource_aws_ec2_client_vpn_endpoint_test.go b/aws/resource_aws_ec2_client_vpn_endpoint_test.go index fd80deda7dd..feafb980513 100644 --- a/aws/resource_aws_ec2_client_vpn_endpoint_test.go +++ b/aws/resource_aws_ec2_client_vpn_endpoint_test.go 
@@ -178,6 +178,33 @@ func TestAccAwsEc2ClientVpnEndpoint_mutualAuthAndMsAD(t *testing.T) { }) } +func TestAccAwsEc2ClientVpnEndpoint_federatedAuth(t *testing.T) { + rStr := acctest.RandString(5) + resourceName := "aws_ec2_client_vpn_endpoint.test" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAwsEc2ClientVpnEndpointDestroy, + Steps: []resource.TestStep{ + { + Config: testAccEc2ClientVpnEndpointConfigWithFederatedAuth(rStr), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsEc2ClientVpnEndpointExists(resourceName), + resource.TestCheckResourceAttr(resourceName, "authentication_options.#", "1"), + resource.TestCheckResourceAttr(resourceName, "authentication_options.0.type", "federated-authentication"), + ), + }, + + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccAwsEc2ClientVpnEndpoint_withLogGroup(t *testing.T) { rStr := acctest.RandString(5) resourceName := "aws_ec2_client_vpn_endpoint.test" 
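Review bot: The check step of `TestAccAwsEc2ClientVpnEndpoint_federatedAuth` asserts only `authentication_options.#` and `authentication_options.0.type`, so the test still passes if `saml_provider_arn` is dropped or wrong on read. Add `resource.TestCheckResourceAttrPair(resourceName, "authentication_options.0.saml_provider_arn", "aws_iam_saml_provider.default", "arn"),` to the `ComposeTestCheckFunc` list so the endpoint is shown to be bound to the provider this config created. The import step with `ImportStateVerify` compares one state against another and does not establish that on its own.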
@@ -514,6 +541,30 @@ resource "aws_ec2_client_vpn_endpoint" "test" { `, rName) } +func testAccEc2ClientVpnEndpointConfigWithFederatedAuth(rName string) string { + return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(` +resource "aws_iam_saml_provider" "default" { + name = "myprovider-%s" + saml_metadata_document = "${file("./test-fixtures/saml-metadata.xml")}" +} + +resource "aws_ec2_client_vpn_endpoint" "test" { + description = "terraform-testacc-clientvpn-%s" + server_certificate_arn = "${aws_acm_certificate.test.arn}" + client_cidr_block = "10.0.0.0/16" + + authentication_options { + type = "federated-authentication" + saml_provider_arn = "${aws_iam_saml_provider.default.arn}" + } + + connection_log_options { + enabled = false + } +} +`, rName) +} + func testAccEc2ClientVpnEndpointConfig_tags(rName string) string { return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(` resource "aws_ec2_client_vpn_endpoint" "test" { diff --git a/website/docs/r/ec2_client_vpn_endpoint.html.markdown b/website/docs/r/ec2_client_vpn_endpoint.html.markdown index c3e89b0830a..148dfa709f5 100644 --- a/website/docs/r/ec2_client_vpn_endpoint.html.markdown +++ b/website/docs/r/ec2_client_vpn_endpoint.html.markdown 
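Review bot: The `aws_iam_saml_provider` in `testAccEc2ClientVpnEndpointConfigWithFederatedAuth` is named `myprovider-%s`, unlike the `terraform-testacc-` prefix the endpoint description uses in the same config. A SAML provider is an account-level trust anchor, and one left behind by an aborted run is hard to attribute to the test suite under this name. I would use `name = "terraform-testacc-clientvpn-saml-%s"` so leftovers are recognisable and can be cleaned up by prefix.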
@@ -50,9 +50,10 @@ The following arguments are supported: One of the following arguments must be supplied: -* `type` - (Required) The type of client authentication to be used. Specify `certificate-authentication` to use certificate-based authentication, or `directory-service-authentication` to use Active Directory authentication. +* `type` - (Required) The type of client authentication to be used. Specify `certificate-authentication` to use certificate-based authentication, `directory-service-authentication` to use Active Directory authentication, or `federated-authentication` to use Federated Authentication via SAML 2.0. * `active_directory_id` - (Optional) The ID of the Active Directory to be used for authentication if type is `directory-service-authentication`. * `root_certificate_chain_arn` - (Optional) The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to `certificate-authentication`. +* `saml_provider_arn` - (Optional) The ARN of the IAM SAML identity provider if type is `federated-authentication`. ### `connection_log_options` Argument Reference From 435ed0d3c7eed78aa27abc42c2f167c99965c3fd Mon Sep 17 00:00:00 2001 From: Jim Geurts Date: Tue, 14 Jul 2020 14:33:24 -0500 Subject: [PATCH 3/8] Add missing variable declaration --- aws/resource_aws_ec2_client_vpn_endpoint_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/aws/resource_aws_ec2_client_vpn_endpoint_test.go b/aws/resource_aws_ec2_client_vpn_endpoint_test.go index e8591b65226..f4dbb860f24 100644 --- a/aws/resource_aws_ec2_client_vpn_endpoint_test.go +++ b/aws/resource_aws_ec2_client_vpn_endpoint_test.go 
@@ -252,6 +252,7 @@ func testAccAwsEc2ClientVpnEndpoint_federated(t *testing.T) { } func TestAccAwsEc2ClientVpnEndpoint_withLogGroup(t *testing.T) { + var v1, v2 ec2.ClientVpnEndpoint rStr := acctest.RandString(5) resourceName := "aws_ec2_client_vpn_endpoint.test" From 91159213025ae250d6593f00e4d91fc883b9e523 Mon Sep 17 00:00:00 2001 From: Jim Geurts Date: Tue, 14 Jul 2020 14:37:01 -0500 Subject: [PATCH 4/8] Fix spacing --- aws/resource_aws_ec2_client_vpn_endpoint_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/resource_aws_ec2_client_vpn_endpoint_test.go b/aws/resource_aws_ec2_client_vpn_endpoint_test.go index f4dbb860f24..e2c2cc9c3ed 100644 --- a/aws/resource_aws_ec2_client_vpn_endpoint_test.go +++ b/aws/resource_aws_ec2_client_vpn_endpoint_test.go @@ -252,7 +252,7 @@ func testAccAwsEc2ClientVpnEndpoint_federated(t *testing.T) { } func TestAccAwsEc2ClientVpnEndpoint_withLogGroup(t *testing.T) { - var v1, v2 ec2.ClientVpnEndpoint + var v1, v2 ec2.ClientVpnEndpoint rStr := acctest.RandString(5) resourceName := "aws_ec2_client_vpn_endpoint.test" From 98efe451a1cb7f707273d7dbf2af4f5604ac5f07 Mon Sep 17 00:00:00 2001 From: Jim Geurts Date: Tue, 14 Jul 2020 15:13:13 -0500 Subject: [PATCH 5/8] Fix function name --- aws/resource_aws_ec2_client_vpn_endpoint_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/resource_aws_ec2_client_vpn_endpoint_test.go b/aws/resource_aws_ec2_client_vpn_endpoint_test.go index e2c2cc9c3ed..63150cdc3ef 100644 --- a/aws/resource_aws_ec2_client_vpn_endpoint_test.go +++ b/aws/resource_aws_ec2_client_vpn_endpoint_test.go @@ -251,7 +251,7 @@ func testAccAwsEc2ClientVpnEndpoint_federated(t *testing.T) { }) } -func TestAccAwsEc2ClientVpnEndpoint_withLogGroup(t *testing.T) { +func testAccAwsEc2ClientVpnEndpoint_withLogGroup(t *testing.T) { var v1, v2 ec2.ClientVpnEndpoint rStr := acctest.RandString(5) resourceName := "aws_ec2_client_vpn_endpoint.test" 
From 936779824ce555f47e800b05c6945800e70c8ae7 Mon Sep 17 00:00:00 2001 From: Jim Geurts Date: Wed, 15 Jul 2020 10:12:00 -0500 Subject: [PATCH 6/8] Add missing argument to string fn --- aws/resource_aws_ec2_client_vpn_endpoint_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/resource_aws_ec2_client_vpn_endpoint_test.go b/aws/resource_aws_ec2_client_vpn_endpoint_test.go index 63150cdc3ef..ab25aa6c2ea 100644 --- a/aws/resource_aws_ec2_client_vpn_endpoint_test.go +++ b/aws/resource_aws_ec2_client_vpn_endpoint_test.go @@ -629,7 +629,7 @@ resource "aws_ec2_client_vpn_endpoint" "test" { enabled = false } } -`, rName) +`, rName, rName) } func testAccEc2ClientVpnEndpointConfig_tags(rName string) string { From bc210ad4fde38e5899ffa896fc4d068dd4f85fb2 Mon Sep 17 00:00:00 2001 From: Jim Geurts Date: Thu, 27 Aug 2020 10:48:19 -0500 Subject: [PATCH 7/8] Update legacy expression syntax --- ...source_aws_ec2_client_vpn_endpoint_test.go | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/aws/resource_aws_ec2_client_vpn_endpoint_test.go b/aws/resource_aws_ec2_client_vpn_endpoint_test.go index ab25aa6c2ea..6b77899cbef 100644 --- a/aws/resource_aws_ec2_client_vpn_endpoint_test.go +++ b/aws/resource_aws_ec2_client_vpn_endpoint_test.go @@ -470,15 +470,15 @@ resource "aws_vpc" "test" { } resource "aws_subnet" "test1" { - vpc_id = "${aws_vpc.test.id}" + vpc_id = aws_vpc.test.id cidr_block = "10.0.1.0/24" - availability_zone = "${data.aws_availability_zones.available.names[0]}" + availability_zone = data.aws_availability_zones.available.names[0] } resource "aws_subnet" "test2" { - vpc_id = "${aws_vpc.test.id}" + vpc_id = aws_vpc.test.id cidr_block = "10.0.2.0/24" - availability_zone = "${data.aws_availability_zones.available.names[1]}" + availability_zone = data.aws_availability_zones.available.names[1] } resource "aws_directory_service_directory" "test" { 
@@ -487,8 +487,8 @@ resource "aws_directory_service_directory" "test" { type = "MicrosoftAD" vpc_settings { - vpc_id = "${aws_vpc.test.id}" - subnet_ids = ["${aws_subnet.test1.id}", "${aws_subnet.test2.id}"] + vpc_id = aws_vpc.test.id + subnet_ids = [aws_subnet.test1.id, aws_subnet.test2.id] } } `) @@ -498,12 +498,12 @@ func testAccEc2ClientVpnEndpointConfig(rName string) string { return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(` resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" authentication_options { type = "certificate-authentication" - root_certificate_chain_arn = "${aws_acm_certificate.test.arn}" + root_certificate_chain_arn = aws_acm_certificate.test.arn } connection_log_options { @@ -521,23 +521,23 @@ resource "aws_cloudwatch_log_group" "lg" { resource "aws_cloudwatch_log_stream" "ls" { name = "${aws_cloudwatch_log_group.lg.name}-stream" - log_group_name = "${aws_cloudwatch_log_group.lg.name}" + log_group_name = aws_cloudwatch_log_group.lg.name } resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" authentication_options { type = "certificate-authentication" - root_certificate_chain_arn = "${aws_acm_certificate.test.arn}" + root_certificate_chain_arn = aws_acm_certificate.test.arn } connection_log_options { enabled = true - cloudwatch_log_group = "${aws_cloudwatch_log_group.lg.name}" - cloudwatch_log_stream = "${aws_cloudwatch_log_stream.ls.name}" + cloudwatch_log_group = aws_cloudwatch_log_group.lg.name + cloudwatch_log_stream = aws_cloudwatch_log_stream.ls.name } } `, rName, rName) 
@@ -547,14 +547,14 @@ func testAccEc2ClientVpnEndpointConfigWithDNSServers(rName string) string { return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(` resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" dns_servers = ["8.8.8.8", "8.8.4.4"] authentication_options { type = "certificate-authentication" - root_certificate_chain_arn = "${aws_acm_certificate.test.arn}" + root_certificate_chain_arn = aws_acm_certificate.test.arn } connection_log_options { @@ -569,12 +569,12 @@ func testAccEc2ClientVpnEndpointConfigWithMicrosoftAD(rName string) string { testAccEc2ClientVpnEndpointMsADBase() + fmt.Sprintf(` resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" authentication_options { type = "directory-service-authentication" - active_directory_id = "${aws_directory_service_directory.test.id}" + active_directory_id = aws_directory_service_directory.test.id } connection_log_options { 
@@ -588,17 +588,17 @@ func testAccEc2ClientVpnEndpointConfigWithMutualAuthAndMicrosoftAD(rName string) return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + testAccEc2ClientVpnEndpointMsADBase() + fmt.Sprintf(` resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" authentication_options { type = "directory-service-authentication" - active_directory_id = "${aws_directory_service_directory.test.id}" + active_directory_id = aws_directory_service_directory.test.id } authentication_options { type = "certificate-authentication" - root_certificate_chain_arn = "${aws_acm_certificate.test.arn}" + root_certificate_chain_arn = aws_acm_certificate.test.arn } connection_log_options { @@ -612,17 +612,17 @@ func testAccEc2ClientVpnEndpointConfigWithFederatedAuth(rName string) string { return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(` resource "aws_iam_saml_provider" "default" { name = "myprovider-%s" - saml_metadata_document = "${file("./test-fixtures/saml-metadata.xml")}" + saml_metadata_document = file("./test-fixtures/saml-metadata.xml") } resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" authentication_options { type = "federated-authentication" - saml_provider_arn = "${aws_iam_saml_provider.default.arn}" + saml_provider_arn = aws_iam_saml_provider.default.arn } connection_log_options { 
@@ -636,12 +636,12 @@ func testAccEc2ClientVpnEndpointConfig_tags(rName string) string { return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(` resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" authentication_options { type = "certificate-authentication" - root_certificate_chain_arn = "${aws_acm_certificate.test.arn}" + root_certificate_chain_arn = aws_acm_certificate.test.arn } connection_log_options { @@ -660,12 +660,12 @@ func testAccEc2ClientVpnEndpointConfig_tagsChanged(rName string) string { return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(` resource "aws_ec2_client_vpn_endpoint" "test" { description = "terraform-testacc-clientvpn-%s" - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn client_cidr_block = "10.0.0.0/16" authentication_options { type = "certificate-authentication" - root_certificate_chain_arn = "${aws_acm_certificate.test.arn}" + root_certificate_chain_arn = aws_acm_certificate.test.arn } connection_log_options { @@ -684,12 +684,12 @@ func testAccEc2ClientVpnEndpointConfigSplitTunnel(rName string, splitTunnel bool resource "aws_ec2_client_vpn_endpoint" "test" { client_cidr_block = "10.0.0.0/16" description = %[1]q - server_certificate_arn = "${aws_acm_certificate.test.arn}" + server_certificate_arn = aws_acm_certificate.test.arn split_tunnel = %[2]t authentication_options { type = "certificate-authentication" - root_certificate_chain_arn = "${aws_acm_certificate.test.arn}" + root_certificate_chain_arn = aws_acm_certificate.test.arn } connection_log_options { From b07667c78507b492f41712dc2e48b40233c25afd Mon Sep 17 00:00:00 2001 
From: Jim Geurts
Date: Sat, 29 Aug 2020 09:52:35 -0500
Subject: [PATCH 8/8] Update 509 certificate to expire in 50 years
---
aws/test-fixtures/saml-metadata.xml | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/aws/test-fixtures/saml-metadata.xml b/aws/test-fixtures/saml-metadata.xml
index 69e353b7701..fb42fca70f1 100644
--- a/aws/test-fixtures/saml-metadata.xml
+++ b/aws/test-fixtures/saml-metadata.xml
@@ -1,14 +1,15 @@ - - - - - - MIIErDCCA5SgAwIBAgIOAU+PT8RBAAAAAHxJXEcwDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzAyU2VwMjAxNV8xODI2NTMxGDAWBgNVBAsMDzAwRDI0MDAwMDAwcEFvQTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTUwOTAyMTgyNjUzWhcNMTcwOTAyMTIwMDAwWjCBkDEoMCYGA1UEAwwfU2VsZlNpZ25lZENlcnRfMDJTZXAyMDE1XzE4MjY1MzEYMBYGA1UECwwPMDBEMjQwMDAwMDBwQW9BMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJp/wTRr9n1IWJpkRTjNpep47OKJrD2E6rGbJ18TG2RxtIz+zCn2JwH2aP3TULh0r0hhcg/pecv51RRcG7O19DBBaTQ5+KuoICQyKZy07/yDXSiZontTwkEYs06ssTwTHUcRXbcwTKv16L7omt0MjIhTTGfvtLOYiPwyvKvzAHg4eNuAcli0duVM78UIBORtdmy9C9ZcMh8yRJo5aPBq85wsE3JXU58ytyZzCHTBLH+2xFQrjYnUSEW+FOEEpI7o33MVdFBvWWg1R17HkWzcve4C30lqOHqvxBzyESZ/N1mMlmSt8gPFyB+mUXY99StJDJpnytbY8DwSzMQUo/sOVB0CAwEAAaOCAQAwgf0wHQYDVR0OBBYEFByu1EQqRQS0bYQBKS9K5qwKi+6IMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUHK7URCpFBLRthAEpL0rmrAqL7oihgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzAyU2VwMjAxNV8xODI2NTMxGDAWBgNVBAsMDzAwRDI0MDAwMDAwcEFvQTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFPj0/EQQAAAAB8SVxHMA0GCSqGSIb3DQEBCwUAA4IBAQA9O5o1tC71qJnkq+ABPo4A1aFKZVT/07GcBX4/wetcbYySL4Q2nR9pMgfPYYS1j+P2E3viPsQwPIWDUBwFkNsjjX5DSGEkLAioVGKRwJshRSCSynMcsVZbQkfBUiZXqhM0wzvoa/ALvGD+aSSb1m+x7lEpDYNwQKWaUW2VYcHWv9wjujMyy7dlj8E/jqM71mw7ThNl6k4+3RQ802dMa14txm8pkF0vZgfpV3tkqhBqtjBAicVCaveqr3r3iGqjvyilBgdY+0NR8szqzm7CD/Bkb22+/IgM/mXQuL9KHD/WADlSGmYKmG3SSahmcZxznYCnzcRNN9LVuXlz5cbljmBj - - - - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - - - + + + + + + + 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 + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + +