From 54a1e0457f8e59a9b6947894072f7f9fb2bf8387 Mon Sep 17 00:00:00 2001
From: Nickie Pucel <nickiepucel@asana.com>
Date: Wed, 28 Apr 2021 11:28:32 -0700
Subject: [PATCH] Add optional setting to set a ceiling on how old a SAML
 response is allowed to be (#577)

Co-authored-by: Mark Stosberg <mark@rideamigos.com>
---
 README.md                                     |   1 +
 src/node-saml/saml.ts                         |  77 +++++++++-
 src/node-saml/types.ts                        |   1 +
 test/node-saml/test-signatures.spec.ts        |   8 +-
 test/node-saml/tests.spec.ts                  | 140 +++++++++++++++++-
 ...root-signed.assertion-invalidly-signed.xml |   2 +-
 ...signed.assertion-signed.1advice-signed.xml |   4 +-
 ...gned.assertion-signed.1advice-unsigned.xml |   4 +-
 ...signed.assertion-signed.2advice-signed.xml |   6 +-
 ...gned.assertion-signed.2advice-unsigned.xml |   6 +-
 .../response.root-signed.assertion-signed.xml |   2 +-
 ...ed.assertion-unsigned.1advice-unsigned.xml |   4 +-
 ...ed.assertion-unsigned.2advice-unsigned.xml |   6 +-
 ...esponse.root-signed.assertion-unsigned.xml |   2 +-
 ...signed.assertion-signed.1advice-signed.xml |   4 +-
 ...gned.assertion-signed.1advice-unsigned.xml |   4 +-
 ...esponse.root-unsigned.assertion-signed.xml |   2 +-
 ...ed.assertion-unsigned.1advice-unsigned.xml |   4 +-
 ...ed.assertion-unsigned.2advice-unsigned.xml |   6 +-
 ...ponse.root-unsigned.assertion-unsigned.xml |   2 +-
 ...signed.assertion-signed.1advice-signed.xml |  10 +-
 ...gned.assertion-signed.1advice-unsigned.xml |  24 ++-
 ...signed.assertion-signed.2advice-signed.xml |  12 +-
 ...gned.assertion-signed.2advice-unsigned.xml |  26 ++--
 .../response.root-signed.assertion-signed.xml |  50 ++-----
 ...ed.assertion-unsigned.1advice-unsigned.xml |  14 +-
 ...ed.assertion-unsigned.2advice-unsigned.xml |  16 +-
 ...esponse.root-signed.assertion-unsigned.xml |  12 +-
 ...signed.assertion-signed.1advice-signed.xml |   8 +-
 ...gned.assertion-signed.1advice-unsigned.xml |  15 +-
 ...esponse.root-unsigned.assertion-signed.xml |  13 +-
 31 files changed, 349 insertions(+), 136 deletions(-)

diff --git a/README.md b/README.md
index db7fd32f..4d38bf38 100644
--- a/README.md
+++ b/README.md
@@ -128,6 +128,7 @@ type Profile = {
 - `identifierFormat`: optional name identifier format to request from identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
 - `wantAssertionsSigned`: if truthy, add `WantAssertionsSigned="true"` to the metadata, to specify that the IdP should always sign the assertions.
 - `acceptedClockSkewMs`: Time in milliseconds of skew that is acceptable between client and server when checking `OnBefore` and `NotOnOrAfter` assertion condition validity timestamps. Setting to `-1` will disable checking these conditions entirely. Default is `0`.
+- `maxAssertionAgeMs`: Amount of time after which the framework should consider an assertion expired. If the limit imposed by this variable is stricter than the limit imposed by `NotOnOrAfter`, this limit will be used when determining if an assertion is expired.
 - `attributeConsumingServiceIndex`: optional `AttributeConsumingServiceIndex` attribute to add to AuthnRequest to instruct the IDP which attribute set to attach to the response ([link](http://blog.aniljohn.com/2014/01/data-minimization-front-channel-saml-attribute-requests.html))
 - `disableRequestedAuthnContext`: if truthy, do not request a specific authentication context. This is [known to help when authenticating against Active Directory](https://github.com/node-saml/passport-saml/issues/226) (AD FS) servers.
 - `authnContext`: if truthy, name identifier format to request auth context (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`); array of values is also supported
diff --git a/src/node-saml/saml.ts b/src/node-saml/saml.ts
index 38891263..ed537402 100644
--- a/src/node-saml/saml.ts
+++ b/src/node-saml/saml.ts
@@ -140,6 +140,7 @@ class SAML {
       skipRequestCompression: ctorOptions.skipRequestCompression ?? false,
       disableRequestAcsUrl: ctorOptions.disableRequestAcsUrl ?? false,
       acceptedClockSkewMs: ctorOptions.acceptedClockSkewMs ?? 0,
+      maxAssertionAgeMs: ctorOptions.maxAssertionAgeMs ?? 0,
       path: ctorOptions.path ?? "/saml/consume",
       host: ctorOptions.host ?? "localhost",
       issuer: ctorOptions.issuer ?? "onelogin_saml",
@@ -1075,11 +1076,17 @@ class SAML {
           if (confirmData && confirmData.$) {
             const subjectNotBefore = confirmData.$.NotBefore;
             const subjectNotOnOrAfter = confirmData.$.NotOnOrAfter;
+            const maxTimeLimitMs = this.processMaxAgeAssertionTime(
+              this.options.maxAssertionAgeMs,
+              subjectNotOnOrAfter,
+              assertion.$.IssueInstant
+            );
 
             const subjErr = this.checkTimestampsValidityError(
               nowMs,
               subjectNotBefore,
-              subjectNotOnOrAfter
+              subjectNotOnOrAfter,
+              maxTimeLimitMs
             );
             if (subjErr) {
               throw subjErr;
@@ -1126,10 +1133,16 @@ class SAML {
       throw new Error(msg);
     }
     if (conditions && conditions.$) {
+      const maxTimeLimitMs = this.processMaxAgeAssertionTime(
+        this.options.maxAssertionAgeMs,
+        conditions.$.NotOnOrAfter,
+        assertion.$.IssueInstant
+      );
       const conErr = this.checkTimestampsValidityError(
         nowMs,
         conditions.$.NotBefore,
-        conditions.$.NotOnOrAfter
+        conditions.$.NotOnOrAfter,
+        maxTimeLimitMs
       );
       if (conErr) throw conErr;
     }
@@ -1190,18 +1203,27 @@ class SAML {
     return { profile, loggedOut: false };
   }
 
-  private checkTimestampsValidityError(nowMs: number, notBefore: string, notOnOrAfter: string) {
+  private checkTimestampsValidityError(
+    nowMs: number,
+    notBefore: string,
+    notOnOrAfter: string,
+    maxTimeLimitMs?: number
+  ) {
     if (this.options.acceptedClockSkewMs == -1) return null;
 
     if (notBefore) {
-      const notBeforeMs = Date.parse(notBefore);
+      const notBeforeMs = this.dateStringToTimestamp(notBefore, "NotBefore");
       if (nowMs + this.options.acceptedClockSkewMs < notBeforeMs)
         return new Error("SAML assertion not yet valid");
     }
     if (notOnOrAfter) {
-      const notOnOrAfterMs = Date.parse(notOnOrAfter);
+      const notOnOrAfterMs = this.dateStringToTimestamp(notOnOrAfter, "NotOnOrAfter");
       if (nowMs - this.options.acceptedClockSkewMs >= notOnOrAfterMs)
-        return new Error("SAML assertion expired");
+        return new Error("SAML assertion expired: clocks skewed too much");
+    }
+    if (maxTimeLimitMs) {
+      if (nowMs - this.options.acceptedClockSkewMs >= maxTimeLimitMs)
+        return new Error("SAML assertion expired: assertion too old");
     }
 
     return null;
@@ -1404,6 +1426,49 @@ class SAML {
 
     throw new Error("Invalid key");
   }
+
+  /**
+   * Process max age assertion and use it if it is more restrictive than the NotOnOrAfter age
+   * assertion received in the SAMLResponse.
+   *
+   * @param maxAssertionAgeMs Max time after IssueInstant that we will accept assertion, in Ms.
+   * @param notOnOrAfter Expiration provided in response.
+   * @param issueInstant Time when response was issued.
+   * @returns {*} The expiration time to be used, in Ms.
+   */
+  private processMaxAgeAssertionTime(
+    maxAssertionAgeMs: number,
+    notOnOrAfter: string,
+    issueInstant: string
+  ): number {
+    const notOnOrAfterMs = this.dateStringToTimestamp(notOnOrAfter, "NotOnOrAfter");
+    const issueInstantMs = this.dateStringToTimestamp(issueInstant, "IssueInstant");
+
+    if (maxAssertionAgeMs === 0) {
+      return notOnOrAfterMs;
+    }
+
+    const maxAssertionTimeMs = issueInstantMs + maxAssertionAgeMs;
+    return maxAssertionTimeMs < notOnOrAfterMs ? maxAssertionTimeMs : notOnOrAfterMs;
+  }
+
+  /**
+   * Convert a date string to a timestamp (in milliseconds).
+   *
+   * @param dateString A string representation of a date
+   * @param label Descriptive name of the date being passed in, e.g. "NotOnOrAfter"
+   * @throws Will throw an error if parsing `dateString` returns `NaN`
+   * @returns {number} The timestamp (in milliseconds) representation of the given date
+   */
+  private dateStringToTimestamp(dateString: string, label: string): number {
+    const dateMs = Date.parse(dateString);
+
+    if (isNaN(dateMs)) {
+      throw new Error(`Error parsing ${label}: '${dateString}' is not a valid date`);
+    }
+
+    return dateMs;
+  }
 }
 
 export { SAML };
diff --git a/src/node-saml/types.ts b/src/node-saml/types.ts
index e7dd83ef..a338f6ac 100644
--- a/src/node-saml/types.ts
+++ b/src/node-saml/types.ts
@@ -109,6 +109,7 @@ export interface SamlOptions extends Partial<SamlSigningOptions>, MandatorySamlO
   audience?: string;
   scoping?: SamlScopingConfig;
   wantAssertionsSigned?: boolean;
+  maxAssertionAgeMs: number;
 
   // InResponseTo Validation
   validateInResponseTo: boolean;
diff --git a/test/node-saml/test-signatures.spec.ts b/test/node-saml/test-signatures.spec.ts
index b384c09e..a593c82e 100644
--- a/test/node-saml/test-signatures.spec.ts
+++ b/test/node-saml/test-signatures.spec.ts
@@ -25,7 +25,7 @@ describe("Signatures", function () {
 
       //== Run the test in `func`
       await assert.rejects(samlObj.validatePostResponseAsync(samlResponseBody), {
-        message: shouldErrorWith || "SAML assertion expired",
+        message: shouldErrorWith || "SAML assertion expired: clocks skewed too much",
       });
       //== Assert times `validateSignature` was called
       validateSignatureSpy.callCount.should.eql(amountOfSignatureChecks);
@@ -210,15 +210,15 @@ describe("Signatures", function () {
   describe("Signatures on saml:Response - 1 saml:Assertion + 1 saml:Advice containing 2 saml:Assertion", () => {
     //== VALID
     it(
-      "R1A2Ad - signed root+asrt+advi => error",
+      "R1A2Ad - signed root+asrt+advi => valid",
       testOneResponse("/valid/response.root-signed.assertion-signed.2advice-signed.xml", false, 1)
     );
     it(
-      "R1A2Ad - signed root+asrt => error",
+      "R1A2Ad - signed root+asrt => valid",
       testOneResponse("/valid/response.root-signed.assertion-signed.2advice-unsigned.xml", false, 1)
     );
     it(
-      "R1A2Ad - signed root => error",
+      "R1A2Ad - signed root => valid",
       testOneResponse(
         "/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml",
         false,
diff --git a/test/node-saml/tests.spec.ts b/test/node-saml/tests.spec.ts
index f7dfedfd..6410b6be 100644
--- a/test/node-saml/tests.spec.ts
+++ b/test/node-saml/tests.spec.ts
@@ -1575,6 +1575,28 @@ describe("node-saml /", function () {
         });
       });
 
+      it("onelogin xml document with corrupted NotBefore time should fail", async () => {
+        const unsignedXml =
+          '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
+          '<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa" IssueInstant="2014-05-28T00:16:08Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ploer@subspacesw.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">' +
+          '<saml:SubjectConfirmationData NotOnOrAfter="2014-05-28T00:19:08Z" Recipient="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="INVALID-DATE" NotOnOrAfter="2014-05-28T00:19:08Z"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-05-28T00:16:07Z" SessionNotOnOrAfter="2014-05-29T00:16:08Z" SessionIndex="_30a4af50-c82b-0131-f8b5-782bcb56fcaa"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' +
+          "</samlp:Response>";
+
+        const signingKey = fs.readFileSync(__dirname + "/../static/key.pem");
+        const signingCert = fs.readFileSync(__dirname + "/../static/cert.pem", "utf-8");
+        const signedXml = signXmlResponse(unsignedXml, { privateKey: signingKey });
+
+        const base64xml = Buffer.from(signedXml).toString("base64");
+        const container = { SAMLResponse: base64xml };
+        const samlObj = new SAML({ ...samlConfig, cert: signingCert });
+
+        fakeClock.restore();
+        fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:13:07Z"));
+        await assert.rejects(samlObj.validatePostResponseAsync(container), {
+          message: "Error parsing NotBefore: 'INVALID-DATE' is not a valid date",
+        });
+      });
+
       it("onelogin xml document with current time equal to NotOnOrAfter (minus default clock skew) time should fail", async () => {
         const xml =
           '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
@@ -1590,7 +1612,7 @@ describe("node-saml /", function () {
         fakeClock.restore();
         fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:19:08Z"));
         await assert.rejects(samlObj.validatePostResponseAsync(container), {
-          message: "SAML assertion expired",
+          message: "SAML assertion expired: clocks skewed too much",
         });
       });
 
@@ -1609,7 +1631,7 @@ describe("node-saml /", function () {
         fakeClock.restore();
         fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:19:09Z"));
         await assert.rejects(samlObj.validatePostResponseAsync(container), {
-          message: "SAML assertion expired",
+          message: "SAML assertion expired: clocks skewed too much",
         });
       });
 
@@ -1638,6 +1660,118 @@ describe("node-saml /", function () {
         profile!.nameID!.should.startWith("ploer");
       });
 
+      it("onelogin xml document with corrupted NotOnOrAfter time in Conditions should fail", async () => {
+        const unsignedXml =
+          '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
+          '<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa" IssueInstant="2014-05-28T00:16:08Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ploer@subspacesw.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">' +
+          '<saml:SubjectConfirmationData NotOnOrAfter="2014-05-28T00:19:08Z" Recipient="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-05-28T00:13:08Z" NotOnOrAfter="INVALID-DATE"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-05-28T00:16:07Z" SessionNotOnOrAfter="2014-05-29T00:16:08Z" SessionIndex="_30a4af50-c82b-0131-f8b5-782bcb56fcaa"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' +
+          "</samlp:Response>";
+
+        const signingKey = fs.readFileSync(__dirname + "/../static/key.pem");
+        const signingCert = fs.readFileSync(__dirname + "/../static/cert.pem", "utf-8");
+        const signedXml = signXmlResponse(unsignedXml, { privateKey: signingKey });
+
+        const base64xml = Buffer.from(signedXml).toString("base64");
+        const container = { SAMLResponse: base64xml };
+        const samlObj = new SAML({ ...samlConfig, cert: signingCert });
+
+        fakeClock.restore();
+        fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:13:07Z"));
+        await assert.rejects(samlObj.validatePostResponseAsync(container), {
+          message: "Error parsing NotOnOrAfter: 'INVALID-DATE' is not a valid date",
+        });
+      });
+
+      it("onelogin xml document with corrupted NotOnOrAfter time in SubjectConfirmationData should fail", async () => {
+        const unsignedXml =
+          '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
+          '<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa" IssueInstant="2014-05-28T00:16:08Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ploer@subspacesw.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">' +
+          '<saml:SubjectConfirmationData NotOnOrAfter="INVALID-DATE" Recipient="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-05-28T00:13:08Z" NotOnOrAfter="2014-05-28T00:19:08Z"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-05-28T00:16:07Z" SessionNotOnOrAfter="2014-05-29T00:16:08Z" SessionIndex="_30a4af50-c82b-0131-f8b5-782bcb56fcaa"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' +
+          "</samlp:Response>";
+
+        const signingKey = fs.readFileSync(__dirname + "/../static/key.pem");
+        const signingCert = fs.readFileSync(__dirname + "/../static/cert.pem", "utf-8");
+        const signedXml = signXmlResponse(unsignedXml, { privateKey: signingKey });
+
+        const base64xml = Buffer.from(signedXml).toString("base64");
+        const container = { SAMLResponse: base64xml };
+        const samlObj = new SAML({ ...samlConfig, cert: signingCert });
+
+        fakeClock.restore();
+        fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:13:07Z"));
+        await assert.rejects(samlObj.validatePostResponseAsync(container), {
+          message: "Error parsing NotOnOrAfter: 'INVALID-DATE' is not a valid date",
+        });
+      });
+
+      it("onelogin xml document with current time after MaxAssertionAge (minus default clock skew) should fail", async () => {
+        const xml =
+          '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
+          '<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa" IssueInstant="2014-05-28T00:16:08Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DCnPTQYBb1hKspbe6fg1U3q8xn4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>e0+aFomA0+JAY0f9tKqzIuqIVSSw7LiFUsneEDKPBWdiTz1sMdgr/2y1e9+rjaS2mRmCi/vSQLY3zTYz0hp6nJNU19+TWoXo9kHQyWT4KkeQL4Xs/gZ/AoKC20iHVKtpPps0IQ0Ml/qRoouSitt6Sf/WDz2LV/pWcH2hx5tv3xSw36hK2NQc7qw7r1mEXnvcjXReYo8rrVf7XHGGxNoRIEICUIi110uvsWemSXf0Z0dyb0FVYOWuSsQMDlzNpheADBifFO4UTfSEhFZvn8kVCGZUIwrbOhZ2d/+YEtgyuTg+qtslgfy4dwd4TvEcfuRzQTazeefprSFyiQckAXOjcw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>' +
+          TEST_CERT +
+          '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ploer@subspacesw.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-05-28T00:19:08Z" Recipient="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-05-28T00:13:08Z" NotOnOrAfter="2014-05-28T00:19:08Z"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-05-28T00:16:07Z" SessionNotOnOrAfter="2014-05-29T00:16:08Z" SessionIndex="_30a4af50-c82b-0131-f8b5-782bcb56fcaa"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' +
+          "</samlp:Response>";
+        const base64xml = Buffer.from(xml).toString("base64");
+        const container = { SAMLResponse: base64xml };
+
+        // Set the maxAssertionAgeMs so that IssueInstant + maxAssertionAgeMs == 2014-05-28T00:16:09Z
+        // Note that NotOnOrAfter == 2014-05-28T00:19:08Z in the response
+        const samlObj = new SAML({ ...samlConfig, maxAssertionAgeMs: 1000 });
+
+        // Fake the current date to be after the time limit set by maxAssertionAgeMs,
+        // but before the limit set by NotOnOrAfter
+        fakeClock.restore();
+        fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:17:09Z"));
+        await assert.rejects(samlObj.validatePostResponseAsync(container), {
+          message: "SAML assertion expired: assertion too old",
+        });
+      });
+
+      it("onelogin xml document with current time before MaxAssertionAge (minus default clock skew) should pass", async () => {
+        const xml =
+          '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>' +
+          '<saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa" IssueInstant="2014-05-28T00:16:08Z"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>DCnPTQYBb1hKspbe6fg1U3q8xn4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>e0+aFomA0+JAY0f9tKqzIuqIVSSw7LiFUsneEDKPBWdiTz1sMdgr/2y1e9+rjaS2mRmCi/vSQLY3zTYz0hp6nJNU19+TWoXo9kHQyWT4KkeQL4Xs/gZ/AoKC20iHVKtpPps0IQ0Ml/qRoouSitt6Sf/WDz2LV/pWcH2hx5tv3xSw36hK2NQc7qw7r1mEXnvcjXReYo8rrVf7XHGGxNoRIEICUIi110uvsWemSXf0Z0dyb0FVYOWuSsQMDlzNpheADBifFO4UTfSEhFZvn8kVCGZUIwrbOhZ2d/+YEtgyuTg+qtslgfy4dwd4TvEcfuRzQTazeefprSFyiQckAXOjcw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>' +
+          TEST_CERT +
+          '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ploer@subspacesw.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-05-28T00:19:08Z" Recipient="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2014-05-28T00:13:08Z" NotOnOrAfter="2014-05-28T00:19:08Z"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-05-28T00:16:07Z" SessionNotOnOrAfter="2014-05-29T00:16:08Z" SessionIndex="_30a4af50-c82b-0131-f8b5-782bcb56fcaa"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' +
+          "</samlp:Response>";
+        const base64xml = Buffer.from(xml).toString("base64");
+        const container = { SAMLResponse: base64xml };
+
+        // Set the maxAssertionAgeMs so that IssueInstant + maxAssertionAgeMs == 2014-05-28T00:16:09Z
+        // Note that NotOnOrAfter == 2014-05-28T00:19:08Z in the response
+        const samlObj = new SAML({ ...samlConfig, maxAssertionAgeMs: 1000 });
+
+        // Fake the current date to be before the time limit set by maxAssertionAgeMs
+        fakeClock.restore();
+        fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:16:08Z"));
+
+        const { profile } = await samlObj.validatePostResponseAsync(container);
+        profile!.nameID!.should.startWith("ploer");
+      });
+
+      it("onelogin xml document with corrupted IssueInstant time should fail", async () => {
+        const unsignedXml = `
+        <samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R689b0733bccca22a137e3654830312332940b1be" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
+        <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfx3b63c7be-fe86-62fd-8cb5-16ab6273efaa" IssueInstant="INVALID-DATE"><saml:Issuer>https://app.onelogin.com/saml/metadata/371755</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">ploer@subspacesw.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2014-05-28T00:19:08Z" Recipient="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50"/></saml:SubjectConfirmation></saml:Subject>
+        <saml:Conditions NotBefore="2014-05-28T00:19:00Z" NotOnOrAfter="2014-05-28T00:19:08Z"><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2014-05-28T00:16:07Z" SessionNotOnOrAfter="2014-05-29T00:16:08Z" SessionIndex="_30a4af50-c82b-0131-f8b5-782bcb56fcaa"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>
+        </samlp:Response>
+        `;
+
+        const signingKey = fs.readFileSync(__dirname + "/../static/key.pem");
+        const signingCert = fs.readFileSync(__dirname + "/../static/cert.pem", "utf-8");
+        const signedXml = signXmlResponse(unsignedXml, { privateKey: signingKey });
+
+        const base64xml = Buffer.from(signedXml).toString("base64");
+        const container = { SAMLResponse: base64xml };
+        const samlObj = new SAML({ ...samlConfig, cert: signingCert });
+
+        fakeClock.restore();
+        fakeClock = sinon.useFakeTimers(Date.parse("2014-05-28T00:13:07Z"));
+        await assert.rejects(samlObj.validatePostResponseAsync(container), {
+          message: "Error parsing IssueInstant: 'INVALID-DATE' is not a valid date",
+        });
+      });
+
       it("onelogin xml document with audience and no AudienceRestriction should not pass", async () => {
         const signingCert = fs.readFileSync(__dirname + "/../static/cert.pem", "utf-8");
         const xml = `<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfx1e2f568f-ba3e-9d81-af54-ab41fdbc648e" Version="2.0" IssueInstant="2014-05-28T00:16:08Z" Destination="{recipient}" InResponseTo="_a6fc46be84e1e3cf3c50">
@@ -1947,7 +2081,7 @@ describe("node-saml /", function () {
 
         await assert.rejects(
           samlObj.validateRedirectAsync(this.request, this.request.originalQuery),
-          { message: "SAML assertion expired" }
+          { message: "SAML assertion expired: clocks skewed too much" }
         );
       });
       it("errors if request has a bad signature", async function () {
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-invalidly-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-invalidly-signed.xml
index 4efb92b3..68a77825 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-invalidly-signed.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-invalidly-signed.xml
@@ -18,7 +18,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@hacker-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://hacker-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://hacker-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
index d8dce667..72c609cc 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml
index 0af701d0..21c43bdb 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.1advice-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml
index ae50676b..5ba49d4a 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -47,7 +47,7 @@
                         vincent.vega@evil-daughter-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml
index 6a96131d..3eaf0251 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.2advice-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -47,7 +47,7 @@
                         vincent.vega@evil-daughter-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-signed.xml b/test/static/signatures/invalid/response.root-signed.assertion-signed.xml
index 4b24cf47..c5520825 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-signed.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
index ba19b93b..70f5e4f3 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
index 211f3c09..9bee8e16 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -47,7 +47,7 @@
                         vincent.vega@evil-daughter-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml
index 668a05bd..f05a68ef 100644
--- a/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-signed.assertion-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml
index 66d43a17..7430cb23 100644
--- a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
index 81a3467e..5df6626e 100644
--- a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml
index d798f2d6..3efa28e1 100644
--- a/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
index 8e1c271b..0ac4e439 100644
--- a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.1advice-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
index 6532a91c..725aff10 100644
--- a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.2advice-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -47,7 +47,7 @@
                         vincent.vega@evil-daughter-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml
index 90688fa1..03b9fab8 100644
--- a/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml
+++ b/test/static/signatures/invalid/response.root-unsigned.assertion-unsigned.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml
index 5df7a1e7..fcab63c9 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -39,7 +39,7 @@
                         </saml:AttributeValue>
                     </saml:Attribute>
                 </saml:AttributeStatement>
-            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_cccccccccccccccccccccccccccccccc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>xeXYmnRcab1G94jWD+APScicy5YeY3ycxrh7pxcnAO0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>IrLED4UYbk4X5JvCH18uVnMcY+4Nh7JnqdiF/WxPx7bxdVqn+yIQkYmdF73m4QjvZF6BiuzRBDkcW0rQNXsW8Y5ZfjWOV5flSOdW9+mu4Md7PFvggLDbU5avixi+lhKP8mtTktYbmTrvEE8xijEmGifqvJNR3RsOT9crU2TjD2gPvpfImS6otKUYoRxf4hJGW/GeLTxRv14YtAOojUaihJjJSUG22edZLbrO5lxUEuCpbHRbb2i/XWwCVHHcRGf9+b2HXzxkZoZAQY/mb/wRM2bfCN2WDEIbX/hK5edXc9HRivnEySPe6cP4KXesOjVd4E7xqHMHjYQWXma1DhKjFA==</ds:SignatureValue></ds:Signature></saml:Assertion>
+            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_cccccccccccccccccccccccccccccccc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>iu2GOAhBCOzYaMDtEgXXt0wh0WmAjbmU5hndLXnEKmA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ihWV+KnaVIQq7ozn1XE23UIqjEZtgKQx3XvWm5OwzKt4c/YdokRUfYiUpVPd1bKEQc3ExNMZ72v8nrM7Ti/RFDV7wz6L3yFxpxIzFYT0EincQ3r9XzEMw5340TiNb//WIsZPX7+EIf8LSoB9qPcinl3E0EwD40yFLyd3ztkJIpUS1LMlakNtMfqMAZFOoyVvrtv//d1zyTGMlQC6OqC/S0HqberzpKOg9NkDaIZ2NKyV1JD3szN+L1AygoGo0BIhkb2PsnglghZjxizxBWH81/2C8jgL6JgPKmmTsfCG6MdTikMX25CmS071el1bP8JjGPGfyubugkdAf2+WQdYIsQ==</ds:SignatureValue></ds:Signature></saml:Assertion>
         </saml:Advice>
         <saml:AuthnStatement AuthnInstant="2020-09-25T16:00:00+00:00" SessionIndex="_9e315bdf7b1b6732be33c377cf6f5c4f">
             <saml:AuthnContext>
@@ -62,5 +62,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AXtGOc1GEc3p9Fg6sarULpiu5P4XIF8r5dYe+ORZa4U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>pVT0a2wXHoYJMC3rZohEch8/N5q7byeLa9I+YVLUC7E0Q4HAud9VgrYAwUIM6DsyQc3RmcqGVikq63DfUmounFVq3pn+TU8GytU+BDssBhdIvpa+vjaGyTDgZa+98YCU1BDr2hZytbvMBNHwAqi/cB650wEv5lbDNb6F12ttakYg+18Qzru+HrVynzGiuPxVy4RzpQxx7guNAoGwv7l1MEmIrZN104D/EdSIdmS9lZ8AGDSFHcrGVIjs2SQqvbVOXEdr9JN5/ZuEwWlDIi9EU60DvLlZ2treEArx2us141/ukbCg7kc/nWW59rxPRrPu9RGMHLdjhgiTpEPVOUN52Q==</ds:SignatureValue></ds:Signature></saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>ZPDjvY8Jb6jiwg01d9TASXz5o4WBfjTSv1w7O4DAkcc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>kwsj44K6HxuRzc7v6YQpYhRODX0uPvrb2ExaXrFyaA9yBv/bmUmE0t0PQFR7kyXkY3mfQ3sbBzGVsI3SiSaBhMoi6Rs9nKhGwUKan9Z/yru4XAPiM5Wm2h+nXjbMiHCTbHwSGXbt9Wo4tRA3nYPOS4+ieBK+jvFJj0yXwWSRiP/+Rui8G76lPRZ15zzJ1GZcsRm4mhpRoSMgjlfo5hWf50uPf8NNiOcx14USjSU4Ry5tbaD9Qui8luctVyjZVGJb/CHpqk7c2/Of+W/OoxZaDROScVK2OwQQhAv4EJh+g5LpyqQLD0HHsY7ENRRtFOAheg64TtkeqtoFEQaNAOYLtQ==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>eBO/GSb57Ez1uhBc//DVjLw43neCH1FKna3wdfuh8+M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>KtcKPcpIDSN3UMygy6JjdKiaX8ZD5wn3v0dsFSREMZpGCLgTuFfhd8mvNERhpaFFigQkVElkbK/L4d6l3ilfPIVEz/jUsfh2Q4n/Na+ife+6Yl/Y3266SWQEErA1KK6qRdDw3eoZymzluTH3hed4yG64YIr8RocRC2VvZSD+jI664BAMbQWnK1GQ8TOc2Thx3gQJGVsSspoqh9kpqEsqcGz1SOYsWDu+eqtIcacaFp24U2fvCH3zCBBjTzSGniagonrideBgD9aydqLuN+LLkJf3AcqDQJRaP+Bh3CdoyHDddI4v11Lke9lkxXLaWBd5WWH+uHTioK6O5pDKyMcKcg==</ds:SignatureValue></ds:Signature></saml:Assertion>
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>qC2Q6MG0QqQn0kPjBpEOtw99TJW6XLR2lcS+bWdMfF4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Vj+HX4IxzPaoh46awPWsnTxPoCSHvkBsbIZU5sRyLwfJEqZ/hE4I7NVQqqOUms/R/5K0ot2kDr5v/yqTKFFc8x81Mblg8V08nuvjz9Pt7vg+abMx+pcfTxqcyyQxyl46iGzUdqYvQKkbqCjYBKFZmrvvL6zZ/cFAZpn7/F8Rk9fbyu6NFUGevqfXU1alj0Kcwh1fjGx4DEb5KW4Z7yV9UG5v5Z5QSe8HI/0LybOdsDR82ZOkNtuwoabhclPUWYGCJ5N2YMpiYIyrgYaM2sFjo/L8hi3In5hX4uu+e0E9Mf1HKE5aIUeUJVWQtLpkJjte/o4dsGfeVvvJENJc3i8/3g==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml
index b811e4c7..450724a6 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.1advice-unsigned.xml
@@ -1,16 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
-    <saml:Issuer>https://evil-corp.com</saml:Issuer>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfx777d8da0-3205-2431-09f9-c02d524d7d81" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
+    <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx777d8da0-3205-2431-09f9-c02d524d7d81"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>db5LaTJwQG3yr1m3r/7PPqY2jHA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dSswcUUbhBmsqIj9bZ/+SJ0nnQzskWpInslvt4eHkUb3JfW9LnJF1hPRhDmnfzYKu8L60h8w4vJdRCmiMpiHQmkcILUzjn5lxYNPbry0677WnkSjoAMRrtf4yjUkgIuJugBDtqU/6giC53/g3BrapHOvZTq2eZH9/ELF8QBZj9CEsOCR/Ds1/iYPZxHeJge0I0L3568OqoZBnZppYaSo4i5pRF/3QLSIx1Io9b89LiIItRLdw1KEQMeEqd176XP/+xgsne6sT33fQuQvTqf/5f4ZJc4LkpYKu+1yQFcCui8I9wi7jhVLaS7r3ubVBCVif5OZHzWznh6Ew9F45ojprQ==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
-    <saml:Assertion ID="_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
-        <saml:Issuer>https://evil-corp.com</saml:Issuer>
+    <saml:Assertion ID="pfx747b27b5-9d0a-2427-bc47-f390889a0e9a" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
+        <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx747b27b5-9d0a-2427-bc47-f390889a0e9a"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>8YdFZoZ7kbQ99Fsbt9UsGV5QVek=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>L0notPUpEJ0uqy6MtCpPhcdpyt2ZNmbUP1oyl0w4U0uQCIMEQIaOrmaQ4zcOYm5jmvjCmpoZ6VHH5/GNec+pFzldNbynd0+XAANprGfsy6JbJkBxSDeNSteZ26nXW9eMhfpzvk+gCGb6LgSSlKkhAuDsXrna4jO+k8tbWI+VACN6qZWzUCTwage4/DKKN918y9HLLjojHdvIgOfPr8y7hfKDih42cL5kHOJCsZAiH1s6ZhAG55Y4/p0ybhHF9q+3qusCDZOBxupscylA+/Ql7ZVkEpDIsj6v38orpwMOXEKvdEZO1WWw3bsDbcnLkCRSUX9qFEw792hNZe4Z5IGvPg==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
         <saml:Subject>
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +30,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -62,5 +70,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>JXsH4yqs7dEiVLTSW8KhNTpXVtl+Bi4GYkFZY1Emm1I=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dKQSuL03fOHOvB980uxsRI9Wzx0Bo1yvcOGFQ0nX1f2EJRPYwkO6HFhZsX7L/l8sjXHmjgjAPK3KHcbxcus1ldWLxlZYBA7RdyW2HsQT8neMJMUpVUuJ5YkbgB1OvDPuAXTHmLByS3YpLaeJXwydBKgPGNmEyGrvqJbYZzGbIhMHt8dfI26PkUkJUqxTxXnn/+dAsZ9w3PXiGvjF/7pggnTWUfvSsTyT3IJ6Mpijlgh3S++Ng3dolpt17gjga4klOQM8uVLudKpOWczjfRu4bmT3VqNs2XmQHqdCb9lgT5S9S/nXaFnt13GIHZaNG1crR6ehGsgUIcuaonCivd82Xg==</ds:SignatureValue></ds:Signature></saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>Zi+4eDy2Qjg6fIzcroHQwbKZIBDpFe57zEavijyBuiU=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>d8AO77YtXkSKxCAbrGrjWLzqSox7idhPXOGDkJWK7I1G2YPlqf8chFE14F3rtml1iVY9MVTduPagsILJ1AIKARgqCaSrIxZA9HtQNrVdILPU5m4k/GYOXkn4g0KwH7DILvucZlZhE4dFcM2GI3HyYutlXBpxur5O8dtKhG7bAhEKfWEh3q/R1nGZhikBa03Hi90hIBvh6CaKuVmWJfSA4acjxrI8jYFUOFNMd5aao2wNhnEIhqGUZD/HAwDKsZgL+RBjf44z4BJ43qPxRIBPJlq7lUwyeKa5ptMOSDtEwQZwxyQd4GcX99ke/6Ny8E3Y1itg15rlp6fbynl/EOprNg==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
+    </saml:Assertion>
+</samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml
index 2c15b397..62a6565e 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -39,7 +39,7 @@
                         </saml:AttributeValue>
                     </saml:Attribute>
                 </saml:AttributeStatement>
-            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_cccccccccccccccccccccccccccccccc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>xeXYmnRcab1G94jWD+APScicy5YeY3ycxrh7pxcnAO0=</ds:DigestValue></ds:Reference><ds:Reference URI="#_dddddddddddddddddddddddddddddddd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>2o7uJTdF5ra173h02sRtBIfAVbnSP/qRE3JSfSrXtao=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>BoHad6+OEyqytEHOLe/64cK5hExZRVZxFY+sSWjOSwFLOfiHVFII79Jgd3NNZNrVBZjCF3uVlsrmsXZKC+MieK4n8xHavjTGWZEn2MTPfeamCepbfONPTH8ICHHxvnmtYm2HvmIxXRGy3orRSVpMwdAaf2JVmqmGmLsbYl8HWCsTygu7C+strR9AGER/pm0o66GSI9gvCEP1ZElNsvIv2MosyXOUMqravsKqzwdTeae7m0MeTEpQUmYFSATDzLztRju2Ioz/iDoIeUr/7uVvSCZV8e5EDGw+S0+LhJs3ICnzxOwYLpcFqXZW4ycZOBcnuIA7iJyJvlmD5mtLaXBiJw==</ds:SignatureValue></ds:Signature></saml:Assertion>
+            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_cccccccccccccccccccccccccccccccc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>iu2GOAhBCOzYaMDtEgXXt0wh0WmAjbmU5hndLXnEKmA=</ds:DigestValue></ds:Reference><ds:Reference URI="#_dddddddddddddddddddddddddddddddd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>VR+yKd4j4tZ4y5jyEcGdnoLzRUswZG7jzDgo8KUqUYc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>txCUnBcJjDjdMVzwo9nGwnc6FPYRLud2Gdv7hhOKC3/MFEOJXRzOp/8/oqSX4vZRz2q1wy9iB2KeuPD4qCaQ11HqoKRDo6Wsh0FElUQwn65CGdxU/M5i9b+p9V6IA3ICZPJusNTiongj3P5QSgMct78VITXu6aPXytcl4msLBP8mN0uWm1vQ3MqQx55WUVh3Ak9sLqDuN7AMSLbxhUhj7DLPiM7Fp8m2K3ujxYd6Bu/3VasybzRMPT23l4PtK+6l3mx3fcQCa06J8lSAQu6ftYM88UZSqk1qb1VuXE3fRDhX5RhxgZYu7s2nbtRLa7UeHlPxsTF1/1sLcGo6qICJ9g==</ds:SignatureValue></ds:Signature></saml:Assertion>
             <saml:Assertion ID="_dddddddddddddddddddddddddddddddd" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
                 <saml:Issuer>https://evil-daughter-corp.com</saml:Issuer>
                 <saml:Subject>
@@ -47,7 +47,7 @@
                         vincent.vega@evil-daughter-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -87,5 +87,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>q/gQ4rMIR9zcrM/dbYujVj8RzZddlJRnrtwx/Xwiqik=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>O++/SkaA5duu/bGzxQBjvDjE/ww95fqpz3HFQdtuP5B41ZF3VjvbC9h9HvFuANGqLUJshtoh2u9EFZhfnwdFtiNXfHPSUmSPWcP94d36u4iwCkDUR/3SGW+P9rM64d78YRFlvXV6CNvlHvE54p5EuSbW0I+n1LtdZvnw8NoOgurEkwyEk4H9E6GFxhXjDWasJUORMEmknebFoS30dOFrYBanW94xW81Bx1VFxE7b+xhneNe+0hAi3Y/8smUjxLb0VrorJfzJll7zexGTU19Zhb9N1TWzO3hcjW6OuLsJKMYqA6ozM4reXwP1s1r4qMpuI/6wUcDFLgD5fI03cza0IQ==</ds:SignatureValue></ds:Signature></saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>CvuOTeKUlgVdBer4Zzq1JKrPIXS1m27cm5aAH5EHrus=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>lgPH2GXp+sex1NJZo95w9yViFM3mbaDU+x7KFfm/8vo51pVYFJyShyQW/GFlk+Qymt/56I5RClEZ7NmuKZiL/zbTrGmioh3YuIaf1rlzrkBbrUN75dk/8C8SS08DMgHAB/qYbUQQ+jNFtyMyOLdbRBmpXUpGtJNaOFdxXF38d9i5/LG3AqW6GHn3dbvvhze32BggNT4IHoRqo//ac3V4QMd89Q612ZPHq657wTnkbzJxfKR/OmTX01xFcpNARyOymW+dCuEvAJPuPwa+YbqgPXJFtwNlBxfx/lbQY63/37DRB0kjE0dZBi6IAzJoHaiFTWINxzMzztaqR3d7PQOHtg==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>N9Gq1ZJYURJicBmT3A4Gd/EWE6Vr7LHqC0id8jpYnUI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>S+0tov1bKXu8aE775Wz9I0mcvGQ3epXRKYczqGylWqUgx+jQGE/mDjZJ5Rb5nxirHdfWeAdDGCGJsGxd4Brv54ju42N6hsCiu1shlY/TPgiqsDmEETFt9/THxQ4mwBAZTnNkEy5WNEZyH2lryZwDpQgJdY++Kn/clsp/6HJBXloB0iYfuON961CAi/mnnawaK61gG1d2UtudNdlJlV9XMIpnJz2dhSceWwKbc/9VFXezQIlRs7LM35FhRCeG0SCIVLG+X286dI6blQ697nQUr1MrkF1j4AnNfHyMeomB6RLTHSRd+uvO0PT1rRma6os975WKE0zH+MlLDjNzaDHQww==</ds:SignatureValue></ds:Signature></saml:Assertion>
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>qr6Hn6//rOpj+a3hfmFBymXCxGENT6x2mUfXeLTDTLk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>hnek1KP5F4xLeEeIznvPXu+nVcsycTGn4x9ju8GkDqWb8KEYMD8mVnTJjoU59u5sP8U5naQKLeWr3ULuZkM4QYZ7+JHZOBwLo8ryGfRF3ADL+LtvIJEwQJwWRCikfGLJk4BZYvTHF5h3qqBY4nHKsqebFo1BsE1lWTATQNk8rIlsTC5ZVnV+JnS1XGaqHQ2adCQ3ZEfvsPEJD0ZQJOHIqqTFhYszwpOX6Szjlag3O91HLFTTrNgQzkhNNvMBGhthV7LUvE27I8sXhNXqTf6nD1jIKB8sbWWMDmuemvLfJeEcpivi3PAgE7sbK36OeIavjofrXyxxFyA613pj3NJkbg==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml
index dec79fac..14598502 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.2advice-unsigned.xml
@@ -1,16 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
-    <saml:Issuer>https://evil-corp.com</saml:Issuer>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfxcd732956-a965-f6c3-dfc3-a3af07ab06d9" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
+    <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfxcd732956-a965-f6c3-dfc3-a3af07ab06d9"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>2sgiXxG4hegSQ0XxFgN7V/zhA30=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>lcOm3aFR2SOSb763RLVYwzRUF7SRJ5LZ+NzZrmLmsQfewLzEtYSq5AjtWRcvKV61go4GrfdCkEwBJcB3fKjl/fl4ur0xWADwmnOVMr0nofrM0f1zJCFcJ8CIpE+JR59m54nGYD0uy9mOeGTSIpbO3Tq7GU8beOAQzLwI4JM9vt2lv2BtS+1hg9UumX5F7kY6IGtiqyKvsRGosf3D+IeaLPa6qTtAwiVrsN6h4lPZQipgfUhuA1XL6D1BU9z+w1nbiEG/t0hCm0x0WTMUCU25lvQFtXEcU/CHJuTNPE4Pj22/qOHfdHQLV74FbB9kJZmW341JeWfKy0hGZwHIFzH7kg==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
-    <saml:Assertion ID="_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
-        <saml:Issuer>https://evil-corp.com</saml:Issuer>
+    <saml:Assertion ID="pfx0497fe4a-a765-9d49-4364-5c815cf5a18a" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
+        <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx0497fe4a-a765-9d49-4364-5c815cf5a18a"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>OTGq/WDpS9DSDSLXSjcdXUTL1BE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>i+tfFQx+eTkOitI2ER99cCKqe1bEUzYIad9YFgH0XFgVxZ1FZ5IksGwiBE45yx0bbr0okjjc3hR2UmOXE/+R7ixevcNTARVzJCa3VzShZv0PZwDc292zti2Bb0UPg/sm2PIVGFHGy1K7pleRVjNCr7ETQ10vQBorFJlqnB92FZamjczSQPHEfouoxY/wwEU0G+nYfEeNxWk2o8HxIEmadyDH6zQqgDEkb/OWbJh9kq9wo53WdCx/954S0KiCWX+4QlDOKcKdfi/VVpKqZC3KMkIyD/IyvcTm4Qn6Y0Sq4lD9R7oyHZGOt/HMIELUCSHKUSIIPDD35b5Yxo9phYc6NA==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
         <saml:Subject>
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +30,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -47,7 +55,7 @@
                         vincent.vega@evil-daughter-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -87,5 +95,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>WR/EQp2SVNFw2VuA3YnaOUODb/waG+P9wZAbIyTDidw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>H4OV4BpSMzwuWoB2ODaMVbHmeNJViMJSWtVUTYIFWLoaw9Wlxs6qAaqqAQlFZzoX+OJm3opADYn38P/r2QxM3qp2dsH2qFFkXNIAfDJZ4ZSBKdI3LE4EfJch+PDiLvdzZdZqx1LS2iLtpMWjZzVUQx3Gk4M0Tra44lVhhgjS1I++rAw+Zuh2z8dDATFokozIHI1/P1xF8ltrAJqBr7eKYwOxEm+xU8G8wqa/IBlEjvaN++QOjfsj06zy7Xv41JiSY5TFIjr0K/C53YA75HlNyWvu/XJcDtflz9gni22VaV1up4KGf75A/E8yDpXIxCRScneF7rRcbVU+dt0JxzWd2Q==</ds:SignatureValue></ds:Signature></saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>pSkLBRAvbEy1Uj45aeB9c6/dxphVNBE3zgnQw7oWn30=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>OHW4kkZnM2fXPHi8sihBl9wDcD6UhnKiGdkwq/EksDlzvRRIUCIm8mSAefsD8izaNZFJgNtMSSxjZAu/z4Rnrgba4XmpoJzFtyWf1LKvr0ZxaWpTCH4U9Y532VTa5LtLfSO1MPqNRphaC1s6NZboJYMoowL/0Yvsz6T+sQAV48pec1oB40ACI8mM2Oid3EMHrfQi6lCue2RMIU+F2HTvoGucweC7pibBXBjjT7XFwXP7K/ledEVHp3J/DkcojeLCaV2p0l1GshxiB7ZzoNqhhNT3MaTa7nYy/Y2eA6b9yiGSHj7qCiS0seezsEcqU3oGqjnBklWtg2/G6acH1xrM+A==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
+    </saml:Assertion>
+</samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-signed.xml b/test/static/signatures/valid/response.root-signed.assertion-signed.xml
index 5ea031a4..a83f72a8 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-signed.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-signed.xml
@@ -1,16 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
-    <saml:Issuer>https://evil-corp.com</saml:Issuer>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfxaff18351-e576-25d5-73d6-fedec9114bcd" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
+    <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfxaff18351-e576-25d5-73d6-fedec9114bcd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>3n6ACaGMKu/ySoc9UngPIgSNDG8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Ks2M1uCe6AZHI5DMQE0yfPKBSl365csg7gWU+C4+Q3jjrHaq9nZapt2Q2mhKmtbhTFt0eDxSVyv2O7KIE8ix+Vx7Lyr3UhSNCoE6syJfBtUJ/GRt3bNjJh1vxvSTqT0VKqSwU8t2soieGg1WhjGtkTxw0g5KIxRtHL6Sfuj63f9PhELBTrI+tTdc0U/cHpo4fbwaFNEe/jwF6A8toiFQjoVkpi5/aeA/Ogh5ihoUn6dsOopznUyzUWPlbXZ8cTQjeiFAXRJEFxC2hA78H88x0kjreBopJj5iXScks6q6JPzzgTtoYcSPjzqmeFvGmdEjdQ6+4O3cxNy+slwEchcpow==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
-    <saml:Assertion ID="_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
-        <saml:Issuer>https://evil-corp.com</saml:Issuer>
+    <saml:Assertion ID="pfx8210fef2-44bf-9fd7-ba01-28cea11de2fd" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
+        <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx8210fef2-44bf-9fd7-ba01-28cea11de2fd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>gYZo9uLxmXN6ygl708VNwj0yeFs=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>cztZDqj8exKJjUmFPvFvz9LAo6oOn2BycKktlULEVXAO3I0vIqlW4GKXfq3dQNPF0P+5z2nRTMKYNPOFER33N0OsAZXpd5V9WU1eErJsmZhMYUkpyvS/mBvT4fiVvduRjnQIFk0SrtLmLLOJRZIra70Drn3ng41ueyDurl5r8T5paPGtY15Se3aOyKNeq3oAKC9lkARk6ox1wUMOd8wSXSzs32c2AtsJvKVCFiqgRt5Zir3SJ1Hf0/wTVXcC34HrXYg41dntplZh+02GR4bY0UwHFWDSznquUXfngDNLLLTngVEDkYR0z/4socINwtOVVMRnXPNChPj+0NMXlVX0lw==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
         <saml:Subject>
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -35,35 +43,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-            <ds:SignedInfo>
-                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
-                <ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb">
-                    <ds:Transforms>
-                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
-                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-                    </ds:Transforms>
-                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-                    <ds:DigestValue>yFyp0ukUesUFin+8yRA2Ldw7F4vJtnHIUaCd+iwswtE=</ds:DigestValue>
-                </ds:Reference>
-            </ds:SignedInfo>
-            <ds:SignatureValue>GXh443ZANwMWTpdn5Yx8Drlx3iuxM7UvQG5Qtw7wJ2GuNaaiR8rhsAvcxWPFhivOEhahS3j8JRAxSpkfB7F/hei3IkKCa21q+gSwfnSjTsFWkicKMTFT575Dq1ucBMir3bAPKjSk282j2NDy7dK6SZMrTd7ilxxEK+ihnLJnk2U2ezqUztEdJwo+t10SXRPQqkIawqCAOCLMT1PrvkjF9hJsFnV9RQRJH7vlB5eWttie+VUYXtzPeh8ZFCKP8aXfj/YPUx6C49EU16JK0UUApdi2bzHAOTMKAAl1L+ul/rlpS/oNwYWtbOWA/yZbgBXLG4oJUQR3zFXPyu7gV0K1Fg==</ds:SignatureValue>
-        </ds:Signature>
     </saml:Assertion>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-        <ds:SignedInfo>
-            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
-            <ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
-                <ds:Transforms>
-                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
-                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-                </ds:Transforms>
-                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-                <ds:DigestValue>pUbHXQ1WaHtmlrr02h5L59TD4yPouUCTUMinVxyj5R4=</ds:DigestValue>
-            </ds:Reference>
-        </ds:SignedInfo>
-        <ds:SignatureValue>tm/5eCuuiPlC0jlRNqMv4ReNpn4Ss3CekShExbXcMpP7odyrCYmlks7BwB5VH3GNaSqRlOM6mGHLJw32cfo7nYNDZo2fJutdegUwwhfbCJ9MwoJH1nE/eHnknxIaXQv6fSxA9uVeGBlAG1f7S/3lJ+94zMDcxydElotigOyLp2F4INBXl/fzbDgLAVdeMkyUjy+3Kv2pNY8KNcAnRateKnmtFskBq48bidXLFNYeLpsV1t7vj+tUef9+mRxMsHE5PzrQ2bvm3I/k6nmg/WEy5Hnyz5oGKxKH/3boYALMH94fy0hhALm8LQ0DwJxLrX6F0pxyXr+QuVpAPLDqSh32Jg==</ds:SignatureValue>
-    </ds:Signature>
-</samlp:Response>
+</samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
index 9b62846d..e9586b70 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.1advice-unsigned.xml
@@ -1,6 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
-    <saml:Issuer>https://evil-corp.com</saml:Issuer>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfx25f6b24f-cf8b-dc47-42d3-bb39458753f0" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
+    <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx25f6b24f-cf8b-dc47-42d3-bb39458753f0"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>Sc5af5Na20Qs9j7hoYqWn1EmVyI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>vCzBHSXOZnSFcI6znkX9d8zsY0+NJeQeZlwQvQnmGg+iBjsXZFanAg3DVRsGbYGQSlQ9z4ZQXGIvfb9EfwVaTEBkLQ5e+HhbEhbDYF4K3+nMPCOPyUWZLnGgvVbPdP7DTV2MhqUm7vlMp1hnsYxT4r5UlRIFu9hDE3/odJBXDwrLDxu+bevWwIrcmqTF2J0XFlHZ53wFg+14n9MWcFkvHXgNCZUvev2WIRfSH5XdmqxuYeXDPtqojs1qt7eB5cB8ER+aFwUd1KhkiTaIdWrx48jfR8qhIOezmrNrzYKF6+tCWWF1AfTCKWaeNnilx1oCmTQyjZLPbSlBIJOfXopnbQ==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
@@ -10,7 +14,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +26,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -63,4 +67,4 @@
             </saml:Attribute>
         </saml:AttributeStatement>
     </saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>XyeBN+3a0SMAbjbG/PGEa251VO07sIDCEMWrgtHEiMk=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>IkoMFuWZy02ZRHEG7ssfZyLAYIoXu92RH6Tem74vuvDaxlxaThNkLvDLWtpKyPVCJPaN9jrL5wXvlRqp31KEZ90Tv2SdpprDVF8NgmfLoyjaqidChtH77HN8tLivU+ZpEI1SEjkIwoou+UAr8vhrVYx55id1Do/njJX+kRwOk8QJgLtCKqlwQJGve4+8meogEp/X7ZyFVgqX2L/KeoWu94hobWGx7qyl41lNhVPS1b/jpVfBxqHZku1wAPyGGYlrinU7gtrB8w52rCUF4YRznLGaffYg0u4HZrSZyIfS5UGja4Nyf+iYj1E5cvrK0Y4wo+u3DAnvK4lebhpp9vrr0A==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
+</samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
index e38db68e..15b6c165 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.2advice-unsigned.xml
@@ -1,6 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
-    <saml:Issuer>https://evil-corp.com</saml:Issuer>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfxb97e6542-ca69-4df6-eb85-8ebf7ea5474c" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
+    <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfxb97e6542-ca69-4df6-eb85-8ebf7ea5474c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>NOwM1bDLNaHLwaKMpsLFx2PAMLI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SpcV3nfSxdOSYLZhg5Rk1ynBtOcIZ0KB7RKmHh/VCMldiapFCn9kQxHLnsxzprsfmINcWOG0UAGFpiNlazDp1+a1fhsNsKpi6EB99a0frWxVfPMxixTjASwUk1SxQAQt5h9byTfDdRLsqfX6EcHuMOrrDz08TwpBsBeJ7FMdFKIv9wGWmbO7wLmOUye71Yqm3aGYAQEKw/DYzSY4gqajXDNKtLnNrGUGb9aap48cCzouMEjggmtb+fdNNwF2xfn/PpeWPitzAvX2ajqPdRAh53Cp+amuJWKfNq11a4orggSZ3jjuEBT7ozJ9cyBT6VU/mE8/Jd8CdZZLJ9FULyRAhw==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
@@ -10,7 +14,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +26,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -47,7 +51,7 @@
                         vincent.vega@evil-daughter-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -88,4 +92,4 @@
             </saml:Attribute>
         </saml:AttributeStatement>
     </saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>xevlr+TYovbByBWSrQrq/4scMZ9szTtXkikj/Xq83qM=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>vuxF/CKrp+jEkNRxk18J6Cp8yMLftZ9QnTphPshio4jYb2rUHXRInUaz5TEuiuFHVZ7QE31UBufPmvlZ8rD+PosGgVKnC5egKNzdFWavmZVLiTL95oE4mIsvE9ZpF5p9Wqg6Qxp3l3aR/m77SlgE7mn12EA9cQ2wZLA9le5x7yzJxXO1aLhjMZcwkVLeZXb6o8Ud1JhJyy+u6ANXBjjzAveKBiXLsDeQGYxgxt2HF/FAj2zEhczeQlZmoPh7f5W1m6Y1/GQZIk9nVnQkgBqmfQErWQgNVgWBl2RZ6wSrdaq4SoI0+CEjSBGrR3tYC218LLueNDjE6VK4jacQBRFP6Q==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
+</samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml b/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml
index 155003c4..7c1265cf 100644
--- a/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml
+++ b/test/static/signatures/valid/response.root-signed.assertion-unsigned.xml
@@ -1,6 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
-    <saml:Issuer>https://evil-corp.com</saml:Issuer>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="pfxea164cc1-96ac-af95-85e8-058c9d279cc5" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
+    <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfxea164cc1-96ac-af95-85e8-058c9d279cc5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>5669VeX2/9m5/1BEojrL+YgFlMI=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>aLZVEDEna5792s0Kn1UtS++N7EUs30jtHoTa4DFVRvVnPUr7xw77SmDr+HHSupVTh7BdA3T+gW5+pwbGqGrG6+CEQEYxF8arIHUlrx6N+nvPpIpJrsEOcfpj0xxBLj8d0Yh5zXIq5JEX9lcZ/JVOCLzK0Rn024OpARxo992K/wqKcXOEnFJP6xGsSaAed3qQu/5+lSbLeS9i9bJJv9G0ab8zZMR+9CmPV0PQxDZIw5f0CNjvmsZ0qPHXSL5fbdfhDHNd3VRJkiLyA9YpG5s7izAiqiFwsXR2x2kn4RrZfv6sajZltDVl9+ejpkHn9ZOV+SfAe2p7LyHKxJFMTlwbFQ==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
@@ -10,7 +14,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -36,4 +40,4 @@
             </saml:Attribute>
         </saml:AttributeStatement>
     </saml:Assertion>
-<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>lxh6m3MiCHxj0VA8oqNSEVIm62MUU5iaEJrw5n4BDc0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>tnFggo2qh3vnvOeX6o+vCDy4yKo7Cgvgps9jZHWixHKRgpVHPEMuWbHxRXa3XJTPETAnYQevL0+T206xBn75zpYXDdyUmW04nOpBNnp+7wjJzL+0SqqoSnyDq8wDB1tGMZ4Gj8JJNN3nF4s2Xerps/AfRTl4TNXUmmIrO0OdkKMEooaJybIOqXuGjU8hhK5RixGFye4rfT1+6+0EXi/xdgKQx0eE/qDdfxrd/6ZVvbLd7mZyNTOqOpSQ8eOAh/7Z6U938sVfp3NyAIoEnNwNJ4h6BhHWC0OJh7XN2arl8Mtfd5ha8raMAJTyN9aZOS9Hzx1DTotBQfLuMC3Ugx0aMg==</ds:SignatureValue></ds:Signature></samlp:Response>
\ No newline at end of file
+</samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml
index 50c428b9..f01e9be0 100644
--- a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-signed.xml
@@ -10,7 +10,7 @@
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +22,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -39,7 +39,7 @@
                         </saml:AttributeValue>
                     </saml:Attribute>
                 </saml:AttributeStatement>
-            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_cccccccccccccccccccccccccccccccc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>xeXYmnRcab1G94jWD+APScicy5YeY3ycxrh7pxcnAO0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>IrLED4UYbk4X5JvCH18uVnMcY+4Nh7JnqdiF/WxPx7bxdVqn+yIQkYmdF73m4QjvZF6BiuzRBDkcW0rQNXsW8Y5ZfjWOV5flSOdW9+mu4Md7PFvggLDbU5avixi+lhKP8mtTktYbmTrvEE8xijEmGifqvJNR3RsOT9crU2TjD2gPvpfImS6otKUYoRxf4hJGW/GeLTxRv14YtAOojUaihJjJSUG22edZLbrO5lxUEuCpbHRbb2i/XWwCVHHcRGf9+b2HXzxkZoZAQY/mb/wRM2bfCN2WDEIbX/hK5edXc9HRivnEySPe6cP4KXesOjVd4E7xqHMHjYQWXma1DhKjFA==</ds:SignatureValue></ds:Signature></saml:Assertion>
+            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_cccccccccccccccccccccccccccccccc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>iu2GOAhBCOzYaMDtEgXXt0wh0WmAjbmU5hndLXnEKmA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ihWV+KnaVIQq7ozn1XE23UIqjEZtgKQx3XvWm5OwzKt4c/YdokRUfYiUpVPd1bKEQc3ExNMZ72v8nrM7Ti/RFDV7wz6L3yFxpxIzFYT0EincQ3r9XzEMw5340TiNb//WIsZPX7+EIf8LSoB9qPcinl3E0EwD40yFLyd3ztkJIpUS1LMlakNtMfqMAZFOoyVvrtv//d1zyTGMlQC6OqC/S0HqberzpKOg9NkDaIZ2NKyV1JD3szN+L1AygoGo0BIhkb2PsnglghZjxizxBWH81/2C8jgL6JgPKmmTsfCG6MdTikMX25CmS071el1bP8JjGPGfyubugkdAf2+WQdYIsQ==</ds:SignatureValue></ds:Signature></saml:Assertion>
         </saml:Advice>
         <saml:AuthnStatement AuthnInstant="2020-09-25T16:00:00+00:00" SessionIndex="_9e315bdf7b1b6732be33c377cf6f5c4f">
             <saml:AuthnContext>
@@ -62,5 +62,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AXtGOc1GEc3p9Fg6sarULpiu5P4XIF8r5dYe+ORZa4U=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>pVT0a2wXHoYJMC3rZohEch8/N5q7byeLa9I+YVLUC7E0Q4HAud9VgrYAwUIM6DsyQc3RmcqGVikq63DfUmounFVq3pn+TU8GytU+BDssBhdIvpa+vjaGyTDgZa+98YCU1BDr2hZytbvMBNHwAqi/cB650wEv5lbDNb6F12ttakYg+18Qzru+HrVynzGiuPxVy4RzpQxx7guNAoGwv7l1MEmIrZN104D/EdSIdmS9lZ8AGDSFHcrGVIjs2SQqvbVOXEdr9JN5/ZuEwWlDIi9EU60DvLlZ2treEArx2us141/ukbCg7kc/nWW59rxPRrPu9RGMHLdjhgiTpEPVOUN52Q==</ds:SignatureValue></ds:Signature></saml:Assertion>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>eBO/GSb57Ez1uhBc//DVjLw43neCH1FKna3wdfuh8+M=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>KtcKPcpIDSN3UMygy6JjdKiaX8ZD5wn3v0dsFSREMZpGCLgTuFfhd8mvNERhpaFFigQkVElkbK/L4d6l3ilfPIVEz/jUsfh2Q4n/Na+ife+6Yl/Y3266SWQEErA1KK6qRdDw3eoZymzluTH3hed4yG64YIr8RocRC2VvZSD+jI664BAMbQWnK1GQ8TOc2Thx3gQJGVsSspoqh9kpqEsqcGz1SOYsWDu+eqtIcacaFp24U2fvCH3zCBBjTzSGniagonrideBgD9aydqLuN+LLkJf3AcqDQJRaP+Bh3CdoyHDddI4v11Lke9lkxXLaWBd5WWH+uHTioK6O5pDKyMcKcg==</ds:SignatureValue></ds:Signature></saml:Assertion>
 </samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
index ff2a368b..f942d5da 100644
--- a/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.1advice-unsigned.xml
@@ -1,16 +1,19 @@
-<?xml version="1.0" encoding="UTF-8"?>
 <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
     <saml:Issuer>https://evil-corp.com</saml:Issuer>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
-    <saml:Assertion ID="_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
-        <saml:Issuer>https://evil-corp.com</saml:Issuer>
+    <saml:Assertion ID="pfx9e39a2f7-ed7b-afde-7f23-e2850f5a982c" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
+        <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx9e39a2f7-ed7b-afde-7f23-e2850f5a982c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>wrJZQQyF9t4yTUXC1YrDCN8K8+o=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dCNPiUIaiyavhWHSJ4fCnCG0B3dAZTnJFg82FdAhgn4Bv2gJD+Se+QL0ZTp/2Ojv4LkvLs6Qh3IaraNKqSrVWe7uVbc08G3YmiGWeA9aHZAVTCgZpC+y9WKvWP8RUc9l8XrfX0GtHs2ecqM0MQqp9fZ5W3wj5FVggoaFo9O/ip6Swyp4uQ0QNuLGc3Ptq6QFL6Uvtm4FHqPINPDMPNReZUuNwoWPuzI7CHkUiD9Uv6ubpAai4iACvMx4tOa8fbVJns6xsDYJ4dOgjuzVZ1bYBGWa61kCzGUCxYp4q89SR2EPfczJaruhPrmkarbfkvyeAdGdb2r6GD1M9VefeyuRyQ==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
         <saml:Subject>
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -22,7 +25,7 @@
                         vincent.vega@evil-corp.com
                     </saml:NameID>
                     <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                        <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
                     </saml:SubjectConfirmation>
                 </saml:Subject>
                 <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -62,5 +65,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>JXsH4yqs7dEiVLTSW8KhNTpXVtl+Bi4GYkFZY1Emm1I=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dKQSuL03fOHOvB980uxsRI9Wzx0Bo1yvcOGFQ0nX1f2EJRPYwkO6HFhZsX7L/l8sjXHmjgjAPK3KHcbxcus1ldWLxlZYBA7RdyW2HsQT8neMJMUpVUuJ5YkbgB1OvDPuAXTHmLByS3YpLaeJXwydBKgPGNmEyGrvqJbYZzGbIhMHt8dfI26PkUkJUqxTxXnn/+dAsZ9w3PXiGvjF/7pggnTWUfvSsTyT3IJ6Mpijlgh3S++Ng3dolpt17gjga4klOQM8uVLudKpOWczjfRu4bmT3VqNs2XmQHqdCb9lgT5S9S/nXaFnt13GIHZaNG1crR6ehGsgUIcuaonCivd82Xg==</ds:SignatureValue></ds:Signature></saml:Assertion>
+    </saml:Assertion>
 </samlp:Response>
\ No newline at end of file
diff --git a/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml b/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml
index 5eb53bba..10dc588a 100644
--- a/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml
+++ b/test/static/signatures/valid/response.root-unsigned.assertion-signed.xml
@@ -1,16 +1,19 @@
-<?xml version="1.0" encoding="UTF-8"?>
 <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://evil-corp.madness.com/sso/callback" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="_e8df3fe5f04237d25670" IssueInstant="2015-08-31T08:54:06+00:00" Version="2.0">
     <saml:Issuer>https://evil-corp.com</saml:Issuer>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
     </samlp:Status>
-    <saml:Assertion ID="_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
-        <saml:Issuer>https://evil-corp.com</saml:Issuer>
+    <saml:Assertion ID="pfx59cc269d-c4b9-8780-add2-0d79aebd8047" IssueInstant="2020-09-25T16:00:00+00:00" Version="2.0">
+        <saml:Issuer>https://evil-corp.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#pfx59cc269d-c4b9-8780-add2-0d79aebd8047"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>a5ob8qMYkX+MR1ipeAhS6Nc/xgo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>BUQlRMoZcm/8pmmouQebYcOl7l2TG26z73XyJF0QDE7gGz0nm48sw2dvKNLnp9Q5uxdNvwfzuJdHvstFZJg/bsW1C5r+9rLnIYGR8lJawpehUJLpqapUN2BAYKVPV4JkfKd3ELUgsFphCJh+1oRN0oTOBtC8Fy8wccEUto5y0AjgJjjjzhBDnWAAfj6itBedzO7HrKCodFVv0MXQti6gzxGGhcGYO6X7NKXxFkSPGjRwj1FQ2TwBuMo/hr8StXgRpr5+aWb1w62idOfNGwGjqEJWy7CiHi5UENN+/YxCYvMXqsrl7WcEG2byakFYHmQL3Ou7joSJH48AWObK/1HiVg==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
         <saml:Subject>
             <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">vincent.vega@evil-corp.com
             </saml:NameID>
             <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T16=7:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
+                <saml:SubjectConfirmationData InResponseTo="_e8df3fe5f04237d25670" NotOnOrAfter="2020-09-25T17:00:00+00:00" Recipient="https://evil-corp.madness.com/sso/callback"/>
             </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2020-09-25T16:00:00+00:00" NotOnOrAfter="2020-09-25T17:00:00+00:00"/>
@@ -35,5 +38,5 @@
                 </saml:AttributeValue>
             </saml:Attribute>
         </saml:AttributeStatement>
-    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>UlVrWcRgUXgqQRuYZNEIhLEYv4oC8Kd5/HAl9Cb/jiQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>vWCTy3IYpsGMl+RJQKZvCN/zZvMp/mBs7Y4Y3ihq0lnX2PDsJaHLEUPX+WTlQN8e791PDCkk+uIu+X+Y1sOyFxIjD5dAikZA2d3QWDC5mcHqj/gvzeiirAWA06Maw3jvaZlquBhpixFk+6mcbAP33UvqgA0Zkjb2qYq0GrOno+bED1vUl2Os9EQB30phllxP5WuJlhUz5Y+X1WXT7AS6f0haTvkFwdMRbniDdjvMiEBfbITUQfM3K361L4TKlYB2T/NRpXv+zjGx9xAl93s4DFdbUzI3jvkBYHhIsRFURwWP5UyczT9P4uuJIiaLXLnOYAX4ZgxVtyWltJKRUhRlzg==</ds:SignatureValue></ds:Signature></saml:Assertion>
+    </saml:Assertion>
 </samlp:Response>
\ No newline at end of file