
SAML Attributes not being written to Canvas

Question asked by Nathan Phillips on Dec 17, 2018
Latest reply on Dec 31, 2018 by Kona Jones
Hi, I'm hoping someone may be able to assist me with an authentication issue in Canvas. Using the SAML config, I'm having difficulty passing federated attributes.
Basically, the issue is that some attributes are working and others are not. However, all the attribute values are showing up in the Canvas authentication debugger, so it looks to me like the values are at least getting from the SAML provider to Canvas; I just can't determine why they wouldn't write to the Canvas fields.
Anyone run across this?
-Nathan
Here's the tl;dr:
I’m trying to pull in federated attributes with my SAML authentication (the provider is Google, but I set it up as custom SAML on both ends).
Here they are:
canvas         provider
sis_user_id    Student_ID
given_name     given_name
surname        family_name
email          email
The given_name and email are coming into Canvas perfectly. But, the surname and sis_user_id are not populating.
The weird thing is that, as you can see in the debug below, it looks like the attributes are being accessed just fine. In other words, the values are being accessed--am I right that because the debug is showing the attribute values that means they are getting passed to Canvas just fine?
But the values are not populating in the user account. So, when you look at this user, the name is just "Test" not "Test User" and the sis_id is empty. 
(the sis_user_id in the SAML provider is "5000x", and the surname is "test")
(FYI, I tried toggling the "Provisioning only" to see if that would help—and I tested with fresh accounts and already created accounts, no luck)
Any ideas?
Here's a paste of the debug; the formatting gets wonky, but I formatted what I think is the relevant part below.
Testing state:
Received LoginResponse from IdP
AuthnRequest sent to IdP
Request ID:
_a61831c8-cd87-41db-80f8-bd557712ac01
LoginRequest encoded URL:
https://accounts.google.com/o/saml2/idp?idpid=C02pscg20&SAMLRequest=fVJLj9MwEL7zKyLf83CgNFhNUUmFqLRA1JY97AW59jS15NjB47Dl3%2BOkLcqB9hBFmvleM54F8lZ3bNX7k9nCrx7QR%2BdWG2RjoyS9M8xyVMgMbwGZF2y3%2BvrE8iRjnbPeCqvJhPKYwRHBeWUNiTbrkvzk72nxlooiFrKYx%2B%2BoPMRFdizig5zN5nOac5FREj2Dw8ApSZAIRMQeNgY9Nz6UMlrENI%2FpfE8%2FMJqz2eyFROswhzLcj6yT9x2yNOVC2N54TBprGw2JsG1q0yF0nirZfQyfkmWV5R2KJg9Oq1vayhrsW3A7cL%2BVgB%2Fbp6nqCRMV4rhe%2BN5dZLVtlBmlSVRft%2FRJGalM83hBhwsI2Zf9vo7r77s9WS4GHTaO7ZaD7T3XcZRFOoUvLu%2F7LRht1rXVSvyJPlvXcn8%2FB03oWFEyPo5QBi1XeiWlA8SwFq3ta%2BWAeyhJCAAkvflcTwjkeFBhbR7OPqps23GncHgMOHPhbzNNUZUOx7GF4%2FLh%2FQgmBlwo1%2BH3ap28zvtfqUvvTqx%2F3enxL9%2F8BQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=hufkQdx6GObV3ekkn3F%2FoMQxhgRYEM1WsIBTHw0KE%2Fs27JC6KxeDYAUJb6YLEljIZgB8IX6mYKRUw8YJZcIftRkDbbsB9NLlR6bEB8HiiNSxAleqfnfXLEN%2BYldgFP5RW%2FHVy42YxXjJC8x%2FPvIevXKEgafy3lBA2P7ghS%2BTLsEt8yACu%2FbhKepl0NstLc85EgFgOyuGLxSjBkkkKMVqquV493qjZZF6xeA%2FFEwdLNO6HeqsgmTPI2AZhi%2Fz16aAwLQXN%2BlQlN52QfgbUxTcOQVq1vLOhByGt4XjuntxTDMRtVnYWO7b%2Bk%2Fs9wzpWj%2FuTnG9odtpNzLegsKxzh2Vrg%3D%3D
LoginRequest XML sent to IdP:
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a61831c8-cd87-41db-80f8-bd557712ac01" Version="2.0" IssueInstant="2018-12-17T19:12:55Z" Destination="https://accounts.google.com/o/saml2/idp?idpid=C02pscg20" AssertionConsumerServiceURL="https://achs.instructure.com/login/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>http://achs.instructure.com/saml2</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
AuthnResponse from IdP
IdP InResponseTo:
_a61831c8-cd87-41db-80f8-bd557712ac01
IdP LoginResponse destination:
https://achs.instructure.com/login/saml
Canvas thinks response is valid:
true
User succesfully logged into Canvas:
true
Logged in user id:
5846
IdP LoginResponse encoded:
IdP LoginResponse encrypted:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://achs.instructure.com/login/saml" ID="_ea84d07b9a27d1be41a8005d2d07000f" InResponseTo="_a61831c8-cd87-41db-80f8-bd557712ac01" IssueInstant="2018-12-17T19:13:04.127Z" Version="2.0">   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C02pscg20</saml2:Issuer>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">     <ds:SignedInfo>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>       <ds:Reference URI="#_ea84d07b9a27d1be41a8005d2d07000f">         <ds:Transforms>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>         </ds:Transforms>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>         <ds:DigestValue>28E7E38gA68nAQJKJjupcLEXSHov3ohrbqZ7Qw2Ap3k=</ds:DigestValue>       </ds:Reference>     </ds:SignedInfo>     <ds:SignatureValue>iq91Ub4TTYAYxp+crWEY0Vj7eDpFp2CCWw1uBBpeh5aoYFqNZXZhXvhsysKjuVzOk8IYieV38LxP 9iu1Z/NC+7E8EaB4a/Qt/O2b88OmPCVmpqpB0hYEgf4XRuVUo8DDZKlAnzlTH9wTkL/rMEmUpcoQ hZ0V2UAalwBlejjPspxTvNBN+Lw7r5SIdwQyp9wu5YZ7+qMJnwnxzFj+p7feQHr5Q4EA47rqbkQS sxrFoFzJvzjDU68BLuZZLCfV9xofM8UZPrT5agtcURRbte/A0zX8ySSFs6ByJQlqEsbjNUU6FH8X hmwCr26xv4s7jCQFL7zDNVsJVLdQHhCtOWP5Rg==</ds:SignatureValue>     <ds:KeyInfo>       <ds:X509Data>         <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>         <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAWU50jXMMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTgwODE0 
MTkwMzIxWhcNMjMwODEzMTkwMzIxWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEAoihRmZuE0a+tCP9rg3ir3tsjWr42wfSe77YAEeML5q/E0zJXwIZWXkRlnB9POFFl LiAKLclzh5SJvutT+G5jJ2SkLgutKuwpsRusnG2ya14q3bdOHf+3AvaNmIDNDbtyIeqwNlNLIocm O6dsyQk0rhTQbjK1Far6i5lkQ13AuBBPa48cY/FCUaceNpFq8F1BxAOODh9ACiSzXyJETZ70IQG0 25ouAMaucjakhwPzDgyWWI9U2jcQq5RHYFoZ0W8CvmIpqSzQdNuK3tj4ozHt6OiuopRFid+Iplkk wIkpHVkdBjl+x2jLuwOQIHqmwxeS+E4O3vRfyg1HcCTnlkgyEwIDAQABMA0GCSqGSIb3DQEBCwUA A4IBAQB1WIeXYOCdh5bNpLJlvLU5rw4LMaBbZ+m7gMJL8U7AQDyJ/UoNFBFYKLQwCaHX/MUlGoWF 58o9KnD47tWVJNcrHFFYj3fZeSfB7Vn0AMvnBIdD9Y09/gvOFdHhzNoAhvq8uHBrG2InxWKMnh1U D3KiHEOXHhlAdTyim+sYJZpND39LFMelt4fG4udNImVGj5IGq4MkmOwreeSyF2lcwoQ7Q1nH5ieR 4n9MElG1Ebpd/JHM5i1emOSDtYuhrTlNaxQYO2Otcc3Xmw6OqAVazBgyDTQPfYE3Vf8yyfckhkDB CNkIl53K+NraoX9OzP61k/DXtHB23IYJeoF27bd2VNFD</ds:X509Certificate>       </ds:X509Data>     </ds:KeyInfo>   </ds:Signature>   <saml2p:Status>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>   </saml2p:Status>   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8eecbd5d7067777b2f11b7eb35134612" IssueInstant="2018-12-17T19:13:04.127Z" Version="2.0">     <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C02pscg20</saml2:Issuer>     <saml2:Subject>       <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@achs.edu</saml2:NameID>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">         <saml2:SubjectConfirmationData InResponseTo="_a61831c8-cd87-41db-80f8-bd557712ac01" NotOnOrAfter="2018-12-17T19:18:04.127Z" Recipient="https://achs.instructure.com/login/saml"/>       </saml2:SubjectConfirmation>     </saml2:Subject>     <saml2:Conditions NotBefore="2018-12-17T19:08:04.127Z" NotOnOrAfter="2018-12-17T19:18:04.127Z">       
<saml2:AudienceRestriction>         <saml2:Audience>http://achs.instructure.com/saml2</saml2:Audience>       </saml2:AudienceRestriction>     </saml2:Conditions>     <saml2:AttributeStatement>       <saml2:Attribute Name="sis_user_id">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">5000x</saml2:AttributeValue>       </saml2:Attribute>       <saml2:Attribute Name="given_name">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">test</saml2:AttributeValue>       </saml2:Attribute>       <saml2:Attribute Name="surname">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">user</saml2:AttributeValue>       </saml2:Attribute>       <saml2:Attribute Name="email">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">testuser@achs.edu</saml2:AttributeValue>       </saml2:Attribute>     </saml2:AttributeStatement>     <saml2:AuthnStatement AuthnInstant="2018-12-17T19:13:03.000Z" SessionIndex="_8eecbd5d7067777b2f11b7eb35134612">       <saml2:AuthnContext>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>       </saml2:AuthnContext>     </saml2:AuthnStatement>   </saml2:Assertion> </saml2p:Response>
IdP LoginResponse Decrypted:
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://achs.instructure.com/login/saml" ID="_ea84d07b9a27d1be41a8005d2d07000f" InResponseTo="_a61831c8-cd87-41db-80f8-bd557712ac01" IssueInstant="2018-12-17T19:13:04.127Z" Version="2.0">   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=C02pscg20</saml2:Issuer>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">     <ds:SignedInfo>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>       <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>       <ds:Reference URI="#_ea84d07b9a27d1be41a8005d2d07000f">         <ds:Transforms>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>         </ds:Transforms>         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>         <ds:DigestValue>28E7E38gA68nAQJKJjupcLEXSHov3ohrbqZ7Qw2Ap3k=</ds:DigestValue>       </ds:Reference>     </ds:SignedInfo>     <ds:SignatureValue>iq91Ub4TTYAYxp+crWEY0Vj7eDpFp2CCWw1uBBpeh5aoYFqNZXZhXvhsysKjuVzOk8IYieV38LxP 9iu1Z/NC+7E8EaB4a/Qt/O2b88OmPCVmpqpB0hYEgf4XRuVUo8DDZKlAnzlTH9wTkL/rMEmUpcoQ hZ0V2UAalwBlejjPspxTvNBN+Lw7r5SIdwQyp9wu5YZ7+qMJnwnxzFj+p7feQHr5Q4EA47rqbkQS sxrFoFzJvzjDU68BLuZZLCfV9xofM8UZPrT5agtcURRbte/A0zX8ySSFs6ByJQlqEsbjNUU6FH8X hmwCr26xv4s7jCQFL7zDNVsJVLdQHhCtOWP5Rg==</ds:SignatureValue>     <ds:KeyInfo>       <ds:X509Data>         <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>         <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAWU50jXMMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMTgwODE0 
MTkwMzIxWhcNMjMwODEzMTkwMzIxWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEAoihRmZuE0a+tCP9rg3ir3tsjWr42wfSe77YAEeML5q/E0zJXwIZWXkRlnB9POFFl LiAKLclzh5SJvutT+G5jJ2SkLgutKuwpsRusnG2ya14q3bdOHf+3AvaNmIDNDbtyIeqwNlNLIocm O6dsyQk0rhTQbjK1Far6i5lkQ13AuBBPa48cY/FCUaceNpFq8F1BxAOODh9ACiSzXyJETZ70IQG0 25ouAMaucjakhwPzDgyWWI9U2jcQq5RHYFoZ0W8CvmIpqSzQdNuK3tj4ozHt6OiuopRFid+Iplkk wIkpHVkdBjl+x2jLuwOQIHqmwxeS+E4O3vRfyg1HcCTnlkgyEwIDAQABMA0GCSqGSIb3DQEBCwUA A4IBAQB1WIeXYOCdh5bNpLJlvLU5rw4LMaBbZ+m7gMJL8U7AQDyJ/UoNFBFYKLQwCaHX/MUlGoWF 58o9KnD47tWVJNcrHFFYj3fZeSfB7Vn0AMvnBIdD9Y09/gvOFdHhzNoAhvq8uHBrG2InxWKMnh1U D3KiHEOXHhlAdTyim+sYJZpND39LFMelt4fG4udNImVGj5IGq4MkmOwreeSyF2lcwoQ7Q1nH5ieR 4n9MElG1Ebpd/JHM5i1emOSDtYuhrTlNaxQYO2Otcc3Xmw6OqAVazBgyDTQPfYE3Vf8yyfckhkDB CNkIl53K+NraoX9OzP61k/DXtHB23IYJeoF27bd2VNFD</ds:X509Certificate>       </ds:X509Data>     </ds:KeyInfo>   </ds:Signature>   <saml2p:Status>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>   </saml2p:Status>   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8eecbd5d7067777b2f11b7eb35134612" IssueInstant="2018-12-17T19:13:04.127Z" Version="2.0">     <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C02pscg20</saml2:Issuer>     <saml2:Subject>       <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@achs.edu</saml2:NameID>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">         <saml2:SubjectConfirmationData InResponseTo="_a61831c8-cd87-41db-80f8-bd557712ac01" NotOnOrAfter="2018-12-17T19:18:04.127Z" Recipient="https://achs.instructure.com/login/saml"/>       </saml2:SubjectConfirmation>     </saml2:Subject>     <saml2:Conditions NotBefore="2018-12-17T19:08:04.127Z" NotOnOrAfter="2018-12-17T19:18:04.127Z">       
<saml2:AudienceRestriction>         <saml2:Audience>http://achs.instructure.com/saml2</saml2:Audience>       </saml2:AudienceRestriction>     </saml2:Conditions>     <saml2:AttributeStatement>       <saml2:Attribute Name="sis_user_id">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">5000x</saml2:AttributeValue>       </saml2:Attribute>       <saml2:Attribute Name="given_name">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">test</saml2:AttributeValue>       </saml2:Attribute>       <saml2:Attribute Name="surname">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">user</saml2:AttributeValue>       </saml2:Attribute>       <saml2:Attribute Name="email">         <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">testuser@achs.edu</saml2:AttributeValue>       </saml2:Attribute>     </saml2:AttributeStatement>     <saml2:AuthnStatement AuthnInstant="2018-12-17T19:13:03.000Z" SessionIndex="_8eecbd5d7067777b2f11b7eb35134612">       <saml2:AuthnContext>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>       </saml2:AuthnContext>     </saml2:AuthnStatement>   </saml2:Assertion> </saml2p:Response>
Here's the important bit:
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8eecbd5d7067777b2f11b7eb35134612" IssueInstant="2018-12-17T19:13:04.127Z" Version="2.0">
    <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=C02pscg20</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@achs.edu</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_a61831c8-cd87-41db-80f8-bd557712ac01" NotOnOrAfter="2018-12-17T19:18:04.127Z" Recipient="https://achs.instructure.com/login/saml"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-12-17T19:08:04.127Z" NotOnOrAfter="2018-12-17T19:18:04.127Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>http://achs.instructure.com/saml2</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="sis_user_id">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">5000x</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="given_name">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">test</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="surname">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">user</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="email">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">testuser@achs.edu</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2018-12-17T19:13:03.000Z" SessionIndex="_8eecbd5d7067777b2f11b7eb35134612">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
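An added example, not part of the original post and not Canvas code: a check that lists the attribute names the assertion actually carries and compares them with the mapping table in the post. It assumes the "provider" column holds the attribute Name that is looked up in the assertion; the function names and the trimmed sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the AttributeStatement from the debug output above, cut
# down to attribute names and values (signature, conditions, xsi types dropped).
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="sis_user_id"><saml2:AttributeValue>5000x</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="given_name"><saml2:AttributeValue>test</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="surname"><saml2:AttributeValue>user</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>testuser@achs.edu</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Mapping table from the post: Canvas field -> attribute name on the provider side.
# Assumption: the right-hand name is what gets looked up in the assertion.
CONFIGURED_MAPPING = {
    "sis_user_id": "Student_ID",
    "given_name": "given_name",
    "surname": "family_name",
    "email": "email",
}


def assertion_attributes(xml_text):
    """Return {attribute Name: [values]} for every Attribute in the assertion."""
    # ElementTree is enough for this inline sample; responses from an untrusted
    # source belong in a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def audit_mapping(xml_text, mapping):
    """Compare the configured mapping with the names present in the assertion."""
    sent = assertion_attributes(xml_text)
    # Names are compared exactly, including case.
    resolved = {field: sent[name] for field, name in mapping.items() if name in sent}
    missing = {field: name for field, name in mapping.items() if name not in sent}
    unused = sorted(set(sent) - set(mapping.values()))
    return resolved, missing, unused


if __name__ == "__main__":
    resolved, missing, unused = audit_mapping(SAMPLE_ASSERTION, CONFIGURED_MAPPING)
    print("resolved:", resolved)
    print("mapped name not in assertion:", missing)
    print("sent but not referenced by the mapping:", unused)
```

On the post's data the resolved fields are given_name and email, and the unresolved ones are sis_user_id and surname, which is the same split the post reports.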
