Describe the issue
Trying to use SAML with Keycloak as the IdP. The Keycloak side authenticates the user successfully and the SAMLResponse it posts back to the ACS is well-formed and signed (see the decoded response at the bottom), but caddy rejects it with `failed to ParseXMLResponse: Authentication failed` and the user is redirected back to the portal.
Configuration
Paste full Caddyfile below:
{
	debug
	servers {
		# NOTE(review): 0.0.0.0/0 declares every peer a trusted proxy, so any
		# client can set X-Forwarded-For (and other forwarded headers) and the
		# client_ip / src_ip that ends up in the authorizer logs can be spoofed.
		# Restrict this to the CIDR of the real ingress/proxy before going further.
		trusted_proxies static 0.0.0.0/0
	}
	order authenticate before respond
	order authorize before basicauth
	security {
		saml identity provider keycloaksaml {
			realm keycloaksaml
			driver generic
			# IdP metadata plus the IdP signing certificate used to verify the
			# signature on the SAMLResponse.
			idp_metadata_location /etc/caddy/descriptor.xml
			idp_sign_cert_location /etc/caddy/cert.pem
			idp_login_url https://xxxh/auth/realms/xxx/protocol/saml/clients/caddy
			application_name "Caddy Auth Test"
			application_id "caddy-saml"
			# NOTE(review): this is the Keycloak realm (IdP issuer) URL, while the
			# <Audience> in the assertion is "caddy-saml". If entity_id is the SP
			# entity ID that audience validation is checked against, the two do not
			# match — confirm which value the generic driver expects here.
			entity_id "https://xxx/auth/realms/xxx"
			# Plain-HTTP ACS: the bearer assertion is POSTed in clear text inside
			# the cluster. Acceptable for a test setup only.
			acs_url http://web.test.svc.cluster.local/auth/saml/keycloaksaml
		}
		authentication portal authz_proxy_portal {
			# Key used to sign the session token; the authorization policy below
			# verifies with the same CRYPTO_KEY.
			crypto key sign-verify {env.CRYPTO_KEY}
			# enable identity provider keycloak
			enable identity provider keycloaksaml
			cookie lifetime 3600
			cookie samesite lax
			# NOTE(review): allows the session cookie over plain HTTP (the site is
			# served on :80). Drop this once the site is behind TLS.
			cookie insecure on
			transform user {
				match realm keycloaksaml
				action add role authp/user
			}
		}
		authorization policy default_authz_policy {
			#disable auth redirect query
			set auth url /auth/saml/keycloaksaml
			crypto key verify {env.CRYPTO_KEY}
			# Every user from the keycloaksaml realm receives authp/user via the
			# transform above, so this effectively admits anyone who completes
			# the SAML login; the Role attributes from Keycloak are not consulted.
			allow roles authp/user
		}
	}
}
:80 {
	# NOTE(review): plain-HTTP listener — the ACS POST, the AUTHP_REDIRECT_URL
	# cookie and the session cookie all travel unencrypted. Fine for a
	# cluster-local test, not for anything reachable by real users.
	root /opt/www
	log {
		output stdout
		format transform "{common_log}"
	}
	# Portal endpoints, including the SAML ACS at /auth/saml/keycloaksaml.
	route /auth/* {
		authenticate with authz_proxy_portal
	}
	# Everything else requires a valid session token; without one the
	# authorizer answers with a redirect to the auth URL (see the 302 in the log).
	route {
		authorize with default_authz_policy
		templates
		try_files {path}.html
		file_server
	}
}
Version Information
Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:
http.authentication.hashes.bcrypt v2.10.2
http.authentication.providers.http_basic v2.10.2
http.handlers.authentication v2.10.2
tls.client_auth.verifier.leaf v2.10.2
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31
Expected behavior
Authentication succeeds
Additional context
Log
{"level":"debug","ts":1757062091.427172,"logger":"security","msg":"token validation error","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"5bc20653-9491-48ec-a0f2-d02c54ceceed","error":"no token found"}
{"level":"debug","ts":1757062091.4272056,"logger":"security","msg":"redirecting unauthorized user","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"5bc20653-9491-48ec-a0f2-d02c54ceceed","method":"location"}
{"level":"error","ts":1757062091.4272242,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"authorizer","error":"user authorization failed: src_ip=10.2.1.149, src_conn_ip=10.2.1.149, reason: no token found"}
10.2.1.149 - - [05/Sep/2025:08:48:11 +0000] "GET / HTTP/1.1" 302 5
{"level":"debug","ts":1757062091.42728,"logger":"http.log.error.log0","msg":"not authenticated","request":{"remote_ip":"10.2.1.149","remote_port":"57314","client_ip":"10.2.1.149","proto":"HTTP/1.1","method":"GET","host":"web.test.svc.cluster.local","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7"],"Upgrade-Insecure-Requests":["1"],"Referer":["http://web.test.svc.cluster.local/auth/saml/keycloaksaml"],"Cookie":["REDACTED"],"Connection":["keep-alive"]}},"duration":0.000104178,"status":401,"err_id":"ie98j5m1k","err_trace":"caddyauth.Authentication.ServeHTTP (caddyauth.go:99)"}
{"level":"debug","ts":1757062091.4740946,"logger":"security","msg":"redirect recorded","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"7b8932e4-96aa-42ed-babd-bfd4257d620a","redirect_url":"AUTHP_REDIRECT_URL=http://web.test.svc.cluster.local/; Domain=test.svc.cluster.local; Path=/; Max-Age=3600; SameSite=Lax;"}
{"level":"debug","ts":1757062091.4742203,"logger":"security","msg":"External login requested","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"7b8932e4-96aa-42ed-babd-bfd4257d620a","base_url":"http://web.test.svc.cluster.local","base_path":"/auth/","auth_method":"saml","auth_realm":"keycloaksaml","request_path":"/auth/saml/keycloaksaml"}
{"level":"debug","ts":1757062091.4742584,"logger":"security","msg":"Redirect to authorization server","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"7b8932e4-96aa-42ed-babd-bfd4257d620a","url":"https://xxx/auth/realms/xxx/protocol/saml/clients/caddy"}
10.2.1.149 - - [05/Sep/2025:08:48:11 +0000] "GET /auth/saml/keycloaksaml?redirect_url=http%3A%2F%2Fweb.test.svc.cluster.local%2F HTTP/1.1" 302 89
{"level":"debug","ts":1757062092.7866983,"logger":"security","msg":"External login requested","session_id":"qT8t9Y0RavQgc96sxTtYk6iOBmL3FBKcR43WF8BgJqBfo","request_id":"c9ccb6d3-9824-42c4-9fa8-a5419f9e1be8","base_url":"http://web.test.svc.cluster.local","base_path":"/auth/","auth_method":"saml","auth_realm":"keycloaksaml","request_path":"/auth/saml/keycloaksaml"}
SAML Response (decoded). Note that it was issued at 08:39:51Z, roughly eight minutes before the log excerpt above (08:48:11Z), so it may come from an earlier attempt; its Conditions window is only 60 s (NotBefore 08:39:49Z, NotOnOrAfter 08:40:49Z), so any clock skew between Keycloak and the Caddy pod larger than that will fail validation; and its <Audience> is `caddy-saml`, whereas the Caddyfile's `entity_id` is the IdP realm URL.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="http://web.test.svc.cluster.local/auth/saml/keycloaksaml"
ID="ID_ffb29efb-fdff-43b1-80f5-cdce55b083bc" IssueInstant="2025-09-05T08:39:51.778Z"
Version="2.0">
<saml:Issuer>https://xxx/auth/realms/xxx</saml:Issuer>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<dsig:Reference URI="#ID_ffb29efb-fdff-43b1-80f5-cdce55b083bc">
<dsig:Transforms>
<dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<dsig:DigestValue>FBERr5WJuU0ghTCA+1odXZRCpIrr4fMw2RJkQCl91jI=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
ZLTFHA/EuIFlEzTDzaD4SZiF+zmHFNJVKkmEftAWbo0JTXzlibVLXOr4naN8XL2LGKAUY5N0JiMgqo9feskhE9TfKY7kLDWQiK1KHzEQO/T7fC//yV54i0S4G3XlThZGqibJGB96Kh24iKfOgX9GTgsY9BT5mehGIm5Sfp7XLfUwmYeLREZrK8qIgkJUK/LZHxo1iE8QAOUtsy3Wvk9ZuAUhLfBd1d4WPMBbrC8u6cDW3mzOzgv5hIJnxuUlSAlsP7uAzcsmRN+4As/Egrd78EBRMuoHfxoBykp/vTQRmlCx7c3pM0UuOUi6hZCx0ovtVk3z7d8/tllcOlIp0N26Gw==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:KeyName>L2GoMcKbzJpUwY_XsJzA1SuH06bBDuWXOxfIWrfA900</dsig:KeyName>
<dsig:X509Data>
<dsig:X509Certificate>
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</dsig:X509Certificate>
</dsig:X509Data>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>
jOq57RGRNq0XteYKkqQ2oM1SYOp06ggBXWmlMiaveP5ySYnGSRoR6T++OZMvCOFVvlbRliHKAPvN2rem47+EPEpsgu6mlYYc4rX3yoTUgd8G+kH46V1psWfuPGHgADsXWK+8xSPQary/QMRpwIrPJk+7F5BPyo7b5oivchMdKxv3gIKidFlGSE/84D9pOvpvwCK0ABjy9SVXBvELOwza7QoOOXp5pPcEQVQyVESKvgdPXHdpb7WCuAH5M6q+g7WI1kKqg4FV2XOelaSC2muuR9KucY7+HKKlrb1l/ghqtZoHmA/yvAJ9jNpCFBK2G79dfurDQ3OrXhl9mGSp2cRIrQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
</dsig:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ID_4a7c5506-ecd0-4b61-b2e8-035de07bdfad" IssueInstant="2025-09-05T08:39:51.777Z"
Version="2.0">
<saml:Issuer>https://xxx/auth/realms/xxx</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2025-09-05T08:44:49.777Z"
Recipient="http://web.test.svc.cluster.local/auth/saml/keycloaksaml" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2025-09-05T08:39:49.777Z"
NotOnOrAfter="2025-09-05T08:40:49.777Z">
<saml:AudienceRestriction>
<saml:Audience>caddy-saml</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2025-09-05T08:39:51.778Z"
SessionIndex="d48c066f-0ea1-419b-99d0-715127946c8c::b5b6a3d6-7b77-440a-ba7d-4297a94c59f6"
SessionNotOnOrAfter="2025-09-05T18:39:51.778Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VAPP
User</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VAPP
PowerUser</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
superuser</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">power
user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manage-account</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
impersonation</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
Administrator</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
view-profile</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
uma_authorization</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
query-groups</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
viewer</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manage-account-links</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
query-users</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
support</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
view-users</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
viewer</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">VAPP
Admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
manager</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
offline_access</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
view-realm</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>