IdentityPython / pysaml2

Python implementation of SAML2
Apache License 2.0

Signature verification failed - invalid document format -- QName-awareness of attribute values and lxml #921

Open tyctor opened 1 year ago

tyctor commented 1 year ago

hi

I am getting an error in AuthnResponse validation:

{'message': 'Signature verification failed. Invalid document format.', 'error': "global xs:simpleType/xs:complexType 'tn:PersonIdentifierType' not found"}

Code Version

pysaml2-7.4.2

Expected Behavior

validation should succeed

Current Behavior

validation fails, so the user cannot log in

Possible Solution

As a temporary solution I have set self.do_not_verify = True in the StatusResponse class

Steps to Reproduce

Try to verify this response:

<samlp:Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_5040626886ed420f9624b53a1a567ca4" InResponseTo="id-3CQSSqiis5eyXHxRG" Version="2.0" IssueInstant="2023-07-26T08:48:51Z" Destination="http://localhost:8000/saml2/acs">
    <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
    <ds:Signature>
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_5040626886ed420f9624b53a1a567ca4">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>TArwpfXayAca3dWsViIVBIoFWPOwcT7edGMh+3d687U=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>SIeUI2Jee90EmRAe3C/fx/U4eFaz6pORnBIOPj+7si/6/O5DrUFMvGoU3z+0J7KzvbWQiMkzhr9MXtTVmZ8q7Eb335i6TQoF8c9e4f7EMBJphPRjm0HQInobtWbvs9sJvy1xDH4/MdBFS1kX91I6IXFo8SrtAKthQ+Qx20lH0396CFZktbz+N6SbPobb3VswA2sF+Tr8MQk679vA0s7oVVYjBUiw4WpsBixM0jWrCMRls4fy/2amVc0841OzXCdrcyugH3z3jVd6lPib+W8abunVK4ZOaTgoiZJ2ka1SDR4zBpRN79CwZ6DaBxEajkGd8JpK3l1VJjd1Px766YlPrA==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIH0jCCBbqgAwIBAgIEAV0YjTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNDcxMTQ5ODMxHTAbBgNVBAoMFMSMZXNrw6EgcG/FoXRhLCBzLnAuMSIwIAYDVQQDExlQb3N0U2lnbnVtIFF1YWxpZmllZCBDQSA0MB4XDTIzMDMyODEyMDMyNFoXDTI0MDQxNjEyMDMyNFoweTELMAkGA1UEBhMCQ1oxFzAVBgNVBGETDk5UUkNaLTcyMDU0NTA2MScwJQYDVQQKDB5TcHLDoXZhIHrDoWtsYWRuw61jaCByZWdpc3Ryxa8xFjAUBgNVBAMMDUdHX0ZQU1RTX1RFU1QxEDAOBgNVBAUTB1MyNzU3MzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB4/CorRF9irYIIkTrOUUj4dEq1zLdjD//D7DNuxPmaRtYsdAHqdJqnsDrp9JFO9H38iR8S4cvlMefANjcyBfDT1jNE97z1cw8RP2lJUdRykaFmXNK+xuf93fcozt0mIXbVmAf0LPt3doJhLCc+JBwvqeEeOJgkAwzP7Qw/poOG6iD+4QMgiEnQ5q1oHnQeLbuB1U0JKoGJRGf6kjgDWIPPE3B9it2rSuGMJ6rlS5DkqIAO/yGO5UrBOULSlYMQxwV/6KuO/aXk+1nDIbTqtykgphbqevC/Rhft8VLuI1EvGgrbARp7Ti2NKguEP3pvCccTF8thwXi2s06G2Dg51ghAgMBAAGjggNwMIIDbDCCASYGA1UdIASCAR0wggEZMIIBCgYJZ4EGAQQBEoFIMIH8MIHTBggrBgEFBQcCAjCBxhqBw1RlbnRvIGt2YWxpZmlrb3ZhbnkgY2VydGlmaWthdCBwcm8gZWxla3Ryb25pY2tvdSBwZWNldCBieWwgdnlkYW4gdiBzb3VsYWR1IHMgbmFyaXplbmltIEVVIGMuIDkxMC8yMDE0LlRoaXMgaXMgYSBxdWFsaWZpZWQgY2VydGlmaWNhdGUgZm9yIGVsZWN0cm9uaWMgc2VhbCBhY2NvcmRpbmcgdG8gUmVndWxhdGlvbiAoRVUpIE5vIDkxMC8yMDE0LjAkBggrBgEFBQcCARYYaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6MAkGBwQAi+xAAQEwgZsGCCsGAQUFBwEDBIGOMIGLMAgGBgQAjkYBATBqBgYEAI5GAQUwYDAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfZW4ucGRmEwJlbjAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfY3MucGRmEwJjczATBgYEAI5GAQYwCQYHBACORgEGAjB9BggrBgEFBQcBAQRxMG8wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQucG9zdHNpZ251bS5jei9jcnQvcHNxdWFsaWZpZWRjYTQuY3J0MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5wb3N0c2lnbnVtLmN6L09DU1AvUUNBNC8wDgYDVR0PAQH/BAQDAgXgMB8GA1UdJQQYMBYGCCsGAQUFBwMEBgorBgEEAYI3CgMMMB8GA1UdIwQYMBaAFA8ofD42ADgQUK49uCGXi/dgXGF4MIGxBgNVHR8EgakwgaYwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS5jei9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMDagNKAyhjBodHRwOi8vY3JsMi5wb3N0c2lnbnVtLmN6L2NybC9wc3F1YWxpZmllZGNhNC5jcmwwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS5ldS9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMB0GA1UdDgQWBBQzXA9iKKnMw1cGd+Z3fefm6sk/
sDANBgkqhkiG9w0BAQsFAAOCAgEAVSRQgSbL5NhaBxokAl/mIy2PcZFfUVOvDzBrqSZrdm+orcEJzpaGUb8E7W8cjL0k2XcrqAGmT9tZA7H6AiS6OtDP0JXwhyfeNvqGVe6p6+BGlKRAyKqUzjYx3bY5VHExef/HL5MD7PDsyy8WfJw05NdZHuSRBpbxkBlrBlJ7pMM58JVu1GGdDCWxPIDPHDohd5uaf3nCZKCOnQGRBr9UWZKsAY9n+990C/0vCW+FtW69TA4eZgW2qGnkQWBq1IGz62/Ii61VlqFvFUFgyLJCpT7z79vNWAls7q3+LNeF0AdwyqOqcPjJY3QS6yprynQbwLx6P2DTRAupEr2CQ4FEbZIIAjGn6bXeIEbLEWXy8IMOFwBWUzkHpXqpANEiRqphVLgUnRxjdAjUGYq+ZXQI6ViqjP9UplXuFQXDJ1+2M3eZGE4yKHebEnRRuA9IXvn65KvqWJoiZk+2vLvVqAelDYpWpspeEyUa88KawbH3RSRj0BByPnijH+kcxZ38hd/s8X6eKwGiw7+5LpaDtLsX7Z9kluVUIikT9042X+dQClxB++d751AZsqaVYAGvySS3yLjF4mR/d6cim40i+mtTtwnOt6Mqp8Z4vOkWwEdjwC1oFPBq7ngNayycszZ9tbylV6A+tlfv8+ZrluoTztrfjL67gDu+boPiw18O0YYlmDE=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0" ID="_7413e3b9-5f7c-4aef-ac94-f3ed7220c631" IssueInstant="2023-07-26T08:48:51.444Z">
        <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
        <ds:Signature>
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_7413e3b9-5f7c-4aef-ac94-f3ed7220c631">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>+xQXVThsk++RgKO3QGpUfV+eLCFRi2z71n7DjV/0bG4=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>dg0Sx5WqPjlOKdKeB7EogjgRTSeuN873ZXYbhdN/BKh2F53LMYvIQthtAG8TqSmUsLxMRifa3GFAqUyXHqiWJjzajrDKu3ZTD82TAqVtbciKwLpVsXoB+jfYqevPlzpxUkyS7I6FEWJrvvxlzAuEZn18/LQxCThBWsSO1YiKrgiLwga7f/0w+ADxPryV+2koPbVUuO8f1kNNa5aFlWd8ElUDPlq7Tt8C51d8Yu5+9OaZmEsGS56HX1bnc9aomeKXtkGus6l4yKGUgltgeNdQF9sIDdQ4WOeeYG9cyThisRueugSzOxuR/t8nz76Y1HipS+/ZEXGXg0YeO5EXBUsN+Q==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>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</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2023-07-26T09:48:51.444Z" Recipient="http://localhost:8000/saml2/acs" InResponseTo="id-3CQSSqiis5eyXHxRG" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2023-07-26T08:48:51.444Z" NotOnOrAfter="2023-07-26T09:48:51.444Z">
            <saml:AudienceRestriction>
                <saml:Audience>app:mysp</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2023-07-26T08:48:51.444Z" SessionIndex="_21ff5691c11045bb8e2330bb9e86d599">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" ns3:OriginalIssuer="urn:microsoft:cgg2010:fpsts">
                <saml:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

It is a Microsoft implementation of an Identity Provider. Does anyone have some hints about this error? Thanks.

tyctor commented 1 year ago

It seems that the problem is how pysaml2 creates the Response class from the XML string.

This is the XML from the IdP, and it validates fine with the same command used in saml2:

from saml2.xml.schema import validate as validate_doc_with_schema
validate_doc_with_schema(xml)
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_22e2bc6256974246a8244d658c2242bd" Version="2.0" IssueInstant="2023-07-26T14:59:19Z" Destination="http://localhost:8000/saml2/acs" InResponseTo="id-dhocshTiDHSNqmfKq">
    <saml:Issuer>urn:microsoft:cgg2010:fpsts</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="#_22e2bc6256974246a8244d658c2242bd">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>bXv9NeLmFN0oo5FyNZyF+ngmICpEKstJ+Wa1CC1O2uI=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>ejVw5J3R9w0/QSBF/IuVbp1LOpBESoskcYMUlneb6qek7SGsBz4j5dutOBKoDxVigssriMeE5SRVkhTRt+EKY5AEBsR0a4cZk6tcvshOnkWHs8yEzqwyyxGKTM2AFno2eVGMN2yRo+E01CIyrKrUMpAH5UdHVgnt6kTlpMu2EWGncMjM5oLR0dEZVcuiXRJcxazEBkgaZlX1mtNkylKzB2r6+iEXG4d7KaDXgwsXqgykrO8eX4F+Ng7Zy+pR186vs3JXo4Q3mYyIeGvTbxdKaoHFzDdSB/uM8URkK8x2awZppTCVoO/54vZDSF4gnsanfLSDQSNxZCgHI7PMTtbyVA==</SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>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</X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_c5729fa0-84f1-44b2-b4e1-87f409a70b33" IssueInstant="2023-07-26T14:59:19.109Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>urn:microsoft:cgg2010:fpsts</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_c5729fa0-84f1-44b2-b4e1-87f409a70b33">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>6l79Ufg7F88fyZlV7sTI3lG+PCqbvgQk7pZfP1HQf6I=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>AU0W9wIU+DrErUF9G/CBFSUB+CSCcAn4fSYv0sIliJoJjIec7bloORqCBpiTYMLGK/qpjRB/uO+wKvMXEXJ0tb4dvRHuFZHyQ0tDleF8VvX7NjlRdeWQazZDi5UAYqeCKptHQSl1bmB4HyhIjLeWYlLMlh4TMlWcLbdGachtJfmAEl88iyCCkt+a5AmhZdM4XbPxmdq0guk4B+Y6imIoZXzSA5w2Wz/7Kbwq4fQhDCv26UYdd4Su49b46khe+wL4a97u6TdoFtiZAmM43euMMrWRZ3bO800EHn0NiveMEsHxtYwyrUkE5cU0Upg3BGHyVKG6VREoiSQfEFd2UK7CMQ==</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>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</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="id-dhocshTiDHSNqmfKq" NotOnOrAfter="2023-07-26T15:59:19.109Z" Recipient="http://localhost:8000/saml2/acs" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2023-07-26T14:59:19.109Z" NotOnOrAfter="2023-07-26T15:59:19.109Z">
            <AudienceRestriction>
                <Audience>app:test.cz</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" a:OriginalIssuer="urn:microsoft:cgg2010:fpsts" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
                <AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2023-07-26T14:59:19.109Z" SessionIndex="_f5fd9f3e7f844cc48f31fafdee0bfe17">
            <SubjectLocality Address="89.16.7.239" />
            <AuthnContext>
                <AuthnContextClassRef>http://eidas.europa.eu/LoA/low</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

tyctor commented 1 year ago

And here is the Response created by saml2.response_from_string(xml), which is later sent for validation:

<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_22e2bc6256974246a8244d658c2242bd" InResponseTo="id-dhocshTiDHSNqmfKq" Version="2.0" IssueInstant="2023-07-26T14:59:19Z" Destination="http://localhost:8000/saml2/acs">
    <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer>
    <ns2:Signature>
        <ns2:SignedInfo>
            <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ns2:Reference URI="#_22e2bc6256974246a8244d658c2242bd">
                <ns2:Transforms>
                    <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ns2:Transforms>
                <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ns2:DigestValue>bXv9NeLmFN0oo5FyNZyF+ngmICpEKstJ+Wa1CC1O2uI=</ns2:DigestValue>
            </ns2:Reference>
        </ns2:SignedInfo>
        <ns2:SignatureValue>ejVw5J3R9w0/QSBF/IuVbp1LOpBESoskcYMUlneb6qek7SGsBz4j5dutOBKoDxVigssriMeE5SRVkhTRt+EKY5AEBsR0a4cZk6tcvshOnkWHs8yEzqwyyxGKTM2AFno2eVGMN2yRo+E01CIyrKrUMpAH5UdHVgnt6kTlpMu2EWGncMjM5oLR0dEZVcuiXRJcxazEBkgaZlX1mtNkylKzB2r6+iEXG4d7KaDXgwsXqgykrO8eX4F+Ng7Zy+pR186vs3JXo4Q3mYyIeGvTbxdKaoHFzDdSB/uM8URkK8x2awZppTCVoO/54vZDSF4gnsanfLSDQSNxZCgHI7PMTtbyVA==</ns2:SignatureValue>
        <ns2:KeyInfo>
            <ns2:X509Data>
                <ns2:X509Certificate>MIIH0jCCBbqgAwIBAgIEAV0YjTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNDcxMTQ5ODMxHTAbBgNVBAoMFMSMZXNrw6EgcG/FoXRhLCBzLnAuMSIwIAYDVQQDExlQb3N0U2lnbnVtIFF1YWxpZmllZCBDQSA0MB4XDTIzMDMyODEyMDMyNFoXDTI0MDQxNjEyMDMyNFoweTELMAkGA1UEBhMCQ1oxFzAVBgNVBGETDk5UUkNaLTcyMDU0NTA2MScwJQYDVQQKDB5TcHLDoXZhIHrDoWtsYWRuw61jaCByZWdpc3Ryxa8xFjAUBgNVBAMMDUdHX0ZQU1RTX1RFU1QxEDAOBgNVBAUTB1MyNzU3MzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB4/CorRF9irYIIkTrOUUj4dEq1zLdjD//D7DNuxPmaRtYsdAHqdJqnsDrp9JFO9H38iR8S4cvlMefANjcyBfDT1jNE97z1cw8RP2lJUdRykaFmXNK+xuf93fcozt0mIXbVmAf0LPt3doJhLCc+JBwvqeEeOJgkAwzP7Qw/poOG6iD+4QMgiEnQ5q1oHnQeLbuB1U0JKoGJRGf6kjgDWIPPE3B9it2rSuGMJ6rlS5DkqIAO/yGO5UrBOULSlYMQxwV/6KuO/aXk+1nDIbTqtykgphbqevC/Rhft8VLuI1EvGgrbARp7Ti2NKguEP3pvCccTF8thwXi2s06G2Dg51ghAgMBAAGjggNwMIIDbDCCASYGA1UdIASCAR0wggEZMIIBCgYJZ4EGAQQBEoFIMIH8MIHTBggrBgEFBQcCAjCBxhqBw1RlbnRvIGt2YWxpZmlrb3ZhbnkgY2VydGlmaWthdCBwcm8gZWxla3Ryb25pY2tvdSBwZWNldCBieWwgdnlkYW4gdiBzb3VsYWR1IHMgbmFyaXplbmltIEVVIGMuIDkxMC8yMDE0LlRoaXMgaXMgYSBxdWFsaWZpZWQgY2VydGlmaWNhdGUgZm9yIGVsZWN0cm9uaWMgc2VhbCBhY2NvcmRpbmcgdG8gUmVndWxhdGlvbiAoRVUpIE5vIDkxMC8yMDE0LjAkBggrBgEFBQcCARYYaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6MAkGBwQAi+xAAQEwgZsGCCsGAQUFBwEDBIGOMIGLMAgGBgQAjkYBATBqBgYEAI5GAQUwYDAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfZW4ucGRmEwJlbjAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfY3MucGRmEwJjczATBgYEAI5GAQYwCQYHBACORgEGAjB9BggrBgEFBQcBAQRxMG8wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQucG9zdHNpZ251bS5jei9jcnQvcHNxdWFsaWZpZWRjYTQuY3J0MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5wb3N0c2lnbnVtLmN6L09DU1AvUUNBNC8wDgYDVR0PAQH/BAQDAgXgMB8GA1UdJQQYMBYGCCsGAQUFBwMEBgorBgEEAYI3CgMMMB8GA1UdIwQYMBaAFA8ofD42ADgQUK49uCGXi/dgXGF4MIGxBgNVHR8EgakwgaYwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS5jei9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMDagNKAyhjBodHRwOi8vY3JsMi5wb3N0c2lnbnVtLmN6L2NybC9wc3F1YWxpZmllZGNhNC5jcmwwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS5ldS9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMB0GA1UdDgQWBBQzXA9iKKnMw1cGd+Z3fefm6sk
/sDANBgkqhkiG9w0BAQsFAAOCAgEAVSRQgSbL5NhaBxokAl/mIy2PcZFfUVOvDzBrqSZrdm+orcEJzpaGUb8E7W8cjL0k2XcrqAGmT9tZA7H6AiS6OtDP0JXwhyfeNvqGVe6p6+BGlKRAyKqUzjYx3bY5VHExef/HL5MD7PDsyy8WfJw05NdZHuSRBpbxkBlrBlJ7pMM58JVu1GGdDCWxPIDPHDohd5uaf3nCZKCOnQGRBr9UWZKsAY9n+990C/0vCW+FtW69TA4eZgW2qGnkQWBq1IGz62/Ii61VlqFvFUFgyLJCpT7z79vNWAls7q3+LNeF0AdwyqOqcPjJY3QS6yprynQbwLx6P2DTRAupEr2CQ4FEbZIIAjGn6bXeIEbLEWXy8IMOFwBWUzkHpXqpANEiRqphVLgUnRxjdAjUGYq+ZXQI6ViqjP9UplXuFQXDJ1+2M3eZGE4yKHebEnRRuA9IXvn65KvqWJoiZk+2vLvVqAelDYpWpspeEyUa88KawbH3RSRj0BByPnijH+kcxZ38hd/s8X6eKwGiw7+5LpaDtLsX7Z9kluVUIikT9042X+dQClxB++d751AZsqaVYAGvySS3yLjF4mR/d6cim40i+mtTtwnOt6Mqp8Z4vOkWwEdjwC1oFPBq7ngNayycszZ9tbylV6A+tlfv8+ZrluoTztrfjL67gDu+boPiw18O0YYlmDE=</ns2:X509Certificate>
            </ns2:X509Data>
        </ns2:KeyInfo>
    </ns2:Signature>
    <ns0:Status>
        <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </ns0:Status>
    <ns1:Assertion Version="2.0" ID="_c5729fa0-84f1-44b2-b4e1-87f409a70b33" IssueInstant="2023-07-26T14:59:19.109Z">
        <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer>
        <ns2:Signature>
            <ns2:SignedInfo>
                <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ns2:Reference URI="#_c5729fa0-84f1-44b2-b4e1-87f409a70b33">
                    <ns2:Transforms>
                        <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ns2:Transforms>
                    <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ns2:DigestValue>6l79Ufg7F88fyZlV7sTI3lG+PCqbvgQk7pZfP1HQf6I=</ns2:DigestValue>
                </ns2:Reference>
            </ns2:SignedInfo>
            <ns2:SignatureValue>AU0W9wIU+DrErUF9G/CBFSUB+CSCcAn4fSYv0sIliJoJjIec7bloORqCBpiTYMLGK/qpjRB/uO+wKvMXEXJ0tb4dvRHuFZHyQ0tDleF8VvX7NjlRdeWQazZDi5UAYqeCKptHQSl1bmB4HyhIjLeWYlLMlh4TMlWcLbdGachtJfmAEl88iyCCkt+a5AmhZdM4XbPxmdq0guk4B+Y6imIoZXzSA5w2Wz/7Kbwq4fQhDCv26UYdd4Su49b46khe+wL4a97u6TdoFtiZAmM43euMMrWRZ3bO800EHn0NiveMEsHxtYwyrUkE5cU0Upg3BGHyVKG6VREoiSQfEFd2UK7CMQ==</ns2:SignatureValue>
            <ns2:KeyInfo>
                <ns2:X509Data>
                    <ns2:X509Certificate>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</ns2:X509Certificate>
                </ns2:X509Data>
            </ns2:KeyInfo>
        </ns2:Signature>
        <ns1:Subject>
            <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:NameID>
            <ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <ns1:SubjectConfirmationData NotOnOrAfter="2023-07-26T15:59:19.109Z" Recipient="http://localhost:8000/saml2/acs" InResponseTo="id-dhocshTiDHSNqmfKq" />
            </ns1:SubjectConfirmation>
        </ns1:Subject>
        <ns1:Conditions NotBefore="2023-07-26T14:59:19.109Z" NotOnOrAfter="2023-07-26T15:59:19.109Z">
            <ns1:AudienceRestriction>
                <ns1:Audience>app:test.cz</ns1:Audience>
            </ns1:AudienceRestriction>
        </ns1:Conditions>
        <ns1:AuthnStatement AuthnInstant="2023-07-26T14:59:19.109Z" SessionIndex="_f5fd9f3e7f844cc48f31fafdee0bfe17">
            <ns1:SubjectLocality Address="89.16.7.239" />
            <ns1:AuthnContext>
                <ns1:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</ns1:AuthnContextClassRef>
            </ns1:AuthnContext>
        </ns1:AuthnStatement>
        <ns1:AttributeStatement>
            <ns1:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" ns3:OriginalIssuer="urn:microsoft:cgg2010:fpsts">
                <ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue>
            </ns1:Attribute>
        </ns1:AttributeStatement>
    </ns1:Assertion>
</ns0:Response>

tyctor commented 1 year ago

from saml2.xml.schema import validate as validate_doc_with_schema
validate_doc_with_schema(xml)

raises XMLSchemaError:

{'doc': '<ns0:Response xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_22e2bc6256974246a8244d658c2242bd" InResponseTo="id-dhocshTiDHSNqmfKq" Version="2.0" IssueInstant="2023-07-26T14:59:19Z" Destination="http://localhost:8000/saml2/acs">\n    <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer><ns2:Signature>\n        <ns2:SignedInfo>\n            <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#_22e2bc6256974246a8244d658c2242bd">\n                <ns2:Transforms>\n                    <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue>bXv9NeLmFN0oo5FyNZyF+ngmICpEKstJ+Wa1CC1O2uI=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>ejVw5J3R9w0/QSBF/IuVbp1LOpBESoskcYMUlneb6qek7SGsBz4j5dutOBKoDxVigssriMeE5SRVkhTRt+EKY5AEBsR0a4cZk6tcvshOnkWHs8yEzqwyyxGKTM2AFno2eVGMN2yRo+E01CIyrKrUMpAH5UdHVgnt6kTlpMu2EWGncMjM5oLR0dEZVcuiXRJcxazEBkgaZlX1mtNkylKzB2r6+iEXG4d7KaDXgwsXqgykrO8eX4F+Ng7Zy+pR186vs3JXo4Q3mYyIeGvTbxdKaoHFzDdSB/uM8URkK8x2awZppTCVoO/54vZDSF4gnsanfLSDQSNxZCgHI7PMTtbyVA==</ns2:SignatureValue><ns2:KeyInfo>\n            <ns2:X509Data>\n                <ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns0:Status>\n        <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></ns0:Status><ns1:Assertion Version="2.0" ID="_c5729fa0-84f1-44b2-b4e1-87f409a70b33" 
IssueInstant="2023-07-26T14:59:19.109Z">\n        <ns1:Issuer>urn:microsoft:cgg2010:fpsts</ns1:Issuer><ns2:Signature>\n            <ns2:SignedInfo>\n                <ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ns2:Reference URI="#_c5729fa0-84f1-44b2-b4e1-87f409a70b33">\n                    <ns2:Transforms>\n                        <ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ns2:DigestValue>6l79Ufg7F88fyZlV7sTI3lG+PCqbvgQk7pZfP1HQf6I=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>AU0W9wIU+DrErUF9G/CBFSUB+CSCcAn4fSYv0sIliJoJjIec7bloORqCBpiTYMLGK/qpjRB/uO+wKvMXEXJ0tb4dvRHuFZHyQ0tDleF8VvX7NjlRdeWQazZDi5UAYqeCKptHQSl1bmB4HyhIjLeWYlLMlh4TMlWcLbdGachtJfmAEl88iyCCkt+a5AmhZdM4XbPxmdq0guk4B+Y6imIoZXzSA5w2Wz/7Kbwq4fQhDCv26UYdd4Su49b46khe+wL4a97u6TdoFtiZAmM43euMMrWRZ3bO800EHn0NiveMEsHxtYwyrUkE5cU0Upg3BGHyVKG6VREoiSQfEFd2UK7CMQ==</ns2:SignatureValue><ns2:KeyInfo>\n                <ns2:X509Data>\n                    <ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature><ns1:Subject>\n            <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:NameID><ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">\n                <ns1:SubjectConfirmationData NotOnOrAfter="2023-07-26T15:59:19.109Z" Recipient="http://localhost:8000/saml2/acs" InResponseTo="id-dhocshTiDHSNqmfKq" /></ns1:SubjectConfirmation></ns1:Subject><ns1:Conditions NotBefore="2023-07-26T14:59:19.109Z" NotOnOrAfter="2023-07-26T15:59:19.109Z">\n            <ns1:AudienceRestriction>\n                
<ns1:Audience>app:humpo.cz</ns1:Audience></ns1:AudienceRestriction></ns1:Conditions><ns1:AuthnStatement AuthnInstant="2023-07-26T14:59:19.109Z" SessionIndex="_f5fd9f3e7f844cc48f31fafdee0bfe17">\n            <ns1:SubjectLocality Address="89.176.87.239" /><ns1:AuthnContext>\n                <ns1:AuthnContextClassRef>http://eidas.europa.eu/LoA/low</ns1:AuthnContextClassRef></ns1:AuthnContext></ns1:AuthnStatement><ns1:AttributeStatement>\n            <ns1:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PersonIdentifier" ns3:OriginalIssuer="urn:microsoft:cgg2010:fpsts">\n                <ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue></ns1:Attribute></ns1:AttributeStatement></ns1:Assertion></ns0:Response>', 'error': '"global xs:simpleType/xs:complexType \'tn:PersonIdentifierType\' not found"'}

tyctor commented 1 year ago

It seems the problem is that this:

<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>

is converted to this:

<ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue>

so xmlns:tn is missing.

c00kiemon5ter commented 1 year ago

Correct. This is due to the namespace prefix being embedded within the string value of the type XML attribute.

We could set up a mechanism to process namespaces with specified prefix names, but what do you do when one instance returns type="tn:PersonIdentifierType" and another type="eidas:PersonIdentifierType"? I am not sure how this can be solved.

lxml preserves the namespace-prefixes by default (iirc) and that might be helpful here, but ties us to lxml and a dependency with C-bindings.

vladimir-mencl-eresearch commented 1 year ago

Ideally, the solution here should be independent of the exact prefix names used.

The parser should be aware that xsi:type values are fully-qualified XML names and should adjust the prefix name used in the type name when serialising with a different assignment of prefix names to namespaces.

I don't know enough about the underlying implementation, but I think it should support the above.

Hmm, wondering whether it would help if the environment doing the processing (parsing + serialising) loaded the schema definitions (XSD files) for the namespaces it's dealing with (so it has the definition of the PersonIdentifierType).

c00kiemon5ter commented 1 year ago

The XSD files are there and loaded; and they include the PersonIdentifierType. This is part of the eIDAS XSD files, here: https://github.com/IdentityPython/pysaml2/blob/14c649a/src/saml2/data/schemas/eidas-schema-attribute-naturalperson.xsd#L5

The parser should be aware that xsi:type values are fully-qualified XML names and should adjust the prefix name used in the type name when serialising with a different assignment of prefix names to namespaces.

The original XML snippet is

<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>

When parsed, it returns:

import xml.etree.ElementTree as et

xmlstr = """<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>"""

el = et.fromstring(xmlstr)
et.tostring(el)
<ns1:AttributeValue xsi:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</ns1:AttributeValue>

You can see that

c00kiemon5ter commented 1 year ago

Doing the same with lxml preserves the prefixes:

import lxml.etree as let

xmlstr = """<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>"""

el = let.fromstring(xmlstr)
let.tostring(el)
<AttributeValue xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance" b:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>

vladimir-mencl-eresearch commented 1 year ago

So it looks like an issue with the xml library implementation - not being aware that xsi:type values are QNames.

I get the same result when I just shorten this to the canonicalize call:

import xml.etree.ElementTree as et
et.canonicalize(b'<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>')

'<AttributeValue xmlns:b="http://www.w3.org/2001/XMLSchema-instance" b:type="tn:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>'

However, I do get the correct result when I explicitly list xsi:type as a "QName aware" attribute:

et.canonicalize(b'<AttributeValue b:type="tn:PersonIdentifierType" xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>', rewrite_prefixes=True, qname_aware_attrs=[et.QName('{http://www.w3.org/2001/XMLSchema-instance}type')])

'<n0:AttributeValue xmlns:n0="" xmlns:n1="http://eidas.europa.eu/attributes/naturalperson" xmlns:n2="http://www.w3.org/2001/XMLSchema-instance" n2:type="n1:PersonIdentifierType">CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</n0:AttributeValue>'

I still could not find how to configure a parser the same way, and I'd expect xsi:type so core to XML that it should not be necessary to declare it as "QName aware" - but maybe that's what needs to be done?
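The following is an added example, not code from pysaml2 or from any of the commenters. It puts the two observations above into one runnable script using only the standard library: the ElementTree round trip that c00kiemon5ter showed (which drops xmlns:tn because the prefix is referenced only inside the xsi:type value), and the qname_aware_attrs canonicalisation that vladimir-mencl-eresearch found, used here as a check that fails closed when a declaration has been lost. It also resolves the xsi:type value to its namespace URI so that tn:PersonIdentifierType and eidas:PersonIdentifierType compare equal, which addresses the prefix-name concern raised earlier in the thread. All function names are mine; SAMPLE is constructed from the AttributeValue element in the issue and SAMPLE_OTHER_PREFIX is a constructed variant of it. Detecting the loss this way is the defender's alternative to the do_not_verify workaround from the first comment: the SP keeps verifying and rejects a document it cannot resolve.

```python
import io
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = f"{{{XSI_NS}}}type"          # expanded name ElementTree uses for xsi:type
EIDAS_NP = "http://eidas.europa.eu/attributes/naturalperson"

# ElementTree already maps this URI to "xsi"; made explicit so the output below
# matches the xsi:type="..." form pysaml2 produced in the issue.
ET.register_namespace("xsi", XSI_NS)

# Constructed sample: the AttributeValue from the issue.  The 'tn' prefix is
# referenced only inside the xsi:type *value*, never in an element or
# attribute *name*, which is exactly the case ElementTree mishandles.
SAMPLE = (
    b'<AttributeValue b:type="tn:PersonIdentifierType" '
    b'xmlns:tn="http://eidas.europa.eu/attributes/naturalperson" '
    b'xmlns:b="http://www.w3.org/2001/XMLSchema-instance">'
    b'CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>'
)
# Constructed variant with a different prefix name; a prefix-agnostic resolver
# must treat its xsi:type as identical to SAMPLE's.
SAMPLE_OTHER_PREFIX = (
    b'<AttributeValue b:type="eidas:PersonIdentifierType" '
    b'xmlns:eidas="http://eidas.europa.eu/attributes/naturalperson" '
    b'xmlns:b="http://www.w3.org/2001/XMLSchema-instance">'
    b'CZ/CZ/f93fab3a-b132-4c21-ba05-f00a9988441e</AttributeValue>'
)


def prefix_map(xml_bytes):
    """Return {prefix: namespace URI} for every declaration in the document.

    ElementTree discards prefix text after parsing (names are kept expanded as
    '{uri}local'), so the only way to recover it is the start-ns events.
    Scoped redeclarations of one prefix are collapsed here; a full Response
    would need a stack per element depth.
    """
    nsmap = {}
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",)):
        nsmap[prefix] = uri
    return nsmap


def resolve_xsi_type(xml_bytes):
    """Resolve the root element's xsi:type to (namespace URI, local name).

    Comparing the URI rather than the prefix string is what makes
    'tn:PersonIdentifierType' and 'eidas:PersonIdentifierType' equal.
    Raises ValueError when the prefix is not declared, i.e. when the
    declaration was lost in a re-serialisation.
    """
    root = ET.fromstring(xml_bytes)
    value = root.get(XSI_TYPE)
    if value is None:
        return None
    prefix, _, local = value.rpartition(":")
    nsmap = prefix_map(xml_bytes)
    if prefix and prefix not in nsmap:
        raise ValueError(f"xsi:type prefix {prefix!r} is not declared in scope")
    return nsmap.get(prefix, ""), local


def naive_roundtrip(xml_bytes):
    """Parse and re-serialise with plain ElementTree (what pysaml2 does today).

    The serialiser declares only namespaces used by element and attribute
    names, so xmlns:tn is dropped: it is used only inside a value.
    """
    return ET.tostring(ET.fromstring(xml_bytes))


def roundtrip_preserving_qname_attrs(xml_bytes, qname_attrs=(XSI_TYPE,)):
    """Re-serialise while keeping declarations that QName-valued attributes need.

    For each QName-aware attribute, the prefix in its value is looked up in the
    original document and re-declared literally (xmlns:<prefix>) on the element
    carrying the attribute.  ElementTree writes a literal 'xmlns:tn' attribute
    verbatim, so the prefix survives and the value stays resolvable.
    """
    nsmap = prefix_map(xml_bytes)
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        for attr in qname_attrs:
            value = el.get(attr)
            if value is None:
                continue
            prefix, _, _local = value.rpartition(":")
            if prefix and prefix in nsmap:
                el.set(f"xmlns:{prefix}", nsmap[prefix])
    return ET.tostring(root)


def qname_aware_c14n(xml_bytes):
    """Canonicalise (C14N 2.0) treating xsi:type as a QName-valued attribute.

    With qname_aware_attrs the writer resolves the prefix inside the value and
    raises ValueError if it is not declared in scope, so the call doubles as a
    detector for a lost xmlns declaration.
    """
    return ET.canonicalize(xml_bytes, qname_aware_attrs=[XSI_TYPE])


def xsi_type_is_resolvable(xml_bytes):
    """True when every xsi:type prefix in the document is declared in scope."""
    try:
        qname_aware_c14n(xml_bytes)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("naive:   ", naive_roundtrip(SAMPLE).decode())
    print("repaired:", roundtrip_preserving_qname_attrs(SAMPLE).decode())
    print("resolved:", resolve_xsi_type(SAMPLE), resolve_xsi_type(SAMPLE_OTHER_PREFIX))
    print("naive resolvable?   ", xsi_type_is_resolvable(naive_roundtrip(SAMPLE)))
    print("repaired resolvable?", xsi_type_is_resolvable(roundtrip_preserving_qname_attrs(SAMPLE)))
```

Run as a script it prints the two serialisations side by side: the naive one has only xmlns:xsi and fails the resolvability check, the repaired one carries xmlns:tn again and passes. The repair is deliberately narrow (it re-declares only prefixes named in listed attributes, on the element that carries them) so it cannot widen the in-scope namespaces beyond what the original document declared.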

melanger commented 1 year ago

@c00kiemon5ter Hi, is there any progress on this? It is blocking us from using SATOSA for eIDAS.

c00kiemon5ter commented 1 year ago

@melanger I do not see a way to configure the builtin XML parser.

The only solution would be to switch to lxml which is not trivial.

c00kiemon5ter commented 1 year ago

I did some work to hack the code and use lxml with pysaml2. Have a look at #940

This of course needs a lot more work; not all tests pass, the code needs to be reorganized, etc. But it is a sketch on how things would look like if we go that direction.

melanger commented 1 year ago

@c00kiemon5ter, I understand. It's a bit unfortunate, but we will pick up the PR and try to finish it.

c00kiemon5ter commented 1 year ago

Give it a try first, to ensure it can work for you. I had a minimal test case there just to get things started.

Ideally this can become a configurable choice.