capture invalid SSOe SAML Response payload

[ericbuckley]

Debugging invalid SAML Responses from eauth.va.gov has been difficult because it's not always logged on their side. When a validation issue is raises on line 57, we should persist the value to the PersonalInformationLog table, so we can debug.

Note: that table is set up to store PII, so no need to obfuscate any data in the response before saving.

[ericbuckley]

@jholton / @benniemosher just an FYI on the process if you ever need to lookup a SAML Response payload

I ran a test on staging to verify that the invalid payload would be captured. It worked, but the process to view it was cumbersome.

• I attempted a login on staging with a user to have known account issues (vets.gov.user+0, has multiple MHV ids)
• I then used sentry to find the associated error and found the matching request uuid http://sentry.vfs.va.gov/vets-gov/platform-api-staging/issues/120001/events/7447416/
• Next I logged into a staging vets-api ec2 instance and started up the rails console in docker
• I then used this query to get the payload
  • PersonalInformationLog.where('data @> ?', {request_id: "X"}.to_json)
• locally I downloaded a script to decrypt the SAML payload
• and also using credstash, the SSOe SAML encryption key for staging
• finally using the script, key and encrypted payload I could see what was sent from eauth