Update test cases with schema validation tests

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

tests/eidas_response.xml

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://eidas-connector.at/post" ID="_5a15625de8618920748123042db52367" InResponseTo="_171ccc6b39b1e8f6e762c2e4ee4ded3a" IssueInstant="2015-04-30T19:27:20.159Z" Version="2.0">
+  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://eidas-service.eu</saml2:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"/>
+      <ds:Reference URI="#_5a15625de8618920748123042db52367">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>t5V4hqAh4Nxjd49H/rC+N9tN/dNHBNuCOco1v1GYfFc=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fQ==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>fQ==</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <saml2p:Status>
+    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </saml2p:Status>
+  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:eidas="http://eidas.europa.eu/attributes/naturalperson" ID="_47482789069732322d02d825c9a2fafa" IssueInstant="2015-04-30T19:27:20.159Z" Version="2.0">
+    <saml2:Issuer Format="urn:oasis:names:tc:saml2:2.0:nameid-format:entity">https://eidas-service.eu</saml2:Issuer>
+    <saml2:Subject>
+      <saml2:NameID Format="urn:oasis:names:tc:saml2:2.0:nameid-format:persistent">ES/AT/02635542Y</saml2:NameID>
+      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:saml2:2.0:cm:bearer">
+        <saml2:SubjectConfirmationData InResponseTo="_171ccc6b39b1e8f6e762c2e4ee4ded3a" NotOnOrAfter="2015-04-30T19:32:20.157Z" Recipient="https://eidas-connector.eu/post"/>
+      </saml2:SubjectConfirmation>
+    </saml2:Subject>
+    <saml2:Conditions NotBefore="2015-04-30T19:27:20.159Z" NotOnOrAfter="2015-04-30T19:32:20.157Z">
+      <saml2:AudienceRestriction>
+        <saml2:Audience>https://eidas-connector.eu/post</saml2:Audience>
+      </saml2:AudienceRestriction>
+    </saml2:Conditions>
+    <saml2:AuthnStatement AuthnInstant="2015-04-30T19:27:20.159Z" SessionIndex="_5eeb319253e2d7d125e3dcc72806209a">
+      <saml2:AuthnContext>
+        <saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/high</saml2:AuthnContextClassRef>
+      </saml2:AuthnContext>
+    </saml2:AuthnStatement>
+    <saml2:AttributeStatement>
+      <saml2:Attribute FriendlyName="PersonIdentifier" Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier" NameFormat="urn:oasis:names:tc:saml2:2.0:attrname-format:uri">
+        <saml2:AttributeValue xsi:type="eidas:PersonIdentifierType">ES/AT/02635542Y</saml2:AttributeValue>
+      </saml2:Attribute>
+      <saml2:Attribute FriendlyName="FamilyName" Name="http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+        <saml2:AttributeValue xsi:type="eidas:CurrentFamilyNameType">Onasis</saml2:AttributeValue>
+        <saml2:AttributeValue eidas:LatinScript="false" xsi:type="eidas:CurrentFamilyNameType">Ωνάσης</saml2:AttributeValue>
+      </saml2:Attribute>
+      <saml2:Attribute FriendlyName="FirstName" Name="http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName" NameFormat="urn:oasis:names:tc:saml2:2.0:attrname-format:uri">
+        <saml2:AttributeValue xsi:type="eidas:CurrentGivenNameType">Sarah</saml2:AttributeValue>
+      </saml2:Attribute>
+      <saml2:Attribute FriendlyName="DateOfBirth" Name="http://eidas.europa.eu/attributes/naturalperson/DateOfBirth" NameFormat="urn:oasis:names:tc:saml2:2.0:attrname-format:uri">
+        <saml2:AttributeValue xsi:type="eidas:DateOfBirthType">1970-05-28</saml2:AttributeValue>
+      </saml2:Attribute>
+    </saml2:AttributeStatement>
+  </saml2:Assertion>
+</saml2p:Response>

tests/encrypted_attribute_statement.xml

@@ -3,7 +3,7 @@
                         xmlns:ns1="http://www.w3.org/2001/04/xmlenc#"
                         xmlns:ns2="http://www.w3.org/2000/09/xmldsig#">
     <ns0:EncryptedAttribute >
-        <ns1:EncryptedData ID="_dcf9eb6ed26d9332d940130e0cae1ba1"
+        <ns1:EncryptedData Id="_dcf9eb6ed26d9332d940130e0cae1ba1"
                            Type="http://www.w3.org/2001/04/xmlenc#Element">
             <ns1:EncryptionMethod
                     Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
@@ -24,7 +24,7 @@
                 </ns1:CipherValue>
             </ns1:CipherData>
         </ns1:EncryptedData>
-        <ns1:EncryptedKey ID="_1234">
+        <ns1:EncryptedKey Id="_1234">
             <ns1:EncryptionMethod
                     Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
             <ns2:KeyInfo>

tests/idp_example.xml

@@ -3,8 +3,7 @@
                       xmlns:ns1="http://www.w3.org/2000/09/xmldsig#"
                       entityID="http://localhost:8088/idp.xml"
                       validUntil="2036-04-12T06:06:13Z">
-    <ns0:IDPSSODescriptor WantAuthnRequestsOnlyWithValidCert="false"
-                          WantAuthnRequestsSigned="false"
+    <ns0:IDPSSODescriptor WantAuthnRequestsSigned="false"
                           protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <ns0:KeyDescriptor use="encryption">
             <ns1:KeyInfo>

tests/invalid_metadata_file.xml

@@ -1 +1 @@
-this content is invalid
+<root>this content is invalid for a metadata file</root>

tests/metadata.xml

@@ -1,9 +1,9 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<ns0:EntitiesDescriptor name="urn:mace:example.com:saml:test"
+<ns0:EntitiesDescriptor Name="urn:mace:example.com:saml:test"
                         validUntil="2036-12-04T17:31:07Z"
                         xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata">
   <ns0:EntityDescriptor entityID="urn:mace:example.com:saml:roland:sp">
-    <ns0:SPSSODescriptor AuthnRequestsSigned="False" WantAssertionsSigned="True"
+    <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <ns0:KeyDescriptor>
         <ns1:KeyInfo xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
@@ -34,11 +34,9 @@
           Location="http://localhost:8087/" index="0"/>
     </ns0:SPSSODescriptor>
     <ns0:Organization>
-      <ns0:OrganizationURL xml:lang="en">http://www.example.com/
-      </ns0:OrganizationURL>
       <ns0:OrganizationName xml:lang="en">Example Co</ns0:OrganizationName>
-      <ns0:OrganizationDisplayName xml:lang="en">Example Co
-      </ns0:OrganizationDisplayName>
+      <ns0:OrganizationDisplayName xml:lang="en">Example Co</ns0:OrganizationDisplayName>
+      <ns0:OrganizationURL xml:lang="en">http://www.example.com/</ns0:OrganizationURL>
     </ns0:Organization>
     <ns0:ContactPerson contactType="technical">
       <ns0:GivenName>Roland</ns0:GivenName>
@@ -47,7 +45,7 @@
     </ns0:ContactPerson>
   </ns0:EntityDescriptor>
   <ns0:EntityDescriptor entityID="urn:mace:example.com:saml:roland:idp">
-    <ns0:IDPSSODescriptor WantAuthnRequestsSigned="True"
+    <ns0:IDPSSODescriptor WantAuthnRequestsSigned="true"
                           protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <ns0:KeyDescriptor>
         <ns1:KeyInfo xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
@@ -78,11 +76,9 @@
           Location="http://localhost:8088/sso/"/>
     </ns0:IDPSSODescriptor>
     <ns0:Organization>
-      <ns0:OrganizationURL xml:lang="en">http://www.example.com/
-      </ns0:OrganizationURL>
       <ns0:OrganizationName xml:lang="en">Example Co</ns0:OrganizationName>
-      <ns0:OrganizationDisplayName xml:lang="en">Example Co
-      </ns0:OrganizationDisplayName>
+      <ns0:OrganizationDisplayName xml:lang="en">Example Co</ns0:OrganizationDisplayName>
+      <ns0:OrganizationURL xml:lang="en">http://www.example.com/</ns0:OrganizationURL>
     </ns0:Organization>
     <ns0:ContactPerson contactType="technical">
       <ns0:GivenName>Roland</ns0:GivenName>

tests/metasp.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<ns0:EntitiesDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" name="urn:mace:umu.se:saml:test" validUntil="2036-12-01T09:22:16Z">
+<ns0:EntitiesDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:mace:umu.se:saml:test" validUntil="2036-12-01T09:22:16Z">
   <ns0:EntityDescriptor entityID="urn:mace:umu.se:saml:roland:sp">
-    <ns0:SPSSODescriptor AuthnRequestsSigned="False" WantAssertionsSigned="True" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <ns0:KeyDescriptor>
         <ns1:KeyInfo xmlns:ns1="http://www.w3.org/2000/09/xmldsig#">
           <ns1:X509Data>

tests/saml_false_signed.xml

@@ -64,15 +64,15 @@ OmuMZY0K6ERY4fNVnGEAoUZeieehC6/ljmfk14xCAlE=</ns2:SignatureValue>
     </ns1:AuthnStatement>
     <ns1:AttributeStatement>
       <ns1:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           student
         </ns1:AttributeValue>
       </ns1:Attribute>
       <ns1:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           member
         </ns1:AttributeValue>
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           student
         </ns1:AttributeValue>
       </ns1:Attribute>

tests/saml_signed.xml

@@ -44,7 +44,7 @@ OmuMZY0K6ERY4fNVnGEAoUZeieehC6/ljmfk14xCAlE=</ns2:SignatureValue>
         </ns2:X509Data>
       </ns2:KeyInfo>
     </ns2:Signature>
-    <ns1:Subject>               
+    <ns1:Subject>
       <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="xenosmilus.umdc.umu.se">
         _cddc88563d433f556d4cc70c3162deabddea3b5019
       </ns1:NameID>
@@ -58,21 +58,21 @@ OmuMZY0K6ERY4fNVnGEAoUZeieehC6/ljmfk14xCAlE=</ns2:SignatureValue>
       </ns1:AudienceRestriction>
     </ns1:Conditions>
     <ns1:AuthnStatement AuthnInstant="2009-09-25T18:12:39Z" SessionIndex="_788db107b9bb1b6ab94f00deebbfe3d92c999b3041">
-      <ns1:AuthnContext>                      
+      <ns1:AuthnContext>
         <ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns1:AuthnContextClassRef>
       </ns1:AuthnContext>
     </ns1:AuthnStatement>
     <ns1:AttributeStatement>
       <ns1:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           student
         </ns1:AttributeValue>
       </ns1:Attribute>
       <ns1:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           member
         </ns1:AttributeValue>
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           student
         </ns1:AttributeValue>
       </ns1:Attribute>

tests/saml_unsigned.xml

@@ -6,7 +6,7 @@
   </ns0:Status>
   <ns1:Assertion xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx9e022535-4b38-cc7f-41ec-9a01bcd2936d" IssueInstant="2009-10-25T18:12:39Z" Version="2.0">
     <ns1:Issuer>http://xenosmilus.umdc.umu.se/simplesaml/saml2/idp/metadata.php</ns1:Issuer>
-    <ns1:Subject>               
+    <ns1:Subject>
       <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="xenosmilus.umdc.umu.se">
         _cddc88563d433f556d4cc70c3162deabddea3b5019
       </ns1:NameID>
@@ -20,21 +20,21 @@
       </ns1:AudienceRestriction>
     </ns1:Conditions>
     <ns1:AuthnStatement AuthnInstant="2009-10-25T18:12:39Z" SessionIndex="_788db107b9bb1b6ab94f00deebbfe3d92c999b3041">
-      <ns1:AuthnContext>                      
+      <ns1:AuthnContext>
         <ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns1:AuthnContextClassRef>
       </ns1:AuthnContext>
     </ns1:AuthnStatement>
     <ns1:AttributeStatement>
       <ns1:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           student
         </ns1:AttributeValue>
       </ns1:Attribute>
       <ns1:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           member
         </ns1:AttributeValue>
-        <ns1:AttributeValue xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
+        <ns1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://www.w3.org/2001/XMLSchema-instance" ns2:type="xs:string">
           student
         </ns1:AttributeValue>
       </ns1:Attribute>

tests/test_30_mdstore.py

@@ -167,6 +167,10 @@
         "class": "saml2.mdstore.MetaDataFile",
         "metadata": [(full_path("idp_uiinfo.xml"),)],
     }],
+    "16": [{
+        "class": "saml2.mdstore.MetaDataFile",
+        "metadata": [(full_path("empty_metadata_file.xml"),)],
+    }],
 }
 
 
@@ -182,9 +186,15 @@ def _fix_valid_until(xmlstring):
 
 
 def test_invalid_metadata():
+    mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
+    mds.imp(METADATACONF["14"])
+    assert mds.entities() == 0
+
+
+def test_empty_metadata():
     mds = MetadataStore(ATTRCONV, sec_config, disable_ssl_certificate_validation=True)
     with raises(SAMLError):
-        mds.imp(METADATACONF["14"])
+        mds.imp(METADATACONF["16"])
 
 
 def test_swami_1():

tests/test_schema_validator.py

@@ -0,0 +1,89 @@
+from pathutils import full_path as expand_full_path
+
+from pytest import raises
+from pytest import mark
+
+from saml2.xml.schema import validate as validate_doc_with_schema
+from saml2.xml.schema import XMLSchemaError
+
+
+@mark.parametrize("doc", ["invalid_metadata_file.xml", "empty_metadata_file.xml"])
+def test_invalid_saml_metadata_doc(doc):
+    with raises(XMLSchemaError):
+        validate_doc_with_schema(expand_full_path(doc))
+
+
+@mark.parametrize(
+    "doc",
+    [
+        "InCommon-metadata.xml",
+        "idp.xml",
+        "idp_2.xml",
+        "idp_aa.xml",
+        "idp_all.xml",
+        "idp_example.xml",
+        "idp_soap.xml",
+        "entity_cat_re.xml",
+        "entity_cat_re_nren.xml",
+        "entity_cat_rs.xml",
+        "entity_cat_sfs_hei.xml",
+        "entity_esi_and_coco_sp.xml",
+        "entity_no_friendly_name_sp.xml",
+        "extended.xml",
+        "idp_slo_redirect.xml",
+        "idp_uiinfo.xml",
+        "metadata.aaitest.xml",
+        "metadata.xml",
+        "metadata_cert.xml",
+        "metadata_example.xml",
+        "metadata_sp_1.xml",
+        "metadata_sp_1_no_encryption.xml",
+        "metadata_sp_2.xml",
+        "metasp.xml",
+        "pdp_meta.xml",
+        "servera.xml",
+        "sp.xml",
+        "sp_slo_redirect.xml",
+        # XXX "swamid-1.0.xml",
+        # XXX "swamid-2.0.xml",
+        # TODO include the fed namespace
+        # TODO see https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html
+        "urn-mace-swami.se-swamid-test-1.0-metadata.xml",
+        "uu.xml",
+        "vo_metadata.xml",
+    ],
+)
+def test_valid_saml_metadata_doc(doc):
+    result = validate_doc_with_schema(expand_full_path(doc))
+    assert result == None
+
+
+@mark.parametrize(
+    "doc",
+    [
+        "attribute_response.xml",
+        "okta_response.xml",
+        "simplesamlphp_authnresponse.xml",
+        "saml2_response.xml",
+        "saml_false_signed.xml",
+        "saml_hok.xml",
+        "saml_hok_invalid.xml",
+        "saml_signed.xml",
+        "saml_unsigned.xml",
+    ],
+)
+def test_valid_saml_response_doc(doc):
+    result = validate_doc_with_schema(expand_full_path(doc))
+    assert result == None
+
+
+@mark.parametrize("doc", ["encrypted_attribute_statement.xml"])
+def test_valid_saml_partial_doc(doc):
+    result = validate_doc_with_schema(expand_full_path(doc))
+    assert result == None
+
+
+@mark.parametrize("doc", ["eidas_response.xml"])
+def test_valid_eidas_saml_response_doc(doc):
+    result = validate_doc_with_schema(expand_full_path(doc))
+    assert result == None

tests/vo_metadata.xml

@@ -1,11 +1,11 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <ns0:EntitiesDescriptor
-  name="urn:mace:example.com:votest"
+  Name="urn:mace:example.com:votest"
   validUntil="2036-11-28T09:10:09Z"
   xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata">
   <ns0:EntityDescriptor
     entityID="urn:mace:example.com:it:tek">
-    <ns0:AffiliationDescriptor 
+    <ns0:AffiliationDescriptor
       affiliationOwnerID="http://vo.example.org/vo">
       <ns0:AffiliateMember>
         urn:mace:example.com:saml:aa