Data Source: AWS CloudTrail UpdateSAMLProvider

Date: 2025-01-23

ID: e5eb628d-711e-499c-87d9-8fa5dee419ec

Author: Patrick Bareiss, Splunk

Description

Logs an event when a SAML provider is updated in AWS.

Details

Property Value
Source aws_cloudtrail
Sourcetype aws:cloudtrail
Separator eventName

Supported Apps

Event Fields

+ Fields 
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">awsRegion</span>
  
  <span class="pill kill-chain">aws_account_id</span>
  
  <span class="pill kill-chain">change_type</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">errorCode</span>
  
  <span class="pill kill-chain">eventCategory</span>
  
  <span class="pill kill-chain">eventID</span>
  
  <span class="pill kill-chain">eventName</span>
  
  <span class="pill kill-chain">eventSource</span>
  
  <span class="pill kill-chain">eventTime</span>
  
  <span class="pill kill-chain">eventType</span>
  
  <span class="pill kill-chain">eventVersion</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">managementEvent</span>
  
  <span class="pill kill-chain">msg</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">readOnly</span>
  
  <span class="pill kill-chain">recipientAccountId</span>
  
  <span class="pill kill-chain">region</span>
  
  <span class="pill kill-chain">requestID</span>
  
  <span class="pill kill-chain">requestParameters.sAMLMetadataDocument</span>
  
  <span class="pill kill-chain">requestParameters.sAMLProviderArn</span>
  
  <span class="pill kill-chain">responseElements.sAMLProviderArn</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourceIPAddress</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">start_time</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">userAgent</span>
  
  <span class="pill kill-chain">userIdentity.accessKeyId</span>
  
  <span class="pill kill-chain">userIdentity.accountId</span>
  
  <span class="pill kill-chain">userIdentity.arn</span>
  
  <span class="pill kill-chain">userIdentity.principalId</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.attributes.creationDate</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.attributes.mfaAuthenticated</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.accountId</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.arn</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.principalId</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.type</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.sessionIssuer.userName</span>
  
  <span class="pill kill-chain">userIdentity.type</span>
  
  <span class="pill kill-chain">userName</span>
  
  <span class="pill kill-chain">user_access_key</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_arn</span>
  
  <span class="pill kill-chain">user_group_id</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_name</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">vendor_region</span>
  
</div>

Example Log

1{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLMZGPIW6C", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLKFUVAQAIJ", "arn": "arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId" : "111111111111", "userName": "rodonmicrotestrole"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "false", "creationDate": "2021-01-20T03:10:32Z"}}}, "eventTime": "2021-01-20T03:12:39Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "awsRegion": "us-east-1", "sourceIPAddress": "66.176.252.11", "userAgent": "aws-internal/3 aws-sdk-java/1.11.930 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01 java/1.8.0_275 vendor/Oracle_Corporation", "requestParameters": {"sAMLMetadataDocument": "<?xml version=\"1.0\" encoding=\"utf-8\"?><EntityDescriptor ID=\"_6898aaf1-1639-44d4-956b-5bf936af37f1\" entityID=\"https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\"><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo><CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" /><SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\" /><Reference URI=\"#_6898aaf1-1639-44d4-956b-5bf936af37f1\"><Transforms><Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" /><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" /></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\" /><DigestValue>ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=</DigestValue></Reference></SignedInfo><SignatureValue>J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></Signature><RoleDescriptor xsi:type=\"fed:SecurityTokenServiceType\" protocolSupportEnumeration=\"http://docs.oasis-open.org/wsfed/federation/200706\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:fed=\"http://docs.oasis-open.org/wsfed/federation/200706\"><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvgead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN</X509Certificate></X509Data></KeyInfo></KeyDescriptor><fed:ClaimTypesOffered><auth:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Name</auth:DisplayName><auth:Description>The mutable display name of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Subject</auth:DisplayName><auth:Description>An immutable, globally unique, non-reusable identifier of the user that is unique to the application for which a token is issued.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Given Name</auth:DisplayName><auth:Description>First name of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Surname</auth:DisplayName><auth:Description>Last name of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/displayname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Display Name</auth:DisplayName><auth:Description>Display name of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/nickname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Nick Name</auth:DisplayName><auth:Description>Nick name of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Authentication Instant</auth:DisplayName><auth:Description>The time (UTC) when the user is authenticated to Windows Azure Active Directory.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Authentication Method</auth:DisplayName><auth:Description>The method that Windows Azure Active Directory uses to authenticate users.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>ObjectIdentifier</auth:DisplayName><auth:Description>Primary identifier for the user in the directory. Immutable, globally unique, non-reusable.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/tenantid\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>TenantId</auth:DisplayName><auth:Description>Identifier for the user's tenant.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/identityprovider\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>IdentityProvider</auth:DisplayName><auth:Description>Identity provider for the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Email</auth:DisplayName><auth:Description>Email address of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Groups</auth:DisplayName><auth:Description>Groups of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/accesstoken\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>External Access Token</auth:DisplayName><auth:Description>Access token issued by external identity provider.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>External Access Token Expiration</auth:DisplayName><auth:Description>UTC expiration time of access token issued by external identity provider.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/openid2_id\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>External OpenID 2.0 Identifier</auth:DisplayName><auth:Description>OpenID 2.0 identifier issued by external identity provider.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/claims/groups.link\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>GroupsOverageClaim</auth:DisplayName><auth:Description>Issued when number of user's group claims exceeds return limit.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/role\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Role Claim</auth:DisplayName><auth:Description>Roles that the user or Service Principal is attached to</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/wids\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>RoleTemplate Id Claim</auth:DisplayName><auth:Description>Role template id of the Built-in Directory Roles that the user is a member of</auth:Description></auth:ClaimType></fed:ClaimTypesOffered><fed:SecurityTokenServiceEndpoint><wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:SecurityTokenServiceEndpoint><fed:PassiveRequestorEndpoint><wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor><RoleDescriptor xsi:type=\"fed:ApplicationServiceType\" protocolSupportEnumeration=\"http://docs.oasis-open.org/wsfed/federation/200706\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:fed=\"http://docs.oasis-open.org/wsfed/federation/200706\"><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvgead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN</X509Certificate></X509Data></KeyInfo></KeyDescriptor><fed:TargetScopes><wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/</wsa:Address></wsa:EndpointReference></fed:TargetScopes><fed:ApplicationServiceEndpoint><wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:ApplicationServiceEndpoint><fed:PassiveRequestorEndpoint><wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor><IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvgead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN</X509Certificate></X509Data></KeyInfo></KeyDescriptor><SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/saml2\" /><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/saml2\" /><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/saml2\" /></IDPSSODescriptor></EntityDescriptor>", "sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "responseElements": {"sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}

Source: GitHub | Version: 2