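# Data source definition for the CloudTrail `UpdateSAMLProvider` management
# event (eventSource iam.amazonaws.com in example_log below). The call replaces
# the metadata document of an existing IAM SAML provider, i.e. it changes which
# identity-provider signing certificates the account trusts for federation.
name: AWS CloudTrail UpdateSAMLProvider
id: e5eb628d-711e-499c-87d9-8fa5dee419ec
# Version of this data source object (not of the add-on listed further down).
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail UpdateSAMLProvider
source: aws_cloudtrail
sourcetype: aws:cloudtrail
# Presumably the event field whose value selects this data source within the
# shared aws:cloudtrail sourcetype - confirm against the consuming tooling.
separator: eventName
supported_TA:
# url and version are nested under the add-on entry: at column 0 they parse as
# top-level keys, and `version` then collides with the object version above.
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.7.1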
# Fields listed for this data source. The dotted names (userIdentity.*,
# requestParameters.*, responseElements.*) match JSON paths in example_log;
# the remainder are presumably Splunk default fields and add-on/CIM aliases -
# confirm against the Splunk Add-on for AWS.
fields:
- _time
- action
- app
- awsRegion
- aws_account_id
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
# Full IdP metadata XML submitted with the call; in example_log it carries the
# X509Certificate entries marked use="signing", i.e. the trust material that
# the update puts in place. Review it whenever this event fires.
- requestParameters.sAMLMetadataDocument
# ARN of the SAML provider named in the request and echoed in the response.
- requestParameters.sAMLProviderArn
- responseElements.sAMLProviderArn
- signature
- source
# Origin and client of the call, as logged by CloudTrail.
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- status
- tag
- tag::eventtype
- timeendpos
- timestartpos
- user
- userAgent
# Caller identity as logged by CloudTrail; for the AssumedRole caller in
# example_log the sessionIssuer fields name the role behind the session.
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.sessionContext.attributes.creationDate
# "false" in example_log, i.e. the calling session was not marked as
# MFA-authenticated.
- userIdentity.sessionContext.attributes.mfaAuthenticated
- userIdentity.sessionContext.sessionIssuer.accountId
- userIdentity.sessionContext.sessionIssuer.arn
- userIdentity.sessionContext.sessionIssuer.principalId
- userIdentity.sessionContext.sessionIssuer.type
- userIdentity.sessionContext.sessionIssuer.userName
- userIdentity.type
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
# example_log: one sample UpdateSAMLProvider event as a single-quoted JSON
# string. NOTE(review): the account id is masked (111111111111), but the
# sample still shows an access key id, a source IP and an identity-provider
# tenant GUID - confirm these are lab values that are safe to publish. The
# "[email protected]" text in principalId/arn looks like an e-mail obfuscation
# artifact of the page this was copied from, not the logged value - TODO
# restore from the upstream file.
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAYTOGP2RLKFUVAQAIJ:[email protected]", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/[email protected]",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLMZGPIW6C", "sessionContext":
{"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLKFUVAQAIJ", "arn":
"arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId": "111111111111",
"userName": "rodonmicrotestrole"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
"false", "creationDate": "2021-01-20T03:10:32Z"}}}, "eventTime": "2021-01-20T03:12:39Z",
"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "awsRegion":
"us-east-1", "sourceIPAddress": "66.176.252.11", "userAgent": "aws-internal/3 aws-sdk-java/1.11.930
Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
java/1.8.0_275 vendor/Oracle_Corporation", "requestParameters": {"sAMLMetadataDocument":
"<?xml version=\"1.0\" encoding=\"utf-8\"?><EntityDescriptor ID=\"_6898aaf1-1639-44d4-956b-5bf936af37f1\"
entityID=\"https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\"><Signature
xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo><CanonicalizationMethod
Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" /><SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"
/><Reference URI=\"#_6898aaf1-1639-44d4-956b-5bf936af37f1\"><Transforms><Transform
Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" /><Transform
Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" /></Transforms><DigestMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\" /><DigestValue>ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=</DigestValue></Reference></SignedInfo><SignatureValue>J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></Signature><RoleDescriptor
xsi:type=\"fed:SecurityTokenServiceType\" protocolSupportEnumeration=\"http://docs.oasis-open.org/wsfed/federation/200706\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:fed=\"http://docs.oasis-open.org/wsfed/federation/200706\"><KeyDescriptor
use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor
use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvgead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN</X509Certificate></X509Data></KeyInfo></KeyDescriptor><fed:ClaimTypesOffered><auth:ClaimType
Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Name</auth:DisplayName><auth:Description>The
mutable display name of the user.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Subject</auth:DisplayName><auth:Description>An
immutable, globally unique, non-reusable identifier of the user that is unique to
the application for which a token is issued.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Given
Name</auth:DisplayName><auth:Description>First name of the user.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Surname</auth:DisplayName><auth:Description>Last
name of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/displayname\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Display
Name</auth:DisplayName><auth:Description>Display name of the user.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/identity/claims/nickname\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Nick
Name</auth:DisplayName><auth:Description>Nick name of the user.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Authentication
Instant</auth:DisplayName><auth:Description>The time (UTC) when the user is authenticated
to Windows Azure Active Directory.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Authentication
Method</auth:DisplayName><auth:Description>The method that Windows Azure Active
Directory uses to authenticate users.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/identity/claims/objectidentifier\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>ObjectIdentifier</auth:DisplayName><auth:Description>Primary
identifier for the user in the directory. Immutable, globally unique, non-reusable.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/identity/claims/tenantid\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>TenantId</auth:DisplayName><auth:Description>Identifier
for the user''s tenant.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/identityprovider\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>IdentityProvider</auth:DisplayName><auth:Description>Identity
provider for the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Email</auth:DisplayName><auth:Description>Email
address of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Groups</auth:DisplayName><auth:Description>Groups
of the user.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/identity/claims/accesstoken\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>External
Access Token</auth:DisplayName><auth:Description>Access token issued by external
identity provider.</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>External
Access Token Expiration</auth:DisplayName><auth:Description>UTC expiration time
of access token issued by external identity provider.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/identity/claims/openid2_id\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>External
OpenID 2.0 Identifier</auth:DisplayName><auth:Description>OpenID 2.0 identifier
issued by external identity provider.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/claims/groups.link\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>GroupsOverageClaim</auth:DisplayName><auth:Description>Issued
when number of user''s group claims exceeds return limit.</auth:Description></auth:ClaimType><auth:ClaimType
Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/role\" xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>Role
Claim</auth:DisplayName><auth:Description>Roles that the user or Service Principal
is attached to</auth:Description></auth:ClaimType><auth:ClaimType Uri=\"http://schemas.microsoft.com/ws/2008/06/identity/claims/wids\"
xmlns:auth=\"http://docs.oasis-open.org/wsfed/authorization/200706\"><auth:DisplayName>RoleTemplate
Id Claim</auth:DisplayName><auth:Description>Role template id of the Built-in Directory
Roles that the user is a member of</auth:Description></auth:ClaimType></fed:ClaimTypesOffered><fed:SecurityTokenServiceEndpoint><wsa:EndpointReference
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:SecurityTokenServiceEndpoint><fed:PassiveRequestorEndpoint><wsa:EndpointReference
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor><RoleDescriptor
xsi:type=\"fed:ApplicationServiceType\" protocolSupportEnumeration=\"http://docs.oasis-open.org/wsfed/federation/200706\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:fed=\"http://docs.oasis-open.org/wsfed/federation/200706\"><KeyDescriptor
use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor
use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvgead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN</X509Certificate></X509Data></KeyInfo></KeyDescriptor><fed:TargetScopes><wsa:EndpointReference
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/</wsa:Address></wsa:EndpointReference></fed:TargetScopes><fed:ApplicationServiceEndpoint><wsa:EndpointReference
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:ApplicationServiceEndpoint><fed:PassiveRequestorEndpoint><wsa:EndpointReference
xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"><wsa:Address>https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfed</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor><IDPSSODescriptor
protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><KeyDescriptor
use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9WBe9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor
use=\"signing\"><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvgead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN</X509Certificate></X509Data></KeyInfo></KeyDescriptor><SingleLogoutService
Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/saml2\"
/><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"
Location=\"https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/saml2\"
/><SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"
Location=\"https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/saml2\"
/></IDPSSODescriptor></EntityDescriptor>", "sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
"responseElements": {"sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
"requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832",
"readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
"Management", "recipientAccountId": "111111111111"}'