[WIP] Describe the SAML Response in greater detail

Still figuring out why I can't simply use markdown and need to assign
complex fragments using `{% capture %}` and render with `markdownify`

Author: vrajmohan

_pages/saml/authentication.md

@@ -51,6 +51,66 @@ A proofed identity request at AAL2, with phishing resistent MFA, for email, phon
 </samlp:AuthnRequest>
 ```
 {% endcapture %}
+{% capture response_elements %}
+The decrypted SAML Response contains a `<saml:Assertion>` element, which in turn contains elements like `<saml:Subject>`, `<saml:AttributeStatement>` and `<saml:AuthnStatement>`.
+{% endcapture %}
+{% capture decrypted_response %}
+```xml
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d7d0f3fd-e65d-42ee-89f3-ac7d75a56a21" IssueInstant="2024-08-16T19:34:39Z" Version="2.0">
+    <Issuer>http://localhost:3000/api/saml</Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <ds:Reference URI="#_d7d0f3fd-e65d-42ee-89f3-ac7d75a56a21">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+          <ds:DigestValue>Q/FduVpL2MXEufa9fEZ7yelUEu39/NnTIpbvX2o38B8=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue>aFzI+Sd2HRHxr9PVehZ0BuP9kZ/7/m0I5CwnmDtG+tv6Dw0egvZVI9PNrna53ClpG+LLKd6UOSkju+XVhGuNQg0zXb8qmCEUA6UIKBY604ci7TRgx4t5QoXTkg2go/AL9AiYCsjD/T5OECWtzpTEAgx+cJuUMN4n6kjhtNMPvrQo367ZRYYUuVPiCK6qJBgQQoUVbhsbXZy+AF7eN4JnP1dcyFE+nwUQqjMbUoXSBY+s3WLshI5B7YUMAYdyXVdB38R0s9LpXUzYWzt1RjmL98zdCiXvFj4uD1uecgDdu0FNZYr5O5cIzVBoxDHZsU7q+njIoldXfT5FRANwWKCp7w==</ds:SignatureValue>
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIID+TCCAuGgAwIBAgIUUS6s9Rb+KY0fT0qKKgqPPJij/HMwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MB4XDTI0MDEyMjIwMTcwN1oXDTI1MDQwMTIwMTcwN1owgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhmcFFn4b56vHlGBQ1Lx6AXz17sqKnCc6sJ+9csP1RtQBI0NpPHB2z9Di1PNk/ElK7V7yh3uMu4FJYw30GZFUl2f/ttsDkNHrwfh/jzbMNjrOSc0P25oem4uOUfeGH9jtMhKa+HZLOaOmcyWFKkYR2mwacEbQJ1CWviHtP8AzHUPSbHklAmusRLuygTjq0+QRJZgSezGqwU1L3ixPq+gMzPtMS+fxsMOVo2eosip440gz4rcqUUogtD2hV8EQi3+GIkGYuMTS81ug/385TCPEhzWMnNmDi3HykOZeRNb4GfCYw0Yx+v+cb7BPD5EdxUHNwliHvSiRAeYqLjBjuNUfKQIDAQABo1MwUTAdBgNVHQ4EFgQUusictYnNM2TbIt5STz2lkYN1sI8wHwYDVR0jBBgwFoAUusictYnNM2TbIt5STz2lkYN1sI8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATuLF4kHeP7FY9Wzm3DfF+m/5wUhJEtbsF8J9Wq8duhQ4/gtZVJgMDUKLsnSDLCtWiRlsFXquI8tlo32JsVo5NfZI9WYsub7192iCYpqE+x5G+94tt5vAayoF7GKGPxatyldxAQUz7RUzwqas7NCYXQ0p7wZrMqF8z2yvaUgL55v8TJIb7RP+D8b47Cmzx7IYmx3Co30vZWysQe61Bv880hG11YJsBAc0hmyWlokJYZZVm+xcjKkm6aFyyAbeCe0Kh68QU7f9YkpFv/sW2RIvZ/Z0gvxjJE+YJBwOwPDDHdkb0ZmKOJvlaabi5lkTZvUtTHXb5Hu7DxRRt91dm77MlQ==</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </ds:Signature>
+    <Subject>
+      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">87c45cbc-1e44-4d89-a040-ebdf86f50add</NameID>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <SubjectConfirmationData InResponseTo="_78d78e66-586e-48af-a5dc-d96cea6488c9" NotOnOrAfter="2024-08-16T19:37:39Z" Recipient="http://localhost:4567/consume"/>
+      </SubjectConfirmation>
+    </Subject>
+    <Conditions NotBefore="2024-08-16T19:34:34Z" NotOnOrAfter="2024-08-16T20:34:39Z">
+      <AudienceRestriction>
+        <Audience>urn:gov:gsa:SAML:2.0.profiles:sp:sso:localhost</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AttributeStatement>
+      <Attribute Name="uuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uuid">
+        <AttributeValue>87c45cbc-1e44-4d89-a040-ebdf86f50add</AttributeValue>
+      </Attribute>
+      <Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email">
+        <AttributeValue>[email protected]</AttributeValue>
+      </Attribute>
+      <Attribute Name="aal" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="aal">
+        <AttributeValue>http://idmanagement.gov/ns/assurance/aal/2</AttributeValue>
+      </Attribute>
+      <Attribute Name="ial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="ial">
+        <AttributeValue>http://idmanagement.gov/ns/assurance/ial/1</AttributeValue>
+      </Attribute>
+    </AttributeStatement>
+    <AuthnStatement AuthnInstant="2024-08-16T19:34:39Z" SessionIndex="_d7d0f3fd-e65d-42ee-89f3-ac7d75a56a21">
+      <AuthnContext>
+        <AuthnContextClassRef>http://idmanagement.gov/ns/assurance/aal/2</AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+```
+{% endcapture %}
 
 <div class="grid-row grid-gap">
     <div class="desktop:grid-col-7 mobile:grid-col-full">
@@ -114,8 +174,10 @@ A proofed identity request at AAL2, with phishing resistent MFA, for email, phon
 <div class="grid-row grid-gap">
     <div class="desktop:grid-col-7 mobile:grid-col-full">
         <h2 id="authentication-response">Authentication response</h2>
-        <p>After the user authenticates, Login.gov will redirect and POST a form back to your registered Assertion Consumer Service URL:</p>
-        <p>The SAMLResponse is a base64-encoded XML payload that contains encrypted data.</p>
+        <p>After the user authenticates, Login.gov will redirect and POST a form back to your registered Assertion Consumer Service URL with a hidden form control named SAMLResponse.</p>
+        <p>The `SAMLResponse` is a base64-encoded XML payload that contains data that is encrypted with the service provider's public key.</p>
+        <p>{{ response_elements | markdownify }}</p>
+        <p>For example, {{ decrypted_response | markdownify }}</p>
           <a href="{{ '/saml/logout/' | prepend: site.baseurl }}" class="usa-link margin-top-4 mobile:display-none desktop:display-block">Next step: Logout</a>
     </div>
     <div class="usa-layout-docs__main code-snippet-column desktop:grid-col-5">