# Use cases

## Premises

1\. An Organizational Unit has been defined with Role holder set to Yes.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/uBE1WkFeIyqz9D95-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/uBE1WkFeIyqz9D95-image.png)

2\. Several groups have been defined with type Organizational Unit and Role holder set to Yes.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/A92Ke2fzOpFX6yD2-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/A92Ke2fzOpFX6yD2-image.png)

3\. An attribute sharing policy has been defined.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/RGnCcbn4hHQUBIpq-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/RGnCcbn4hHQUBIpq-image.png)

4\. Indicate which Service Providers will require group membership after authentication.

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/qHiJkgYhtK3yyHm4-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/qHiJkgYhtK3yyHm4-image.png)

## Use cases

### Use case 1 - Log in to an application

User with no groups, Primary or Secondary, of a type with holder group Yes. When this user logs in to an application --> the user logs in to the application normally.

### Use case 2 - Log in to an application

User with only one group, Primary or Secondary, of a type with holder group Yes. This user can have more groups with holder group No. When this user logs in to an application --> the user will be logged in to the application with the group whose type has holder group Yes.

#### OpenID-Connect

<details id="bkmrk-a.-user-agatha-with-"><summary>a. User Agatha with Primary group RRHH (Role holder Yes)</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/wVj0opxxR3dP9bif-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/wVj0opxxR3dP9bif-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/DKsM0v7zbaUVoTIp-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/DKsM0v7zbaUVoTIp-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/Lhd6oG4JhxMS3oo7-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/Lhd6oG4JhxMS3oo7-image.png)

</details><details id="bkmrk-b.-login%3A-the-user-t"><summary>b. Login: the user types the user name and password to log in</summary>

 [![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/cYxBAw9La5gqsMkg-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/cYxBAw9La5gqsMkg-image.png)

</details><details id="bkmrk-c.-get-the-json-id_t"><summary>c. Get the JSON id\_token</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/fiFRnrsRiyM73Pff-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/fiFRnrsRiyM73Pff-image.png)

</details><details id="bkmrk-d.-decode-the-json-w"><summary>d. Decode the JSON Web Token using https://jwt.io</summary>

Here you can see the scope, the holder\_group and the member\_of data:

```json
{
  "sub": "agatha",
  "iss": "https://sync-server.netcompose:1443",
  "holder_group": "RRHH",
  "meber_of": [
    "SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid",
    "SOFFID_HOLDER_CONDOMAIN005/Philosophers@soffid",
    "SOFFID_VAULT_USER@soffid",
    "SOFFID_HOLDER_CONDOMAIN004/Writers@soffid",
    "SOFFID_USER@soffid"
  ],
  "nonce": null,
  "sid": "oeB51Jr/+rb5yE+lbG9iYsAHy1TxOFYm",
  "aud": "angularApp",
  "azp": "angularApp",
  "auth_time": 1737365621,
  "scope": "openid profile email",
  "exp": 1737366221,
  "iat": 1737365622,
  "jti": "WW1wwRD-HaE9DCXfQv4wLRuFgGRbI1lB_9wDFBd6X4ILJBv4vS6mL1yG3S0Ee_Nv",
  "email": "agatha@soffid.com"
}
```

</details>

#### SAML

<details id="bkmrk-a.-user-agatha-with--1"><summary>a. User Agatha with Primary group RRHH (Role holder Yes)</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/wVj0opxxR3dP9bif-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/wVj0opxxR3dP9bif-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/DKsM0v7zbaUVoTIp-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/DKsM0v7zbaUVoTIp-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/Lhd6oG4JhxMS3oo7-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/Lhd6oG4JhxMS3oo7-image.png)

</details><details id="bkmrk-b.-login%3A-the-user-t-1"><summary>b. Login: the user types the user name and password to log in</summary>

 [![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/0XVHTuj0qlc1pPAQ-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/0XVHTuj0qlc1pPAQ-image.png) [![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/IAd2whZ8P5Pzopmt-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/IAd2whZ8P5Pzopmt-image.png)

</details><details id="bkmrk-c.-get-the-saml-resp"><summary>c. Get the SAML response</summary>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://pat.soffid.lab:8443/soffid/saml/log/post" ID="_6699870c490dcef896cb33d70187de62" InResponseTo="_edec4bcc9b7bf081e970867995369df9" IssueInstant="2025-01-20T09:35:53.249Z" Version="2.0">
 <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sync-server.netcompose</saml2:Issuer>
 <saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
 </saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_8d730eeaaa1bcfbf419568e5edc77d27" IssueInstant="2025-01-20T09:35:53.249Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sync-server.netcompose</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
    <ds:Reference URI="#_8d730eeaaa1bcfbf419568e5edc77d27">
     <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
       <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces>
      </ds:Transform>
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
     <ds:DigestValue>qEEAkYqFFZxatl6DaVme4IfrojC3zafaKFH+TpIDurY=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>TeVSWaALsRLMwYxi71/b1k8jKYOrFb7qS9qva2T5T3yKpNLwZxnmRqWznbBM7wpr9U3V0scfh5M1ex/NGflbADbxih7uwUVK8YSAZPwIx/4LXEx0uOxpQi7ZiDOvhb2jkKLdvztvUkBGeJhJGCJy/2WrOHIEdzsn4T4c7TBdWZc=</ds:SignatureValue>
   <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>MIICKTCCAZKgAwIBAgIGAY3q71O5MA0GCSqGSIb3DQEBCwUAMFgxJzAlBgNVBAMMHmh0dHBzOi8v...</ds:X509Certificate>
    </ds:X509Data>
   </ds:KeyInfo>
  </ds:Signature>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://sync-server.netcompose">Agatha</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Address="172.18.0.1" InResponseTo="_edec4bcc9b7bf081e970867995369df9" NotOnOrAfter="2025-01-20T09:40:53.249Z" Recipient="https://pat.soffid.lab:8443/soffid/saml/log/post"></saml2:SubjectConfirmationData>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2025-01-20T09:35:53.249Z" NotOnOrAfter="2025-01-20T09:40:53.249Z">
   <saml2:AudienceRestriction>
    <saml2:Audience>https://pat.soffid.lab:8443/soffid-iam-console</saml2:Audience>
   </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2025-01-20T09:35:53.197Z" SessionIndex="_cd9afa8aac3a7a35abc90b488b01d458">
   <saml2:SubjectLocality Address="172.18.0.1"></saml2:SubjectLocality>
   <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
   </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
   <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">agatha@soffid.com</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Agatha</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_HOLDER_CONDOMAIN005/Philosophers@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_VAULT_USER@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_HOLDER_CONDOMAIN004/Writers@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_USER@soffid</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="HolderGroup" Name="urn:oid:1.3.6.1.4.1.22896.3.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">RRHH</saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>
```

</details>

### Use case 3 - Log in to an application

User with more than one group, Primary or Secondary, of a type with holder group Yes. When this user logs in to an application --> the user has to choose the holder group to log in to the application. The user will be logged in to the application with the selected holder group.

#### OpenID-Connect

<details id="bkmrk-a.-user-agatha-with--2"><summary>a. User Agatha with three groups with Role holder Yes</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/DdleFWxWsjYqmSza-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/DdleFWxWsjYqmSza-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/epmuYcCCnY1a3yWN-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/epmuYcCCnY1a3yWN-image.png)

</details><details id="bkmrk-b.-login%3A-the-user-t-2"><summary>b. Login: the user types the user name and password to log in</summary>

 [![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/cYxBAw9La5gqsMkg-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/cYxBAw9La5gqsMkg-image.png)

</details><details id="bkmrk-c.-the-user-has-to-s"><summary>c. The user has to select the holder group to log in</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/xyb5gUqjS8s7dp0q-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/xyb5gUqjS8s7dp0q-image.png)

</details><details id="bkmrk-d.-get-the-json-id_t"><summary>d. Get the JSON id\_token</summary>

 [![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/fiFRnrsRiyM73Pff-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/fiFRnrsRiyM73Pff-image.png)

</details><details id="bkmrk-e.-decode-the-json-w"><summary>e. Decode the JSON Web Token using https://jwt.io</summary>

Here you can see the scope, the holder\_group and the member\_of data:

```json
{
  "sub": "agatha",
  "iss": "https://sync-server.netcompose:1443",
  "holder_group": "Marketing",
  "meber_of": [
    "SOFFID_VAULT_USER@soffid",
    "SOFFID_HOLDER_CONDOMAIN005/Writers@soffid",
    "SOFFID_USER@soffid"
  ],
  "nonce": null,
  "sid": "+cr0VQjIUcwmuJg0jraIO4DwtPfFOH9b",
  "aud": "angularApp",
  "azp": "angularApp",
  "auth_time": 1737366858,
  "scope": "openid profile email",
  "exp": 1737367458,
  "iat": 1737366858,
  "jti": "X1kvNUqr_-LJgz_EHneva0-mtHTLSkhN00d3UX-dtA7LVcjpkyM0yvl5UPst9vV2",
  "email": "agatha@soffid.com"
}
```

</details>

#### SAML

<details id="bkmrk-a.-user-agatha-with--3"><summary>a. User Agatha with three groups with Role holder Yes</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/DdleFWxWsjYqmSza-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/DdleFWxWsjYqmSza-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/epmuYcCCnY1a3yWN-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/epmuYcCCnY1a3yWN-image.png)

</details><details id="bkmrk-b.-login%3A-the-user-t-3"><summary>b. Login: the user types the user name and password to log in</summary>

 [![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/0XVHTuj0qlc1pPAQ-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/0XVHTuj0qlc1pPAQ-image.png) [![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/IAd2whZ8P5Pzopmt-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/IAd2whZ8P5Pzopmt-image.png)

</details><details id="bkmrk-c.-the-user-has-to-s-1"><summary>c. The user has to select the holder group to log in</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-01/scaled-1680-/xyb5gUqjS8s7dp0q-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-01/xyb5gUqjS8s7dp0q-image.png)

</details><details id="bkmrk-c.-get-the-saml-resp-1"><summary>d. Get the SAML response</summary>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://pat.soffid.lab:8443/soffid/saml/log/post" ID="_82e187f91ad03509cbb5adc502dc75ec" InResponseTo="_5ffefaae23a7626917de0e0d8c4866e5" IssueInstant="2025-01-20T09:56:45.504Z" Version="2.0">
 <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sync-server.netcompose</saml2:Issuer>
 <saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
 </saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_f351bb2c2cb39df3eeb29f31f4e6ea02" IssueInstant="2025-01-20T09:56:45.504Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sync-server.netcompose</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
    <ds:Reference URI="#_f351bb2c2cb39df3eeb29f31f4e6ea02">
     <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
       <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces>
      </ds:Transform>
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
     <ds:DigestValue>FIIpGC4P+i4OYv+1MxIw2tdgPgheB6zsE2QhbHTUP3U=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>VI2a9cx7vPKH+fppjyRQ4g+/NPknfxVzgbekaWomAxHvgNegRonlalUiRiiVLC5DdcT1dkO85c9FJgf5x8CgEfKFRKVNcaNWRVMZIZYUR/DKjyVH0F8a8lZMdHyxB9z3xj0QVqs7536dalA38hD5p4TG4PoNttYLhE1tFGd8QsI=</ds:SignatureValue>
   <ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>MIICKTCCAZKgAwIBAgIGAY3q71O5MA0GCSqGSIb3DQEBCwUAMFgxJzAlBgNVBAMMHmh0dHBzOi8v...</ds:X509Certificate>
    </ds:X509Data>
   </ds:KeyInfo>
  </ds:Signature>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://sync-server.netcompose">Agatha</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Address="172.18.0.1" InResponseTo="_5ffefaae23a7626917de0e0d8c4866e5" NotOnOrAfter="2025-01-20T10:01:45.504Z" Recipient="https://pat.soffid.lab:8443/soffid/saml/log/post"></saml2:SubjectConfirmationData>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2025-01-20T09:56:45.504Z" NotOnOrAfter="2025-01-20T10:01:45.504Z">
   <saml2:AudienceRestriction>
    <saml2:Audience>https://pat.soffid.lab:8443/soffid-iam-console</saml2:Audience>
   </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2025-01-20T09:56:45.461Z" SessionIndex="_31bb4c1105aa3c363a69b299e577d9cd">
   <saml2:SubjectLocality Address="172.18.0.1"></saml2:SubjectLocality>
   <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
   </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
   <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">agatha@soffid.com</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Agatha</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_VAULT_USER@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_HOLDER_CONDOMAIN005/Writers@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_USER@soffid</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="HolderGroup" Name="urn:oid:1.3.6.1.4.1.22896.3.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Marketing</saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>
```

</details>
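As an added example (not Soffid's code), a Service Provider side routine that reads the HolderGroup and memberOf attributes out of a SAML response like the ones shown in use cases 2 and 3, using the attribute Names those responses carry, and only after the assertion's Conditions (validity window and audience) have been checked. Signature verification is assumed to be done by the SAML library in front of this code; the sample response is constructed from the use case 3 values, cut down to the parts the code reads.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
HOLDER_GROUP_OID = "urn:oid:1.3.6.1.4.1.22896.3.1.7"  # FriendlyName="HolderGroup"
MEMBER_OF_OID = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # FriendlyName="memberOf"

# Constructed sample: the use case 3 response cut down to the parts this code reads.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0">
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Conditions NotBefore="2025-01-20T09:56:45.504Z" NotOnOrAfter="2025-01-20T10:01:45.504Z">
   <saml2:AudienceRestriction>
    <saml2:Audience>https://pat.soffid.lab:8443/soffid-iam-console</saml2:Audience>
   </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
    <saml2:AttributeValue>SOFFID_VAULT_USER@soffid</saml2:AttributeValue>
    <saml2:AttributeValue>SOFFID_HOLDER_CONDOMAIN005/Writers@soffid</saml2:AttributeValue>
    <saml2:AttributeValue>SOFFID_USER@soffid</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.22896.3.1.7">
    <saml2:AttributeValue>Marketing</saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>"""


def parse_instant(value):
    """SAML instants are UTC ISO 8601 with a trailing Z; fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad SAML instant: " + value)


def extract_holder_group(response_xml, expected_audience, now):
    """Return (holder_group, member_of) for this SP, or raise ValueError.

    holder_group is None when no HolderGroup attribute is present (use case 1).
    """
    assertion = ET.fromstring(response_xml).find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion carries no Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        raise ValueError("assertion not yet valid")
    if not_after is None or now >= parse_instant(not_after):
        raise ValueError("assertion expired or has no NotOnOrAfter")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for another audience")
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    holder = attrs.get(HOLDER_GROUP_OID, [])
    if len(holder) > 1:  # the IdP asserts at most one holder group per session
        raise ValueError("more than one HolderGroup value")
    return (holder[0] if holder else None, attrs.get(MEMBER_OF_OID, []))
```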
### Use case 4 - Log in to a second application

<details id="bkmrk-a.-agatha-user-was-p"><summary>a. Agatha user was previously logged in to an application</summary>

The Agatha user is logged in to the angularApp Service Provider:

```json
{
  "sub": "agatha",
  "iss": "https://sync-server.netcompose:1443",
  "holder_group": "Marketing",
  "meber_of": [
    "SOFFID_VAULT_USER@soffid",
    "SOFFID_HOLDER_CONDOMAIN005/Writers@soffid",
    "SOFFID_USER@soffid"
  ],
  "nonce": null,
  "sid": "+cr0VQjIUcwmuJg0jraIO4DwtPfFOH9b",
  "aud": "angularApp",
  "azp": "angularApp",
  "auth_time": 1737366858,
  "scope": "openid profile email",
  "exp": 1737367458,
  "iat": 1737366858,
  "jti": "X1kvNUqr_-LJgz_EHneva0-mtHTLSkhN00d3UX-dtA7LVcjpkyM0yvl5UPst9vV2",
  "email": "agatha@soffid.com"
}
```

</details><details id="bkmrk-b.-agata-user-is-log"><summary>b. Agatha user is logged in to a second application</summary>

The Agatha user is logged in to the OpenIDConnectApp001 Service Provider with the same holder group (Marketing); aud and azp now name the second Service Provider and a new sid is issued:

```json
{
  "sub": "agatha",
  "iss": "https://sync-server.netcompose:1443",
  "holder_group": "Marketing",
  "meber_of": [
    "SOFFID_VAULT_USER@soffid",
    "SOFFID_HOLDER_CONDOMAIN005/Writers@soffid",
    "SOFFID_USER@soffid"
  ],
  "nonce": null,
  "sid": "WDSQEzO6LIgxvQkq/zyIzL/LddKKy/j0",
  "aud": "OpenIDConnectApp001",
  "azp": "OpenIDConnectApp001",
  "auth_time": 1737367082,
  "scope": "openid",
  "exp": 1737367683,
  "iat": 1737367083,
  "jti": "C5xSE7UK0lgwgff5Cl7SPnpZvcRSm8WI0GZMXXObKdCMOuP50qbZjCcuGW7KpJqN",
  "email": "agatha@soffid.com"
}
```

</details>
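The four use cases above describe one decision the identity provider takes at login. As an added example (not Soffid's code), here is that decision written as a small pure function: the Role holder flag is modelled directly on the group, primary and secondary memberships are not distinguished because the use cases treat them alike, and a value posted back from the selection screen that is not one of the user's own holder groups is ignored rather than trusted. The names `Group`, `SsoSession` and `resolve_holder_group` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Group:
    name: str
    holder: bool  # the "Role holder" flag of the group's type (premises 1 and 2)


@dataclass
class SsoSession:
    """What the IdP remembers about the user's single sign-on session."""
    user: str
    resolved: bool = False  # True once a login has fixed the holder group
    holder_group: Optional[str] = None


def holder_candidates(groups):
    """Names of the user's groups, primary or secondary, whose type has holder group Yes."""
    return sorted(g.name for g in groups if g.holder)


def resolve_holder_group(groups, session, chosen=None):
    """Return ("login", holder_group) or ("choose", candidates).

    `chosen` is the value posted back from the selection screen; anything that
    is not one of the user's own holder groups is ignored and the user is asked again.
    """
    if session.resolved:  # use case 4: a second application reuses the session's holder group
        return ("login", session.holder_group)
    candidates = holder_candidates(groups)
    if not candidates:  # use case 1: no holder group, the user logs in normally
        selected = None
    elif len(candidates) == 1:  # use case 2: the only holder group is used
        selected = candidates[0]
    elif chosen in candidates:  # use case 3: the user picked one of their own
        selected = chosen
    else:  # use case 3: more than one candidate and no valid choice yet
        return ("choose", candidates)
    session.resolved, session.holder_group = True, selected
    return ("login", selected)


if __name__ == "__main__":
    # Walk through the page's scenario for Agatha (constructed group data).
    agatha = SsoSession("agatha")
    groups = [Group("RRHH", True), Group("Marketing", True), Group("Writers", True)]
    print(resolve_holder_group(groups, agatha))                      # ('choose', ['Marketing', 'RRHH', 'Writers'])
    print(resolve_holder_group(groups, agatha, chosen="Marketing"))  # ('login', 'Marketing')
    print(resolve_holder_group(groups, agatha))                      # ('login', 'Marketing'), second application
```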