Hey there!
I stuck for a few days on Weak Public/Private Keys section of the Attacking Authentication Mechanisms module 
, still can’t receive the JWT from the response.
I have:
imported pub.crt and private.pem;
changed logged in username value to hackme;
assertions successfully signed
however my request still attempting to redirect me back to the root web directory.
Can someone tell me what have I missed ?