Weak Public/Private Keys

Hey there!
I stuck for a few days on Weak Public/Private Keys section of the Attacking Authentication Mechanisms module :neutral_face: , still can’t receive the JWT from the response.

I have:
imported pub.crt and private.pem;
changed logged in username value to hackme;
assertions successfully signed

however my request still attempting to redirect me back to the root web directory.

Can someone tell me what have I missed ?