RubyGems - ciam-es - Versions diffs - 0.0.1 - Mend

ciam-es 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

checksums.yaml +7 -0
data/.document +5 -0
data/Gemfile +4 -0
data/README.md +127 -0
data/ciam-es.gemspec +23 -0
data/lib/ciam-es.rb +14 -0
data/lib/ciam/ruby-saml/authrequest.rb +206 -0
data/lib/ciam/ruby-saml/coding.rb +34 -0
data/lib/ciam/ruby-saml/error_handling.rb +27 -0
data/lib/ciam/ruby-saml/logging.rb +26 -0
data/lib/ciam/ruby-saml/logout_request.rb +126 -0
data/lib/ciam/ruby-saml/logout_response.rb +132 -0
data/lib/ciam/ruby-saml/metadata.rb +509 -0
data/lib/ciam/ruby-saml/request.rb +81 -0
data/lib/ciam/ruby-saml/response.rb +683 -0
data/lib/ciam/ruby-saml/settings.rb +89 -0
data/lib/ciam/ruby-saml/utils.rb +225 -0
data/lib/ciam/ruby-saml/validation_error.rb +7 -0
data/lib/ciam/ruby-saml/version.rb +5 -0
data/lib/ciam/xml_security.rb +166 -0
data/lib/ciam/xml_security_new.rb +373 -0
data/lib/schemas/saml20assertion_schema.xsd +283 -0
data/lib/schemas/saml20protocol_schema.xsd +302 -0
data/lib/schemas/xenc_schema.xsd +146 -0
data/lib/schemas/xmldsig_schema.xsd +318 -0
data/test/certificates/certificate1 +12 -0
data/test/logoutrequest_test.rb +98 -0
data/test/request_test.rb +53 -0
data/test/response_test.rb +219 -0
data/test/responses/adfs_response_sha1.xml +46 -0
data/test/responses/adfs_response_sha256.xml +46 -0
data/test/responses/adfs_response_sha384.xml +46 -0
data/test/responses/adfs_response_sha512.xml +46 -0
data/test/responses/no_signature_ns.xml +48 -0
data/test/responses/open_saml_response.xml +56 -0
data/test/responses/response1.xml.base64 +1 -0
data/test/responses/response2.xml.base64 +79 -0
data/test/responses/response3.xml.base64 +66 -0
data/test/responses/response4.xml.base64 +93 -0
data/test/responses/response5.xml.base64 +102 -0
data/test/responses/response_with_ampersands.xml +139 -0
data/test/responses/response_with_ampersands.xml.base64 +93 -0
data/test/responses/simple_saml_php.xml +71 -0
data/test/responses/wrapped_response_2.xml.base64 +150 -0
data/test/settings_test.rb +43 -0
data/test/test_helper.rb +65 -0
data/test/xml_security_test.rb +123 -0
metadata +145 -0

data/lib/ciam/ruby-saml/logging.rb ADDED

@@ -0,0 +1,26 @@
+# Simplistic log class when we're running in Rails
+module Ciam
+  module Saml
+    class Logging
+      def self.debug(message)
+        return if !!ENV["ruby-saml/testing"]
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+      def self.info(message)
+        return if !!ENV["ruby-saml/testing"]
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+  end
+end

data/lib/ciam/ruby-saml/logout_request.rb ADDED

@@ -0,0 +1,126 @@
+require 'uuid'
+module Ciam::Saml
+  class LogoutRequest
+    ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+    PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+    DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+    include Coding
+    include Request
+    attr_reader :transaction_id
+    attr_accessor :settings
+    def initialize( options = {} )
+      opt = {  :request => nil, :settings => nil  }.merge(options)
+      @settings = opt[:settings]
+      @issue_instant = Ciam::Saml::LogoutRequest.timestamp
+      @request_params = Hash.new
+       # We need to generate a LogoutRequest to send to the IdP
+      if opt[:request].nil?
+        @transaction_id = UUID.new.generate
+      # The IdP sent us a LogoutRequest (IdP initiated SLO)
+      else
+        begin
+          @request = Ciam::XMLSecurity::SignedDocument.new( decode( opt[:request] ))
+          raise if @request.nil?
+          raise if @request.root.nil?
+          raise if @request.root.namespace != PROTOCOL
+        rescue
+          @request = Ciam::XMLSecurity::SignedDocument.new( inflate( decode( opt[:request] ) ) )
+        end
+        Logging.debug "LogoutRequest is: \n#{@request}"
+      end
+    end
+    def create( options = {} )
+      opt = { :name_id => nil, :session_index => nil, :extra_parameters => nil  }.merge(options)
+      return nil unless opt[:name_id]
+      @request = REXML::Document.new
+      @request.context[:attribute_quote] = :quote
+      root = @request.add_element "saml2p:LogoutRequest", { "xmlns:saml2p" => PROTOCOL }
+      root.attributes['ID'] = @transaction_id
+      root.attributes['IssueInstant'] = @issue_instant
+      root.attributes['Version'] = "2.0"
+      root.attributes['Destination'] = @settings.single_logout_destination
+      issuer = root.add_element "saml2:Issuer", { "xmlns:saml2" => ASSERTION  }
+      issuer.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+      #issuer.text = @settings.issuer
+      #per la federazione trentina qui ci vanno i metadati...
+      issuer.text = @settings.idp_metadata
+      name_id = root.add_element "saml2:NameID", { "xmlns:saml2" => ASSERTION }
+      name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      name_id.attributes['NameQualifier'] = @settings.idp_name_qualifier
+      name_id.text = opt[:name_id]
+      # I believe the rest of these are optional
+      if @settings && @settings.sp_name_qualifier
+        name_id.attributes["SPNameQualifier"] = @settings.sp_name_qualifier
+      end
+      if opt[:session_index]
+        session_index = root.add_element "saml2p:SessionIndex" #, { "xmlns:samlp" => PROTOCOL }
+        session_index.text = opt[:session_index]
+      end
+      Logging.debug "Created LogoutRequest: #{@request}"
+      meta = Metadata.new(@settings)
+      return meta.create_slo_request( to_s, opt[:extra_parameters] )
+      #action, content =  binding_select("SingleLogoutService")
+      #Logging.debug "action: #{action} content: #{content}"
+      #return [action, content]
+     end
+  # function to return the created request as an XML document
+    def to_xml
+    text = ""
+    @request.write(text, 1)
+      return text
+    end
+   def to_s
+     @request.to_s
+   end
+    # Functions for pulling values out from an IdP initiated LogoutRequest
+  def name_id
+    element = REXML::XPath.first(@request, "/p:LogoutRequest/a:NameID", {
+        "p" => PROTOCOL, "a" => ASSERTION } )
+    return nil if element.nil?
+    # Can't seem to get this to work right...
+    #element.context[:compress_whitespace] = ["NameID"]
+    #element.context[:compress_whitespace] = :all
+    str = element.text.gsub(/^\s+/, "")
+    str.gsub!(/\s+$/, "")
+    return str
+  end
+  def transaction_id
+    return @transaction_id if @transaction_id
+    element = REXML::XPath.first(@request, "/p:LogoutRequest", {
+        "p" => PROTOCOL} )
+    return nil if element.nil?
+    return element.attributes["ID"]
+  end
+  def is_valid?
+    validate(soft = true)
+  end
+  def validate!
+    validate( soft = false )
+  end
+  def validate( soft = true )
+    return false if @request.nil?
+      return false if @request.validate(@settings, soft) == false
+    return true
+  end
+    private
+    def self.timestamp
+      Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+  end
+end

data/lib/ciam/ruby-saml/logout_response.rb ADDED

@@ -0,0 +1,132 @@
+#encoding: utf-8
+require "rexml/document"
+module Ciam
+  module Saml
+    class LogoutResponse
+      include Coding
+		include Request
+		ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+		PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+		DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+      def initialize( options = { } )
+			opt = { :response => nil, :settings => nil }.merge(options)
+			# We've recieved a LogoutResponse from the IdP
+			if opt[:response]
+				begin
+					@response = Ciam::XMLSecurity::SignedDocument.new(decode( opt[:response] ))
+					# Check to see if we have a root tag using the "protocol" namespace.
+					# If not, it means this is deflated text and we need to raise to
+					# the rescue below
+						raise if @response.nil?
+						raise if @response.root.nil?
+						raise if @response.root.namespace != PROTOCOL
+					document
+				rescue
+					@response = Ciam::XMLSecurity::SignedDocument.new( inflate(decode( opt[:response] ) ) )
+				end
+			end
+			# We plan to create() a new LogoutResponse
+			if opt[:settings]
+				@settings = opt[:settings]
+			end
+      end
+		# Create a LogoutResponse to to the IdP's LogoutRequest
+		#  (For IdP initiated SLO)
+		def create( options )
+			opt = { :transaction_id => nil,
+				:in_response_to => nil,
+				:status => "urn:oasis:names:tc:SAML:2.0:status:Success",
+				:extra_parameters => nil }.merge(options)
+			return nil if opt[:transaction_id].nil?
+			@response = REXML::Document.new
+			@response.context[:attribute_quote] = :quote
+			uuid = "_" + UUID.new.generate
+			time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+			root = @response.add_element "saml2p:LogoutResponse", { "xmlns:saml2p" => PROTOCOL }
+			root.attributes['ID'] = uuid
+			root.attributes['IssueInstant'] = time
+			root.attributes['Version'] = "2.0"
+			# Just convenient naming to accept both names as InResponseTo
+			if opt[:transaction_id]
+				root.attributes['InResponseTo'] = opt[:transaction_id]
+			elsif opt[:in_response_to]
+				root.attributes['InResponseTo'] = opt[:in_response_to]
+			end
+			if opt[:status]
+				status = root.add_element "saml2p:Status"
+				status_code = status.add_element "saml2p:StatusCode", {
+						"Value" => opt[:status]
+				}
+			end
+			if @settings && @settings.issuer
+				issuer = root.add_element "saml:Issuer", {
+					"xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+				}
+				issuer.text = @settings.issuer
+			end
+			meta = Metadata.new( @settings )
+			Logging.debug "Created LogoutResponse:\n#{@response}"
+			return meta.create_slo_response( to_s, opt[:extra_parameters] )
+			#root.attributes['Destination'] = action
+		end
+		# function to return the created request as an XML document
+		def to_xml
+			text = ""
+			@response.write(text, 1)
+			return text
+		end
+		def to_s
+			@response.to_s
+		end
+      def issuer
+			element = REXML::XPath.first(@response, "/p:LogoutResponse/a:Issuer", {
+						"p" => PROTOCOL, "a" => ASSERTION} )
+			return nil if element.nil?
+			element.text
+      end
+      def in_response_to
+			element = REXML::XPath.first(@response, "/p:LogoutResponse", {
+					 "p" => PROTOCOL })
+			return nil if element.nil?
+        element.attributes["InResponseTo"]
+      end
+      def success?
+			element = REXML::XPath.first(@response, "/p:LogoutResponse/p:Status/p:StatusCode", {
+					"p" => PROTOCOL })
+			return false if element.nil?
+        element.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
+      end
+		def is_valid?
+			validate(soft = true)
+		end
+		def validate!
+			validate( soft = false )
+		end
+		def validate( soft = true )
+			return false if @response.nil?
+			# Skip validation with a failed response if we don't have settings
+			return false if @settings.nil?
+			return false if @response.validate(@settings, soft) == false
+			return true
+		end
+    protected
+      def document
+        REXML::Document.new(@response)
+      end
+    end
+  end
+end

data/lib/ciam/ruby-saml/metadata.rb ADDED

@@ -0,0 +1,509 @@
+require "rexml/document"
+require "rexml/xpath"
+require "net/https"
+require "uri"
+require "digest/md5"
+require "nokogiri"
+require_relative "../xml_security_new" #fa il require della nokogiri
+# Class to return SP metadata based on the settings requested.
+# Return this XML in a controller, then give that URL to the the
+# IdP administrator.  The IdP will poll the URL and your settings
+# will be updated automatically
+module Ciam
+  module Saml
+    class Metadata
+      include REXML
+      include Coding
+      # a few symbols for SAML class names
+      HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      HTTP_GET = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      attr_accessor :uuid
+      def initialize(settings=nil)
+        if settings
+          @settings = settings
+        end
+      end
+      def generate(settings)
+        #meta_doc = REXML::Document.new
+        meta_doc = Ciam::XMLSecurityNew::Document.new
+        if settings.aggregato
+          root = meta_doc.add_element "md:EntityDescriptor", {
+            "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
+            "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace",
+            "xmlns:ciam"        => "https://ciam.gov.it/saml-extensions",
+          }
+        else
+          root = meta_doc.add_element "md:EntityDescriptor", {
+            "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
+            "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace"
+          }
+        end
+        if settings.issuer != nil
+          root.attributes["entityID"] = settings.issuer
+        end
+        #Tolto per non far cambiare sempre il metadata
+        #uuid = "_" + UUID.new.generate
+        #genero l'id come hash dell'entityID
+        uuid = "_"+Digest::MD5.hexdigest(settings.issuer)
+        self.uuid = uuid
+        root.attributes["ID"] = uuid
+        sp_sso = root.add_element "md:SPSSODescriptor", {
+            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "WantAssertionsSigned"       => "true",
+            "AuthnRequestsSigned"         => "true"
+        }
+        # if settings.sp_cert != nil
+        #   keyDescriptor = sp_sso.add_element "md:KeyDescriptor", {
+        #     "use" => "signing"
+        #   }
+        #   keyInfo = keyDescriptor.add_element "ds:KeyInfo", {
+        #     "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"
+        #   }
+        #   x509Data = keyInfo.add_element "ds:X509Data"
+        #   x509Certificate = x509Data.add_element "ds:X509Certificate"
+        #   file = ""
+        #   File.foreach(settings.sp_cert){ |line|
+        #                                file  += line unless (line.include?("RSA PUBLIC KEY") || line.include?("CERTIFICATE"))
+        #                              }
+        #   x509Certificate.text = file
+        # end
+        # Add KeyDescriptor if messages will be signed / encrypted
+        #cert = settings.get_sp_cert
+        cert = settings.get_cert(settings.sp_cert)
+        if cert
+          if cert.is_a?(String)
+            cert = OpenSSL::X509::Certificate.new(cert)
+          end
+          cert_text = Base64.encode64(cert.to_der).to_s.gsub(/\n/, "").gsub(/\t/, "")
+          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+          xd = ki.add_element "ds:X509Data"
+          xc = xd.add_element "ds:X509Certificate"
+          xc.text = cert_text
+          # kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+          # ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+          # xd2 = ki2.add_element "ds:X509Data"
+          # xc2 = xd2.add_element "ds:X509Certificate"
+          # xc2.text = cert_text
+        end
+        if !settings.sp_external_consumer_cert.nil? && settings.sp_external_consumer_cert.length > 0
+          settings.sp_external_consumer_cert.each{ |cert_cons_external|
+            cert_ex = settings.get_cert(cert_cons_external)
+            if cert_ex
+              if cert_ex.is_a?(String)
+                cert_ex = OpenSSL::X509::Certificate.new(cert_ex)
+              end
+              cert_text = Base64.encode64(cert_ex.to_der).to_s.gsub(/\n/, "").gsub(/\t/, "")
+              kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+              ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+              xd = ki.add_element "ds:X509Data"
+              xc = xd.add_element "ds:X509Certificate"
+              xc.text = cert_text
+            end
+          }
+        end
+        if settings.single_logout_service_url != nil
+          sp_sso.add_element "md:SingleLogoutService", {
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+              "Location" => settings.single_logout_service_url
+          }
+          sp_sso.add_element "md:SingleLogoutService", {
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              "Location" => settings.single_logout_service_url
+          }
+        end
+        #Logout dei servizi esterni
+        unless settings.hash_assertion_consumer.blank?
+          settings.hash_assertion_consumer.each_pair{ |index, hash_service|
+            unless hash_service['logout'].blank?
+              sp_sso.add_element "md:SingleLogoutService", {
+                "Binding" => hash_service['logout']['binding'] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                "Location" => hash_service['logout']['location']
+              }
+            end
+          }
+        end
+        name_identifier_formats = settings.name_identifier_format
+        if name_identifier_formats != nil
+          name_id = []
+          name_identifier_formats.each_with_index{ |format, index|
+            name_id[index] = sp_sso.add_element "md:NameIDFormat"
+            name_id[index].text = format
+          }
+        end
+        if settings.assertion_consumer_service_url
+            #ciclo e creo i vari tag AssertionConsumerService
+            settings.hash_assertion_consumer.each_pair{ |index, hash_service|
+                sp_sso.add_element "md:AssertionConsumerService", {
+                  "Binding" => settings.assertion_consumer_service_binding,
+                  "Location" => (hash_service['external'] ? hash_service['url_consumer'] : settings.assertion_consumer_service_url ),
+                  "isDefault" => hash_service['default'],
+                  "index" => index
+                }
+            }
+            # #Caso con eidas
+            # sp_sso.add_element "md:AssertionConsumerService", {
+            #     "Binding" => settings.assertion_consumer_service_binding,
+            #     "Location" => settings.assertion_consumer_service_url,
+            #     "index" => 99
+            # }
+            # sp_sso.add_element "md:AssertionConsumerService", {
+            #     "Binding" => settings.assertion_consumer_service_binding,
+            #     "Location" => settings.assertion_consumer_service_url,
+            #     "index" => 100
+            # }
+            settings.hash_assertion_consumer.each_pair{ |index, hash_service|
+              #AttributeConsumingService
+              attr_cons_service = sp_sso.add_element "md:AttributeConsumingService", {
+                  "index" => index,
+              }
+              service_name = attr_cons_service.add_element "md:ServiceName", {
+                    "xml:lang" => "it"
+              }
+              service_name.text = hash_service['testo']
+              unless hash_service['description'].blank?
+                service_description = attr_cons_service.add_element "md:ServiceDescription", {
+                  "xml:lang" => "it"
+                }
+                service_description.text = hash_service['description']
+              end
+              if hash_service['array_campi'].is_a?(Array)
+                hash_service['array_campi'].each_with_index{ |attribute, index|
+                  attr_cons_service.add_element "md:RequestedAttribute", {
+                      "Name" => attribute
+                  }
+                }
+              else #hash
+                hash_service['array_campi'].each_pair{ |attribute, name_format|
+                  attr_cons_service.add_element "md:RequestedAttribute", {
+                      "Name" => attribute,
+                      "NameFormat" => name_format
+                  }
+                }
+              end
+            }
+        end
+        #organization
+        organization = root.add_element "md:Organization"
+        org_name = organization.add_element "md:OrganizationName", {
+            "xml:lang" => "it"
+        }
+        org_name.text = settings.organization['org_name']
+        org_display_name = organization.add_element "md:OrganizationDisplayName", {
+            "xml:lang" => "it"
+        }
+        org_display_name.text = settings.organization['org_display_name']+(settings.aggregato ? " tramite #{settings.hash_aggregatore['soggetto_aggregatore']}" : '')
+        org_url = organization.add_element "md:OrganizationURL", {
+            "xml:lang" => "it"
+        }
+        org_url.text = settings.organization['org_url']
+        #ContactPerson per sp aggregato
+        if settings.aggregato
+          contact_person_aggregatore = root.add_element "md:ContactPerson", {
+            "contactType" => "other",
+            "ciam:entityType" => "ciam:aggregator"
+          }
+          company = contact_person_aggregatore.add_element "md:Company"
+          company.text = settings.hash_aggregatore['soggetto_aggregatore']
+          extensions_aggregatore = contact_person_aggregatore.add_element "md:Extensions"
+          vat_number_aggregatore = extensions_aggregatore.add_element "ciam:VATNumber"
+          vat_number_aggregatore.text = settings.hash_aggregatore['piva_aggregatore']
+          ipa_code_aggregatore = extensions_aggregatore.add_element "ciam:IPACode"
+          ipa_code_aggregatore.text = settings.hash_aggregatore['cipa_aggregatore']
+          fiscal_code_aggregatore = extensions_aggregatore.add_element "ciam:FiscalCode"
+          fiscal_code_aggregatore.text = settings.hash_aggregatore['cf_aggregatore']
+          contact_person_aggregato = root.add_element "md:ContactPerson", {
+            "contactType" => "other",
+            "ciam:entityType" => "ciam:aggregated"
+          }
+          company = contact_person_aggregato.add_element "md:Company"
+          company.text = settings.organization['org_name']
+          extensions_aggregato = contact_person_aggregato.add_element "md:Extensions"
+          unless settings.hash_aggregatore['soggetto_aggregato']['vat_number'].blank?
+            vat_number_aggregato = extensions_aggregato.add_element "ciam:VATNumber"
+            vat_number_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['vat_number']
+          end
+          unless settings.hash_aggregatore['soggetto_aggregato']['ipa_code'].blank?
+            ipa_code_aggregato = extensions_aggregato.add_element "ciam:IPACode"
+            ipa_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['ipa_code']
+          end
+          unless settings.hash_aggregatore['soggetto_aggregato']['fiscal_code'].blank?
+            fiscal_code_aggregato = extensions_aggregato.add_element "ciam:FiscalCode"
+            fiscal_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['fiscal_code']
+          end
+        end
+        #meta_doc << REXML::XMLDecl.new(version='1.0', encoding='UTF-8')
+        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+        #SE SERVE ANCHE ENCRYPTION
+        # # Add KeyDescriptor if messages will be signed / encrypted
+        #
+        # if cert
+        #   cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
+        #   kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+        #   ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+        #   xd = ki.add_element "ds:X509Data"
+        #   xc = xd.add_element "ds:X509Certificate"
+        #   xc.text = cert_text
+        #   kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+        #   ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+        #   xd2 = ki2.add_element "ds:X509Data"
+        #   xc2 = xd2.add_element "ds:X509Certificate"
+        #   xc2.text = cert_text
+        # end
+        #cert = settings.get_sp_cert
+        cert = settings.get_cert(settings.sp_cert) #inserisco il certificato principale
+        # embed signature
+        if settings.metadata_signed && settings.sp_private_key && settings.sp_cert
+          private_key = settings.get_sp_key
+          meta_doc.sign_document(private_key, cert)
+        end
+        ret = ""
+        # stampo come stringa semplice i metadata per non avere problemi con validazione firma
+        ret = meta_doc.to_s
+        #Logging.debug "Generated metadata:\n#{ret}"
+        return ret
+      end
+      def create_sso_request(message, extra_parameters = {} )
+        build_message( :type => "SAMLRequest",
+            :service => "SingleSignOnService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      def create_sso_response(message, extra_parameters = {} )
+        build_message( :type => "SAMLResponse",
+            :service => "SingleSignOnService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      def create_slo_request(message, extra_parameters = {} )
+        build_message( :type => "SAMLRequest",
+            :service => "SingleLogoutService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      def create_slo_response(message, extra_parameters = {} )
+        build_message( :type => "SAMLResponse",
+            :service => "SingleLogoutService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      # Construct a SAML message using information in the IdP metadata.
+      # :type can be either "SAMLRequest" or "SAMLResponse"
+      # :service refers to the Binding method,
+      #    either "SingleLogoutService" or "SingleSignOnService"
+      # :message is the SAML message itself (XML)
+      # I've provided easy to use wrapper functions above
+      def build_message( options = {} )
+        opt = { :type => nil, :service => nil, :message => nil, :extra_parameters => nil }.merge(options)
+        url = binding_select( opt[:service] )
+        return message_get( opt[:type], url, opt[:message], opt[:extra_parameters] )
+      end
+      # get the IdP metadata, and select the appropriate SSO binding
+      # that we can support.  Currently this is HTTP-Redirect and HTTP-POST
+      # but more could be added in the future
+      def binding_select(service)
+        # first check if we're still using the old hard coded method for
+        # backwards compatability
+        if service == "SingleSignOnService" && @settings.idp_sso_target_url != nil
+            return @settings.idp_sso_target_url
+        end
+        if service == "SingleLogoutService" && @settings.idp_slo_target_url != nil
+            return  @settings.idp_slo_target_url
+        end
+        meta_doc = get_idp_metadata
+        return nil unless meta_doc
+        # first try GET (REDIRECT)
+        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
+        if !sso_element.nil?
+          @URL = sso_element.attributes["Location"]
+          Logging.debug "binding_select: GET from #{@URL}"
+          return @URL
+        end
+        # next try post
+        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_POST}']")
+        if !sso_element.nil?
+          @URL = sso_element.attributes["Location"]
+          #Logging.debug "binding_select: POST to #{@URL}"
+          return @URL
+        end
+        # other types we might want to add in the future:  SOAP, Artifact
+      end
+      def fetch(uri_str, limit = 10)
+        # You should choose a better exception.
+        raise ArgumentError, 'too many HTTP redirects' if limit == 0
+        uri = URI.parse(uri_str)
+        if uri.scheme == "http"
+          response = Net::HTTP.get_response(uri)
+        elsif uri.scheme == "https"
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          # Most IdPs will probably use self signed certs
+          #http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          get = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(get)
+        end
+        case response
+        when Net::HTTPSuccess then
+          response
+        when Net::HTTPRedirection then
+          location = response['location']
+          warn "redirected to #{location}"
+          fetch(location, limit - 1)
+        else
+          response.value
+        end
+      end
+      # Retrieve the remote IdP metadata from the URL or a cached copy
+      # returns a REXML document of the metadata
+      def get_idp_metadata
+        return false if @settings.idp_metadata.nil?
+        # Look up the metdata in cache first
+        id = Digest::MD5.hexdigest(@settings.idp_metadata)
+        response = fetch(@settings.idp_metadata)
+        #meta_text = response.body
+        #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
+        #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
+        doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
+        doc_noko.remove_namespaces!
+        extract_certificate(doc_noko)
+        doc_rexml = REXML::Document.new(doc_noko.to_xml)
+        return doc_rexml
+        # USE OF CACHE WITH CERTIFICATE
+        # lookup = @cache.read(id)
+        # if lookup != nil
+        #   Logging.debug "IdP metadata cached lookup for #{@settings.idp_metadata}"
+        #   doc = REXML::Document.new( lookup )
+        #   extract_certificate( doc )
+        #   return doc
+        # end
+        # Logging.debug "IdP metadata cache miss on #{@settings.idp_metadata}"
+        # # cache miss
+        # if File.exists?(@settings.idp_metadata)
+        #   fp = File.open( @settings.idp_metadata, "r")
+        #   meta_text = fp.read
+        # else
+        #   uri = URI.parse(@settings.idp_metadata)
+        #   if uri.scheme == "http"
+        #     response = Net::HTTP.get_response(uri)
+        #     meta_text = response.body
+        #   elsif uri.scheme == "https"
+        #     http = Net::HTTP.new(uri.host, uri.port)
+        #     http.use_ssl = true
+        #     # Most IdPs will probably use self signed certs
+        #     #http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        #     http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        #     get = Net::HTTP::Get.new(uri.request_uri)
+        #     response = http.request(get)
+        #     meta_text = response.body
+        #   end
+        # end
+        # # Add it to the cache
+        # @cache.write(id, meta_text, @settings.idp_metadata_ttl )
+        # doc = REXML::Document.new( meta_text )
+        # extract_certificate(doc)
+        # return doc
+      end
+      def extract_certificate(meta_doc)
+        #ricerco il certificato con nokogiri
+        # pull out the x509 tag
+        x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
+        #x509 = REXML::XPath.first(meta_doc, "/md:EntityDescriptor/md:IDPSSODescriptor"+"/md:KeyDescriptor"+"/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
+        # If the IdP didn't specify the use attribute
+        if x509.nil?
+          x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
+          # x509 = REXML::XPath.first(meta_doc,
+          #       "/EntityDescriptor/IDPSSODescriptor" +
+          #     "/KeyDescriptor" +
+          #     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
+          #   )
+        end
+        @settings.idp_cert = x509.children.to_s.gsub(/\n/, "").gsub(/\t/, "")
+      end
+      # construct the parameter list on the URL and return
+      def message_get( type, url, message, extra_parameters = {} )
+        params = Hash.new
+        if extra_parameters
+          params.merge!(extra_parameters)
+        end
+        # compress GET requests to try and stay under that 8KB request limit
+        #deflate of samlrequest
+        params[type] = encode( deflate( message ) )
+        #Logging.debug "#{type}=#{params[type]}"
+        uri = Addressable::URI.parse(url)
+        if uri.query_values == nil
+          uri.query_values = params
+        else
+          # solution to stevenwilkin's parameter merge
+          uri.query_values = params.merge(uri.query_values)
+        end
+        url = uri.to_s
+        #Logging.debug "Sending to URL #{url}"
+        return url
+      end
+    end
+  end
+end