RubyGems - ciam-es - Versions diffs - 0.0.1 - Mend

ciam-es 0.0.1

Files changed (48) hide show

checksums.yaml +7 -0
data/.document +5 -0
data/Gemfile +4 -0
data/README.md +127 -0
data/ciam-es.gemspec +23 -0
data/lib/ciam-es.rb +14 -0
data/lib/ciam/ruby-saml/authrequest.rb +206 -0
data/lib/ciam/ruby-saml/coding.rb +34 -0
data/lib/ciam/ruby-saml/error_handling.rb +27 -0
data/lib/ciam/ruby-saml/logging.rb +26 -0
data/lib/ciam/ruby-saml/logout_request.rb +126 -0
data/lib/ciam/ruby-saml/logout_response.rb +132 -0
data/lib/ciam/ruby-saml/metadata.rb +509 -0
data/lib/ciam/ruby-saml/request.rb +81 -0
data/lib/ciam/ruby-saml/response.rb +683 -0
data/lib/ciam/ruby-saml/settings.rb +89 -0
data/lib/ciam/ruby-saml/utils.rb +225 -0
data/lib/ciam/ruby-saml/validation_error.rb +7 -0
data/lib/ciam/ruby-saml/version.rb +5 -0
data/lib/ciam/xml_security.rb +166 -0
data/lib/ciam/xml_security_new.rb +373 -0
data/lib/schemas/saml20assertion_schema.xsd +283 -0
data/lib/schemas/saml20protocol_schema.xsd +302 -0
data/lib/schemas/xenc_schema.xsd +146 -0
data/lib/schemas/xmldsig_schema.xsd +318 -0
data/test/certificates/certificate1 +12 -0
data/test/logoutrequest_test.rb +98 -0
data/test/request_test.rb +53 -0
data/test/response_test.rb +219 -0
data/test/responses/adfs_response_sha1.xml +46 -0
data/test/responses/adfs_response_sha256.xml +46 -0
data/test/responses/adfs_response_sha384.xml +46 -0
data/test/responses/adfs_response_sha512.xml +46 -0
data/test/responses/no_signature_ns.xml +48 -0
data/test/responses/open_saml_response.xml +56 -0
data/test/responses/response1.xml.base64 +1 -0
data/test/responses/response2.xml.base64 +79 -0
data/test/responses/response3.xml.base64 +66 -0
data/test/responses/response4.xml.base64 +93 -0
data/test/responses/response5.xml.base64 +102 -0
data/test/responses/response_with_ampersands.xml +139 -0
data/test/responses/response_with_ampersands.xml.base64 +93 -0
data/test/responses/simple_saml_php.xml +71 -0
data/test/responses/wrapped_response_2.xml.base64 +150 -0
data/test/settings_test.rb +43 -0
data/test/test_helper.rb +65 -0
data/test/xml_security_test.rb +123 -0
metadata +145 -0

data/lib/ciam/ruby-saml/logging.rb ADDED

@@ -0,0 +1,26 @@
+# Simplistic log class when we're running in Rails
+module Ciam
+  module Saml
+    class Logging
+      def self.debug(message)
+        return if !!ENV["ruby-saml/testing"]
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+      def self.info(message)
+        return if !!ENV["ruby-saml/testing"]
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+  end
+end

data/lib/ciam/ruby-saml/logout_request.rb ADDED

@@ -0,0 +1,126 @@
+require 'uuid'
+module Ciam::Saml
+  class LogoutRequest
+    ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+    PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+    DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+    include Coding
+    include Request
+    attr_reader :transaction_id
+    attr_accessor :settings
+    def initialize( options = {} )
+      opt = {  :request => nil, :settings => nil  }.merge(options)
+      @settings = opt[:settings]
+      @issue_instant = Ciam::Saml::LogoutRequest.timestamp
+      @request_params = Hash.new
+       # We need to generate a LogoutRequest to send to the IdP
+      if opt[:request].nil?
+        @transaction_id = UUID.new.generate
+      # The IdP sent us a LogoutRequest (IdP initiated SLO)
+      else
+        begin
+          @request = Ciam::XMLSecurity::SignedDocument.new( decode( opt[:request] ))
+          raise if @request.nil?
+          raise if @request.root.nil?
+          raise if @request.root.namespace != PROTOCOL
+        rescue
+          @request = Ciam::XMLSecurity::SignedDocument.new( inflate( decode( opt[:request] ) ) )
+        end
+        Logging.debug "LogoutRequest is: \n#{@request}"
+      end
+    end
+    def create( options = {} )
+      opt = { :name_id => nil, :session_index => nil, :extra_parameters => nil  }.merge(options)
+      return nil unless opt[:name_id]
+      @request = REXML::Document.new
+      @request.context[:attribute_quote] = :quote
+      root = @request.add_element "saml2p:LogoutRequest", { "xmlns:saml2p" => PROTOCOL }
+      root.attributes['ID'] = @transaction_id
+      root.attributes['IssueInstant'] = @issue_instant
+      root.attributes['Version'] = "2.0"
+      root.attributes['Destination'] = @settings.single_logout_destination
+      issuer = root.add_element "saml2:Issuer", { "xmlns:saml2" => ASSERTION  }
+      issuer.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+      #issuer.text = @settings.issuer
+      #per la federazione trentina qui ci vanno i metadati...
+      issuer.text = @settings.idp_metadata
+      name_id = root.add_element "saml2:NameID", { "xmlns:saml2" => ASSERTION }
+      name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      name_id.attributes['NameQualifier'] = @settings.idp_name_qualifier
+      name_id.text = opt[:name_id]
+      # I believe the rest of these are optional
+      if @settings && @settings.sp_name_qualifier
+        name_id.attributes["SPNameQualifier"] = @settings.sp_name_qualifier
+      end
+      if opt[:session_index]
+        session_index = root.add_element "saml2p:SessionIndex" #, { "xmlns:samlp" => PROTOCOL }
+        session_index.text = opt[:session_index]
+      end
+      Logging.debug "Created LogoutRequest: #{@request}"
+      meta = Metadata.new(@settings)
+      return meta.create_slo_request( to_s, opt[:extra_parameters] )
+      #action, content =  binding_select("SingleLogoutService")
+      #Logging.debug "action: #{action} content: #{content}"
+      #return [action, content]
+     end
+  # function to return the created request as an XML document
+    def to_xml
+    text = ""
+    @request.write(text, 1)
+      return text
+    end
+   def to_s
+     @request.to_s
+   end
+    # Functions for pulling values out from an IdP initiated LogoutRequest
+  def name_id
+    element = REXML::XPath.first(@request, "/p:LogoutRequest/a:NameID", {
+        "p" => PROTOCOL, "a" => ASSERTION } )
+    return nil if element.nil?
+    # Can't seem to get this to work right...
+    #element.context[:compress_whitespace] = ["NameID"]
+    #element.context[:compress_whitespace] = :all
+    str = element.text.gsub(/^\s+/, "")
+    str.gsub!(/\s+$/, "")
+    return str
+  end
+  def transaction_id
+    return @transaction_id if @transaction_id
+    element = REXML::XPath.first(@request, "/p:LogoutRequest", {
+        "p" => PROTOCOL} )
+    return nil if element.nil?
+    return element.attributes["ID"]
+  end
+  def is_valid?
+    validate(soft = true)
+  end
+  def validate!
+    validate( soft = false )
+  end
+  def validate( soft = true )
+    return false if @request.nil?
+      return false if @request.validate(@settings, soft) == false
+    return true
+  end
+    private
+    def self.timestamp
+      Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+  end
+end

data/lib/ciam/ruby-saml/logout_response.rb ADDED

@@ -0,0 +1,132 @@
+#encoding: utf-8
+require "rexml/document"
+module Ciam
+  module Saml
+    class LogoutResponse
+      include Coding
+		include Request
+		ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+		PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+		DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+      def initialize( options = { } )
+			opt = { :response => nil, :settings => nil }.merge(options)
+			# We've recieved a LogoutResponse from the IdP
+			if opt[:response]
+				begin
+					@response = Ciam::XMLSecurity::SignedDocument.new(decode( opt[:response] ))
+					# Check to see if we have a root tag using the "protocol" namespace.
+					# If not, it means this is deflated text and we need to raise to
+					# the rescue below
+						raise if @response.nil?
+						raise if @response.root.nil?
+						raise if @response.root.namespace != PROTOCOL
+					document
+				rescue
+					@response = Ciam::XMLSecurity::SignedDocument.new( inflate(decode( opt[:response] ) ) )
+				end
+			end
+			# We plan to create() a new LogoutResponse
+			if opt[:settings]
+				@settings = opt[:settings]
+			end
+      end
+		# Create a LogoutResponse to to the IdP's LogoutRequest
+		#  (For IdP initiated SLO)
+		def create( options )
+			opt = { :transaction_id => nil,
+				:in_response_to => nil,
+				:status => "urn:oasis:names:tc:SAML:2.0:status:Success",
+				:extra_parameters => nil }.merge(options)
+			return nil if opt[:transaction_id].nil?
+			@response = REXML::Document.new
+			@response.context[:attribute_quote] = :quote
+			uuid = "_" + UUID.new.generate
+			time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+			root = @response.add_element "saml2p:LogoutResponse", { "xmlns:saml2p" => PROTOCOL }
+			root.attributes['ID'] = uuid
+			root.attributes['IssueInstant'] = time
+			root.attributes['Version'] = "2.0"
+			# Just convenient naming to accept both names as InResponseTo
+			if opt[:transaction_id]
+				root.attributes['InResponseTo'] = opt[:transaction_id]
+			elsif opt[:in_response_to]
+				root.attributes['InResponseTo'] = opt[:in_response_to]
+			end
+			if opt[:status]
+				status = root.add_element "saml2p:Status"
+				status_code = status.add_element "saml2p:StatusCode", {
+						"Value" => opt[:status]
+				}
+			end
+			if @settings && @settings.issuer
+				issuer = root.add_element "saml:Issuer", {
+					"xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+				}
+				issuer.text = @settings.issuer
+			end
+			meta = Metadata.new( @settings )
+			Logging.debug "Created LogoutResponse:\n#{@response}"
+			return meta.create_slo_response( to_s, opt[:extra_parameters] )
+			#root.attributes['Destination'] = action
+		end
+		# function to return the created request as an XML document
+		def to_xml
+			text = ""
+			@response.write(text, 1)
+			return text
+		end
+		def to_s
+			@response.to_s
+		end
+      def issuer
+			element = REXML::XPath.first(@response, "/p:LogoutResponse/a:Issuer", {
+						"p" => PROTOCOL, "a" => ASSERTION} )
+			return nil if element.nil?
+			element.text
+      end
+      def in_response_to
+			element = REXML::XPath.first(@response, "/p:LogoutResponse", {
+					 "p" => PROTOCOL })
+			return nil if element.nil?
+        element.attributes["InResponseTo"]
+      end
+      def success?
+			element = REXML::XPath.first(@response, "/p:LogoutResponse/p:Status/p:StatusCode", {
+					"p" => PROTOCOL })
+			return false if element.nil?
+        element.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
+      end
+		def is_valid?
+			validate(soft = true)
+		end
+		def validate!
+			validate( soft = false )
+		end
+		def validate( soft = true )
+			return false if @response.nil?
+			# Skip validation with a failed response if we don't have settings
+			return false if @settings.nil?
+			return false if @response.validate(@settings, soft) == false
+			return true
+		end
+    protected
+      def document
+        REXML::Document.new(@response)
+      end
+    end
+  end
+end

data/lib/ciam/ruby-saml/metadata.rb ADDED

@@ -0,0 +1,509 @@
+require "rexml/document"
+require "rexml/xpath"
+require "net/https"
+require "uri"
+require "digest/md5"
+require "nokogiri"
+require_relative "../xml_security_new" #fa il require della nokogiri
+# Class to return SP metadata based on the settings requested.
+# Return this XML in a controller, then give that URL to the the
+# IdP administrator.  The IdP will poll the URL and your settings
+# will be updated automatically
+module Ciam
+  module Saml
+    class Metadata
+      include REXML
+      include Coding
+      # a few symbols for SAML class names
+      HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      HTTP_GET = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      attr_accessor :uuid
+      def initialize(settings=nil)
+        if settings
+          @settings = settings
+        end
+      end
+      def generate(settings)
+        #meta_doc = REXML::Document.new
+        meta_doc = Ciam::XMLSecurityNew::Document.new
+        if settings.aggregato
+          root = meta_doc.add_element "md:EntityDescriptor", {
+            "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
+            "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace",
+            "xmlns:ciam"        => "https://ciam.gov.it/saml-extensions",
+          }
+        else
+          root = meta_doc.add_element "md:EntityDescriptor", {
+            "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
+            "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace"
+          }
+        end
+        if settings.issuer != nil
+          root.attributes["entityID"] = settings.issuer
+        end
+        #Tolto per non far cambiare sempre il metadata
+        #uuid = "_" + UUID.new.generate
+        #genero l'id come hash dell'entityID
+        uuid = "_"+Digest::MD5.hexdigest(settings.issuer)
+        self.uuid = uuid
+        root.attributes["ID"] = uuid
+        sp_sso = root.add_element "md:SPSSODescriptor", {
+            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "WantAssertionsSigned"       => "true",
+            "AuthnRequestsSigned"         => "true"
+        }
+        # if settings.sp_cert != nil
+        #   keyDescriptor = sp_sso.add_element "md:KeyDescriptor", {
+        #     "use" => "signing"
+        #   }
+        #   keyInfo = keyDescriptor.add_element "ds:KeyInfo", {
+        #     "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"
+        #   }
+        #   x509Data = keyInfo.add_element "ds:X509Data"
+        #   x509Certificate = x509Data.add_element "ds:X509Certificate"
+        #   file = ""
+        #   File.foreach(settings.sp_cert){ |line|
+        #                                file  += line unless (line.include?("RSA PUBLIC KEY") || line.include?("CERTIFICATE"))
+        #                              }
+        #   x509Certificate.text = file
+        # end
+        # Add KeyDescriptor if messages will be signed / encrypted
+        #cert = settings.get_sp_cert
+        cert = settings.get_cert(settings.sp_cert)
+        if cert
+          if cert.is_a?(String)
+            cert = OpenSSL::X509::Certificate.new(cert)
+          end
+          cert_text = Base64.encode64(cert.to_der).to_s.gsub(/\n/, "").gsub(/\t/, "")
+          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+          xd = ki.add_element "ds:X509Data"
+          xc = xd.add_element "ds:X509Certificate"
+          xc.text = cert_text
+          # kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+          # ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+          # xd2 = ki2.add_element "ds:X509Data"
+          # xc2 = xd2.add_element "ds:X509Certificate"
+          # xc2.text = cert_text
+        end
+        if !settings.sp_external_consumer_cert.nil? && settings.sp_external_consumer_cert.length > 0
+          settings.sp_external_consumer_cert.each{ |cert_cons_external|
+            cert_ex = settings.get_cert(cert_cons_external)
+            if cert_ex
+              if cert_ex.is_a?(String)
+                cert_ex = OpenSSL::X509::Certificate.new(cert_ex)
+              end
+              cert_text = Base64.encode64(cert_ex.to_der).to_s.gsub(/\n/, "").gsub(/\t/, "")
+              kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+              ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+              xd = ki.add_element "ds:X509Data"
+              xc = xd.add_element "ds:X509Certificate"
+              xc.text = cert_text
+            end
+          }
+        end
+        if settings.single_logout_service_url != nil
+          sp_sso.add_element "md:SingleLogoutService", {
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+              "Location" => settings.single_logout_service_url
+          }
+          sp_sso.add_element "md:SingleLogoutService", {
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              "Location" => settings.single_logout_service_url
+          }
+        end
+        #Logout dei servizi esterni
+        unless settings.hash_assertion_consumer.blank?
+          settings.hash_assertion_consumer.each_pair{ |index, hash_service|
+            unless hash_service['logout'].blank?
+              sp_sso.add_element "md:SingleLogoutService", {
+                "Binding" => hash_service['logout']['binding'] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                "Location" => hash_service['logout']['location']
+              }
+            end
+          }
+        end
+        name_identifier_formats = settings.name_identifier_format
+        if name_identifier_formats != nil
+          name_id = []
+          name_identifier_formats.each_with_index{ |format, index|
+            name_id[index] = sp_sso.add_element "md:NameIDFormat"
+            name_id[index].text = format
+          }
+        end
+        if settings.assertion_consumer_service_url
+            #ciclo e creo i vari tag AssertionConsumerService
+            settings.hash_assertion_consumer.each_pair{ |index, hash_service|
+                sp_sso.add_element "md:AssertionConsumerService", {
+                  "Binding" => settings.assertion_consumer_service_binding,
+                  "Location" => (hash_service['external'] ? hash_service['url_consumer'] : settings.assertion_consumer_service_url ),
+                  "isDefault" => hash_service['default'],
+                  "index" => index
+                }
+            }
+            # #Caso con eidas
+            # sp_sso.add_element "md:AssertionConsumerService", {
+            #     "Binding" => settings.assertion_consumer_service_binding,
+            #     "Location" => settings.assertion_consumer_service_url,
+            #     "index" => 99
+            # }
+            # sp_sso.add_element "md:AssertionConsumerService", {
+            #     "Binding" => settings.assertion_consumer_service_binding,
+            #     "Location" => settings.assertion_consumer_service_url,
+            #     "index" => 100
+            # }
+            settings.hash_assertion_consumer.each_pair{ |index, hash_service|
+              #AttributeConsumingService
+              attr_cons_service = sp_sso.add_element "md:AttributeConsumingService", {
+                  "index" => index,
+              }
+              service_name = attr_cons_service.add_element "md:ServiceName", {
+                    "xml:lang" => "it"
+              }
+              service_name.text = hash_service['testo']
+              unless hash_service['description'].blank?
+                service_description = attr_cons_service.add_element "md:ServiceDescription", {
+                  "xml:lang" => "it"
+                }
+                service_description.text = hash_service['description']
+              end
+              if hash_service['array_campi'].is_a?(Array)
+                hash_service['array_campi'].each_with_index{ |attribute, index|
+                  attr_cons_service.add_element "md:RequestedAttribute", {
+                      "Name" => attribute
+                  }
+                }
+              else #hash
+                hash_service['array_campi'].each_pair{ |attribute, name_format|
+                  attr_cons_service.add_element "md:RequestedAttribute", {
+                      "Name" => attribute,
+                      "NameFormat" => name_format
+                  }
+                }
+              end
+            }
+        end
+        #organization
+        organization = root.add_element "md:Organization"
+        org_name = organization.add_element "md:OrganizationName", {
+            "xml:lang" => "it"
+        }
+        org_name.text = settings.organization['org_name']
+        org_display_name = organization.add_element "md:OrganizationDisplayName", {
+            "xml:lang" => "it"
+        }
+        org_display_name.text = settings.organization['org_display_name']+(settings.aggregato ? " tramite #{settings.hash_aggregatore['soggetto_aggregatore']}" : '')
+        org_url = organization.add_element "md:OrganizationURL", {
+            "xml:lang" => "it"
+        }
+        org_url.text = settings.organization['org_url']
+        #ContactPerson per sp aggregato
+        if settings.aggregato
+          contact_person_aggregatore = root.add_element "md:ContactPerson", {
+            "contactType" => "other",
+            "ciam:entityType" => "ciam:aggregator"
+          }
+          company = contact_person_aggregatore.add_element "md:Company"
+          company.text = settings.hash_aggregatore['soggetto_aggregatore']
+          extensions_aggregatore = contact_person_aggregatore.add_element "md:Extensions"
+          vat_number_aggregatore = extensions_aggregatore.add_element "ciam:VATNumber"
+          vat_number_aggregatore.text = settings.hash_aggregatore['piva_aggregatore']
+          ipa_code_aggregatore = extensions_aggregatore.add_element "ciam:IPACode"
+          ipa_code_aggregatore.text = settings.hash_aggregatore['cipa_aggregatore']
+          fiscal_code_aggregatore = extensions_aggregatore.add_element "ciam:FiscalCode"
+          fiscal_code_aggregatore.text = settings.hash_aggregatore['cf_aggregatore']
+          contact_person_aggregato = root.add_element "md:ContactPerson", {
+            "contactType" => "other",
+            "ciam:entityType" => "ciam:aggregated"
+          }
+          company = contact_person_aggregato.add_element "md:Company"
+          company.text = settings.organization['org_name']
+          extensions_aggregato = contact_person_aggregato.add_element "md:Extensions"
+          unless settings.hash_aggregatore['soggetto_aggregato']['vat_number'].blank?
+            vat_number_aggregato = extensions_aggregato.add_element "ciam:VATNumber"
+            vat_number_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['vat_number']
+          end
+          unless settings.hash_aggregatore['soggetto_aggregato']['ipa_code'].blank?
+            ipa_code_aggregato = extensions_aggregato.add_element "ciam:IPACode"
+            ipa_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['ipa_code']
+          end
+          unless settings.hash_aggregatore['soggetto_aggregato']['fiscal_code'].blank?
+            fiscal_code_aggregato = extensions_aggregato.add_element "ciam:FiscalCode"
+            fiscal_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['fiscal_code']
+          end
+        end
+        #meta_doc << REXML::XMLDecl.new(version='1.0', encoding='UTF-8')
+        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+        #SE SERVE ANCHE ENCRYPTION
+        # # Add KeyDescriptor if messages will be signed / encrypted
+        #
+        # if cert
+        #   cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
+        #   kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+        #   ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+        #   xd = ki.add_element "ds:X509Data"
+        #   xc = xd.add_element "ds:X509Certificate"
+        #   xc.text = cert_text
+        #   kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+        #   ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+        #   xd2 = ki2.add_element "ds:X509Data"
+        #   xc2 = xd2.add_element "ds:X509Certificate"
+        #   xc2.text = cert_text
+        # end
+        #cert = settings.get_sp_cert
+        cert = settings.get_cert(settings.sp_cert) #inserisco il certificato principale
+        # embed signature
+        if settings.metadata_signed && settings.sp_private_key && settings.sp_cert
+          private_key = settings.get_sp_key
+          meta_doc.sign_document(private_key, cert)
+        end
+        ret = ""
+        # stampo come stringa semplice i metadata per non avere problemi con validazione firma
+        ret = meta_doc.to_s
+        #Logging.debug "Generated metadata:\n#{ret}"
+        return ret
+      end
+      def create_sso_request(message, extra_parameters = {} )
+        build_message( :type => "SAMLRequest",
+            :service => "SingleSignOnService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      def create_sso_response(message, extra_parameters = {} )
+        build_message( :type => "SAMLResponse",
+            :service => "SingleSignOnService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      def create_slo_request(message, extra_parameters = {} )
+        build_message( :type => "SAMLRequest",
+            :service => "SingleLogoutService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      def create_slo_response(message, extra_parameters = {} )
+        build_message( :type => "SAMLResponse",
+            :service => "SingleLogoutService",
+            :message => message, :extra_parameters => extra_parameters)
+      end
+      # Construct a SAML message using information in the IdP metadata.
+      # :type can be either "SAMLRequest" or "SAMLResponse"
+      # :service refers to the Binding method,
+      #    either "SingleLogoutService" or "SingleSignOnService"
+      # :message is the SAML message itself (XML)
+      # I've provided easy to use wrapper functions above
+      def build_message( options = {} )
+        opt = { :type => nil, :service => nil, :message => nil, :extra_parameters => nil }.merge(options)
+        url = binding_select( opt[:service] )
+        return message_get( opt[:type], url, opt[:message], opt[:extra_parameters] )
+      end
+      # get the IdP metadata, and select the appropriate SSO binding
+      # that we can support.  Currently this is HTTP-Redirect and HTTP-POST
+      # but more could be added in the future
+      def binding_select(service)
+        # first check if we're still using the old hard coded method for
+        # backwards compatability
+        if service == "SingleSignOnService" && @settings.idp_sso_target_url != nil
+            return @settings.idp_sso_target_url
+        end
+        if service == "SingleLogoutService" && @settings.idp_slo_target_url != nil
+            return  @settings.idp_slo_target_url
+        end
+        meta_doc = get_idp_metadata
+        return nil unless meta_doc
+        # first try GET (REDIRECT)
+        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
+        if !sso_element.nil?
+          @URL = sso_element.attributes["Location"]
+          Logging.debug "binding_select: GET from #{@URL}"
+          return @URL
+        end
+        # next try post
+        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_POST}']")
+        if !sso_element.nil?
+          @URL = sso_element.attributes["Location"]
+          #Logging.debug "binding_select: POST to #{@URL}"
+          return @URL
+        end
+        # other types we might want to add in the future:  SOAP, Artifact
+      end
+      def fetch(uri_str, limit = 10)
+        # You should choose a better exception.
+        raise ArgumentError, 'too many HTTP redirects' if limit == 0
+        uri = URI.parse(uri_str)
+        if uri.scheme == "http"
+          response = Net::HTTP.get_response(uri)
+        elsif uri.scheme == "https"
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          # Most IdPs will probably use self signed certs
+          #http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          get = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(get)
+        end
+        case response
+        when Net::HTTPSuccess then
+          response
+        when Net::HTTPRedirection then
+          location = response['location']
+          warn "redirected to #{location}"
+          fetch(location, limit - 1)
+        else
+          response.value
+        end
+      end
+      # Retrieve the remote IdP metadata from the URL or a cached copy
+      # returns a REXML document of the metadata
+      def get_idp_metadata
+        return false if @settings.idp_metadata.nil?
+        # Look up the metdata in cache first
+        id = Digest::MD5.hexdigest(@settings.idp_metadata)
+        response = fetch(@settings.idp_metadata)
+        #meta_text = response.body
+        #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
+        #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
+        doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
+        doc_noko.remove_namespaces!
+        extract_certificate(doc_noko)
+        doc_rexml = REXML::Document.new(doc_noko.to_xml)
+        return doc_rexml
+        # USE OF CACHE WITH CERTIFICATE
+        # lookup = @cache.read(id)
+        # if lookup != nil
+        #   Logging.debug "IdP metadata cached lookup for #{@settings.idp_metadata}"
+        #   doc = REXML::Document.new( lookup )
+        #   extract_certificate( doc )
+        #   return doc
+        # end
+        # Logging.debug "IdP metadata cache miss on #{@settings.idp_metadata}"
+        # # cache miss
+        # if File.exists?(@settings.idp_metadata)
+        #   fp = File.open( @settings.idp_metadata, "r")
+        #   meta_text = fp.read
+        # else
+        #   uri = URI.parse(@settings.idp_metadata)
+        #   if uri.scheme == "http"
+        #     response = Net::HTTP.get_response(uri)
+        #     meta_text = response.body
+        #   elsif uri.scheme == "https"
+        #     http = Net::HTTP.new(uri.host, uri.port)
+        #     http.use_ssl = true
+        #     # Most IdPs will probably use self signed certs
+        #     #http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        #     http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        #     get = Net::HTTP::Get.new(uri.request_uri)
+        #     response = http.request(get)
+        #     meta_text = response.body
+        #   end
+        # end
+        # # Add it to the cache
+        # @cache.write(id, meta_text, @settings.idp_metadata_ttl )
+        # doc = REXML::Document.new( meta_text )
+        # extract_certificate(doc)
+        # return doc
+      end
+      def extract_certificate(meta_doc)
+        #ricerco il certificato con nokogiri
+        # pull out the x509 tag
+        x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
+        #x509 = REXML::XPath.first(meta_doc, "/md:EntityDescriptor/md:IDPSSODescriptor"+"/md:KeyDescriptor"+"/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
+        # If the IdP didn't specify the use attribute
+        if x509.nil?
+          x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
+          # x509 = REXML::XPath.first(meta_doc,
+          #       "/EntityDescriptor/IDPSSODescriptor" +
+          #     "/KeyDescriptor" +
+          #     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
+          #   )
+        end
+        @settings.idp_cert = x509.children.to_s.gsub(/\n/, "").gsub(/\t/, "")
+      end
+      # construct the parameter list on the URL and return
+      def message_get( type, url, message, extra_parameters = {} )
+        params = Hash.new
+        if extra_parameters
+          params.merge!(extra_parameters)
+        end
+        # compress GET requests to try and stay under that 8KB request limit
+        #deflate of samlrequest
+        params[type] = encode( deflate( message ) )
+        #Logging.debug "#{type}=#{params[type]}"
+        uri = Addressable::URI.parse(url)
+        if uri.query_values == nil
+          uri.query_values = params
+        else
+          # solution to stevenwilkin's parameter merge
+          uri.query_values = params.merge(uri.query_values)
+        end
+        url = uri.to_s
+        #Logging.debug "Sending to URL #{url}"
+        return url
+      end
+    end
+  end
+end