cie-es 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1fddb69bc580ee945fdf740e072a06a43f13133bc821e65cd4c16ebde05a8490
+  data.tar.gz: 1ebb454f25165f5916887b4742eeaf0e8a1c9b823bd2377a8c5b12e70d4ac595
+SHA512:
+  metadata.gz: 5f6a34790df5ebf8d9d0bf06e71167e34550b2c972cf113c881d92a86dd96bae9b164b15c2891e20ab3a3f0c67a6c8f18906fcec5c8baca0cf287b352e209c0e
+  data.tar.gz: e352e080c27f29fc4b214d99466ff75d5e38f2d680fad4d60140865084038d89c308e60c44b804abafbddb961a6c4b4017eb6cbd00de9b1521521be028b531e5

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+gemspec
+

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,126 @@
+# CIE Euro Servizi
+
+La libreria è un fork della libreria Ruby SAML e serve per l'integrazione di un client (Service Provider) con l'autenticazione CIE (Carta d'Identità Elettronica)
+Utilizza lo standard SAML 2 come previsto dalla normativa 
+
+## Fase iniziale
+
+Azione di partenza in cui viene creata la request da inviare all'idp e viene fatto un redirect all'identity provider.
+
+```ruby
+    def init
+        #creo un istanza di Cie::Saml::Authrequest
+        saml_settings = get_saml_settings
+        #create an instance of Cie::Saml::Authrequest
+        request = Cie::Saml::Authrequest.new(saml_settings)
+        auth_request = request.create
+        # Based on the IdP metadata, select the appropriate binding 
+        # and return the action to perform to the controller
+        meta = Cie::Saml::Metadata.new(saml_settings)
+        signature = get_signature(auth_request.uuid,auth_request.request,"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
+        sso_request = meta.create_sso_request( auth_request.request, {  :RelayState   => request.uuid,
+                                                                        :SigAlg       => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+                                                                        :Signature    => signature } )
+        redirect_to sso_request
+    end
+
+```
+## Generazione della firma
+
+```ruby
+    def get_signature(relayState, request, sigAlg)
+        #url encode relayState
+        relayState_encoded = escape(relayState)
+        #deflate e base64 della samlrequest
+        deflate_request_B64 = encode(deflate(request))
+        #url encode della samlrequest
+        deflate_request_B64_encoded = escape(deflate_request_B64)
+        #url encode della sigAlg
+        sigAlg_encoded = escape(sigAlg)
+        querystring="SAMLRequest=#{deflate_request_B64_encoded}&RelayState=#{relayState_encoded}&SigAlg=#{sigAlg_encoded}"
+        #puts "**QUERYSTRING** = "+querystring
+        digest = OpenSSL::Digest::SHA256.new(querystring.strip) #sha2 a 256
+        chiave_privata = xxxxxx  #path della chiave privata con cui firmare 
+        pk = OpenSSL::PKey::RSA.new File.read(chiave_privata) #chiave privata
+        qssigned = pk.sign(digest,querystring.strip)
+        Base64.encode64(qssigned).gsub(/\n/, "")
+    end
+```
+
+
+Questo metodo è l'endpoint impostato a livello di metadata del service provider come 'assertion consumer', riceve la response saml con i dati della CIE degli utenti. 
+
+```ruby
+    def assertion_consumer
+        #id dell' idp che manda response (es: 'infocert','poste')
+        provider_id = @request.params['ProviderID']
+        #response saml inviata dall'idp
+        saml_response = @request.params['SAMLResponse'] 
+        if !saml_response.nil? 
+            #assegno i settaggi
+            settings = get_saml_settings
+            #creo un oggetto response
+            response = Cie::Saml::Response.new(saml_response)
+            #assegno alla response i settaggi
+            response.settings = settings
+            #estraggo dal Base64 l'xml
+            saml_response_dec = Base64.decode64(saml_response)
+            #puts "**SAML RESPONSE DECODIFICATA: #{saml_response_dec}"
+
+            #validation of response
+            if response.is_valid? 
+                attributi_utente = response.attributes
+                ...
+            else
+                #autenticazione fallita!
+            end
+      end
+    end  
+```
+
+Questo metodo va a impostare le varie configurazioni che servono per connettersi all'idp.
+
+```ruby
+    def get_saml_settings  
+        settings = Cie::Saml::Settings.new
+        settings.assertion_consumer_service_url    #= ...String, url dell' assertion consumer al quale arriva la response dell' idp.
+        settings.issuer                            #= ...String, host del service provider o url dei metadata.
+        settings.sp_cert                           #= ...String, path del certificato pubblico in formato pem.
+        settings.sp_private_key                    #= ...String, path della chiave privata in formato pem.
+        settings.single_logout_service_url         #= ...String, url del servizio di logout dell'idp.
+        settings.sp_name_qualifier                 #= ...String, nome qualificato del service provider o url dei metadata.
+        settings.idp_name_qualifier                #= ...String, nome qualificato dell' identity provider o url dei metadata dell' idp.
+        settings.name_identifier_format            #= ...Array, formato di nomi ( impostare: ["urn:oasis:names:tc:SAML:2.0:nameid-format:transient"] ).
+        settings.destination_service_url           #= ...String, url del servizio per l'identity provider, usato come proxy per il sso.
+        settings.single_logout_destination         #= ...String, url di destinazione per la request logout. 
+        settings.authn_context                     #= ...Array, tipi di autorizzazioni permesse (impostare: ["urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", 
+                                                                "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]).
+        settings.requester_identificator           #= ...Array con id dei richiedenti (non usato).
+        settings.skip_validation                   #= ...Bool, imposta se evitare la validazione della response o delle asserzioni (false).
+        settings.idp_sso_target_url                #= ...String, url target del sso dell' identity provider.
+        settings.idp_metadata                      #= ...String, url dei metadata dell' idp.
+        settings.requested_attribute               #= ...Array, contiene i nomi dei campi richiesti dal servizio nei metadata.
+        settings.metadata_signed                   #= ...String, imposta se firmare i metadata.
+        settings.organization                      #= ...Hash, contiene nome breve (org_name), nome esteso (org_display_name) e url (org_url) 
+                                                               dell' organizzazione fornitore di servizi.
+        settings
+    end  
+```
+
+
+
+## Service Provider Metadata
+
+Per una relazione sicura con l'idp, il Service Provider deve fornire i metadata in formato xml.
+La classe Cie::Saml::Metadata legge i settaggi e fornisce l'xml richiesto dagli idp.
+
+```ruby
+    def sp_metadata
+        settings = get_saml_settings
+        meta = Cie::Saml::Metadata.new
+        
+        @response.headers['Content-Type'] = 'application/samlmetadata+xml'
+        $out << meta.generate(settings)
+    end
+```
+

data/Rakefile

@@ -0,0 +1,41 @@
+require 'rubygems'
+require 'rake'
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test
+
+task :default => :test
+
+# require 'rake/rdoctask'
+# Rake::RDocTask.new do |rdoc|
+#   if File.exist?('VERSION')
+#     version = File.read('VERSION')
+#   else
+#     version = ""
+#   end
+
+#   rdoc.rdoc_dir = 'rdoc'
+#   rdoc.title = "ruby-saml #{version}"
+#   rdoc.rdoc_files.include('README*')
+#   rdoc.rdoc_files.include('lib/**/*.rb')
+#end

data/cie-es.gemspec

@@ -0,0 +1,22 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+
+Gem::Specification.new do |s|
+  s.name = 'cie-es'
+  s.version = '0.0.1'
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Fabiano Pavan"]
+  s.date = Time.now.strftime("%Y-%m-%d")
+  s.description = "Libreria ruby per autenticazione con CIE"
+  s.email = %q{fabiano.pavan@soluzionipa.it}
+  s.files = `git ls-files`.split("\n")
+  s.homepage = %q{https://github.com/EuroServizi/cie-es}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.summary = %q{SAML Ruby Toolkit Cie}
+  s.license = "MIT"
+
+  s.add_runtime_dependency("canonix", ["0.1.1"])
+  s.add_runtime_dependency("uuid", ["~> 2.3"])
+
+end

data/lib/cie/ruby-saml/authrequest.rb

@@ -0,0 +1,205 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+require "rubygems"
+require "addressable/uri"
+
+module Cie::Saml
+  include REXML
+  class Authrequest
+    # a few symbols for SAML class names
+    HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+    HTTP_GET = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+    
+    attr_accessor :uuid, :request, :issue_instant
+
+    def initialize( settings )
+      @settings = settings
+      @request_params = Hash.new
+    end
+    
+    def create(params = {})
+      uuid = "_" + UUID.new.generate
+      self.uuid = uuid
+      time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+      self.issue_instant = time
+      # Create AuthnRequest root element using REXML 
+      request_doc = Cie::XMLSecurityNew::Document.new
+      request_doc.context[:attribute_quote] = :quote
+      root = request_doc.add_element "saml2p:AuthnRequest", { "xmlns:saml2p" => "urn:oasis:names:tc:SAML:2.0:protocol", 
+                                                              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+                                                             }
+      root.attributes['ID'] = uuid
+      root.attributes['IssueInstant'] = time
+      root.attributes['Version'] = "2.0"
+      #root.attributes['ProtocolBinding'] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      root.attributes['AttributeConsumingServiceIndex'] = @settings.assertion_consumer_service_index
+      root.attributes['ForceAuthn'] = "true"
+      #root.attributes['IsPassive'] = "false"
+      #usato AssertionConsumerServiceURL e ProtocolBinding in alternativa, pag 8 regole tecniche
+      root.attributes['AssertionConsumerServiceIndex'] = @settings.attribute_consuming_service_index
+
+      #Tolto, utilizzo AssertionConsumerServiceIndex
+      # # Conditionally defined elements based on settings
+      # if @settings.assertion_consumer_service_url != nil
+      #   root.attributes["AssertionConsumerServiceURL"] = @settings.assertion_consumer_service_url
+      # end
+
+      if @settings.destination_service_url != nil
+        root.attributes["Destination"] = @settings.destination_service_url
+      end
+
+      unless @settings.issuer.blank?
+        issuer = root.add_element "saml:Issuer"
+        issuer.attributes['NameQualifier'] =  @settings.issuer #non metto @settings.sp_name_qualifier, questo valore deve essere uguale al 
+        #entityID dei metadata che usa @settings.issuer
+        issuer.text = @settings.issuer
+      end
+
+      #opzionale
+      unless @settings.sp_name_qualifier.blank?
+        subject = root.add_element "saml:Subject"
+        name_id = subject.add_element "saml:NameID"
+        name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        name_id.attributes['NameQualifier'] = @settings.sp_name_qualifier
+        name_id.text = @settings.sp_name_identifier
+      end
+
+
+
+      if @settings.name_identifier_format != nil
+        root.add_element "saml2p:NameIDPolicy", { 
+            # Might want to make AllowCreate a setting?
+            #{}"AllowCreate"     => "true",
+            "Format"          => @settings.name_identifier_format[0]
+        }
+      end
+
+      # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+      # match required for authentication to succeed.  If this is not defined, 
+      # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+      if @settings.authn_context != nil
+        requested_context = root.add_element "saml2p:RequestedAuthnContext", { 
+          "Comparison" => "minimum"
+        }
+        context_class = []
+        @settings.authn_context.each_with_index{ |context, index|
+          context_class[index] = requested_context.add_element "saml:AuthnContextClassRef"
+          context_class[index].text = context
+        }
+        
+      end
+
+      if @settings.requester_identificator != nil
+        requester_identificator = root.add_element "saml2p:Scoping", { 
+          "ProxyCount" => "0"
+        }
+        identificators = []
+        @settings.requester_identificator.each_with_index{ |requester, index|
+          identificators[index] = requester_identificator.add_element "saml2p:RequesterID"
+          identificators[index].text = requester
+        }
+        
+      end
+
+      request_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+      
+      #LA FIRMA VA MESSA SOLO NEL CASO CON HTTP POST
+      # cert = @settings.get_sp_cert
+      #   # embed signature
+      #   if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+      #     private_key = @settings.get_sp_key
+      #     request_doc.sign_document(private_key, cert)
+      #   end
+
+      # stampo come stringa semplice i metadata per non avere problemi con validazione firma
+      #ret = request_doc.to_s
+
+      @request = request_doc.to_s
+
+      #Logging.debug "Created AuthnRequest: #{@request}"
+
+      return self
+
+    end
+  
+    # get the IdP metadata, and select the appropriate SSO binding
+    # that we can support.  Currently this is HTTP-Redirect and HTTP-POST
+    # but more could be added in the future
+    def binding_select
+      # first check if we're still using the old hard coded method for 
+      # backwards compatability
+      if @settings.idp_metadata == nil && @settings.idp_sso_target_url != nil
+        @URL = @settings.idp_sso_target_url
+        return "GET", content_get
+      end
+      # grab the metadata
+      metadata = Metadata::new
+      meta_doc = metadata.get_idp_metadata(@settings)
+      
+      # first try POST
+      sso_element = REXML::XPath.first(meta_doc,
+        "/EntityDescriptor/IDPSSODescriptor/SingleSignOnService[@Binding='#{HTTP_POST}']")
+      if sso_element 
+        @URL = sso_element.attributes["Location"]
+        #Logging.debug "binding_select: POST to #{@URL}"
+        return "POST", content_post
+      end
+      
+      # next try GET
+      sso_element = REXML::XPath.first(meta_doc,
+        "/EntityDescriptor/IDPSSODescriptor/SingleSignOnService[@Binding='#{HTTP_GET}']")
+      if sso_element 
+        @URL = sso_element.attributes["Location"]
+        Logging.debug "binding_select: GET from #{@URL}"
+        return "GET", content_get
+      end
+      # other types we might want to add in the future:  SOAP, Artifact
+    end
+    
+    # construct the the parameter list on the URL and return
+    def content_get
+      # compress GET requests to try and stay under that 8KB request limit
+      deflated_request  = Zlib::Deflate.deflate(@request, 9)[2..-5]
+      # strict_encode64() isn't available?  sub out the newlines
+      @request_params["SAMLRequest"] = Base64.encode64(deflated_request).gsub(/\n/, "")
+      
+      Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+      uri = Addressable::URI.parse(@URL)
+      if uri.query_values == nil
+        uri.query_values = @request_params
+      else
+        # solution to stevenwilkin's parameter merge
+        uri.query_values = @request_params.merge(uri.query_values)
+      end
+      url = uri.to_s
+      #Logging.debug "Sending to URL #{url}"
+      return url
+    end
+    # construct an HTML form (POST) and return the content
+    def content_post
+      # POST requests seem to bomb out when they're deflated
+      # and they probably don't need to be compressed anyway
+      @request_params["SAMLRequest"] = Base64.encode64(@request).gsub(/\n/, "")
+      
+      #Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+      # kind of a cheesy method of building an HTML, form since we can't rely on Rails too much,
+      # and REXML doesn't work well with quote characters
+      str = "<html><body onLoad=\"document.getElementById('form').submit();\">\n"
+      str += "<form id='form' name='form' method='POST' action=\"#{@URL}\">\n"
+      # we could change this in the future to associate a temp auth session ID
+      str += "<input name='RelayState' value='ruby-saml' type='hidden' />\n"
+      @request_params.each_pair do |key, value|
+        str += "<input name=\"#{key}\" value=\"#{value}\" type='hidden' />\n"
+        #str += "<input name=\"#{key}\" value=\"#{CGI.escape(value)}\" type='hidden' />\n"
+      end
+      str += "</form></body></html>\n"
+      
+      #Logging.debug "Created form:\n#{str}"
+      return str
+    end
+  end
+end

data/lib/cie/ruby-saml/coding.rb

@@ -0,0 +1,34 @@
+require "cgi"
+require 'zlib'
+
+module Cie
+  module Saml
+    module Coding
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def encode(encoded)
+        Base64.strict_encode64(encoded)
+      end
+
+      def escape(unescaped)
+        CGI.escape(unescaped)
+      end
+
+      def unescape(escaped)
+        CGI.unescape(escaped)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
+    end
+  end
+end

data/lib/cie/ruby-saml/error_handling.rb

@@ -0,0 +1,27 @@
+require "cie/ruby-saml/validation_error"
+
+module Cie
+  module Saml
+    module ErrorHandling
+      attr_accessor :errors
+
+      # Append the cause to the errors array, and based on the value of soft, return false or raise
+      # an exception. soft_override is provided as a means of overriding the object's notion of
+      # soft for just this invocation.
+      def append_error(error_msg, soft_override = nil)
+        @errors << error_msg
+
+        unless soft_override.nil? ? soft : soft_override
+          raise ValidationError.new(error_msg)
+        end
+
+        false
+      end
+
+      # Reset the errors array
+      def reset_errors!
+        @errors = []
+      end
+    end
+  end
+end

data/lib/cie/ruby-saml/logging.rb

@@ -0,0 +1,26 @@
+# Simplistic log class when we're running in Rails
+module Cie
+  module Saml
+    class Logging
+      def self.debug(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+
+      def self.info(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+  end
+end

data/lib/cie/ruby-saml/logout_request.rb

@@ -0,0 +1,126 @@
+require 'uuid'
+
+module Cie::Saml
+  class LogoutRequest
+    ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+    PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+    DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+    
+    include Coding
+    include Request
+    attr_reader :transaction_id
+    attr_accessor :settings
+  
+    def initialize( options = {} )
+      opt = {  :request => nil, :settings => nil  }.merge(options)
+      @settings = opt[:settings]
+      @issue_instant = Cie::Saml::LogoutRequest.timestamp
+      @request_params = Hash.new
+       # We need to generate a LogoutRequest to send to the IdP
+      if opt[:request].nil?
+        @transaction_id = UUID.new.generate
+      # The IdP sent us a LogoutRequest (IdP initiated SLO)
+      else
+        begin
+          @request = Cie::XMLSecurity::SignedDocument.new( decode( opt[:request] ))
+          raise if @request.nil?
+          raise if @request.root.nil?
+          raise if @request.root.namespace != PROTOCOL
+        rescue
+          @request = Cie::XMLSecurity::SignedDocument.new( inflate( decode( opt[:request] ) ) )
+        end
+        Logging.debug "LogoutRequest is: \n#{@request}"
+      end 
+    end
+
+    def create( options = {} )
+      opt = { :name_id => nil, :session_index => nil, :extra_parameters => nil  }.merge(options)
+      return nil unless opt[:name_id]
+      
+      @request = REXML::Document.new
+      @request.context[:attribute_quote] = :quote
+      
+                                
+      root = @request.add_element "saml2p:LogoutRequest", { "xmlns:saml2p" => PROTOCOL }
+      root.attributes['ID'] = @transaction_id
+      root.attributes['IssueInstant'] = @issue_instant
+      root.attributes['Version'] = "2.0"
+      root.attributes['Destination'] = @settings.single_logout_destination
+      
+      issuer = root.add_element "saml2:Issuer", { "xmlns:saml2" => ASSERTION  }
+      issuer.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+      #issuer.text = @settings.issuer
+      #per la federazione trentina qui ci vanno i metadati...
+      issuer.text = @settings.idp_metadata
+
+      name_id = root.add_element "saml2:NameID", { "xmlns:saml2" => ASSERTION }
+      name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      name_id.attributes['NameQualifier'] = @settings.idp_name_qualifier
+      name_id.text = opt[:name_id]
+      # I believe the rest of these are optional
+      if @settings && @settings.sp_name_qualifier
+        name_id.attributes["SPNameQualifier"] = @settings.sp_name_qualifier
+      end
+      if opt[:session_index] 
+        session_index = root.add_element "saml2p:SessionIndex" #, { "xmlns:samlp" => PROTOCOL }
+        session_index.text = opt[:session_index]
+      end
+      Logging.debug "Created LogoutRequest: #{@request}"
+      meta = Metadata.new(@settings)
+      return meta.create_slo_request( to_s, opt[:extra_parameters] )
+      #action, content =  binding_select("SingleLogoutService")
+      #Logging.debug "action: #{action} content: #{content}"
+      #return [action, content]
+     end
+
+  # function to return the created request as an XML document
+    def to_xml
+    text = ""
+    @request.write(text, 1)
+      return text
+    end
+   def to_s
+     @request.to_s
+   end
+    # Functions for pulling values out from an IdP initiated LogoutRequest
+  def name_id 
+    element = REXML::XPath.first(@request, "/p:LogoutRequest/a:NameID", { 
+        "p" => PROTOCOL, "a" => ASSERTION } )
+    return nil if element.nil?
+    # Can't seem to get this to work right...
+    #element.context[:compress_whitespace] = ["NameID"]
+    #element.context[:compress_whitespace] = :all
+    str = element.text.gsub(/^\s+/, "")
+    str.gsub!(/\s+$/, "")
+    return str
+  end
+  
+  def transaction_id
+    return @transaction_id if @transaction_id 
+    element = REXML::XPath.first(@request, "/p:LogoutRequest", { 
+        "p" => PROTOCOL} )
+    return nil if element.nil?
+    return element.attributes["ID"]
+  end
+  def is_valid?
+    validate(soft = true)
+  end
+  
+  def validate!
+    validate( soft = false )
+  end
+  def validate( soft = true )
+    return false if @request.nil?
+      return false if @request.validate(@settings, soft) == false
+    
+    return true
+    
+  end
+    private 
+    
+    def self.timestamp
+      Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+   
+  end
+end