RubyGems - kl-ruby-saml - Versions diffs - 0.0.1 - Mend

kl-ruby-saml 0.0.1

Files changed (137) hide show

checksums.yaml +7 -0
data/.document +5 -0
data/.gitignore +14 -0
data/.travis.yml +17 -0
data/Gemfile +9 -0
data/LICENSE +19 -0
data/README.md +575 -0
data/Rakefile +41 -0
data/changelog.md +75 -0
data/gemfiles/nokogiri-1.5.gemfile +5 -0
data/lib/onelogin/ruby-saml.rb +17 -0
data/lib/onelogin/ruby-saml/attribute_service.rb +57 -0
data/lib/onelogin/ruby-saml/attributes.rb +128 -0
data/lib/onelogin/ruby-saml/authrequest.rb +156 -0
data/lib/onelogin/ruby-saml/http_error.rb +7 -0
data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +161 -0
data/lib/onelogin/ruby-saml/logging.rb +30 -0
data/lib/onelogin/ruby-saml/logoutrequest.rb +131 -0
data/lib/onelogin/ruby-saml/logoutresponse.rb +241 -0
data/lib/onelogin/ruby-saml/metadata.rb +123 -0
data/lib/onelogin/ruby-saml/response.rb +722 -0
data/lib/onelogin/ruby-saml/saml_message.rb +158 -0
data/lib/onelogin/ruby-saml/settings.rb +165 -0
data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +258 -0
data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +136 -0
data/lib/onelogin/ruby-saml/utils.rb +172 -0
data/lib/onelogin/ruby-saml/validation_error.rb +7 -0
data/lib/onelogin/ruby-saml/version.rb +5 -0
data/lib/ruby-saml.rb +1 -0
data/lib/schemas/saml-schema-assertion-2.0.xsd +283 -0
data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
data/lib/schemas/saml-schema-metadata-2.0.xsd +337 -0
data/lib/schemas/saml-schema-protocol-2.0.xsd +302 -0
data/lib/schemas/sstc-metadata-attr.xsd +35 -0
data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
data/lib/schemas/xenc-schema.xsd +136 -0
data/lib/schemas/xml.xsd +287 -0
data/lib/schemas/xmldsig-core-schema.xsd +309 -0
data/lib/xml_security.rb +358 -0
data/ruby-saml.gemspec +57 -0
data/test/certificates/certificate1 +12 -0
data/test/certificates/certificate_without_head_foot +1 -0
data/test/certificates/formatted_certificate +14 -0
data/test/certificates/formatted_private_key +12 -0
data/test/certificates/formatted_rsa_private_key +12 -0
data/test/certificates/invalid_certificate1 +1 -0
data/test/certificates/invalid_certificate2 +1 -0
data/test/certificates/invalid_certificate3 +12 -0
data/test/certificates/invalid_private_key1 +1 -0
data/test/certificates/invalid_private_key2 +1 -0
data/test/certificates/invalid_private_key3 +10 -0
data/test/certificates/invalid_rsa_private_key1 +1 -0
data/test/certificates/invalid_rsa_private_key2 +1 -0
data/test/certificates/invalid_rsa_private_key3 +10 -0
data/test/certificates/ruby-saml.crt +14 -0
data/test/certificates/ruby-saml.key +15 -0
data/test/idp_metadata_parser_test.rb +95 -0
data/test/logging_test.rb +62 -0
data/test/logout_requests/invalid_slo_request.xml +6 -0
data/test/logout_requests/slo_request.xml +4 -0
data/test/logout_requests/slo_request.xml.base64 +1 -0
data/test/logout_requests/slo_request_deflated.xml.base64 +1 -0
data/test/logout_requests/slo_request_with_session_index.xml +5 -0
data/test/logout_responses/logoutresponse_fixtures.rb +67 -0
data/test/logoutrequest_test.rb +211 -0
data/test/logoutresponse_test.rb +258 -0
data/test/metadata_test.rb +203 -0
data/test/request_test.rb +282 -0
data/test/response_test.rb +1094 -0
data/test/responses/adfs_response_sha1.xml +46 -0
data/test/responses/adfs_response_sha256.xml +46 -0
data/test/responses/adfs_response_sha384.xml +46 -0
data/test/responses/adfs_response_sha512.xml +46 -0
data/test/responses/adfs_response_xmlns.xml +45 -0
data/test/responses/attackxee.xml +13 -0
data/test/responses/idp_descriptor.xml +3 -0
data/test/responses/invalids/invalid_audience.xml.base64 +1 -0
data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +1 -0
data/test/responses/invalids/invalid_issuer_message.xml.base64 +1 -0
data/test/responses/invalids/invalid_signature_position.xml.base64 +1 -0
data/test/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64 +1 -0
data/test/responses/invalids/invalid_subjectconfirmation_nb.xml.base64 +1 -0
data/test/responses/invalids/invalid_subjectconfirmation_noa.xml.base64 +1 -0
data/test/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64 +1 -0
data/test/responses/invalids/multiple_assertions.xml.base64 +2 -0
data/test/responses/invalids/multiple_signed.xml.base64 +1 -0
data/test/responses/invalids/no_id.xml.base64 +1 -0
data/test/responses/invalids/no_saml2.xml.base64 +1 -0
data/test/responses/invalids/no_signature.xml.base64 +1 -0
data/test/responses/invalids/no_status.xml.base64 +1 -0
data/test/responses/invalids/no_status_code.xml.base64 +1 -0
data/test/responses/invalids/no_subjectconfirmation_data.xml.base64 +1 -0
data/test/responses/invalids/no_subjectconfirmation_method.xml.base64 +1 -0
data/test/responses/invalids/response_encrypted_attrs.xml.base64 +1 -0
data/test/responses/invalids/response_invalid_signed_element.xml.base64 +1 -0
data/test/responses/invalids/status_code_responder.xml.base64 +1 -0
data/test/responses/invalids/status_code_responer_and_msg.xml.base64 +1 -0
data/test/responses/no_signature_ns.xml +48 -0
data/test/responses/open_saml_response.xml +56 -0
data/test/responses/response_assertion_wrapped.xml.base64 +93 -0
data/test/responses/response_encrypted_nameid.xml.base64 +1 -0
data/test/responses/response_eval.xml +7 -0
data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
data/test/responses/response_unsigned_xml_base64 +1 -0
data/test/responses/response_with_ampersands.xml +139 -0
data/test/responses/response_with_ampersands.xml.base64 +93 -0
data/test/responses/response_with_multiple_attribute_values.xml +67 -0
data/test/responses/response_with_saml2_namespace.xml.base64 +102 -0
data/test/responses/response_with_signed_assertion.xml.base64 +66 -0
data/test/responses/response_with_signed_assertion_2.xml.base64 +1 -0
data/test/responses/response_with_undefined_recipient.xml.base64 +1 -0
data/test/responses/response_without_attributes.xml.base64 +79 -0
data/test/responses/response_wrapped.xml.base64 +150 -0
data/test/responses/signed_message_encrypted_signed_assertion.xml.base64 +1 -0
data/test/responses/signed_message_encrypted_unsigned_assertion.xml.base64 +1 -0
data/test/responses/simple_saml_php.xml +71 -0
data/test/responses/starfield_response.xml.base64 +1 -0
data/test/responses/test_sign.xml +43 -0
data/test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64 +1 -0
data/test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64 +1 -0
data/test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64 +1 -0
data/test/responses/unsigned_message_des192_encrypted_signed_assertion.xml.base64 +1 -0
data/test/responses/unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64 +1 -0
data/test/responses/unsigned_message_encrypted_signed_assertion.xml.base64 +1 -0
data/test/responses/unsigned_message_encrypted_unsigned_assertion.xml.base64 +1 -0
data/test/responses/valid_response.xml.base64 +1 -0
data/test/saml_message_test.rb +56 -0
data/test/settings_test.rb +218 -0
data/test/slo_logoutrequest_test.rb +275 -0
data/test/slo_logoutresponse_test.rb +185 -0
data/test/test_helper.rb +252 -0
data/test/utils_test.rb +145 -0
data/test/xml_security_test.rb +329 -0
metadata +415 -0

data/test/metadata_test.rb ADDED Viewed

@@ -0,0 +1,203 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'onelogin/ruby-saml/metadata'
+class MetadataTest < Minitest::Test
+  describe 'Metadata' do
+    let(:settings)          { OneLogin::RubySaml::Settings.new }
+    let(:xml_text)          { OneLogin::RubySaml::Metadata.new.generate(settings, false) }
+    let(:xml_doc)           { REXML::Document.new(xml_text) }
+    let(:spsso_descriptor)  { REXML::XPath.first(xml_doc, "//md:SPSSODescriptor") }
+    let(:acs)               { REXML::XPath.first(xml_doc, "//md:AssertionConsumerService") }
+    before do
+      settings.issuer = "https://example.com"
+      settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
+    end
+    it "generates Pretty Print Service Provider Metadata" do
+      xml_text = OneLogin::RubySaml::Metadata.new.generate(settings, true)
+      # assert correct xml declaration
+      start = "<?xml version='1.0' encoding='UTF-8'?>\n<md:EntityDescriptor"
+      assert_equal xml_text[0..start.length-1],start
+      assert_equal "https://example.com", REXML::XPath.first(xml_doc, "//md:EntityDescriptor").attribute("entityID").value
+      assert_equal "urn:oasis:names:tc:SAML:2.0:protocol", spsso_descriptor.attribute("protocolSupportEnumeration").value
+      assert_equal "false", spsso_descriptor.attribute("AuthnRequestsSigned").value
+      assert_equal "false", spsso_descriptor.attribute("WantAssertionsSigned").value
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", REXML::XPath.first(xml_doc, "//md:NameIDFormat").text.strip
+      assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
+      assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value
+      assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+    end
+    it "generates Service Provider Metadata" do
+      settings.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      settings.single_logout_service_url = "https://foo.example/saml/sls"
+      xml_metadata = OneLogin::RubySaml::Metadata.new.generate(settings, false)
+      start = "<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor"
+      assert_equal xml_metadata[0..start.length-1],start
+      doc_metadata = REXML::Document.new(xml_metadata)
+      sls = REXML::XPath.first(doc_metadata, "//md:SingleLogoutService")
+      assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", sls.attribute("Binding").value
+      assert_equal "https://foo.example/saml/sls", sls.attribute("Location").value
+      assert_equal "https://foo.example/saml/sls", sls.attribute("ResponseLocation").value
+      assert_nil sls.attribute("isDefault")
+      assert_nil sls.attribute("index")
+      assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+    end
+    it "generates Service Provider Metadata with single logout service" do
+      start = "<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor"
+      assert_equal xml_text[0..start.length-1], start
+      assert_equal "https://example.com", REXML::XPath.first(xml_doc, "//md:EntityDescriptor").attribute("entityID").value
+      assert_equal "urn:oasis:names:tc:SAML:2.0:protocol", spsso_descriptor.attribute("protocolSupportEnumeration").value
+      assert_equal "false", spsso_descriptor.attribute("AuthnRequestsSigned").value
+      assert_equal "false", spsso_descriptor.attribute("WantAssertionsSigned").value
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", REXML::XPath.first(xml_doc, "//md:NameIDFormat").text.strip
+      assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
+      assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value
+      assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+    end
+    describe "when auth requests are signed" do
+      let(:key_descriptors) do
+        REXML::XPath.match(
+          xml_doc,
+          "//md:KeyDescriptor",
+          "md" => "urn:oasis:names:tc:SAML:2.0:metadata"
+        )
+      end
+      let(:cert_nodes) do
+        REXML::XPath.match(
+          xml_doc,
+          "//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+          "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+          "ds" => "http://www.w3.org/2000/09/xmldsig#"
+        )
+      end
+      let(:cert)  { OpenSSL::X509::Certificate.new(Base64.decode64(cert_nodes[0].text)) }
+      before do
+        settings.certificate = ruby_saml_cert_text
+      end
+      it "generates Service Provider Metadata with AuthnRequestsSigned" do
+        settings.security[:authn_requests_signed] = true
+        assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+        assert_equal ruby_saml_cert.to_der, cert.to_der
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+      it "generates Service Provider Metadata with X509Certificate for sign and encrypt" do
+        assert_equal 2, key_descriptors.length
+        assert_equal "signing", key_descriptors[0].attribute("use").value
+        assert_equal "encryption", key_descriptors[1].attribute("use").value
+        assert_equal 2, cert_nodes.length
+        assert_equal ruby_saml_cert.to_der, cert.to_der
+        assert_equal cert_nodes[0].text, cert_nodes[1].text
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+    end
+    describe "when attribute service is configured" do
+      let(:attr_svc)  { REXML::XPath.first(xml_doc, "//md:AttributeConsumingService") }
+      let(:req_attr)  { REXML::XPath.first(xml_doc, "//md:RequestedAttribute") }
+      before do
+        settings.attribute_consuming_service.configure do
+          service_name "Test Service"
+          add_attribute(:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => "Attribute Value")
+        end
+      end
+      it "generates attribute service" do
+        assert_equal "true", attr_svc.attribute("isDefault").value
+        assert_equal "1", attr_svc.attribute("index").value
+        assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test Service"
+        assert_equal "Name", req_attr.attribute("Name").value
+        assert_equal "Name Format", req_attr.attribute("NameFormat").value
+        assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
+        assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//saml:AttributeValue").text.strip
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+      describe "#service_name" do
+        before do
+          settings.attribute_consuming_service.service_name("Test2 Service")
+        end
+        it "change service name" do
+          assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test2 Service"
+        end
+      end
+      describe "#service_index" do
+        before do
+          settings.attribute_consuming_service.service_index(2)
+        end
+        it "change service index" do
+          assert_equal "2", attr_svc.attribute("index").value
+        end
+      end
+    end
+    describe "when the settings indicate to sign (embedded) metadata" do
+      before do
+        settings.security[:metadata_signed] = true
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+      it "creates a signed metadata" do
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], xml_text
+        signed_metadata = XMLSecurity::SignedDocument.new(xml_text)
+        assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+      describe "when digest and signature methods are specified" do
+        before do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+          settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        end
+        it "creates a signed metadata with specified digest and signature methods" do
+          assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
+          assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
+          assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], xml_text
+          signed_metadata_2 = XMLSecurity::SignedDocument.new(xml_text)
+          assert signed_metadata_2.validate_document(ruby_saml_cert_fingerprint, false)
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+        end
+      end
+    end
+  end
+end

data/test/request_test.rb ADDED Viewed

@@ -0,0 +1,282 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'onelogin/ruby-saml/authrequest'
+class RequestTest < Minitest::Test
+  describe "Authrequest" do
+    let(:settings) { OneLogin::RubySaml::Settings.new }
+    before do
+      settings.idp_sso_target_url = "http://example.com"
+    end
+    it "create the deflated SAMLRequest URL parameter" do
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+      assert_match /^<samlp:AuthnRequest/, inflated
+    end
+    it "create the deflated SAMLRequest URL parameter including the Destination" do
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+      assert_match /<samlp:AuthnRequest[^<]* Destination='http:\/\/example.com'/, inflated
+    end
+    it "create the SAMLRequest URL parameter without deflating" do
+      settings.compress_request = false
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+      assert_match /^<samlp:AuthnRequest/, decoded
+    end
+    it "create the SAMLRequest URL parameter with IsPassive" do
+      settings.passive = true
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+      assert_match /<samlp:AuthnRequest[^<]* IsPassive='true'/, inflated
+    end
+    it "create the SAMLRequest URL parameter with ProtocolBinding" do
+      settings.protocol_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+      assert_match /<samlp:AuthnRequest[^<]* ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/, inflated
+    end
+    it "create the SAMLRequest URL parameter with AttributeConsumingServiceIndex" do
+      settings.attributes_index = 30
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+      assert_match /<samlp:AuthnRequest[^<]* AttributeConsumingServiceIndex='30'/, inflated
+    end
+    it "create the SAMLRequest URL parameter with ForceAuthn" do
+      settings.force_authn = true
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+      assert_match /<samlp:AuthnRequest[^<]* ForceAuthn='true'/, inflated
+    end
+    it "create the SAMLRequest URL parameter with NameID Format" do
+      settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+      assert_match /^http:\/\/example\.com\?SAMLRequest=/, auth_url
+      payload = CGI.unescape(auth_url.split("=").last)
+      decoded = Base64.decode64(payload)
+      zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+      assert_match /<samlp:NameIDPolicy[^<]* AllowCreate='true'/, inflated
+      assert_match /<samlp:NameIDPolicy[^<]* Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/, inflated
+    end
+    it "accept extra parameters" do
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings, { :hello => "there" })
+      assert_match /&hello=there$/, auth_url
+      auth_url = OneLogin::RubySaml::Authrequest.new.create(settings, { :hello => nil })
+      assert_match /&hello=$/, auth_url
+    end
+    describe "when the target url doesn't contain a query string" do
+      it "create the SAMLRequest parameter correctly" do
+        auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+        assert_match /^http:\/\/example.com\?SAMLRequest/, auth_url
+      end
+    end
+    describe "when the target url contains a query string" do
+      it "create the SAMLRequest parameter correctly" do
+        settings.idp_sso_target_url = "http://example.com?field=value"
+        auth_url = OneLogin::RubySaml::Authrequest.new.create(settings)
+        assert_match /^http:\/\/example.com\?field=value&SAMLRequest/, auth_url
+      end
+    end
+    it "create the saml:AuthnContextClassRef element correctly" do
+      settings.authn_context = 'secure/name/password/uri'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert_match /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/, auth_doc.to_s
+    end
+    it "create the saml:AuthnContextClassRef with comparison exact" do
+      settings.authn_context = 'secure/name/password/uri'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert_match /<samlp:RequestedAuthnContext[\S ]+Comparison='exact'/, auth_doc.to_s
+      assert_match /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/, auth_doc.to_s
+    end
+    it "create the saml:AuthnContextClassRef with comparison minimun" do
+      settings.authn_context = 'secure/name/password/uri'
+      settings.authn_context_comparison = 'minimun'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert_match /<samlp:RequestedAuthnContext[\S ]+Comparison='minimun'/, auth_doc.to_s
+      assert_match /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/, auth_doc.to_s
+    end
+    it "create the saml:AuthnContextDeclRef element correctly" do
+      settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert_match /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/, auth_doc.to_s
+    end
+    describe "#create_params when the settings indicate to sign (embebed) the request" do
+      before do
+        settings.compress_request = false
+        settings.idp_sso_target_url = "http://example.com?field=value"
+        settings.security[:authn_requests_signed] = true
+        settings.security[:embed_sign] = true
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+      it "create a signed request" do
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+        request_xml = Base64.decode64(params["SAMLRequest"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], request_xml
+      end
+      it "create a signed request with 256 digest and signature methods" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+        request_xml = Base64.decode64(params["SAMLRequest"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], request_xml
+      end
+    end
+    describe "#create_params when the settings indicate to sign the request" do
+      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+      before do
+        settings.compress_request = false
+        settings.idp_sso_target_url = "http://example.com?field=value"
+        settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+        settings.security[:authn_requests_signed] = true
+        settings.security[:embed_sign] = false
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
+      it "create a signature parameter with RSA_SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['SAMLRequest']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+      it "create a signature parameter with RSA_SHA256 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        params = OneLogin::RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+    end
+    it "create the saml:AuthnContextClassRef element correctly" do
+      settings.authn_context = 'secure/name/password/uri'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+    end
+    it "create the saml:AuthnContextClassRef with comparison exact" do
+      settings.authn_context = 'secure/name/password/uri'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='exact'/
+      assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+    end
+    it "create the saml:AuthnContextClassRef with comparison minimun" do
+      settings.authn_context = 'secure/name/password/uri'
+      settings.authn_context_comparison = 'minimun'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='minimun'/
+      assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
+    end
+    it "create the saml:AuthnContextDeclRef element correctly" do
+      settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
+    end
+  end
+end