ruby-saml 0.8.11 → 0.8.12

checksums.yaml

@@ -1,7 +1,7 @@
----
-SHA1:
-  metadata.gz: 10ec0e5a4a9fc6a7f65613599597cef7ae8b8293
-  data.tar.gz: 0b63798d5d6b78e3073ccb899e355e6aa0134648
-SHA512:
-  metadata.gz: 1883986a5fd1b3925e6745bf7d259a907c656d36958efe50dfb760192c8273a3723b76344ee542a3a07b84da677808fad850b8bd272d949c5ce7fcd8c171a881
-  data.tar.gz: 8538b7c75961e99186b320ff1425fb82fa0c759e3e7267eaad76659adf9f0ba98249207122092dbc383f464c1c600b03a37f010d5a3e8bfa7fbb6fba0aaa8915
+--- 
+SHA512: 
+  metadata.gz: 8a2479b6725a5a9e7fdc76a4bec612e2f0c66cf53cbb79ff7c1dc0343d1cc56c09e9fd3b2d3490bdacbb09b16b473702d42fa42fdb6fedff6e7fa5a44fa421a2
+  data.tar.gz: 43b1cfb12dc3fc14a2cbc139430e3ad15b975dca0d95d0d8c14363f362833de181a52ca10b8b607215c4b5aa23ffa62f2d8f3a3b2c9b5541e9387c635ca77150
+SHA256: 
+  metadata.gz: 694ade703ed05cc38aa2ca98cbfee57cc16223991ae6539422c136164cf29608
+  data.tar.gz: ee07b69a9391b26c9af95d0cfdbaa57c8991fa187b869660e15c549fcbbe47e3

data/Gemfile

@@ -7,10 +7,13 @@ gemspec
 
 if RUBY_VERSION < '1.9'
   gem 'nokogiri',   '~> 1.5.0'
+  gem 'minitest',  '~> 5.5', '<= 5.11.3'
 elsif RUBY_VERSION < '2.1'
   gem 'nokogiri',   '>= 1.5.0', '<= 1.6.8.1'
+  gem 'minitest',  '~> 5.5'
 else
   gem 'nokogiri',   '>= 1.5.0'
+  gem 'minitest',  '~> 5.5'
 end
 
 group :test do
@@ -30,6 +33,5 @@ group :test do
   gem 'shoulda',   '~> 2.11'
   gem 'systemu',   '~> 2'
   gem 'test-unit', '~> 3.0.9'
-  gem 'minitest',  '~> 5.5'
   gem 'timecop',   '<= 0.6.0'
 end

data/Rakefile

@@ -25,17 +25,3 @@ end
 task :test
 
 task :default => :test
-
-# require 'rake/rdoctask'
-# Rake::RDocTask.new do |rdoc|
-#   if File.exist?('VERSION')
-#     version = File.read('VERSION')
-#   else
-#     version = ""
-#   end
-
-#   rdoc.rdoc_dir = 'rdoc'
-#   rdoc.title = "ruby-saml #{version}"
-#   rdoc.rdoc_files.include('README*')
-#   rdoc.rdoc_files.include('lib/**/*.rb')
-#end

data/lib/onelogin/ruby-saml/response.rb

@@ -149,13 +149,13 @@ module OneLogin
       end
 
       def validate(soft = true)
-        validate_success_status       &&
-        validate_num_assertion        &&
-        validate_signed_elements      &&
-        validate_structure(soft)      &&
-        validate_response_state(soft) &&
-        validate_conditions(soft)     &&
-        validate_audience(soft)       &&
+        validate_structure(soft)       &&
+        validate_success_status(soft)  &&
+        validate_num_assertion         &&
+        validate_signed_elements(soft) &&
+        validate_response_state(soft)  &&
+        validate_conditions(soft)      &&
+        validate_audience(soft)        &&
         document.validate_document(get_fingerprint, soft) &&
         success?
       end
@@ -175,10 +175,6 @@ module OneLogin
           { "a" => ASSERTION }
         )
 
-        unless assertions.size != 0
-          return soft ? false : validation_error("Encrypted assertion is not supported")
-        end
-
         unless assertions.size + encrypted_assertions.size == 1
           return soft ? false : validation_error("SAML Response must contain 1 assertion")
         end
@@ -190,7 +186,7 @@ module OneLogin
       # @return [Boolean] True if there is 1 or 2 Elements signed in the SAML Response
       #                        an are a Response or an Assertion Element, otherwise False if soft=True
       #
-      def validate_signed_elements
+      def validate_signed_elements(soft)
         signature_nodes = REXML::XPath.match(
           document,
           "//ds:Signature",
@@ -249,7 +245,7 @@ module OneLogin
       # @return [Boolean] True if the SAML Response contains a Success code, otherwise False if soft == false
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate_success_status
+      def validate_success_status(soft = true)
         return true if success?
 
         return false unless soft
@@ -298,6 +294,21 @@ module OneLogin
         end
       end
 
+      # @return [String] the StatusMessage value from a SAML Response.
+      #
+      def status_message
+        @status_message ||= begin
+          nodes = REXML::XPath.match(
+            document,
+            "/p:Response/p:Status/p:StatusMessage",
+            { "p" => PROTOCOL }
+          )
+          if nodes.size == 1
+            Utils.element_text(nodes.first)
+          end
+        end
+      end
+
       def validate_structure(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.11'
+    VERSION = '0.8.12'
   end
 end

data/lib/xml_security.rb

@@ -212,10 +212,9 @@ module XMLSecurity
       # create a working copy so we don't modify the original
       @working_copy ||= REXML::Document.new(self.to_s).root
 
-      # store and remove signature node
+      # store signature node
       @sig_element ||= begin
         element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
-        element.remove
       end
 
       # verify signature

data/test/logoutrequest_test.rb

@@ -1,5 +1,4 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'uuid'
 
 class LogoutRequestTest < Minitest::Test
 
@@ -29,7 +28,7 @@ class LogoutRequestTest < Minitest::Test
     end
 
     it "set sessionindex" do
-      sessionidx = UUID.new.generate
+      sessionidx = random_id
       settings.sessionindex = sessionidx
 
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :name_id => "there" })
@@ -78,169 +77,168 @@ class LogoutRequestTest < Minitest::Test
         assert_match %r[ID='#{unauth_req.uuid}'], inflated
       end
     end
-  end
 
-  describe "when the settings indicate to sign (embedded) logout request" do
 
-    before do
-      # sign the logout request
-      settings.security[:logout_requests_signed] = true
-      settings.security[:embed_sign] = true
-      settings.certificate = ruby_saml_cert_text
-      settings.private_key = ruby_saml_key_text
-    end
+    describe "when the settings indicate to sign (embedded) logout request" do
 
-    it "doesn't sign through create_xml_document" do
-      unauth_req = OneLogin::RubySaml::Logoutrequest.new
-      inflated = unauth_req.create_xml_document(settings).to_s
+      before do
+        # sign the logout request
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = true
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
 
-      refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-      refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-      refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-    end
+      it "doesn't sign through create_xml_document" do
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        inflated = unauth_req.create_xml_document(settings).to_s
 
-    it "sign unsigned request" do
-      unauth_req = OneLogin::RubySaml::Logoutrequest.new
-      unauth_req_doc = unauth_req.create_xml_document(settings)
-      inflated = unauth_req_doc.to_s
+        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
 
-      refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-      refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-      refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      it "sign unsigned request" do
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        unauth_req_doc = unauth_req.create_xml_document(settings)
+        inflated = unauth_req_doc.to_s
 
-      inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
+        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
 
-      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-    end
+        inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
 
-    it "signs through create_logout_request_xml_doc" do
-      unauth_req = OneLogin::RubySaml::Logoutrequest.new
-      inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
 
-      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-    end
+      it "signs through create_logout_request_xml_doc" do
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
 
-    it "created a signed logout request" do
-      settings.compress_request = true
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
 
-      unauth_req = OneLogin::RubySaml::Logoutrequest.new
-      unauth_url = unauth_req.create(settings)
+      it "created a signed logout request" do
+        settings.compress_request = true
 
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-    end
+        unauth_req = OneLogin::RubySaml::Logoutrequest.new
+        unauth_url = unauth_req.create(settings)
+
+        inflated = decode_saml_request_payload(unauth_url)
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+      end
 
-    it "create a signed logout request with 256 digest and signature method" do
-      settings.compress_request = false
-      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-      settings.security[:digest_method] = XMLSecurity::Document::SHA256
+      it "create a signed logout request with 256 digest and signature method" do
+        settings.compress_request = false
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA256
 
-      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-      request_xml = Base64.decode64(params["SAMLRequest"])
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+        request_xml = Base64.decode64(params["SAMLRequest"])
 
-      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-    end
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
+      end
 
-    it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-      settings.compress_request = false
-      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-      settings.security[:digest_method] = XMLSecurity::Document::SHA512
+      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
+        settings.compress_request = false
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        settings.security[:digest_method] = XMLSecurity::Document::SHA512
 
-      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-      request_xml = Base64.decode64(params["SAMLRequest"])
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
+        request_xml = Base64.decode64(params["SAMLRequest"])
 
-      assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-      assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-      assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+      end
     end
-  end
 
-  describe "#create_params when the settings indicate to sign the logout request" do
+    describe "#create_params when the settings indicate to sign the logout request" do
 
-    let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
 
-    before do
-      # sign the logout request
-      settings.security[:logout_requests_signed] = true
-      settings.security[:embed_sign] = false
-      settings.certificate = ruby_saml_cert_text
-      settings.private_key = ruby_saml_key_text
-    end
+      before do
+        # sign the logout request
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = false
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+      end
 
-    it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
 
-      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-      assert params['SAMLRequest']
-      assert params[:RelayState]
-      assert params['Signature']
-      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['SAMLRequest']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
 
-      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
 
-      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-      assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-    end
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
 
-    it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
 
-      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-      assert params['Signature']
-      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
 
-      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
 
-      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-      assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-    end
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
 
-    it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
 
-      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-      assert params['Signature']
-      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
 
-      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
 
-      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-      assert_equal signature_algorithm, OpenSSL::Digest::SHA384
-      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-    end
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
 
-    it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
+      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
 
-      params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-      assert params['Signature']
-      assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
 
-      query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-      query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-      query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
 
-      signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-      assert_equal signature_algorithm, OpenSSL::Digest::SHA512
-      assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
     end
-
   end
-
 end