ruby-saml 0.8.14 → 0.8.18

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f7f02b4fb1490e44140c1e24ea61bf0ef061f0da
+  data.tar.gz: 3b2fec942140bb2fd2e49a17fc29dd0d0327d814
+SHA512:
+  metadata.gz: a2dade6d6d672b213a3f8d3af088edfa208f3af4482aae033a40ff8ac9c500ca48fded7eee073e67dd6f37daa27786a6303777e0381a3338f987f87a63f460a2
+  data.tar.gz: 0cc6bb2264de5c688545bcb24794313758a97cca3c9bfa5c69b07331ffbc719acb1a69039ec39aa2e5e6817e8917e7495da7c07a41eff120d57f30e9708962bc

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -9,7 +9,7 @@ module OneLogin
 
     class Authrequest
       # AuthNRequest ID
-      attr_reader :uuid
+      attr_accessor :uuid
 
       # Initializes the AuthNRequest. An Authrequest Object.
       # Asigns an ID, a random uuid.
@@ -18,6 +18,10 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def request_id
+        @uuid
+      end
+
       def create(settings, params = {})
         params = create_params(settings, params)
         params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -10,12 +10,16 @@ module OneLogin
 
     class Logoutrequest
 
-      attr_reader :uuid # Can be obtained if neccessary
+      attr_accessor :uuid
 
       def initialize
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def request_id
+        @uuid
+      end
+
       def create(settings, params={})
         params = create_params(settings, params)
         params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
@@ -114,7 +118,8 @@ module OneLogin
 
         if settings.name_identifier_value
           name_id = root.add_element "saml:NameID", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
-          name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+          nameid.attributes['NameQualifier'] = settings.idp_name_qualifier if settings.idp_name_qualifier
+          nameid.attributes['SPNameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
           name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
           name_id.text = settings.name_identifier_value
         end

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -29,7 +29,18 @@ module OneLogin
 
         @options = options
         @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
-        @document = XMLSecurity::SignedDocument.new(response)
+        @document = XMLSecurity::SignedDocument.new(@response)
+      end
+
+      def response_id
+        @response_id ||= begin
+          node = REXML::XPath.first(
+            document,
+            "/p:LogoutResponse",
+            { "p" => PROTOCOL }
+          )
+          node.nil? ? nil : node.attributes['ID']
+        end
       end
 
       def validate!
@@ -37,7 +48,7 @@ module OneLogin
       end
 
       def validate(soft = true)
-        return false unless valid_saml?(soft) && valid_state?(soft)
+        return false unless validate_structure(soft)
 
         valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
       end
@@ -51,7 +62,7 @@ module OneLogin
 
       def in_response_to
         @in_response_to ||= begin
-          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL })
           node.nil? ? nil : node.attributes['InResponseTo']
         end
       end
@@ -59,7 +70,6 @@ module OneLogin
       def issuer
         @issuer ||= begin
           node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
-          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
           Utils.element_text(node)
         end
       end
@@ -73,7 +83,7 @@ module OneLogin
 
       private
 
-      def valid_saml?(soft = true)
+      def validate_structure(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
           @xml = Nokogiri::XML(self.document.to_s)
@@ -85,26 +95,6 @@ module OneLogin
         end
       end
 
-      def valid_state?(soft = true)
-        if response.empty?
-          return soft ? false : validation_error("Blank response")
-        end
-
-        if settings.nil?
-          return soft ? false : validation_error("No settings on response")
-        end
-
-        if settings.sp_entity_id.nil?
-          return soft ? false : validation_error("No sp_entity_id in settings")
-        end
-
-        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
-          return soft ? false : validation_error("No fingerprint or certificate on settings")
-        end
-
-        true
-      end
-
       def valid_in_response_to?(soft = true)
         return true unless self.options.has_key? :matches_request_id
 
@@ -116,8 +106,10 @@ module OneLogin
       end
 
       def valid_issuer?(soft = true)
-        unless URI.parse(issuer) == URI.parse(self.settings.sp_entity_id)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.sp_entity_id}>, but was: <#{issuer}>")
+        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
         end
         true
       end

data/lib/onelogin/ruby-saml/response.rb

@@ -27,6 +27,24 @@ module OneLogin
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
+      def response_id
+        @response_id ||= begin
+          node = REXML::XPath.first(
+            document,
+            "/p:Response",
+            { "p" => PROTOCOL }
+          )
+          node.nil? ? nil : node.attributes['ID']
+        end
+      end
+
+      def assertion_id
+        @assertion_id ||= begin
+          node = xpath_first_from_signed_assertion("")
+          node.nil? ? nil : node.attributes['ID']
+        end
+      end
+
       def is_valid?
         validate
       end
@@ -35,16 +53,48 @@ module OneLogin
         validate(false)
       end
 
-      # The value of the user identifier as designated by the initialization request response
-      def name_id
+      def name_id_node
         @name_id ||= begin
-          node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
-          Utils.element_text(node)
+          xpath_first_from_signed_assertion('/a:Subject/a:NameID')
         end
       end
 
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= Utils.element_text(name_id_node)
+      end
+
       alias nameid name_id
 
+      # @return [String] the NameID Format provided by the SAML response from the IdP.
+      #
+      def name_id_format
+        @name_id_format ||=
+          if name_id_node && name_id_node.attribute("Format")
+            name_id_node.attribute("Format").value
+          end
+      end
+
+      alias_method :nameid_format, :name_id_format
+
+      # @return [String] the NameID SPNameQualifier provided by the SAML response from the IdP.
+      #
+      def name_id_spnamequalifier
+        @name_id_spnamequalifier ||=
+          if name_id_node && name_id_node.attribute("SPNameQualifier")
+            name_id_node.attribute("SPNameQualifier").value
+          end
+      end
+
+      # @return [String] the NameID NameQualifier provided by the SAML response from the IdP.
+      #
+      def name_id_namequalifier
+        @name_id_namequalifier ||=
+          if name_id_node && name_id_node.attribute("NameQualifier")
+            name_id_node.attribute("NameQualifier").value
+          end
+      end
+
       def sessionindex
         @sessionindex ||= begin
           node = xpath_first_from_signed_assertion('/a:AuthnStatement')
@@ -134,6 +184,34 @@ module OneLogin
         end
       end
 
+      # Gets the Issuers (from Response and Assertion).
+      # (returns the first node that matches the supplied xpath from the Response and from the Assertion)
+      # @return [Array] Array with the Issuers (REXML::Element)
+      #
+      def issuers
+        @issuers ||= begin
+          issuer_response_nodes = REXML::XPath.match(
+            document,
+            "/p:Response/a:Issuer",
+            { "p" => PROTOCOL, "a" => ASSERTION }
+          )
+
+          unless issuer_response_nodes.size == 1
+            error_msg = "Issuer of the Response not found or multiple."
+            raise ValidationError.new(error_msg)
+          end
+
+          issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
+          unless issuer_assertion_nodes.size == 1
+            error_msg = "Issuer of the Assertion not found or multiple."
+            raise ValidationError.new(error_msg)
+          end
+
+          nodes = issuer_response_nodes + issuer_assertion_nodes
+          nodes.map { |node| Utils.element_text(node) }.compact.uniq
+        end
+      end
+
       # @return [Array] The Audience elements from the Contitions of the SAML Response.
       #
       def audiences
@@ -157,6 +235,7 @@ module OneLogin
         validate_response_state(soft)  &&
         validate_conditions(soft)      &&
         validate_audience(soft)        &&
+        validate_issuer(soft)          &&
         validate_signature(soft)       &&
         success?
       end
@@ -373,15 +452,6 @@ module OneLogin
         ))
       end
 
-      def get_fingerprint
-        if settings.idp_cert
-          cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-        else
-          settings.idp_cert_fingerprint
-        end
-      end
-
       def validate_conditions(soft = true)
         return true if conditions.nil?
         return true if options[:skip_conditions]
@@ -399,6 +469,25 @@ module OneLogin
         true
       end
 
+      def validate_issuer(soft = true)
+        return true if settings.idp_entity_id.nil?
+
+        begin
+          obtained_issuers = issuers
+        rescue ValidationError => e
+          return soft ? false : validation_error("Error while extracting issuers")
+        end
+
+        obtained_issuers.each do |issuer|
+          unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+            error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
+            return soft ? false : validation_error(error_msg)
+          end
+        end
+
+        true
+      end
+
       def validate_signature(soft = true)
         error_msg = "Invalid Signature on SAML Response"
 
@@ -430,8 +519,8 @@ module OneLogin
 
         opts = {}
         opts[:fingerprint_alg] = OpenSSL::Digest::SHA1.new
-        opts[:cert] = settings.idp_cert
-        fingerprint = get_fingerprint
+        opts[:cert] = settings.get_idp_cert
+        fingerprint = settings.get_fingerprint
 
         unless fingerprint
           return soft ? false : validation_error("No fingerprint or certificate on settings")

data/lib/onelogin/ruby-saml/settings.rb

@@ -27,16 +27,17 @@ module OneLogin
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert
       attr_accessor :idp_slo_target_url
+      attr_accessor :idp_entity_id
       #sp data
       attr_accessor :sp_entity_id
       attr_accessor :assertion_consumer_service_url
       attr_accessor :authn_context
       attr_accessor :sp_name_qualifier
+      attr_accessor :idp_name_qualifier
       attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
       attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
-      attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
@@ -117,21 +118,38 @@ module OneLogin
         @single_logout_service_binding = url
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
+      # Calculates the fingerprint of the IdP x509 certificate.
+      # @return [String] The fingerprint
       #
-      def get_sp_cert
-        return nil if certificate.nil? || certificate.empty?
+      def get_fingerprint
+        idp_cert_fingerprint || begin
+          idp_cert = get_idp_cert
+          if idp_cert
+            Digest::SHA1.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
 
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
-        OpenSSL::X509::Certificate.new(formatted_cert)
+      # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
+      #
+      def get_idp_cert
+        return nil if idp_cert.nil?
+
+        if idp_cert.respond_to?(:to_pem)
+          idp_cert
+        else
+          return nil if idp_cert.empty?
+          formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
+          OpenSSL::X509::Certificate.new(formatted_cert)
+        end
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
+      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
       #
-      def get_sp_cert_new
-        return nil if certificate_new.nil? || certificate_new.empty?
+      def get_sp_cert
+        return nil if certificate.nil? || certificate.empty?
 
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
         OpenSSL::X509::Certificate.new(formatted_cert)
       end
 

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -0,0 +1,112 @@
+require "xml_security"
+require "time"
+
+# Only supports SAML 2.0
+# SAML2 Logout Request (SLO IdP initiated, Parser)
+module OneLogin
+  module RubySaml
+    class SloLogoutrequest
+
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      # OneLogin::RubySaml::Settings Toolkit settings
+      attr_accessor :settings
+
+      attr_reader :document
+      attr_reader :request
+      attr_reader :options
+
+      def initialize(request, settings = nil, options = {})
+        raise ArgumentError.new("Request cannot be nil") if request.nil?
+        self.settings = settings
+
+        @options = options
+        @request = OneLogin::RubySaml::Utils.decode_raw_saml(request)
+        @document = XMLSecurity::SignedDocument.new(@request)
+      end
+
+      def request_id
+        @request_id ||= begin
+          node = REXML::XPath.first(
+            document,
+            "/p:LogoutRequest",
+            { "p" => PROTOCOL }
+          )
+          node.nil? ? nil : node.attributes['ID']
+        end
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      def validate(soft = true)
+        return false unless validate_structure(soft)
+
+        valid_issuer?(soft)
+      end
+
+      def name_id
+        @name_id ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          Utils.element_text(node)
+        end
+      end
+
+      alias_method :nameid, :name_id
+
+      def name_id_format
+        @name_id_node ||= REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+        @name_id_format ||=
+          if @name_id_node && @name_id_node.attribute("Format")
+            @name_id_node.attribute("Format").value
+          end
+      end
+
+      alias_method :nameid_format, :name_id_format
+
+      def id
+        @id ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest", { "p" => PROTOCOL } )
+          node.nil? ? nil : node.attributes['ID']
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          Utils.element_text(node)
+        end
+      end
+
+      private
+
+      def validate_structure(soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(self.document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+        end
+      end
+
+      def valid_issuer?(soft = true)
+        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
+        end
+        true
+      end
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -12,7 +12,7 @@ module OneLogin
     class SloLogoutresponse
 
       # Logout Response ID
-      attr_reader :uuid
+      attr_accessor :uuid
 
       # Initializes the Logout Response. A SloLogoutresponse Object.
       # Asigns an ID, a random uuid.
@@ -21,15 +21,20 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def response_id
+        @uuid
+      end
+
       # Creates the Logout Response string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [String] Logout Request string that includes the SAMLRequest
       #
-      def create(settings, request_id = nil, logout_message = nil, params = {})
-        params = create_params(settings, request_id, logout_message, params)
+      def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
+        params = create_params(settings, request_id, logout_message, params, logout_status_code)
         params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
         saml_response = CGI.escape(params.delete("SAMLResponse"))
         response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
@@ -45,9 +50,10 @@ module OneLogin
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [Hash] Parameters
       #
-      def create_params(settings, request_id = nil, logout_message = nil, params = {})
+      def create_params(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
         # The method expects :RelayState but sometimes we get 'RelayState' instead.
         # Based on the HashWithIndifferentAccess value in Rails we could experience
         # conflicts so this line will solve them.
@@ -58,7 +64,7 @@ module OneLogin
           params.delete('RelayState')
         end
 
-        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
+        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message, logout_status_code)
         response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
 
         response = ""
@@ -102,14 +108,15 @@ module OneLogin
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [String] The SAMLResponse String.
       #
-      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
-        document = create_xml_document(settings, request_id, logout_message)
+      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil, logout_status_code = nil)
+        document = create_xml_document(settings, request_id, logout_message, logout_status_code)
         sign_document(document, settings)
       end
 
-      def create_xml_document(settings, request_id = nil, logout_message = nil)
+      def create_xml_document(settings, request_id = nil, logout_message = nil, status_code = nil)
         time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
 
         response_doc = XMLSecurity::Document.new
@@ -127,14 +134,15 @@ module OneLogin
           issuer.text = settings.sp_entity_id
         end
 
-        # add success message
+        # add status
         status = root.add_element 'samlp:Status'
 
-        # success status code
-        status_code = status.add_element 'samlp:StatusCode'
-        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+        # status code
+        status_code ||= 'urn:oasis:names:tc:SAML:2.0:status:Success'
+        status_code_elem = status.add_element 'samlp:StatusCode'
+        status_code_elem.attributes['Value'] = status_code
 
-        # success status message
+        # status message
         logout_message ||= 'Successfully Signed Out'
         status_message = status.add_element 'samlp:StatusMessage'
         status_message.text = logout_message

data/lib/onelogin/ruby-saml/utils.rb

@@ -179,6 +179,33 @@ module OneLogin
         Zlib::Deflate.deflate(inflated, 9)[2..-5]
       end
 
+      # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,
+      # then the fully-qualified domain name and the host should performa a case-insensitive match, per the
+      # RFC for URIs.  If Rails can not parse the string in to URL pieces, return a boolean match of the
+      # two strings.  This maintains the previous functionality.
+      # @return [Boolean]
+      def self.uri_match?(destination_url, settings_url)
+        dest_uri = URI.parse(destination_url)
+        acs_uri = URI.parse(settings_url)
+
+        if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
+          raise URI::InvalidURIError
+        else
+          dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
+            dest_uri.host.downcase == acs_uri.host.downcase &&
+            dest_uri.path == acs_uri.path &&
+            dest_uri.query == acs_uri.query
+        end
+      rescue URI::InvalidURIError
+        original_uri_match?(destination_url, settings_url)
+      end
+
+      # If Rails' URI.parse can't match to valid URL, default back to the original matching service.
+      # @return [Boolean]
+      def self.original_uri_match?(destination_url, settings_url)
+        destination_url == settings_url
+      end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.14'
+    VERSION = '0.8.18'
   end
 end

data/lib/ruby-saml.rb

@@ -2,6 +2,7 @@ require 'onelogin/ruby-saml/logging'
 require 'onelogin/ruby-saml/authrequest'
 require 'onelogin/ruby-saml/logoutrequest'
 require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/slo_logoutrequest'
 require 'onelogin/ruby-saml/slo_logoutresponse'
 require 'onelogin/ruby-saml/response'
 require 'onelogin/ruby-saml/settings'

data/lib/xml_security.rb

@@ -222,7 +222,11 @@ module XMLSecurity
         end
       else
         if options[:cert]
-          base64_cert = Base64.encode64(options[:cert].to_pem)
+          cert = options[:cert]
+          if cert.is_a? String
+            cert = OpenSSL::X509::Certificate.new(cert)
+          end
+          base64_cert = Base64.encode64(cert.to_pem)
         else
           return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings"))
         end

data/test/certificates/formatted_certificate

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----