RubyGems - ruby-saml - Versions diffs - 0.8.16 → 0.9 - Mend

ruby-saml 0.8.16 → 0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.travis.yml +1 -6
data/Gemfile +2 -12
data/README.md +363 -35
data/Rakefile +14 -0
data/changelog.md +22 -9
data/lib/onelogin/ruby-saml/attribute_service.rb +34 -0
data/lib/onelogin/ruby-saml/attributes.rb +26 -64
data/lib/onelogin/ruby-saml/authrequest.rb +47 -89
data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +87 -0
data/lib/onelogin/ruby-saml/logoutrequest.rb +34 -93
data/lib/onelogin/ruby-saml/logoutresponse.rb +25 -24
data/lib/onelogin/ruby-saml/metadata.rb +46 -16
data/lib/onelogin/ruby-saml/response.rb +62 -322
data/lib/onelogin/ruby-saml/saml_message.rb +78 -0
data/lib/onelogin/ruby-saml/settings.rb +54 -121
data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +26 -61
data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +27 -84
data/lib/onelogin/ruby-saml/utils.rb +32 -199
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/ruby-saml.rb +5 -2
data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd} +283 -283
data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} +302 -302
data/lib/schemas/sstc-metadata-attr.xsd +35 -0
data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
data/lib/schemas/{xenc_schema.xsd → xenc-schema.xsd} +1 -11
data/lib/schemas/xml.xsd +287 -0
data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd} +0 -9
data/lib/xml_security.rb +83 -235
data/ruby-saml.gemspec +1 -0
data/test/idp_metadata_parser_test.rb +54 -0
data/test/logoutrequest_test.rb +68 -144
data/test/logoutresponse_test.rb +43 -25
data/test/metadata_test.rb +87 -0
data/test/request_test.rb +103 -90
data/test/response_test.rb +181 -471
data/test/responses/idp_descriptor.xml +3 -0
data/test/responses/logoutresponse_fixtures.rb +5 -5
data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
data/test/responses/response_with_multiple_attribute_values.xml +1 -1
data/test/responses/slo_request.xml +4 -0
data/test/settings_test.rb +25 -112
data/test/slo_logoutrequest_test.rb +41 -44
data/test/slo_logoutresponse_test.rb +87 -167
data/test/test_helper.rb +27 -102
data/test/xml_security_test.rb +114 -337
metadata +34 -84
data/lib/onelogin/ruby-saml/setting_error.rb +0 -6
data/test/certificates/certificate.der +0 -0
data/test/certificates/formatted_certificate +0 -14
data/test/certificates/formatted_chained_certificate +0 -42
data/test/certificates/formatted_private_key +0 -12
data/test/certificates/formatted_rsa_private_key +0 -12
data/test/certificates/invalid_certificate1 +0 -1
data/test/certificates/invalid_certificate2 +0 -1
data/test/certificates/invalid_certificate3 +0 -12
data/test/certificates/invalid_chained_certificate1 +0 -1
data/test/certificates/invalid_private_key1 +0 -1
data/test/certificates/invalid_private_key2 +0 -1
data/test/certificates/invalid_private_key3 +0 -10
data/test/certificates/invalid_rsa_private_key1 +0 -1
data/test/certificates/invalid_rsa_private_key2 +0 -1
data/test/certificates/invalid_rsa_private_key3 +0 -10
data/test/certificates/ruby-saml-2.crt +0 -15
data/test/requests/logoutrequest_fixtures.rb +0 -47
data/test/responses/encrypted_new_attack.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
data/test/responses/invalids/no_signature.xml.base64 +0 -1
data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
data/test/responses/response_node_text_attack.xml.base64 +0 -1
data/test/responses/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
data/test/responses/response_with_signed_assertion_3.xml +0 -30
data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
data/test/responses/response_wrapped.xml.base64 +0 -150
data/test/responses/valid_response.xml.base64 +0 -1
data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
data/test/utils_test.rb +0 -231

data/ruby-saml.gemspec CHANGED

@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
   s.date = Time.now.strftime("%Y-%m-%d")
   s.description = %q{SAML toolkit for Ruby on Rails}
   s.email = %q{support@onelogin.com}
+  s.license = 'MIT'
   s.extra_rdoc_files = [
     "LICENSE",
      "README.md"

data/test/idp_metadata_parser_test.rb ADDED

@@ -0,0 +1,54 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'net/http'
+require 'net/https'
+class IdpMetadataParserTest < Test::Unit::TestCase
+  class MockResponse
+    attr_accessor :body
+  end
+  context "parsing an IdP descriptor file" do
+    should "extract settings details from xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse(idp_metadata)
+      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+    end
+  end
+  context "download and parse IdP descriptor file" do
+    setup do
+      mock_response = MockResponse.new
+      mock_response.body = idp_metadata
+      @url = "https://example.com"
+      uri = URI(@url)
+      @http = Net::HTTP.new(uri.host, uri.port)
+      Net::HTTP.expects(:new).returns(@http)
+      @http.expects(:request).returns(mock_response)
+    end
+    should "extract settings from remote xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse_remote(@url)
+      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
+    end
+    should "accept self signed certificate if insturcted" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse_remote(@url, false)
+      assert_equal OpenSSL::SSL::VERIFY_NONE, @http.verify_mode
+    end
+  end
+end

data/test/logoutrequest_test.rb CHANGED

@@ -1,16 +1,14 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-class LogoutRequestTest < Minitest::Test
+class RequestTest < Test::Unit::TestCase
-  describe "Logoutrequest" do
-    let(:settings) { OneLogin::RubySaml::Settings.new }
+  context "Logoutrequest" do
+    settings = OneLogin::RubySaml::Settings.new
-    before do
+    should "create the deflated SAMLRequest URL parameter" do
       settings.idp_slo_target_url = "http://unauth.com/logout"
       settings.name_identifier_value = "f00f00"
-    end
-    it "create the deflated SAMLRequest URL parameter" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
       assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
@@ -19,7 +17,8 @@ class LogoutRequestTest < Minitest::Test
       assert_match /^<samlp:LogoutRequest/, inflated
     end
-    it "support additional params" do
+    should "support additional params" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
       assert unauth_url =~ /&hello=$/
@@ -27,8 +26,9 @@ class LogoutRequestTest < Minitest::Test
       assert unauth_url =~ /&foo=bar$/
     end
-    it "set sessionindex" do
-      sessionidx = random_id
+    should "set sessionindex" do
+      settings.idp_slo_target_url = "http://example.com"
+      sessionidx = UUID.new.generate
       settings.sessionindex = sessionidx
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :name_id => "there" })
@@ -38,7 +38,9 @@ class LogoutRequestTest < Minitest::Test
       assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
     end
-    it "set name_identifier_value" do
+    should "set name_identifier_value" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_slo_target_url = "http://example.com"
       settings.name_identifier_format = "transient"
       name_identifier_value = "abc123"
       settings.name_identifier_value = name_identifier_value
@@ -50,25 +52,33 @@ class LogoutRequestTest < Minitest::Test
       assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
     end
-    describe "when the target url doesn't contain a query string" do
-      it "create the SAMLRequest parameter correctly" do
+    context "when the target url doesn't contain a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com"
+        settings.name_identifier_value = "f00f00"
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
       end
     end
-    describe "when the target url contains a query string" do
-      it "create the SAMLRequest parameter correctly" do
+    context "when the target url contains a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end
     end
-    describe "consumation of logout may need to track the transaction" do
-      it "have access to the request uuid" do
+    context "consumation of logout may need to track the transaction" do
+      should "have access to the request uuid" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
@@ -78,167 +88,81 @@ class LogoutRequestTest < Minitest::Test
       end
     end
-    describe "when the settings indicate to sign (embedded) logout request" do
-      before do
+    context "when the settings indicate to sign (embebed) the logout request" do
+      should "created a signed logout request" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         # sign the logout request
         settings.security[:logout_requests_signed] = true
         settings.security[:embed_sign] = true
         settings.certificate = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
-      end
-      it "doesn't sign through create_xml_document" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_xml_document(settings).to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "sign unsigned request" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_req_doc = unauth_req.create_xml_document(settings)
-        inflated = unauth_req_doc.to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-        inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "signs through create_logout_request_xml_doc" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "created a signed logout request" do
-        settings.compress_request = true
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
         inflated = decode_saml_request_payload(unauth_url)
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
       end
-      it "create a signed logout request with 256 digest and signature method" do
+      should "create a signed logout request with 256 digest and signature methods" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        settings.security[:digest_method] = XMLSecurity::Document::SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-      end
-      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
+        # sign the logout request
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = true
+        settings.security[:signature_method] = XMLSecurity::Document::SHA256
         settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        settings.certificate  = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
         params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         request_xml = Base64.decode64(params["SAMLRequest"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
+        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
       end
     end
-    describe "#create_params when the settings indicate to sign the logout request" do
-      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
-      before do
-        # sign the logout request
+    context "when the settings indicate to sign the logout request" do
+      should "create a signature parameter" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.compress_request = false
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         settings.security[:logout_requests_signed] = true
         settings.security[:embed_sign] = false
-        settings.certificate = ruby_saml_cert_text
+        settings.security[:signature_method] = XMLSecurity::Document::SHA1
+        settings.certificate  = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
-      end
-      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['SAMLRequest']
-        assert params[:RelayState]
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        assert params['SigAlg'] == XMLSecurity::Document::SHA1
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        # signature_method only affects the embedeed signature
+        settings.security[:signature_method] = XMLSecurity::Document::SHA256
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+        assert params['SigAlg'] == XMLSecurity::Document::SHA1
       end
+    end
-      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+  end
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-    end
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
   end
 end

data/test/logoutresponse_test.rb CHANGED

@@ -1,27 +1,26 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require File.expand_path(File.join(File.dirname(__FILE__), "responses/logoutresponse_fixtures"))
+require 'rexml/document'
+require 'responses/logoutresponse_fixtures'
+class RubySamlTest < Test::Unit::TestCase
-class LogoutResponseTest < Minitest::Test
-  describe "Logoutresponse" do
-    describe "#new" do
-      it "raise an exception when response is initialized with nil" do
+  context "Logoutresponse" do
+    context "#new" do
+      should "raise an exception when response is initialized with nil" do
         assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
       end
-      it "default to empty settings" do
+      should "default to empty settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new( valid_response)
-        assert logoutresponse.settings.nil?
+        assert_nil logoutresponse.settings
       end
-      it "accept constructor-injected settings" do
+      should "accept constructor-injected settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings)
-        assert !logoutresponse.settings.nil?
+        assert_not_nil logoutresponse.settings
       end
-      it "accept constructor-injected options" do
+      should "accept constructor-injected options" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
         assert !logoutresponse.options.empty?
       end
-      it "support base64 encoded responses" do
+      should "support base64 encoded responses" do
         expected_response = valid_response
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(expected_response), settings)
@@ -29,21 +28,21 @@ class LogoutResponseTest < Minitest::Test
       end
     end
-    describe "#validate" do
-      it "validate the response" do
+    context "#validate" do
+      should "validate the response" do
         in_relation_to_request_id = random_id
-        settings.idp_entity_id = "https://example.com/idp"
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
         assert logoutresponse.validate
-        assert_equal settings.idp_entity_id, logoutresponse.issuer
+        assert_equal settings.issuer, logoutresponse.issuer
         assert_equal in_relation_to_request_id, logoutresponse.in_response_to
         assert logoutresponse.success?
       end
-      it "invalidate responses with wrong id when given option :matches_uuid" do
+      should "invalidate responses with wrong id when given option :matches_uuid" do
         expected_request_id = "_some_other_expected_uuid"
         opts = { :matches_request_id => expected_request_id}
@@ -51,10 +50,10 @@ class LogoutResponseTest < Minitest::Test
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings, opts)
         assert !logoutresponse.validate
-        assert expected_request_id != logoutresponse.in_response_to
+        assert_not_equal expected_request_id, logoutresponse.in_response_to
       end
-      it "invalidate responses with wrong request status" do
+      should "invalidate responses with wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
         assert !logoutresponse.validate
@@ -62,8 +61,8 @@ class LogoutResponseTest < Minitest::Test
       end
     end
-    describe "#validate!" do
-      it "validates good responses" do
+    context "#validate!" do
+      should "validates good responses" do
         in_relation_to_request_id = random_id
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
@@ -71,7 +70,7 @@ class LogoutResponseTest < Minitest::Test
         logoutresponse.validate!
       end
-      it "raises validation error when matching for wrong request id" do
+      should "raises validation error when matching for wrong request id" do
         expected_request_id = "_some_other_expected_id"
         opts = { :matches_request_id => expected_request_id}
@@ -81,13 +80,26 @@ class LogoutResponseTest < Minitest::Test
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      it "raise validation error for wrong request status" do
+      should "raise validation error for wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      it "raise error for invalid xml" do
+      should "raise validation error when in bad state" do
+        # no settings
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response)
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
+      end
+      should "raise validation error when in lack of issuer setting" do
+        bad_settings = settings
+        bad_settings.issuer = nil
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
+      end
+      should "raise error for invalid xml" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
@@ -95,4 +107,10 @@ class LogoutResponseTest < Minitest::Test
     end
   end
+  # logoutresponse fixtures
+  def random_id
+    "_#{UUID.new.generate}"
+  end
 end