RubyGems - ruby-saml - Versions diffs - 0.8.16 → 0.9 - Mend

ruby-saml 0.8.16 → 0.9

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (90) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.travis.yml +1 -6
data/Gemfile +2 -12
data/README.md +363 -35
data/Rakefile +14 -0
data/changelog.md +22 -9
data/lib/onelogin/ruby-saml/attribute_service.rb +34 -0
data/lib/onelogin/ruby-saml/attributes.rb +26 -64
data/lib/onelogin/ruby-saml/authrequest.rb +47 -89
data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +87 -0
data/lib/onelogin/ruby-saml/logoutrequest.rb +34 -93
data/lib/onelogin/ruby-saml/logoutresponse.rb +25 -24
data/lib/onelogin/ruby-saml/metadata.rb +46 -16
data/lib/onelogin/ruby-saml/response.rb +62 -322
data/lib/onelogin/ruby-saml/saml_message.rb +78 -0
data/lib/onelogin/ruby-saml/settings.rb +54 -121
data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +26 -61
data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +27 -84
data/lib/onelogin/ruby-saml/utils.rb +32 -199
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/ruby-saml.rb +5 -2
data/lib/schemas/{saml20assertion_schema.xsd → saml-schema-assertion-2.0.xsd} +283 -283
data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
data/lib/schemas/{saml20protocol_schema.xsd → saml-schema-protocol-2.0.xsd} +302 -302
data/lib/schemas/sstc-metadata-attr.xsd +35 -0
data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
data/lib/schemas/{xenc_schema.xsd → xenc-schema.xsd} +1 -11
data/lib/schemas/xml.xsd +287 -0
data/lib/schemas/{xmldsig_schema.xsd → xmldsig-core-schema.xsd} +0 -9
data/lib/xml_security.rb +83 -235
data/ruby-saml.gemspec +1 -0
data/test/idp_metadata_parser_test.rb +54 -0
data/test/logoutrequest_test.rb +68 -144
data/test/logoutresponse_test.rb +43 -25
data/test/metadata_test.rb +87 -0
data/test/request_test.rb +103 -90
data/test/response_test.rb +181 -471
data/test/responses/idp_descriptor.xml +3 -0
data/test/responses/logoutresponse_fixtures.rb +5 -5
data/test/responses/response_no_cert_and_encrypted_attrs.xml +29 -0
data/test/responses/response_with_multiple_attribute_values.xml +1 -1
data/test/responses/slo_request.xml +4 -0
data/test/settings_test.rb +25 -112
data/test/slo_logoutrequest_test.rb +41 -44
data/test/slo_logoutresponse_test.rb +87 -167
data/test/test_helper.rb +27 -102
data/test/xml_security_test.rb +114 -337
metadata +34 -84
data/lib/onelogin/ruby-saml/setting_error.rb +0 -6
data/test/certificates/certificate.der +0 -0
data/test/certificates/formatted_certificate +0 -14
data/test/certificates/formatted_chained_certificate +0 -42
data/test/certificates/formatted_private_key +0 -12
data/test/certificates/formatted_rsa_private_key +0 -12
data/test/certificates/invalid_certificate1 +0 -1
data/test/certificates/invalid_certificate2 +0 -1
data/test/certificates/invalid_certificate3 +0 -12
data/test/certificates/invalid_chained_certificate1 +0 -1
data/test/certificates/invalid_private_key1 +0 -1
data/test/certificates/invalid_private_key2 +0 -1
data/test/certificates/invalid_private_key3 +0 -10
data/test/certificates/invalid_rsa_private_key1 +0 -1
data/test/certificates/invalid_rsa_private_key2 +0 -1
data/test/certificates/invalid_rsa_private_key3 +0 -10
data/test/certificates/ruby-saml-2.crt +0 -15
data/test/requests/logoutrequest_fixtures.rb +0 -47
data/test/responses/encrypted_new_attack.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
data/test/responses/invalids/no_signature.xml.base64 +0 -1
data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
data/test/responses/response_node_text_attack.xml.base64 +0 -1
data/test/responses/response_with_concealed_signed_assertion.xml +0 -51
data/test/responses/response_with_doubled_signed_assertion.xml +0 -49
data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
data/test/responses/response_with_signed_assertion_3.xml +0 -30
data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
data/test/responses/response_wrapped.xml.base64 +0 -150
data/test/responses/valid_response.xml.base64 +0 -1
data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
data/test/utils_test.rb +0 -231

@@ -10,6 +10,7 @@ Gem::Specification.new do |s|
   s.date = Time.now.strftime("%Y-%m-%d")
   s.description = %q{SAML toolkit for Ruby on Rails}
   s.email = %q{support@onelogin.com}
+  s.license = 'MIT'
   s.extra_rdoc_files = [
     "LICENSE",
      "README.md"

data/test/idp_metadata_parser_test.rb ADDED

@@ -0,0 +1,54 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'net/http'
+require 'net/https'
+class IdpMetadataParserTest < Test::Unit::TestCase
+  class MockResponse
+    attr_accessor :body
+  end
+  context "parsing an IdP descriptor file" do
+    should "extract settings details from xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse(idp_metadata)
+      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+    end
+  end
+  context "download and parse IdP descriptor file" do
+    setup do
+      mock_response = MockResponse.new
+      mock_response.body = idp_metadata
+      @url = "https://example.com"
+      uri = URI(@url)
+      @http = Net::HTTP.new(uri.host, uri.port)
+      Net::HTTP.expects(:new).returns(@http)
+      @http.expects(:request).returns(mock_response)
+    end
+    should "extract settings from remote xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse_remote(@url)
+      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
+    end
+    should "accept self signed certificate if insturcted" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      settings = idp_metadata_parser.parse_remote(@url, false)
+      assert_equal OpenSSL::SSL::VERIFY_NONE, @http.verify_mode
+    end
+  end
+end

data/test/logoutrequest_test.rb CHANGED

@@ -1,16 +1,14 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-class LogoutRequestTest < Minitest::Test
+class RequestTest < Test::Unit::TestCase
-  describe "Logoutrequest" do
-    let(:settings) { OneLogin::RubySaml::Settings.new }
+  context "Logoutrequest" do
+    settings = OneLogin::RubySaml::Settings.new
-    before do
+    should "create the deflated SAMLRequest URL parameter" do
       settings.idp_slo_target_url = "http://unauth.com/logout"
       settings.name_identifier_value = "f00f00"
-    end
-    it "create the deflated SAMLRequest URL parameter" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
       assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
@@ -19,7 +17,8 @@ class LogoutRequestTest < Minitest::Test
       assert_match /^<samlp:LogoutRequest/, inflated
     end
-    it "support additional params" do
+    should "support additional params" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
       assert unauth_url =~ /&hello=$/
@@ -27,8 +26,9 @@ class LogoutRequestTest < Minitest::Test
       assert unauth_url =~ /&foo=bar$/
     end
-    it "set sessionindex" do
-      sessionidx = random_id
+    should "set sessionindex" do
+      settings.idp_slo_target_url = "http://example.com"
+      sessionidx = UUID.new.generate
       settings.sessionindex = sessionidx
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :name_id => "there" })
@@ -38,7 +38,9 @@ class LogoutRequestTest < Minitest::Test
       assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
     end
-    it "set name_identifier_value" do
+    should "set name_identifier_value" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_slo_target_url = "http://example.com"
       settings.name_identifier_format = "transient"
       name_identifier_value = "abc123"
       settings.name_identifier_value = name_identifier_value
@@ -50,25 +52,33 @@ class LogoutRequestTest < Minitest::Test
       assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
     end
-    describe "when the target url doesn't contain a query string" do
-      it "create the SAMLRequest parameter correctly" do
+    context "when the target url doesn't contain a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com"
+        settings.name_identifier_value = "f00f00"
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
       end
     end
-    describe "when the target url contains a query string" do
-      it "create the SAMLRequest parameter correctly" do
+    context "when the target url contains a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end
     end
-    describe "consumation of logout may need to track the transaction" do
-      it "have access to the request uuid" do
+    context "consumation of logout may need to track the transaction" do
+      should "have access to the request uuid" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
@@ -78,167 +88,81 @@ class LogoutRequestTest < Minitest::Test
       end
     end
-    describe "when the settings indicate to sign (embedded) logout request" do
-      before do
+    context "when the settings indicate to sign (embebed) the logout request" do
+      should "created a signed logout request" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         # sign the logout request
         settings.security[:logout_requests_signed] = true
         settings.security[:embed_sign] = true
         settings.certificate = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
-      end
-      it "doesn't sign through create_xml_document" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_xml_document(settings).to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "sign unsigned request" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_req_doc = unauth_req.create_xml_document(settings)
-        inflated = unauth_req_doc.to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-        inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "signs through create_logout_request_xml_doc" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "created a signed logout request" do
-        settings.compress_request = true
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
         inflated = decode_saml_request_payload(unauth_url)
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
       end
-      it "create a signed logout request with 256 digest and signature method" do
+      should "create a signed logout request with 256 digest and signature methods" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        settings.security[:digest_method] = XMLSecurity::Document::SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-      end
-      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
+        # sign the logout request
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = true
+        settings.security[:signature_method] = XMLSecurity::Document::SHA256
         settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        settings.certificate  = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
         params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         request_xml = Base64.decode64(params["SAMLRequest"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
+        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
       end
     end
-    describe "#create_params when the settings indicate to sign the logout request" do
-      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
-      before do
-        # sign the logout request
+    context "when the settings indicate to sign the logout request" do
+      should "create a signature parameter" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.compress_request = false
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         settings.security[:logout_requests_signed] = true
         settings.security[:embed_sign] = false
-        settings.certificate = ruby_saml_cert_text
+        settings.security[:signature_method] = XMLSecurity::Document::SHA1
+        settings.certificate  = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
-      end
-      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['SAMLRequest']
-        assert params[:RelayState]
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        assert params['SigAlg'] == XMLSecurity::Document::SHA1
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        # signature_method only affects the embedeed signature
+        settings.security[:signature_method] = XMLSecurity::Document::SHA256
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+        assert params['SigAlg'] == XMLSecurity::Document::SHA1
       end
+    end
-      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+  end
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-    end
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
   end
 end

data/test/logoutresponse_test.rb CHANGED

@@ -1,27 +1,26 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require File.expand_path(File.join(File.dirname(__FILE__), "responses/logoutresponse_fixtures"))
+require 'rexml/document'
+require 'responses/logoutresponse_fixtures'
+class RubySamlTest < Test::Unit::TestCase
-class LogoutResponseTest < Minitest::Test
-  describe "Logoutresponse" do
-    describe "#new" do
-      it "raise an exception when response is initialized with nil" do
+  context "Logoutresponse" do
+    context "#new" do
+      should "raise an exception when response is initialized with nil" do
         assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
       end
-      it "default to empty settings" do
+      should "default to empty settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new( valid_response)
-        assert logoutresponse.settings.nil?
+        assert_nil logoutresponse.settings
       end
-      it "accept constructor-injected settings" do
+      should "accept constructor-injected settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings)
-        assert !logoutresponse.settings.nil?
+        assert_not_nil logoutresponse.settings
       end
-      it "accept constructor-injected options" do
+      should "accept constructor-injected options" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
         assert !logoutresponse.options.empty?
       end
-      it "support base64 encoded responses" do
+      should "support base64 encoded responses" do
         expected_response = valid_response
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(expected_response), settings)
@@ -29,21 +28,21 @@ class LogoutResponseTest < Minitest::Test
       end
     end
-    describe "#validate" do
-      it "validate the response" do
+    context "#validate" do
+      should "validate the response" do
         in_relation_to_request_id = random_id
-        settings.idp_entity_id = "https://example.com/idp"
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
         assert logoutresponse.validate
-        assert_equal settings.idp_entity_id, logoutresponse.issuer
+        assert_equal settings.issuer, logoutresponse.issuer
         assert_equal in_relation_to_request_id, logoutresponse.in_response_to
         assert logoutresponse.success?
       end
-      it "invalidate responses with wrong id when given option :matches_uuid" do
+      should "invalidate responses with wrong id when given option :matches_uuid" do
         expected_request_id = "_some_other_expected_uuid"
         opts = { :matches_request_id => expected_request_id}
@@ -51,10 +50,10 @@ class LogoutResponseTest < Minitest::Test
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings, opts)
         assert !logoutresponse.validate
-        assert expected_request_id != logoutresponse.in_response_to
+        assert_not_equal expected_request_id, logoutresponse.in_response_to
       end
-      it "invalidate responses with wrong request status" do
+      should "invalidate responses with wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
         assert !logoutresponse.validate
@@ -62,8 +61,8 @@ class LogoutResponseTest < Minitest::Test
       end
     end
-    describe "#validate!" do
-      it "validates good responses" do
+    context "#validate!" do
+      should "validates good responses" do
         in_relation_to_request_id = random_id
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
@@ -71,7 +70,7 @@ class LogoutResponseTest < Minitest::Test
         logoutresponse.validate!
       end
-      it "raises validation error when matching for wrong request id" do
+      should "raises validation error when matching for wrong request id" do
         expected_request_id = "_some_other_expected_id"
         opts = { :matches_request_id => expected_request_id}
@@ -81,13 +80,26 @@ class LogoutResponseTest < Minitest::Test
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      it "raise validation error for wrong request status" do
+      should "raise validation error for wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-      it "raise error for invalid xml" do
+      should "raise validation error when in bad state" do
+        # no settings
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response)
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
+      end
+      should "raise validation error when in lack of issuer setting" do
+        bad_settings = settings
+        bad_settings.issuer = nil
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
+      end
+      should "raise error for invalid xml" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
@@ -95,4 +107,10 @@ class LogoutResponseTest < Minitest::Test
     end
   end
+  # logoutresponse fixtures
+  def random_id
+    "_#{UUID.new.generate}"
+  end
 end