ruby-saml 0.8.18 → 0.9

data/test/logoutrequest_test.rb

@@ -1,16 +1,14 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
-class LogoutRequestTest < Minitest::Test
+class RequestTest < Test::Unit::TestCase
 
-  describe "Logoutrequest" do
-    let(:settings) { OneLogin::RubySaml::Settings.new }
+  context "Logoutrequest" do
+    settings = OneLogin::RubySaml::Settings.new
 
-    before do
+    should "create the deflated SAMLRequest URL parameter" do
       settings.idp_slo_target_url = "http://unauth.com/logout"
       settings.name_identifier_value = "f00f00"
-    end
 
-    it "create the deflated SAMLRequest URL parameter" do
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
       assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
 
@@ -19,7 +17,8 @@ class LogoutRequestTest < Minitest::Test
       assert_match /^<samlp:LogoutRequest/, inflated
     end
 
-    it "support additional params" do
+    should "support additional params" do
+
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
       assert unauth_url =~ /&hello=$/
 
@@ -27,8 +26,9 @@ class LogoutRequestTest < Minitest::Test
       assert unauth_url =~ /&foo=bar$/
     end
 
-    it "set sessionindex" do
-      sessionidx = random_id
+    should "set sessionindex" do
+      settings.idp_slo_target_url = "http://example.com"
+      sessionidx = UUID.new.generate
       settings.sessionindex = sessionidx
 
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :name_id => "there" })
@@ -38,7 +38,9 @@ class LogoutRequestTest < Minitest::Test
       assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
     end
 
-    it "set name_identifier_value" do
+    should "set name_identifier_value" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.idp_slo_target_url = "http://example.com"
       settings.name_identifier_format = "transient"
       name_identifier_value = "abc123"
       settings.name_identifier_value = name_identifier_value
@@ -50,25 +52,33 @@ class LogoutRequestTest < Minitest::Test
       assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
     end
 
-    describe "when the target url doesn't contain a query string" do
-      it "create the SAMLRequest parameter correctly" do
+    context "when the target url doesn't contain a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com"
+        settings.name_identifier_value = "f00f00"
+
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
       end
     end
 
-    describe "when the target url contains a query string" do
-      it "create the SAMLRequest parameter correctly" do
+    context "when the target url contains a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
+
         unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
       end
     end
 
-    describe "consumation of logout may need to track the transaction" do
-      it "have access to the request uuid" do
+    context "consumation of logout may need to track the transaction" do
+      should "have access to the request uuid" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
 
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
@@ -78,178 +88,81 @@ class LogoutRequestTest < Minitest::Test
       end
     end
 
-
-    describe "when the settings indicate to sign (embedded) logout request" do
-
-      before do
+    context "when the settings indicate to sign (embebed) the logout request" do
+      should "created a signed logout request" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         # sign the logout request
         settings.security[:logout_requests_signed] = true
         settings.security[:embed_sign] = true
         settings.certificate = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
-      end
-
-      it "doesn't sign through create_xml_document" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_xml_document(settings).to_s
-
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-
-      it "sign unsigned request" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_req_doc = unauth_req.create_xml_document(settings)
-        inflated = unauth_req_doc.to_s
-
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-
-        inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
-
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-
-      it "signs through create_logout_request_xml_doc" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
-
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-
-      it "created a signed logout request" do
-        settings.compress_request = true
 
         unauth_req = OneLogin::RubySaml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)
 
         inflated = decode_saml_request_payload(unauth_url)
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
       end
 
-      it "create a signed logout request with 256 digest and signature method" do
+      should "create a signed logout request with 256 digest and signature methods" do
+        settings = OneLogin::RubySaml::Settings.new
         settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        settings.security[:digest_method] = XMLSecurity::Document::SHA256
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-      end
-
-      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
+        # sign the logout request
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = true
+        settings.security[:signature_method] = XMLSecurity::Document::SHA256
         settings.security[:digest_method] = XMLSecurity::Document::SHA512
+        settings.certificate  = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
 
         params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         request_xml = Base64.decode64(params["SAMLRequest"])
 
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
+        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
+        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
       end
     end
 
-    describe "#create_params when the settings indicate to sign the logout request" do
-
-      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
-
-      before do
-        # sign the logout request
+    context "when the settings indicate to sign the logout request" do
+      should "create a signature parameter" do
+        settings = OneLogin::RubySaml::Settings.new
+        settings.compress_request = false
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
         settings.security[:logout_requests_signed] = true
         settings.security[:embed_sign] = false
-        settings.certificate = ruby_saml_cert_text
+        settings.security[:signature_method] = XMLSecurity::Document::SHA1
+        settings.certificate  = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
-      end
-
-      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['SAMLRequest']
-        assert params[:RelayState]
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
-
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
 
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-
-      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+        assert params['SigAlg'] == XMLSecurity::Document::SHA1
 
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-
-      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        # signature_method only affects the embedeed signature
+        settings.security[:signature_method] = XMLSecurity::Document::SHA256
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
         assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
-
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+        assert params['SigAlg'] == XMLSecurity::Document::SHA1
       end
+    end
 
-      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
-
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
-
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+  end
 
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-    end
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
 
-    describe "#manipulate request_id" do
-      it "be able to modify the request id" do
-        logoutrequest = OneLogin::RubySaml::Logoutrequest.new
-        request_id = logoutrequest.request_id
-        assert_equal request_id, logoutrequest.uuid
-        logoutrequest.uuid = "new_uuid"
-        assert_equal logoutrequest.request_id, logoutrequest.uuid
-        assert_equal "new_uuid", logoutrequest.request_id
-      end
-    end
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
   end
+
 end

data/test/logoutresponse_test.rb

@@ -1,27 +1,26 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require File.expand_path(File.join(File.dirname(__FILE__), "responses/logoutresponse_fixtures"))
+require 'rexml/document'
+require 'responses/logoutresponse_fixtures'
+class RubySamlTest < Test::Unit::TestCase
 
-class LogoutResponseTest < Minitest::Test
-
-  describe "Logoutresponse" do
-
-    describe "#new" do
-      it "raise an exception when response is initialized with nil" do
+  context "Logoutresponse" do
+    context "#new" do
+      should "raise an exception when response is initialized with nil" do
         assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
       end
-      it "default to empty settings" do
+      should "default to empty settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new( valid_response)
-        assert logoutresponse.settings.nil?
+        assert_nil logoutresponse.settings
       end
-      it "accept constructor-injected settings" do
+      should "accept constructor-injected settings" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings)
-        assert !logoutresponse.settings.nil?
+        assert_not_nil logoutresponse.settings
       end
-      it "accept constructor-injected options" do
+      should "accept constructor-injected options" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
         assert !logoutresponse.options.empty?
       end
-      it "support base64 encoded responses" do
+      should "support base64 encoded responses" do
         expected_response = valid_response
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(expected_response), settings)
 
@@ -29,21 +28,21 @@ class LogoutResponseTest < Minitest::Test
       end
     end
 
-    describe "#validate" do
-      it "validate the response" do
+    context "#validate" do
+      should "validate the response" do
         in_relation_to_request_id = random_id
-        settings.idp_entity_id = "https://example.com/idp"
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid2 => in_relation_to_request_id}), settings)
+
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
 
         assert logoutresponse.validate
 
-        assert_equal settings.idp_entity_id, logoutresponse.issuer
+        assert_equal settings.issuer, logoutresponse.issuer
         assert_equal in_relation_to_request_id, logoutresponse.in_response_to
 
         assert logoutresponse.success?
       end
 
-      it "invalidate responses with wrong id when given option :matches_uuid" do
+      should "invalidate responses with wrong id when given option :matches_uuid" do
 
         expected_request_id = "_some_other_expected_uuid"
         opts = { :matches_request_id => expected_request_id}
@@ -51,10 +50,10 @@ class LogoutResponseTest < Minitest::Test
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings, opts)
 
         assert !logoutresponse.validate
-        assert expected_request_id != logoutresponse.in_response_to
+        assert_not_equal expected_request_id, logoutresponse.in_response_to
       end
 
-      it "invalidate responses with wrong request status" do
+      should "invalidate responses with wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
 
         assert !logoutresponse.validate
@@ -62,8 +61,8 @@ class LogoutResponseTest < Minitest::Test
       end
     end
 
-    describe "#validate!" do
-      it "validates good responses" do
+    context "#validate!" do
+      should "validates good responses" do
         in_relation_to_request_id = random_id
 
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
@@ -71,7 +70,7 @@ class LogoutResponseTest < Minitest::Test
         logoutresponse.validate!
       end
 
-      it "raises validation error when matching for wrong request id" do
+      should "raises validation error when matching for wrong request id" do
 
         expected_request_id = "_some_other_expected_id"
         opts = { :matches_request_id => expected_request_id}
@@ -81,25 +80,37 @@ class LogoutResponseTest < Minitest::Test
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
 
-      it "raise validation error for wrong request status" do
+      should "raise validation error for wrong request status" do
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
 
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
 
-      it "raise error for invalid xml" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
+      should "raise validation error when in bad state" do
+        # no settings
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response)
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
+      end
 
+      should "raise validation error when in lack of issuer setting" do
+        bad_settings = settings
+        bad_settings.issuer = nil
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
-    end
 
-    describe "#response_id" do
-      it "extract the value of the Response ID" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings)
-        assert_equal "_28024690-000e-0130-b6d2-38f6b112be8b", logoutresponse.response_id
+      should "raise error for invalid xml" do
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
+
+        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
     end
 
   end
+
+  # logoutresponse fixtures
+  def random_id
+    "_#{UUID.new.generate}"
+  end
+
 end

data/test/metadata_test.rb

@@ -0,0 +1,87 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class MetadataTest < Test::Unit::TestCase
+
+  def setup
+    @settings = OneLogin::RubySaml::Settings.new
+    @settings.issuer = "https://example.com"
+    @settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    @settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
+    @settings.security[:authn_requests_signed] = false
+  end
+
+  should "generate Service Provider Metadata with X509Certificate" do
+    @settings.security[:authn_requests_signed] = true
+    @settings.certificate = ruby_saml_cert_text
+
+    xml_text = OneLogin::RubySaml::Metadata.new.generate(@settings)
+
+    # assert xml_text can be parsed into an xml doc
+    xml_doc = REXML::Document.new(xml_text)
+
+    spsso_descriptor = REXML::XPath.first(xml_doc, "//md:SPSSODescriptor")
+    assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
+
+    cert_node = REXML::XPath.first(xml_doc, "//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", {
+      "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+      "ds" => "http://www.w3.org/2000/09/xmldsig#"
+    })
+    cert_text = cert_node.text
+    cert = OpenSSL::X509::Certificate.new(Base64.decode64(cert_text))
+    assert_equal ruby_saml_cert.to_der, cert.to_der
+  end
+
+  should "should generate Service Provider Metadata" do
+    settings = OneLogin::RubySaml::Settings.new
+    settings.issuer = "https://example.com"
+    settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
+    settings.security[:authn_requests_signed] = false
+
+    xml_text = OneLogin::RubySaml::Metadata.new.generate(settings)
+
+    # assert correct xml declaration
+    start = "<?xml version='1.0' encoding='UTF-8'?>\n<md:EntityDescriptor"
+    assert xml_text[0..start.length-1] == start
+
+    # assert xml_text can be parsed into an xml doc
+    xml_doc = REXML::Document.new(xml_text)
+
+    assert_equal "https://example.com", REXML::XPath.first(xml_doc, "//md:EntityDescriptor").attribute("entityID").value
+
+    spsso_descriptor = REXML::XPath.first(xml_doc, "//md:SPSSODescriptor")
+    assert_equal "urn:oasis:names:tc:SAML:2.0:protocol", spsso_descriptor.attribute("protocolSupportEnumeration").value
+    assert_equal "false", spsso_descriptor.attribute("AuthnRequestsSigned").value
+    assert_equal "false", spsso_descriptor.attribute("WantAssertionsSigned").value
+
+    assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", REXML::XPath.first(xml_doc, "//md:NameIDFormat").text.strip
+
+    acs = REXML::XPath.first(xml_doc, "//md:AssertionConsumerService")
+    assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
+    assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value
+  end
+
+  should "generate attribute service if configured" do
+    settings = OneLogin::RubySaml::Settings.new
+    settings.issuer = "https://example.com"
+    settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
+    settings.attribute_consuming_service.configure do
+      service_name "Test Service"
+      add_attribute(:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => "Attribute Value")
+    end
+
+    xml_text = OneLogin::RubySaml::Metadata.new.generate(settings)
+    xml_doc = REXML::Document.new(xml_text)
+    acs = REXML::XPath.first(xml_doc, "//md:AttributeConsumingService")
+    assert_equal "true", acs.attribute("isDefault").value
+    assert_equal "1", acs.attribute("index").value
+    assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test Service"
+    req_attr = REXML::XPath.first(xml_doc, "//md:RequestedAttribute")
+    assert_equal "Name", req_attr.attribute("Name").value
+    assert_equal "Name Format", req_attr.attribute("NameFormat").value
+    assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
+    assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//md:AttributeValue").text.strip
+  end
+
+end