ruby-saml 0.8.18 → 0.9

data/lib/onelogin/ruby-saml/attributes.rb

@@ -1,118 +1,91 @@
 module OneLogin
   module RubySaml
-
-    # SAML2 Attributes. Parse the Attributes from the AttributeStatement of the SAML Response. 
-    #
+    # Wraps all attributes and provides means to query them for single or multiple values.
+    # 
+    # For backwards compatibility Attributes#[] returns *first* value for the attribute.
+    # Turn off compatibility to make it return all values as an array:
+    #    Attributes.single_value_compatibility = false
     class Attributes
       include Enumerable
 
-      attr_reader :attributes
-
       # By default Attributes#[] is backwards compatible and
       # returns only the first value for the attribute
       # Setting this to `false` returns all values for an attribute
       @@single_value_compatibility = true
 
-      # @return [Boolean] Get current status of backwards compatibility mode.
-      #
+      # Get current status of backwards compatibility mode.
       def self.single_value_compatibility
         @@single_value_compatibility
       end
 
       # Sets the backwards compatibility mode on/off.
-      # @param value [Boolean]
-      #
       def self.single_value_compatibility=(value)
         @@single_value_compatibility = value
       end
 
-      # @param attrs [Hash] The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
+      # Initialize Attributes collection, optionally taking a Hash of attribute names and values.
+      #
+      # The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
       #    Attributes.new({
       #      'name' => ['value1', 'value2'],
       #      'mail' => ['value1'],
       #    })
-      #
       def initialize(attrs = {})
         @attributes = attrs
       end
 
 
       # Iterate over all attributes
-      #
       def each
         attributes.each{|name, values| yield name, values}
       end
 
-      
       # Test attribute presence by name
-      # @param name [String] The attribute name to be checked
-      #
       def include?(name)
-        attributes.has_key?(canonize_name(name)) || attributes.has_key?(name)
+        attributes.has_key?(canonize_name(name))
       end
       
       # Return first value for an attribute
-      # @param name [String] The attribute name
-      # @return [String] The value (First occurrence)
-      #
       def single(name)
-        multi(name).first if include?(name)
+        attributes[canonize_name(name)].first if include?(name)
       end
 
       # Return all values for an attribute
-      # @param name [String] The attribute name
-      # @return [Array] Values of the attribute
-      #
       def multi(name)
-        values = attributes[canonize_name(name)] || attributes[name]
-        
-        if values.is_a?(Array)
-          values
-        elsif !values.nil?
-          Array(values)
-        else
-          nil
-        end
+        attributes[canonize_name(name)]
       end
 
-      # Retrieve attribute value(s)
-      # @param name [String] The attribute name
-      # @return [String|Array] Depending on the single value compatibility status this returns:
-      #                        - First value if single_value_compatibility = true
-      #                          response.attributes['mail']  # => 'user@example.com'
-      #                        - All values if single_value_compatibility = false
-      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      # By default returns first value for an attribute.
+      #
+      # Depending on the single value compatibility status this returns first value
+      #    Attributes.single_value_compatibility = true # Default
+      #    response.attributes['mail']  # => 'user@example.com'
       #
+      # Or all values:
+      #    Attributes.single_value_compatibility = false
+      #    response.attributes['mail']  # => ['user@example.com','user@example.net']
       def [](name)
-        self.class.single_value_compatibility ? single(name) : multi(name)
+        self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
       end
 
-      # @return [Array] Return all attributes as an array
-      #
+      # Return all attributes as an array
       def all
         attributes
       end
 
-      # @param name [String] The attribute name
-      # @param values [Array] The values
-      #
+      # Set values for an attribute, overwriting all existing values
       def set(name, values)
         attributes[canonize_name(name)] = values
       end
       alias_method :[]=, :set
 
-      # @param name [String] The attribute name
-      # @param values [Array] The values
-      #
+      # Add new attribute or new value(s) to an existing attribute
       def add(name, values = [])
         attributes[canonize_name(name)] ||= []
         attributes[canonize_name(name)] += Array(values)
       end
 
       # Make comparable to another Attributes collection based on attributes
-      # @param other [Attributes] An Attributes object to compare with
-      # @return [Boolean] True if are contains the same attributes and values
-      #
       def ==(other)
         if other.is_a?(Attributes)
           all == other.all
@@ -121,26 +94,15 @@ module OneLogin
         end
       end
 
-      def respond_to?(name)
-        attributes.respond_to?(name) || super
-      end
-
       protected
 
       # stringifies all names so both 'email' and :email return the same result
-      # @param name [String] The attribute name
-      # @return [String] stringified name
-      #
       def canonize_name(name)
         name.to_s
       end
 
-      def method_missing(name, *args, &block)
-        if attributes.respond_to?(name)
-          attributes.send(name, *args, &block)
-        else
-          super
-        end
+      def attributes
+        @attributes
       end
     end
   end

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -1,25 +1,16 @@
-require "base64"
-require "zlib"
-require "cgi"
-require "onelogin/ruby-saml/utils"
-require "onelogin/ruby-saml/setting_error"
+require "uuid"
+
+require "onelogin/ruby-saml/logging"
 
 module OneLogin
   module RubySaml
+  include REXML
+    class Authrequest < SamlMessage
 
-    class Authrequest
-      # AuthNRequest ID
-      attr_accessor :uuid
+      attr_reader :uuid # Can be obtained if neccessary
 
-      # Initializes the AuthNRequest. An Authrequest Object.
-      # Asigns an ID, a random uuid.
-      #
       def initialize
-        @uuid = OneLogin::RubySaml::Utils.uuid
-      end
-
-      def request_id
-        @uuid
+        @uuid = "_" + UUID.new.generate
       end
 
       def create(settings, params = {})
@@ -30,25 +21,11 @@ module OneLogin
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise SettingError.new "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
         @login_url = settings.idp_sso_target_url + request_params
       end
 
-      # Creates the Get parameters for the request.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
-      # @return [Hash] Parameters
-      #
       def create_params(settings, params={})
-        # The method expects :RelayState but sometimes we get 'RelayState' instead.
-        # Based on the HashWithIndifferentAccess value in Rails we could experience
-        # conflicts so this line will solve them.
-        relay_state = params[:RelayState] || params['RelayState']
-
-        if relay_state.nil?
-          params.delete(:RelayState)
-          params.delete('RelayState')
-        end
+        params = {} if params.nil?
 
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -58,30 +35,18 @@ module OneLogin
 
         Logging.debug "Created AuthnRequest: #{request}"
 
-        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
-        if Base64.respond_to?('strict_encode64')
-          base64_request = Base64.strict_encode64(request)
-        else
-          base64_request = Base64.encode64(request).gsub(/\n/, "")
-        end
-
+        request = deflate(request) if settings.compress_request
+        base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
-          url_string = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLRequest',
-            :data => base64_request,
-            :relay_state => relay_state,
-            :sig_alg => params['SigAlg']
-          )
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
-          if Base64.respond_to?('strict_encode64')
-            params['Signature'] = Base64.strict_encode64(signature)
-          else
-            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          end
+          params['SigAlg']    = XMLSecurity::Document::SHA1
+          url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
+          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
+          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          private_key         = settings.get_sp_key()
+          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          params['Signature'] = encode(signature)
         end
 
         params.each_pair do |key, value|
@@ -92,12 +57,7 @@ module OneLogin
       end
 
       def create_authentication_xml_doc(settings)
-        document = create_xml_document(settings)
-        sign_document(document, settings)
-      end
-
-      def create_xml_document(settings)
-        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
         request_doc = XMLSecurity::Document.new
         request_doc.uuid = uuid
@@ -106,65 +66,59 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
+        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
         root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
+        root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
         root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
 
         # Conditionally defined elements based on settings
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.sp_entity_id != nil
+        if settings.issuer != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.sp_entity_id
-        end
-
-        if settings.name_identifier_value_requested != nil
-          subject = root.add_element "saml:Subject"
-
-          nameid = subject.add_element "saml:NameID"
-          nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
-          nameid.text = settings.name_identifier_value_requested
-
-          subject_confirmation = subject.add_element "saml:SubjectConfirmation"
-          subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+          issuer.text = settings.issuer
         end
-
         if settings.name_identifier_format != nil
           root.add_element "samlp:NameIDPolicy", {
-              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
               # Might want to make AllowCreate a setting?
               "AllowCreate" => "true",
               "Format" => settings.name_identifier_format
           }
         end
 
-        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
-        # match required for authentication to succeed.  If this is not defined,
-        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
-        if settings.authn_context != nil
+        if settings.authn_context || settings.authn_context_decl_ref
+
+          if settings.authn_context_comparison != nil
+            comparison = settings.authn_context_comparison
+          else
+            comparison = 'exact'
+          end
+
           requested_context = root.add_element "samlp:RequestedAuthnContext", {
-            "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
-            "Comparison" => "exact",
-          }
-          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
-            "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+            "Comparison" => comparison,
           }
-          class_ref.text = settings.authn_context
+
+          if settings.authn_context != nil
+            class_ref = requested_context.add_element "saml:AuthnContextClassRef"
+            class_ref.text = settings.authn_context
+          end
+          # add saml:AuthnContextDeclRef element
+          if settings.authn_context_decl_ref != nil
+            class_ref = requested_context.add_element "saml:AuthnContextDeclRef"
+            class_ref.text = settings.authn_context_decl_ref
+          end
         end
-        request_doc
-      end
 
-      def sign_document(document, settings)
-        # embed signature
-        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
-          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        # embebed sign
+        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign] 
+          private_key = settings.get_sp_key()
+          cert = settings.get_sp_cert()
+          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 
-        document
+        request_doc
       end
 
     end

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -0,0 +1,87 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+
+module OneLogin
+  module RubySaml
+    include REXML
+
+    class IdpMetadataParser
+
+      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+      DSIG     = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_reader :document
+
+      def parse_remote(url, validate_cert = true)
+        idp_metadata = get_idp_metadata(url, validate_cert)
+        parse(idp_metadata)
+      end
+
+      def parse(idp_metadata)
+        @document = REXML::Document.new(idp_metadata)
+
+        OneLogin::RubySaml::Settings.new.tap do |settings|
+
+          settings.idp_sso_target_url = single_signon_service_url
+          settings.idp_slo_target_url = single_logout_service_url
+          settings.idp_cert_fingerprint = fingerprint
+        end
+      end
+
+      private
+
+      # Retrieve the remote IdP metadata from the URL or a cached copy
+      # # returns a REXML document of the metadata
+      def get_idp_metadata(url, validate_cert)
+        uri = URI.parse(url)
+        if uri.scheme == "http"
+          response = Net::HTTP.get_response(uri)
+          meta_text = response.body
+        elsif uri.scheme == "https"
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          # Most IdPs will probably use self signed certs
+          if validate_cert
+            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          else
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          end
+          get = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(get)
+          meta_text = response.body
+        end
+        meta_text
+      end
+
+      def single_signon_service_url
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location", { "md" => METADATA })
+        node.value if node
+      end
+
+      def single_logout_service_url
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location", { "md" => METADATA })
+        node.value if node
+      end
+
+      def certificate
+        @certificate ||= begin
+          node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", { "md" => METADATA, "ds" => DSIG })
+          Base64.decode64(node.text) if node
+        end
+      end
+
+      def fingerprint
+        @fingerprint ||= begin
+          if certificate
+            cert = OpenSSL::X509::Certificate.new(certificate)
+            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,23 +1,15 @@
-require "base64"
-require "zlib"
-require "cgi"
-require 'rexml/document'
-require "onelogin/ruby-saml/utils"
-require "onelogin/ruby-saml/setting_error"
+require "uuid"
+
+require "onelogin/ruby-saml/logging"
 
 module OneLogin
   module RubySaml
+    class Logoutrequest < SamlMessage
 
-    class Logoutrequest
-
-      attr_accessor :uuid
+      attr_reader :uuid # Can be obtained if neccessary
 
       def initialize
-        @uuid = OneLogin::RubySaml::Utils.uuid
-      end
-
-      def request_id
-        @uuid
+        @uuid = "_" + UUID.new.generate
       end
 
       def create(settings, params={})
@@ -28,25 +20,11 @@ module OneLogin
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
         @logout_url = settings.idp_slo_target_url + request_params
       end
 
-      # Creates the Get parameters for the logout request.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
-      # @return [Hash] Parameters
-      #
       def create_params(settings, params={})
-        # The method expects :RelayState but sometimes we get 'RelayState' instead.
-        # Based on the HashWithIndifferentAccess value in Rails we could experience
-        # conflicts so this line will solve them.
-        relay_state = params[:RelayState] || params['RelayState']
-
-        if relay_state.nil?
-          params.delete(:RelayState)
-          params.delete('RelayState')
-        end
+        params = {} if params.nil?
 
         request_doc = create_logout_request_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -56,29 +34,18 @@ module OneLogin
 
         Logging.debug "Created SLO Logout Request: #{request}"
 
-        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
-        if Base64.respond_to?('strict_encode64')
-          base64_request = Base64.strict_encode64(request)
-        else
-          base64_request = Base64.encode64(request).gsub(/\n/, "")
-        end
+        request = deflate(request) if settings.compress_request
+        base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
-          url_string = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLRequest',
-            :data => base64_request,
-            :relay_state => relay_state,
-            :sig_alg => params['SigAlg']
-          )
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
-          if Base64.respond_to?('strict_encode64')
-            params['Signature'] = Base64.strict_encode64(signature)
-          else
-            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          end
+          params['SigAlg']    = XMLSecurity::Document::SHA1
+          url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
+          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
+          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          private_key         = settings.get_sp_key()
+          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          params['Signature'] = encode(signature)
         end
 
         params.each_pair do |key, value|
@@ -88,78 +55,47 @@ module OneLogin
         request_params
       end
 
-      # Creates the SAMLRequest String.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @return [String] The SAMLRequest String.
-      #
       def create_logout_request_xml_doc(settings)
-        document = create_xml_document(settings)
-        sign_document(document, settings)
-      end
-
-      def create_xml_document(settings, request_doc=nil)
-        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
-        if request_doc.nil?
-          request_doc = XMLSecurity::Document.new
-          request_doc.uuid = uuid
-        end
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
 
-        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
 
-        if settings.sp_entity_id
-          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
-          issuer.text = settings.sp_entity_id
+        if settings.issuer
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
         end
 
+        name_id = root.add_element "saml:NameID"
         if settings.name_identifier_value
-          name_id = root.add_element "saml:NameID", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
-          nameid.attributes['NameQualifier'] = settings.idp_name_qualifier if settings.idp_name_qualifier
-          nameid.attributes['SPNameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+          name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
           name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
           name_id.text = settings.name_identifier_value
+        else
+          # If no NameID is present in the settings we generate one
+          name_id.text = "_" + UUID.new.generate
+          name_id.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
         end
 
         if settings.sessionindex
-          sessionindex = root.add_element "samlp:SessionIndex", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+          sessionindex = root.add_element "samlp:SessionIndex"
           sessionindex.text = settings.sessionindex
         end
 
-        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
-        # match required for authentication to succeed.  If this is not defined,
-        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
-        if settings.authn_context != nil
-          requested_context = root.add_element "samlp:RequestedAuthnContext", {
-              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
-              "Comparison" => "exact",
-          }
-          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
-              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
-          }
-          class_ref.text = settings.authn_context
-        end
-        request_doc
-      end
-
-      def sign_document(document, settings)
-        # embed signature
+        # embebed sign
         if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
-          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+          private_key = settings.get_sp_key()
+          cert = settings.get_sp_cert()
+          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 
-        document
-      end
-
-      # Leave due compatibility
-      def create_unauth_xml_doc(settings, params)
-        request_doc = ReXML::Document.new
-        create_xml_document(settings, request_doc)
+        request_doc
       end
     end
   end