ruby-saml 0.9.1 → 0.9.2

data/test/request_test.rb

@@ -1,5 +1,7 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
+require 'onelogin/ruby-saml/authrequest'
+
 class RequestTest < Minitest::Test
 
   describe "Authrequest" do
@@ -143,7 +145,7 @@ class RequestTest < Minitest::Test
       end
     end
 
-    describe "when the settings indicate to sign (embebed) the request" do
+    describe "#create_params when the settings indicate to sign (embebed) the request" do
       it "create a signed request" do
         settings = OneLogin::RubySaml::Settings.new
         settings.compress_request = false
@@ -156,8 +158,8 @@ class RequestTest < Minitest::Test
         params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
         request_xml = Base64.decode64(params["SAMLRequest"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
-        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], request_xml
       end
 
       it "create a signed request with 256 digest and signature methods" do
@@ -166,7 +168,7 @@ class RequestTest < Minitest::Test
         settings.idp_sso_target_url = "http://example.com?field=value"
         settings.security[:authn_requests_signed] = true
         settings.security[:embed_sign] = true
-        settings.security[:signature_method] = XMLSecurity::Document::SHA256
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
         settings.security[:digest_method] = XMLSecurity::Document::SHA512
         settings.certificate  = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
@@ -174,33 +176,56 @@ class RequestTest < Minitest::Test
         params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
         request_xml = Base64.decode64(params["SAMLRequest"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
-        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], request_xml
       end
     end
 
+    describe "#create_params when the settings indicate to sign the request" do
+      def setup
+        @settings = OneLogin::RubySaml::Settings.new
+        @settings.compress_request = false
+        @settings.idp_sso_target_url = "http://example.com?field=value"
+        @settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+        @settings.security[:authn_requests_signed] = true
+        @settings.security[:embed_sign] = false
+        @settings.certificate  = ruby_saml_cert_text
+        @settings.private_key = ruby_saml_key_text
+        @cert = OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
+      end
+      
+      it "create a signature parameter with RSA_SHA1 and validate it" do
+        @settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
 
-    describe "when the settings indicate to sign the request" do
-      it "create a signature parameter" do
-        settings = OneLogin::RubySaml::Settings.new
-        settings.compress_request = false
-        settings.idp_sso_target_url = "http://example.com?field=value"
-        settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
-        settings.security[:authn_requests_signed] = true
-        settings.security[:embed_sign] = false
-        settings.security[:signature_method] = XMLSecurity::Document::SHA1
-        settings.certificate  = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-
-        params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+        params = OneLogin::RubySaml::Authrequest.new.create_params(@settings, :RelayState => 'http://example.com')
+        assert params['SAMLRequest']
+        assert params[:RelayState]
         assert params['Signature']
-        assert params['SigAlg'] == XMLSecurity::Document::SHA1
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
 
-        # signature_method only affects the embedeed signature
-        settings.security[:signature_method] = XMLSecurity::Document::SHA256
-        params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA256 and validate it" do
+        @settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+        params = OneLogin::RubySaml::Authrequest.new.create_params(@settings, :RelayState => 'http://example.com')
         assert params['Signature']
-        assert params['SigAlg'] == XMLSecurity::Document::SHA1
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+
+        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)        
       end
     end
 

data/test/response_test.rb

@@ -1,5 +1,7 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
+require 'onelogin/ruby-saml/response'
+
 class RubySamlTest < Minitest::Test
 
   describe "Response" do
@@ -119,7 +121,7 @@ class RubySamlTest < Minitest::Test
         settings.idp_cert_fingerprint = signature_fingerprint_1
         response.settings = settings
         assert response.is_valid?
-        assert response.name_id == "test@onelogin.com"
+        assert_equal response.name_id, "test@onelogin.com"
       end
 
       it "support dynamic namespace resolution on signature elements" do
@@ -193,15 +195,23 @@ class RubySamlTest < Minitest::Test
         assert response.send(:validate_conditions, true)
       end
 
-      it "optionally allow for clock drift" do
+      it "optionally allows for clock drift" do
         # The NotBefore condition in the document is 2011-06-14T18:21:01.516Z
-        Time.stubs(:now).returns(Time.parse("2011-06-14T18:21:01Z"))
-        response = OneLogin::RubySaml::Response.new(response_document_5, :allowed_clock_drift => 0.515)
-        assert !response.send(:validate_conditions, true)
+        Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
+          response = OneLogin::RubySaml::Response.new(
+            response_document_5,
+            :allowed_clock_drift => 0.515
+          )
+          assert !response.send(:validate_conditions, true)
+        end
 
-        Time.stubs(:now).returns(Time.parse("2011-06-14T18:21:01Z"))
-        response = OneLogin::RubySaml::Response.new(response_document_5, :allowed_clock_drift => 0.516)
-        assert response.send(:validate_conditions, true)
+        Timecop.freeze(Time.parse("2011-06-14T18:21:01Z")) do
+          response = OneLogin::RubySaml::Response.new(
+            response_document_5,
+            :allowed_clock_drift => 0.516
+          )
+          assert response.send(:validate_conditions, true)
+        end
       end
     end
 
@@ -376,5 +386,28 @@ class RubySamlTest < Minitest::Test
         assert_equal($evalled, nil)
       end
     end
+
+    describe '#sign_document' do
+      it 'Sign an unsigned SAML Response XML and initiate the SAML object with it' do
+        xml = Base64.decode64(fixture("test_sign.xml"))
+
+        document = XMLSecurity::Document.new(xml)
+
+        formated_cert = OneLogin::RubySaml::Utils.format_cert(ruby_saml_cert_text)
+        cert = OpenSSL::X509::Certificate.new(formated_cert)
+
+        formated_private_key = OneLogin::RubySaml::Utils.format_private_key(ruby_saml_key_text)
+        private_key = OpenSSL::PKey::RSA.new(formated_private_key)
+        document.sign_document(private_key, cert)
+
+        saml_response = OneLogin::RubySaml::Response.new(document.to_s)
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert = ruby_saml_cert_text
+        saml_response.settings = settings
+        time = Time.parse("2015-03-18T04:50:24Z")
+        Time.stubs(:now).returns(time)
+        saml_response.validate!
+      end
+    end
   end
 end

data/test/responses/test_sign.xml

@@ -0,0 +1,43 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<samlp:Response Destination='http://recipient' ID='R6fa6c6bfb42798aa6d2893740f1e8d0fc361ac23' InResponseTo='_36387b60-af58-0132-6be9-6c4008ad82d2' IssueInstant='2015-03-18T04:50:24Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'>
+  <saml:Issuer>https://app.onelogin.com/saml/metadata/433789</saml:Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Success'/>
+  </samlp:Status>
+  <saml:Assertion ID='pfxcb6907fc-cd01-59eb-a50f-513689085a71' IssueInstant='2015-03-18T04:50:24Z' Version='2.0' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
+    <saml:Issuer>https://app.onelogin.com/saml/metadata/433789</saml:Issuer>
+    <saml:Subject>
+      <saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>jane.doe@example.com</saml:NameID>
+      <saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>
+        <saml:SubjectConfirmationData InResponseTo='_36387b60-af58-0132-6be9-6c4008ad82d2' NotOnOrAfter='2015-03-19T17:57:12Z' Recipient='http://recipient'/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore='2015-03-18T04:47:24Z' NotOnOrAfter='2015-03-19T17:57:12Z'>
+      <saml:AudienceRestriction>
+        <saml:Audience>http://audience</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant='2015-03-18T04:50:23Z' SessionIndex='_f4610090-af35-0132-899e-38ca3a662f1c' SessionNotOnOrAfter='2015-03-19T04:50:24Z'>
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name='User.email' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'>
+        <saml:AttributeValue xsi:type='xs:string' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>jane.doe@example.com</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name='User.FirstName' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'>
+        <saml:AttributeValue xsi:type='xs:string' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>Jane</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name='User.LastName' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'>
+        <saml:AttributeValue xsi:type='xs:string' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>Doe</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name='PersonImmutableID' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'>
+        <saml:AttributeValue xsi:type='xs:string' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'/>
+      </saml:Attribute>
+      <saml:Attribute Name='memberOf' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:basic'>
+        <saml:AttributeValue xsi:type='xs:string' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'/>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>

data/test/settings_test.rb

@@ -1,5 +1,7 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
+require 'onelogin/ruby-saml/settings'
+
 class SettingsTest < Minitest::Test
 
   describe "Settings" do
@@ -61,5 +63,19 @@ class SettingsTest < Minitest::Test
       assert_equal @settings.attribute_consuming_service.name, "Test Service"
       assert_equal @settings.attribute_consuming_service.attributes, [{:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name" }]
     end
+
+    it "does not modify default security settings" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.security[:authn_requests_signed] = true
+      settings.security[:embed_sign] = true
+      settings.security[:digest_method] = XMLSecurity::Document::SHA256
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+      new_settings = OneLogin::RubySaml::Settings.new
+      assert_equal new_settings.security[:authn_requests_signed], false
+      assert_equal new_settings.security[:embed_sign], false
+      assert_equal new_settings.security[:digest_method], XMLSecurity::Document::SHA1
+      assert_equal new_settings.security[:signature_method], XMLSecurity::Document::RSA_SHA1
+    end
   end
 end

data/test/slo_logoutrequest_test.rb

@@ -1,6 +1,8 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 require 'responses/logoutresponse_fixtures'
 
+require 'onelogin/ruby-saml/slo_logoutrequest'
+
 class RubySamlTest < Minitest::Test
 
   describe "SloLogoutrequest" do

data/test/slo_logoutresponse_test.rb

@@ -1,5 +1,7 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
+require 'onelogin/ruby-saml/slo_logoutresponse'
+
 class SloLogoutresponseTest < Minitest::Test
 
   describe "SloLogoutresponse" do
@@ -65,7 +67,7 @@ class SloLogoutresponseTest < Minitest::Test
       assert_match /<samlp:StatusMessage>Custom Logout Message<\/samlp:StatusMessage>/, inflated
     end
 
-    describe "when the settings indicate to sign (embebed) the logout response" do
+    describe "when the settings indicate to sign (embedded) logout response" do
       it "create a signed logout response" do
         settings = OneLogin::RubySaml::Settings.new
         settings.compress_response = false
@@ -81,7 +83,7 @@ class SloLogoutresponseTest < Minitest::Test
         response_xml = Base64.decode64(params["SAMLResponse"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
         response_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
-        response_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
+        response_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1'\/>/
       end
 
       it "create a signed logout response with 256 digest and signature methods" do
@@ -90,7 +92,7 @@ class SloLogoutresponseTest < Minitest::Test
         settings.idp_slo_target_url = "http://example.com?field=value"
         settings.security[:logout_responses_signed] = true
         settings.security[:embed_sign] = true
-        settings.security[:signature_method] = XMLSecurity::Document::SHA256
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
         settings.security[:digest_method] = XMLSecurity::Document::SHA512
         settings.certificate  = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
@@ -105,29 +107,57 @@ class SloLogoutresponseTest < Minitest::Test
       end
     end
 
-    describe "when the settings indicate to sign the logout response" do
-      it "create a signature parameter" do
-        settings = OneLogin::RubySaml::Settings.new
-        settings.compress_response = false
-        settings.idp_slo_target_url = "http://example.com?field=value"
-        settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
-        settings.security[:logout_responses_signed] = true
-        settings.security[:embed_sign] = false
-        settings.security[:signature_method] = XMLSecurity::Document::SHA1
-        settings.certificate  = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
+    describe "#create_params when the settings indicate to sign the logout response" do
+      def setup
+        @settings = OneLogin::RubySaml::Settings.new
+        @settings.compress_response = false
+        @settings.idp_slo_target_url = "http://example.com?field=value"
+        @settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+        @settings.security[:logout_responses_signed] = true
+        @settings.security[:embed_sign] = false
+        @settings.certificate  = ruby_saml_cert_text
+        @settings.private_key = ruby_saml_key_text
+        @cert = OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
+        @request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
+      end
 
-        request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
-        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, request.id, "Custom Logout Message")
+      it "create a signature parameter with RSA_SHA1 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(@settings, @request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
         assert params['Signature']
-        assert params['SigAlg'] == XMLSecurity::Document::SHA1
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
 
-        # signature_method only affects the embedeed signature
-        settings.security[:signature_method] = XMLSecurity::Document::SHA256
-        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, request.id, "Custom Logout Message")
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+
+      it "create a signature parameter with RSA_SHA256 and validate it" do
+        @settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(@settings, @request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
         assert params['Signature']
-        assert params['SigAlg'] == XMLSecurity::Document::SHA1
+
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
+
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
+        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
       end
+
     end
   end
 end

data/test/test_helper.rb

@@ -7,7 +7,6 @@ Bundler.require :default, :test
 
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
-require 'ruby-saml'
 
 ENV["ruby-saml/testing"] = "1"
 

data/test/xml_security_test.rb

@@ -78,7 +78,44 @@ class XmlSecurityTest < Minitest::Test
     end
   end
 
-  describe "Algorithms" do
+  describe "Fingerprint Algorithms" do
+    let(:response_fingerprint_test) { OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha1, false)) }
+
+    it "validate using SHA1" do
+      sha1_fingerprint = "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72"
+      sha1_fingerprint_downcase = "f13c6b80905a030e6c913e5d15faddb016454872"
+
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA1)
+
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase)
+      assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase, true, :fingerprint_alg => XMLSecurity::Document::SHA1)
+    end
+
+    it "validate using SHA256" do
+      sha256_fingerprint = "C4:C6:BD:41:EC:AD:57:97:CE:7B:7D:80:06:C3:E4:30:53:29:02:0B:DD:2D:47:02:9E:BD:85:AD:93:02:45:21"
+
+      assert !response_fingerprint_test.document.validate_document(sha256_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha256_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA256)
+    end
+
+    it "validate using SHA384" do
+      sha384_fingerprint = "98:FE:17:90:31:E7:68:18:8A:65:4D:DA:F5:76:E2:09:97:BE:8B:E3:7E:AA:8D:63:64:7C:0C:38:23:9A:AC:A2:EC:CE:48:A6:74:4D:E0:4C:50:80:40:B4:8D:55:14:14"
+
+      assert !response_fingerprint_test.document.validate_document(sha384_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha384_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA384)
+    end
+
+    it "validate using SHA512" do
+      sha512_fingerprint = "5A:AE:BA:D0:BA:9D:1E:25:05:01:1E:1A:C9:E9:FF:DB:ED:FA:6E:F7:52:EB:45:49:BD:DB:06:D8:A3:7E:CC:63:3A:04:A2:DD:DF:EE:61:05:D9:58:95:2A:77:17:30:4B:EB:4A:9F:48:4A:44:1C:D0:9E:0B:1E:04:77:FD:A3:D2"
+
+      assert !response_fingerprint_test.document.validate_document(sha512_fingerprint)
+      assert response_fingerprint_test.document.validate_document(sha512_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA512)
+    end
+
+  end
+
+  describe "Signature Algorithms" do
     it "validate using SHA1" do
       @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
       assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
@@ -157,7 +194,7 @@ class XmlSecurityTest < Minitest::Test
 
         # verify our signature
         signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
-        signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
       end
 
       it "sign a LogoutRequest" do
@@ -173,7 +210,7 @@ class XmlSecurityTest < Minitest::Test
 
         # verify our signature
         signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
-        signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
       end
 
       it "sign a LogoutResponse" do
@@ -189,7 +226,7 @@ class XmlSecurityTest < Minitest::Test
 
         # verify our signature
         signed_doc = XMLSecurity::SignedDocument.new(response.to_s)
-        signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
+        assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
       end
     end