ruby-saml 1.1.2 → 1.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 162de30b9475ee4bc219f26c544304d051ab5c34
+  data.tar.gz: 685afabca84ac713ab43a2c848cfdb20dd92f579
+SHA512:
+  metadata.gz: e5a3f645b2cf71452e7f22a2bbc853f393978516e1abc185b3cbbfe4aa19403b3b3760c839d72f81fd36128241e09c58dff8c84c5b1b2dc1b0177a85b235cf81
+  data.tar.gz: 7ef80e8936bda82946041ebc220002b7d7a745819a2a419f190c6a0980449cd00516338df8879dcb67b13dd882ba155a665ed31154113fc2826112629fbbedcc

data/README.md

@@ -1,12 +1,17 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.1.x to 1.2.X
 
-## Updating from 1.0.x to 1.1.X
+Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom, refactor error handling and some minor improvements
 
-Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+There is no compatibility issue detected.
 
 For more details, please review [the changelog](changelog.md).
 
+## Updating from 1.0.x to 1.1.X
+
+Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+
 ## Updating from 0.9.x to 1.0.X
 
 Version `1.0` is a recommended update for all Ruby SAML users as it includes security fixes.
@@ -33,6 +38,7 @@ We created a demo project for Rails4 that uses the latest version of this librar
 ### Supported versions of Ruby
 * 1.8.7
 * 1.9.x
+* 2.0.x
 * 2.1.x
 * 2.2.x
 * JRuby 1.7.19
@@ -254,7 +260,7 @@ end
 The following attributes are set:
   * idp_sso_target_url
   * idp_slo_target_url
-  * idp_cert_fingerpint
+  * idp_cert_fingerprint
 
 If you are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
 `single_value_compatibility` (when activate, only one value returned, the first one)
@@ -386,7 +392,10 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```ruby
   settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
   settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
-  settings.security[:logout_responses_signed] = true     # Enable or not signature on Logout Response
+  settings.security[:logout_responses_signed] = true     # Enable or not 
+  signature on Logout Response
+  settings.security[:want_assertions_signed]  = true     # Enable or not 
+  the requirement of signed assertion
   settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
   settings.security[:digest_method]    = XMLSecurity::Document::SHA1
@@ -466,8 +475,8 @@ and this method process the SAML Logout Response sent by the IdP as reply of the
 def process_logout_response
   settings = Account.get_saml_settings
 
-  if session.has_key? :transation_id
-    logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => session[:transation_id])
+  if session.has_key? :transaction_id
+    logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => session[:transaction_id])
   else
     logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings)
   end

data/changelog.md

@@ -1,6 +1,20 @@
 # RubySaml Changelog
 
-### 1.1.2 (February 15, 2015)
+### 1.2.0 (April 29, 2016)
+* [#269](https://github.com/onelogin/ruby-saml/pull/269) Refactor error handling; allow collect error messages when soft=true (normal validation stop after find first error)
+* [#289](https://github.com/onelogin/ruby-saml/pull/289) Remove uuid gem in favor of SecureRandom
+* [#297](https://github.com/onelogin/ruby-saml/pull/297) Implement EncryptedKey RetrievalMethod support
+* [#298](https://github.com/onelogin/ruby-saml/pull/298) IDP metadata parsing improved: binding parsing, fingerprint_algorithm support)
+* [#299](https://github.com/onelogin/ruby-saml/pull/299) Make 'signing' at KeyDescriptor optional
+* [#308](https://github.com/onelogin/ruby-saml/pull/308) Support name_id_format on SAMLResponse
+* [#315](https://github.com/onelogin/ruby-saml/pull/315) Support for canonicalization with comments
+* [#316](https://github.com/onelogin/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
+* [#321](https://github.com/onelogin/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
+* Changes on empty URI of Signature reference management
+* [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI 
+* [#306](https://github.com/onelogin/ruby-saml/pull/306) Support WantAssertionsSigned
+
+### 1.1.2 (February 15, 2016)
 * Improve signature validation. Add tests.
  [#302](https://github.com/onelogin/ruby-saml/pull/302) Add Destination validation.
 * [#292](https://github.com/onelogin/ruby-saml/pull/292) Improve the error message when validating the audience.

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -1,8 +1,8 @@
-require "uuid"
 require "rexml/document"
 
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -20,7 +20,7 @@ module OneLogin
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the AuthNRequest string.

data/lib/onelogin/ruby-saml/error_handling.rb

@@ -0,0 +1,27 @@
+require "onelogin/ruby-saml/validation_error"
+
+module OneLogin
+  module RubySaml
+    module ErrorHandling
+      attr_accessor :errors
+
+      # Append the cause to the errors array, and based on the value of soft, return false or raise
+      # an exception. soft_override is provided as a means of overriding the object's notion of
+      # soft for just this invocation.
+      def append_error(error_msg, soft_override = nil)
+        @errors << error_msg
+
+        unless soft_override.nil? ? soft : soft_override
+          raise ValidationError.new(error_msg)
+        end
+
+        false
+      end
+
+      # Reset the errors array
+      def reset_errors!
+        @errors = []
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -1,5 +1,4 @@
 require "base64"
-require "uuid"
 require "zlib"
 require "cgi"
 require "net/http"
@@ -16,8 +15,10 @@ module OneLogin
     #
     class IdpMetadataParser
 
-      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
-      DSIG     = "http://www.w3.org/2000/09/xmldsig#"
+      METADATA       = "urn:oasis:names:tc:SAML:2.0:metadata"
+      DSIG           = "http://www.w3.org/2000/09/xmldsig#"
+      NAME_FORMAT    = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
+      SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
 
       attr_reader :document
       attr_reader :response
@@ -26,26 +27,30 @@ module OneLogin
       # IdP values
       #
       # @param (see IdpMetadataParser#get_idp_metadata)
+      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object
       # @return (see IdpMetadataParser#get_idp_metadata)
       # @raise (see IdpMetadataParser#get_idp_metadata)
-      def parse_remote(url, validate_cert = true)
+      def parse_remote(url, validate_cert = true, options = {})
         idp_metadata = get_idp_metadata(url, validate_cert)
-        parse(idp_metadata)
+        parse(idp_metadata, options)
       end
 
       # Parse the Identity Provider metadata and update the settings with the IdP values
       # @param idp_metadata [String] 
+      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object
       #
-      def parse(idp_metadata)
+      def parse(idp_metadata, options = {})
         @document = REXML::Document.new(idp_metadata)
 
-        OneLogin::RubySaml::Settings.new.tap do |settings|
+        (options[:settings] || OneLogin::RubySaml::Settings.new).tap do |settings|
           settings.idp_entity_id = idp_entity_id
           settings.name_identifier_format = idp_name_id_format
-          settings.idp_sso_target_url = single_signon_service_url
-          settings.idp_slo_target_url = single_logout_service_url
+          settings.idp_sso_target_url = single_signon_service_url(options)
+          settings.idp_slo_target_url = single_logout_service_url(options)
           settings.idp_cert = certificate_base64
-          settings.idp_cert_fingerprint = fingerprint
+          settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
+          settings.idp_attribute_names = attribute_names
+          settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
         end
       end
 
@@ -112,23 +117,61 @@ module OneLogin
         node.text if node
       end
 
+      # @param binding_priority [Array]
+      # @return [String|nil] SingleSignOnService binding if exists
+      #
+      def single_signon_service_binding(binding_priority = nil)
+        nodes = REXML::XPath.match(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Binding",
+          { "md" => METADATA }
+        )
+        if binding_priority
+          values = nodes.map(&:value)
+          binding_priority.detect{ |binding| values.include? binding }
+        else
+          nodes.first.value if nodes.any?
+        end
+      end
+
+      # @param options [Hash]
       # @return [String|nil] SingleSignOnService endpoint if exists
       #
-      def single_signon_service_url
+      def single_signon_service_url(options = {})
+        binding = options[:sso_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         node = REXML::XPath.first(
           document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location",
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
           { "md" => METADATA }
         )
         node.value if node
       end
 
+      # @param binding_priority [Array]
+      # @return [String|nil] SingleLogoutService binding if exists
+      #
+      def single_logout_service_binding(binding_priority = nil)
+        nodes = REXML::XPath.match(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Binding",
+          { "md" => METADATA }
+        )
+        if binding_priority
+          values = nodes.map(&:value)
+          binding_priority.detect{ |binding| values.include? binding }
+        else
+          nodes.first.value if nodes.any?
+        end
+      end
+
+      # @param options [Hash]
       # @return [String|nil] SingleLogoutService endpoint if exists
       #
-      def single_logout_service_url
+      def single_logout_service_url(options = {})
+        binding = options[:slo_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         node = REXML::XPath.first(
           document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location",
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
           { "md" => METADATA }
         )
         node.value if node
@@ -143,6 +186,14 @@ module OneLogin
               "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
               { "md" => METADATA, "ds" => DSIG }
           )
+
+          unless node
+            node = REXML::XPath.first(
+                document,
+                "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+                { "md" => METADATA, "ds" => DSIG }
+            )
+          end
           node.text if node
         end
       end
@@ -158,14 +209,27 @@ module OneLogin
 
       # @return [String|nil] the SHA-1 fingerpint of the X509Certificate if it exists
       #
-      def fingerprint
+      def fingerprint(fingerprint_algorithm)
         @fingerprint ||= begin
           if certificate
             cert = OpenSSL::X509::Certificate.new(certificate)
-            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+
+            fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
+            fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
           end
         end
       end
+
+      # @return [Array] the names of all SAML attributes if any exist
+      #
+      def attribute_names
+        nodes = REXML::XPath.match(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/saml:Attribute/@Name",
+          { "md" => METADATA, "NameFormat" => NAME_FORMAT, "saml" => SAML_ASSERTION }
+        )
+        nodes.map(&:value)
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,7 +1,6 @@
-require "uuid"
-
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -18,7 +17,7 @@ module OneLogin
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the Logout Request string.
@@ -108,7 +107,7 @@ module OneLogin
           nameid.text = settings.name_identifier_value
         else
           # If no NameID is present in the settings we generate one
-          nameid.text = "_" + UUID.new.generate
+          nameid.text = OneLogin::RubySaml::Utils.uuid
           nameid.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
         end
 

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -10,13 +10,11 @@ module OneLogin
     # SAML2 Logout Response (SLO IdP initiated, Parser)
     #
     class Logoutresponse < SamlMessage
+      include ErrorHandling
 
       # OneLogin::RubySaml::Settings Toolkit settings
       attr_accessor :settings
 
-      # Array with the causes
-      attr_accessor :errors
-
       attr_reader :document
       attr_reader :response
       attr_reader :options
@@ -47,18 +45,6 @@ module OneLogin
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
-      # Append the cause to the errors array, and based on the value of soft, return false or raise
-      # an exception
-      def append_error(error_msg)
-        @errors << error_msg
-        return soft ? false : validation_error(error_msg)
-      end
-
-      # Reset the errors array
-      def reset_errors!
-        @errors = []
-      end
-
       # Checks if the Status has the "Success" code
       # @return [Boolean] True if the StatusCode is Sucess
       # @raise [ValidationError] if soft == false and validation fails
@@ -117,18 +103,30 @@ module OneLogin
       end
 
       # Aux function to validate the Logout Response
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the SAML Response is valid
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate
+      def validate(collect_errors = false)
         reset_errors!
 
-        valid_state? &&
-        validate_success_status &&
-        validate_structure &&
-        valid_in_response_to? &&
-        valid_issuer? &&
-        validate_signature
+        if collect_errors
+          valid_state?
+          validate_success_status
+          validate_structure
+          valid_in_response_to?
+          valid_issuer?
+          validate_signature
+
+          @errors.empty?
+        else
+          valid_state? &&
+          validate_success_status &&
+          validate_structure &&
+          valid_in_response_to? &&
+          valid_issuer? &&
+          validate_signature
+        end
       end
 
       private

data/lib/onelogin/ruby-saml/metadata.rb

@@ -1,7 +1,7 @@
 require "uri"
-require "uuid"
 
 require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -29,8 +29,7 @@ module OneLogin
         sp_sso = root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
             "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
-            # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
-            "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
+            "WantAssertionsSigned" => settings.security[:want_assertions_signed],
         }
 
         # Add KeyDescriptor if messages will be signed / encrypted
@@ -50,7 +49,7 @@ module OneLogin
           xc2.text = cert_text
         end
 
-        root.attributes["ID"] = "_" + UUID.new.generate
+        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
         if settings.issuer
           root.attributes["entityID"] = settings.issuer
         end

data/lib/onelogin/ruby-saml/response.rb

@@ -11,6 +11,8 @@ module OneLogin
     # SAML2 Authentication Response. SAML Response
     #
     class Response < SamlMessage
+      include ErrorHandling
+
       ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
@@ -21,9 +23,6 @@ module OneLogin
       # OneLogin::RubySaml::Settings Toolkit settings
       attr_accessor :settings
 
-      # Array with the causes [Array of strings]
-      attr_accessor :errors
-
       attr_reader :document
       attr_reader :decrypted_document
       attr_reader :response
@@ -39,16 +38,15 @@ module OneLogin
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
       #                          or skip the subject confirmation validation with the :skip_subject_confirmation option
       def initialize(response, options = {})
-        @errors = []
-
         raise ArgumentError.new("Response cannot be nil") if response.nil?
-        @options = options
 
+        @errors = []
+        @options = options
         @soft = true
-        if !options.empty? && !options[:settings].nil?
+        unless options[:settings].nil?
           @settings = options[:settings]
-          if !options[:settings].soft.nil? 
-            @soft = options[:settings].soft
+          unless @settings.soft.nil?
+            @soft = @settings.soft
           end
         end
 
@@ -60,41 +58,36 @@ module OneLogin
         end
       end
 
-      # Append the cause to the errors array, and based on the value of soft, return false or raise
-      # an exception
-      def append_error(error_msg)
-        @errors << error_msg
-        return soft ? false : validation_error(error_msg)
-      end
-
-      # Reset the errors array
-      def reset_errors!
-        @errors = []
-      end
-
       # Validates the SAML Response with the default values (soft = true)
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the SAML Response is valid
       #
-      def is_valid?
-        validate
+      def is_valid?(collect_errors = false)
+        validate(collect_errors)
       end
 
       # @return [String] the NameID provided by the SAML response from the IdP.
       #
       def name_id
-        @name_id ||= begin
-          encrypted_node = xpath_first_from_signed_assertion('/a:Subject/a:EncryptedID')
-          if encrypted_node
-            node = decrypt_nameid(encrypted_node)
-          else
-            node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
+        @name_id ||=
+          if name_id_node
+            name_id_node.text
           end
-          node.nil? ? nil : node.text
-        end
       end
 
       alias_method :nameid, :name_id
 
+      # @return [String] the NameID Format provided by the SAML response from the IdP.
+      #
+      def name_id_format
+        @name_id_format ||=
+          if name_id_node && name_id_node.attribute("Format")
+            name_id_node.attribute("Format").value
+          end
+      end
+
+      alias_method :nameid_format, :name_id_format
+
 
       # Gets the SessionIndex from the AuthnStatement.
       # Could be used to be stored in the local session in order
@@ -291,28 +284,48 @@ module OneLogin
       private
 
       # Validates the SAML Response (calls several validation methods)
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] True if the SAML Response is valid, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate
+      def validate(collect_errors = false)
         reset_errors!
 
-        validate_response_state &&
-        validate_version &&
-        validate_id &&
-        validate_success_status &&
-        validate_num_assertion &&
-        validate_no_encrypted_attributes &&
-        validate_signed_elements &&
-        validate_structure &&
-        validate_in_response_to &&
-        validate_conditions &&
-        validate_audience &&
-        validate_destination &&
-        validate_issuer &&
-        validate_session_expiration &&
-        validate_subject_confirmation &&
-        validate_signature
+        if collect_errors
+          return false unless validate_response_state
+          validate_version
+          validate_id
+          validate_success_status
+          validate_num_assertion
+          validate_no_encrypted_attributes
+          validate_signed_elements
+          validate_structure
+          validate_in_response_to
+          validate_conditions
+          validate_audience
+          validate_issuer
+          validate_session_expiration
+          validate_subject_confirmation
+          validate_signature
+          @errors.empty?
+        else
+          validate_response_state &&
+          validate_version &&
+          validate_id &&
+          validate_success_status &&
+          validate_num_assertion &&
+          validate_no_encrypted_attributes &&
+          validate_signed_elements &&
+          validate_structure &&
+          validate_in_response_to &&
+          validate_conditions &&
+          validate_audience &&
+          validate_destination &&
+          validate_issuer &&
+          validate_session_expiration &&
+          validate_subject_confirmation &&
+          validate_signature
+        end
       end
 
 
@@ -442,6 +455,10 @@ module OneLogin
           return append_error("Found an unexpected number of Signature Element. SAML Response rejected")
         end
 
+        if settings.security[:want_assertions_signed] && !(signed_elements.include? "Assertion")
+          return append_error("The Assertion of the Response is not signed and the SP requires it")
+        end
+
         true
       end
 
@@ -638,6 +655,18 @@ module OneLogin
         true
       end
 
+      def name_id_node
+        @name_id_node ||=
+          begin
+            encrypted_node = xpath_first_from_signed_assertion('/a:Subject/a:EncryptedID')
+            if encrypted_node
+              node = decrypt_nameid(encrypted_node)
+            else
+              node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
+            end
+          end
+      end
+
       # Extracts the first appearance that matchs the subelt (pattern)
       # Search on any Assertion that is signed, or has a Response parent signed
       # @param subelt [String] The XPath pattern
@@ -686,7 +715,7 @@ module OneLogin
       #
       def generate_decrypted_document
         if settings.nil? || !settings.get_sp_key
-          validation_error('An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method')
+          raise ValidationError.new('An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method')
         end
 
         # Marshal at Ruby 1.8.7 throw an Exception
@@ -752,7 +781,7 @@ module OneLogin
       #
       def decrypt_element(encrypt_node, rgrex)
         if settings.nil? || !settings.get_sp_key
-          return validation_error('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
+          raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
         end
 
         elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)