ruby-saml 1.1.2 → 1.2.0

data/test/logoutrequest_test.rb

@@ -29,7 +29,8 @@ class RequestTest < Minitest::Test
     end
 
     it "set sessionindex" do
-      sessionidx = UUID.new.generate
+      settings.idp_slo_target_url = "http://example.com"
+      sessionidx = OneLogin::RubySaml::Utils.uuid
       settings.sessionindex = sessionidx
 
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })

data/test/logoutresponse_test.rb

@@ -131,6 +131,15 @@ class RubySamlTest < Minitest::Test
           assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
         end
 
+        it "collect errors when collect_errors=true" do          
+          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
+          collect_errors = true
+          assert !logoutresponse.validate(collect_errors)
+          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
+          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
+        end
+
       end
 
       describe "when soft=false" do

data/test/metadata_test.rb

@@ -75,6 +75,20 @@ class MetadataTest < Minitest::Test
       assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
     end
 
+    describe "WantAssertionsSigned" do
+      it "generates Service Provider Metadata with WantAssertionsSigned = false" do
+        settings.security[:want_assertions_signed] = false
+        assert_equal "false", spsso_descriptor.attribute("WantAssertionsSigned").value
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+
+      it "generates Service Provider Metadata with WantAssertionsSigned = true" do
+        settings.security[:want_assertions_signed] = true
+        assert_equal "true", spsso_descriptor.attribute("WantAssertionsSigned").value
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+    end
+
     describe "when auth requests are signed" do
       let(:key_descriptors) do
         REXML::XPath.match(

data/test/response_test.rb

@@ -389,12 +389,22 @@ class RubySamlTest < Minitest::Test
         end
 
         it "return true when a nil URI is given in the ds:Reference" do
-
-          response_without_reference_uri.stubs(:conditions).returns(nil)
+          settings.idp_cert = ruby_saml_cert_text
           response_without_reference_uri.settings = settings
-          response_without_reference_uri.settings.idp_cert_fingerprint = "19:4D:97:E4:D8:C9:C8:CF:A4:B7:21:E5:EE:49:7F:D9:66:0E:52:13"
-          assert response_without_reference_uri.is_valid?
+          response_without_reference_uri.stubs(:conditions).returns(nil)
+          response_without_reference_uri.is_valid?
           assert_empty response_without_reference_uri.errors
+          assert 'saml@user.com', response_without_reference_uri.attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']
+        end
+
+        it "collect errors when collect_errors=true" do
+          settings.idp_cert = ruby_saml_cert_text
+          settings.issuer = 'invalid'
+          response_invalid_subjectconfirmation_recipient.settings = settings
+          collect_errors = true
+          response_invalid_subjectconfirmation_recipient.is_valid?(collect_errors)
+          assert_includes response_invalid_subjectconfirmation_recipient.errors, "invalid is not a valid audience for this Response - Valid audiences: http://stuff.com/endpoints/metadata.php"
+          assert_includes response_invalid_subjectconfirmation_recipient.errors, "Invalid Signature on SAML Response"
         end
       end
     end
@@ -668,7 +678,7 @@ class RubySamlTest < Minitest::Test
         assert !response.send(:validate_session_expiration)
         assert_includes response.errors, "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response"
       end
-      
+
       it "returns true when the session has expired, but is still within the allowed_clock_drift" do
         drift = (Time.now - Time.parse("2010-11-19T21:57:37Z")) * 60 # seconds ago that this assertion expired
         drift += 10 # add a buffer of 10 seconds to make sure the test passes
@@ -734,7 +744,7 @@ class RubySamlTest < Minitest::Test
         settings.idp_cert = signature_1
         response_valid_signed_without_x509certificate.settings = settings
         assert !response_valid_signed_without_x509certificate.send(:validate_signature)
-        assert_includes response_valid_signed_without_x509certificate.errors, "Invalid Signature on SAML Response"        
+        assert_includes response_valid_signed_without_x509certificate.errors, "Invalid Signature on SAML Response"
       end
 
       it "return true when no X509Certificate and the cert provided at settings matches" do
@@ -774,6 +784,13 @@ class RubySamlTest < Minitest::Test
       end
     end
 
+    describe "#name_id_format" do
+      it "extract the value of the name id element" do
+        assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", response.name_id_format
+        assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", response_with_signed_assertion.name_id_format
+      end
+    end
+
     describe "#sessionindex" do
       it "extract the value of the sessionindex element" do
         response = OneLogin::RubySaml::Response.new(fixture(:simple_saml_php))
@@ -990,6 +1007,26 @@ class RubySamlTest < Minitest::Test
       end
     end
 
+    describe '#want_assertion_signed' do
+      before do
+        settings.security[:want_assertions_signed] = true
+        @signed_assertion = OneLogin::RubySaml::Response.new(response_document_with_signed_assertion, :settings => settings)
+        @no_signed_assertion = OneLogin::RubySaml::Response.new(response_document_valid_signed, :settings => settings)
+      end
+
+
+      it 'returns false if :want_assertion_signed enabled and Assertion not signed' do
+        assert !@no_signed_assertion.send(:validate_signed_elements)
+        assert_includes @no_signed_assertion.errors, "The Assertion of the Response is not signed and the SP requires it"
+
+      end
+
+      it 'returns true if :want_assertion_signed enabled and Assertion is signed' do
+        assert @signed_assertion.send(:validate_signed_elements)
+        assert_empty @signed_assertion.errors
+      end
+    end
+
     describe "retrieve nameID" do
       it 'is possible  when nameID inside the assertion' do
         response_valid_signed.settings = settings
@@ -1001,12 +1038,17 @@ class RubySamlTest < Minitest::Test
           assert_raises(OneLogin::RubySaml::ValidationError, "An EncryptedID found and no SP private key found on the settings to decrypt it") do
             assert_equal "test@onelogin.com", response_encrypted_nameid.nameid
           end
+
+          assert_raises(OneLogin::RubySaml::ValidationError, "An EncryptedID found and no SP private key found on the settings to decrypt it") do
+            assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", response_encrypted_nameid.name_id_format
+          end
       end
 
       it 'is possible when encryptID inside the assertion and settings has the private key' do
         settings.private_key = ruby_saml_key_text
         response_encrypted_nameid.settings = settings
         assert_equal "test@onelogin.com", response_encrypted_nameid.nameid
+        assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", response_encrypted_nameid.name_id_format
       end
 
     end
@@ -1152,6 +1194,28 @@ class RubySamlTest < Minitest::Test
         assert decrypted.name, "Assertion"
       end
 
+      it "is possible to decrypt the assertion if private key provided and EncryptedKey RetrievalMethod presents in response" do
+        settings.private_key = ruby_saml_key_text
+        resp = read_response('response_with_retrieval_method.xml')
+        response = OneLogin::RubySaml::Response.new(resp, :settings => settings)
+
+        encrypted_assertion_node = REXML::XPath.first(
+          response.document,
+          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+          { "p" => "urn:oasis:names:tc:SAML:2.0:protocol", "a" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        )
+        decrypted = response.send(:decrypt_assertion, encrypted_assertion_node)
+
+        encrypted_assertion_node2 = REXML::XPath.first(
+          decrypted,
+          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+          { "p" => "urn:oasis:names:tc:SAML:2.0:protocol", "a" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        )
+
+        assert_nil encrypted_assertion_node2
+        assert decrypted.name, "Assertion"
+      end
+
       it "is possible to decrypt the assertion if private key but no saml namespace on the Assertion Element that is inside the EncryptedAssertion" do
         unsigned_message_encrypted_assertion_without_saml_namespace = read_response('unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64')
         response = OneLogin::RubySaml::Response.new(unsigned_message_encrypted_assertion_without_saml_namespace, :settings => settings)

data/test/responses/idp_descriptor.xml

@@ -1,3 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <md:EntityDescriptor entityID="https://example.hello.com/access/saml/idp.xml" validUntil="2014-04-17T18:02:33.910Z" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/logout" ResponseLocation="https://example.hello.com/access/saml/logout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/login"/></md:IDPSSODescriptor></md:EntityDescriptor>
+</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/logout" ResponseLocation="https://example.hello.com/access/saml/logout"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.hello.com/access/saml/login"/><saml:Attribute Name="AuthToken" NameFormat="urn:oasis:names:tc:SAML:2.0:att rname-format:basic" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/><saml:Attribute Name="SSOStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/></md:IDPSSODescriptor></md:EntityDescriptor>

data/test/responses/response_with_retrieval_method.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?><saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://sp.example.com/saml/acs" ID="id24448663616025051347254621" InResponseTo="_a20019d0-ccdb-0133-0c29-3888e3304166" IssueInstant="2016-03-15T12:59:11.520Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/exk4jkh2xxJIrTmGP0x7</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#id24448663616025051347254621"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>48q4xnELjn82APp25kO4+wAdOCLN3BdNvZP7IGP2yW8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>IisXGT9N0ewlZfvkrfNqqhXHnFkfXG8Z9zIybYIBrJ2WtkBh2gJiEmLGFwnaMyJmDhvrk42jlied6UrxpbZK9jwugJoVsj1CFJ7VHYkqX21yYXs0fwW7xKUvYyMDD0BS6FN96mdM8PD4RUNoxh6UymRs/akwPXCNYZqur2Sz/imEnRjP5SGA8RIpSYpva2vVqzwsDSRMRe2P18LH0fegDxOa81OEClYucSfvtZwgHopsSL3d+KsOH5zvnVngL7UxjxT2L8fEzy5LQl2kM28P6eZ/QccP8ACtUdVYZz0xGUF8I7IwV0HmouMjj1BYfiXVWLaiSZ5C1J4AA4KK1t2hGg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDmjCCAoKgAwIBAgIGAVH33Q1VMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxDjAMBgNVBAMMBWZsYW50MRwwGgYJKoZIhvcNAQkBFg1pbmZv
+QG9rdGEuY29tMB4XDTE1MTIzMTExNDYxN1oXDTI1MTIzMTExNDcxN1owgY0xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARP
+a3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjEOMAwGA1UEAwwFZmxhbnQxHDAaBgkqhkiG9w0BCQEW
+DWluZm9Ab2t0YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCLjrnxEq1yqaEk
+JPgqWeVxicFC9PnXCmrDtoOnhz/9AJbks5/cDRYFGMRYrS2a8EX8I4FAa2DPrKwjyk6YqzzR9jY/
+Il3x6PTSUEQh5cvCE/Vb9C7iJAInazZ4MTI5xdEwtNt3UD/aVaAfW8k64DquTZnWK4Wtg9igS2ne
+pzYbmAma015O1oxggs4wv3JVgl5vCLdlMLj/kvBjx8XCXKOtVJVpHkJEI/pAE3s+XeVP3WBWbgEK
+NAcjRnWJ3igXlNir3O2ee1+dcDkoVmpXILBmClMu/JEdQWvIfnXYZOYv9GUzS/EODQIbOYm8wsan
++ErfrVDAAr30zDa7pG823JwFAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAHTU2NZ3tgIcZNtx8QP8
+WMtJ0038nzGmttx+oBc3zFu1+z8XBGRGW27ISL3vncWSAxeuFFzFWjWpBmMU2piM6MFvOYciI3vu
+iM6fpGCUKCojvKCfwZ/pQKP5RIk92vWlDl5USSr48NH4BUjC4qTIvQSaWrvZu+qlJ1h/JISPVy1J
+ftZSshAYaZTChmnqp/KtKQq7DOPVc14HR3gBkyoakQKjtQ9TBHAENJV3N1FOPJ3/D/Y85EzecLdT
+3fiT0RZZ7W/HsG2LLIQsTnsnBP018KEG2aqLFLxO67dVy2UchrxvwBjiyvoHVAdUdditoL5WKhAc
+KhT/MUKMlzqzYa17eww=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_3b5e1926678d4654409a579b245af8c5" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_86dc490e2ef641df2302e7e214b1a333"/></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>xgq5YG2k+6fI0+DeqrWlEHcxl3C+ujuFwMVD2th9d6H5bIvtAy52fFuKcYGAtGD9C/MqJkhA6L+EmpOhn1wUgA/lujmb9Od1ZkfMiI54WaX4gflahQ21YpXqvH5Ucp+XmG0AEiO++pSQ1tMf0L4SHMH60MXVGbKF4WPXNgHvGSvny5MTstoeYqM0jOpya9SrBjW29/DnjSw6VDIwZC89ZibIjLsxNY4aYGK2b0IwBRpo9YHtaD39CYQY8GMBtUNQFi6K8VPIGMihvrbyVNd1VMK3DD2iZTgF/wS2914K9WAZaGNCaeLuJD9rs4Sz7OIOYIrXQSOhfgI4O9azHpfUHRmrKor3AV6uL+8VkyMQQELXtrbWehs8O79qlZs2tfJuqSohkRDx0Z0MFvRw6YWqa4fF1AR7Ng/Z90FWNZJ0mzrVdztxdUnwa9t4bm07GNJtlhEELI1l0D1dzJLhdyVVVgJnm/Y8tv6EXz5lfUvfOj3XZcfuH51iYRaKD0LUxXwGIgIV7PoEanR0zSFC+wlYsYpqZuUSyFeAafKLEyE+Gmo7up/YXHSDhYyJx1UxUjyqr2lxVm36QWIdAhsQ7I/9Ew94IopuUydDD4lI0FezuRsphklv5wMxHon+49BEP8ZN3zK8E3csuxHXH0kESue0nkodTH9dJskpDUDtF68BxmVyLDTyq/9JOV++H5tHOXatWRfu74k+GUQvvRgRx/5dr8NO2QQ3r2pVtP19hScuZLVGpf9DV8RQRI/icyxJBz/OnmMGJoOU+t6tyvu5q2kSPZi/9Ipz4cFO6m11YFa5Kernuey6PGL6J0y9yFGtEs4nR0msYM6M8gBn1XRLvYCMVUcaUHXFiLZcvsOTNuLjiaes4gj6ONBfAcX98IZYPVLq1McQI+Izt0dNquU9yiMBG1GjJ0RUF4VR0naQezTixafugGNovgs2awDrRY5QJL2ffVzlxG3DZFRrcs2qGXQ7Gm9eja/j08xRfIs7wYqusCSFfmgqXcGQ41NkSszu91HOt49c5S35jvySU95aPcEhmN86O2NFZOpGKwnPbBAf2e1vglUcRZkljzw0mbUja26RULKog0IJlSe43yPBC4aof1Eher6x587YZ6vwmibN/aZLxRGe2ybm8HEDPt0VphG8Z17Kw9z5b1Uc0UjsWYYW9cEh/lRs3DdE40onwYgjggM6/cieSigEMw2kqoAYeVNd4O9nq1Uek9ejGEuuIpuiPdCnOufejmsIqVC3x6xHMdVkbojD/l7pESo48Qvqa1/bpzh58Law8VWByFnPpmM+dIK/FPy/0KjaXzcs8T4x/spH/hmNPO5tUTIt+dZIQtGrQQda7mnZ1SLOnNX3lLoQcaXDuXqG5OgXRC9zSXtFl6/0h7nHwP5vOCDKahlcu2Cm5L03WCGxcwqGb/rcZeFHjJhNkbqWvYAW+ouWz/aEQVbHc9Gf7OAxX6Xs/y5LTwW/TpySmGDZBlgmX6JE7yaQYORuhglXFiQkMAemzthrj8FWf+XejleSfbVZcM+rWd6sbzy2eXo665Q1gO+8S4jQfWwz/GP5N08ESdTbH2XhclWAYbEKP2JtO+rQAjFgWVraV2tnNKquVcEITDn3BqzHxkShfafpPpccYbnYFfSVRcy3laU1hRM+TbQz0KsmwjjaT8uJUj4A94eaxpPuUFxnh0TQjyIJKzcfa1KW8Hb155eUuYsjJG4fFliyFQweZEcn88RusCeXqQlmEkUNRl8qf2UwrdnCuMQpLSnMZvLClvJ5zTKQ2MevvCBTb8mXejyYfvdoF/9hjiXWOvARWiFHMhleaNV3ti2calnQh4XVO7PyogFoqp/ou98KRsyHdSp6ISTk08hOd2cinc1r8N0HUMrhl/14FItwky0MzRJeNomMRX7ggdpZr10Ytc1PrN7PYqslMRXqTe6U9mRteUYSxZqt1VwzPWDEe02sS+t2RIWwWvUU/TMId2mvNmBGUGNuBp7sIU0Y6OLSyPn9E3w/d2t8QcJcD1xFDehfOQshl+de/dx9VwwCJxQQ1px8fephOPvOatdW4FCPM9+gMKzCoiZvyc3uD7VOawV54+nMeL/5iTLLsVsCDSOKCh0RTZbg9aTOSK8E2UV9JVJ/BxtqR3I72Kl6B1CJFbQCPmjftCEK3oJpF6Hj7lcbYCRwF6dnhML7oJS92P8byznuKNqybAxGLqv4ijhuLvhN96Nr3TcH2rBaw0JXZlUVnSBrvHnqmfFnJBl/o5XrZux0sKHdaQBJXuFC3hquKTomCczlBMQcNaq1t79NYY2EiA/Q/zslUOcfIu9QEZCA8LpwTRAxIjjH3ebRn7rxyyqomnOXC4JI5WkJCwhFMEAexGLvqtBM7pWoNcEPn5J46El7TjRFuO7ypKpH388PkLGWrMPdD8I1EZM7pe0p4FIxLrIY9n5YH6iN0QPyZ2nCjl+ffCSwcxOBPxeFmkbZOZOGrSWiRUnBeK8Yf7+TVV4m7iOrLVazCqngcscFoax1O5kOitVbMO6biHtxNHTYccd6TsrnmGuOifpx2JMm4kiG562u259Bu4eld1MqmUt8vKk/3aVf3/8QqKqjDOFrcnF3JiXzEkbxstpiSG2ZW+a4GW+KKinFDq7AQsyTP74m2NonxHgt+ETLYjcPIiTL0iH5YaVAZfrDo+R1bXl0WYpo5Xd6yihKRZiR7mCt4zTFXpZLppTpJvngwT5qoyBgBmXFeh1zz75aEgibwQ8NimWSm3x4F+w7caiax/CUsBH8dxwGBFnuS3yxZ/8pNBgmZC5ZT2tLdSKydRXkWRcl4/BLmwuMQ9DiKaGbk9+3AbmoE3avFHcrtQZPDw+Xu0j7M93Lq6wPcku7KJnB9EboGcQZ0Iw4TPIFmNayrklXAMZRKRCFrQ/lYhftF5KgLq6/um8ult1ufodYMRnVKegR6I9q+RD4zmfEzmo7EPkY+47NzM+h0H1a9N64bUsYIHo170KO61zQlg1eqVTeiKqK227CK06Fqp8Hyuq3eZbac+6fST2sMVfgAzfNnFyQ7gOyo/7RMZzlYAcacPMNXgcqxCnBN+3dH8wmPstAB7lhNZRz9o/n2X4DI+o2RP/n4riy2TTOOrEuWxpSKcjtOj0PnDVBrsUcv+qXPO9oxbAfLCcieYwzWZOPKlVd4hqint4sHlrtX55Ga00fgVAHxbEEkDCRUgE09YVn4d590r/Pr5W3tyOBAc3qqgJMVqDT//huGuyfqCDvYqrMhcyKiLBNlzkUWTOqywrmp6CTGq6WZZ5lmK5ISrcyNrkPEWN7Uwm4XGUGYbfUicN1IEK1XcxWjRwo1Y8U4ooj7SHN8xu+6+3k+5zi5ZitgDWao+e7n/yHhADdJukdYGMe7H0IiKK8XpjYpcQ/DoEdqB6VV6Agu/4C8cBvzSi8/K/9tuyvPnLD1qMG6ajKpnP0885TxBEajx4/JZ+tNt39H0cOxPT7tAEBxMj0V4+IXaG3+35uxxUN7ZqqGZb9BWGNKF5xHfcM4G6mLSUHcdyJD1yfHT6sv/TpF9rhDxebirZYEkkUMZDu8v4Yy21lVg9GqRNJdqmn647xGT/8GF4fNV1uldQAXL9wi++hCCqNmfz24dMm2GfOr/0Zc1l9SCrbOQPi+YHgnWENzViqB4MZZzuinlHY8xu7CT/J5PjSCxzfMUHBEjKCd+/Wov3eSWiIX2tLA3W97OTzBpPS87/lLUzSY61Psh2pWUpmiaoiIGwer/YliigQEhNC2UVLj08aNiEkPge1a8HlrqyO/fO2Z1tv6eaMGoCdq7jAibgkPVeu9jKk0SQrQFlfkG8vRKhQ4s6pGVwNzdMFYUqZnccwz1rbiiKXGUfNdiZ5urtwXV3N2Ow3bt+EG/Qzu67njazYTVg6QVN1DwXw/DVNxnYLphwT+6CnO90J4dAu/OoiJGqVb6GaarAuedakEVKpMu8ZoifezZ9l3/xHbnHnck2ucvbeqAEaUPCG8f6/DD0Lga1ThG1Lbkfoqo4jXXARQZVF8nRWJtslZzQ39iAPS1dQS5kwd5GA/g0JFLDBQz+DNOERg5OqErMGcXmq8U68VAt5zhoo+m/GY44nqorILIkuS6H7vr8YSmd3QefPsptTjdKWXigU4+2U7Hgpj8LnG866ya0ZYLkybCGWlHt3QhrABsTQms9Yuw2GY/PALG08UTTYs+CHbjYTVAqz3evd+VMXN6iFeVOU3pwBCbGUY/WqtTmeBoeThWd/JfhbRss0cPLBiOwu2OFiXyKebiDbrW9FuoY9mpHcle9MeB2Ny7e3ht+PuKxlDsqqejEdRAszVrXAgz/ktstviLJRPGixxJfDqhJBOOSLEehRs9EmHEWZ2N+UQYRFGbzgk5uRALhX7M76twJR2APlkTqXB1UGaEjlKkWDuIu7NLV2ss9OhO7LmjXe6ETl76/ZeMDvA6V7MVXpI6nwwTRD649DJlkMtNeA8k39Jel3W9mWXlhlNGrlSUsfI/NeDqNW8DP8mmPWvoSrf6k4lu2TTAoxZ/esVN2xRhiRxMxpKPEn6AOOwL3RftcOOjRWdxsDBA4sjdiAJC1gADVJwIu8XOSLL5wc8HekHcgGzHoT60CJ+yhcI+ztQPDqtt7Pb9Oe1V9sKACQ1ymNzHLLnBawEN/VvL0WedGW0cTiO4Ydv8IfS/F8Clk6Bhyswg6hKQ8VHSwh8NrXK3FE3dM+gGQDAEJtWkL0XPGFNDdJvu/qE7MuHSqaad3uD3RUnkJB3KybnC3wBjJHSfC6cTf0z6vPQd3LKe8B4GdSZ2IQ0vGrwN1C9+qf63DQ45tpEoUp78JJaX/J1ag2QP2jYhbPMxGTxiAFo68NZaTjS+eR2FRTlbankQhs+u78oksenPo19d9Hz8GzAgU4Yk61VK2RqM0LsiSzjrFO5J3IkR78sSaai/93VFCPqw5rP8n0G40mpb8vYSFaFIy0MwudKrJRDBluNGVAmp9QAQDEt+ygzsifaO+SoY+AuL+LTXv53GAYB0W/C6yNDDuL0gvgp0VAnWw1sp66RLHKEy3L667NZzkSamxdxWaYu7+Lq8R2KiXSgiORo6FO3xFeXPbbNnDAzP25/4Lk0pY8buLWWctzgG8jfLikQRttj47AzAnfsxUDqes4/ln1D/HJZd8TpcjCbnqfXzkZRVezw5lP6k+R48CUHlZpVzS5o+BvCE585eS+CHPcQZ7G8qVlCryp17MCjWuvAm5oJFvH2QyAVe008tVgzn5LU11hjMsSXQ0xBHeSObIaVMKiyeKhETB1gLA/l7E9SOCoJ2e6Lo1WLOmy6l0k52WVIgC0alueeFBsYQ2n/7SWx25FIGUPlWea11mmcCwsmNeQvr4pgCSi7/n/cSFNKb/SdZgptfvXWdi3uJGNBclfktru4Nz8PxKrxyyP71XcLMN2gaEAFCLlpRGI+ow0s54BY8YxiqOHn6uUc8RZe8hjfLqKd5neWerFmswK0JH0JsmLfyrkFi7L8KeEjp8+UYOJD6wpR6ZCJETucI9pM37FP6zro4GD77Kt8QLoEvaUiIKve7dv9rMFzQxgvdyl7iyydNi09GxOnEaikasZ7xYMftCsKWOhnyUcwPjuStsQLME5vJbvsQh5eK44J+cHgw6lWk54r1ZyUxMPRbrBVojhTHBxXbz/MOgRipWdQo6UbPwBMNovD+MeWeORjZjbuDJVna29JEbaNMzkp60xV7BhKKTbus1yHItwKjYtAYQohFdAJJboMZnMqBZl62M1FnrqXODJMcW5amBXURHy56PZrkigCNeZXs4Uf+j0Bn2+rcoORgJmLS8+wt5NC/P+ug6xxxXpI3jzns9yp7rZpjeGQ6n6aCTcQbkMkhj2aeE7kZWntC9RoS6/52td7/h1VrUBY9o5GSD+Hiepd++ugyLssoCaafVbBw5vI7h4XaeFwfgugKTWXev2unFqaGW8zdi4b1d8L0Wx6BgdzOUBY6NBwVU2EN1JGmnEqyipTc8VIURJ/UjwepjWtuX4+Q6govcXvvJM3g3VRbO4Adsp6ozARg9smGx3bEHJqRsFpHfbFwJRqe51PN1lD3F5AjF37eYDViWm2NZVMUQqnekLL1HWhmSSFUzyxKrygdGO8CzrqmrxnSuXClGziCceHv6N0jiix6DwWYW+LsJkP7rdl1ttJFw+JlCthtu+oTQ2TBsDcGGnCU4fIoBCWyCsHh4sNfsIH9TJdeIovrEZQyxjK5YopbDxeGJ5RayfRdLQ428xNro1ZK9zrr3cneWvcgfVP+rScp+xRiRnxa+kH6I/FBZmpUNk2tUPTZKe3GQBEqGKco2noT+ukYFaBqDEc+1P6bhN6IGY8ZMKoLJVCYLYFnH/zUVu9bfj3MdYAhoyJS6hDYIgt4fdXAyIOlHlcPYk4qD9R0Cs/nM68UJQEK4eGVOjowMbeP2K1A==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_86dc490e2ef641df2302e7e214b1a333"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></xenc:EncryptionMethod><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIICGzCCAYQCCQCNNcQXom32VDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCSU4xFTATBgNVBAcTDEluZGlhbmFwb2xpczERMA8GA1UEChMIT25lTG9naW4xDDAKBgNVBAsT
+A0VuZzAeFw0xNDA0MjMxODQxMDFaFw0xNTA0MjMxODQxMDFaMFIxCzAJBgNVBAYTAlVTMQswCQYD
+VQQIEwJJTjEVMBMGA1UEBxMMSW5kaWFuYXBvbGlzMREwDwYDVQQKEwhPbmVMb2dpbjEMMAoGA1UE
+CxMDRW5nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5
+PckwsNgS9pUvV7fzTqCHk8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl0+mhy6MP
+dyjyA6G14jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA7DjNaUYQqwIDAQABMA0G
+CSqGSIb3DQEBBQUAA4GBALM2vGCiQ/vm+a6v40+VX2zdqHA2Q/1vF1ibQzJ54MJCOVWvs+vQXfZF
+hdm0OPM2IrDU7oqvKPqP6xOAeJK6H0yP7M4YL3fatSvIYmmfyXC9kt3Svz/NyrHzPhUnJ0ye/sUS
+XxnzQxwcm/9PwAqrQaA3QpQkH57ybF/OoryPe+2h</ds:X509Certificate></ds:X509Data></ds:KeyInfo><xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:CipherValue>uP8XSbkSQsgkyq9Gu52VifiVDD1z5Utof7Tytz36ObJNb6DQCaKMbKSq9aIVF9LUn0JMkTFnTaLSq749P76XBmiZRuD1OZOlUYt1vXAviiQ6+6fgIt7tpfDl8MxVPoMAV53c7mhIgxHSalONunVlKVnk0P2XaGHKK2EZloXK408=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#_3b5e1926678d4654409a579b245af8c5"/></xenc:ReferenceList></xenc:EncryptedKey></saml2:EncryptedAssertion></saml2p:Response>

data/test/responses/response_without_reference_uri.xml.base64

@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGQ1OTQzNDdkLTQ5NWYtYjhkMS0wZWUyLTQxY2ZkYTE0ZGQzNSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo5MDAxL3YxL3VzZXJzL2F1dGhvcml6ZS9zYW1sIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3Ij4NCiAgPElzc3VlciB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL2V4YW1wbGUuY29tPC9Jc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5qQ2dlWENQREZsd2pUZ3FnUHAwbVUyVHF3OWc9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPkRmdXByMTh3UityRGFndENQRWZRbFNHSHp3NE5kZlBIWjRIc3pGZTFKUENKWGpmYnlFTTFmZytqemdHYk1NdDZYemdDWGNLSk03RS9DUFNURGt2TWUzRFVKbEh1NERodURPQXovRHN5b0J3V3VWK1JmM1dpTmNGNFhDYzl3QlF6dm4vYXREN3pXNnh3TzdOL2hrQVpKcWZ2SmRkbnBNTUhLR1hxRy9aSFpBdz08L2RzOlNpZ25hdHVyZVZhbHVlPg0KPGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ3FEQ0NBaEdnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVEwRkFEQnhNUXN3Q1FZRFZRUUdFd0oxY3pFVE1CRUdBMVVFQ0F3S1YyRnphR2x1WjNSdmJqRWlNQ0FHQTFVRUNnd1pSbXhoZENCWGIzSnNaQ0JMYm05M2JHVmtaMlVzSUVsdVl6RWNNQm9HQTFVRUF3d1RiR1ZoY200dVpteGhkSGR2Y214a0xtTnZiVEVMTUFrR0ExVUVCd3dDUkVNd0hoY05NVFV3TnpBNE1EazFPVEF6V2hjTk1qVXdOekExTURrMU9UQXpXakJ4TVFzd0NRWURWUVFHRXdKMWN6RVRNQkVHQTFVRUNBd0tWMkZ6YUdsdVozUnZiakVpTUNBR0ExVUVDZ3daUm14aGRDQlhiM0pzWkNCTGJtOTNiR1ZrWjJVc0lFbHVZekVjTUJvR0ExVUVBd3dUYkdWaGNtNHVabXhoZEhkdmNteGtMbU52YlRFTE1Ba0dBMVVFQnd3Q1JFTXdnWjh3RFFZSktvWklodmNOQVFFQkJRQURnWTBBTUlHSkFvR0JBTVBEd3NsNW82eDJRb3VOaTEvRTdJVXFSWWoyWW9jSlJGc3VFR1RldnlVKzJhRkNhQk5WL3R0NnNBYk05V1N1dEx1cWpFL2hmYm5sRWNaMDMrZ24wQ29MbDZZbXdiS0tlUnBrSXplVmhveUoxWVlNUUVBVmhMcmR5OFBvd3U4VUNaMFBiQXorbjlka2lSek01cENDTzc3K2d5Y0ZUQkZLSEFBOXFJcFVaWmtQQWdNQkFBR2pVREJPTUIwR0ExVWREZ1FXQkJRSFU1OGl1R3hGbFp1ckJVSndvbGFsSnIrRlJ6QWZCZ05WSFNNRUdEQVdnQlFIVTU4aXVHeEZsWnVyQlVKd29sYWxKcitGUnpBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCRFFVQUE0R0JBQzZpSGZNbWQraE1TUnpma29zaTNDK3d2cUhDTEVVc2czSEZwa1ptNWp4bVREbEY1cU8rQnQwbjB4bWZvcVdCekJNbE5DOFRzR3JhZmhKM3p1OEdORjBMZW8xMXJmYzFHTUdCdnI1SG9aM1dBQXltbkJFREFBb3N4TjZXWlJtajF4YWdhMTMrNnBXZkdCKysyblB3Y1pXUC84ZGtQY1JvZ2V2VjB4MHA1Njg2PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+DQogIDxzYW1scDpTdGF0dXM+DQogICAgPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPg0KICA8L3NhbWxwOlN0YXR1cz4NCg0KICA8QXNzZXJ0aW9uIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzcwMGFjMzIwLTc0ZmYtMDEzMi01YjE0LTQ4ZTBlYjE0YTFjNyIgSXNzdWVJbnN0YW50PSIyMDE1LTAxLTAyVDIyOjQ4OjQ4WiIgVmVyc2lvbj0iMi4wIj4NCiAgICA8SXNzdWVyPmh0dHA6Ly9leGFtcGxlLmNvbTwvSXNzdWVyPg0KICAgIDxTdWJqZWN0Pg0KICAgICAgPE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c2FtbEB1c2VyLmNvbTwvTmFtZUlEPg0KICAgICAgPFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPFN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iX2VkOTE1YTQwLTc0ZmItMDEzMi01YjE2LTQ4ZTBlYjE0YTFjNyIgTm90T25PckFmdGVyPSIyMDM4LTAxLTAyVDIyOjUxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vbG9jYWxob3N0OjkwMDEvdjEvdXNlcnMvYXV0aG9yaXplL3NhbWwiLz4NCiAgICAgIDwvU3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L1N1YmplY3Q+DQogICAgPENvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE1LTAxLTAyVDIyOjQ4OjQzWiIgTm90T25PckFmdGVyPSIyMDM4LTAxLTAyVDIzOjQ4OjQ4WiI+DQogICAgICA8QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPEF1ZGllbmNlPmh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS88L0F1ZGllbmNlPg0KICAgICAgICA8QXVkaWVuY2U+ZmxhdF93b3JsZDwvQXVkaWVuY2U+DQogICAgICA8L0F1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9Db25kaXRpb25zPg0KICAgIDxBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL2VtYWlsYWRkcmVzcyI+DQogICAgICAgIDxBdHRyaWJ1dGVWYWx1ZT5zYW1sQHVzZXIuY29tPC9BdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvQXR0cmlidXRlPg0KICAgIDwvQXR0cmlidXRlU3RhdGVtZW50Pg0KICAgIDxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBTZXNzaW9uSW5kZXg9Il83MDBhYzMyMC03NGZmLTAxMzItNWIxNC00OGUwZWIxNGExYzciPg0KICAgICAgPEF1dGhuQ29udGV4dD4NCiAgICAgICAgPEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpmZWRlcmF0aW9uOmF1dGhlbnRpY2F0aW9uOndpbmRvd3M8L0F1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9BdXRobkNvbnRleHQ+DQogICAgPC9BdXRoblN0YXRlbWVudD4NCiAgPC9Bc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGQ1OTQzNDdkLTQ5NWYtYjhkMS0wZWUyLTQxY2ZkYTE0ZGQzNSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo5MDAxL3YxL3VzZXJzL2F1dGhvcml6ZS9zYW1sIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3Ij4NCiAgPElzc3VlciB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+aHR0cDovL2V4YW1wbGUuY29tPC9Jc3N1ZXI+DQogIDxTaWduYXR1cmUgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KCQk8U2lnbmVkSW5mbz4gPENhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy9UUi8yMDAxL1JFQy14bWwtYzE0bi0yMDAxMDMxNSIvPg0KCQkJPFNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KCQkJCTxSZWZlcmVuY2UgVVJJPSIiPg0KCQkJCQk8VHJhbnNmb3Jtcz4NCgkJCQkJCTxUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPg0KCQkJCQk8L1RyYW5zZm9ybXM+DQoJCQkJCTxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPg0KCQkJCQk8RGlnZXN0VmFsdWU+Wjl5SWFjZ2Q3dlBzR25LNlgvVVdDWFlYRWtvPTwvRGlnZXN0VmFsdWU+DQoJCQkJPC9SZWZlcmVuY2U+DQoJCTwvU2lnbmVkSW5mbz4NCgkJPFNpZ25hdHVyZVZhbHVlPldFL1U5MytzZ0Vna3lYTHIyNTRXQnRTM1BVTHR5cFd4MVlYYlRGSzRmQXRBT094SXA1bG9janIzdnZxVXUyV1YNCnJyeDFGNnV1Mjk4UVFXUmxXVHo2L3VJUVZ1ZGlNd2dIQjBSYkZWemlaenVkcjJaTUw1Si9qWTRoM2tGVWZQU2kNCjFVNlBkZ0xUcS9rZHVCMHlqYnpFUy85Y2gzVU4yMUdtQW1IRXJRK0ZLbjg9PC9TaWduYXR1cmVWYWx1ZT4NCgk8L1NpZ25hdHVyZT4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+DQogIDwvc2FtbHA6U3RhdHVzPg0KICA8QXNzZXJ0aW9uIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzcwMGFjMzIwLTc0ZmYtMDEzMi01YjE0LTQ4ZTBlYjE0YTFjNyIgSXNzdWVJbnN0YW50PSIyMDE1LTAxLTAyVDIyOjQ4OjQ4WiIgVmVyc2lvbj0iMi4wIj4NCiAgICA8SXNzdWVyPmh0dHA6Ly9leGFtcGxlLmNvbTwvSXNzdWVyPg0KICAgIDxTdWJqZWN0Pg0KICAgICAgPE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+c2FtbEB1c2VyLmNvbTwvTmFtZUlEPg0KICAgICAgPFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPFN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iX2VkOTE1YTQwLTc0ZmItMDEzMi01YjE2LTQ4ZTBlYjE0YTFjNyIgTm90T25PckFmdGVyPSIyMDM4LTAxLTAyVDIyOjUxOjQ4WiIgUmVjaXBpZW50PSJodHRwOi8vbG9jYWxob3N0OjkwMDEvdjEvdXNlcnMvYXV0aG9yaXplL3NhbWwiLz4NCiAgICAgIDwvU3ViamVjdENvbmZpcm1hdGlvbj4NCiAgICA8L1N1YmplY3Q+DQogICAgPENvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE1LTAxLTAyVDIyOjQ4OjQzWiIgTm90T25PckFmdGVyPSIyMDM4LTAxLTAyVDIzOjQ4OjQ4WiI+DQogICAgICA8QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICAgICAgPEF1ZGllbmNlPmh0dHA6Ly9sb2NhbGhvc3Q6OTAwMS88L0F1ZGllbmNlPg0KICAgICAgICA8QXVkaWVuY2U+ZmxhdF93b3JsZDwvQXVkaWVuY2U+DQogICAgICA8L0F1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9Db25kaXRpb25zPg0KICAgIDxBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL2VtYWlsYWRkcmVzcyI+DQogICAgICAgIDxBdHRyaWJ1dGVWYWx1ZT5zYW1sQHVzZXIuY29tPC9BdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvQXR0cmlidXRlPg0KICAgIDwvQXR0cmlidXRlU3RhdGVtZW50Pg0KICAgIDxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBTZXNzaW9uSW5kZXg9Il83MDBhYzMyMC03NGZmLTAxMzItNWIxNC00OGUwZWIxNGExYzciPg0KICAgICAgPEF1dGhuQ29udGV4dD4NCiAgICAgICAgPEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpmZWRlcmF0aW9uOmF1dGhlbnRpY2F0aW9uOndpbmRvd3M8L0F1dGhuQ29udGV4dENsYXNzUmVmPg0KICAgICAgPC9BdXRobkNvbnRleHQ+DQogICAgPC9BdXRoblN0YXRlbWVudD4NCiAgPC9Bc3NlcnRpb24+DQo8L3NhbWxwOlJlc3BvbnNlPg==

data/test/settings_test.rb

@@ -11,7 +11,7 @@ class SettingsTest < Minitest::Test
 
     it "should provide getters and settings" do
       accessors = [
-        :idp_entity_id, :idp_sso_target_url, :idp_slo_target_url, :idp_cert, :idp_cert_fingerprint,
+        :idp_entity_id, :idp_sso_target_url, :idp_slo_target_url, :idp_cert, :idp_cert_fingerprint, :idp_cert_fingerprint_algorithm, :idp_attribute_names,
         :issuer, :assertion_consumer_service_url, :assertion_consumer_service_binding,
         :single_logout_service_url, :single_logout_service_binding,
         :sp_name_qualifier, :name_identifier_format, :name_identifier_value,

data/test/slo_logoutrequest_test.rb

@@ -52,10 +52,37 @@ class RubySamlTest < Minitest::Test
         assert_empty logout_request.errors
       end
 
+      it "collect errors when collect_errors=true" do
+        settings.idp_entity_id = 'http://idp.example.com/invalid'
+        settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.security[:logout_requests_signed] = true
+        settings.security[:embed_sign] = false
+        settings.certificate = ruby_saml_cert_text
+        settings.private_key = ruby_saml_key_text
+        settings.idp_cert = ruby_saml_cert_text
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+        params = {}
+        params['SAMLRequest'] = logout_request_deflated_base64
+        params['RelayState'] = 'http://invalid.example.com'
+        params['Signature'] = 'invalid_signature'
+        params['SigAlg'] = XMLSecurity::Document::RSA_SHA1
+        options = {}
+        options[:get_params] = params
+
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        logout_request_sign_test.settings = settings
+
+        collect_errors = true
+        assert !logout_request_sign_test.is_valid?(collect_errors)
+        assert_includes logout_request_sign_test.errors,  "Invalid Signature on Logout Request"
+        assert_includes logout_request_sign_test.errors,  "Doesn't match the issuer, expected: <http://idp.example.com/invalid>, but was: <https://app.onelogin.com/saml/metadata/SOMEACCOUNT>"
+      end
+
       it "raise error for invalid xml" do
         invalid_logout_request.soft = false
         assert_raises(OneLogin::RubySaml::ValidationError) { invalid_logout_request.is_valid? }
       end
+
     end
 
     describe "#nameid" do
@@ -245,7 +272,7 @@ class RubySamlTest < Minitest::Test
       it "return false when invalid RSA_SHA1 Signature" do
         settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
         params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        params['RelayState'] = 'http://invalid.exampcle.com'
+        params['RelayState'] = 'http://invalid.example.com'
         params[:RelayState] = params['RelayState']
         options = {}
         options[:get_params] = params
@@ -259,7 +286,7 @@ class RubySamlTest < Minitest::Test
         settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
         settings.soft = false
         params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        params['RelayState'] = 'http://invalid.exampcle.com'
+        params['RelayState'] = 'http://invalid.example.com'
         params[:RelayState] = params['RelayState']
         options = {}
         options[:get_params] = params

data/test/test_helper.rb

@@ -203,7 +203,7 @@ class Minitest::Test
   # logoutresponse fixtures
   #
   def random_id
-    "_#{UUID.new.generate}"
+    "_#{OneLogin::RubySaml::Utils.uuid}"
   end
 
   #

data/test/utils_test.rb

@@ -142,4 +142,17 @@ class UtilsTest < Minitest::Test
       assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
     end
   end
-end
+
+  describe "Utils" do
+
+    describe ".uuid" do
+      it "returns a uuid starting with an underscore" do
+        assert_match /^_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, OneLogin::RubySaml::Utils.uuid
+      end
+
+      it "doesn't return the same value twice" do
+        refute_equal OneLogin::RubySaml::Utils.uuid, OneLogin::RubySaml::Utils.uuid
+      end
+    end
+  end
+end

data/test/xml_security_test.rb

@@ -96,11 +96,13 @@ class XmlSecurityTest < Minitest::Test
     it "C14N_1_0" do
       canon_algorithm = Nokogiri::XML::XML_C14N_1_0
       assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments")
     end
 
     it "XML_C14N_1_1" do
       canon_algorithm = Nokogiri::XML::XML_C14N_1_1
       assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11")
+      assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11#WithComments")
     end
   end
 

metadata

@@ -1,188 +1,152 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: ruby-saml
-version: !ruby/object:Gem::Version 
-  hash: 23
-  prerelease: false
-  segments: 
-  - 1
-  - 1
-  - 2
-  version: 1.1.2
+version: !ruby/object:Gem::Version
+  version: 1.2.0
 platform: ruby
-authors: 
+authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2016-02-15 00:00:00 +01:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
-  name: uuid
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 5
-        segments: 
-        - 2
-        - 3
-        version: "2.3"
-  type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
+date: 2016-04-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: nokogiri
-  prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 23
-        segments: 
-        - 1
-        - 5
-        - 10
+      - !ruby/object:Gem::Version
         version: 1.5.10
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: minitest
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 21
-        segments: 
-        - 5
-        - 5
-        version: "5.5"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.10
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.5'
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: mocha
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 23
-        segments: 
-        - 0
-        - 14
-        version: "0.14"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.5'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
   type: :development
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: rake
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 23
-        segments: 
-        - 10
-        version: "10"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10'
   type: :development
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: shoulda
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 21
-        segments: 
-        - 2
-        - 11
-        version: "2.11"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10'
+- !ruby/object:Gem::Dependency
+  name: shoulda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.11'
   type: :development
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency 
-  name: simplecov
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 59
-        segments: 
-        - 0
-        - 9
-        - 0
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.11'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
         version: 0.9.0
   type: :development
-  version_requirements: *id007
-- !ruby/object:Gem::Dependency 
-  name: systemu
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 7
-        segments: 
-        - 2
-        version: "2"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+- !ruby/object:Gem::Dependency
+  name: systemu
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
   type: :development
-  version_requirements: *id008
-- !ruby/object:Gem::Dependency 
-  name: timecop
   prerelease: false
-  requirement: &id009 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - <=
-      - !ruby/object:Gem::Version 
-        hash: 7
-        segments: 
-        - 0
-        - 6
-        - 0
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<="
+      - !ruby/object:Gem::Version
         version: 0.6.0
   type: :development
-  version_requirements: *id009
-- !ruby/object:Gem::Dependency 
-  name: ruby-debug
   prerelease: false
-  requirement: &id010 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 63
-        segments: 
-        - 0
-        - 10
-        - 4
-        version: 0.10.4
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id010
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: SAML toolkit for Ruby on Rails
 email: support@onelogin.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - LICENSE
 - README.md
-files: 
-- .document
-- .gitignore
-- .travis.yml
+files:
+- ".document"
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -193,6 +157,7 @@ files:
 - lib/onelogin/ruby-saml/attribute_service.rb
 - lib/onelogin/ruby-saml/attributes.rb
 - lib/onelogin/ruby-saml/authrequest.rb
+- lib/onelogin/ruby-saml/error_handling.rb
 - lib/onelogin/ruby-saml/http_error.rb
 - lib/onelogin/ruby-saml/idp_metadata_parser.rb
 - lib/onelogin/ruby-saml/logging.rb
@@ -291,6 +256,7 @@ files:
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/response_with_ds_namespace_at_the_root.xml.base64
 - test/responses/response_with_multiple_attribute_values.xml
+- test/responses/response_with_retrieval_method.xml
 - test/responses/response_with_saml2_namespace.xml.base64
 - test/responses/response_with_signed_assertion.xml.base64
 - test/responses/response_with_signed_assertion_2.xml.base64
@@ -322,43 +288,32 @@ files:
 - test/test_helper.rb
 - test/utils_test.rb
 - test/xml_security_test.rb
-has_rdoc: true
 homepage: http://github.com/onelogin/ruby-saml
-licenses: 
+licenses:
 - MIT
+metadata: {}
 post_install_message: 
-rdoc_options: 
-- --charset=UTF-8
-require_paths: 
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 57
-      segments: 
-      - 1
-      - 8
-      - 7
+    - !ruby/object:Gem::Version
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 1.3.7
+rubygems_version: 2.2.2
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: SAML Ruby Tookit
-test_files: 
+test_files:
 - test/certificates/certificate1
 - test/certificates/certificate_without_head_foot
 - test/certificates/formatted_certificate
@@ -428,6 +383,7 @@ test_files:
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/response_with_ds_namespace_at_the_root.xml.base64
 - test/responses/response_with_multiple_attribute_values.xml
+- test/responses/response_with_retrieval_method.xml
 - test/responses/response_with_saml2_namespace.xml.base64
 - test/responses/response_with_signed_assertion.xml.base64
 - test/responses/response_with_signed_assertion_2.xml.base64