ruby-saml 1.11.0 → 1.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: afcd8a95f66ec94e3bb68b5a5264a651ae623923
-  data.tar.gz: eb05bc60959fde11ac20b0af0d14c07b7c5c1b38
+SHA256:
+  metadata.gz: 43bc92cf8a14835577d9bb32d1bdcef71fd5ffccb351dd41ac9b56863fb173c7
+  data.tar.gz: e7975fcf413d9c64801f7b5190246685548205034dc74315bc169738697e1006
 SHA512:
-  metadata.gz: e85dc90f8f4bd5433f0078a6b5e316109dc7bbbe1ba60d5f8075d1f5047a71c208144d1da51157cf7220f2c56fb8b421e7b70ac5c828bea713146fc6bc774a29
-  data.tar.gz: 7cce3fd10ff5d7753d518b847b7f0ff0976b4ef5a1b7cc39c6e6cd3c8b32df7649e95ab929631b9838df5a4fb3eb3f3c50479f54253094b457a484710381b8f1
+  metadata.gz: 0a09fcb8777969eb6d54b29d20520c7e17e3f7dc128cfc81475eba8c9b31f5926f2b64d308b18268762b43fb60cf7956f6e266c1f5343d2b9d58e545be0c3392
+  data.tar.gz: 8e9008647a610935764b2f578b76c5eb72d09be482d76b5f4d8ab51fd29d4569a3ba2e2db61f63fbdde27bd1be14bf4afdeffe1c7f699afc0b7d5e1c85d0fe09

data/.travis.yml

@@ -1,18 +1,18 @@
 language: ruby
 rvm:
-  - 1.8.7
   - 1.9.3
   - 2.0.0
   - 2.1.10
   - 2.2.10
   - 2.3.8
   - 2.4.6
-  - 2.5.5
-  - 2.6.3
-  - ree
+  - 2.5.8
+  - 2.6.6
+  - 2.7.2
+  - 3.0.0
   - jruby-1.7.27
   - jruby-9.1.17.0
-  - jruby-9.2.7.0
+  - jruby-9.2.13.0
 gemfile:
   - Gemfile
   - gemfiles/nokogiri-1.5.gemfile
@@ -20,27 +20,29 @@ before_install:
   - gem update bundler
 matrix:
   exclude:
-    - rvm: 1.8.7
-      gemfile: Gemfile
-    - rvm: ree
-      gemfile: Gemfile
     - rvm: jruby-1.7.27
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: jruby-9.1.17.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.2.7.0
+    - rvm: jruby-9.2.13.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: 2.1.5
       gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.1.10
+      gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: 2.2.10
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: 2.3.8
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: 2.4.6
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.5.5
+    - rvm: 2.5.8
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.6.6
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.7.2
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.6.3
+    - rvm: 3.0.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
 env:
   - JRUBY_OPTS="--debug"

data/README.md

@@ -1,6 +1,18 @@
-# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
+# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master)](https://coveralls.io/r/onelogin/ruby-saml?branch=master)
 
-# Updating from 1.9.0 to 1.10.0
+## Updating from 1.11.x to 1.12.0
+Version `1.12.0` adds support for gcm algorithm and
+change/adds specific error messages for signature validations
+
+## Updating from 1.10.x to 1.11.0
+Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
+There are two new security settings: `settings.security[:check_idp_cert_expiration]` and `settings.security[:check_sp_cert_expiration]` (both false by default) that check if the IdP or SP X.509 certificate has expired, respectively.
+
+Version `1.10.2` includes the `valid_until` attribute in parsed IdP metadata.
+
+Version `1.10.1` improves Ruby 1.8.7 support.
+
+## Updating from 1.9.0 to 1.10.0
 Version `1.10.0` improves IdpMetadataParser to allow parse multiple IDPSSODescriptor, Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user to be authenticated and updates the format_cert method to accept certs with /\x0d/
 
 ## Updating from 1.8.0 to 1.9.0
@@ -107,6 +119,7 @@ We created a demo project for Rails4 that uses the latest version of this librar
 * 2.4.x
 * 2.5.x
 * 2.6.x
+* 2.7.x
 * JRuby 1.7.19
 * JRuby 9.0.0.0
 * JRuby 9.2.0.0
@@ -141,7 +154,7 @@ Using `Gemfile`
 
 ```ruby
 # latest stable
-gem 'ruby-saml', '~> 1.9.0'
+gem 'ruby-saml', '~> 1.11.0'
 
 # or track master for bleeding-edge
 gem 'ruby-saml', :github => 'onelogin/ruby-saml'
@@ -228,6 +241,7 @@ def consume
      session[:attributes] = response.attributes
   else
     authorize_failure  # This method shows an error message
+    # List of errors is available in response.errors array
   end
 end
 ```
@@ -251,8 +265,8 @@ def saml_settings
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
   settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.idp_entity_id                  = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
-  settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
-  settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
+  settings.idp_sso_service_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
+  settings.idp_slo_service_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
   settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -273,7 +287,7 @@ def saml_settings
 end
 ```
 
-The use of settings.issuer is deprecated in favour of settings.sp_entity_id
+The use of settings.issuer is deprecated in favour of settings.sp_entity_id since version 1.11.0
 
 Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `AuthnStatement`, `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
 
@@ -282,6 +296,7 @@ response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_authnst
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doens't skip subject confirmation, but skips the recipient check which is a sub check of the subject_confirmation check
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_audience: true}) # skips audience check
 ```
 
 All that's left is to wrap everything in a controller and reference it in the initialization and consumption URLs in OneLogin. A full controller example could look like this:
@@ -305,6 +320,7 @@ class SamlController < ApplicationController
        session[:attributes] = response.attributes
     else
       authorize_failure  # This method shows an error message
+      # List of errors is available in response.errors array
     end
   end
 
@@ -315,7 +331,7 @@ class SamlController < ApplicationController
 
     settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
     settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
-    settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+    settings.idp_sso_service_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
     settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 
@@ -388,8 +404,8 @@ end
 The following attributes are set:
   * idp_entity_id
   * name_identifier_format
-  * idp_sso_target_url
-  * idp_slo_target_url
+  * idp_sso_service_url
+  * idp_slo_service_url
   * idp_attribute_names
   * idp_cert
   * idp_cert_fingerprint
@@ -455,6 +471,9 @@ Imagine this `saml:AttributeStatement`
       <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
       <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1"/>
     </saml:Attribute>
+    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
+      <saml:AttributeValue>usersName</saml:AttributeValue>
+    </saml:Attribute>
   </saml:AttributeStatement>
 ```
 
@@ -465,7 +484,8 @@ pp(response.attributes)   # is an OneLogin::RubySaml::Attributes object
    "another_value"=>["value1", "value2"],
    "role"=>["role1", "role2", "role3"],
    "attribute_with_nil_value"=>[nil],
-   "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]}>
+   "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]
+   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"=>["usersName"]}>
 
 # Active single_value_compatibility
 OneLogin::RubySaml::Attributes.single_value_compatibility = true
@@ -482,6 +502,9 @@ pp(response.attributes.single(:role))
 pp(response.attributes.multi(:role))
 # => ["role1", "role2", "role3"]
 
+pp(response.attributes.fetch(:role))
+# => "role1"
+
 pp(response.attributes[:attribute_with_nil_value])
 # => nil
 
@@ -497,6 +520,9 @@ pp(response.attributes.single(:not_exists))
 pp(response.attributes.multi(:not_exists))
 # => nil
 
+pp(response.attributes.fetch(/givenname/))
+# => "usersName"
+
 # Deactive single_value_compatibility
 OneLogin::RubySaml::Attributes.single_value_compatibility = false
 
@@ -512,6 +538,9 @@ pp(response.attributes.single(:role))
 pp(response.attributes.multi(:role))
 # => ["role1", "role2", "role3"]
 
+pp(response.attributes.fetch(:role))
+# => ["role1", "role2", "role3"]
+
 pp(response.attributes[:attribute_with_nil_value])
 # => [nil]
 
@@ -526,12 +555,15 @@ pp(response.attributes.single(:not_exists))
 
 pp(response.attributes.multi(:not_exists))
 # => nil
+
+pp(response.attributes.fetch(/givenname/))
+# => ["usersName"]
 ```
 
 The `saml:AuthnContextClassRef` of the AuthNRequest can be provided by `settings.authn_context`; possible values are described at [SAMLAuthnCxt]. The comparison method can be set using `settings.authn_context_comparison` parameter. Possible values include: 'exact', 'better', 'maximum' and 'minimum' (default value is 'exact').
 To add a `saml:AuthnContextDeclRef`, define `settings.authn_context_decl_ref`.
 
-In a SP-initiaited flow, the SP can indicate to the IdP the subject that should be authenticated. This is done by defining the `settings.name_identifier_value_requested` before
+In a SP-initiated flow, the SP can indicate to the IdP the subject that should be authenticated. This is done by defining the `settings.name_identifier_value_requested` before
 building the authrequest object.
 
 
@@ -570,7 +602,7 @@ Remember to provide it to the Signature builder if you are sending a `GET RelayS
 signature validation process will fail at the Identity Provider.
 
 The Service Provider will sign the request/responses with its private key.
-The Identity Provider will validate the sign of the received request/responses with the public x500 cert of the
+The Identity Provider will validate the sign of the received request/responses with the public x509 cert of the
 Service Provider.
 
 Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and decrypt processes.
@@ -611,21 +643,27 @@ def sp_logout_request
   # LogoutRequest accepts plain browser requests w/o paramters
   settings = saml_settings
 
-  if settings.idp_slo_target_url.nil?
+  if settings.idp_slo_service_url.nil?
     logger.info "SLO IdP Endpoint not found in settings, executing then a normal logout'"
     delete_session
   else
 
-    # Since we created a new SAML request, save the transaction_id
-    # to compare it with the response we get back
     logout_request = OneLogin::RubySaml::Logoutrequest.new()
-    session[:transaction_id] = logout_request.uuid
-    logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{session[:transaction_id]}'"
+    logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{logout_request.uuid}'"
 
     if settings.name_identifier_value.nil?
       settings.name_identifier_value = session[:userid]
     end
 
+    # Ensure user is logged out before redirect to IdP, in case anything goes wrong during single logout process (as recommended by saml2int [SDP-SP34])
+    logged_user = session[:userid]
+    logger.info "Delete session for '#{session[:userid]}'"
+    delete_session
+
+    # Save the transaction_id to compare it with the response we get back
+    session[:transaction_id] = logout_request.uuid
+    session[:logged_out_user] = logged_user
+
     relayState =  url_for controller: 'saml', action: 'index'
     redirect_to(logout_request.create(settings, :RelayState => relayState))
   end
@@ -653,7 +691,7 @@ def process_logout_response
     logger.error "The SAML Logout Response is invalid"
   else
     # Actually log out this session
-    logger.info "Delete session for '#{session[:userid]}'"
+    logger.info "SLO completed for '#{session[:logged_out_user]}'"
     delete_session
   end
 end
@@ -662,6 +700,8 @@ end
 def delete_session
   session[:userid] = nil
   session[:attributes] = nil
+  session[:transaction_id] = nil
+  session[:logged_out_user] = nil
 end
 ```
 
@@ -674,7 +714,7 @@ def idp_logout_request
   logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest])
   if !logout_request.is_valid?
     logger.error "IdP initiated LogoutRequest was not valid!"
-    render :inline => logger.error
+    return render :inline => logger.error
   end
   logger.info "IdP initiated Logout for #{logout_request.name_id}"
 
@@ -729,6 +769,14 @@ class SamlController < ApplicationController
 end
 ```
 
+You can add ValidUntil and CacheDuration to the XML Metadata using instead
+```ruby
+  # Valid until => 2 days from now
+  # Cache duration = 604800s = 1 week
+  valid_until = Time.now + 172800
+  cache_duration = 604800
+  meta.generate(settings, false, valid_until, cache_duration)
+```
 
 ## Clock Drift
 

data/changelog.md

@@ -1,5 +1,28 @@
 # RubySaml Changelog
 
+### 1.12.0 (Feb 18, 2021)
+* Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
+* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings 
+* Adding idp_sso_service_url and idp_slo_service_url settings
+* [#536](https://github.com/onelogin/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
+* Reduce size of built gem by excluding the test folder
+* Improve protection on Zlib deflate decompression bomb attack.
+* Add ValidUntil and cacheDuration support on Metadata generator
+* Add support for cacheDuration at the IdpMetadataParser
+* Support customizable statusCode on generated LogoutResponse
+* [#545](https://github.com/onelogin/ruby-saml/pull/545) More specific error messages for signature validation
+* Support Process Transform
+* Raise SettingError if invoking an action with no endpoint defined on the settings
+* Made IdpMetadataParser more extensible for subclasses
+*[#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
+* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
+* Improve documentation
+
+### 1.11.0 (Jul 24, 2019)
+
+* Deprecate settings.issuer in favor of settings.sp_entity_id
+* Add support for certification expiration
+
 ### 1.10.2 (Apr 29, 2019)
 
 * Add valid until, accessor

data/lib/onelogin/ruby-saml/attributes.rb

@@ -79,7 +79,7 @@ module OneLogin
         self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
       end
 
-      # @return [Array] Return all attributes as an array
+      # @return [Hash] Return all attributes as a hash
       #
       def all
         attributes
@@ -113,6 +113,29 @@ module OneLogin
         end
       end
 
+      # Fetch attribute value using name or regex
+      # @param name [String|Regexp] The attribute name
+      # @return [String|Array] Depending on the single value compatibility status this returns:
+      #                        - First value if single_value_compatibility = true
+      #                          response.attributes['mail']  # => 'user@example.com'
+      #                        - All values if single_value_compatibility = false
+      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      #
+      def fetch(name)
+        attributes.each_key do |attribute_key|
+          if name.is_a?(Regexp)
+            if name.method_exists? :match?
+              return self[attribute_key] if name.match?(attribute_key)
+            else 
+              return self[attribute_key] if name.match(attribute_key)
+            end
+          elsif canonize_name(name) == canonize_name(attribute_key)
+            return self[attribute_key]
+          end
+        end
+        nil
+      end
+
       protected
 
       # stringifies all names so both 'email' and :email return the same result

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -3,6 +3,7 @@ require "rexml/document"
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -23,6 +24,10 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def request_id
+        @uuid
+      end
+
       # Creates the AuthNRequest string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
@@ -30,14 +35,14 @@ module OneLogin
       #
       def create(settings, params = {})
         params = create_params(settings, params)
-        params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        params_prefix = (settings.idp_sso_service_url =~ /\?/) ? '&' : '?'
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil?
-        @login_url = settings.idp_sso_target_url + request_params
+        raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
+        @login_url = settings.idp_sso_service_url + request_params
       end
 
       # Creates the Get parameters for the request.
@@ -107,7 +112,7 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
+        root.attributes['Destination'] = settings.idp_sso_service_url unless settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
         root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
         root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -15,10 +15,10 @@ module OneLogin
 
       module SamlMetadata
         module Vocabulary
-          METADATA       = "urn:oasis:names:tc:SAML:2.0:metadata"
-          DSIG           = "http://www.w3.org/2000/09/xmldsig#"
-          NAME_FORMAT    = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
-          SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+          METADATA       = "urn:oasis:names:tc:SAML:2.0:metadata".freeze
+          DSIG           = "http://www.w3.org/2000/09/xmldsig#".freeze
+          NAME_FORMAT    = "urn:oasis:names:tc:SAML:2.0:attrname-format:*".freeze
+          SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion".freeze
         end
 
         NAMESPACE = {
@@ -26,7 +26,7 @@ module OneLogin
           "NameFormat" => Vocabulary::NAME_FORMAT,
           "saml" => Vocabulary::SAML_ASSERTION,
           "ds" => Vocabulary::DSIG
-        }
+        }.freeze
       end
 
       include SamlMetadata::Vocabulary
@@ -34,6 +34,16 @@ module OneLogin
       attr_reader :response
       attr_reader :options
 
+      # fetch IdP descriptors from a metadata document
+      def self.get_idps(metadata_document, only_entity_id=nil)
+        path = "//md:EntityDescriptor#{only_entity_id && '[@entityID="' + only_entity_id + '"]'}/md:IDPSSODescriptor"
+        REXML::XPath.match(
+          metadata_document,
+          path,
+          SamlMetadata::NAMESPACE
+        )
+      end
+        
       # Parse the Identity Provider metadata and update the settings with the
       # IdP values
       #
@@ -103,6 +113,16 @@ module OneLogin
       def parse(idp_metadata, options = {})
         parsed_metadata = parse_to_hash(idp_metadata, options)
 
+        unless parsed_metadata[:cache_duration].nil?
+          cache_valid_until_timestamp = OneLogin::RubySaml::Utils.parse_duration(parsed_metadata[:cache_duration])
+          if parsed_metadata[:valid_until].nil? || cache_valid_until_timestamp < Time.parse(parsed_metadata[:valid_until], Time.now.utc).to_i
+            parsed_metadata[:valid_until] = Time.at(cache_valid_until_timestamp).utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+          end
+        end
+        # Remove the cache_duration because on the settings
+        # we only gonna suppot valid_until 
+        parsed_metadata.delete(:cache_duration)
+
         settings = options[:settings]
 
         if settings.nil?
@@ -139,17 +159,21 @@ module OneLogin
       #
       # @return [Array<Hash>]
       def parse_to_array(idp_metadata, options = {})
+        parse_to_idp_metadata_array(idp_metadata, options).map{|idp_md| idp_md.to_hash(options)}
+      end
+
+      def parse_to_idp_metadata_array(idp_metadata, options = {})
         @document = REXML::Document.new(idp_metadata)
         @options = options
 
-        idpsso_descriptors = IdpMetadata::get_idps(@document, options[:entity_id])
+        idpsso_descriptors = self.class.get_idps(@document, options[:entity_id])
         if !idpsso_descriptors.any?
           raise ArgumentError.new("idp_metadata must contain an IDPSSODescriptor element")
         end
 
-        return idpsso_descriptors.map{|id| IdpMetadata.new(id, id.parent.attributes["entityID"]).to_hash(options)}
+        return idpsso_descriptors.map{|id| IdpMetadata.new(id, id.parent.attributes["entityID"])}
       end
-
+      
       private
 
       # Retrieve the remote IdP metadata from the URL or a cached copy.
@@ -175,6 +199,7 @@ module OneLogin
         end
 
         get = Net::HTTP::Get.new(uri.request_uri)
+        get.basic_auth uri.user, uri.password if uri.user
         @response = http.request(get)
         return response.body if response.is_a? Net::HTTPSuccess
 
@@ -184,15 +209,8 @@ module OneLogin
       end
 
       class IdpMetadata
-        def self.get_idps(metadata_document, only_entity_id=nil)
-          path = "//md:EntityDescriptor#{only_entity_id && '[@entityID="' + only_entity_id + '"]'}/md:IDPSSODescriptor"
-          REXML::XPath.match(
-            metadata_document,
-            path,
-            SamlMetadata::NAMESPACE
-          )
-        end
-
+        attr_reader :idpsso_descriptor, :entity_id
+        
         def initialize(idpsso_descriptor, entity_id)
           @idpsso_descriptor = idpsso_descriptor
           @entity_id = entity_id
@@ -202,13 +220,15 @@ module OneLogin
           {
             :idp_entity_id => @entity_id,
             :name_identifier_format => idp_name_id_format,
-            :idp_sso_target_url => single_signon_service_url(options),
-            :idp_slo_target_url => single_logout_service_url(options),
+            :idp_sso_service_url => single_signon_service_url(options),
+            :idp_slo_service_url => single_logout_service_url(options),
+            :idp_slo_response_service_url => single_logout_response_service_url(options),
             :idp_attribute_names => attribute_names,
             :idp_cert => nil,
             :idp_cert_fingerprint => nil,
             :idp_cert_multi => nil,
-            :valid_until => valid_until
+            :valid_until => valid_until,
+            :cache_duration => cache_duration,
           }.tap do |response_hash|
             merge_certificates_into(response_hash) unless certificates.nil?
           end
@@ -232,6 +252,13 @@ module OneLogin
           root.attributes['validUntil'] if root && root.attributes
         end
 
+        # @return [String|nil] 'cacheDuration' attribute of metadata
+        #
+        def cache_duration
+          root = @idpsso_descriptor.root
+          root.attributes['cacheDuration'] if root && root.attributes
+        end
+
         # @param binding_priority [Array]
         # @return [String|nil] SingleSignOnService binding if exists
         #
@@ -296,6 +323,21 @@ module OneLogin
           return node.value if node
         end
 
+        # @param options [Hash]
+        # @return [String|nil] SingleLogoutService response url if exists
+        #
+        def single_logout_response_service_url(options = {})
+          binding = single_logout_service_binding(options[:slo_binding])
+          return if binding.nil?
+
+          node = REXML::XPath.first(
+            @idpsso_descriptor,
+            "md:SingleLogoutService[@Binding=\"#{binding}\"]/@ResponseLocation",
+            SamlMetadata::NAMESPACE
+          )
+          return node.value if node
+        end
+
         # @return [String|nil] Unformatted Certificate if exists
         #
         def certificates
@@ -393,10 +435,6 @@ module OneLogin
 
         settings
       end
-
-      if self.respond_to?(:private_constant)
-        private_constant :SamlMetadata, :IdpMetadata
-      end
     end
   end
 end