ruby-saml 1.12.0 → 1.14.0

data/lib/onelogin/ruby-saml/metadata.rb

@@ -21,21 +21,50 @@ module OneLogin
       #
       def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
         meta_doc = XMLSecurity::Document.new
+        add_xml_declaration(meta_doc)
+        root = add_root_element(meta_doc, settings, valid_until, cache_duration)
+        sp_sso = add_sp_sso_element(root, settings)
+        add_sp_certificates(sp_sso, settings)
+        add_sp_service_elements(sp_sso, settings)
+        add_extras(root, settings)
+        embed_signature(meta_doc, settings)
+        output_xml(meta_doc, pretty_print)
+      end
+
+      protected
+
+      def add_xml_declaration(meta_doc)
+        meta_doc << REXML::XMLDecl.new('1.0', 'UTF-8')
+      end
+
+      def add_root_element(meta_doc, settings, valid_until, cache_duration)
         namespaces = {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
         }
+
         if settings.attribute_consuming_service.configured?
           namespaces["xmlns:saml"] = "urn:oasis:names:tc:SAML:2.0:assertion"
         end
-        root = meta_doc.add_element "md:EntityDescriptor", namespaces
-        sp_sso = root.add_element "md:SPSSODescriptor", {
+
+        root = meta_doc.add_element("md:EntityDescriptor", namespaces)
+        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
+        root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
+        root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z') if valid_until
+        root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
+        root
+      end
+
+      def add_sp_sso_element(root, settings)
+        root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
             "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
             "WantAssertionsSigned" => settings.security[:want_assertions_signed],
         }
+      end
 
-        # Add KeyDescriptor if messages will be signed / encrypted
-        # with SP certificate, and new SP certificate if any
+      # Add KeyDescriptor if messages will be signed / encrypted
+      # with SP certificate, and new SP certificate if any
+      def add_sp_certificates(sp_sso, settings)
         cert = settings.get_sp_cert
         cert_new = settings.get_sp_cert_new
 
@@ -58,16 +87,10 @@ module OneLogin
           end
         end
 
-        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
-        if settings.sp_entity_id
-          root.attributes["entityID"] = settings.sp_entity_id
-        end
-        if valid_until
-          root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z')
-        end
-        if cache_duration
-          root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S"
-        end
+        sp_sso
+      end
+
+      def add_sp_service_elements(sp_sso, settings)
         if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
               "Binding" => settings.single_logout_service_binding,
@@ -75,10 +98,12 @@ module OneLogin
               "ResponseLocation" => settings.single_logout_service_url
           }
         end
+
         if settings.name_identifier_format
           nameid = sp_sso.add_element "md:NameIDFormat"
           nameid.text = settings.name_identifier_format
         end
+
         if settings.assertion_consumer_service_url
           sp_sso.add_element "md:AssertionConsumerService", {
               "Binding" => settings.assertion_consumer_service_binding,
@@ -117,15 +142,27 @@ module OneLogin
         #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
-        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+        sp_sso
+      end
 
-        # embed signature
-        if settings.security[:metadata_signed] && settings.private_key && settings.certificate
-          private_key = settings.get_sp_key
-          meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
-        end
+      # can be overridden in subclass
+      def add_extras(root, _settings)
+        root
+      end
+
+      def embed_signature(meta_doc, settings)
+        return unless settings.security[:metadata_signed]
+
+        private_key = settings.get_sp_key
+        cert = settings.get_sp_cert
+        return unless private_key && cert
+
+        meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+      end
+
+      def output_xml(meta_doc, pretty_print)
+        ret = ''
 
-        ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
         if pretty_print
           meta_doc.write(ret, 1)
@@ -133,7 +170,7 @@ module OneLogin
           ret = meta_doc.to_s
         end
 
-        return ret
+        ret
       end
     end
   end

data/lib/onelogin/ruby-saml/response.rb

@@ -63,7 +63,7 @@ module OneLogin
           end
         end
 
-        @response = decode_raw_saml(response)
+        @response = decode_raw_saml(response, settings)
         @document = XMLSecurity::SignedDocument.new(@response, @errors)
 
         if assertion_encrypted?
@@ -227,11 +227,10 @@ module OneLogin
               statuses = nodes.collect do |inner_node|
                 inner_node.attributes["Value"]
               end
-              extra_code = statuses.join(" | ")
-              if extra_code
-                code = "#{code} | #{extra_code}"
-              end
+
+              code = [code, statuses].flatten.join(" | ")
             end
+
             code
           end
         end
@@ -338,9 +337,9 @@ module OneLogin
       end
 
       # returns the allowed clock drift on timing validation
-      # @return [Integer]
+      # @return [Float]
       def allowed_clock_drift
-        return options[:allowed_clock_drift].to_f
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
       end
 
       # Checks if the SAML Response contains or not an EncryptedAssertion element
@@ -377,7 +376,6 @@ module OneLogin
         return false unless validate_response_state
 
         validations = [
-          :validate_response_state,
           :validate_version,
           :validate_id,
           :validate_success_status,
@@ -615,7 +613,12 @@ module OneLogin
       #
       def validate_audience
         return true if options[:skip_audience]
-        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+        return true if settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+
+        if audiences.empty?
+          return true unless settings.security[:strict_audience_validation]
+          return append_error("Invalid Audiences. The <AudienceRestriction> element contained only empty <Audience> elements. Expected audience #{settings.sp_entity_id}.")
+        end
 
         unless audiences.include? settings.sp_entity_id
           s = audiences.count > 1 ? 's' : '';
@@ -694,13 +697,13 @@ module OneLogin
 
         now = Time.now.utc
 
-        if not_before && (now_with_drift = now + allowed_clock_drift) < not_before
-          error_msg = "Current time is earlier than NotBefore condition (#{now_with_drift} < #{not_before})"
+        if not_before && now < (not_before - allowed_clock_drift)
+          error_msg = "Current time is earlier than NotBefore condition (#{now} < #{not_before}#{" - #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
-        if not_on_or_after && now >= (not_on_or_after_with_drift = not_on_or_after + allowed_clock_drift)
-          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after_with_drift})"
+        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
@@ -742,7 +745,7 @@ module OneLogin
         return true if session_expires_at.nil?
 
         now = Time.now.utc
-        unless (session_expires_at + allowed_clock_drift) > now
+        unless now < (session_expires_at + allowed_clock_drift)
           error_msg = "The attributes have expired, based on the SessionNotOnOrAfter of the AuthnStatement of this Response"
           return append_error(error_msg)
         end
@@ -780,8 +783,8 @@ module OneLogin
 
           attrs = confirmation_data_node.attributes
           next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
-                  (attrs.include? "NotOnOrAfter" and (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift) <= now) ||
-                  (attrs.include? "NotBefore" and parse_time(confirmation_data_node, "NotBefore") > (now + allowed_clock_drift)) ||
+                  (attrs.include? "NotBefore" and now < (parse_time(confirmation_data_node, "NotBefore") - allowed_clock_drift)) ||
+                  (attrs.include? "NotOnOrAfter" and now >= (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift)) ||
                   (attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.assertion_consumer_service_url)
 
           valid_subject_confirmation = true
@@ -828,7 +831,7 @@ module OneLogin
         # otherwise, review if the decrypted assertion contains a signature
         sig_elements = REXML::XPath.match(
           document,
-          "/p:Response[@ID=$id]/ds:Signature]",
+          "/p:Response[@ID=$id]/ds:Signature",
           { "p" => PROTOCOL, "ds" => DSIG },
           { 'id' => document.signed_element_id }
         )

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -16,14 +16,12 @@ module OneLogin
     class SamlMessage
       include REXML
 
-      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion".freeze
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol".freeze
 
       BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
       @@mutex = Mutex.new
 
-      MAX_BYTE_SIZE = 250000
-
       # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
       #
       def self.schema
@@ -88,11 +86,12 @@ module OneLogin
       # @param saml [String] The deflated and encoded SAML Message
       # @return [String] The plain SAML Message
       #
-      def decode_raw_saml(saml)
+      def decode_raw_saml(saml, settings = nil)
         return saml unless base64_encoded?(saml)
 
-        if saml.bytesize > MAX_BYTE_SIZE
-          raise ValidationError.new("Encoded SAML Message exceeds " + MAX_BYTE_SIZE.to_s + " bytes, so was rejected")
+        settings = OneLogin::RubySaml::Settings.new if settings.nil?
+        if saml.bytesize > settings.message_max_bytesize
+          raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
         end
 
         decoded = decode(saml)

data/lib/onelogin/ruby-saml/settings.rb

@@ -31,9 +31,8 @@ module OneLogin
 
       # IdP Data
       attr_accessor :idp_entity_id
-
-      attr_accessor :idp_sso_service_url
-      attr_accessor :idp_slo_service_url
+      attr_writer   :idp_sso_service_url
+      attr_writer   :idp_slo_service_url
       attr_accessor :idp_slo_response_service_url
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
@@ -43,8 +42,10 @@ module OneLogin
       attr_accessor :idp_name_qualifier
       attr_accessor :valid_until
       # SP Data
+      attr_writer   :sp_entity_id
       attr_accessor :assertion_consumer_service_url
-      attr_accessor :assertion_consumer_service_binding
+      attr_reader   :assertion_consumer_service_binding
+      attr_writer   :single_logout_service_url
       attr_accessor :sp_name_qualifier
       attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
@@ -53,8 +54,9 @@ module OneLogin
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
+      attr_accessor :message_max_bytesize
       attr_accessor :passive
-      attr_accessor :protocol_binding
+      attr_reader   :protocol_binding
       attr_accessor :attributes_index
       attr_accessor :force_authn
       attr_accessor :certificate
@@ -67,9 +69,9 @@ module OneLogin
       # Work-flow
       attr_accessor :security
       attr_accessor :soft
-      # Compability
+      # Deprecated
       attr_accessor :assertion_consumer_logout_service_url
-      attr_accessor :assertion_consumer_logout_service_binding
+      attr_reader   :assertion_consumer_logout_service_binding
       attr_accessor :issuer
       attr_accessor :idp_sso_target_url
       attr_accessor :idp_slo_target_url
@@ -77,94 +79,89 @@ module OneLogin
       # @return [String] IdP Single Sign On Service URL
       #
       def idp_sso_service_url
-        val = nil
-        if @idp_sso_service_url.nil?
-          if @idp_sso_target_url
-            val = @idp_sso_target_url
-          end
-        else
-          val = @idp_sso_service_url
-        end
-        val
+        @idp_sso_service_url || @idp_sso_target_url
       end
 
       # @return [String] IdP Single Logout Service URL
       #
       def idp_slo_service_url
-        val = nil
-        if @idp_slo_service_url.nil?
-          if @idp_slo_target_url
-            val = @idp_slo_target_url
-          end
-        else
-          val = @idp_slo_service_url
-        end
-        val
+        @idp_slo_service_url || @idp_slo_target_url
+      end
+
+      # @return [String] IdP Single Sign On Service Binding
+      #
+      def idp_sso_service_binding
+        @idp_sso_service_binding || idp_binding_from_embed_sign
+      end
+
+      # Setter for IdP Single Sign On Service Binding
+      # @param value [String, Symbol].
+      #
+      def idp_sso_service_binding=(value)
+        @idp_sso_service_binding = get_binding(value)
+      end
+
+      # @return [String] IdP Single Logout Service Binding
+      #
+      def idp_slo_service_binding
+        @idp_slo_service_binding || idp_binding_from_embed_sign
+      end
+
+      # Setter for IdP Single Logout Service Binding
+      # @param value [String, Symbol].
+      #
+      def idp_slo_service_binding=(value)
+        @idp_slo_service_binding = get_binding(value)
       end
 
       # @return [String] SP Entity ID
       #
       def sp_entity_id
-        val = nil
-        if @sp_entity_id.nil?
-          if @issuer
-            val = @issuer
-          end
-        else
-          val = @sp_entity_id
-        end
-        val
+        @sp_entity_id || @issuer
       end
 
-      # Setter for SP Entity ID.
-      # @param val [String].
+      # Setter for SP Protocol Binding
+      # @param value [String, Symbol].
       #
-      def sp_entity_id=(val)
-        @sp_entity_id = val
+      def protocol_binding=(value)
+        @protocol_binding = get_binding(value)
       end
 
-      # @return [String] Single Logout Service URL.
+      # Setter for SP Assertion Consumer Service Binding
+      # @param value [String, Symbol].
       #
-      def single_logout_service_url
-        val = nil
-        if @single_logout_service_url.nil?
-          if @assertion_consumer_logout_service_url
-            val = @assertion_consumer_logout_service_url
-          end
-        else
-          val = @single_logout_service_url
-        end
-        val
+      def assertion_consumer_service_binding=(value)
+        @assertion_consumer_service_binding = get_binding(value)
       end
 
-      # Setter for the Single Logout Service URL.
-      # @param url [String].
+      # @return [String] Single Logout Service URL.
       #
-      def single_logout_service_url=(url)
-        @single_logout_service_url = url
+      def single_logout_service_url
+        @single_logout_service_url || @assertion_consumer_logout_service_url
       end
 
       # @return [String] Single Logout Service Binding.
       #
       def single_logout_service_binding
-        val = nil
-        if @single_logout_service_binding.nil?
-          if @assertion_consumer_logout_service_binding
-            val = @assertion_consumer_logout_service_binding
-          end
-        else
-          val = @single_logout_service_binding
-        end
-        val
+        @single_logout_service_binding || @assertion_consumer_logout_service_binding
       end
 
       # Setter for Single Logout Service Binding.
       #
       # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
-      # @param url [String]
+      # @param value [String, Symbol]
       #
-      def single_logout_service_binding=(url)
-        @single_logout_service_binding = url
+      def single_logout_service_binding=(value)
+        @single_logout_service_binding = get_binding(value)
+      end
+
+      # @deprecated Setter for legacy Single Logout Service Binding parameter.
+      #
+      # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
+      # @param value [String, Symbol]
+      #
+      def assertion_consumer_logout_service_binding=(value)
+        @assertion_consumer_logout_service_binding = get_binding(value)
       end
 
       # Calculates the fingerprint of the IdP x509 certificate.
@@ -252,12 +249,23 @@ module OneLogin
 
       private
 
+      def idp_binding_from_embed_sign
+        security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
+      end
+
+      def get_binding(value)
+        return unless value
+
+        Utils::BINDINGS[value.to_sym] || value
+      end
+
       DEFAULTS = {
-        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
-        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :assertion_consumer_service_binding        => Utils::BINDINGS[:post],
+        :single_logout_service_binding             => Utils::BINDINGS[:redirect],
         :idp_cert_fingerprint_algorithm            => XMLSecurity::Document::SHA1,
         :compress_request                          => true,
         :compress_response                         => true,
+        :message_max_bytesize                      => 250000,
         :soft                                      => true,
         :double_quote_xml_attribute_values         => false,
         :security                                  => {
@@ -268,11 +276,13 @@ module OneLogin
           :want_assertions_encrypted  => false,
           :want_name_id               => false,
           :metadata_signed            => false,
-          :embed_sign                 => false,
+          :embed_sign                 => false, # Deprecated
           :digest_method              => XMLSecurity::Document::SHA1,
           :signature_method           => XMLSecurity::Document::RSA_SHA1,
           :check_idp_cert_expiration  => false,
-          :check_sp_cert_expiration   => false
+          :check_sp_cert_expiration   => false,
+          :strict_audience_validation => false,
+          :lowercase_url_encoding     => false
         }.freeze
       }.freeze
     end

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -43,7 +43,7 @@ module OneLogin
           end
         end
 
-        @request = decode_raw_saml(request)
+        @request = decode_raw_saml(request, settings)
         @document = REXML::Document.new(@request)
       end
 
@@ -130,6 +130,12 @@ module OneLogin
 
       private
 
+      # returns the allowed clock drift on timing validation
+      # @return [Float]
+      def allowed_clock_drift
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
+      end
+
       # Hard aux function to validate the Logout Request
       # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the Logout Request is valid
@@ -180,15 +186,17 @@ module OneLogin
         true
       end
 
-      # Validates the time. (If the logout request was initialized with the :allowed_clock_drift option, the timing validations are relaxed by the allowed_clock_drift value)
+      # Validates the time. (If the logout request was initialized with the :allowed_clock_drift
+      # option, the timing validations are relaxed by the allowed_clock_drift value)
       # If fails, the error is added to the errors array
       # @return [Boolean] True if satisfies the conditions, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_not_on_or_after
         now = Time.now.utc
-        if not_on_or_after && now >= (not_on_or_after + (options[:allowed_clock_drift] || 0))
-          return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after})")
+
+        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+          return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})")
         end
 
         true
@@ -240,32 +248,8 @@ module OneLogin
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
 
-        # SAML specifies that the signature should be derived from a concatenation
-        # of URI-encoded values _as sent by the IDP_:
-        #
-        # > Further, note that URL-encoding is not canonical; that is, there are multiple legal encodings for a given
-        # > value. The relying party MUST therefore perform the verification step using the original URL-encoded
-        # > values it received on the query string. It is not sufficient to re-encode the parameters after they have been
-        # > processed by software because the resulting encoding may not match the signer's encoding.
-        #
-        # <http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>
-        #
-        # If we don't have the original parts (for backward compatibility) required to correctly verify the signature,
-        # then fabricate them by re-encoding the parsed URI parameters, and hope that we're lucky enough to use
-        # the exact same URI-encoding as the IDP. (This is not the case if the IDP is ADFS!)
-        options[:raw_get_params] ||= {}
-        if options[:raw_get_params]['SAMLRequest'].nil? && !options[:get_params]['SAMLRequest'].nil?
-          options[:raw_get_params]['SAMLRequest'] = CGI.escape(options[:get_params]['SAMLRequest'])
-        end
-        if options[:raw_get_params]['RelayState'].nil? && !options[:get_params]['RelayState'].nil?
-          options[:raw_get_params]['RelayState'] = CGI.escape(options[:get_params]['RelayState'])
-        end
-        if options[:raw_get_params]['SigAlg'].nil? && !options[:get_params]['SigAlg'].nil?
-          options[:raw_get_params]['SigAlg'] = CGI.escape(options[:get_params]['SigAlg'])
-        end
+        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params], settings.security[:lowercase_url_encoding])
 
-        # If we only received the raw version of SigAlg,
-        # then parse it back into the decoded params hash for convenience.
         if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
           options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
         end
@@ -327,7 +311,6 @@ module OneLogin
 
         true
       end
-
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -13,7 +13,7 @@ module OneLogin
     class SloLogoutresponse < SamlMessage
 
       # Logout Response ID
-      attr_reader :uuid
+      attr_accessor :uuid
 
       # Initializes the Logout Response. A SloLogoutresponse Object that is an extension of the SamlMessage class.
       # Asigns an ID, a random uuid.
@@ -36,15 +36,15 @@ module OneLogin
       #
       def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
         params = create_params(settings, request_id, logout_message, params, logout_status_code)
-        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
-        url = settings.idp_slo_response_service_url || settings.idp_slo_target_url
+        params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
+        url = settings.idp_slo_response_service_url || settings.idp_slo_service_url
         saml_response = CGI.escape(params.delete("SAMLResponse"))
         response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
         params.each_pair do |key, value|
           response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
 
-        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if url.nil? or url.empty?
+        raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?
         @logout_url = url + response_params
       end
 
@@ -79,7 +79,7 @@ module OneLogin
         base64_response = encode(response)
         response_params = {"SAMLResponse" => base64_response}
 
-        if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && settings.private_key
           params['SigAlg']    = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLResponse',
@@ -117,7 +117,8 @@ module OneLogin
         response_doc = XMLSecurity::Document.new
         response_doc.uuid = uuid
 
-        destination = settings.idp_slo_response_service_url || settings.idp_slo_target_url
+        destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url
+
 
         root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
@@ -149,7 +150,7 @@ module OneLogin
 
       def sign_document(document, settings)
         # embed signature
-        if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.private_key && settings.certificate
           private_key = settings.get_sp_key
           cert = settings.get_sp_cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])