ruby-saml 1.12.1 → 1.13.0

data/lib/onelogin/ruby-saml/metadata.rb

@@ -21,21 +21,50 @@ module OneLogin
       #
       def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
         meta_doc = XMLSecurity::Document.new
+        add_xml_declaration(meta_doc)
+        root = add_root_element(meta_doc, settings, valid_until, cache_duration)
+        sp_sso = add_sp_sso_element(root, settings)
+        add_sp_certificates(sp_sso, settings)
+        add_sp_service_elements(sp_sso, settings)
+        add_extras(root, settings)
+        embed_signature(meta_doc, settings)
+        output_xml(meta_doc, pretty_print)
+      end
+
+      protected
+
+      def add_xml_declaration(meta_doc)
+        meta_doc << REXML::XMLDecl.new('1.0', 'UTF-8')
+      end
+
+      def add_root_element(meta_doc, settings, valid_until, cache_duration)
         namespaces = {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
         }
+
         if settings.attribute_consuming_service.configured?
           namespaces["xmlns:saml"] = "urn:oasis:names:tc:SAML:2.0:assertion"
         end
-        root = meta_doc.add_element "md:EntityDescriptor", namespaces
-        sp_sso = root.add_element "md:SPSSODescriptor", {
+
+        root = meta_doc.add_element("md:EntityDescriptor", namespaces)
+        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
+        root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
+        root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z') if valid_until
+        root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
+        root
+      end
+
+      def add_sp_sso_element(root, settings)
+        root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
             "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
             "WantAssertionsSigned" => settings.security[:want_assertions_signed],
         }
+      end
 
-        # Add KeyDescriptor if messages will be signed / encrypted
-        # with SP certificate, and new SP certificate if any
+      # Add KeyDescriptor if messages will be signed / encrypted
+      # with SP certificate, and new SP certificate if any
+      def add_sp_certificates(sp_sso, settings)
         cert = settings.get_sp_cert
         cert_new = settings.get_sp_cert_new
 
@@ -58,16 +87,10 @@ module OneLogin
           end
         end
 
-        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
-        if settings.sp_entity_id
-          root.attributes["entityID"] = settings.sp_entity_id
-        end
-        if valid_until
-          root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z')
-        end
-        if cache_duration
-          root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S"
-        end
+        sp_sso
+      end
+
+      def add_sp_service_elements(sp_sso, settings)
         if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
               "Binding" => settings.single_logout_service_binding,
@@ -75,10 +98,12 @@ module OneLogin
               "ResponseLocation" => settings.single_logout_service_url
           }
         end
+
         if settings.name_identifier_format
           nameid = sp_sso.add_element "md:NameIDFormat"
           nameid.text = settings.name_identifier_format
         end
+
         if settings.assertion_consumer_service_url
           sp_sso.add_element "md:AssertionConsumerService", {
               "Binding" => settings.assertion_consumer_service_binding,
@@ -117,15 +142,27 @@ module OneLogin
         #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
-        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+        sp_sso
+      end
 
-        # embed signature
-        if settings.security[:metadata_signed] && settings.private_key && settings.certificate
-          private_key = settings.get_sp_key
-          meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
-        end
+      # can be overridden in subclass
+      def add_extras(root, _settings)
+        root
+      end
+
+      def embed_signature(meta_doc, settings)
+        return unless settings.security[:metadata_signed]
+
+        private_key = settings.get_sp_key
+        cert = settings.get_sp_cert
+        return unless private_key && cert
+
+        meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+      end
+
+      def output_xml(meta_doc, pretty_print)
+        ret = ''
 
-        ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
         if pretty_print
           meta_doc.write(ret, 1)
@@ -133,7 +170,7 @@ module OneLogin
           ret = meta_doc.to_s
         end
 
-        return ret
+        ret
       end
     end
   end

data/lib/onelogin/ruby-saml/response.rb

@@ -63,7 +63,7 @@ module OneLogin
           end
         end
 
-        @response = decode_raw_saml(response)
+        @response = decode_raw_saml(response, settings)
         @document = XMLSecurity::SignedDocument.new(@response, @errors)
 
         if assertion_encrypted?
@@ -227,11 +227,10 @@ module OneLogin
               statuses = nodes.collect do |inner_node|
                 inner_node.attributes["Value"]
               end
-              extra_code = statuses.join(" | ")
-              if extra_code
-                code = "#{code} | #{extra_code}"
-              end
+
+              code = [code, statuses].flatten.join(" | ")
             end
+
             code
           end
         end
@@ -338,9 +337,9 @@ module OneLogin
       end
 
       # returns the allowed clock drift on timing validation
-      # @return [Integer]
+      # @return [Float]
       def allowed_clock_drift
-        return options[:allowed_clock_drift].to_f
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
       end
 
       # Checks if the SAML Response contains or not an EncryptedAssertion element
@@ -377,7 +376,6 @@ module OneLogin
         return false unless validate_response_state
 
         validations = [
-          :validate_response_state,
           :validate_version,
           :validate_id,
           :validate_success_status,
@@ -694,13 +692,13 @@ module OneLogin
 
         now = Time.now.utc
 
-        if not_before && (now_with_drift = now + allowed_clock_drift) < not_before
-          error_msg = "Current time is earlier than NotBefore condition (#{now_with_drift} < #{not_before})"
+        if not_before && now < (not_before - allowed_clock_drift)
+          error_msg = "Current time is earlier than NotBefore condition (#{now} < #{not_before}#{" - #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
-        if not_on_or_after && now >= (not_on_or_after_with_drift = not_on_or_after + allowed_clock_drift)
-          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after_with_drift})"
+        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
@@ -742,7 +740,7 @@ module OneLogin
         return true if session_expires_at.nil?
 
         now = Time.now.utc
-        unless (session_expires_at + allowed_clock_drift) > now
+        unless now < (session_expires_at + allowed_clock_drift)
           error_msg = "The attributes have expired, based on the SessionNotOnOrAfter of the AuthnStatement of this Response"
           return append_error(error_msg)
         end
@@ -780,8 +778,8 @@ module OneLogin
 
           attrs = confirmation_data_node.attributes
           next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
-                  (attrs.include? "NotOnOrAfter" and (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift) <= now) ||
-                  (attrs.include? "NotBefore" and parse_time(confirmation_data_node, "NotBefore") > (now + allowed_clock_drift)) ||
+                  (attrs.include? "NotBefore" and now < (parse_time(confirmation_data_node, "NotBefore") - allowed_clock_drift)) ||
+                  (attrs.include? "NotOnOrAfter" and now >= (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift)) ||
                   (attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.assertion_consumer_service_url)
 
           valid_subject_confirmation = true

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -16,14 +16,12 @@ module OneLogin
     class SamlMessage
       include REXML
 
-      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion".freeze
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol".freeze
 
       BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
       @@mutex = Mutex.new
 
-      MAX_BYTE_SIZE = 250000
-
       # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
       #
       def self.schema
@@ -88,11 +86,12 @@ module OneLogin
       # @param saml [String] The deflated and encoded SAML Message
       # @return [String] The plain SAML Message
       #
-      def decode_raw_saml(saml)
+      def decode_raw_saml(saml, settings = nil)
         return saml unless base64_encoded?(saml)
 
-        if saml.bytesize > MAX_BYTE_SIZE
-          raise ValidationError.new("Encoded SAML Message exceeds " + MAX_BYTE_SIZE.to_s + " bytes, so was rejected")
+        settings = OneLogin::RubySaml::Settings.new if settings.nil?
+        if saml.bytesize > settings.message_max_bytesize
+          raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
         end
 
         decoded = decode(saml)

data/lib/onelogin/ruby-saml/settings.rb

@@ -31,9 +31,8 @@ module OneLogin
 
       # IdP Data
       attr_accessor :idp_entity_id
-
-      attr_accessor :idp_sso_service_url
-      attr_accessor :idp_slo_service_url
+      attr_writer   :idp_sso_service_url
+      attr_writer   :idp_slo_service_url
       attr_accessor :idp_slo_response_service_url
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
@@ -43,8 +42,10 @@ module OneLogin
       attr_accessor :idp_name_qualifier
       attr_accessor :valid_until
       # SP Data
+      attr_writer   :sp_entity_id
       attr_accessor :assertion_consumer_service_url
-      attr_accessor :assertion_consumer_service_binding
+      attr_reader   :assertion_consumer_service_binding
+      attr_writer   :single_logout_service_url
       attr_accessor :sp_name_qualifier
       attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
@@ -53,8 +54,9 @@ module OneLogin
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
+      attr_accessor :message_max_bytesize
       attr_accessor :passive
-      attr_accessor :protocol_binding
+      attr_reader   :protocol_binding
       attr_accessor :attributes_index
       attr_accessor :force_authn
       attr_accessor :certificate
@@ -67,9 +69,9 @@ module OneLogin
       # Work-flow
       attr_accessor :security
       attr_accessor :soft
-      # Compability
+      # Deprecated
       attr_accessor :assertion_consumer_logout_service_url
-      attr_accessor :assertion_consumer_logout_service_binding
+      attr_reader   :assertion_consumer_logout_service_binding
       attr_accessor :issuer
       attr_accessor :idp_sso_target_url
       attr_accessor :idp_slo_target_url
@@ -77,94 +79,89 @@ module OneLogin
       # @return [String] IdP Single Sign On Service URL
       #
       def idp_sso_service_url
-        val = nil
-        if @idp_sso_service_url.nil?
-          if @idp_sso_target_url
-            val = @idp_sso_target_url
-          end
-        else
-          val = @idp_sso_service_url
-        end
-        val
+        @idp_sso_service_url || @idp_sso_target_url
       end
 
       # @return [String] IdP Single Logout Service URL
       #
       def idp_slo_service_url
-        val = nil
-        if @idp_slo_service_url.nil?
-          if @idp_slo_target_url
-            val = @idp_slo_target_url
-          end
-        else
-          val = @idp_slo_service_url
-        end
-        val
+        @idp_slo_service_url || @idp_slo_target_url
+      end
+
+      # @return [String] IdP Single Sign On Service Binding
+      #
+      def idp_sso_service_binding
+        @idp_sso_service_binding || idp_binding_from_embed_sign
+      end
+
+      # Setter for IdP Single Sign On Service Binding
+      # @param value [String, Symbol].
+      #
+      def idp_sso_service_binding=(value)
+        @idp_sso_service_binding = get_binding(value)
+      end
+
+      # @return [String] IdP Single Logout Service Binding
+      #
+      def idp_slo_service_binding
+        @idp_slo_service_binding || idp_binding_from_embed_sign
+      end
+
+      # Setter for IdP Single Logout Service Binding
+      # @param value [String, Symbol].
+      #
+      def idp_slo_service_binding=(value)
+        @idp_slo_service_binding = get_binding(value)
       end
 
       # @return [String] SP Entity ID
       #
       def sp_entity_id
-        val = nil
-        if @sp_entity_id.nil?
-          if @issuer
-            val = @issuer
-          end
-        else
-          val = @sp_entity_id
-        end
-        val
+        @sp_entity_id || @issuer
       end
 
-      # Setter for SP Entity ID.
-      # @param val [String].
+      # Setter for SP Protocol Binding
+      # @param value [String, Symbol].
       #
-      def sp_entity_id=(val)
-        @sp_entity_id = val
+      def protocol_binding=(value)
+        @protocol_binding = get_binding(value)
       end
 
-      # @return [String] Single Logout Service URL.
+      # Setter for SP Assertion Consumer Service Binding
+      # @param value [String, Symbol].
       #
-      def single_logout_service_url
-        val = nil
-        if @single_logout_service_url.nil?
-          if @assertion_consumer_logout_service_url
-            val = @assertion_consumer_logout_service_url
-          end
-        else
-          val = @single_logout_service_url
-        end
-        val
+      def assertion_consumer_service_binding=(value)
+        @assertion_consumer_service_binding = get_binding(value)
       end
 
-      # Setter for the Single Logout Service URL.
-      # @param url [String].
+      # @return [String] Single Logout Service URL.
       #
-      def single_logout_service_url=(url)
-        @single_logout_service_url = url
+      def single_logout_service_url
+        @single_logout_service_url || @assertion_consumer_logout_service_url
       end
 
       # @return [String] Single Logout Service Binding.
       #
       def single_logout_service_binding
-        val = nil
-        if @single_logout_service_binding.nil?
-          if @assertion_consumer_logout_service_binding
-            val = @assertion_consumer_logout_service_binding
-          end
-        else
-          val = @single_logout_service_binding
-        end
-        val
+        @single_logout_service_binding || @assertion_consumer_logout_service_binding
       end
 
       # Setter for Single Logout Service Binding.
       #
       # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
-      # @param url [String]
+      # @param value [String, Symbol]
       #
-      def single_logout_service_binding=(url)
-        @single_logout_service_binding = url
+      def single_logout_service_binding=(value)
+        @single_logout_service_binding = get_binding(value)
+      end
+
+      # @deprecated Setter for legacy Single Logout Service Binding parameter.
+      #
+      # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
+      # @param value [String, Symbol]
+      #
+      def assertion_consumer_logout_service_binding=(value)
+        @assertion_consumer_logout_service_binding = get_binding(value)
       end
 
       # Calculates the fingerprint of the IdP x509 certificate.
@@ -252,12 +249,23 @@ module OneLogin
 
       private
 
+      def idp_binding_from_embed_sign
+        security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
+      end
+
+      def get_binding(value)
+        return unless value
+
+        Utils::BINDINGS[value.to_sym] || value
+      end
+
       DEFAULTS = {
-        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
-        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :assertion_consumer_service_binding        => Utils::BINDINGS[:post],
+        :single_logout_service_binding             => Utils::BINDINGS[:redirect],
         :idp_cert_fingerprint_algorithm            => XMLSecurity::Document::SHA1,
         :compress_request                          => true,
         :compress_response                         => true,
+        :message_max_bytesize                      => 250000,
         :soft                                      => true,
         :double_quote_xml_attribute_values         => false,
         :security                                  => {
@@ -268,7 +276,7 @@ module OneLogin
           :want_assertions_encrypted  => false,
           :want_name_id               => false,
           :metadata_signed            => false,
-          :embed_sign                 => false,
+          :embed_sign                 => false, # Deprecated
           :digest_method              => XMLSecurity::Document::SHA1,
           :signature_method           => XMLSecurity::Document::RSA_SHA1,
           :check_idp_cert_expiration  => false,

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -43,7 +43,7 @@ module OneLogin
           end
         end
 
-        @request = decode_raw_saml(request)
+        @request = decode_raw_saml(request, settings)
         @document = REXML::Document.new(@request)
       end
 
@@ -130,6 +130,12 @@ module OneLogin
 
       private
 
+      # returns the allowed clock drift on timing validation
+      # @return [Float]
+      def allowed_clock_drift
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
+      end
+
       # Hard aux function to validate the Logout Request
       # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the Logout Request is valid
@@ -180,15 +186,17 @@ module OneLogin
         true
       end
 
-      # Validates the time. (If the logout request was initialized with the :allowed_clock_drift option, the timing validations are relaxed by the allowed_clock_drift value)
+      # Validates the time. (If the logout request was initialized with the :allowed_clock_drift
+      # option, the timing validations are relaxed by the allowed_clock_drift value)
       # If fails, the error is added to the errors array
       # @return [Boolean] True if satisfies the conditions, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_not_on_or_after
         now = Time.now.utc
-        if not_on_or_after && now >= (not_on_or_after + (options[:allowed_clock_drift] || 0))
-          return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after})")
+
+        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+          return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})")
         end
 
         true

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -36,15 +36,15 @@ module OneLogin
       #
       def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
         params = create_params(settings, request_id, logout_message, params, logout_status_code)
-        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
-        url = settings.idp_slo_response_service_url || settings.idp_slo_target_url
+        params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
+        url = settings.idp_slo_response_service_url || settings.idp_slo_service_url
         saml_response = CGI.escape(params.delete("SAMLResponse"))
         response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
         params.each_pair do |key, value|
           response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
 
-        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if url.nil? or url.empty?
+        raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?
         @logout_url = url + response_params
       end
 
@@ -79,7 +79,7 @@ module OneLogin
         base64_response = encode(response)
         response_params = {"SAMLResponse" => base64_response}
 
-        if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && settings.private_key
           params['SigAlg']    = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLResponse',
@@ -117,7 +117,8 @@ module OneLogin
         response_doc = XMLSecurity::Document.new
         response_doc.uuid = uuid
 
-        destination = settings.idp_slo_response_service_url || settings.idp_slo_target_url
+        destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url
+
 
         root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
@@ -149,7 +150,7 @@ module OneLogin
 
       def sign_document(document, settings)
         # embed signature
-        if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.private_key && settings.certificate
           private_key = settings.get_sp_key
           cert = settings.get_sp_cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])

data/lib/onelogin/ruby-saml/utils.rb

@@ -13,9 +13,25 @@ module OneLogin
     class Utils
       @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
 
-      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
-      XENC      = "http://www.w3.org/2001/04/xmlenc#"
-      DURATION_FORMAT = %r(^(-?)P(?:(?:(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)|(?:(\d+)W))$)
+      BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+                   :redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
+      DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
+      XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
+      DURATION_FORMAT = %r(^
+        (-?)P                       # 1: Duration sign
+        (?:
+          (?:(\d+)Y)?               # 2: Years
+          (?:(\d+)M)?               # 3: Months
+          (?:(\d+)D)?               # 4: Days
+          (?:T
+            (?:(\d+)H)?             # 5: Hours
+            (?:(\d+)M)?             # 6: Minutes
+            (?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
+          )?
+          |
+          (\d+)W                    # 8: Weeks
+        )
+      $)x.freeze
 
       # Checks if the x509 cert provided is expired
       #
@@ -37,31 +53,20 @@ module OneLogin
       #                            current time.
       #
       # @return [Integer] The new timestamp, after the duration is applied.
-      # 
+      #
       def self.parse_duration(duration, timestamp=Time.now.utc)
+        return nil if RUBY_VERSION < '1.9'  # 1.8.7 not supported
+
         matches = duration.match(DURATION_FORMAT)
-      
+
         if matches.nil?
           raise Exception.new("Invalid ISO 8601 duration")
         end
 
-        durYears = matches[2].to_i
-        durMonths = matches[3].to_i
-        durDays = matches[4].to_i
-        durHours = matches[5].to_i
-        durMinutes = matches[6].to_i
-        durSeconds = matches[7].to_f
-        durWeeks = matches[8].to_i
-
-        if matches[1] == "-"
-          durYears = -durYears
-          durMonths = -durMonths
-          durDays = -durDays
-          durHours = -durHours
-          durMinutes = -durMinutes
-          durSeconds = -durSeconds
-          durWeeks = -durWeeks
-        end
+        sign = matches[1] == '-' ? -1 : 1
+
+        durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
+          matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
 
         initial_datetime = Time.at(timestamp).utc.to_datetime
         final_datetime = initial_datetime.next_year(durYears)

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.12.1'
+    VERSION = '1.13.0'
   end
 end

data/lib/xml_security.rb

@@ -159,15 +159,13 @@ module XMLSecurity
       x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
       # add the signature
-      issuer_element = self.elements["//saml:Issuer"]
+      issuer_element = elements["//saml:Issuer"]
       if issuer_element
-        self.root.insert_after issuer_element, signature_element
+        root.insert_after(issuer_element, signature_element)
+      elsif first_child = root.children[0]
+        root.insert_before(first_child, signature_element)
       else
-        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
-          self.root.insert_before sp_sso_descriptor, signature_element
-        else
-          self.root.add_element(signature_element)
-        end
+        root.add_element(signature_element)
       end
     end