ruby-saml 1.12.2 → 1.13.0

data/UPGRADING.md

@@ -0,0 +1,149 @@
+# Ruby SAML Migration Guide
+
+## Updating from 1.12.x to 1.13.0 (NOT YET RELEASED)
+
+Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and
+deprecates `settings.security[:embed_sign]`. If specified, new binding parameters will be used in place of `:embed_sign`
+to determine how to handle SAML message signing (`HTTP-POST` embeds signature and `HTTP-Redirect` does not.)
+
+In addition, the `IdpMetadataParser#parse`, `#parse_to_hash` and `#parse_to_array` methods now retrieve
+`idp_sso_service_binding` and `idp_slo_service_binding`.
+
+Lastly, for convenience you may now use the Symbol aliases `:post` and `:redirect` for any `settings.*_binding` parameter.
+
+## Upgrading from 1.11.x to 1.12.0
+
+Version `1.12.0` adds support for gcm algorithm and
+change/adds specific error messages for signature validations
+
+`idp_sso_target_url` and `idp_slo_target_url` attributes of the Settings class deprecated
+in favor of `idp_sso_service_url` and `idp_slo_service_url`. The `IdpMetadataParser#parse`,
+`#parse_to_hash` and `#parse_to_array` methods now retrieve SSO URL and SLO URL endpoints with
+`idp_sso_service_url` and `idp_slo_service_url` (previously `idp_sso_target_url` and
+`idp_slo_target_url` respectively).
+
+## Upgrading from 1.10.x to 1.11.0
+
+Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
+There are two new security settings: `settings.security[:check_idp_cert_expiration]` and
+`settings.security[:check_sp_cert_expiration]` (both false by default) that check if the
+IdP or SP X.509 certificate has expired, respectively.
+
+Version `1.10.2` includes the `valid_until` attribute in parsed IdP metadata.
+
+Version `1.10.1` improves Ruby 1.8.7 support.
+
+## Upgrading from 1.9.0 to 1.10.0
+
+Version `1.10.0` improves IdpMetadataParser to allow parse multiple IDPSSODescriptor,
+Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user
+to be authenticated and updates the format_cert method to accept certs with /\x0d/
+
+## Upgrading from 1.8.0 to 1.9.0
+
+Version `1.9.0` better supports Ruby 2.4+ and JRuby 9.2.0.0. `Settings` initialization
+now has a second parameter, `keep_security_settings` (default: false), which saves security
+settings attributes that are not explicitly overridden, if set to true.
+
+## Upgrading from 1.7.x to 1.8.0
+
+On Version `1.8.0`, creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState
+param will not generate a URL with an empty RelayState parameter anymore. It also changes
+the invalid audience error message.
+
+## Upgrading from 1.6.0 to 1.7.0
+
+Version `1.7.0` is a recommended update for all Ruby SAML users as it includes a fix for
+the [CVE-2017-11428](https://www.cvedetails.com/cve/CVE-2017-11428/) vulnerability.
+
+## Upgrading from 1.5.0 to 1.6.0
+
+Version `1.6.0` changes the preferred way to construct instances of `Logoutresponse` and
+`SloLogoutrequest`. Previously the _SAMLResponse_, _RelayState_, and _SigAlg_ parameters
+of these message types were provided via the constructor's `options[:get_params]` parameter.
+Unfortunately this can result in incompatibility with other SAML implementations; signatures
+are specified to be computed based on the _sender's_ URI-encoding of the message, which can
+differ from that of Ruby SAML. In particular, Ruby SAML's URI-encoding does not match that
+of Microsoft ADFS, so messages from ADFS can fail signature validation.
+
+The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is via the
+`options[:raw_get_params]` parameter. For example:
+
+```ruby
+# In this example `query_params` is assumed to contain decoded query parameters,
+# and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
+settings = {
+  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.soft = false
+}
+options = {
+  get_params: {
+    "Signature" => query_params["Signature"],
+  },
+  raw_get_params: {
+    "SAMLRequest" => raw_query_params["SAMLRequest"],
+    "SigAlg" => raw_query_params["SigAlg"],
+    "RelayState" => raw_query_params["RelayState"],
+  },
+}
+slo_logout_request = OneLogin::RubySaml::SloLogoutrequest.new(query_params["SAMLRequest"], settings, options)
+raise "Invalid Logout Request" unless slo_logout_request.is_valid?
+```
+
+The old form is still supported for backward compatibility, but all Ruby SAML users
+should prefer `options[:raw_get_params]` where possible to ensure compatibility with
+other SAML implementations.
+
+## Upgrading from 1.4.2 to 1.4.3
+
+Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
+The 'Recipient' value is compared with the settings.assertion_consumer_service_url
+value.
+
+If you want to skip that validation, add the :skip_recipient_check option to the
+initialize method of the Response object.
+
+Parsing metadata that contains more than one certificate will propagate the
+idp_cert_multi property rather than idp_cert. See [signature validation
+section](#signature-validation) for details.
+
+## Upgrading from 1.3.x to 1.4.x
+
+Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.
+
+## Upgrading from 1.2.x to 1.3.x
+
+Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes.
+It adds security improvements in order to prevent Signature wrapping attacks.
+[CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
+
+## Upgrading from 1.1.x to 1.2.x
+
+Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom,
+refactor error handling and some minor improvements.
+
+There is no compatibility issue detected.
+
+For more details, please review [CHANGELOG.md](CHANGELOG.md).
+
+## Upgrading from 1.0.x to 1.1.x
+
+Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+
+## Upgrading from 0.9.x to 1.0.x
+
+Version `1.0` is a recommended update for all Ruby SAML users as it includes security fixes.
+
+Version `1.0` adds security improvements like entity expansion limitation, more SAML message validations, and other important improvements like decrypt support.
+
+### Important Changes
+
+Please note the `get_idp_metadata` method raises an exception when it is not able to fetch the idp metadata, so review your integration if you are using this functionality.
+
+## Upgrading from 0.8.x to 0.9.x
+
+Version `0.9` adds many new features and improvements.
+
+## Upgrading from 0.7.x to 0.8.x
+
+Version `0.8.x` changes the namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -73,7 +73,7 @@ module OneLogin
         base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
 
-        if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+        if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && settings.private_key
           params['SigAlg']    = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLRequest',
@@ -179,8 +179,7 @@ module OneLogin
       end
 
       def sign_document(document, settings)
-        # embed signature
-        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+        if settings.idp_sso_service_binding == Utils::BINDINGS[:post] && settings.security[:authn_requests_signed] && settings.private_key && settings.certificate
           private_key = settings.get_sp_key
           cert = settings.get_sp_cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -11,6 +11,10 @@ module OneLogin
 
     # Auxiliary class to retrieve and parse the Identity Provider Metadata
     #
+    # This class does not validate in any way the URL that is introduced,
+    # make sure to validate it properly before use it in a parse_remote method.
+    # Read the `Security warning` section of the README.md file to get more info
+    #
     class IdpMetadataParser
 
       module SamlMetadata
@@ -43,7 +47,7 @@ module OneLogin
           SamlMetadata::NAMESPACE
         )
       end
-        
+
       # Parse the Identity Provider metadata and update the settings with the
       # IdP values
       #
@@ -52,9 +56,10 @@ module OneLogin
       #
       # @param options [Hash] options used for parsing the metadata and the returned Settings instance
       # @option options [OneLogin::RubySaml::Settings, Hash] :settings the OneLogin::RubySaml::Settings object which gets the parsed metadata merged into or an hash for Settings overrides.
-      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+      # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
       #
       # @return [OneLogin::RubySaml::Settings]
       #
@@ -70,9 +75,10 @@ module OneLogin
       # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
       #
       # @param options [Hash] options used for parsing the metadata
-      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+      # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
       #
       # @return [Hash]
       #
@@ -87,9 +93,10 @@ module OneLogin
       # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
       #
       # @param options [Hash] options used for parsing the metadata
-      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, all found IdPs are returned.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, all found IdPs are returned.
+      # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
       #
       # @return [Array<Hash>]
       #
@@ -105,9 +112,10 @@ module OneLogin
       #
       # @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
       # @option options [OneLogin::RubySaml::Settings, Hash] :settings the OneLogin::RubySaml::Settings object which gets the parsed metadata merged into or an hash for Settings overrides.
-      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+      # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
       #
       # @return [OneLogin::RubySaml::Settings]
       def parse(idp_metadata, options = {})
@@ -115,8 +123,10 @@ module OneLogin
 
         unless parsed_metadata[:cache_duration].nil?
           cache_valid_until_timestamp = OneLogin::RubySaml::Utils.parse_duration(parsed_metadata[:cache_duration])
-          if parsed_metadata[:valid_until].nil? || cache_valid_until_timestamp < Time.parse(parsed_metadata[:valid_until], Time.now.utc).to_i
-            parsed_metadata[:valid_until] = Time.at(cache_valid_until_timestamp).utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+          unless cache_valid_until_timestamp.nil?
+            if parsed_metadata[:valid_until].nil? || cache_valid_until_timestamp < Time.parse(parsed_metadata[:valid_until], Time.now.utc).to_i
+              parsed_metadata[:valid_until] = Time.at(cache_valid_until_timestamp).utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+            end
           end
         end
         # Remove the cache_duration because on the settings
@@ -139,9 +149,10 @@ module OneLogin
       # @param idp_metadata [String]
       #
       # @param options [Hash] options used for parsing the metadata and the returned Settings instance
-      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+      # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
       #
       # @return [Hash]
       def parse_to_hash(idp_metadata, options = {})
@@ -153,13 +164,14 @@ module OneLogin
       # @param idp_metadata [String]
       #
       # @param options [Hash] options used for parsing the metadata and the returned Settings instance
-      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
-      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, all found IdPs are returned.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, all found IdPs are returned.
+      # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
       #
       # @return [Array<Hash>]
       def parse_to_array(idp_metadata, options = {})
-        parse_to_idp_metadata_array(idp_metadata, options).map{|idp_md| idp_md.to_hash(options)}
+        parse_to_idp_metadata_array(idp_metadata, options).map { |idp_md| idp_md.to_hash(options) }
       end
 
       def parse_to_idp_metadata_array(idp_metadata, options = {})
@@ -171,9 +183,9 @@ module OneLogin
           raise ArgumentError.new("idp_metadata must contain an IDPSSODescriptor element")
         end
 
-        return idpsso_descriptors.map{|id| IdpMetadata.new(id, id.parent.attributes["entityID"])}
+        idpsso_descriptors.map {|id| IdpMetadata.new(id, id.parent.attributes["entityID"])}
       end
-      
+
       private
 
       # Retrieve the remote IdP metadata from the URL or a cached copy.
@@ -210,19 +222,23 @@ module OneLogin
 
       class IdpMetadata
         attr_reader :idpsso_descriptor, :entity_id
-        
+
         def initialize(idpsso_descriptor, entity_id)
           @idpsso_descriptor = idpsso_descriptor
           @entity_id = entity_id
         end
 
         def to_hash(options = {})
+          sso_binding = options[:sso_binding]
+          slo_binding = options[:slo_binding]
           {
             :idp_entity_id => @entity_id,
-            :name_identifier_format => idp_name_id_format,
-            :idp_sso_service_url => single_signon_service_url(options),
-            :idp_slo_service_url => single_logout_service_url(options),
-            :idp_slo_response_service_url => single_logout_response_service_url(options),
+            :name_identifier_format => idp_name_id_format(options[:name_id_format]),
+            :idp_sso_service_url => single_signon_service_url(sso_binding),
+            :idp_sso_service_binding => single_signon_service_binding(sso_binding),
+            :idp_slo_service_url => single_logout_service_url(slo_binding),
+            :idp_slo_service_binding => single_logout_service_binding(slo_binding),
+            :idp_slo_response_service_url => single_logout_response_service_url(slo_binding),
             :idp_attribute_names => attribute_names,
             :idp_cert => nil,
             :idp_cert_fingerprint => nil,
@@ -234,17 +250,6 @@ module OneLogin
           end
         end
 
-        # @return [String|nil] IdP Name ID Format value if exists
-        #
-        def idp_name_id_format
-          node = REXML::XPath.first(
-            @idpsso_descriptor,
-            "md:NameIDFormat",
-            SamlMetadata::NAMESPACE
-          )
-          Utils.element_text(node)
-        end
-
         # @return [String|nil] 'validUntil' attribute of metadata
         #
         def valid_until
@@ -259,39 +264,31 @@ module OneLogin
           root.attributes['cacheDuration'] if root && root.attributes
         end
 
-        # @param binding_priority [Array]
-        # @return [String|nil] SingleSignOnService binding if exists
+        # @param name_id_priority [String|Array<String>] The prioritized list of NameIDFormat values to select. Will select first value if nil.
+        # @return [String|nil] IdP NameIDFormat value if exists
         #
-        def single_signon_service_binding(binding_priority = nil)
+        def idp_name_id_format(name_id_priority = nil)
           nodes = REXML::XPath.match(
             @idpsso_descriptor,
-            "md:SingleSignOnService/@Binding",
+            "md:NameIDFormat",
             SamlMetadata::NAMESPACE
           )
-          if binding_priority
-            values = nodes.map(&:value)
-            binding_priority.detect{ |binding| values.include? binding }
-          else
-            nodes.first.value if nodes.any?
-          end
+          first_ranked_text(nodes, name_id_priority)
         end
 
-        # @param options [Hash]
-        # @return [String|nil] SingleSignOnService endpoint if exists
+        # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
+        # @return [String|nil] SingleSignOnService binding if exists
         #
-        def single_signon_service_url(options = {})
-          binding = single_signon_service_binding(options[:sso_binding])
-          return if binding.nil?
-
-          node = REXML::XPath.first(
+        def single_signon_service_binding(binding_priority = nil)
+          nodes = REXML::XPath.match(
             @idpsso_descriptor,
-            "md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
+            "md:SingleSignOnService/@Binding",
             SamlMetadata::NAMESPACE
           )
-          return node.value if node
+          first_ranked_value(nodes, binding_priority)
         end
 
-        # @param binding_priority [Array]
+        # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
         # @return [String|nil] SingleLogoutService binding if exists
         #
         def single_logout_service_binding(binding_priority = nil)
@@ -300,19 +297,29 @@ module OneLogin
             "md:SingleLogoutService/@Binding",
             SamlMetadata::NAMESPACE
           )
-          if binding_priority
-            values = nodes.map(&:value)
-            binding_priority.detect{ |binding| values.include? binding }
-          else
-            nodes.first.value if nodes.any?
-          end
+          first_ranked_value(nodes, binding_priority)
+        end
+
+        # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
+        # @return [String|nil] SingleSignOnService endpoint if exists
+        #
+        def single_signon_service_url(binding_priority = nil)
+          binding = single_signon_service_binding(binding_priority)
+          return if binding.nil?
+
+          node = REXML::XPath.first(
+            @idpsso_descriptor,
+            "md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
+            SamlMetadata::NAMESPACE
+          )
+          node.value if node
         end
 
-        # @param options [Hash]
+        # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
         # @return [String|nil] SingleLogoutService endpoint if exists
         #
-        def single_logout_service_url(options = {})
-          binding = single_logout_service_binding(options[:slo_binding])
+        def single_logout_service_url(binding_priority = nil)
+          binding = single_logout_service_binding(binding_priority)
           return if binding.nil?
 
           node = REXML::XPath.first(
@@ -320,14 +327,14 @@ module OneLogin
             "md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
             SamlMetadata::NAMESPACE
           )
-          return node.value if node
+          node.value if node
         end
 
-        # @param options [Hash]
+        # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
         # @return [String|nil] SingleLogoutService response url if exists
         #
-        def single_logout_response_service_url(options = {})
-          binding = single_logout_service_binding(options[:slo_binding])
+        def single_logout_response_service_url(binding_priority = nil)
+          binding = single_logout_service_binding(binding_priority)
           return if binding.nil?
 
           node = REXML::XPath.first(
@@ -335,7 +342,7 @@ module OneLogin
             "md:SingleLogoutService[@Binding=\"#{binding}\"]/@ResponseLocation",
             SamlMetadata::NAMESPACE
           )
-          return node.value if node
+          node.value if node
         end
 
         # @return [String|nil] Unformatted Certificate if exists
@@ -417,15 +424,41 @@ module OneLogin
                 parsed_metadata[:idp_cert_fingerprint_algorithm]
               )
             end
-          else
-            # symbolize keys of certificates and pass it on
-            parsed_metadata[:idp_cert_multi] = Hash[certificates.map { |k, v| [k.to_sym, v] }]
           end
+
+          # symbolize keys of certificates and pass it on
+          parsed_metadata[:idp_cert_multi] = Hash[certificates.map { |k, v| [k.to_sym, v] }]
         end
 
         def certificates_has_one(key)
           certificates.key?(key) && certificates[key].size == 1
         end
+
+        private
+
+        def first_ranked_text(nodes, priority = nil)
+          return unless nodes.any?
+
+          priority = Array(priority)
+          if priority.any?
+            values = nodes.map(&:text)
+            Array(priority).detect { |candidate| values.include?(candidate) }
+          else
+            nodes.first.text
+          end
+        end
+
+        def first_ranked_value(nodes, priority = nil)
+          return unless nodes.any?
+
+          priority = Array(priority)
+          if priority.any?
+            values = nodes.map(&:value)
+            priority.detect { |candidate| values.include?(candidate) }
+          else
+            nodes.first.value
+          end
+        end
       end
 
       def merge_parsed_metadata_into(settings, parsed_metadata)