ruby-saml 1.3.1 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ebddaf61706d9ea22f5dfe8f8857d38633bd8b34
-  data.tar.gz: 17e92a96f7ad6fde5764d5238f6c7abe165b2f9d
+  metadata.gz: 268a395d4ed90393709bec460cd818d644bd7269
+  data.tar.gz: 0507a8928e591569b9be618d2dac54b8c83a1847
 SHA512:
-  metadata.gz: 340ffba316ae676dc6b12049f3e4936c74e6b296ab0fbbdc86906dcb322c5eb6430eabbe930bb3dc114bb0e8cfe7b0220e0c1ddbb31b98178a9f71318cfdf812
-  data.tar.gz: e690b29654a0d1389278f7feee2d65d6ebba3118a634e727486845607c46a9460a546935f4fc78f89c4ce6cc339af555f35aa447f3f74ebab62714de0f917693
+  metadata.gz: 59e8e5300dcd4f521c19216686753cd2ce1a2480383bf6c873601a1031d96ef59241e13076a6b2e89cee61cc43f64c2afc383d6c985a8186cee0a7efe433aabd
+  data.tar.gz: 00dfd3b12d124c41282b7edce5ae4214f96d696314120776f0cbeadc6c86c35cfac1279b8d3ef0b23ff6559ffec6365681254da2784d86b8fa659a825989ba02

data/README.md

@@ -1,5 +1,9 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.3.x to 1.4.X
+
+Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.
+
 ## Updating from 1.2.x to 1.3.X
 
 Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes. It  adds security improvements in order to prevent Signature wrapping attacks. [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
@@ -92,7 +96,7 @@ require 'onelogin/ruby-saml/authrequest'
 
 ### Installation on Ruby 1.8.7
 
-This gem has a dependency on Nokogiri, which dropped support for Ruby 1.8.x in Nokogiri 1.6. When installing this gem on Ruby 1.8.7, you will need to make sure a version of Nokogiri prior to 1.6 is installed or specified if it hasn't been already.
+This gem uses Nokogiri as a dependency, which dropped support for Ruby 1.8.x in Nokogiri 1.6. When installing this gem on Ruby 1.8.7, you will need to make sure a version of Nokogiri prior to 1.6 is installed or specified if it hasn't been already.
 
 Using `Gemfile`
 
@@ -121,7 +125,7 @@ OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.lo
 
 ## The Initialization Phase
 
-This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
+This is the first request you will get from the identity provider. It will hit your application at a specific URL that you've announced as your SAML initialization point. The response to this initialization is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
 
 ```ruby
 def init
@@ -130,7 +134,7 @@ def init
 end
 ```
 
-Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption, this is can look something like this (the authorize_success and authorize_failure methods are specific to your application):
+Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption. This can look something like this (the `authorize_success` and `authorize_failure` methods are specific to your application):
 
 ```ruby
 def consume
@@ -147,17 +151,17 @@ def consume
 end
 ```
 
-In the above there are a few assumptions in place, one being that the response.nameid is an email address. This is all handled with how you specify the settings that are in play via the saml_settings method. That could be implemented along the lines of this:
-
-If the assertion of the SAMLResponse is not encrypted, you can initialize the Response without the :settings parameter and set it later,
+In the above there are a few assumptions, one being that `response.nameid` is an email address. This is all handled with how you specify the settings that are in play via the `saml_settings` method. That could be implemented along the lines of this:
 
 ```
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
 response.settings = saml_settings
 ```
-but if the SAMLResponse contains an encrypted assertion, you need to provide the settings in the
-initialize method in order to be able to obtain the decrypted assertion, using the service provider private key in order to decrypt.
-If you don't know what expect, use always the first proposed way (always set the settings on the initialize method).
+
+If the assertion of the SAMLResponse is not encrypted, you can initialize the Response without the `:settings` parameter and set it later.
+If the SAMLResponse contains an encrypted assertion, you need to provide the settings in the
+initialize method in order to obtain the decrypted assertion, using the service provider private key in order to decrypt.
+If you don't know what expect, always use the former (set the settings on initialize).
 
 ```ruby
 def saml_settings
@@ -175,6 +179,11 @@ def saml_settings
 
   # Optional for most SAML IdPs
   settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+  # or as an array
+  settings.authn_context = [
+    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
+    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+  ]
 
   # Optional bindings (defaults to Redirect for logout POST for acs)
   settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
@@ -184,14 +193,14 @@ def saml_settings
 end
 ```
 
-Some assertion validations can be skipped by passing parameters to OneLogin::RubySaml::Response.new().  For example, you can skip the Conditions validation or the SubjectConfirmation validations by initializing the response with different options:
+Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `Conditions` validation or the `SubjectConfirmation` validations by initializing the response with different options:
 
 ```ruby
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
 ```
 
-What's left at this point, is to wrap it all up in a controller and point the initialization and consumption URLs in OneLogin at that. A full controller example could look like this:
+All that's left is to wrap everything in a controller and reference it in the initialization and consumption URLs in OneLogin. A full controller example could look like this:
 
 ```ruby
 # This controller expects you to use the URLs /saml/init and /saml/consume in your OneLogin application.
@@ -270,8 +279,10 @@ The following attributes are set:
   * idp_slo_target_url
   * idp_cert_fingerprint
 
-If you are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
-`single_value_compatibility` (when activate, only one value returned, the first one)
+## Retrieving Attributes
+
+If you are using `saml:AttributeStatement` to transfer data like the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the
+`single_value_compatibility` (when activated, only the first value is returned)
 
 ```ruby
 response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
@@ -280,7 +291,7 @@ response.settings = saml_settings
 response.attributes[:username]
 ```
 
-Imagine this saml:AttributeStatement
+Imagine this `saml:AttributeStatement`
 
 ```xml
   <saml:AttributeStatement>
@@ -380,15 +391,15 @@ pp(response.attributes.multi(:not_exists))
 # => nil
 ```
 
-The saml:AuthnContextClassRef of the AuthNRequest can be provided by `settings.authn_context` , possible values are described at [SAMLAuthnCxt]. The comparison method can be set using the parameter `settings.authn_context_comparison` (the possible values are: 'exact', 'better', 'maximum' and 'minimum'), 'exact' is the default value.
-If we want to add a saml:AuthnContextDeclRef, define a `settings.authn_context_decl_ref`.
+The `saml:AuthnContextClassRef` of the AuthNRequest can be provided by `settings.authn_context`; possible values are described at [SAMLAuthnCxt]. The comparison method can be set using `settings.authn_context_comparison` parameter. Possible values include: 'exact', 'better', 'maximum' and 'minimum' (default value is 'exact').
+To add a `saml:AuthnContextDeclRef`, define `settings.authn_context_decl_ref`.
 
 
 ## Signing
 
-The Ruby Toolkit supports 2 different kinds of signature: Embeded and as GET parameter
+The Ruby Toolkit supports 2 different kinds of signature: Embeded and `GET` parameters
 
-In order to be able to sign we need first to define the private key and the public cert of the service provider
+In order to be able to sign, define the private key and the public cert of the service provider:
 
 ```ruby
   settings.certificate = "CERTIFICATE TEXT WITH HEAD AND FOOT"
@@ -414,23 +425,23 @@ The settings related to sign are stored in the `security` attribute of the setti
   settings.security[:embed_sign] = false
 ```
 
-Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding,
-remember to provide it to the Signature builder if you are sending a GET RelayState parameter or
-Signature validation process will fail at the Identity Provider.
+Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding.
+Remember to provide it to the Signature builder if you are sending a `GET RelayState` parameter or the 
+signature validation process will fail at the Identity Provider.
 
 The Service Provider will sign the request/responses with its private key.
 The Identity Provider will validate the sign of the received request/responses with the public x500 cert of the
 Service Provider.
 
-Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and the decrypt process.
+Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and decrypt processes.
 
-Enable/disable the soft mode by the settings.soft parameter. When is set false, the saml validations errors will raise an exception.
+Enable/disable the soft mode with the `settings.soft` parameter. When set to `false`, saml validations errors will raise an exception.
 
 ## Decrypting
 
 The Ruby Toolkit supports EncryptedAssertion.
 
-In order to be able to decrypt a SAML Response that contains a EncryptedAssertion we need first to define the private key and the public cert of the service provider, and share this with the Identity Provider.
+In order to be able to decrypt a SAML Response that contains a EncryptedAssertion you need define the private key and the public cert of the service provider, then share this with the Identity Provider.
 
 ```ruby
   settings.certificate = "CERTIFICATE TEXT WITH HEAD AND FOOT"
@@ -440,13 +451,13 @@ In order to be able to decrypt a SAML Response that contains a EncryptedAssertio
 The Identity Provider will encrypt the Assertion with the public cert of the Service Provider.
 The Service Provider will decrypt the EncryptedAssertion with its private key.
 
-Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and the decrypt process.
+Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and decrypt processes.
 
 ## Single Log Out
 
 The Ruby Toolkit supports SP-initiated Single Logout and IdP-Initiated Single Logout.
 
-Here is an example that we could add to our previous controller to generate and send a SAML Logout Request to the IdP
+Here is an example that we could add to our previous controller to generate and send a SAML Logout Request to the IdP:
 
 ```ruby
 # Create a SP initiated SLO
@@ -475,7 +486,7 @@ def sp_logout_request
 end
 ```
 
-and this method process the SAML Logout Response sent by the IdP as reply of the SAML Logout Request
+This method processes the SAML Logout Response sent by the IdP as the reply of the SAML Logout Request:
 
 ```ruby
 # After sending an SP initiated LogoutRequest to the IdP, we need to accept
@@ -510,7 +521,7 @@ def delete_session
 end
 ```
 
-Here is an example that we could add to our previous controller to process a SAML Logout Request from the IdP and reply a SAML Logout Response to the IdP
+Here is an example that we could add to our previous controller to process a SAML Logout Request from the IdP and reply with a SAML Logout Response to the IdP:
 
 ```ruby
 # Method to handle IdP initiated logouts
@@ -576,11 +587,11 @@ end
 
 ## Clock Drift
 
-Server clocks tend to drift naturally. If during validation of the response you get the error "Current time is earlier than NotBefore condition" then this may be due to clock differences between your system and that of the Identity Provider.
+Server clocks tend to drift naturally. If during validation of the response you get the error "Current time is earlier than NotBefore condition", this may be due to clock differences between your system and that of the Identity Provider.
 
 First, ensure that both systems synchronize their clocks, using for example the industry standard [Network Time Protocol (NTP)](http://en.wikipedia.org/wiki/Network_Time_Protocol).
 
-Even then you may experience intermittent issues though, because the clock of the Identity Provider may drift slightly ahead of your system clocks. To allow for a small amount of clock drift you can initialize the response passing in an option named `:allowed_clock_drift`. Its value must be given in a number (and/or fraction) of seconds. The value given is added to the current time at which the response is validated before it's tested against the `NotBefore` assertion. For example:
+Even then you may experience intermittent issues, as the clock of the Identity Provider may drift slightly ahead of your system clocks. To allow for a small amount of clock drift, you can initialize the response by passing in an option named `:allowed_clock_drift`. Its value must be given in a number (and/or fraction) of seconds. The value given is added to the current time at which the response is validated before it's tested against the `NotBefore` assertion. For example:
 
 ```ruby
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :allowed_clock_drift => 1.second)

data/changelog.md

@@ -1,5 +1,29 @@
 # RubySaml Changelog
 
+### 1.4.0 (October 13, 2016)
+* Several security improvements:
+  * Conditions element required and unique.
+  * AuthnStatement element required and unique.
+  * SPNameQualifier must math the SP EntityID
+  * Reject saml:Attribute element with same “Name” attribute
+  * Reject empty nameID
+  * Require Issuer element. (Must match IdP EntityID).
+  * Destination value can't be blank (if present must match ACS URL).
+  * Check that the EncryptedAssertion element only contains 1 Assertion element.
+
+* [#335](https://github.com/onelogin/ruby-saml/pull/335) Explicitly parse as XML and fix setting of Nokogiri options.
+* [#345](https://github.com/onelogin/ruby-saml/pull/345)Support multiple settings.auth_context
+* More tests to prevent XML Signature Wrapping
+* [#342](https://github.com/onelogin/ruby-saml/pull/342) Correct the usage of Mutex
+* [352](https://github.com/onelogin/ruby-saml/pull/352) Support multiple AttributeStatement tags
+
+
+### 1.3.1 (July 10, 2016)
+* Fix response_test.rb of gem 1.3.0
+* Add reference to Security Guidelines
+* Update License
+* [#334](https://github.com/onelogin/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method. 
+
 ### 1.3.0 (June 24, 2016)
 * [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
 * Fix XMLSecurity SHA256 and SHA512 uris

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -136,8 +136,11 @@ module OneLogin
           }
 
           if settings.authn_context != nil
-            class_ref = requested_context.add_element "saml:AuthnContextClassRef"
-            class_ref.text = settings.authn_context
+            authn_contexts = settings.authn_context.is_a?(Array) ? settings.authn_context : [settings.authn_context]
+            authn_contexts.each do |authn_context|
+              class_ref = requested_context.add_element "saml:AuthnContextClassRef"
+              class_ref.text = authn_context
+            end
           end
           # add saml:AuthnContextDeclRef element
           if settings.authn_context_decl_ref != nil

data/lib/onelogin/ruby-saml/response.rb

@@ -88,6 +88,23 @@ module OneLogin
 
       alias_method :nameid_format, :name_id_format
 
+      # @return [String] the NameID SPNameQualifier provided by the SAML response from the IdP.
+      #
+      def name_id_spnamequalifier
+        @name_id_spnamequalifier ||=
+          if name_id_node && name_id_node.attribute("SPNameQualifier")
+            name_id_node.attribute("SPNameQualifier").value
+          end
+      end
+
+      # @return [String] the NameID NameQualifier provided by the SAML response from the IdP.
+      #
+      def name_id_namequalifier
+        @name_id_namequalifier ||=
+          if name_id_node && name_id_node.attribute("NameQualifier")
+            name_id_node.attribute("NameQualifier").value
+          end
+      end
 
       # Gets the SessionIndex from the AuthnStatement.
       # Could be used to be stored in the local session in order
@@ -115,35 +132,34 @@ module OneLogin
       #    attributes['name']
       #
       # @return [Attributes] OneLogin::RubySaml::Attributes enumerable collection.
-      #      
+      #
       def attributes
         @attr_statements ||= begin
           attributes = Attributes.new
 
-          stmt_element = xpath_first_from_signed_assertion('/a:AttributeStatement')
-          return attributes if stmt_element.nil?
-
-          stmt_element.elements.each do |attr_element|
-            name  = attr_element.attributes["Name"]
-            values = attr_element.elements.collect{|e|
-              if (e.elements.nil? || e.elements.size == 0)
-                # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
-                # otherwise the value is to be regarded as empty.
-                ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : e.text.to_s
-              # explicitly support saml2:NameID with saml2:NameQualifier if supplied in attributes
-              # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to 
-              # identify the subject in an SP rather than email or other less opaque attributes
-              # NameQualifier, if present is prefixed with a "/" to the value
-              else 
-               REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect{|n|
-                  (n.attributes['NameQualifier'] ? n.attributes['NameQualifier'] +"/" : '') + n.text.to_s
-                }
-              end
-            }
-
-            attributes.add(name, values.flatten)
+          stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
+          stmt_elements.each do |stmt_element|
+            stmt_element.elements.each do |attr_element|
+              name = attr_element.attributes["Name"]
+              values = attr_element.elements.collect{|e|
+                if (e.elements.nil? || e.elements.size == 0)
+                  # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
+                  # otherwise the value is to be regarded as empty.
+                  ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : e.text.to_s
+                # explicitly support saml2:NameID with saml2:NameQualifier if supplied in attributes
+                # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to
+                # identify the subject in an SP rather than email or other less opaque attributes
+                # NameQualifier, if present is prefixed with a "/" to the value
+                else
+                 REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect{|n|
+                    (n.attributes['NameQualifier'] ? n.attributes['NameQualifier'] +"/" : '') + n.text.to_s
+                  }
+                end
+              }
+
+              attributes.add(name, values.flatten)
+            end
           end
-
           attributes
         end
       end
@@ -170,12 +186,15 @@ module OneLogin
       #
       def status_code
         @status_code ||= begin
-          node = REXML::XPath.first(
+          nodes = REXML::XPath.match(
             document,
             "/p:Response/p:Status/p:StatusCode",
             { "p" => PROTOCOL }
           )
-          node.attributes["Value"] if node && node.attributes
+          if nodes.size == 1
+            node = nodes[0]
+            node.attributes["Value"] if node && node.attributes
+          end
         end
       end
 
@@ -183,12 +202,15 @@ module OneLogin
       #
       def status_message
         @status_message ||= begin
-          node = REXML::XPath.first(
+          nodes = REXML::XPath.match(
             document,
             "/p:Response/p:Status/p:StatusMessage",
             { "p" => PROTOCOL }
           )
-          node.text if node
+          if nodes.size == 1
+            node = nodes[0]
+            node.text if node
+          end
         end
       end
 
@@ -214,26 +236,6 @@ module OneLogin
         @not_on_or_after ||= parse_time(conditions, "NotOnOrAfter")
       end
 
-      # Gets the Issuers (from Response and Assertion).
-      # (returns the first node that matches the supplied xpath from the Response and from the Assertion)
-      # @return [Array] Array with the Issuers (REXML::Element)
-      #
-      def issuers
-        @issuers ||= begin
-          issuers = []
-          nodes = REXML::XPath.match(
-            document,
-            "/p:Response/a:Issuer",
-            { "p" => PROTOCOL, "a" => ASSERTION }
-          )
-          nodes += xpath_from_signed_assertion("/a:Issuer")
-          nodes.each do |node|
-            issuers << node.text if node.text
-          end
-          issuers.uniq
-        end
-      end
-
       # @return [String|nil] The InResponseTo attribute from the SAML Response.
       #
       def in_response_to
@@ -299,15 +301,19 @@ module OneLogin
           :validate_success_status,
           :validate_num_assertion,
           :validate_no_encrypted_attributes,
+          :validate_no_duplicated_attributes,
           :validate_signed_elements,
           :validate_structure,
           :validate_in_response_to,
+          :validate_one_conditions,
           :validate_conditions,
+          :validate_one_authnstatement,
           :validate_audience,
           :validate_destination,
           :validate_issuer,
           :validate_session_expiration,
           :validate_subject_confirmation,
+          :validate_name_id,
           :validate_signature
         ]
 
@@ -396,6 +402,7 @@ module OneLogin
       # @return [Boolean] True if the SAML Response contains one unique Assertion, otherwise False
       #
       def validate_num_assertion
+        error_msg = "SAML Response must contain 1 assertion"
         assertions = REXML::XPath.match(
           document,
           "//a:Assertion",
@@ -408,7 +415,18 @@ module OneLogin
         )
 
         unless assertions.size + encrypted_assertions.size == 1
-          return append_error("SAML Response must contain 1 assertion")
+          return append_error(error_msg)
+        end
+
+        unless decrypted_document.nil?
+          assertions = REXML::XPath.match(
+            decrypted_document,
+            "//a:Assertion",
+            { "a" => ASSERTION }
+          )
+          unless assertions.size == 1
+            return append_error(error_msg)
+          end
         end
 
         true
@@ -428,6 +446,28 @@ module OneLogin
         true
       end
 
+      # Validates that there are not duplicated attributes
+      # If fails, the error is added to the errors array
+      # @return [Boolean] True if there are no duplicated attribute elements, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def validate_no_duplicated_attributes
+        if options[:check_duplicated_attributes]
+          processed_names = []
+          stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
+          stmt_elements.each do |stmt_element|
+            stmt_element.elements.each do |attr_element|
+              name = attr_element.attributes["Name"]
+              if attributes.include?(name)
+                return append_error("Found an Attribute element with duplicated Name")
+              end
+              processed_names.add(name)
+            end
+          end
+        end
+
+        true
+      end
 
       # Validates the Signed elements
       # If fails, the error is added to the errors array
@@ -527,7 +567,14 @@ module OneLogin
       # @return [Boolean] True if there is a Destination element that matches the Consumer Service URL, otherwise False
       #
       def validate_destination
-        return true if destination.nil? || destination.empty? || settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
+        return true if destination.nil?
+
+        if destination.empty?
+          error_msg = "The response has an empty Destination value"
+          return append_error(error_msg)
+        end
+
+        return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
 
         unless destination == settings.assertion_consumer_service_url
           error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
@@ -537,6 +584,34 @@ module OneLogin
         true
       end
 
+      # Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
+      # If fails, the error is added to the errors array
+      # @return [Boolean] True if there is a conditions element and is unique
+      #
+      def validate_one_conditions
+        conditions_nodes = xpath_from_signed_assertion('/a:Conditions')
+        unless conditions_nodes.size == 1
+          error_msg = "The Assertion must include one Conditions element"
+          return append_error(error_msg)
+        end
+
+        true
+      end
+
+      # Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
+      # If fails, the error is added to the errors array
+      # @return [Boolean] True if there is a authnstatement element and is unique
+      #
+      def validate_one_authnstatement
+        authnstatement_nodes = xpath_from_signed_assertion('/a:AuthnStatement')
+        unless authnstatement_nodes.size == 1
+          error_msg = "The Assertion must include one AuthnStatement element"
+          return append_error(error_msg)
+        end
+
+        true
+      end
+
       # Validates the Conditions. (If the response was initialized with the :skip_conditions option, this validation is skipped,
       # If the response was initialized with the :allowed_clock_drift option, the timing validations are relaxed by the allowed_clock_drift value)
       # @return [Boolean] True if satisfies the conditions, otherwise False if soft=True
@@ -569,6 +644,31 @@ module OneLogin
       def validate_issuer
         return true if settings.idp_entity_id.nil?
 
+        issuers = []
+        issuer_response_nodes = REXML::XPath.match(
+          document,
+          "/p:Response/a:Issuer",
+          { "p" => PROTOCOL, "a" => ASSERTION }
+        )
+
+        unless issuer_response_nodes.size == 1
+          error_msg = "Issuer of the Response not found or multiple."
+          return append_error(error_msg)
+        end
+
+        doc = decrypted_document.nil? ? document : decrypted_document
+        issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
+        unless issuer_assertion_nodes.size == 1
+          error_msg = "Issuer of the Assertion not found or multiple."
+          return append_error(error_msg)
+        end
+
+        nodes = issuer_response_nodes + issuer_assertion_nodes
+        nodes.each do |node|
+          issuers << node.text if node.text
+        end
+        issuers.uniq
+
         issuers.each do |issuer|
           unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
             error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
@@ -642,6 +742,27 @@ module OneLogin
         true
       end
 
+      # Validates the NameID element
+      def validate_name_id
+        if name_id_node.nil?
+          if settings.security[:want_name_id]
+            return append_error("No NameID element found in the assertion of the Response")
+          end
+        else
+          if name_id.nil? || name_id.empty?
+            return append_error("An empty NameID value found")
+          end
+
+          unless settings.issuer.nil? || settings.issuer.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
+            if name_id_spnamequalifier != settings.issuer
+              return append_error("The SPNameQualifier value mistmatch the SP entityID value.")
+            end
+          end
+        end
+
+        true
+      end
+
       # Validates the Signature
       # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails