ruby-saml 1.4.2 → 1.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 639540398f041bbcc593b2d2fdb14cf93028ce45
-  data.tar.gz: ab5128758b3789b7354906a8f9145af07ac873e5
+  metadata.gz: 455ea502cffeb8d8b1c0bc673de3495e0e1b070a
+  data.tar.gz: f5327bfb4d61922b77444f397a8347910a6bab33
 SHA512:
-  metadata.gz: 6ff40b3269727503ec6977fec4697e3babe3742cf6bc214281a156745057f581df8cfd7b93ec3499e23bf3ed99d806abe38bc03d4e7784b83ccb0b617494d883
-  data.tar.gz: 3fe0c819cb2183ed1c574f4a2d02db01894a69bc1c4673582d4646fc80217ed88504de2ae0c59bbe22cc209212e9aa5a895a7d22c5be83fc10589be713247c50
+  metadata.gz: a3842b07e3f0da562c0302a7a399f63901bbe0a7ae88a68f60dce296fc0d7a9eebed08544db2cfcea2857a76dfed58cc158d6dacba10671135a804d899d8edad
+  data.tar.gz: 0ce3cc58921b2d384983cca9a29a75890e39a25e0b62da97e27f3a4c32baabf15b338ff9cd83b5aeb8d980ff69f10f094b72afab8a047c917ac775b7f4a1b896

data/README.md

@@ -1,4 +1,4 @@
-# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
+# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
 ## Updating from 1.3.x to 1.4.X
 
@@ -186,18 +186,19 @@ def saml_settings
   ]
 
   # Optional bindings (defaults to Redirect for logout POST for acs)
+  settings.single_logout_service_binding      = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-  settings.assertion_consumer_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 
   settings
 end
 ```
 
-Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `Conditions` validation or the `SubjectConfirmation` validations by initializing the response with different options:
+Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
 
 ```ruby
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doens't skip subject confirmation, but skips the recipient check which is a sub check of the subject_confirmation check
 ```
 
 All that's left is to wrap everything in a controller and reference it in the initialization and consumption URLs in OneLogin. A full controller example could look like this:
@@ -251,12 +252,37 @@ class SamlController < ApplicationController
   end
 end
 ```
+
+
+## Signature validation
+
+On the ruby-saml toolkit there are different ways to validate the signature of the SAMLResponse:
+- You can provide the IdP x509 public certificate at the 'idp_cert' setting.
+- You can provide the IdP x509 public certificate in fingerprint format using the 'idp_cert_fingerprint' setting parameter and additionally the 'idp_cert_fingerprint_algorithm' parameter.
+
+When validating the signature of redirect binding, the fingerprint is useless and the certficate of the IdP is required in order to execute the validation.
+You can pass the option :relax_signature_validation to SloLogoutrequest and Logoutresponse if want to avoid signature validation if no certificate of the IdP is provided.
+
+In some scenarios the IdP uses different certificates for signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.
+
+In order to handle that the toolkit offers the 'idp_cert_multi' parameter.
+When used, 'idp_cert' and 'idp_cert_fingerprint' values are ignored.
+
+That 'idp_cert_multi' must be a Hash as follows:
+{
+  :signing => [],
+  :encryption => []
+}
+
+And on 'signing' and 'encryption' arrays, add the different IdP x509 public certificates published on the IdP metadata.
+
+
 ## Metadata Based Configuration
 
 The method above requires a little extra work to manually specify attributes about the IdP.  (And your SP application)  There's an easier method -- use a metadata exchange.  Metadata is just an XML file that defines the capabilities of both the IdP and the SP application.  It also contains the X.509 public
 key certificates which add to the trusted relationship.  The IdP administrator can also configure custom settings for an SP based on the metadata.
 
-Using ```idp_metadata_parser.parse_remote``` IdP metadata will be added to the settings withouth further ado.
+Using ```idp_metadata_parser.parse_remote``` IdP metadata will be added to the settings without further ado.
 
 ```ruby
 def saml_settings
@@ -275,9 +301,35 @@ def saml_settings
 end
 ```
 The following attributes are set:
+  * idp_entity_id
+  * name_identifier_format
   * idp_sso_target_url
   * idp_slo_target_url
-  * idp_cert_fingerprint
+  * idp_attribute_names
+  * idp_cert 
+  * idp_cert_fingerprint 
+  * idp_cert_multi
+
+### Retrieve one Entity Descriptor when many exist in Metadata
+
+If the Metadata contains several entities, the relevant Entity
+Descriptor can be specified when retrieving the settings from the
+IdpMetadataParser by its Entity Id value:
+
+```ruby
+  validate_cert = true
+  settings =  idp_metadata_parser.parse_remote(
+                "https://example.com/auth/saml2/idp/metadata",
+                validate_cert,
+                entity_id: "http//example.com/target/entity"
+              )
+```
+
+### Parsing Metadata into an Hash
+
+The `OneLogin::RubySaml::IdpMetadataParser` also provides the methods `#parse_to_hash` and `#parse_remote_to_hash`.
+Those return an Hash instead of a `Settings` object, which may be useful for configuring
+[omniauth-saml](https://github.com/omniauth/omniauth-saml), for instance.
 
 ## Retrieving Attributes
 
@@ -411,9 +463,9 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```ruby
   settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
   settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
-  settings.security[:logout_responses_signed] = true     # Enable or not 
+  settings.security[:logout_responses_signed] = true     # Enable or not
   signature on Logout Response
-  settings.security[:want_assertions_signed]  = true     # Enable or not 
+  settings.security[:want_assertions_signed]  = true     # Enable or not
   the requirement of signed assertion
   settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
@@ -426,7 +478,7 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```
 
 Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding.
-Remember to provide it to the Signature builder if you are sending a `GET RelayState` parameter or the 
+Remember to provide it to the Signature builder if you are sending a `GET RelayState` parameter or the
 signature validation process will fail at the Identity Provider.
 
 The Service Provider will sign the request/responses with its private key.
@@ -453,6 +505,12 @@ The Service Provider will decrypt the EncryptedAssertion with its private key.
 
 Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and decrypt processes.
 
+
+## Key rollover
+
+If you plan to update the SP x509cert and privateKey you can define the parameter 'certificate_new' at the settings and that new SP public certificate will be published on the SP metadata so Identity Providers can read them and get ready for rollover.
+
+
 ## Single Log Out
 
 The Ruby Toolkit supports SP-initiated Single Logout and IdP-Initiated Single Logout.
@@ -507,10 +565,8 @@ def process_logout_response
     logger.error "The SAML Logout Response is invalid"
   else
     # Actually log out this session
-    if logout_response.success?
-      logger.info "Delete session for '#{session[:userid]}'"
-      delete_session
-    end
+    logger.info "Delete session for '#{session[:userid]}'"
+    delete_session
   end
 end
 
@@ -571,7 +627,7 @@ to the IdP for various good reasons.  (Caching, certificate lookups, relaying pa
 
 The class `OneLogin::RubySaml::Metadata` takes care of this by reading the Settings and returning XML.  All you have to do is add a controller to return the data, then give this URL to the IdP administrator.
 
-The metdata will be polled by the IdP every few minutes, so updating your settings should propagate
+The metadata will be polled by the IdP every few minutes, so updating your settings should propagate
 to the IdP settings.
 
 ```ruby
@@ -585,6 +641,7 @@ class SamlController < ApplicationController
 end
 ```
 
+
 ## Clock Drift
 
 Server clocks tend to drift naturally. If during validation of the response you get the error "Current time is earlier than NotBefore condition", this may be due to clock differences between your system and that of the Identity Provider.

data/changelog.md

@@ -1,9 +1,22 @@
 # RubySaml Changelog
+### 1.4.3 (May 18, 2017)
+* Added SubjectConfirmation Recipient validation
+* [#393](https://github.com/onelogin/ruby-saml/pull/393) Implement IdpMetadataParser#parse_to_hash
+* Adapt IdP XML metadata parser to take care of multiple IdP certificates and be able to inject the data obtained on the settings.
+* Improve binding detection on idp metadata parser
+* [#373](https://github.com/onelogin/ruby-saml/pull/373) Allow metadata to be retrieved from source containing data for multiple entities
+* Be able to register future SP x509cert on the settings and publish it on SP metadata
+* Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption.
+* Improve regex to detect base64 encoded messages
+* Fix binding configuration example in README.md
+* Add Fix SLO request. Correct NameQualifier/SPNameQualifier values.
+* Validate serial number as string to work around libxml2 limitation
+* Propagate isRequired on md:RequestedAttribute when generating SP metadata
 
 ### 1.4.2 (January 11, 2017)
 * Improve tests format
 * Fix nokogiri requirements based on ruby version
-* Only publish KeyDescriptor[use="encryption"] at SP metadata if security[:want_assertions_encrypted] is true
+* Only publish `KeyDescriptor[use="encryption"]` at SP metadata if `security[:want_assertions_encrypted]` is true
 * Be able to skip destination validation
 * Improved inResponse validation on SAMLResponses and LogoutResponses
 * [#354](https://github.com/onelogin/ruby-saml/pull/354) Allow scheme and domain to match ignoring case

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -22,39 +22,97 @@ module OneLogin
 
       attr_reader :document
       attr_reader :response
+      attr_reader :options
 
       # Parse the Identity Provider metadata and update the settings with the
       # IdP values
       #
-      # @param (see IdpMetadataParser#get_idp_metadata)
-      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
-      # @return (see IdpMetadataParser#get_idp_metadata)
-      # @raise (see IdpMetadataParser#get_idp_metadata)
+      # @param url [String] Url where the XML of the Identity Provider Metadata is published.
+      # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
+      #
+      # @param options [Hash] options used for parsing the metadata and the returned Settings instance
+      # @option options [OneLogin::RubySaml::Settings, Hash] :settings the OneLogin::RubySaml::Settings object which gets the parsed metadata merged into or an hash for Settings overrides.
+      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      #
+      # @return [OneLogin::RubySaml::Settings]
+      #
+      # @raise [HttpError] Failure to fetch remote IdP metadata
       def parse_remote(url, validate_cert = true, options = {})
         idp_metadata = get_idp_metadata(url, validate_cert)
         parse(idp_metadata, options)
       end
 
+      # Parse the Identity Provider metadata and return the results as Hash
+      #
+      # @param url [String] Url where the XML of the Identity Provider Metadata is published.
+      # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
+      #
+      # @param options [Hash] options used for parsing the metadata
+      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      #
+      # @return [Hash]
+      #
+      # @raise [HttpError] Failure to fetch remote IdP metadata
+      def parse_remote_to_hash(url, validate_cert = true, options = {})
+        idp_metadata = get_idp_metadata(url, validate_cert)
+        parse_to_hash(idp_metadata, options)
+      end
+
       # Parse the Identity Provider metadata and update the settings with the IdP values
-      # @param idp_metadata [String] 
-      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
       #
+      # @param idp_metadata [String]
+      #
+      # @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
+      # @option options [OneLogin::RubySaml::Settings, Hash] :settings the OneLogin::RubySaml::Settings object which gets the parsed metadata merged into or an hash for Settings overrides.
+      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      #
+      # @return [OneLogin::RubySaml::Settings]
       def parse(idp_metadata, options = {})
-        @document = REXML::Document.new(idp_metadata)
+        parsed_metadata = parse_to_hash(idp_metadata, options)
 
         settings = options[:settings]
-        if settings.nil? || settings.is_a?(Hash)
-          settings = OneLogin::RubySaml::Settings.new(settings || {})
+
+        if settings.nil?
+          OneLogin::RubySaml::Settings.new(parsed_metadata)
+        elsif settings.is_a?(Hash)
+          OneLogin::RubySaml::Settings.new(settings.merge(parsed_metadata))
+        else
+          merge_parsed_metadata_into(settings, parsed_metadata)
         end
+      end
 
-        settings.tap do |settings|
-          settings.idp_entity_id = idp_entity_id
-          settings.name_identifier_format = idp_name_id_format
-          settings.idp_sso_target_url = single_signon_service_url(options)
-          settings.idp_slo_target_url = single_logout_service_url(options)
-          settings.idp_cert = certificate_base64
-          settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
-          settings.idp_attribute_names = attribute_names
+      # Parse the Identity Provider metadata and return the results as Hash
+      #
+      # @param idp_metadata [String]
+      #
+      # @param options [Hash] options used for parsing the metadata and the returned Settings instance
+      # @option options [Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+      # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When ommitted, the first entity descriptor is used.
+      #
+      # @return [Hash]
+      def parse_to_hash(idp_metadata, options = {})
+        @document = REXML::Document.new(idp_metadata)
+        @options = options
+        @entity_descriptor = nil
+
+        {
+          :idp_entity_id => idp_entity_id,
+          :name_identifier_format => idp_name_id_format,
+          :idp_sso_target_url => single_signon_service_url(options),
+          :idp_slo_target_url => single_logout_service_url(options),
+          :idp_attribute_names => attribute_names,
+          :idp_cert => nil,
+          :idp_cert_fingerprint => nil,
+          :idp_cert_multi => nil
+        }.tap do |response_hash|
+          merge_certificates_into(response_hash) unless certificates.nil?
         end
       end
 
@@ -67,56 +125,58 @@ module OneLogin
       # @raise [HttpError] Failure to fetch remote IdP metadata
       def get_idp_metadata(url, validate_cert)
         uri = URI.parse(url)
-        if uri.scheme == "http"
-          response = Net::HTTP.get_response(uri)
-          meta_text = response.body
-        elsif uri.scheme == "https"
-          http = Net::HTTP.new(uri.host, uri.port)
+        raise ArgumentError.new("url must begin with http or https") unless /^https?/ =~ uri.scheme
+        http = Net::HTTP.new(uri.host, uri.port)
+
+        if uri.scheme == "https"
           http.use_ssl = true
           # Most IdPs will probably use self signed certs
-          if validate_cert
-            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          http.verify_mode = validate_cert ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
 
-            # Net::HTTP in Ruby 1.8 did not set the default certificate store
-            # automatically when VERIFY_PEER was specified.
-            if RUBY_VERSION < '1.9' && !http.ca_file && !http.ca_path && !http.cert_store
-              http.cert_store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-            end
-          else
-            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          # Net::HTTP in Ruby 1.8 did not set the default certificate store
+          # automatically when VERIFY_PEER was specified.
+          if RUBY_VERSION < '1.9' && !http.ca_file && !http.ca_path && !http.cert_store
+            http.cert_store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
           end
-          get = Net::HTTP::Get.new(uri.request_uri)
-          response = http.request(get)
-          meta_text = response.body
-        else
-          raise ArgumentError.new("url must begin with http or https")
         end
 
-        unless response.is_a? Net::HTTPSuccess
-          raise OneLogin::RubySaml::HttpError.new("Failed to fetch idp metadata")
-        end
+        get = Net::HTTP::Get.new(uri.request_uri)
+        response = http.request(get)
+        return response.body if response.is_a? Net::HTTPSuccess
 
-        meta_text
+        raise OneLogin::RubySaml::HttpError.new(
+          "Failed to fetch idp metadata: #{response.code}: #{response.message}"
+        )
+      end
+
+      def entity_descriptor
+        @entity_descriptor ||= REXML::XPath.first(
+          document,
+          entity_descriptor_path,
+          namespace
+        )
+      end
+
+      def entity_descriptor_path
+        path = "//md:EntityDescriptor"
+        entity_id = options[:entity_id]
+        return path unless entity_id
+        path << "[@entityID=\"#{entity_id}\"]"
       end
 
       # @return [String|nil] IdP Entity ID value if exists
       #
       def idp_entity_id
-        node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/@entityID",
-          { "md" => METADATA }
-        )
-        node.value if node
+        entity_descriptor.attributes["entityID"]
       end
 
       # @return [String|nil] IdP Name ID Format value if exists
       #
       def idp_name_id_format
         node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:NameIDFormat",
+          namespace
         )
         node.text if node
       end
@@ -126,9 +186,9 @@ module OneLogin
       #
       def single_signon_service_binding(binding_priority = nil)
         nodes = REXML::XPath.match(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Binding",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:SingleSignOnService/@Binding",
+          namespace
         )
         if binding_priority
           values = nodes.map(&:value)
@@ -142,13 +202,15 @@ module OneLogin
       # @return [String|nil] SingleSignOnService endpoint if exists
       #
       def single_signon_service_url(options = {})
-        binding = options[:sso_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
-          { "md" => METADATA }
-        )
-        node.value if node
+        binding = single_signon_service_binding(options[:sso_binding])
+        unless binding.nil?
+          node = REXML::XPath.first(
+            entity_descriptor,
+            "md:IDPSSODescriptor/md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
+            namespace
+          )
+          return node.value if node
+        end
       end
 
       # @param binding_priority [Array]
@@ -156,9 +218,9 @@ module OneLogin
       #
       def single_logout_service_binding(binding_priority = nil)
         nodes = REXML::XPath.match(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Binding",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:SingleLogoutService/@Binding",
+          namespace
         )
         if binding_priority
           values = nodes.map(&:value)
@@ -172,51 +234,60 @@ module OneLogin
       # @return [String|nil] SingleLogoutService endpoint if exists
       #
       def single_logout_service_url(options = {})
-        binding = options[:slo_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
-          { "md" => METADATA }
-        )
-        node.value if node
+        binding = single_logout_service_binding(options[:slo_binding])
+        unless binding.nil?
+          node = REXML::XPath.first(
+            entity_descriptor,
+            "md:IDPSSODescriptor/md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
+            namespace
+          )
+          return node.value if node
+        end
       end
 
       # @return [String|nil] Unformatted Certificate if exists
       #
-      def certificate_base64
-        @certificate_base64 ||= begin
-          node = REXML::XPath.first(
-              document,
-              "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-              { "md" => METADATA, "ds" => DSIG }
+      def certificates
+        @certificates ||= begin
+          signing_nodes = REXML::XPath.match(
+            entity_descriptor,
+            "md:IDPSSODescriptor/md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+            namespace
           )
 
-          unless node
-            node = REXML::XPath.first(
-                document,
-                "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-                { "md" => METADATA, "ds" => DSIG }
-            )
-          end
-          node.text if node
-        end
-      end
+          encryption_nodes = REXML::XPath.match(
+            entity_descriptor,
+            "md:IDPSSODescriptor/md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+            namespace
+          )
 
-      # @return [String|nil] X509Certificate if exists
-      #
-      def certificate
-        @certificate ||= begin
-          Base64.decode64(certificate_base64) if certificate_base64
+          certs = nil
+          unless signing_nodes.empty? && encryption_nodes.empty?
+            certs = {}
+            unless signing_nodes.empty?
+              certs['signing'] = []
+              signing_nodes.each do |cert_node|
+                certs['signing'] << cert_node.text
+              end
+            end
+
+            unless encryption_nodes.empty?
+              certs['encryption'] = []
+              encryption_nodes.each do |cert_node|
+                certs['encryption'] << cert_node.text
+              end
+            end
+          end
+          certs
         end
       end
 
-
-      # @return [String|nil] the SHA-1 fingerpint of the X509Certificate if it exists
+      # @return [String|nil] the fingerpint of the X509Certificate if it exists
       #
-      def fingerprint(fingerprint_algorithm = XMLSecurity::Document::SHA1)
+      def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1)
         @fingerprint ||= begin
           if certificate
-            cert = OpenSSL::X509::Certificate.new(certificate)
+            cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
 
             fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
             fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
@@ -228,12 +299,53 @@ module OneLogin
       #
       def attribute_names
         nodes = REXML::XPath.match(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/saml:Attribute/@Name",
-          { "md" => METADATA, "NameFormat" => NAME_FORMAT, "saml" => SAML_ASSERTION }
+          entity_descriptor,
+          "md:IDPSSODescriptor/saml:Attribute/@Name",
+          namespace
         )
         nodes.map(&:value)
       end
+
+      def namespace
+        {
+          "md" => METADATA,
+          "NameFormat" => NAME_FORMAT,
+          "saml" => SAML_ASSERTION,
+          "ds" => DSIG
+        }
+      end
+
+      def merge_certificates_into(parsed_metadata)
+        if certificates.size == 1 ||
+          ((certificates.key?("signing") && certificates["signing"].size == 1) &&
+            (certificates.key?("encryption") && certificates["encryption"].size == 1) &&
+            certificates["signing"][0] == certificates["encryption"][0])
+
+          if certificates.key?("signing")
+            parsed_metadata[:idp_cert] = certificates["signing"][0]
+            parsed_metadata[:idp_cert_fingerprint] = fingerprint(
+              parsed_metadata[:idp_cert],
+              parsed_metadata[:idp_cert_fingerprint_algorithm]
+            )
+          else
+            parsed_metadata[:idp_cert] = certificates["encryption"][0]
+            parsed_metadata[:idp_cert_fingerprint] = fingerprint(
+              parsed_metadata[:idp_cert],
+              parsed_metadata[:idp_cert_fingerprint_algorithm]
+            )
+          end
+        else
+          parsed_metadata[:idp_cert_multi] = certificates
+        end
+      end
+
+      def merge_parsed_metadata_into(settings, parsed_metadata)
+        parsed_metadata.each do |key, value|
+          settings.send("#{key}=".to_sym, value)
+        end
+
+        settings
+      end
     end
   end
 end