ruby-saml 1.4.2 → 1.4.3

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -102,7 +102,8 @@ module OneLogin
 
         nameid = root.add_element "saml:NameID"
         if settings.name_identifier_value
-          nameid.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+          nameid.attributes['NameQualifier'] = settings.idp_name_qualifier if settings.idp_name_qualifier
+          nameid.attributes['SPNameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
           nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
           nameid.text = settings.name_identifier_value
         else

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -27,6 +27,8 @@ module OneLogin
       # @param options   [Hash] Extra parameters. 
       #                    :matches_request_id It will validate that the logout response matches the ID of the request.
       #                    :get_params GET Parameters, including the SAMLResponse
+      #                    :relax_signature_validation to accept signatures if no idp certificate registered on settings
+      #
       # @raise [ArgumentError] if response is nil
       #
       def initialize(response, settings = nil, options = {})
@@ -208,8 +210,14 @@ module OneLogin
         return true unless !options.nil?
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
-        return true if settings.nil? || settings.get_idp_cert.nil?
-        
+
+        idp_cert = settings.get_idp_cert
+        idp_certs = settings.get_idp_cert_multi
+
+        if idp_cert.nil? && (idp_certs.nil? || idp_certs[:signing].empty?)
+          return options.has_key? :relax_signature_validation
+        end
+
         query_string = OneLogin::RubySaml::Utils.build_query(
           :type        => 'SAMLResponse',
           :data        => options[:get_params]['SAMLResponse'],
@@ -217,12 +225,27 @@ module OneLogin
           :sig_alg     => options[:get_params]['SigAlg']
         )
 
-        valid = OneLogin::RubySaml::Utils.verify_signature(
-          :cert         => settings.get_idp_cert,
-          :sig_alg      => options[:get_params]['SigAlg'],
-          :signature    => options[:get_params]['Signature'],
-          :query_string => query_string
-        )
+        if idp_certs.nil? || idp_certs[:signing].empty?
+          valid = OneLogin::RubySaml::Utils.verify_signature(
+            :cert         => settings.get_idp_cert,
+            :sig_alg      => options[:get_params]['SigAlg'],
+            :signature    => options[:get_params]['Signature'],
+            :query_string => query_string
+          )
+        else
+          valid = false
+          idp_certs[:signing].each do |idp_cert|
+            valid = OneLogin::RubySaml::Utils.verify_signature(
+              :cert         => idp_cert,
+              :sig_alg      => options[:get_params]['SigAlg'],
+              :signature    => options[:get_params]['Signature'],
+              :query_string => query_string
+            )
+            if valid
+              break
+            end
+          end
+        end
 
         unless valid
           error_msg = "Invalid Signature on Logout Response"

data/lib/onelogin/ruby-saml/metadata.rb

@@ -33,21 +33,26 @@ module OneLogin
         }
 
         # Add KeyDescriptor if messages will be signed / encrypted
+        # with SP certificate, and new SP certificate if any
         cert = settings.get_sp_cert
-        if cert
-          cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
-          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
-          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-          xd = ki.add_element "ds:X509Data"
-          xc = xd.add_element "ds:X509Certificate"
-          xc.text = cert_text
+        cert_new = settings.get_sp_cert_new
 
-          if settings.security[:want_assertions_encrypted]
-            kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
-            ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
-            xd2 = ki2.add_element "ds:X509Data"
-            xc2 = xd2.add_element "ds:X509Certificate"
-            xc2.text = cert_text
+        for sp_cert in [cert, cert_new]
+          if sp_cert
+            cert_text = Base64.encode64(sp_cert.to_der).gsub("\n", '')
+            kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+            ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+            xd = ki.add_element "ds:X509Data"
+            xc = xd.add_element "ds:X509Certificate"
+            xc.text = cert_text
+
+            if settings.security[:want_assertions_encrypted]
+              kd2 = sp_sso.add_element "md:KeyDescriptor", { "use" => "encryption" }
+              ki2 = kd2.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+              xd2 = ki2.add_element "ds:X509Data"
+              xc2 = xd2.add_element "ds:X509Certificate"
+              xc2.text = cert_text
+            end
           end
         end
 
@@ -88,7 +93,8 @@ module OneLogin
             sp_req_attr = sp_acs.add_element "md:RequestedAttribute", {
               "NameFormat" => attribute[:name_format],
               "Name" => attribute[:name], 
-              "FriendlyName" => attribute[:friendly_name]
+              "FriendlyName" => attribute[:friendly_name],
+              "isRequired" => attribute[:is_required] || false
             }
             unless attribute[:attribute_value].nil?
               Array(attribute[:attribute_value]).each do |value|

data/lib/onelogin/ruby-saml/response.rb

@@ -32,7 +32,7 @@ module OneLogin
 
       # Constructs the SAML Response. A Response Object that is an extension of the SamlMessage class.
       # @param response [String] A UUEncoded SAML response from the IdP.
-      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object 
+      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object
       #                          Or some options for the response validation process like skip the conditions validation
       #                          with the :skip_conditions, or allow a clock_drift when checking dates with :allowed_clock_drift
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
@@ -41,6 +41,7 @@ module OneLogin
         raise ArgumentError.new("Response cannot be nil") if response.nil?
 
         @errors = []
+
         @options = options
         @soft = true
         unless options[:settings].nil?
@@ -189,7 +190,7 @@ module OneLogin
 
       # Checks if the Status has the "Success" code
       # @return [Boolean] True if the StatusCode is Sucess
-      # 
+      #
       def success?
         status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
       end
@@ -376,7 +377,7 @@ module OneLogin
       #
       def validate_success_status
         return true if success?
-          
+
         error_msg = 'The status code of the Response was not Success'
         status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
         append_error(status_error_msg)
@@ -384,7 +385,7 @@ module OneLogin
 
       # Validates the SAML Response against the specified schema.
       # @return [Boolean] True if the XML is valid, otherwise False if soft=True
-      # @raise [ValidationError] if soft == false and validation fails 
+      # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
         structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
@@ -417,7 +418,7 @@ module OneLogin
         true
       end
 
-      # Validates that the SAML Response contains an ID 
+      # Validates that the SAML Response contains an ID
       # If fails, the error is added to the errors array.
       # @return [Boolean] True if the SAML Response contains an ID, otherwise returns False
       #
@@ -706,8 +707,9 @@ module OneLogin
       end
 
       # Validates if exists valid SubjectConfirmation (If the response was initialized with the :allowed_clock_drift option,
-      # timimg validation are relaxed by the allowed_clock_drift value. If the response was initialized with the 
+      # timimg validation are relaxed by the allowed_clock_drift value. If the response was initialized with the
       # :skip_subject_confirmation option, this validation is skipped)
+      # There is also an optional Recipient check
       # If fails, the error is added to the errors array
       # @return [Boolean] True if exists a valid SubjectConfirmation, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
@@ -717,7 +719,7 @@ module OneLogin
         valid_subject_confirmation = false
 
         subject_confirmation_nodes = xpath_from_signed_assertion('/a:Subject/a:SubjectConfirmation')
-        
+
         now = Time.now.utc
         subject_confirmation_nodes.each do |subject_confirmation|
           if subject_confirmation.attributes.include? "Method" and subject_confirmation.attributes['Method'] != 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
@@ -735,8 +737,9 @@ module OneLogin
           attrs = confirmation_data_node.attributes
           next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
                   (attrs.include? "NotOnOrAfter" and (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift) <= now) ||
-                  (attrs.include? "NotBefore" and parse_time(confirmation_data_node, "NotBefore") > (now + allowed_clock_drift))
-          
+                  (attrs.include? "NotBefore" and parse_time(confirmation_data_node, "NotBefore") > (now + allowed_clock_drift)) ||
+                  (attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.assertion_consumer_service_url)
+
           valid_subject_confirmation = true
           break
         end
@@ -803,13 +806,27 @@ module OneLogin
           return append_error(error_msg)
         end
 
-        opts = {}
-        opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
-        opts[:cert] = settings.get_idp_cert
-        fingerprint = settings.get_fingerprint
+        idp_certs = settings.get_idp_cert_multi
+        if idp_certs.nil? || idp_certs[:signing].empty?
+          opts = {}
+          opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
+          opts[:cert] = settings.get_idp_cert
+          fingerprint = settings.get_fingerprint
 
-        unless fingerprint && doc.validate_document(fingerprint, @soft, opts)          
-          return append_error(error_msg)
+          unless fingerprint && doc.validate_document(fingerprint, @soft, opts)          
+            return append_error(error_msg)
+          end
+        else
+          valid = false
+          idp_certs[:signing].each do |idp_cert|
+            valid = doc.validate_document_with_cert(idp_cert)
+            if valid
+              break
+            end
+          end
+          unless valid
+            return append_error(error_msg)
+          end
         end
 
         true

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -19,8 +19,7 @@ module OneLogin
       ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
 
-      BASE64_FORMAT = %r(\A[A-Za-z0-9+/]{4}*[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=?\Z)
-
+      BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
       @@mutex = Mutex.new
 
       # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema

data/lib/onelogin/ruby-saml/settings.rb

@@ -28,7 +28,9 @@ module OneLogin
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert_fingerprint_algorithm
+      attr_accessor :idp_cert_multi
       attr_accessor :idp_attribute_names
+      attr_accessor :idp_name_qualifier
       # SP Data
       attr_accessor :issuer
       attr_accessor :assertion_consumer_service_url
@@ -45,6 +47,7 @@ module OneLogin
       attr_accessor :attributes_index
       attr_accessor :force_authn
       attr_accessor :certificate
+      attr_accessor :certificate_new
       attr_accessor :private_key
       attr_accessor :authn_context
       attr_accessor :authn_context_comparison
@@ -93,7 +96,7 @@ module OneLogin
       end
 
       # Setter for Single Logout Service Binding.
-      # 
+      #
       # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
       # @param url [String]
       #
@@ -123,6 +126,32 @@ module OneLogin
         OpenSSL::X509::Certificate.new(formatted_cert)
       end
 
+      # @return [Hash with 2 arrays of OpenSSL::X509::Certificate] Build multiple IdP certificates from the settings.
+      #
+      def get_idp_cert_multi
+        return nil if idp_cert_multi.nil? || idp_cert_multi.empty?
+
+        raise ArgumentError.new("Invalid value for idp_cert_multi") if not idp_cert_multi.is_a?(Hash)
+
+        certs = {:signing => [], :encryption => [] }
+
+        if idp_cert_multi.key?(:signing) and not idp_cert_multi[:signing].empty?
+          idp_cert_multi[:signing].each do |idp_cert|
+            formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
+            certs[:signing].push(OpenSSL::X509::Certificate.new(formatted_cert))
+          end
+        end
+
+        if idp_cert_multi.key?(:encryption) and not idp_cert_multi[:encryption].empty?
+          idp_cert_multi[:encryption].each do |idp_cert|
+            formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
+            certs[:encryption].push(OpenSSL::X509::Certificate.new(formatted_cert))
+          end
+        end
+
+        certs
+      end
+
       # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
       #
       def get_sp_cert
@@ -132,6 +161,15 @@ module OneLogin
         OpenSSL::X509::Certificate.new(formatted_cert)
       end
 
+      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert_new
+        return nil if certificate_new.nil? || certificate_new.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
       # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
       #
       def get_sp_key

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -26,6 +26,7 @@ module OneLogin
       # @param request [String] A UUEncoded Logout Request from the IdP.
       # @param options [Hash]  :settings to provide the OneLogin::RubySaml::Settings object 
       #                        Or :allowed_clock_drift for the logout request validation process to allow a clock drift when checking dates with
+      #                        Or :relax_signature_validation to accept signatures if no idp certificate registered on settings 
       #
       # @raise [ArgumentError] If Request is nil
       #
@@ -227,7 +228,13 @@ module OneLogin
         return true if options.nil?
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
-        return true if settings.get_idp_cert.nil?
+
+        idp_cert = settings.get_idp_cert
+        idp_certs = settings.get_idp_cert_multi
+
+        if idp_cert.nil? && (idp_certs.nil? || idp_certs[:signing].empty?)
+          return options.has_key? :relax_signature_validation
+        end
 
         query_string = OneLogin::RubySaml::Utils.build_query(
           :type        => 'SAMLRequest',
@@ -236,12 +243,27 @@ module OneLogin
           :sig_alg     => options[:get_params]['SigAlg']
         )
 
-        valid = OneLogin::RubySaml::Utils.verify_signature(
-          :cert         => settings.get_idp_cert,
-          :sig_alg      => options[:get_params]['SigAlg'],
-          :signature    => options[:get_params]['Signature'],
-          :query_string => query_string
-        )
+        if idp_certs.nil? || idp_certs[:signing].empty?
+          valid = OneLogin::RubySaml::Utils.verify_signature(
+            :cert         => settings.get_idp_cert,
+            :sig_alg      => options[:get_params]['SigAlg'],
+            :signature    => options[:get_params]['Signature'],
+            :query_string => query_string
+          )
+        else
+          valid = false
+          idp_certs[:signing].each do |idp_cert|
+            valid = OneLogin::RubySaml::Utils.verify_signature(
+              :cert         => idp_cert,
+              :sig_alg      => options[:get_params]['SigAlg'],
+              :signature    => options[:get_params]['Signature'],
+              :query_string => query_string
+            )
+            if valid
+              break
+            end
+          end
+        end
 
         unless valid
           return append_error("Invalid Signature on Logout Request")

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.4.2'
+    VERSION = '1.4.3'
   end
 end

data/lib/schemas/xmldsig-core-schema.xsd

@@ -188,7 +188,7 @@
 <complexType name="X509IssuerSerialType"> 
   <sequence> 
     <element name="X509IssuerName" type="string"/> 
-    <element name="X509SerialNumber" type="integer"/> 
+    <element name="X509SerialNumber" type="string"/>
   </sequence>
 </complexType>
 

data/lib/xml_security.rb

@@ -240,6 +240,31 @@ module XMLSecurity
       validate_signature(base64_cert, soft)
     end
 
+    def validate_document_with_cert(idp_cert)
+      # get cert from response
+      cert_element = REXML::XPath.first(
+        self,
+        "//ds:X509Certificate",
+        { "ds"=>DSIG }
+      )
+
+      if cert_element
+        base64_cert = cert_element.text
+        cert_text = Base64.decode64(base64_cert)
+        begin
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+        rescue OpenSSL::X509::CertificateError => e
+          return append_error("Certificate Error", soft)
+        end
+
+        # check saml response cert matches provided idp cert
+        if idp_cert.to_pem != cert.to_pem
+          return false
+      end
+        validate_signature(base64_cert, true)
+      end
+    end
+
     def validate_signature(base64_cert, soft = true)
 
       document = Nokogiri::XML(self.to_s) do |config|

data/test/certificates/ruby-saml-2.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVDCCAb2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBHMQswCQYDVQQGEwJ1czEQ
+MA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIGA1UEAwwLZXhh
+bXBsZS5jb20wHhcNMTcwNDA3MDgzMDAzWhcNMjcwNDA1MDgzMDAzWjBHMQswCQYD
+VQQGEwJ1czEQMA4GA1UECAwHZXhhbXBsZTEQMA4GA1UECgwHZXhhbXBsZTEUMBIG
+A1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKhP
+S4/0azxbQekHHewQGKD7Pivr3CDpsrKxY3xlVanxj427OwzOb5KUVzsDEazumt6s
+ZFY8HfidsjXY4EYA4ZzyL7ciIAR5vlAsIYN9nJ4AwVDnN/RjVwj+TN6BqWPLpVIp
+Hc6Dl005HyE0zJnk1DZDn2tQVrIzbD3FhCp7YeotAgMBAAGjUDBOMB0GA1UdDgQW
+BBRYZx4thASfNvR/E7NsCF2IaZ7wIDAfBgNVHSMEGDAWgBRYZx4thASfNvR/E7Ns
+CF2IaZ7wIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBACz4aobx9aG3
+kh+rNyrlgM3K6dYfnKG1/YH5sJCAOvg8kDr0fQAQifH8lFVWumKUMoAe0bFTfwWt
+p/VJ8MprrEJth6PFeZdczpuv+fpLcNj2VmNVJqvQYvS4m36OnBFh1QFZW8UrbFIf
+dtm2nuZ+twSKqfKwjLdqcoX0p39h7Uw/
+-----END CERTIFICATE-----

data/test/idp_metadata_parser_test.rb

@@ -21,27 +21,26 @@ class IdpMetadataParserTest < Minitest::Test
     it "extract settings details from xml" do
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
 
-      settings = idp_metadata_parser.parse(idp_metadata)
+      settings = idp_metadata_parser.parse(idp_metadata_descriptor)
 
-      assert_equal "https://example.hello.com/access/saml/idp.xml", settings.idp_entity_id
-      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "https://hello.example.com/access/saml/idp.xml", settings.idp_entity_id
+      assert_equal "https://hello.example.com/access/saml/login", settings.idp_sso_target_url
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
-      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal "https://hello.example.com/access/saml/logout", settings.idp_slo_target_url
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
       assert_equal ["AuthToken", "SSOStartPage"], settings.idp_attribute_names
-      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
     end
 
     it "extract certificate from md:KeyDescriptor[@use='signing']" do
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
-      idp_metadata = read_response("idp_descriptor.xml")
+      idp_metadata = idp_metadata_descriptor
       settings = idp_metadata_parser.parse(idp_metadata)
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
     end
 
     it "extract certificate from md:KeyDescriptor[@use='encryption']" do
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
-      idp_metadata = read_response("idp_descriptor.xml")
+      idp_metadata = idp_metadata_descriptor
       idp_metadata = idp_metadata.sub(/<md:KeyDescriptor use="signing">(.*?)<\/md:KeyDescriptor>/m, "")
       settings = idp_metadata_parser.parse(idp_metadata)
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
@@ -49,16 +48,40 @@ class IdpMetadataParserTest < Minitest::Test
 
     it "extract certificate from md:KeyDescriptor" do
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
-      idp_metadata = read_response("idp_descriptor.xml")
+      idp_metadata = idp_metadata_descriptor
       idp_metadata = idp_metadata.sub(/<md:KeyDescriptor use="signing">(.*?)<\/md:KeyDescriptor>/m, "")
       idp_metadata = idp_metadata.sub('<md:KeyDescriptor use="encryption">', '<md:KeyDescriptor>')
       settings = idp_metadata_parser.parse(idp_metadata)
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
     end
 
+    it "extract SSO endpoint with no specific binding, it takes the first" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor3
+      settings = idp_metadata_parser.parse(idp_metadata)
+      assert_equal "https://idp.example.com/idp/profile/Shibboleth/SSO", settings.idp_sso_target_url
+    end
+
+    it "extract SSO endpoint with specific binding" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor3
+      options = {}
+      options[:sso_binding] = ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+      settings = idp_metadata_parser.parse(idp_metadata, options)
+      assert_equal "https://idp.example.com/idp/profile/SAML2/POST/SSO", settings.idp_sso_target_url
+
+      options[:sso_binding] = ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+      settings = idp_metadata_parser.parse(idp_metadata, options)
+      assert_equal "https://idp.example.com/idp/profile/SAML2/Redirect/SSO", settings.idp_sso_target_url
+
+      options[:sso_binding] = ['invalid_binding', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+      settings = idp_metadata_parser.parse(idp_metadata, options)
+      assert_equal "https://idp.example.com/idp/profile/SAML2/Redirect/SSO", settings.idp_sso_target_url      
+    end
+
     it "uses settings options as hash for overrides" do
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
-      idp_metadata = read_response("idp_descriptor.xml")
+      idp_metadata = idp_metadata_descriptor
       settings = idp_metadata_parser.parse(idp_metadata, {
         :settings => {
           :security => {
@@ -72,12 +95,124 @@ class IdpMetadataParserTest < Minitest::Test
       assert_equal XMLSecurity::Document::RSA_SHA256, settings.security[:signature_method]
     end
 
+    it "merges results into given settings object" do
+      settings = OneLogin::RubySaml::Settings.new(:security => {
+        :digest_method => XMLSecurity::Document::SHA256,
+        :signature_method => XMLSecurity::Document::RSA_SHA256
+      })
+
+      OneLogin::RubySaml::IdpMetadataParser.new.parse(idp_metadata_descriptor, :settings => settings)
+
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+      assert_equal XMLSecurity::Document::SHA256, settings.security[:digest_method]
+      assert_equal XMLSecurity::Document::RSA_SHA256, settings.security[:signature_method]
+    end
+  end
+
+  describe "parsing an IdP descriptor file into an Hash" do
+    it "extract settings details from xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+
+      metadata = idp_metadata_parser.parse_to_hash(idp_metadata_descriptor)
+
+      assert_equal "https://hello.example.com/access/saml/idp.xml", metadata[:idp_entity_id]
+      assert_equal "https://hello.example.com/access/saml/login", metadata[:idp_sso_target_url]
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", metadata[:idp_cert_fingerprint]
+      assert_equal "https://hello.example.com/access/saml/logout", metadata[:idp_slo_target_url]
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", metadata[:name_identifier_format]
+      assert_equal ["AuthToken", "SSOStartPage"], metadata[:idp_attribute_names]
+    end
+
+    it "extract certificate from md:KeyDescriptor[@use='signing']" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor
+      metadata = idp_metadata_parser.parse_to_hash(idp_metadata)
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", metadata[:idp_cert_fingerprint]
+    end
+
+    it "extract certificate from md:KeyDescriptor[@use='encryption']" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor
+      idp_metadata = idp_metadata.sub(/<md:KeyDescriptor use="signing">(.*?)<\/md:KeyDescriptor>/m, "")
+      parsed_metadata = idp_metadata_parser.parse_to_hash(idp_metadata)
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", parsed_metadata[:idp_cert_fingerprint]
+    end
+
+    it "extract certificate from md:KeyDescriptor" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor
+      idp_metadata = idp_metadata.sub(/<md:KeyDescriptor use="signing">(.*?)<\/md:KeyDescriptor>/m, "")
+      idp_metadata = idp_metadata.sub('<md:KeyDescriptor use="encryption">', '<md:KeyDescriptor>')
+      parsed_metadata = idp_metadata_parser.parse_to_hash(idp_metadata)
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", parsed_metadata[:idp_cert_fingerprint]
+    end
+
+    it "extract SSO endpoint with no specific binding, it takes the first" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor3
+      metadata = idp_metadata_parser.parse_to_hash(idp_metadata)
+      assert_equal "https://idp.example.com/idp/profile/Shibboleth/SSO", metadata[:idp_sso_target_url]
+    end
+
+    it "extract SSO endpoint with specific binding" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor3
+      options = {}
+      options[:sso_binding] = ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+      parsed_metadata = idp_metadata_parser.parse_to_hash(idp_metadata, options)
+      assert_equal "https://idp.example.com/idp/profile/SAML2/POST/SSO", parsed_metadata[:idp_sso_target_url]
+
+      options[:sso_binding] = ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+      parsed_metadata = idp_metadata_parser.parse_to_hash(idp_metadata, options)
+      assert_equal "https://idp.example.com/idp/profile/SAML2/Redirect/SSO", parsed_metadata[:idp_sso_target_url]
+
+      options[:sso_binding] = ['invalid_binding', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+      parsed_metadata = idp_metadata_parser.parse_to_hash(idp_metadata, options)
+      assert_equal "https://idp.example.com/idp/profile/SAML2/Redirect/SSO", parsed_metadata[:idp_sso_target_url]
+    end
+
+    it "ignores a given :settings hash" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = idp_metadata_descriptor
+      parsed_metadata = idp_metadata_parser.parse_to_hash(idp_metadata, {
+        :settings => {
+          :security => {
+            :digest_method => XMLSecurity::Document::SHA256,
+            :signature_method => XMLSecurity::Document::RSA_SHA256
+          }
+        }
+      })
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", parsed_metadata[:idp_cert_fingerprint]
+      assert_nil parsed_metadata[:security]
+    end
+  end
+
+  describe "parsing an IdP descriptor file with multiple signing certs" do
+    it "extract settings details from xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+
+      settings = idp_metadata_parser.parse(idp_metadata_descriptor2)
+
+      assert_equal "https://hello.example.com/access/saml/idp.xml", settings.idp_entity_id
+      assert_equal "https://hello.example.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "https://hello.example.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
+      assert_equal ["AuthToken", "SSOStartPage"], settings.idp_attribute_names
+
+      assert_nil settings.idp_cert_fingerprint
+      assert_nil settings.idp_cert
+      assert_equal 2, settings.idp_cert_multi.size
+      assert settings.idp_cert_multi.key?("signing")
+      assert_equal 2, settings.idp_cert_multi["signing"].size
+      assert settings.idp_cert_multi.key?("encryption")
+      assert_equal 1, settings.idp_cert_multi["encryption"].size
+    end
   end
 
   describe "download and parse IdP descriptor file" do
     before do
       mock_response = MockSuccessResponse.new
-      mock_response.body = idp_metadata
+      mock_response.body = idp_metadata_descriptor
       @url = "https://example.com"
       uri = URI(@url)
 
@@ -90,10 +225,10 @@ class IdpMetadataParserTest < Minitest::Test
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
       settings = idp_metadata_parser.parse_remote(@url)
 
-      assert_equal "https://example.hello.com/access/saml/idp.xml", settings.idp_entity_id
-      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "https://hello.example.com/access/saml/idp.xml", settings.idp_entity_id
+      assert_equal "https://hello.example.com/access/saml/login", settings.idp_sso_target_url
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
-      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal "https://hello.example.com/access/saml/logout", settings.idp_slo_target_url
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
       assert_equal ["AuthToken", "SSOStartPage"], settings.idp_attribute_names
       assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
@@ -107,6 +242,39 @@ class IdpMetadataParserTest < Minitest::Test
     end
   end
 
+  describe "download and parse IdP descriptor file into an Hash" do
+    before do
+      mock_response = MockSuccessResponse.new
+      mock_response.body = idp_metadata_descriptor
+      @url = "https://example.com"
+      uri = URI(@url)
+
+      @http = Net::HTTP.new(uri.host, uri.port)
+      Net::HTTP.expects(:new).returns(@http)
+      @http.expects(:request).returns(mock_response)
+    end
+
+    it "extract settings from remote xml" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      parsed_metadata = idp_metadata_parser.parse_remote_to_hash(@url)
+
+      assert_equal "https://hello.example.com/access/saml/idp.xml", parsed_metadata[:idp_entity_id]
+      assert_equal "https://hello.example.com/access/saml/login", parsed_metadata[:idp_sso_target_url]
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", parsed_metadata[:idp_cert_fingerprint]
+      assert_equal "https://hello.example.com/access/saml/logout", parsed_metadata[:idp_slo_target_url]
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", parsed_metadata[:name_identifier_format]
+      assert_equal ["AuthToken", "SSOStartPage"], parsed_metadata[:idp_attribute_names]
+      assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
+    end
+
+    it "accept self signed certificate if insturcted" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata_parser.parse_remote_to_hash(@url, false)
+
+      assert_equal OpenSSL::SSL::VERIFY_NONE, @http.verify_mode
+    end
+  end
+
   describe "download failure cases" do
     it "raises an exception when the url has no scheme" do
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
@@ -130,10 +298,38 @@ class IdpMetadataParserTest < Minitest::Test
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
 
       exception = assert_raises(OneLogin::RubySaml::HttpError) do
-        idp_metadata_parser.parse_remote("https://example.hello.com/access/saml/idp.xml")
+        idp_metadata_parser.parse_remote("https://hello.example.com/access/saml/idp.xml")
       end
 
-      assert_equal("Failed to fetch idp metadata", exception.message)
+      assert_match("Failed to fetch idp metadata", exception.message)
+    end
+  end
+
+  describe "parsing metadata with many entity descriptors" do
+    before do
+      @idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      @idp_metadata = idp_metadata_multiple_descriptors
+      @settings = @idp_metadata_parser.parse(@idp_metadata)
+    end
+
+    it "should find first descriptor" do
+      assert_equal "https://foo.example.com/access/saml/idp.xml", @settings.idp_entity_id
+    end
+
+    it "should find named descriptor" do
+      entity_id = "https://bar.example.com/access/saml/idp.xml"
+      settings = @idp_metadata_parser.parse(
+        @idp_metadata, :entity_id => entity_id
+      )
+      assert_equal entity_id, settings.idp_entity_id
+    end
+
+    it "should retreive data" do
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", @settings.name_identifier_format
+      assert_equal "https://hello.example.com/access/saml/login", @settings.idp_sso_target_url
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", @settings.idp_cert_fingerprint
+      assert_equal "https://hello.example.com/access/saml/logout", @settings.idp_slo_target_url
+      assert_equal ["AuthToken", "SSOStartPage"], @settings.idp_attribute_names
     end
   end
 end