ruby-saml 1.4.3 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 455ea502cffeb8d8b1c0bc673de3495e0e1b070a
-  data.tar.gz: f5327bfb4d61922b77444f397a8347910a6bab33
+  metadata.gz: d6958524060034d6eaaf5c0f968711ecdc45e2bd
+  data.tar.gz: f1714aa26982ce596b8e07f2e20a8637611d7523
 SHA512:
-  metadata.gz: a3842b07e3f0da562c0302a7a399f63901bbe0a7ae88a68f60dce296fc0d7a9eebed08544db2cfcea2857a76dfed58cc158d6dacba10671135a804d899d8edad
-  data.tar.gz: 0ce3cc58921b2d384983cca9a29a75890e39a25e0b62da97e27f3a4c32baabf15b338ff9cd83b5aeb8d980ff69f10f094b72afab8a047c917ac775b7f4a1b896
+  metadata.gz: 1cb2ee3fefaec17210a0087dbadc68698b4fa9969d20c81512c9d1904bf941a59179a73b2d46ed52c38867f0c201b82e9f8cdd0f50b114103b7fe72cfcbb7bdc
+  data.tar.gz: ed45f61f08919d846edb627699ed1679f5d7e8c1c5136a4703d3c9129bc7259e9f761a1a8fc12bb439bd5e96128069c5c0b3b9115e1f8d38e55a874523793cec

data/README.md

@@ -1,5 +1,13 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.4.2 to 1.4.3
+
+Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
+The 'Recipient' value is compared with the settings.assertion_consumer_service_url
+value.
+If you want to skip that validation, add the :skip_recipient_check option to the
+initialize method of the Response object.
+
 ## Updating from 1.3.x to 1.4.X
 
 Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.
@@ -169,7 +177,6 @@ def saml_settings
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
   settings.issuer                         = "http://#{request.host}/saml/metadata"
-  settings.idp_sso_target_url             = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
   settings.idp_entity_id                  = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
   settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
   settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"

data/changelog.md

@@ -1,4 +1,13 @@
 # RubySaml Changelog
+### 1.5.0 (August 31, 2017)
+* [#400](https://github.com/onelogin/ruby-saml/pull/400) When validating Signature use stored IdP certficate if Signature contains no info about Certificate
+* [#402](https://github.com/onelogin/ruby-saml/pull/402)  Fix validate_response_state method that rejected SAMLResponses when using idp_cert_multi and idp_cert and idp_cert_fingerprint were not provided.
+* [#411](https://github.com/onelogin/ruby-saml/pull/411) Allow space in Base64 string
+* [#407](https://github.com/onelogin/ruby-saml/issues/407) Improve IdpMetadataParser raising an ArgumentError when parser method receive a metadata string with no IDPSSODescriptor element.
+* [#374](https://github.com/onelogin/ruby-saml/issues/374) Support more than one level of StatusCode
+* [#405](https://github.com/onelogin/ruby-saml/pull/405) Support ADFS encrypted key (Accept KeyInfo nodes with no ds namespace)
+
+
 ### 1.4.3 (May 18, 2017)
 * Added SubjectConfirmation Recipient validation
 * [#393](https://github.com/onelogin/ruby-saml/pull/393) Implement IdpMetadataParser#parse_to_hash

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -102,6 +102,10 @@ module OneLogin
         @options = options
         @entity_descriptor = nil
 
+        if idpsso_descriptor.nil?
+          raise ArgumentError.new("idp_metadata may contain an IDPSSODescriptor element")
+        end
+
         {
           :idp_entity_id => idp_entity_id,
           :name_identifier_format => idp_name_id_format,
@@ -164,6 +168,16 @@ module OneLogin
         path << "[@entityID=\"#{entity_id}\"]"
       end
 
+      def idpsso_descriptor
+        unless entity_descriptor.nil?
+          return REXML::XPath.first(
+            entity_descriptor,
+            "md:IDPSSODescriptor",
+            namespace
+          )
+        end
+      end 
+
       # @return [String|nil] IdP Entity ID value if exists
       #
       def idp_entity_id
@@ -335,7 +349,8 @@ module OneLogin
             )
           end
         else
-          parsed_metadata[:idp_cert_multi] = certificates
+          # symbolize keys of certificates and pass it on
+          parsed_metadata[:idp_cert_multi] = Hash[certificates.map { |k, v| [k.to_sym, v] }]
         end
       end
 

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -168,7 +168,7 @@ module OneLogin
 
         return append_error("No issuer in settings of the logout response") if settings.issuer.nil?
 
-        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
           return append_error("No fingerprint or certificate on settings of the logout response")
         end
 

data/lib/onelogin/ruby-saml/response.rb

@@ -37,6 +37,7 @@ module OneLogin
       #                          with the :skip_conditions, or allow a clock_drift when checking dates with :allowed_clock_drift
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
       #                          or skip the subject confirmation validation with the :skip_subject_confirmation option
+      #                          or skip the recipient validation of the subject confirmation element with :skip_recipient_check option
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
 
@@ -206,7 +207,23 @@ module OneLogin
           )
           if nodes.size == 1
             node = nodes[0]
-            node.attributes["Value"] if node && node.attributes
+            code = node.attributes["Value"] if node && node.attributes
+
+            unless code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+              nodes = REXML::XPath.match(
+                document,
+                "/p:Response/p:Status/p:StatusCode/p:StatusCode",
+                { "p" => PROTOCOL }
+              )
+              statuses = nodes.collect do |node|
+                node.attributes["Value"]
+              end
+              extra_code = statuses.join(" | ")
+              if extra_code
+                code = "#{code} | #{extra_code}"
+              end
+            end
+            code
           end
         end
       end
@@ -411,7 +428,7 @@ module OneLogin
 
         return append_error("No settings on response") if settings.nil?
 
-        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
           return append_error("No fingerprint or certificate on settings")
         end
 
@@ -650,13 +667,13 @@ module OneLogin
 
         now = Time.now.utc
 
-        if not_before && (now + allowed_clock_drift) < not_before
-          error_msg = "Current time is earlier than NotBefore condition #{(now + allowed_clock_drift)} < #{not_before})"
+        if not_before && (now_with_drift = now + allowed_clock_drift) < not_before
+          error_msg = "Current time is earlier than NotBefore condition (#{now_with_drift} < #{not_before})"
           return append_error(error_msg)
         end
 
-        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
-          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after + allowed_clock_drift})"
+        if not_on_or_after && now >= (not_on_or_after_with_drift = not_on_or_after + allowed_clock_drift)
+          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after_with_drift})"
           return append_error(error_msg)
         end
 
@@ -813,7 +830,7 @@ module OneLogin
           opts[:cert] = settings.get_idp_cert
           fingerprint = settings.get_fingerprint
 
-          unless fingerprint && doc.validate_document(fingerprint, @soft, opts)          
+          unless fingerprint && doc.validate_document(fingerprint, @soft, opts)
             return append_error(error_msg)
           end
         else

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -129,7 +129,7 @@ module OneLogin
       # @return [true, false] whether or not the string is base64 encoded
       #
       def base64_encoded?(string)
-        !!string.gsub(/[\r\n]|\\r|\\n/, "").match(BASE64_FORMAT)
+        !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
       end
 
       # Inflate method

data/lib/onelogin/ruby-saml/utils.rb

@@ -87,7 +87,15 @@ module OneLogin
       # @return [String] The status error message
       def self.status_error_msg(error_msg, status_code = nil, status_message = nil)
         unless status_code.nil?
-          printable_code = status_code.split(':').last
+          if status_code.include? "|"
+            status_codes = status_code.split(' | ')
+            values = status_codes.collect do |status_code|
+              status_code.split(':').last
+            end
+            printable_code = values.join(" => ")
+          else
+            printable_code = status_code.split(':').last
+          end
           error_msg << ', was ' + printable_code
         end
 
@@ -131,23 +139,25 @@ module OneLogin
       def self.retrieve_symmetric_key(encrypt_data, private_key)
         encrypted_key = REXML::XPath.first(
           encrypt_data,
-          "./ds:KeyInfo/xenc:EncryptedKey or \
-           //xenc:EncryptedKey[@Id=$id]",
+          "./ds:KeyInfo/xenc:EncryptedKey | ./KeyInfo/xenc:EncryptedKey | //xenc:EncryptedKey[@Id=$id]",
           { "ds" => DSIG, "xenc" => XENC },
-          { "id" =>  self.retrieve_symetric_key_reference(encrypt_data) }
+          { "id" => self.retrieve_symetric_key_reference(encrypt_data) }
         )
 
         encrypted_symmetric_key_element = REXML::XPath.first(
           encrypted_key,
           "./xenc:CipherData/xenc:CipherValue",
-          { "ds" => DSIG, "xenc" => XENC }
+          "xenc" => XENC
         )
+
         cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
+
         encrypt_method = REXML::XPath.first(
           encrypted_key,
           "./xenc:EncryptionMethod",
-          {"ds" => DSIG,  "xenc" => XENC }
+          "xenc" => XENC
         )
+
         algorithm = encrypt_method.attributes['Algorithm']
         retrieve_plaintext(cipher_text, private_key, algorithm)
       end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.4.3'
+    VERSION = '1.5.0'
   end
 end

data/lib/xml_security.rb

@@ -260,9 +260,11 @@ module XMLSecurity
         # check saml response cert matches provided idp cert
         if idp_cert.to_pem != cert.to_pem
           return false
+        end
+      else
+        base64_cert = Base64.encode64(idp_cert.to_pem)
       end
-        validate_signature(base64_cert, true)
-      end
+      validate_signature(base64_cert, true)
     end
 
     def validate_signature(base64_cert, soft = true)

data/test/idp_metadata_parser_test.rb

@@ -202,10 +202,10 @@ class IdpMetadataParserTest < Minitest::Test
       assert_nil settings.idp_cert_fingerprint
       assert_nil settings.idp_cert
       assert_equal 2, settings.idp_cert_multi.size
-      assert settings.idp_cert_multi.key?("signing")
-      assert_equal 2, settings.idp_cert_multi["signing"].size
-      assert settings.idp_cert_multi.key?("encryption")
-      assert_equal 1, settings.idp_cert_multi["encryption"].size
+      assert settings.idp_cert_multi.key?(:signing)
+      assert_equal 2, settings.idp_cert_multi[:signing].size
+      assert settings.idp_cert_multi.key?(:encryption)
+      assert_equal 1, settings.idp_cert_multi[:encryption].size
     end
   end
 
@@ -332,4 +332,15 @@ class IdpMetadataParserTest < Minitest::Test
       assert_equal ["AuthToken", "SSOStartPage"], @settings.idp_attribute_names
     end
   end
+
+  describe "parsing metadata with no IDPSSODescriptor element" do
+    before do
+      @idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      @idp_metadata = no_idp_metadata_descriptor
+    end
+
+    it "raise due no IDPSSODescriptor element" do
+        assert_raises(ArgumentError) { @idp_metadata_parser.parse(@idp_metadata) }
+    end
+  end
 end

data/test/logoutresponse_test.rb

@@ -90,6 +90,7 @@ class RubySamlTest < Minitest::Test
         it "invalidate logout response when initiated with no idp cert or fingerprint" do
           settings.idp_cert_fingerprint = nil
           settings.idp_cert = nil
+          settings.idp_cert_multi = nil
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
           assert !logoutresponse.validate
           assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"

data/test/metadata/no_idp_descriptor.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor entityID="https://sp.example.com/sp.xml" validUntil="2014-04-17T18:02:33.910Z" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T1RJeU5UUXhPRm9YRFRNeU1EUXgKTkRJeU5UUXhPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXFqaWUzUjJvaStwRGFldndJeXMvbWJVVApubkdsa3h0ZGlrcnExMXZleHd4SmlQTmhtaHFSVzNtVXVKRXpsbElkVkw2RW14R1lUcXBxZjkzSGxoa3NhZUowCjhVZ2pQOVVtTVlyaFZKdTFqY0ZXVjdmei9yKzIxL2F3VG5EVjlzTVlRcXVJUllZeTdiRzByMU9iaXdkb3ZudGsKN2dGSTA2WjB2WmFjREU1Ym9xVUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJTUk9OOEdKOG8rOGpnRnRqa3R3WmRxeDZCUnlUQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVrVGpmQmlmS1B2STRCYlk1TGNHWGFzZWdVY21oZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FDRQpUQWVKVERTQVc2ejFVRlRWN1FyZWg0VUxGT1JhajkrZUN1RjNLV0RIYyswSVFDajlyZG5ERzRRL3dmNy9yYVEwCkpuUFFDU0NkclBMSmV5b1BIN1FhVHdvYUY3ZHpWdzRMQ3N5TkpURld4NGNNNTBWdzZSNWZET2dpQzhic2ZmUzgKQkptb3VscnJaRE5OVmpHOG1XNmNMeHJZdlZRT3JSVmVjQ0ZJZ3NzQ2JBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.com/saml2-logout.php/default-sp"/>
+    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml2-acs.php/default-sp" index="0"/>    
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>

data/test/response_test.rb

@@ -30,6 +30,7 @@ class RubySamlTest < Minitest::Test
     let(:response_no_statuscode) { OneLogin::RubySaml::Response.new(read_invalid_response("no_status_code.xml.base64")) }
     let(:response_statuscode_responder) { OneLogin::RubySaml::Response.new(read_invalid_response("status_code_responder.xml.base64")) }
     let(:response_statuscode_responder_and_msg) { OneLogin::RubySaml::Response.new(read_invalid_response("status_code_responer_and_msg.xml.base64")) }
+    let(:response_double_statuscode) { OneLogin::RubySaml::Response.new(response_document_double_status_code) }
     let(:response_encrypted_attrs) { OneLogin::RubySaml::Response.new(response_document_encrypted_attrs) }
     let(:response_no_signed_elements) { OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64")) }
     let(:response_multiple_signed) { OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64")) }
@@ -138,6 +139,7 @@ class RubySamlTest < Minitest::Test
         it "raise when No fingerprint or certificate on settings" do
           settings.idp_cert_fingerprint = nil
           settings.idp_cert = nil
+          settings.idp_cert_multi = nil
           response.settings = settings
           error_msg = "No fingerprint or certificate on settings"
           assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
@@ -516,12 +518,12 @@ class RubySamlTest < Minitest::Test
         assert_empty response.errors
       end
 
-      it "return false when the status if no Status provided" do
+      it "return false when no Status provided" do
         assert !response_no_status.send(:validate_success_status)
         assert_includes response_no_status.errors, "The status code of the Response was not Success"
       end
 
-      it "return false when the status if no StatusCode provided" do
+      it "return false when no StatusCode provided" do
         assert !response_no_statuscode.send(:validate_success_status)
         assert_includes response_no_statuscode.errors, "The status code of the Response was not Success"
       end
@@ -535,6 +537,11 @@ class RubySamlTest < Minitest::Test
         assert !response_statuscode_responder_and_msg.send(:validate_success_status)
         assert_includes response_statuscode_responder_and_msg.errors, "The status code of the Response was not Success, was Responder -> something_is_wrong"
       end
+
+      it "return false when the status is not 'Success'" do
+        assert !response_double_statuscode.send(:validate_success_status)
+        assert_includes response_double_statuscode.errors, "The status code of the Response was not Success, was Requester => UnsupportedBinding"
+      end
     end
 
     describe "#validate_structure" do
@@ -1271,6 +1278,11 @@ class RubySamlTest < Minitest::Test
 
         response4 = OneLogin::RubySaml::Response.new(unsigned_message_encrypted_unsigned_assertion, :settings => settings)
         assert response4.decrypted_document
+
+        assert OneLogin::RubySaml::Response.new(
+          Base64.encode64(File.read('test/responses/unsigned_encrypted_adfs.xml')),
+          :settings => settings
+        ).decrypted_document
       end
     end
 

data/test/responses/response_double_status_code.xml.base64

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGJjODI2YWZkLWU5ZmUtZDNmYi1kODc0LWM0NzAwYzNlZjBjOCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2FwcC5tdWRhLm5vL3Nzby9jb25zdW1lIiBJblJlc3BvbnNlVG89Il9mYzRhMzRiMC03ZWZiLTAxMmUtY2FhZS03ODJiY2IxM2JiMzgiPjxzYW1sOklzc3Vlcj5odHRwczovL2FwcC5vbmVsb2dpbi5jb20vc2FtbDI8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6UmVxdWVzdGVyIj4gIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlVuc3VwcG9ydGVkQmluZGluZyIgLz48L3NhbWxwOlN0YXR1c0NvZGU+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4wIiBJRD0icGZ4OTUxNmIwZjMtNDUzNi0xMGY2LWM2ZmEtOWRkNTIzZTE0OThjIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDYtMDRUMDI6MjI6MDJaIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwyPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+dGVzdEBvbmVsb2dpbi5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjIwOTAtMDYtMDRUMDI6Mjc6MDJaIiBSZWNpcGllbnQ9InJlY2lwaWVudCIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDExLTA2LTA0VDAyOjE3OjAyWiIgTm90T25PckFmdGVyPSIyMDkwLTA2LTA0VDAyOjI3OjAyWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NvbWVvbmUuZXhhbXBsZS5jb20vYXVkaWVuY2U8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTA2LTA0VDAyOjIyOjAyWiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjA5MC0wNi0wNVQwMjoyMjowMloiIFNlc3Npb25JbmRleD0iXzE2ZjU3MGZiYzAzMTUwMDdhMDM1NWRmZWE2YjNjNDZjIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==

data/test/responses/unsigned_encrypted_adfs.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9365faa3a6f6a23b5cd75a74cb0786dc19e845200e" Version="2.0" IssueInstant="2015-03-19T14:00:31Z" Destination="http://rubysaml.com:3000/saml/acs" InResponseTo="_3ab7adb0-b06e-0132-5c3b-0090f5dedd77">
+  <saml:Issuer>https://idp.example.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
+      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
+          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+          <e:CipherData>
+            <e:CipherValue>xkJn7LQHrTZzLdrNec33hMSC5dc8B0uM4fw8HKhwpkWINwC9deaj0QVz4fZ82Zv2QdP3v6r0wJ/8VrUIF8puJTHSU0u2EUU+XqBJxvivGp2UhUPCyWmirSi6efBnWqMKhOz5YJoaLEu17yw+kOnavLZPv2bB8b5bo2mZPiaPG6s=</e:CipherValue>
+          </e:CipherData>
+        </e:EncryptedKey>
+      </KeyInfo>
+      <xenc:CipherData>
+        <xenc:CipherValue>ERiTkdJzJN841qIRwT79+laTQZWz83osoKohRBIaBHNLasGuBApR6iJqsSrQb2/6wWddDaNOqbnBEY+6Ze1mSzDjYomrWtVDD2psrzk1T29G56LuTQiOtTtOUlOPOVUkS9Tp1RgCXmi7No49lJJHxM8b53Y6hNjJQiSwrEdxhrv83MSuqYahuT5n2yB9jGg/ZnF6IP2YXLT7cd4kYRj/0g0mEBGAIHV3ZGRLVSKg0CMVPnQUCPLXqVCKoRbF2nt5R8Q6gGmKm/2zsyEfDw/vW076fVg6EoK+XVZ/M/gHKccA+iyeHKMN2k/yWeHn7FB32jY9oR8Ct6mW9JlgBbliM1SCDMnshuJXlKnyXuvOfJQd12NUrt9lWACwnKQzSZ3y/b5UthalAYTgHPVtL871hXnC9MTeTfAk+HqV7nfdPJTk/jVDIi0Wsbqlf+ppC1nvRab8ovWmfpUKFYhHhiQ6K6XQGo7xT/dKqV7+2wvhHtvYPt8iW76RkWtHVEjZaHjgCF/XGpMrj5CuX8KMQ3b67CIxb28V5MxnUXrJV1q5TnEF56bvlG4NNqQTYWMcu+bhcA5w1E/rJZxSKfpg7VdT4RMA3s0ZCXs9DR7RnjQP9szrytarMRwF+AI07Axt2/z71t551rNzCedNLdQFnFbFh9IgDSmYin7y1mxsa7IiLUZcJwtJTh33tKf0ObwMfj68vWgEJ0Aq8ZjnhVB7C7sRK4vh7NOgldS/CXZ2L5E5kYh2hVzqh0EGJrkOs3Rb3/nbZCwO4zdAYvv74qrPUkEUxG3/p9wjcg+bSFulcJCpk7i0+NnsocQ3OpDQGUFhtv6Q925h2LDAYQSkQgIvPnqbt+A6VRCng6g+mMwbbwP6o/agY2CyduED0QINAvZz85Cpts3uf4uxJEnaztDGT1RBPFwhMuJVt7Qe4nqurRftCh+T6KiVvwE6CqfuRFQm+SlWFyYq5u7GdRNFsuT3YKji3mF+UdqgNJa++R4bpOtZm1QQzv1qSS6UCtrJHbjBXhYDig3dEz1erkMWCwwjcicpeSrjBFc0lc1VzYfm1mOYWBHTE2RfDnEUztOzBUmiBVD3GXmS4xrUErIqz3RHe1erG8HwSZbfsXfOpfR5K8RsqL5A8l+vjSN6wfQGB1uIf07OPplzLL/UlZWcPQq+j0GGQAd/4Kbl5giWSSbwueaW95/dUJQGcOw7gIw9LIRasAWb6JQ0/TRgwU+a7Hoj+cFAdWxkeV63V9g4BvwOW3Zr00pSo2G9g+KUsAuFQxk9h9cDEqdEM2vPtfeSkjpXOZnGOrRNVUG23lgJHEQsTNb+VQb4ROFJBVjjdpE7jHMU9YaK8EfQokUBfr+8OtIdp9+LAUnfZ3JKGMKOROuQ2rtjb3NCZ8sy5u6usom0mbcxHiVqA+XbFYoNfer4JyqI+vanSC+dXnUEHnWxF9s6OqmSLUNCQ0TlKhXA/6SEBTC5Lb+Nust80tYHSgBm2S49aFD5sR2sI+8SCd3fftcyZESZCH7zH/t0c6gr7AEIPHaro0jmJPX/2Sxbof0TDmd1VCP1vEQIKo/jXgiPplIPMzk+ZTKLCn5TGjlBXQMLkEgXQuFcxf6kwnWgvV+4wfkV0dSweMF4RIq7oUBMuRcKLZzsI1xK1+Og1oros/oMgmkfAvR+LHn/q2vl73HgTMKyti5tBwWJBDGQ1uKP4UDzlO3L3SU72xT2SeAkavU6WJ0fz6XXRVIYnfkfzJ6nUpXYxEA7G+9X2zIBe6x9oyG1rOB8tNG3IyHJXfVujz5TaMVycP5hFqBy+EN2WF1Vu0qMUgi7ZY9u2xDnrI9XkYD+d0hXhC6Ow/EzMi+THV6w2MsOhy5E0FMQPbiipRSirzxs0bQkKLmgxkxaulaWPuCATc2lNZOb1Xp3y277TX5IkJQdbo1h772cUTf/tfW6lb/my34VbFEJEusMXSPxwXa2LkNoqDvIBPjsMYnogagriVWd+WDIjM/Sqh+RhRo0Owp/V4w8KhrCU0tFI/g1pn59i4mrhnMUyeZdYSPk0TFdNBMekMB5Kq3Cc9kHSpe4TCAkWkknZ9qKF0sH7kQnDzfvWsrLDHdv9ijX/Kz+J4wwopeSKcLbjOORpnNd0sAuF4FhwuOh9t9bHgxIVNpipcfiMUKzxI1IcLQjFC7aNuc/K+SdW4mw1L9rI8JihNH21vid4h9BZUaY18fedWvdtH+0W2TPsHgMKM5KbADS6ixcxaK9qBAELDaRrIwY209pDgDIj6TU/IrhB5SKGsrEoEnvvxDXIds7vZPfbn6Q5KphxcU66zLhI1AtGmYkO1uIRRrjX3A1zchhHpE2OmTFhCDLYMIuGPhY55I71Nnzn6ysF2HHnxRBWEIEV8aEFFA87UzqhdzNWI3sMcy7yVsyLxWpdSB+GpsCM9vU1+BRZh10KeNROSQryY3lUp/uYpWCsuTPMXuYvqS6RSebFgVu38bgGfaBvLILfb/YkcHWGP/5Yo/ndEgsTI2pDTqdpDArNaxoHJJ+uC1DhPKsQgc1OLtdcIR81eHn9JHdUKBRWcHU+8GBEcMmFjHrbr7V8eVPOEuTodO1gIjQuUC0OjRD5O7gadPNwMG5JV3Q878V8stkrQFPyFdgsCSjrPPgeXifmsZDeVzVw+bjoACqbTHcYGYOEYUkSfYe4G43YP/we0wr4ehJUo9nj4taP8IN8nnn8ZTvuai8LHVgRZ+uXZI7qJvOToj1s8qBl7KWZTHRuVCvACvZp7V6mzzBxKdQwB8A5/mnp3jnVhjFkDTzczBDaPqyhurN3pYVdGhV62TTrECf04u0uvJY/84v56xHsnDOw0PtKZ3KbRdaQT4rI3YfS7FlI4jk/uIcG5OijKxzeK8v9UCDn7tAoDATkSQvi9Tn9cJfUdLMYqKXN+3CLKOsJH974b+78ZhFplD6v++6PHzZaeelPkP/9a9vYUbDPX3Rx3bxVfcVgO3Mvm/1mB/D71q33zEUreS0qBQzLqWLSOmAca9uXAsTMrvUBjl2Ir5NXcLvpm5kUMu3B3SazJiDT212fPu03xT3PIYlGMXyc10KmFByXevKAcRTsS8ov7IHnctxo6As2/UsiQU0S2Sa2fx0w7T9+yLOPkUPtplCLHjqTq3ZDsmpRpDV3XYFMVgBLM6LqKjDep3uJB3Q1PX1pewH3HklWyV7WyIWsoD6hFAD3tRinrIOZ2GYvU+FfTfZuJ2Bl6UGpJV3vYa4MnVtQlpyNKsOoCfxAO4xi0cWotlmJpyOz7PlE+mKkYCKDl7i3g1nbtk2vC6l1Z7rJaPkYLBsjW4WuifOs9h/DyrmaeSk2BGcT1w8vgiG9zsHsREpcO7IHFmPtViNdwzRSd+0ufubp1g42v7//WgNU/swT+xeUk5Ew/dnnnVjWF7ihKG+LjA6ZG5WvCYqeyT1KffCJC2awSL8mgHTpaBHfO6DbA+Znh+5mNiHNdD4KdCqUNuaCW3OL3ftj/fgyXLm4JQl88s3ixPkHWDLQkkvNHJf4ZMD0Zgzw0GhZ9dEElcrGrTSq2KcX0wmAC2bO41FEfvIi4YGTMi44q1UH7sKiOam4bDrnWf9r+ecUhutCivqAY5g+9OPt3VLgdEHv9HyUk2PjYBAQJA+nOSHnBGxLJQXD0uXYoX3Rr8c4wHCyyC5pnRtWX6fLiaXrrtm6mi4BxzUG0FGBWNjvaCvbgOxFN7i8xsode8FElDUFYXp8MG3yFlyDp7FHEZsWwUX58E6Zj+HjBUETcYQXUjX3gBC2RxjZcz80ZsSaFEIhsphIAzREr/JcfRgpJH7b0FvbG/EIQBGMwSZ1LK7ZM0oXJY+W6BGShKtp8eOr6Ej8fxcxQoDxID1H/jgKwzltKq6v1fpYSbCjd+lEuz3OBRLa+bVr8rzSRezJ1XbQCvCDk/KeQS2au3FOoGIhaYTzDec8GvEx/xe1gQjuumCKsfDOAdTk2RNCw7zvsPGk+IMteMUNJya+bEK8j1zkb/Elxc6smwAScotZ2meKe/lhh0TwX8nVBHjTP/5gPFGl8fl36aJ1DqRij9O6iv2h9dckT1xbCWY/pW8gF7/TyOQoDje/JLZg97xhZ0PxoQyWHopXlNaKivfDXF5sV72lcOzazSP32mSelJuh4kES332dpjQLsiT2TGK7tsN3r77RM2iKpA3HE/XyhjyFqkwI4c6E7tCQmY9CPXeNWZyLWXdL/4Fgvs7elmQjhVvhx+9K5CLv5O/DYTeB31L9oF0zLV6N/K+vzCOFaFT6tI6B+icXUtccuKGcggIDF4N/z+AKCNK1m2TX0P0Y7ZPESdVzvSoYQqYbCRx+yGTACEHd6c72y3UlgecifscdJ983F+QDFjeZBRf8C4NhWxALyrwqAg1tKJPX8RXEpQfJDHoGNdIFFveZhku/4hYZF6B2GJ8l/fgItQDcwSnqctLNBlwVJ0P5cgbU3SCAYQF/+ldB0NJiJ8gzYOQCp2N8kJEEl4cc5gq28v5BtmUGhA7GilS4ZSHs6tJIuqego8ZWKir4KIKZg5QiiTfK/sME4u/ZadKJnJ5mhCTE+M7HG+Tyrmn6rkgsHHn6sTc4px23xxIH3PIM5YCQwK0DxopaflXDXUBwYYUr7mO8zv+NLzI3o/nkQzwX2+Wp3cb9qES/8N7q6h3653y8jgKYi+1Tv+ODLTFax9QkAGAKNsbeW9dOWCGovDSlcA+jizBmO+ag2Dy1AoZEI/ioy9rfmNWe7rNCvR/ulVNsyeC7VO0Y3o6g7JCttjc5+Beh4/HCTg/Cn6l1//Lhu1jVecSCZQOTv5wLQKqITF4/NtneGytWkUsroJwMu1PjCFBCp0I938tBk8mCpzf57i3C50I+vIEFNDNq3zmoSkcMae8U6Kvp1/e7p4wtwjwHAvy7PwewtYzndhT5CwqEq1uN/SrkDlXaCAMZGt9jHTzONviXjox7l0fr/l8HJ7y/GLno7wdE00a0LxzlxNGNdcKuqrDjndE3QmLUXrzTICSH7+2P5bqhoeSjj44HAu/QkDHpBqQl0k92DiKy4USbULnrAlRn8ix0u9uAZL+aMwrERyFtIoetNJMrWpkEHELg2V744qR3QY8QnjvL9jmG5J1rAXNCk2qbFI4SLYO+bLIAZaxIcXrP5GMf/ojYUZEnBiny2E+JWR9TFRjh+8yxXk9/PwJWI3RDJFdV6rY8rsKm1M2+01qNwjAYKkWTdyBeg3Jlvb84BoqOwPPoJHXKB0fJsY82R/FoVQK26aL6bA5xcAvfVszwSYs+4yTJA2roA==</xenc:CipherValue>
+      </xenc:CipherData>
+    </xenc:EncryptedData>
+  </EncryptedAssertion>
+</samlp:Response>

data/test/test_helper.rb

@@ -136,6 +136,10 @@ class Minitest::Test
     @response_document_encrypted_attrs ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_encrypted_attrs.xml.base64'))
   end
 
+  def response_document_double_status_code
+    @response_document_double_status_code ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_double_status_code.xml.base64'))
+  end
+
   def signature_fingerprint_1
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
@@ -162,6 +166,10 @@ class Minitest::Test
     @idp_metadata_descriptor3 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_3.xml'))
   end
 
+  def no_idp_metadata_descriptor
+    @no_idp_metadata_descriptor ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'no_idp_descriptor.xml'))
+  end
+
   def idp_metadata_multiple_descriptors
     @idp_metadata_multiple_descriptors ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_multiple_descriptors.xml'))
   end

data/test/xml_security_test.rb

@@ -106,7 +106,7 @@ class XmlSecurityTest < Minitest::Test
     end
   end
 
-  describe "#algorithm" do    
+  describe "#algorithm" do
     it "SHA1" do
       alg = OpenSSL::Digest::SHA1
       assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
@@ -130,7 +130,7 @@ class XmlSecurityTest < Minitest::Test
       alg = OpenSSL::Digest::SHA512
       assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512")
       assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha512")
-    end        
+    end
   end
 
   describe "Fingerprint Algorithms" do
@@ -278,7 +278,7 @@ class XmlSecurityTest < Minitest::Test
         logout_request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
         # verify our signature
         signed_doc2 = XMLSecurity::SignedDocument.new(logout_request2.to_s)
-        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)        
+        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
         assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
       end
 
@@ -293,7 +293,7 @@ class XmlSecurityTest < Minitest::Test
         logout_response2.sign_document(ruby_saml_key, ruby_saml_cert_text)
         # verify our signature
         signed_doc2 = XMLSecurity::SignedDocument.new(logout_response2.to_s)
-        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)        
+        signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
         assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
       end
     end
@@ -316,9 +316,14 @@ class XmlSecurityTest < Minitest::Test
         Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
           assert !response.is_valid?
 
-          contains_expected_error = response.errors.include? "Current time is earlier than NotBefore condition 2012-11-20 17:55:00 UTC < 2012-11-28 17:53:45 UTC)"
-          contains_expected_error ||= response.errors.include? "Current time is earlier than NotBefore condition Tue Nov 20 17:55:00 UTC 2012 < Wed Nov 28 17:53:45 UTC 2012)"
-          assert contains_expected_error
+          time_1 = '2012-11-20 17:55:00 UTC < 2012-11-28 17:53:45 UTC'
+          time_2 = 'Tue Nov 20 17:55:00 UTC 2012 < Wed Nov 28 17:53:45 UTC 2012'
+
+          errors = [time_1, time_2].map do |time|
+            "Current time is earlier than NotBefore condition (#{time})"
+          end
+
+          assert_predicate response.errors & errors, :any?
         end
       end
 
@@ -344,7 +349,7 @@ class XmlSecurityTest < Minitest::Test
             assert document.validate_document(fingerprint, true), 'Document should be valid'
           end
         end
-        
+
         describe 'when response has signed assertion' do
           let(:document_data) { read_response('response_with_signed_assertion_3.xml') }
           let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
@@ -388,5 +393,29 @@ class XmlSecurityTest < Minitest::Test
         end
       end
     end
+
+    describe '#validate_document_with_cert' do
+      describe 'with valid document ' do
+        describe 'when response has cert' do
+          let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }
+          let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+          let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
+
+          it 'is valid' do
+            assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
+          end
+        end
+        
+        describe 'when response has no cert but you have local cert' do
+          let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+          it 'is valid' do
+            assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
+          end
+        end
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.4.3
+  version: 1.5.0
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-18 00:00:00.000000000 Z
+date: 2017-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -218,6 +218,7 @@ files:
 - test/metadata/idp_descriptor_2.xml
 - test/metadata/idp_descriptor_3.xml
 - test/metadata/idp_multiple_descriptors.xml
+- test/metadata/no_idp_descriptor.xml
 - test/metadata_test.rb
 - test/request_test.rb
 - test/response_test.rb
@@ -263,6 +264,7 @@ files:
 - test/responses/no_signature_ns.xml
 - test/responses/open_saml_response.xml
 - test/responses/response_assertion_wrapped.xml.base64
+- test/responses/response_double_status_code.xml.base64
 - test/responses/response_encrypted_attrs.xml.base64
 - test/responses/response_encrypted_nameid.xml.base64
 - test/responses/response_eval.xml
@@ -290,6 +292,7 @@ files:
 - test/responses/simple_saml_php.xml
 - test/responses/starfield_response.xml.base64
 - test/responses/test_sign.xml
+- test/responses/unsigned_encrypted_adfs.xml
 - test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64
 - test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64
 - test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64
@@ -327,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.4.8
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
@@ -363,6 +366,7 @@ test_files:
 - test/metadata/idp_descriptor_2.xml
 - test/metadata/idp_descriptor_3.xml
 - test/metadata/idp_multiple_descriptors.xml
+- test/metadata/no_idp_descriptor.xml
 - test/metadata_test.rb
 - test/request_test.rb
 - test/response_test.rb
@@ -408,6 +412,7 @@ test_files:
 - test/responses/no_signature_ns.xml
 - test/responses/open_saml_response.xml
 - test/responses/response_assertion_wrapped.xml.base64
+- test/responses/response_double_status_code.xml.base64
 - test/responses/response_encrypted_attrs.xml.base64
 - test/responses/response_encrypted_nameid.xml.base64
 - test/responses/response_eval.xml
@@ -435,6 +440,7 @@ test_files:
 - test/responses/simple_saml_php.xml
 - test/responses/starfield_response.xml.base64
 - test/responses/test_sign.xml
+- test/responses/unsigned_encrypted_adfs.xml
 - test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64
 - test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64
 - test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64