ruby-saml 1.7.0 → 1.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: cb5007dd289f308983339a7ae35cd40018f58143
-  data.tar.gz: 16f12f151a3ab5d9cb32739b4d55f7437748d17e
+SHA256:
+  metadata.gz: 43bc92cf8a14835577d9bb32d1bdcef71fd5ffccb351dd41ac9b56863fb173c7
+  data.tar.gz: e7975fcf413d9c64801f7b5190246685548205034dc74315bc169738697e1006
 SHA512:
-  metadata.gz: 6395d86c33cd7d49bc329f486a5be5a8c4cc5e24076d75234f96bb51fcefe1d8c782f6bf18fd07201751d300c23c521cf4441c7514d61651c89d363ffb9cf700
-  data.tar.gz: d5eb6efeb77b267ad51487dfb3baa06f28103c582e61efbf996c279f0e7f0915d1abe18ed34be1c5b60eef69240b31d0d40c44e6cf6157b9c968bf96208ad7c8
+  metadata.gz: 0a09fcb8777969eb6d54b29d20520c7e17e3f7dc128cfc81475eba8c9b31f5926f2b64d308b18268762b43fb60cf7956f6e266c1f5343d2b9d58e545be0c3392
+  data.tar.gz: 8e9008647a610935764b2f578b76c5eb72d09be482d76b5f4d8ab51fd29d4569a3ba2e2db61f63fbdde27bd1be14bf4afdeffe1c7f699afc0b7d5e1c85d0fe09

data/.travis.yml

@@ -1,26 +1,48 @@
-sudo: false
 language: ruby
 rvm:
-  - 1.8.7
   - 1.9.3
   - 2.0.0
-  - 2.1.5
-  - 2.2.0
-  - 2.3.0
-  - 2.4.0
-  - ree
-  - jruby-1.7.21
-  - jruby-9.0.0.0
+  - 2.1.10
+  - 2.2.10
+  - 2.3.8
+  - 2.4.6
+  - 2.5.8
+  - 2.6.6
+  - 2.7.2
+  - 3.0.0
+  - jruby-1.7.27
+  - jruby-9.1.17.0
+  - jruby-9.2.13.0
 gemfile:
   - Gemfile
   - gemfiles/nokogiri-1.5.gemfile
+before_install:
+  - gem update bundler
 matrix:
   exclude:
-    - rvm: 1.8.7
-      gemfile: Gemfile
-    - rvm: ree
-      gemfile: Gemfile
-    - rvm: jruby-9.0.0.0
+    - rvm: jruby-1.7.27
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-1.7.21
+    - rvm: jruby-9.1.17.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: jruby-9.2.13.0
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.1.5
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.1.10
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.2.10
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.3.8
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.4.6
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.5.8
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.6.6
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.7.2
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 3.0.0
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+env:
+  - JRUBY_OPTS="--debug"

data/README.md

@@ -1,4 +1,25 @@
-# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
+# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master)](https://coveralls.io/r/onelogin/ruby-saml?branch=master)
+
+## Updating from 1.11.x to 1.12.0
+Version `1.12.0` adds support for gcm algorithm and
+change/adds specific error messages for signature validations
+
+## Updating from 1.10.x to 1.11.0
+Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
+There are two new security settings: `settings.security[:check_idp_cert_expiration]` and `settings.security[:check_sp_cert_expiration]` (both false by default) that check if the IdP or SP X.509 certificate has expired, respectively.
+
+Version `1.10.2` includes the `valid_until` attribute in parsed IdP metadata.
+
+Version `1.10.1` improves Ruby 1.8.7 support.
+
+## Updating from 1.9.0 to 1.10.0
+Version `1.10.0` improves IdpMetadataParser to allow parse multiple IDPSSODescriptor, Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user to be authenticated and updates the format_cert method to accept certs with /\x0d/
+
+## Updating from 1.8.0 to 1.9.0
+Version `1.9.0` better supports Ruby 2.4+ and JRuby 9.2.0.0. `Settings` initialization now has a second parameter, `keep_security_settings` (default: false), which saves security settings attributes that are not explicitly overridden, if set to true.
+
+## Updating from 1.7.X to 1.8.0
+On Version `1.8.0`, creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState param will not generate a URL with an empty RelayState parameter anymore. It also changes the invalid audience error message.
 
 ## Updating from 1.6.0 to 1.7.0
 
@@ -41,6 +62,10 @@ value.
 If you want to skip that validation, add the :skip_recipient_check option to the
 initialize method of the Response object.
 
+Parsing metadata that contains more than one certificate will propagate the
+idp_cert_multi property rather than idp_cert. See [signature validation
+section](#signature-validation) for details.
+
 ## Updating from 1.3.x to 1.4.X
 
 Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.
@@ -92,8 +117,12 @@ We created a demo project for Rails4 that uses the latest version of this librar
 * 2.2.x
 * 2.3.x
 * 2.4.x
+* 2.5.x
+* 2.6.x
+* 2.7.x
 * JRuby 1.7.19
 * JRuby 9.0.0.0
+* JRuby 9.2.0.0
 
 ## Adding Features, Pull Requests
 * Fork the repository
@@ -107,6 +136,17 @@ We created a demo project for Rails4 that uses the latest version of this librar
 
 If you believe you have discovered a security vulnerability in this gem, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
 
+### Security warning
+
+Some tools may incorrectly report ruby-saml is a potential security vulnerability.
+ruby-saml depends on Nokogiri, and it's possible to use Nokogiri in a dangerous way
+(by enabling its DTDLOAD option and disabling its NONET option).
+This dangerous Nokogiri configuration, which is sometimes used by other components,
+can create an XML External Entity (XXE) vulnerability if the XML data is not trusted.
+However, ruby-saml never enables this dangerous Nokogiri configuration;
+ruby-saml never enables DTDLOAD, and it never disables NONET.
+
+
 ## Getting Started
 In order to use the toolkit you will need to install the gem (either manually or using Bundler), and require the library in your Ruby application:
 
@@ -114,7 +154,7 @@ Using `Gemfile`
 
 ```ruby
 # latest stable
-gem 'ruby-saml', '~> 1.0.0'
+gem 'ruby-saml', '~> 1.11.0'
 
 # or track master for bleeding-edge
 gem 'ruby-saml', :github => 'onelogin/ruby-saml'
@@ -163,7 +203,7 @@ To override the default behavior and control the destination of log messages, pr
 a ruby Logger object to the gem's logging singleton:
 
 ```ruby
-OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w'))
+OneLogin::RubySaml::Logging.logger = Logger.new('/var/log/ruby-saml.log')
 ```
 
 ## The Initialization Phase
@@ -177,6 +217,17 @@ def init
 end
 ```
 
+If the SP knows who should be authenticated in the IdP, then can provide that info as follows:
+
+```ruby
+def init
+  request = OneLogin::RubySaml::Authrequest.new
+  saml_settings.name_identifier_value_requested = "testuser@example.com"
+  saml_settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  redirect_to(request.create(saml_settings))
+end
+```
+
 Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption. This can look something like this (the `authorize_success` and `authorize_failure` methods are specific to your application):
 
 ```ruby
@@ -190,6 +241,7 @@ def consume
      session[:attributes] = response.attributes
   else
     authorize_failure  # This method shows an error message
+    # List of errors is available in response.errors array
   end
 end
 ```
@@ -211,10 +263,10 @@ def saml_settings
   settings = OneLogin::RubySaml::Settings.new
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.idp_entity_id                  = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
-  settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
-  settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
+  settings.idp_sso_service_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
+  settings.idp_slo_service_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
   settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -235,12 +287,16 @@ def saml_settings
 end
 ```
 
-Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
+The use of settings.issuer is deprecated in favour of settings.sp_entity_id since version 1.11.0
+
+Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `AuthnStatement`, `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
 
 ```ruby
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_authnstatement: true}) # skips AuthnStatement
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doens't skip subject confirmation, but skips the recipient check which is a sub check of the subject_confirmation check
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_audience: true}) # skips audience check
 ```
 
 All that's left is to wrap everything in a controller and reference it in the initialization and consumption URLs in OneLogin. A full controller example could look like this:
@@ -264,6 +320,7 @@ class SamlController < ApplicationController
        session[:attributes] = response.attributes
     else
       authorize_failure  # This method shows an error message
+      # List of errors is available in response.errors array
     end
   end
 
@@ -273,8 +330,8 @@ class SamlController < ApplicationController
     settings = OneLogin::RubySaml::Settings.new
 
     settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-    settings.issuer                         = "http://#{request.host}/saml/metadata"
-    settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+    settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
+    settings.idp_sso_service_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
     settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 
@@ -305,6 +362,8 @@ On the ruby-saml toolkit there are different ways to validate the signature of t
 When validating the signature of redirect binding, the fingerprint is useless and the certficate of the IdP is required in order to execute the validation.
 You can pass the option :relax_signature_validation to SloLogoutrequest and Logoutresponse if want to avoid signature validation if no certificate of the IdP is provided.
 
+In production also we highly recommend to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
+
 In some scenarios the IdP uses different certificates for signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.
 
 In order to handle that the toolkit offers the 'idp_cert_multi' parameter.
@@ -334,7 +393,7 @@ def saml_settings
   settings = idp_metadata_parser.parse_remote("https://example.com/auth/saml2/idp/metadata")
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   # Optional for most SAML IdPs
   settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
@@ -345,11 +404,11 @@ end
 The following attributes are set:
   * idp_entity_id
   * name_identifier_format
-  * idp_sso_target_url
-  * idp_slo_target_url
+  * idp_sso_service_url
+  * idp_slo_service_url
   * idp_attribute_names
-  * idp_cert 
-  * idp_cert_fingerprint 
+  * idp_cert
+  * idp_cert_fingerprint
   * idp_cert_multi
 
 ### Retrieve one Entity Descriptor when many exist in Metadata
@@ -412,6 +471,9 @@ Imagine this `saml:AttributeStatement`
       <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
       <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1"/>
     </saml:Attribute>
+    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
+      <saml:AttributeValue>usersName</saml:AttributeValue>
+    </saml:Attribute>
   </saml:AttributeStatement>
 ```
 
@@ -422,7 +484,8 @@ pp(response.attributes)   # is an OneLogin::RubySaml::Attributes object
    "another_value"=>["value1", "value2"],
    "role"=>["role1", "role2", "role3"],
    "attribute_with_nil_value"=>[nil],
-   "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]}>
+   "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]
+   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"=>["usersName"]}>
 
 # Active single_value_compatibility
 OneLogin::RubySaml::Attributes.single_value_compatibility = true
@@ -439,6 +502,9 @@ pp(response.attributes.single(:role))
 pp(response.attributes.multi(:role))
 # => ["role1", "role2", "role3"]
 
+pp(response.attributes.fetch(:role))
+# => "role1"
+
 pp(response.attributes[:attribute_with_nil_value])
 # => nil
 
@@ -454,6 +520,9 @@ pp(response.attributes.single(:not_exists))
 pp(response.attributes.multi(:not_exists))
 # => nil
 
+pp(response.attributes.fetch(/givenname/))
+# => "usersName"
+
 # Deactive single_value_compatibility
 OneLogin::RubySaml::Attributes.single_value_compatibility = false
 
@@ -469,6 +538,9 @@ pp(response.attributes.single(:role))
 pp(response.attributes.multi(:role))
 # => ["role1", "role2", "role3"]
 
+pp(response.attributes.fetch(:role))
+# => ["role1", "role2", "role3"]
+
 pp(response.attributes[:attribute_with_nil_value])
 # => [nil]
 
@@ -483,11 +555,17 @@ pp(response.attributes.single(:not_exists))
 
 pp(response.attributes.multi(:not_exists))
 # => nil
+
+pp(response.attributes.fetch(/givenname/))
+# => ["usersName"]
 ```
 
 The `saml:AuthnContextClassRef` of the AuthNRequest can be provided by `settings.authn_context`; possible values are described at [SAMLAuthnCxt]. The comparison method can be set using `settings.authn_context_comparison` parameter. Possible values include: 'exact', 'better', 'maximum' and 'minimum' (default value is 'exact').
 To add a `saml:AuthnContextDeclRef`, define `settings.authn_context_decl_ref`.
 
+In a SP-initiated flow, the SP can indicate to the IdP the subject that should be authenticated. This is done by defining the `settings.name_identifier_value_requested` before
+building the authrequest object.
+
 
 ## Signing
 
@@ -515,6 +593,8 @@ The settings related to sign are stored in the `security` attribute of the setti
   # Embeded signature or HTTP GET parameter signature
   # Note that metadata signature is always embedded regardless of this value.
   settings.security[:embed_sign] = false
+  settings.security[:check_idp_cert_expiration] = false   # Enable or not IdP x509 cert expiration check
+  settings.security[:check_sp_cert_expiration] = false   # Enable or not SP x509 cert expiration check
 ```
 
 Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding.
@@ -522,7 +602,7 @@ Remember to provide it to the Signature builder if you are sending a `GET RelayS
 signature validation process will fail at the Identity Provider.
 
 The Service Provider will sign the request/responses with its private key.
-The Identity Provider will validate the sign of the received request/responses with the public x500 cert of the
+The Identity Provider will validate the sign of the received request/responses with the public x509 cert of the
 Service Provider.
 
 Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and decrypt processes.
@@ -563,21 +643,27 @@ def sp_logout_request
   # LogoutRequest accepts plain browser requests w/o paramters
   settings = saml_settings
 
-  if settings.idp_slo_target_url.nil?
+  if settings.idp_slo_service_url.nil?
     logger.info "SLO IdP Endpoint not found in settings, executing then a normal logout'"
     delete_session
   else
 
-    # Since we created a new SAML request, save the transaction_id
-    # to compare it with the response we get back
     logout_request = OneLogin::RubySaml::Logoutrequest.new()
-    session[:transaction_id] = logout_request.uuid
-    logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{session[:transaction_id]}'"
+    logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{logout_request.uuid}'"
 
     if settings.name_identifier_value.nil?
       settings.name_identifier_value = session[:userid]
     end
 
+    # Ensure user is logged out before redirect to IdP, in case anything goes wrong during single logout process (as recommended by saml2int [SDP-SP34])
+    logged_user = session[:userid]
+    logger.info "Delete session for '#{session[:userid]}'"
+    delete_session
+
+    # Save the transaction_id to compare it with the response we get back
+    session[:transaction_id] = logout_request.uuid
+    session[:logged_out_user] = logged_user
+
     relayState =  url_for controller: 'saml', action: 'index'
     redirect_to(logout_request.create(settings, :RelayState => relayState))
   end
@@ -605,7 +691,7 @@ def process_logout_response
     logger.error "The SAML Logout Response is invalid"
   else
     # Actually log out this session
-    logger.info "Delete session for '#{session[:userid]}'"
+    logger.info "SLO completed for '#{session[:logged_out_user]}'"
     delete_session
   end
 end
@@ -614,6 +700,8 @@ end
 def delete_session
   session[:userid] = nil
   session[:attributes] = nil
+  session[:transaction_id] = nil
+  session[:logged_out_user] = nil
 end
 ```
 
@@ -626,7 +714,7 @@ def idp_logout_request
   logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest])
   if !logout_request.is_valid?
     logger.error "IdP initiated LogoutRequest was not valid!"
-    render :inline => logger.error
+    return render :inline => logger.error
   end
   logger.info "IdP initiated Logout for #{logout_request.name_id}"
 
@@ -681,6 +769,14 @@ class SamlController < ApplicationController
 end
 ```
 
+You can add ValidUntil and CacheDuration to the XML Metadata using instead
+```ruby
+  # Valid until => 2 days from now
+  # Cache duration = 604800s = 1 week
+  valid_until = Time.now + 172800
+  cache_duration = 604800
+  meta.generate(settings, false, valid_until, cache_duration)
+```
 
 ## Clock Drift
 

data/changelog.md

@@ -1,5 +1,65 @@
 # RubySaml Changelog
 
+### 1.12.0 (Feb 18, 2021)
+* Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
+* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings 
+* Adding idp_sso_service_url and idp_slo_service_url settings
+* [#536](https://github.com/onelogin/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
+* Reduce size of built gem by excluding the test folder
+* Improve protection on Zlib deflate decompression bomb attack.
+* Add ValidUntil and cacheDuration support on Metadata generator
+* Add support for cacheDuration at the IdpMetadataParser
+* Support customizable statusCode on generated LogoutResponse
+* [#545](https://github.com/onelogin/ruby-saml/pull/545) More specific error messages for signature validation
+* Support Process Transform
+* Raise SettingError if invoking an action with no endpoint defined on the settings
+* Made IdpMetadataParser more extensible for subclasses
+*[#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
+* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
+* Improve documentation
+
+### 1.11.0 (Jul 24, 2019)
+
+* Deprecate settings.issuer in favor of settings.sp_entity_id
+* Add support for certification expiration
+
+### 1.10.2 (Apr 29, 2019)
+
+* Add valid until, accessor
+* Fix Rubygem metadata that requested nokogiri <= 1.5.11
+
+### 1.10.1 (Apr 08, 2019)
+
+* Fix ruby 1.8.7 incompatibilities
+
+### 1.10.0 (Mar 21, 2019)
+* Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user to be authenticated
+* Improves IdpMetadataParser to allow parse multiple IDPSSODescriptors
+* Improves format_cert method to accept certs with /\x0d/
+* Forces nokogiri >= 1.8.2 when possible
+
+### 1.9.0 (Sept 03, 2018)
+* [#458](https://github.com/onelogin/ruby-saml/pull/458) Remove ruby 2.4+ warnings
+* Improve JRuby support
+* [#465](https://github.com/onelogin/ruby-saml/pull/465) Extend Settings initialization with the new keep_security_attributes parameter
+* Fix wrong message when SessionNotOnOrAfter expired
+* [#471](https://github.com/onelogin/ruby-saml/pull/471) Allow for `allowed_clock_drift` to be set as a string
+
+### 1.8.0 (April 23, 2018)
+* [#437](https://github.com/onelogin/ruby-saml/issues/437) Creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState should not send empty RelayState URL param
+* [#454](https://github.com/onelogin/ruby-saml/pull/454) Added Response available options
+* [#453](https://github.com/onelogin/ruby-saml/pull/453) Raise a more descriptive exception if idp_sso_target_url is missing
+* [#452](https://github.com/onelogin/ruby-saml/pull/452) Fix behavior of skip_conditions flag on Response
+* [#449](https://github.com/onelogin/ruby-saml/pull/449) Add ability to skip authnstatement validation
+* Clear cached values to be able to use IdpMetadataParser more than once
+* Updated invalid audience error message
+
+### 1.7.2 (Feb 28, 2018)
+* [#446](https://github.com/onelogin/ruby-saml/pull/446) Normalize text returned by OneLogin::RubySaml::Utils.element_text
+
+### 1.7.1 (Feb 28, 2018)
+* [#444](https://github.com/onelogin/ruby-saml/pull/444) Fix audience validation for empty audience restriction
+
 ### 1.7.0 (Feb 27, 2018)
 * Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments
 

data/lib/onelogin/ruby-saml/attribute_service.rb

@@ -16,7 +16,7 @@ module OneLogin
       end
 
       def configure(&block)
-        instance_eval &block
+        instance_eval(&block)
       end
 
       # @return [Boolean] True if the AttributeService object has been initialized and set with the required values

data/lib/onelogin/ruby-saml/attributes.rb

@@ -79,7 +79,7 @@ module OneLogin
         self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
       end
 
-      # @return [Array] Return all attributes as an array
+      # @return [Hash] Return all attributes as a hash
       #
       def all
         attributes
@@ -113,6 +113,29 @@ module OneLogin
         end
       end
 
+      # Fetch attribute value using name or regex
+      # @param name [String|Regexp] The attribute name
+      # @return [String|Array] Depending on the single value compatibility status this returns:
+      #                        - First value if single_value_compatibility = true
+      #                          response.attributes['mail']  # => 'user@example.com'
+      #                        - All values if single_value_compatibility = false
+      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      #
+      def fetch(name)
+        attributes.each_key do |attribute_key|
+          if name.is_a?(Regexp)
+            if name.method_exists? :match?
+              return self[attribute_key] if name.match?(attribute_key)
+            else 
+              return self[attribute_key] if name.match(attribute_key)
+            end
+          elsif canonize_name(name) == canonize_name(attribute_key)
+            return self[attribute_key]
+          end
+        end
+        nil
+      end
+
       protected
 
       # stringifies all names so both 'email' and :email return the same result

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -3,6 +3,7 @@ require "rexml/document"
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -23,6 +24,10 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def request_id
+        @uuid
+      end
+
       # Creates the AuthNRequest string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
@@ -30,13 +35,14 @@ module OneLogin
       #
       def create(settings, params = {})
         params = create_params(settings, params)
-        params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        params_prefix = (settings.idp_sso_service_url =~ /\?/) ? '&' : '?'
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        @login_url = settings.idp_sso_target_url + request_params
+        raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
+        @login_url = settings.idp_sso_service_url + request_params
       end
 
       # Creates the Get parameters for the request.
@@ -50,6 +56,11 @@ module OneLogin
         # conflicts so this line will solve them.
         relay_state = params[:RelayState] || params['RelayState']
 
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
 
@@ -101,7 +112,7 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
+        root.attributes['Destination'] = settings.idp_sso_service_url unless settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
         root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
         root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
@@ -111,10 +122,22 @@ module OneLogin
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
+
+        if settings.name_identifier_value_requested != nil
+          subject = root.add_element "saml:Subject"
+
+          nameid = subject.add_element "saml:NameID"
+          nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          nameid.text = settings.name_identifier_value_requested
+
+          subject_confirmation = subject.add_element "saml:SubjectConfirmation"
+          subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+        end
+
         if settings.name_identifier_format != nil
           root.add_element "samlp:NameIDPolicy", {
               # Might want to make AllowCreate a setting?
@@ -157,7 +180,7 @@ module OneLogin
 
       def sign_document(document, settings)
         # embed signature
-        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign] 
+        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
           private_key = settings.get_sp_key
           cert = settings.get_sp_cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])