ruby-saml 1.8.0 → 1.13.0

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,6 +1,7 @@
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -20,6 +21,10 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def request_id
+        @uuid
+      end
+
       # Creates the Logout Request string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
@@ -27,13 +32,14 @@ module OneLogin
       #
       def create(settings, params={})
         params = create_params(settings, params)
-        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        @logout_url = settings.idp_slo_target_url + request_params
+        raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
+        @logout_url = settings.idp_slo_service_url + request_params
       end
 
       # Creates the Get parameters for the logout request.
@@ -64,8 +70,8 @@ module OneLogin
         base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
 
-        if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_requests_signed] && settings.private_key
+          params['SigAlg'] = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLRequest',
             :data => base64_request,
@@ -89,6 +95,11 @@ module OneLogin
       # @return [String] The SAMLRequest String.
       #
       def create_logout_request_xml_doc(settings)
+        document = create_xml_document(settings)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings)
         time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
         request_doc = XMLSecurity::Document.new
@@ -98,11 +109,11 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
+        root.attributes['Destination'] = settings.idp_slo_service_url  unless settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
 
-        if settings.issuer
+        if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         nameid = root.add_element "saml:NameID"
@@ -122,14 +133,18 @@ module OneLogin
           sessionindex.text = settings.sessionindex
         end
 
+        request_doc
+      end
+
+      def sign_document(document, settings)
         # embed signature
-        if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.security[:logout_requests_signed] && settings.private_key && settings.certificate
           private_key = settings.get_sp_key
           cert = settings.get_sp_cert
-          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 
-        request_doc
+        document
       end
     end
   end

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -24,7 +24,7 @@ module OneLogin
       # Constructs the Logout Response. A Logout Response Object that is an extension of the SamlMessage class.
       # @param response  [String] A UUEncoded logout response from the IdP.
       # @param settings  [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param options   [Hash] Extra parameters. 
+      # @param options   [Hash] Extra parameters.
       #                    :matches_request_id It will validate that the logout response matches the ID of the request.
       #                    :get_params GET Parameters, including the SAMLResponse
       #                    :relax_signature_validation to accept signatures if no idp certificate registered on settings
@@ -43,19 +43,20 @@ module OneLogin
         end
 
         @options = options
-        @response = decode_raw_saml(response)
+        @response = decode_raw_saml(response, settings)
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
+      def response_id
+        id(document)
+      end
+
       # Checks if the Status has the "Success" code
       # @return [Boolean] True if the StatusCode is Sucess
       # @raise [ValidationError] if soft == false and validation fails
-      # 
+      #
       def success?
-        unless status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
-          return append_error("Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <#@status_code>")
-        end
-        true
+        return status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
       end
 
       # @return [String|nil] Gets the InResponseTo attribute from the Logout Response if exists.
@@ -65,7 +66,7 @@ module OneLogin
           node = REXML::XPath.first(
             document,
             "/p:LogoutResponse",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            { "p" => PROTOCOL }
           )
           node.nil? ? nil : node.attributes['InResponseTo']
         end
@@ -88,7 +89,7 @@ module OneLogin
       #
       def status_code
         @status_code ||= begin
-          node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL })
           node.nil? ? nil : node.attributes["Value"]
         end
       end
@@ -98,7 +99,7 @@ module OneLogin
           node = REXML::XPath.first(
             document,
             "/p:LogoutResponse/p:Status/p:StatusMessage",
-            { "p" => PROTOCOL, "a" => ASSERTION }
+            { "p" => PROTOCOL }
           )
           Utils.element_text(node)
         end
@@ -146,7 +147,7 @@ module OneLogin
 
       # Validates the Logout Response against the specified schema.
       # @return [Boolean] True if the XML is valid, otherwise False if soft=True
-      # @raise [ValidationError] if soft == false and validation fails 
+      # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_structure
         unless valid_saml?(document, soft)
@@ -166,7 +167,7 @@ module OneLogin
 
         return append_error("No settings on logout response") if settings.nil?
 
-        return append_error("No issuer in settings of the logout response") if settings.issuer.nil?
+        return append_error("No sp_entity_id in settings of the logout response") if settings.sp_entity_id.nil?
 
         if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
           return append_error("No fingerprint or certificate on settings of the logout response")
@@ -205,7 +206,7 @@ module OneLogin
       # Validates the Signature if it exists and the GET parameters are provided
       # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
-      #      
+      #
       def validate_signature
         return true unless !options.nil?
         return true unless options.has_key? :get_params
@@ -231,33 +232,48 @@ module OneLogin
           :raw_sig_alg     => options[:raw_get_params]['SigAlg']
         )
 
+        expired = false
         if idp_certs.nil? || idp_certs[:signing].empty?
           valid = OneLogin::RubySaml::Utils.verify_signature(
-            :cert         => settings.get_idp_cert,
+            :cert         => idp_cert,
             :sig_alg      => options[:get_params]['SigAlg'],
             :signature    => options[:get_params]['Signature'],
             :query_string => query_string
           )
+          if valid && settings.security[:check_idp_cert_expiration]
+            if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+              expired = true
+            end
+          end
         else
           valid = false
-          idp_certs[:signing].each do |idp_cert|
+          idp_certs[:signing].each do |signing_idp_cert|
             valid = OneLogin::RubySaml::Utils.verify_signature(
-              :cert         => idp_cert,
+              :cert         => signing_idp_cert,
               :sig_alg      => options[:get_params]['SigAlg'],
               :signature    => options[:get_params]['Signature'],
               :query_string => query_string
             )
             if valid
+              if settings.security[:check_idp_cert_expiration]
+                if OneLogin::RubySaml::Utils.is_cert_expired(signing_idp_cert)
+                  expired = true
+                end
+              end
               break
             end
           end
         end
 
+        if expired
+          error_msg = "IdP x509 certificate expired"
+          return append_error(error_msg)
+        end
         unless valid
           error_msg = "Invalid Signature on Logout Response"
           return append_error(error_msg)
         end
-        true        
+        true
       end
 
     end

data/lib/onelogin/ruby-saml/metadata.rb

@@ -15,25 +15,56 @@ module OneLogin
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param pretty_print [Boolean] Pretty print or not the response
       #                               (No pretty print if you gonna validate the signature)
+      # @param valid_until [DateTime] Metadata's valid time
+      # @param cache_duration [Integer] Duration of the cache in seconds
       # @return [String] XML Metadata of the Service Provider
       #
-      def generate(settings, pretty_print=false)
+      def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
         meta_doc = XMLSecurity::Document.new
+        add_xml_declaration(meta_doc)
+        root = add_root_element(meta_doc, settings, valid_until, cache_duration)
+        sp_sso = add_sp_sso_element(root, settings)
+        add_sp_certificates(sp_sso, settings)
+        add_sp_service_elements(sp_sso, settings)
+        add_extras(root, settings)
+        embed_signature(meta_doc, settings)
+        output_xml(meta_doc, pretty_print)
+      end
+
+      protected
+
+      def add_xml_declaration(meta_doc)
+        meta_doc << REXML::XMLDecl.new('1.0', 'UTF-8')
+      end
+
+      def add_root_element(meta_doc, settings, valid_until, cache_duration)
         namespaces = {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
         }
+
         if settings.attribute_consuming_service.configured?
           namespaces["xmlns:saml"] = "urn:oasis:names:tc:SAML:2.0:assertion"
         end
-        root = meta_doc.add_element "md:EntityDescriptor", namespaces
-        sp_sso = root.add_element "md:SPSSODescriptor", {
+
+        root = meta_doc.add_element("md:EntityDescriptor", namespaces)
+        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
+        root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
+        root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z') if valid_until
+        root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
+        root
+      end
+
+      def add_sp_sso_element(root, settings)
+        root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
             "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
             "WantAssertionsSigned" => settings.security[:want_assertions_signed],
         }
+      end
 
-        # Add KeyDescriptor if messages will be signed / encrypted
-        # with SP certificate, and new SP certificate if any
+      # Add KeyDescriptor if messages will be signed / encrypted
+      # with SP certificate, and new SP certificate if any
+      def add_sp_certificates(sp_sso, settings)
         cert = settings.get_sp_cert
         cert_new = settings.get_sp_cert_new
 
@@ -56,10 +87,10 @@ module OneLogin
           end
         end
 
-        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
-        if settings.issuer
-          root.attributes["entityID"] = settings.issuer
-        end
+        sp_sso
+      end
+
+      def add_sp_service_elements(sp_sso, settings)
         if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
               "Binding" => settings.single_logout_service_binding,
@@ -67,10 +98,12 @@ module OneLogin
               "ResponseLocation" => settings.single_logout_service_url
           }
         end
+
         if settings.name_identifier_format
           nameid = sp_sso.add_element "md:NameIDFormat"
           nameid.text = settings.name_identifier_format
         end
+
         if settings.assertion_consumer_service_url
           sp_sso.add_element "md:AssertionConsumerService", {
               "Binding" => settings.assertion_consumer_service_binding,
@@ -109,15 +142,27 @@ module OneLogin
         #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
-        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+        sp_sso
+      end
 
-        # embed signature
-        if settings.security[:metadata_signed] && settings.private_key && settings.certificate
-          private_key = settings.get_sp_key
-          meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
-        end
+      # can be overridden in subclass
+      def add_extras(root, _settings)
+        root
+      end
+
+      def embed_signature(meta_doc, settings)
+        return unless settings.security[:metadata_signed]
+
+        private_key = settings.get_sp_key
+        cert = settings.get_sp_cert
+        return unless private_key && cert
+
+        meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+      end
+
+      def output_xml(meta_doc, pretty_print)
+        ret = ''
 
-        ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
         if pretty_print
           meta_doc.write(ret, 1)
@@ -125,7 +170,7 @@ module OneLogin
           ret = meta_doc.to_s
         end
 
-        return ret
+        ret
       end
     end
   end

data/lib/onelogin/ruby-saml/response.rb

@@ -34,7 +34,7 @@ module OneLogin
       # This is not a whitelist to allow people extending OneLogin::RubySaml:Response
       # and pass custom options
       AVAILABLE_OPTIONS = [
-        :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_authnstatement, :skip_conditions,
+        :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_audience, :skip_authnstatement, :skip_conditions,
         :skip_destination, :skip_recipient_check, :skip_subject_confirmation
       ]
       # TODO: Update the comment on initialize to describe every option
@@ -47,6 +47,8 @@ module OneLogin
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
       #                          or skip the subject confirmation validation with the :skip_subject_confirmation option
       #                          or skip the recipient validation of the subject confirmation element with :skip_recipient_check option
+      #                          or skip the audience validation with :skip_audience option
+      #
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
 
@@ -61,7 +63,7 @@ module OneLogin
           end
         end
 
-        @response = decode_raw_saml(response)
+        @response = decode_raw_saml(response, settings)
         @document = XMLSecurity::SignedDocument.new(@response, @errors)
 
         if assertion_encrypted?
@@ -171,9 +173,10 @@ module OneLogin
                 # identify the subject in an SP rather than email or other less opaque attributes
                 # NameQualifier, if present is prefixed with a "/" to the value
                 else
-                 REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect{|n|
-                    (n.attributes['NameQualifier'] ? n.attributes['NameQualifier'] +"/" : '') + Utils.element_text(n)
-                  }
+                  REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect do |n|
+                    base_path = n.attributes['NameQualifier'] ? "#{n.attributes['NameQualifier']}/" : ''
+                    "#{base_path}#{Utils.element_text(n)}"
+                  end
                 end
               }
 
@@ -221,14 +224,13 @@ module OneLogin
                 "/p:Response/p:Status/p:StatusCode/p:StatusCode",
                 { "p" => PROTOCOL }
               )
-              statuses = nodes.collect do |node|
-                node.attributes["Value"]
-              end
-              extra_code = statuses.join(" | ")
-              if extra_code
-                code = "#{code} | #{extra_code}"
+              statuses = nodes.collect do |inner_node|
+                inner_node.attributes["Value"]
               end
+
+              code = [code, statuses].flatten.join(" | ")
             end
+
             code
           end
         end
@@ -288,7 +290,6 @@ module OneLogin
             raise ValidationError.new(error_msg)
           end
 
-          doc = decrypted_document.nil? ? document : decrypted_document
           issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
           unless issuer_assertion_nodes.size == 1
             error_msg = "Issuer of the Assertion not found or multiple."
@@ -336,9 +337,31 @@ module OneLogin
       end
 
       # returns the allowed clock drift on timing validation
-      # @return [Integer]
+      # @return [Float]
       def allowed_clock_drift
-        return options[:allowed_clock_drift] || 0
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
+      end
+
+      # Checks if the SAML Response contains or not an EncryptedAssertion element
+      # @return [Boolean] True if the SAML Response contains an EncryptedAssertion element
+      #
+      def assertion_encrypted?
+        ! REXML::XPath.first(
+          document,
+          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+          { "p" => PROTOCOL, "a" => ASSERTION }
+        ).nil?
+      end
+
+      def response_id
+        id(document)
+      end
+
+      def assertion_id
+        @assertion_id ||= begin
+          node = xpath_first_from_signed_assertion("")
+          node.nil? ? nil : node.attributes['ID']
+        end
       end
 
       private
@@ -353,7 +376,6 @@ module OneLogin
         return false unless validate_response_state
 
         validations = [
-          :validate_response_state,
           :validate_version,
           :validate_id,
           :validate_success_status,
@@ -435,7 +457,7 @@ module OneLogin
       # @return [Boolean] True if the SAML Response contains an ID, otherwise returns False
       #
       def validate_id
-        unless id(document)
+        unless response_id
           return append_error("Missing ID attribute on SAML Response")
         end
 
@@ -584,16 +606,18 @@ module OneLogin
       end
 
       # Validates the Audience, (If the Audience match the Service Provider EntityID)
+      # If the response was initialized with the :skip_audience option, this validation is skipped,
       # If fails, the error is added to the errors array
       # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_audience
-        return true if audiences.empty? || settings.issuer.nil? || settings.issuer.empty?
+        return true if options[:skip_audience]
+        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 
-        unless audiences.include? settings.issuer
+        unless audiences.include? settings.sp_entity_id
           s = audiences.count > 1 ? 's' : '';
-          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.issuer}"
+          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.sp_entity_id}"
           return append_error(error_msg)
         end
 
@@ -668,13 +692,13 @@ module OneLogin
 
         now = Time.now.utc
 
-        if not_before && (now_with_drift = now + allowed_clock_drift) < not_before
-          error_msg = "Current time is earlier than NotBefore condition (#{now_with_drift} < #{not_before})"
+        if not_before && now < (not_before - allowed_clock_drift)
+          error_msg = "Current time is earlier than NotBefore condition (#{now} < #{not_before}#{" - #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
-        if not_on_or_after && now >= (not_on_or_after_with_drift = not_on_or_after + allowed_clock_drift)
-          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after_with_drift})"
+        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+          error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
           return append_error(error_msg)
         end
 
@@ -709,15 +733,15 @@ module OneLogin
       # this time validation is relaxed by the allowed_clock_drift value)
       # If fails, the error is added to the errors array
       # @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the response is invalid or not)
-      # @return [Boolean] True if the SessionNotOnOrAfter of the AttributeStatement is valid, otherwise (when expired) False if soft=True
+      # @return [Boolean] True if the SessionNotOnOrAfter of the AuthnStatement is valid, otherwise (when expired) False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_session_expiration(soft = true)
         return true if session_expires_at.nil?
 
         now = Time.now.utc
-        unless (session_expires_at + allowed_clock_drift) > now
-          error_msg = "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response"
+        unless now < (session_expires_at + allowed_clock_drift)
+          error_msg = "The attributes have expired, based on the SessionNotOnOrAfter of the AuthnStatement of this Response"
           return append_error(error_msg)
         end
 
@@ -754,8 +778,8 @@ module OneLogin
 
           attrs = confirmation_data_node.attributes
           next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
-                  (attrs.include? "NotOnOrAfter" and (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift) <= now) ||
-                  (attrs.include? "NotBefore" and parse_time(confirmation_data_node, "NotBefore") > (now + allowed_clock_drift)) ||
+                  (attrs.include? "NotBefore" and now < (parse_time(confirmation_data_node, "NotBefore") - allowed_clock_drift)) ||
+                  (attrs.include? "NotOnOrAfter" and now >= (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift)) ||
                   (attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.assertion_consumer_service_url)
 
           valid_subject_confirmation = true
@@ -781,8 +805,8 @@ module OneLogin
             return append_error("An empty NameID value found")
           end
 
-          unless settings.issuer.nil? || settings.issuer.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
-            if name_id_spnamequalifier != settings.issuer
+          unless settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
+            if name_id_spnamequalifier != settings.sp_entity_id
               return append_error("The SPNameQualifier value mistmatch the SP entityID value.")
             end
           end
@@ -802,7 +826,7 @@ module OneLogin
         # otherwise, review if the decrypted assertion contains a signature
         sig_elements = REXML::XPath.match(
           document,
-          "/p:Response[@ID=$id]/ds:Signature]",
+          "/p:Response[@ID=$id]/ds:Signature",
           { "p" => PROTOCOL, "ds" => DSIG },
           { 'id' => document.signed_element_id }
         )
@@ -821,28 +845,59 @@ module OneLogin
         end
 
         if sig_elements.size != 1
+          if sig_elements.size == 0
+             append_error("Signed element id ##{doc.signed_element_id} is not found")
+          else
+             append_error("Signed element id ##{doc.signed_element_id} is found more than once")
+          end
           return append_error(error_msg)
         end
 
+        old_errors = @errors.clone
+
         idp_certs = settings.get_idp_cert_multi
         if idp_certs.nil? || idp_certs[:signing].empty?
           opts = {}
           opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
-          opts[:cert] = settings.get_idp_cert
+          idp_cert = settings.get_idp_cert
           fingerprint = settings.get_fingerprint
+          opts[:cert] = idp_cert
 
-          unless fingerprint && doc.validate_document(fingerprint, @soft, opts)
+          if fingerprint && doc.validate_document(fingerprint, @soft, opts)
+            if settings.security[:check_idp_cert_expiration]
+              if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+                error_msg = "IdP x509 certificate expired"
+                return append_error(error_msg)
+              end
+            end
+          else
             return append_error(error_msg)
           end
         else
           valid = false
+          expired = false
           idp_certs[:signing].each do |idp_cert|
-            valid = doc.validate_document_with_cert(idp_cert)
+            valid = doc.validate_document_with_cert(idp_cert, true)
             if valid
+              if settings.security[:check_idp_cert_expiration]
+                if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+                  expired = true
+                end
+              end
+
+              # At least one certificate is valid, restore the old accumulated errors
+              @errors = old_errors
               break
             end
+
+          end
+          if expired
+            error_msg = "IdP x509 certificate expired"
+            return append_error(error_msg)
           end
           unless valid
+            # Remove duplicated errors
+            @errors = @errors.uniq
             return append_error(error_msg)
           end
         end
@@ -943,17 +998,6 @@ module OneLogin
         XMLSecurity::SignedDocument.new(response_node.to_s)
       end
 
-      # Checks if the SAML Response contains or not an EncryptedAssertion element
-      # @return [Boolean] True if the SAML Response contains an EncryptedAssertion element
-      #
-      def assertion_encrypted?
-        ! REXML::XPath.first(
-          document,
-          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
-          { "p" => PROTOCOL, "a" => ASSERTION }
-        ).nil?
-      end
-
       # Decrypts an EncryptedAssertion element
       # @param encrypted_assertion_node [REXML::Element] The EncryptedAssertion element
       # @return [REXML::Document] The decrypted EncryptedAssertion element