ruby-saml 0.6.0 → 0.7.0

data/.gitignore

@@ -8,3 +8,4 @@ Gemfile.lock
 lib/Lib.iml
 test/Test.iml
 .rvmrc
+*.gem

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -10,6 +10,8 @@ module Onelogin
   include REXML
     class Authrequest
       def create(settings, params = {})
+        params = {} if params.nil?
+
         request_doc = create_authentication_xml_doc(settings)
 
         request = ""
@@ -17,14 +19,14 @@ module Onelogin
 
         Logging.debug "Created AuthnRequest: #{request}"
 
-        deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
-        base64_request    = Base64.encode64(deflated_request)
+        request           = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
+        base64_request    = Base64.encode64(request)
         encoded_request   = CGI.escape(base64_request)
         params_prefix     = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
         request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
 
         params.each_pair do |key, value|
-          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
 
         settings.idp_sso_target_url + request_params

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -35,7 +35,7 @@ module Onelogin
 
       def create_unauth_xml_doc(settings, params)
 
-        time = Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
+        time = Time.new().strftime("%Y-%m-%dT%H:%M:%S")
 
         request_doc = REXML::Document.new
         root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
@@ -53,6 +53,8 @@ module Onelogin
           name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
           name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
           name_id.text = settings.name_identifier_value
+        else
+          raise ValidationError.new("Missing required name identifier")
         end
 
         if settings.sessionindex

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -0,0 +1,154 @@
+require "xml_security"
+require "time"
+require "base64"
+require "zlib"
+require "open-uri"
+
+module Onelogin
+  module Saml
+    class Logoutresponse
+
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      # For API compability, this is mutable.
+      attr_accessor :settings
+
+      attr_reader :document
+      attr_reader :response
+      attr_reader :options
+
+      #
+      # In order to validate that the response matches a given request, append
+      # the option:
+      #   :matches_request_id => REQUEST_ID
+      #
+      # It will validate that the logout response matches the ID of the request.
+      # You can also do this yourself through the in_response_to accessor.
+      #
+      def initialize(response, settings = nil, options = {})
+        raise ArgumentError.new("Logoutresponse cannot be nil") if response.nil?
+        self.settings = settings
+
+        @options = options
+        @response = decode_raw_response(response)
+        @document = XMLSecurity::SignedDocument.new(response)
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      def validate(soft = true)
+        return false unless valid_saml?(soft) && valid_state?(soft)
+
+        valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
+      end
+
+      def success?(soft = true)
+        unless status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+          return soft ? false : validation_error("Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <#@status_code> ")
+        end
+        true
+      end
+
+      def in_response_to
+        @in_response_to ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes['InResponseTo']
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      def status_code
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes["Value"]
+        end
+      end
+
+      private
+
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def decode_raw_response(response)
+        if response =~ /^</
+          return response
+        elsif (decoded  = decode(response)) =~ /^</
+          return decoded
+        elsif (inflated = inflate(decoded)) =~ /^</
+          return inflated
+        end
+
+        raise "Couldn't decode SAMLResponse"
+      end
+
+      def valid_saml?(soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(self.document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| raise(Exception.new("#{error.message}\n\n#{@xml.to_s}")) }
+        end
+      end
+
+      def valid_state?(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.issuer.nil?
+          return soft ? false : validation_error("No issuer in settings")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def valid_in_response_to?(soft = true)
+        return true unless self.options.has_key? :matches_request_id
+
+        unless self.options[:matches_request_id] == in_response_to
+          return soft ? false : validation_error("Response does not match the request ID, expected: <#{self.options[:matches_request_id]}>, but was: <#{in_response_to}>")
+        end
+
+        true
+      end
+
+      def valid_issuer?(soft = true)
+        unless URI.parse(issuer) == URI.parse(self.settings.issuer)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.issuer}>, but was: <#{issuer}>")
+        end
+        true
+      end
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/metadata.rb

@@ -12,15 +12,29 @@ module Onelogin
     class Metadata
       def generate(settings)
         meta_doc = REXML::Document.new
-        root = meta_doc.add_element "md:EntityDescriptor", { 
-            "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata" 
+        root = meta_doc.add_element "md:EntityDescriptor", {
+            "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
         }
-        sp_sso = root.add_element "md:SPSSODescriptor", { 
-            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol"
+        sp_sso = root.add_element "md:SPSSODescriptor", {
+            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            # Metadata request need not be signed (as we don't publish our cert)
+            "AuthnRequestsSigned" => false,
+            # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
+            "WantAssertionsSigned" => (!settings.idp_cert_fingerprint.nil? || !settings.idp_cert.nil?)
         }
         if settings.issuer != nil
           root.attributes["entityID"] = settings.issuer
         end
+        if settings.assertion_consumer_logout_service_url != nil
+          sp_sso.add_element "md:SingleLogoutService", {
+              # Add this as a setting to create different bindings?
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+              "Location" => settings.assertion_consumer_logout_service_url,
+              "ResponseLocation" => settings.assertion_consumer_logout_service_url,
+              "isDefault" => true,
+              "index" => 0
+          }
+        end
         if settings.name_identifier_format != nil
           name_id = sp_sso.add_element "md:NameIDFormat"
           name_id.text = settings.name_identifier_format
@@ -29,9 +43,15 @@ module Onelogin
           sp_sso.add_element "md:AssertionConsumerService", {
               # Add this as a setting to create different bindings?
               "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-              "Location" => settings.assertion_consumer_service_url
+              "Location" => settings.assertion_consumer_service_url,
+              "isDefault" => true,
+              "index" => 0
           }
         end
+        # With OpenSSO, it might be required to also include
+        #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+        #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+
         meta_doc << REXML::XMLDecl.new
         ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
@@ -39,8 +59,7 @@ module Onelogin
 
         Logging.debug "Generated metadata:\n#{ret}"
 
-        return ret
-
+        ret
       end
     end
   end

data/lib/onelogin/ruby-saml/response.rb

@@ -11,22 +11,18 @@ module Onelogin
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
 
-      attr_accessor :options, :response, :document, :settings
+      # TODO: This should probably be ctor initialized too... WDYT?
+      attr_accessor :settings
+
+      attr_reader :options
+      attr_reader :response
+      attr_reader :document
 
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
-        self.options  = options
-        self.response = response
-
-        begin
-          self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
-        rescue REXML::ParseException => e
-          if response =~ /</
-            self.document = XMLSecurity::SignedDocument.new(response)
-          else
-            raise e
-          end
-        end
+        @options  = options
+        @response = (response =~ /^</) ? response : Base64.decode64(response)
+        @document = XMLSecurity::SignedDocument.new(@response)
       end
 
       def is_valid?
@@ -46,6 +42,14 @@ module Onelogin
         end
       end
 
+      def sessionindex
+        @sessionindex ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||=  REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes['SessionIndex']
+        end
+      end
+
       # A hash of alle the attributes with the response. Assuming there is only one value for each key
       def attributes
         @attr_statements ||= begin
@@ -155,13 +159,13 @@ module Onelogin
         return true if conditions.nil?
         return true if options[:skip_conditions]
 
-        if not_before = parse_time(conditions, "NotBefore")
+        if (not_before = parse_time(conditions, "NotBefore"))
           if Time.now.utc < not_before
             return soft ? false : validation_error("Current time is earlier than NotBefore condition")
           end
         end
 
-        if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
+        if (not_on_or_after = parse_time(conditions, "NotOnOrAfter"))
           if Time.now.utc >= not_on_or_after
             return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
           end

data/lib/onelogin/ruby-saml/settings.rb

@@ -1,7 +1,8 @@
 module Onelogin
   module Saml
     class Settings
-      def initialize(config = {})
+      def initialize(overrides = {})
+        config = DEFAULTS.merge(overrides)
         config.each do |k,v|
           acc = "#{k.to_s}=".to_sym
           self.send(acc, v) if self.respond_to? acc
@@ -13,6 +14,12 @@ module Onelogin
       attr_accessor :idp_slo_target_url
       attr_accessor :name_identifier_value
       attr_accessor :sessionindex
+      attr_accessor :assertion_consumer_logout_service_url
+      attr_accessor :compress_request
+
+      private
+      
+      DEFAULTS = {:compress_request => true}
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module Onelogin
   module Saml
-    VERSION = '0.6.0'
+    VERSION = '0.7.0'
   end
 end

data/lib/ruby-saml.rb

@@ -1,6 +1,7 @@
 require 'onelogin/ruby-saml/logging'
 require 'onelogin/ruby-saml/authrequest'
 require 'onelogin/ruby-saml/logoutrequest'
+require 'onelogin/ruby-saml/logoutresponse'
 require 'onelogin/ruby-saml/response'
 require 'onelogin/ruby-saml/settings'
 require 'onelogin/ruby-saml/validation_error'

data/lib/xml_security.rb

@@ -80,7 +80,7 @@ module XMLSecurity
       signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
       self.noko_sig_element ||= document.at_xpath('//ds:Signature', 'ds' => DSIG)
       noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
-      canon_algorithm = canon_algorithm REXML::XPath.first(sig_element, '//ds:CanonicalizationMethod')
+      canon_algorithm = canon_algorithm REXML::XPath.first(sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
@@ -89,7 +89,7 @@ module XMLSecurity
         uri                           = ref.attributes.get_attribute("URI").value
 
         hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
-        canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod')
+        canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
         canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces).gsub('&','&')
 
         digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))

data/test/logoutrequest_test.rb

@@ -7,6 +7,8 @@ class RequestTest < Test::Unit::TestCase
 
     should "create the deflated SAMLRequest URL parameter" do
       settings.idp_slo_target_url = "http://unauth.com/logout"
+      settings.name_identifier_value = "f00f00"
+
       unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
       assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
 
@@ -50,10 +52,19 @@ class RequestTest < Test::Unit::TestCase
       assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
     end
 
+    should "require name_identifier_value" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_slo_target_url = "http://example.com"
+      settings.name_identifier_format = nil
+
+      assert_raises(Onelogin::Saml::ValidationError) { Onelogin::Saml::Logoutrequest.new.create(settings) }
+    end
+
     context "when the target url doesn't contain a query string" do
       should "create the SAMLRequest parameter correctly" do
         settings = Onelogin::Saml::Settings.new
         settings.idp_slo_target_url = "http://example.com"
+        settings.name_identifier_value = "f00f00"
 
         unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
@@ -64,6 +75,7 @@ class RequestTest < Test::Unit::TestCase
       should "create the SAMLRequest parameter correctly" do
         settings = Onelogin::Saml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
 
         unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
         assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
@@ -74,6 +86,7 @@ class RequestTest < Test::Unit::TestCase
       should "have access to the request uuid" do
         settings = Onelogin::Saml::Settings.new
         settings.idp_slo_target_url = "http://example.com?field=value"
+        settings.name_identifier_value = "f00f00"
 
         unauth_req = Onelogin::Saml::Logoutrequest.new
         unauth_url = unauth_req.create(settings)

data/test/logoutresponse_test.rb

@@ -0,0 +1,116 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'rexml/document'
+require 'responses/logoutresponse_fixtures'
+class RubySamlTest < Test::Unit::TestCase
+
+  context "Logoutresponse" do
+    context "#new" do
+      should "raise an exception when response is initialized with nil" do
+        assert_raises(ArgumentError) { Onelogin::Saml::Logoutresponse.new(nil) }
+      end
+      should "default to empty settings" do
+        logoutresponse = Onelogin::Saml::Logoutresponse.new( valid_response)
+        assert logoutresponse.settings.nil?
+      end
+      should "accept constructor-injected settings" do
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, settings)
+        assert !logoutresponse.settings.nil?
+      end
+      should "accept constructor-injected options" do
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
+        assert !logoutresponse.options.empty?
+      end
+      should "support base64 encoded responses" do
+        expected_response = valid_response
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(Base64.encode64(expected_response), settings)
+
+        assert_equal expected_response, logoutresponse.response
+      end
+    end
+
+    context "#validate" do
+      should "validate the response" do
+        in_relation_to_request_id = random_id
+
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
+
+        assert logoutresponse.validate
+
+        assert_equal settings.issuer, logoutresponse.issuer
+        assert_equal in_relation_to_request_id, logoutresponse.in_response_to
+
+        assert logoutresponse.success?
+      end
+
+      should "invalidate responses with wrong id when given option :matches_uuid" do
+
+        expected_request_id = "_some_other_expected_uuid"
+        opts = { :matches_request_id => expected_request_id}
+
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, settings, opts)
+
+        assert !logoutresponse.validate
+        assert_not_equal expected_request_id, logoutresponse.in_response_to
+      end
+
+      should "invalidate responses with wrong request status" do
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response, settings)
+
+        assert !logoutresponse.validate
+        assert !logoutresponse.success?
+      end
+    end
+
+    context "#validate!" do
+      should "validates good responses" do
+        in_relation_to_request_id = random_id
+
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
+
+        logoutresponse.validate!
+      end
+
+      should "raises validation error when matching for wrong request id" do
+
+        expected_request_id = "_some_other_expected_id"
+        opts = { :matches_request_id => expected_request_id}
+
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(valid_response, settings, opts)
+
+        assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
+      end
+
+      should "raise validation error for wrong request status" do
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response, settings)
+
+        assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
+      end
+
+      should "raise validation error when in bad state" do
+        # no settings
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response)
+        assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
+      end
+
+      should "raise validation error when in lack of issuer setting" do
+        bad_settings = settings
+        bad_settings.issuer = nil
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(unsuccessful_response, bad_settings)
+        assert_raises(Onelogin::Saml::ValidationError) { logoutresponse.validate! }
+      end
+
+      should "raise error for invalid xml" do
+        logoutresponse = Onelogin::Saml::Logoutresponse.new(invalid_xml_response, settings)
+
+        assert_raises(Exception) { logoutresponse.validate! }
+      end
+    end
+
+  end
+
+  # logoutresponse fixtures
+  def random_id
+    "_#{UUID.new.generate}"
+  end
+
+end

data/test/request_test.rb

@@ -19,6 +19,18 @@ class RequestTest < Test::Unit::TestCase
       assert_match /^<samlp:AuthnRequest/, inflated
     end
 
+    should "create the SAMLRequest URL parameter without deflating" do
+      settings = Onelogin::Saml::Settings.new
+      settings.compress_request = false
+      settings.idp_sso_target_url = "http://example.com"
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings)
+      assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+
+      assert_match /^<samlp:AuthnRequest/, decoded
+    end
+
     should "accept extra parameters" do
       settings = Onelogin::Saml::Settings.new
       settings.idp_sso_target_url = "http://example.com"

data/test/responses/logoutresponse_fixtures.rb

@@ -0,0 +1,67 @@
+#encoding: utf-8
+
+def default_response_opts
+  {
+      :uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
+      :issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
+      :settings => settings
+  }
+end
+
+def valid_response(opts = {})
+  opts = default_response_opts.merge!(opts)
+
+  "<samlp:LogoutResponse
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        ID=\"#{random_id}\" Version=\"2.0\"
+        IssueInstant=\"#{opts[:issue_instant]}\"
+        Destination=\"#{opts[:settings].assertion_consumer_logout_service_url}\"
+        InResponseTo=\"#{opts[:uuid]}\">
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
+      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+          Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
+      </samlp:StatusCode>
+      </samlp:Status>
+      </samlp:LogoutResponse>"
+end
+
+def unsuccessful_response(opts = {})
+  opts = default_response_opts.merge!(opts)
+
+  "<samlp:LogoutResponse
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        ID=\"#{random_id}\" Version=\"2.0\"
+        IssueInstant=\"#{opts[:issue_instant]}\"
+        Destination=\"#{opts[:settings].assertion_consumer_logout_service_url}\"
+        InResponseTo=\"#{opts[:uuid]}\">
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
+      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+          Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
+      </samlp:StatusCode>
+      </samlp:Status>
+      </samlp:LogoutResponse>"
+end
+
+def invalid_xml_response
+  "<samlp:SomethingAwful
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        ID=\"#{random_id}\" Version=\"2.0\">
+      </samlp:SomethingAwful>"
+end
+
+def settings
+  @settings ||= Onelogin::Saml::Settings.new(
+      {
+          :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
+          :assertion_consumer_logout_service_url => "http://app.muda.no/sso/consume_logout",
+          :issuer => "http://app.muda.no",
+          :sp_name_qualifier => "http://sso.muda.no",
+          :idp_sso_target_url => "http://sso.muda.no/sso",
+          :idp_slo_target_url => "http://sso.muda.no/slo",
+          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+      }
+  )
+end

data/test/responses/starfield_response.xml.base64

@@ -0,0 +1 @@
+PHNhbWxwOlJlc3BvbnNlIElEPSJCZWViMzkyYjc1Ny02ZGM3LTRlYjktYmI1Yy03NmU1MTFmZDZiZWIiIElzc3VlSW5zdGFudD0iMjAxMi0xMS0yOFQxODoxMzo0NVoiIFZlcnNpb249IjIuMCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PFNpZ25lZEluZm8+PENhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy9UUi8yMDAxL1JFQy14bWwtYzE0bi0yMDAxMDMxNSIgLz48U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIiAvPjxSZWZlcmVuY2UgVVJJPSIjQmVlYjM5MmI3NTctNmRjNy00ZWI5LWJiNWMtNzZlNTExZmQ2YmViIj48VHJhbnNmb3Jtcz48VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiIC8+PC9UcmFuc2Zvcm1zPjxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIgLz48RGlnZXN0VmFsdWU+S0RqNHlxK0RDaVVJZVpDZUcyRFhFZWxWVURNPTwvRGlnZXN0VmFsdWU+PC9SZWZlcmVuY2U+PC9TaWduZWRJbmZvPjxTaWduYXR1cmVWYWx1ZT5zTDZjakVJTkt0U2l3THpRamk3RzYvRXVXMytZVXUzOHNUa3A1WnJva2pmUUxxZlZacVE0MDltYXowSU9neDVwWW44TmxrdWpIZUtTQ1N6ME9uRjlLRUxUNEpINi82Sklob0JuSjdiY1JFMG0vSFdEbFhCRGU2V3hkd2w4M1Y2aENKMTZtM25tTHhLTldDRThPU3BuaEdqK3d3UFRxRU56NVRTdGgrbkU1WVcyLzNBU3ZYK3ZENjFBUFNUeWkxWm5CR0huWWRiZVQ5Yk9LUUFVck1kQ1ZwWFlYZlVrK1I5Qkh6U3grR1VaL3RWU01mUjQ0ZE01dlpjTXFnSHhtd1c0eUQrQUVYNVNNQlZEYkdRd1o5dUFnQk14YWtQYjU4VHM1YlVtVUVFUzFDbFV6Zm95S3lvdHR3WmIwSVVsQVh4bSs3RHNpT2tkQ1BTQjhyUDRnMXIvNHc9PTwvU2lnbmF0dXJlVmFsdWU+PEtleUluZm8+PFg1MDlEYXRhPjxYNTA5Q2VydGlmaWNhdGU+TUlJQ1dUQ0NBZ2VnQXdJQkFnSVF5K0lPeGE5UkZZcE1mZjlPYkJMNThqQUpCZ1VyRGdNQ0hRVUFNQll4RkRBU0JnTlZCQU1UQzFKdmIzUWdRV2RsYm1ONU1CNFhEVEV3TURFeU1URTFNREl4TUZvWERUTTVNVEl6TVRJek5UazFPVm93T0RFMk1EUUdBMVVFQXhNdFUwRk5URlJsYzNRdE5qSTVOalF4T0dRdFlUWmpOeTAwTVRoa0xUZzBaV0V0WmpSak1EUmlPV1JrTVdJMk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBM1JtMW9oaEcwdE5XdVRIdnpNYWJaWUgwclJSeUFGQ012Wk9EczBBNVArVjJSYVU2b3IwcmNpREhLQUlhaG5FVGRNcUl0RzhzbEtxeUhRRVAzbXFVTk1adjMrd3ByMVBlV0I2REJZMnBBUmoxM2pQaTUyTjVHSWF2UUtCS0E1OEJBcmtJK0pzQjZmMmpXWXM4c0YyekZ5TUg5aEEvZDJVRm50L1BDWjNBLytUU1FJY3lqTldiUVByZUNDdW1hRUJDVWkvbGRhQ2lZSXM2SUJ5aGdFeXRKYWhTejdPTWVPdWNKanFmUGRHbWlHVzZ1dzRmZmZaR3l1U0k0TC9memFKQTZGdU9XZlZCTUdLb3NoZzQxUnB3U3V1dDRXWU05dXlLZzdYQ1dZbndSL1F3YTJDQmgzdGZHd3E3ME5uMzcyWVdqYkszdU1OU2JzOHlhUGtqb0psLzJRSURBUUFCbzBzd1NUQkhCZ05WSFFFRVFEQStnQkFTNUFrdEJoMGRUd0NOWVNIY0ZtUmpvUmd3RmpFVU1CSUdBMVVFQXhNTFVtOXZkQ0JCWjJWdVkzbUNFQVkzYkFDcUFHU0tFYys0MUtwY05mUXdDUVlGS3c0REFoMEZBQU5CQUM1K2RFaElTbFB4bEZLeDIvQTVXcU9WTWZVVG96N2F6c0k3VDVmMXJkdWhrWXlDVnlvc3RUb3BSQWQrL3JSdzhxYmVGVXhYTVZHK3VHaG5RVlR3N0ljPTwvWDUwOUNlcnRpZmljYXRlPjwvWDUwOURhdGE+PC9LZXlJbmZvPjwvU2lnbmF0dXJlPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJCZWVhYjUwOTk1My01ZDE0LTQwMDctYTY0NC1mOWFjMmRlOWNlMjIiIElzc3VlSW5zdGFudD0iMjAwMy0wNC0xN1QwMDo0NjowMloiIFZlcnNpb249IjIuMCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxJc3N1ZXI+QmVlbGluZS5jb20NCiAgICAgICAgICAgICAgICA8L0lzc3Vlcj48U3ViamVjdD48TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIj4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdHJldm9yLmxpdHRsZUBzdGFyZmllbGR0bXMuY29tDQogICAgICAgICAgICAgICAgICAgICAgICA8L05hbWVJRD48U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiIC8+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxMi0xMS0yOFQxNzo1Mzo0NVoiIE5vdE9uT3JBZnRlcj0iMjAxMi0xMS0yOFQxODozMzo0NVoiPjwvQ29uZGl0aW9ucz48QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEyLTExLTI4VDE4OjEzOjQ1WiI+PEF1dGhuQ29udGV4dD48QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9BdXRobkNvbnRleHRDbGFzc1JlZj48L0F1dGhuQ29udGV4dD48L0F1dGhuU3RhdGVtZW50PjwvQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+

data/test/settings_test.rb

@@ -10,7 +10,8 @@ class SettingsTest < Test::Unit::TestCase
       accessors = [
         :assertion_consumer_service_url, :issuer, :sp_name_qualifier,
         :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
-        :idp_slo_target_url, :name_identifier_value, :sessionindex
+        :idp_slo_target_url, :name_identifier_value, :sessionindex,
+        :assertion_consumer_logout_service_url
       ]
 
       accessors.each do |accessor|

data/test/xml_security_test.rb

@@ -117,7 +117,17 @@ class XmlSecurityTest < Test::Unit::TestCase
         assert inclusive_namespaces.empty?
       end
     end
-    
+
+    context "StarfieldTMS" do
+      should "be able to validate a response" do
+        response = Onelogin::Saml::Response.new(fixture(:starfield_response))
+        response.settings = Onelogin::Saml::Settings.new(
+          :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
+        )
+        assert response.validate!
+      end
+    end
+
   end
   
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-02 00:00:00.000000000 Z
+date: 2013-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix
@@ -77,6 +77,7 @@ files:
 - lib/onelogin/ruby-saml/authrequest.rb
 - lib/onelogin/ruby-saml/logging.rb
 - lib/onelogin/ruby-saml/logoutrequest.rb
+- lib/onelogin/ruby-saml/logoutresponse.rb
 - lib/onelogin/ruby-saml/metadata.rb
 - lib/onelogin/ruby-saml/response.rb
 - lib/onelogin/ruby-saml/settings.rb
@@ -91,12 +92,14 @@ files:
 - ruby-saml.gemspec
 - test/certificates/certificate1
 - test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
 - test/request_test.rb
 - test/response_test.rb
 - test/responses/adfs_response_sha1.xml
 - test/responses/adfs_response_sha256.xml
 - test/responses/adfs_response_sha384.xml
 - test/responses/adfs_response_sha512.xml
+- test/responses/logoutresponse_fixtures.rb
 - test/responses/no_signature_ns.xml
 - test/responses/open_saml_response.xml
 - test/responses/response1.xml.base64
@@ -107,6 +110,7 @@ files:
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
 - test/responses/wrapped_response_2.xml.base64
 - test/settings_test.rb
 - test/test_helper.rb
@@ -132,19 +136,21 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 1.8.24
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: SAML Ruby Tookit
 test_files:
 - test/certificates/certificate1
 - test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
 - test/request_test.rb
 - test/response_test.rb
 - test/responses/adfs_response_sha1.xml
 - test/responses/adfs_response_sha256.xml
 - test/responses/adfs_response_sha384.xml
 - test/responses/adfs_response_sha512.xml
+- test/responses/logoutresponse_fixtures.rb
 - test/responses/no_signature_ns.xml
 - test/responses/open_saml_response.xml
 - test/responses/response1.xml.base64
@@ -155,6 +161,7 @@ test_files:
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
 - test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
 - test/responses/wrapped_response_2.xml.base64
 - test/settings_test.rb
 - test/test_helper.rb