saml_idp 0.16.0 → 1.0.0

data/spec/lib/saml_idp/incoming_metadata_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+
 module SamlIdp
 
   metadata_1 = <<-eos
@@ -29,11 +30,52 @@ module SamlIdp
 </md:EntityDescriptor>
   eos
 
+  metadata_5 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnht3GR...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_6 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmw6vGr...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_7 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dX3Gr...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
   describe IncomingMetadata do
     it 'should properly set sign_assertions to false' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_1)
       expect(metadata.sign_assertions).to eq(false)
-      expect(metadata.sign_authn_request).to eq(false)
     end
 
     it 'should properly set entity_id as https://test-saml.com/saml' do
@@ -56,5 +98,37 @@ module SamlIdp
       metadata = SamlIdp::IncomingMetadata.new(metadata_4)
       expect(metadata.sign_authn_request).to eq(false)
     end
+
+    it 'should properly set unspecified_certificate when present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_5)
+      expect(metadata.unspecified_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnht3GR...')
+    end
+
+    it 'should return empty unspecified_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should properly set signing_certificate when present but not unspecified_certificate' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_6)
+      expect(metadata.signing_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmw6vGr...')
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should return empty signing_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.signing_certificate).to eq('')
+    end
+
+    it 'should properly set encryption_certificate when present but not unspecified_certificate' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_7)
+      expect(metadata.encryption_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dX3Gr...')
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should return empty encryption_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.encryption_certificate).to eq('')
+    end
   end
 end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -6,7 +6,7 @@ module SamlIdp
     end
 
     it "signs valid xml" do
-      expect(Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT)).to be_truthy
+      expect(Saml::XML::Document.parse(subject.signed).valid_signature?("", Default::FINGERPRINT)).to be_truthy
     end
 
     it "includes logout element" do

data/spec/lib/saml_idp/request_spec.rb

@@ -1,157 +1,195 @@
 require 'spec_helper'
-module SamlIdp
-  describe Request do
-    let(:issuer) { 'localhost:3000' }
-    let(:raw_authn_request) do
-      "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>#{issuer}</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>"
-    end
 
-    describe "deflated request" do
-      let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
+RSpec.describe SamlIdp::Request, type: :model do
+  let(:valid_saml_request) { make_saml_request("https://foo.example.com/saml/consume", true) }
+  let(:valid_logout_request) { make_saml_sp_slo_request(security_options: { embed_sign: true })['SAMLRequest'] }
+  let(:invalid_saml_request) { "invalid_saml_request" }
+  let(:external_attributes) { { saml_request: valid_saml_request, relay_state: "state" } }
 
-      subject { described_class.from_deflated_request deflated_request }
+  describe ".from_deflated_request" do
+    context "when request is valid and deflated" do
+      it "inflates and decodes the request" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "inflates" do
-        expect(subject.request_id).to eq("_af43d1a0-e111-0130-661a-3c0754403fdb")
+        expect { Saml::XML::Document.parse(request.raw_xml) }.not_to raise_error
       end
+    end
 
-      it "handles invalid SAML" do
-        req = described_class.from_deflated_request "bang!"
-        expect(req.valid?).to eq(false)
+    context "when request is invalid" do
+      it "returns an empty inflated string" do
+        request = SamlIdp::Request.from_deflated_request(nil)
+        expect(request.raw_xml).to eq("")
       end
     end
+  end
 
-    describe "authn request" do
-      subject { described_class.new raw_authn_request }
-
-      it "has a valid request_id" do
-        expect(subject.request_id).to eq("_af43d1a0-e111-0130-661a-3c0754403fdb")
-      end
+  describe "#logout_request?" do
+    it "returns true for a valid logout request" do
+      request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+      expect(request.logout_request?).to be true
+    end
 
-      it "has a valid acs_url" do
-        expect(subject.acs_url).to eq("http://localhost:3000/saml/consume")
-      end
+    it "returns false for a non-logout request" do
+      request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+      expect(request.logout_request?).to be false
+    end
+  end
 
-      it "has a valid service_provider" do
-        expect(subject.service_provider).to be_a ServiceProvider
-      end
+  describe "#authn_request?" do
+    it "returns true for a valid authn request" do
+      request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+      expect(request.authn_request?).to be true
+    end
 
-      it "has a valid service_provider" do
-        expect(subject.service_provider).to be_truthy
-      end
+    it "returns false for a non-authn request" do
+      request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+      expect(request.authn_request?).to be false
+    end
+  end
 
-      it "has a valid issuer" do
-        expect(subject.issuer).to eq("localhost:3000")
-      end
+  describe "#valid?" do
+    let(:sp_issuer) { "test_issuer" }
+    let(:valid_service_provider) do 
+      instance_double(
+        "SamlIdp::ServiceProvider",
+        valid?: true,
+        acs_url: 'https://foo.example.com/saml/consume',
+        current_metadata: instance_double("Metadata", sign_authn_request?: true),
+        assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+        sign_authn_request: true,
+        acceptable_response_hosts: ["foo.example.com"],
+        cert: sp_x509_cert,
+        fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert, :sha256),
+      )
+    end
+    
+    before do
+      allow_any_instance_of(SamlIdp::Request).to receive(:service_provider).and_return(valid_service_provider)
+      allow_any_instance_of(SamlIdp::Request).to receive(:issuer).and_return(sp_issuer)
+    end
 
-      it "has a valid valid_signature" do
-        expect(subject.valid_signature?).to be_truthy
+    context "when the request is valid" do
+      it "returns true for a valid authn request" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+        expect(request.errors).to be_empty
+        expect(request.valid?).to be true
       end
 
-      it "should return acs_url for response_url" do
-        expect(subject.response_url).to eq(subject.acs_url)
+      it "returns true for a valid logout request" do
+        request = SamlIdp::Request.from_deflated_request(valid_logout_request)
+        expect(request.errors).to be_empty
+        expect(request.valid?).to be true
       end
+    end
 
-      it "is a authn request" do
-        expect(subject.authn_request?).to eq(true)
-      end
+    context 'when signature provided as external param' do
+      let!(:uri_query) { make_saml_sp_slo_request(security_options: { embed_sign: false }) }
+      let(:raw_saml_request) { uri_query['SAMLRequest'] }
+      let(:relay_state) { uri_query['RelayState'] }
+      let(:siging_algorithm) { uri_query['SigAlg'] }
+      let(:signature) { uri_query['Signature'] }
 
-      it "fetches internal request" do
-        expect(subject.request['ID']).to eq(subject.request_id)
+      subject do
+        described_class.from_deflated_request(
+          raw_saml_request,
+          saml_request: raw_saml_request,
+          relay_state: relay_state,
+          sig_algorithm: siging_algorithm,
+          signature: signature
+        )
       end
 
-      it 'has a valid authn context' do
-        expect(subject.requested_authn_context).to eq('urn:oasis:names:tc:SAML:2.0:ac:classes:Password')
+      it "should validate the request" do
+        expect(subject.valid_external_signature?).to be true
+        expect(subject.errors).to be_empty
       end
 
-      context 'the issuer is empty' do
-        let(:issuer) { nil }
-        let(:logger) { ->(msg) { puts msg } }
-
-        before do
-          allow(SamlIdp.config).to receive(:logger).and_return(logger)
-        end
-
-        it 'is invalid' do
-          expect(subject.issuer).to_not eq('')
-          expect(subject.issuer).to be_nil
-          expect(subject.valid?).to eq(false)
-        end
-
-        context 'a Ruby Logger is configured' do
-          let(:logger) { Logger.new($stdout) }
-
-          before do
-            allow(logger).to receive(:info)
-          end
-
-          it 'logs an error message' do
-            expect(subject.valid?).to be false
-            expect(logger).to have_received(:info).with('Unable to find service provider for issuer ')
-          end
-        end
-
-        context 'a Logger-like logger is configured' do
-          let(:logger) do
-            Class.new {
-              def info(msg); end
-            }.new
-          end
-
-          before do
-            allow(logger).to receive(:info)
-          end
-
-          it 'logs an error message' do
-            expect(subject.valid?).to be false
-            expect(logger).to have_received(:info).with('Unable to find service provider for issuer ')
-          end
-        end
-
-        context 'a logger lambda is configured' do
-          let(:logger) { double }
-
-          before { allow(logger).to receive(:call) }
-
-          it 'logs an error message' do
-            expect(subject.valid?).to be false
-            expect(logger).to have_received(:call).with('Unable to find service provider for issuer ')
-          end
-        end
+      it "should collect errors when the signature is invalid" do
+        allow(subject).to receive(:valid_external_signature?).and_return(false)
+        expect(subject.valid?).to eq(false)
+        expect(subject.errors).to include(:invalid_external_signature)
       end
     end
 
-    describe "logout request" do
-      let(:raw_logout_request) { "<LogoutRequest ID='_some_response_id' Version='2.0' IssueInstant='2010-06-01T13:00:00Z' Destination='http://localhost:3000/saml/logout' xmlns='urn:oasis:names:tc:SAML:2.0:protocol'><Issuer xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>http://example.com</Issuer><NameID xmlns='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'>some_name_id</NameID><SessionIndex>abc123index</SessionIndex></LogoutRequest>" }
-
-      subject { described_class.new raw_logout_request }
+    context "when the service provider is invalid" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:service_provider?).and_return(false)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "has a valid request_id" do
-        expect(subject.request_id).to eq('_some_response_id')
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:sp_not_found)
       end
+    end
 
-      it "should be flagged as a logout_request" do
-        expect(subject.logout_request?).to eq(true)
+    context "when empty certificate for authn request validation" do
+      let(:valid_service_provider) do 
+        instance_double(
+          "SamlIdp::ServiceProvider",
+          valid?: true,
+          acs_url: 'https://foo.example.com/saml/consume',
+          current_metadata: instance_double("Metadata", sign_authn_request?: true),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+          sign_authn_request: true,
+          acceptable_response_hosts: ["foo.example.com"],
+          cert: nil,
+          fingerprint: nil,
+        )
+      end
+      it "returns false and logs an error" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:empty_certificate)
       end
+    end
 
-      it "should have a valid name_id" do
-        expect(subject.name_id).to eq('some_name_id')
+    context "when empty certificate for logout validation" do
+      let(:valid_service_provider) do 
+        instance_double(
+          "SamlIdp::ServiceProvider",
+          valid?: true,
+          acs_url: 'https://foo.example.com/saml/consume',
+          current_metadata: instance_double("Metadata", sign_authn_request?: true),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout',
+          sign_authn_request: true,
+          acceptable_response_hosts: ["foo.example.com"],
+          cert: nil,
+          fingerprint: nil,
+        )
       end
 
-      it "should have a session index" do
-        expect(subject.session_index).to eq('abc123index')
+      before do
+        allow_any_instance_of(SamlIdp::Request).to receive(:authn_request?).and_return(false)
+        allow_any_instance_of(SamlIdp::Request).to receive(:logout_request?).and_return(true)
       end
 
-      it "should have a valid issuer" do
-        expect(subject.issuer).to eq('http://example.com')
+      it "returns false and logs an error" do
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:empty_certificate)
       end
+    end
 
-      it "fetches internal request" do
-        expect(subject.request['ID']).to eq(subject.request_id)
+    context "when both authn and logout requests are present" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:authn_request?).and_return(true)
+        allow_any_instance_of(SamlIdp::Request).to receive(:logout_request?).and_return(true)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
+
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:unaccepted_request)
       end
+    end
+
+    context "when the signature is invalid" do
+      it "returns false and logs an error" do
+        allow_any_instance_of(SamlIdp::Request).to receive(:valid_signature?).and_return(false)
+        allow_any_instance_of(SamlIdp::Request).to receive(:log)
+        request = SamlIdp::Request.from_deflated_request(valid_saml_request)
 
-      it "should return logout_url for response_url" do
-        expect(subject.response_url).to eq(subject.logout_url)
+        expect(request.valid?).to be false
+        expect(request.errors).to include(:invalid_embedded_signature)
       end
     end
   end

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -192,6 +192,25 @@ module SamlIdp
       expect(saml_resp.is_valid?).to eq(true)
     end
 
+    it "will pass reference_id as SessionIndex" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
+      resp_settings = saml_settings(saml_acs_url)
+      resp_settings.private_key = Default::SECRET_KEY
+      resp_settings.issuer = audience_uri
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+          "//saml:AuthnStatement/@SessionIndex",
+          {
+            "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+          }
+        ).value
+      ).to eq("_#{reference_id}")
+    end
+
     it "sets session expiration" do
       saml_resp = OneLogin::RubySaml::Response.new(subject.build)
       expect(saml_resp.session_expires_at).to eq Time.local(1990, "jan", 2).iso8601

data/spec/rails_app/app/views/saml_idp/idp/new.html.erb

@@ -4,6 +4,9 @@
 <%= form_tag do %>
   <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
   <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+  <%= hidden_field_tag("SigAlg", params[:SigAlg]) %>
+  <%= hidden_field_tag("Signature", params[:Signature]) %>
+
   <p>
     <%= label_tag :email %>
     <%= email_field_tag :email, params[:email], :autocapitalize => "off", :autocorrect => "off", :autofocus => "autofocus", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>

data/spec/support/saml_request_macros.rb

@@ -3,8 +3,8 @@ require 'saml_idp/logout_request_builder'
 module SamlRequestMacros
   def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     auth_request = OneLogin::RubySaml::Authrequest.new
-    auth_url = auth_request.create(saml_settings(requested_saml_acs_url, enable_secure_options))
-    CGI.unescape(auth_url.split("=").last)
+    auth_url = auth_request.create_params(saml_settings(requested_saml_acs_url, enable_secure_options))
+    auth_url['SAMLRequest']
   end
 
   def make_saml_logout_request(requested_saml_logout_url = 'https://foo.example.com/saml/logout')
@@ -18,41 +18,46 @@ module SamlRequestMacros
     Base64.strict_encode64(request_builder.signed)
   end
 
+  def make_saml_sp_slo_request(param_type: true, security_options: {})
+    logout_request = OneLogin::RubySaml::Logoutrequest.new
+    saml_sp_setting = saml_settings("https://foo.example.com/saml/consume", true, security_options: security_options)
+    if param_type
+      logout_request.create_params(saml_sp_setting, 'RelayState' => 'https://foo.example.com/home')
+    else
+      logout_request.create(saml_sp_setting, 'RelayState' => 'https://foo.example.com/home')
+    end
+  end
+
   def generate_sp_metadata(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     sp_metadata = OneLogin::RubySaml::Metadata.new
     sp_metadata.generate(saml_settings(saml_acs_url, enable_secure_options), true)
   end
 
-  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false, security_options: {})
     settings = OneLogin::RubySaml::Settings.new
     settings.assertion_consumer_service_url = saml_acs_url
     settings.issuer = "http://example.com/issuer"
     settings.idp_sso_target_url = "http://idp.com/saml/idp"
+    settings.idp_slo_target_url = "http://idp.com/saml/slo"
     settings.assertion_consumer_logout_service_url = 'https://foo.example.com/saml/logout'
     settings.idp_cert_fingerprint = SamlIdp::Default::FINGERPRINT
     settings.name_identifier_format = SamlIdp::Default::NAME_ID_FORMAT
-    add_securty_options(settings) if enable_secure_options
+    add_securty_options(settings, default_sp_security_options.merge!(security_options)) if enable_secure_options
     settings
   end
 
-  def add_securty_options(settings, authn_requests_signed: true, 
-                                    embed_sign: true, 
-                                    logout_requests_signed: true, 
-                                    logout_responses_signed: true,
-                                    digest_method: XMLSecurity::Document::SHA256,
-                                    signature_method: XMLSecurity::Document::RSA_SHA256,
-                                    assertions_signed: true)
+  def add_securty_options(settings, options = default_sp_security_options)
     # Security section
     settings.idp_cert = SamlIdp::Default::X509_CERTIFICATE
     # Signed embedded singature
-    settings.security[:authn_requests_signed] = authn_requests_signed
-    settings.security[:embed_sign] = embed_sign
-    settings.security[:logout_requests_signed] = logout_requests_signed
-    settings.security[:logout_responses_signed] = logout_responses_signed
-    settings.security[:metadata_signed] = digest_method
-    settings.security[:digest_method] = digest_method
-    settings.security[:signature_method] = signature_method
-    settings.security[:want_assertions_signed] = assertions_signed
+    settings.security[:authn_requests_signed] = options[:authn_requests_signed]
+    settings.security[:embed_sign] = options[:embed_sign]
+    settings.security[:logout_requests_signed] = options[:logout_requests_signed]
+    settings.security[:logout_responses_signed] = options[:logout_responses_signed]
+    settings.security[:metadata_signed] = options[:digest_method]
+    settings.security[:digest_method] = options[:digest_method]
+    settings.security[:signature_method] = options[:signature_method]
+    settings.security[:want_assertions_signed] = options[:assertions_signed]
     settings.private_key = sp_pv_key
     settings.certificate = sp_x509_cert
   end
@@ -84,16 +89,51 @@ module SamlRequestMacros
           response_hosts: [URI(saml_acs_url).host],
           acs_url: saml_acs_url,
           cert: sp_x509_cert,
-          fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert)
+          fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout'
         }
       }
     end
   end
 
+  def decode_saml_request(saml_request)
+    decoded_request = Base64.decode64(saml_request)
+    begin
+      # Try to decompress, since SAMLRequest might be compressed
+      Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(decoded_request)
+    rescue Zlib::DataError
+      # If it's not compressed, just return the decoded request
+      decoded_request
+    end
+  end
+
   def print_pretty_xml(xml_string)
     doc = REXML::Document.new xml_string
     outbuf = ""
     doc.write(outbuf, 1)
     puts outbuf
   end
+
+  def decode_saml_request(saml_request)
+    decoded_request = Base64.decode64(saml_request)
+    begin
+      # Try to decompress, since SAMLRequest might be compressed
+      Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(decoded_request)
+    rescue Zlib::DataError
+      # If it's not compressed, just return the decoded request
+      decoded_request
+    end
+  end
+
+  def default_sp_security_options
+    {
+      authn_requests_signed: true, 
+      embed_sign: true, 
+      logout_requests_signed: true, 
+      logout_responses_signed: true,
+      digest_method: XMLSecurity::Document::SHA256,
+      signature_method: XMLSecurity::Document::RSA_SHA256,
+      assertions_signed: true
+    }
+  end
 end

data/spec/support/security_helpers.rb

@@ -51,8 +51,8 @@ module SecurityHelpers
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
 
-  def signature_1
-    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+  def certificate_1
+    @certificate_1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
   end
 
   def r1_signature_2

data/spec/xml_security_spec.rb

@@ -19,7 +19,7 @@ module SamlIdp
     end
 
     it "it raise Fingerprint mismatch" do
-      expect { document.validate("no:fi:ng:er:pr:in:t", false) }.to(
+      expect { document.validate("", "no:fi:ng:er:pr:in:t", false) }.to(
         raise_error(SamlIdp::XMLSecurity::SignedDocument::ValidationError, "Fingerprint mismatch")
       )
     end
@@ -45,10 +45,10 @@ module SamlIdp
       response = Base64.decode64(response_document)
       response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
       document = XMLSecurity::SignedDocument.new(response)
-      expect { document.validate("a fingerprint", false) }.to(
+      expect { document.validate("", "a fingerprint", false) }.to(
         raise_error(
           SamlIdp::XMLSecurity::SignedDocument::ValidationError,
-          "Certificate element missing in response (ds:X509Certificate)"
+          "Certificate validation is required, but it doesn't exist."
         )
       )
     end
@@ -57,22 +57,26 @@ module SamlIdp
   describe "Algorithms" do
     it "validate using SHA1" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
-      expect(document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
     end
 
     it "validate using SHA256" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
-      expect(document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")).to be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")).to be_truthy
     end
 
     it "validate using SHA384" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
-      expect(document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
     end
 
     it "validate using SHA512" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
-      expect(document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
     end
   end