saml_idp 0.8.0 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 33008cf3468ff0038f5308fb5820edc2023c071d1d0a046c6778f9fd393d96da
-  data.tar.gz: 95e3adfcc852d0384ae3fa5c8740a820f16db073f83aef78bdba524d3581f8ed
+  metadata.gz: 73712903d3949f895e57a13b138c007e0ae74715d7d546b4415f278829e59054
+  data.tar.gz: fbab7e28d01ea3fc7624e52e20a234f6f997a51643905170e6809cb3f7beeec7
 SHA512:
-  metadata.gz: e66b93acbc0ab6b965258a6ba2c205e4563e197206b94c50dbd5a7603a36ebda7c2dc47d57932b821dcbd4a4e3e033616d2c6879141222b0496a0faa1811af6f
-  data.tar.gz: d3aee5f5466e2b7c70cb9434eb6c0fe3036d55335ec65555c489124ce4d4889e4051969d8f1cc87e2b3a523f1fbbc447a8a609a86e62a4ffd53f0cf4a7f31285
+  metadata.gz: 80a4683963e04b8b7f68051d15b12a5f0a098300cbfba9b72c4ed3940338ab3505c47cda0b091a9a36c1605f4396b5f1732bed7d3356438dd944f83541573a47
+  data.tar.gz: b01be29f645e31f9987afef74bb8b368ccfc86340b67e29524f582fe139e99b56cd827315d5a4e73d34b69e2c3c5b89d881c89f6d29b68c4b3cd2ff5499a39c3

data/README.md

@@ -1,4 +1,5 @@
 # Ruby SAML Identity Provider (IdP)
+
 Forked from https://github.com/lawrencepit/ruby-saml-idp
 
 [![Build Status](https://travis-ci.org/saml-idp/saml_idp.svg)](https://travis-ci.org/saml-idp/saml_idp)
@@ -19,6 +20,7 @@ Add this to your Gemfile:
     gem 'saml_idp'
 
 ## Not using rails?
+
 Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you.
 
 Basically you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value
@@ -30,9 +32,10 @@ posting to `saml_acs_url` the parameter `SAMLResponse` with the return value fro
 `encode_response(user_email)`.
 
 ## Using rails?
+
 Add to your `routes.rb` file, for example:
 
-``` ruby
+```ruby
 get '/saml/auth' => 'saml_idp#new'
 get '/saml/metadata' => 'saml_idp#show'
 post '/saml/auth' => 'saml_idp#create'
@@ -41,7 +44,7 @@ match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
 
 Create a controller that looks like this, customize to your own situation:
 
-``` ruby
+```ruby
 class SamlIdpController < SamlIdp::IdpController
   def idp_authenticate(email, password) # not using params intentionally
     user = User.by_email(email).first
@@ -69,6 +72,22 @@ end
 
 ## Configuration
 
+#### Signed assertions and Signed Response
+
+By default SAML Assertion will be signed with an algorithm which defined to `config.algorithm`. Because SAML assertions contain secure information used for authentication such as NameID.
+
+Signing SAML Response is optional, but some security perspective SP services might require Response message itself must be signed.
+For that, you can enable it with `config.signed_message` option. [More about SAML spec](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=68)
+
+#### Signing algorithm
+
+Following algorithms you can set in your response signing algorithm
+:sha1 - RSA-SHA1 default value but not recommended to production environment
+Highly recommended to use one of following algorithm, suit with your computing power.
+:sha256 - RSA-SHA256
+:sha384 - RSA-SHA384
+:sha512 - RSA-SHA512
+
 Be sure to load a file like this during your app initialization:
 
 ```ruby
@@ -88,20 +107,21 @@ KEY DATA
 CERT
 
   # config.password = "secret_key_password"
-  # config.algorithm = :sha256
+  # config.algorithm = :sha256                                    # Default: sha1 only for development.
   # config.organization_name = "Your Organization"
   # config.organization_url = "http://example.com"
   # config.base_saml_location = "#{base}/saml"
-  # config.reference_id_generator                                 # Default: -> { UUID.generate }
+  # config.reference_id_generator                                 # Default: -> { SecureRandom.uuid }
   # config.single_logout_service_post_location = "#{base}/saml/logout"
   # config.single_logout_service_redirect_location = "#{base}/saml/logout"
   # config.attribute_service_location = "#{base}/saml/attributes"
   # config.single_service_post_location = "#{base}/saml/auth"
   # config.session_expiry = 86400                                 # Default: 0 which means never
+  # config.signed_message = true                                  # Default: false which means unsigned SAML Response
 
   # Principal (e.g. User) is passed in when you `encode_response`
   #
-  # config.name_id.formats # =>
+  # config.name_id.formats =
   #   {                         # All 2.0
   #     email_address: -> (principal) { principal.email_address },
   #     transient: -> (principal) { principal.id },
@@ -211,6 +231,7 @@ end
 ```
 
 # Keys and Secrets
+
 To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret.
 You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032.
 Obviously you shouldn't use these if you intend to use this in production environments. In that case,
@@ -224,18 +245,28 @@ The fingerprint to use, if you use the default X.509 certificate of this gem, is
 9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
 ```
 
+# Fingerprint
+
+The gem provides an helper to generate a fingerprint for a X.509 certificate.
+The second parameter is optional and default to your configuration `SamlIdp.config.algorithm`
+
+```ruby
+Fingerprint.certificate_digest(x509_cert, :sha512)
+```
 
 # Service Providers
+
 To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the
 excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
 
-
 # Author
-Jon Phenow, me@jphenow.com
+
+Jon Phenow, jon@jphenow.com, jphenow.com, @jphenow
 
 Lawrence Pit, lawrence.pit@gmail.com, lawrencepit.com, @lawrencepit
 
 # Copyright
+
 Copyright (c) 2012 Sport Ngin.
 Portions Copyright (c) 2010 OneLogin, LLC
 Portions Copyright (c) 2012 Lawrence Pit (http://lawrencepit.com)

data/lib/saml_idp.rb

@@ -8,6 +8,7 @@ module SamlIdp
   require 'saml_idp/default'
   require 'saml_idp/metadata_builder'
   require 'saml_idp/version'
+  require 'saml_idp/fingerprint'
   require 'saml_idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
 
   def self.config

data/lib/saml_idp/configurator.rb

@@ -1,5 +1,7 @@
 # encoding: utf-8
 require 'ostruct'
+require 'securerandom'
+
 module SamlIdp
   class Configurator
     attr_accessor :x509_certificate
@@ -13,6 +15,7 @@ module SamlIdp
     attr_accessor :reference_id_generator
     attr_accessor :attribute_service_location
     attr_accessor :single_service_post_location
+    attr_accessor :single_service_redirect_location
     attr_accessor :single_logout_service_post_location
     attr_accessor :single_logout_service_redirect_location
     attr_accessor :attributes
@@ -24,7 +27,7 @@ module SamlIdp
       self.x509_certificate = Default::X509_CERTIFICATE
       self.secret_key = Default::SECRET_KEY
       self.algorithm = :sha1
-      self.reference_id_generator = ->() { UUID.generate }
+      self.reference_id_generator = ->() { SecureRandom.uuid }
       self.service_provider = OpenStruct.new
       self.service_provider.finder = ->(_) { Default::SERVICE_PROVIDER }
       self.service_provider.metadata_persister = ->(id, settings) {  }

data/lib/saml_idp/controller.rb

@@ -2,7 +2,7 @@
 require 'openssl'
 require 'base64'
 require 'time'
-require 'uuid'
+require 'securerandom'
 require 'saml_idp/request'
 require 'saml_idp/logout_response_builder'
 module SamlIdp
@@ -36,10 +36,12 @@ module SamlIdp
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
       decode_request(raw_saml_request)
       return true if valid_saml_request?
-      if Rails::VERSION::MAJOR >= 4
-        head :forbidden
-      else
-        render nothing: true, status: :forbidden
+      if defined?(::Rails)
+        if Rails::VERSION::MAJOR >= 4
+          head :forbidden
+        else
+          render nothing: true, status: :forbidden
+        end
       end
       false
     end
@@ -62,6 +64,7 @@ module SamlIdp
       expiry = opts[:expiry] || 60*60
       session_expiry = opts[:session_expiry]
       encryption_opts = opts[:encryption] || nil
+      signed_message_opts = opts[:signed_message] || false
 
       SamlResponse.new(
         reference_id,
@@ -75,7 +78,8 @@ module SamlIdp
         my_authn_context_classref,
         expiry,
         encryption_opts,
-        session_expiry
+        session_expiry,
+        signed_message_opts
       ).build
     end
 
@@ -122,11 +126,11 @@ module SamlIdp
     end
 
     def get_saml_response_id
-      UUID.generate
+      SecureRandom.uuid
     end
 
     def get_saml_reference_id
-      UUID.generate
+      SecureRandom.uuid
     end
 
     def default_algorithm

data/lib/saml_idp/fingerprint.rb

@@ -0,0 +1,19 @@
+module SamlIdp
+  module Fingerprint
+    def self.certificate_digest(cert, sha_size = nil)
+      sha_size ||= SamlIdp.config.algorithm
+      digest_sha_class(sha_size).hexdigest(OpenSSL::X509::Certificate.new(cert).to_der).scan(/../).join(':')
+    end
+
+    def self.digest_sha_class(sha_size)
+      case sha_size
+      when :sha256
+        Digest::SHA256
+      when :sha512
+        Digest::SHA512
+      else
+        raise ArgumentError, "Unsupported sha size parameter: #{sha_size}"
+      end
+    end
+  end
+end

data/lib/saml_idp/incoming_metadata.rb

@@ -16,6 +16,11 @@ module SamlIdp
       @document ||= Saml::XML::Document.parse raw
     end
 
+    def entity_id
+      xpath('//md:EntityDescriptor/@entityID', md: metadata_namespace).first.try(:content).to_s
+    end
+    hashable :entity_id
+
     def sign_assertions
       doc = xpath(
         "//md:SPSSODescriptor",
@@ -29,6 +34,19 @@ module SamlIdp
     end
     hashable :sign_assertions
 
+    def sign_authn_request
+      doc = xpath(
+        "//md:SPSSODescriptor",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first
+      if (doc && !doc['AuthnRequestsSigned'].nil?)
+        return doc['AuthnRequestsSigned'].strip.downcase == 'true'
+      end
+      return false
+    end
+    hashable :sign_authn_request
+
     def display_name
       role_descriptor_document.present? ? role_descriptor_document["ServiceDisplayName"] : ""
     end

data/lib/saml_idp/metadata_builder.rb

@@ -24,13 +24,15 @@ module SamlIdp
 
             entity.IDPSSODescriptor protocolSupportEnumeration: protocol_enumeration do |descriptor|
               build_key_descriptor descriptor
-              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                Location: single_logout_service_post_location
-              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: single_logout_service_redirect_location
+              build_endpoint descriptor, [
+                { tag: 'SingleLogoutService', url: single_logout_service_post_location, bind: 'HTTP-POST' }, 
+                { tag: 'SingleLogoutService', url: single_logout_service_redirect_location, bind: 'HTTP-Redirect'}
+              ]
               build_name_id_formats descriptor
-              descriptor.SingleSignOnService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: single_service_post_location
+              build_endpoint descriptor, [
+                { tag: 'SingleSignOnService', url: single_service_post_location, bind: 'HTTP-POST' }, 
+                { tag: 'SingleSignOnService', url: single_service_redirect_location, bind: 'HTTP-Redirect'}
+              ]
               build_attribute descriptor
             end
 
@@ -38,8 +40,9 @@ module SamlIdp
               build_key_descriptor authority_descriptor
               build_organization authority_descriptor
               build_contact authority_descriptor
-              authority_descriptor.AttributeService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: attribute_service_location
+              build_endpoint authority_descriptor, [
+                { tag: 'AttributeService', url: attribute_service_location, bind: 'HTTP-Redirect' }
+              ]
               build_name_id_formats authority_descriptor
               build_attribute authority_descriptor
             end
@@ -69,6 +72,17 @@ module SamlIdp
     end
     private :build_name_id_formats
 
+    def build_endpoint(el, end_points)
+      end_points.each do |ep|
+        next unless ep[:url].present?
+
+        el.tag! ep[:tag],
+          Binding: "urn:oasis:names:tc:SAML:2.0:bindings:#{ep[:bind]}",
+          Location: ep[:url]
+      end
+    end
+    private :build_endpoint
+
     def build_attribute(el)
       attributes.each do |attribute|
         el.tag! "saml:Attribute",
@@ -151,6 +165,7 @@ module SamlIdp
       organization_url
       attribute_service_location
       single_service_post_location
+      single_service_redirect_location
       single_logout_service_post_location
       single_logout_service_redirect_location
       technical_contact

data/lib/saml_idp/persisted_metadata.rb

@@ -6,5 +6,9 @@ module SamlIdp
     def sign_assertions?
       !!attributes[:sign_assertions]
     end
+
+    def sign_authn_request?
+      !!attributes[:sign_authn_request]
+    end
   end
 end

data/lib/saml_idp/request.rb

@@ -106,6 +106,7 @@ module SamlIdp
       end
 
       if !service_provider.acceptable_response_hosts.include?(response_host)
+        log "#{service_provider.acceptable_response_hosts} compare to #{response_host}"
         log "No acceptable AssertionConsumerServiceURL, either configure them via config.service_provider.response_hosts or match to your metadata_url host"
         return false
       end
@@ -114,9 +115,14 @@ module SamlIdp
     end
 
     def valid_signature?
-      # Force signatures for logout requests because there is no other
-      # protection against a cross-site DoS.
-      service_provider.valid_signature?(document, logout_request?)
+      # Force signatures for logout requests because there is no other protection against a cross-site DoS.
+      # Validate signature when metadata specify AuthnRequest should be signed
+      metadata = service_provider.current_metadata
+      if logout_request? || authn_request? && metadata.respond_to?(:sign_authn_request?) && metadata.sign_authn_request?
+        document.valid_signature?(service_provider.fingerprint)
+      else
+        true
+      end
     end
 
     def service_provider?

data/lib/saml_idp/response_builder.rb

@@ -1,32 +1,45 @@
 require 'builder'
+require 'saml_idp/algorithmable'
+require 'saml_idp/signable'
 module SamlIdp
   class ResponseBuilder
+    include Algorithmable
+    include Signable
     attr_accessor :response_id
     attr_accessor :issuer_uri
     attr_accessor :saml_acs_url
     attr_accessor :saml_request_id
     attr_accessor :assertion_and_signature
+    attr_accessor :raw_algorithm
 
-    def initialize(response_id, issuer_uri, saml_acs_url, saml_request_id, assertion_and_signature)
+    alias_method :reference_id, :response_id
+
+    def initialize(response_id, issuer_uri, saml_acs_url, saml_request_id, assertion_and_signature, raw_algorithm)
       self.response_id = response_id
       self.issuer_uri = issuer_uri
       self.saml_acs_url = saml_acs_url
       self.saml_request_id = saml_request_id
       self.assertion_and_signature = assertion_and_signature
+      self.raw_algorithm = raw_algorithm
     end
 
-    def encoded
-      @encoded ||= encode
+    def encoded(signed_message: false)
+      @encoded ||= signed_message ? encode_signed_message : encode_raw_message
     end
 
     def raw
       build
     end
 
-    def encode
+    def encode_raw_message
       Base64.strict_encode64(raw)
     end
-    private :encode
+    private :encode_raw_message
+
+    def encode_signed_message
+      Base64.strict_encode64(signed)
+    end
+    private :encode_signed_message
 
     def build
       resp_options = {}
@@ -41,6 +54,7 @@ module SamlIdp
       builder = Builder::XmlMarkup.new
       builder.tag! "samlp:Response", resp_options do |response|
           response.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          sign response
           response.tag! "samlp:Status" do |status|
             status.tag! "samlp:StatusCode", Value: Saml::XML::Namespaces::Statuses::SUCCESS
           end

data/lib/saml_idp/saml_response.rb

@@ -17,6 +17,7 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :signed_message_opts
 
     def initialize(reference_id,
           response_id,
@@ -29,7 +30,8 @@ module SamlIdp
           authn_context_classref,
           expiry=60*60,
           encryption_opts=nil,
-          session_expiry=0
+          session_expiry=0,
+          signed_message_opts
           )
       self.reference_id = reference_id
       self.response_id = response_id
@@ -45,10 +47,11 @@ module SamlIdp
       self.expiry = expiry
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry
+      self.signed_message_opts = signed_message_opts
     end
 
     def build
-      @built ||= response_builder.encoded
+      @built ||= encoded_message
     end
 
     def signed_assertion
@@ -60,8 +63,17 @@ module SamlIdp
     end
     private :signed_assertion
 
+    def encoded_message
+      if signed_message_opts
+        response_builder.encoded(signed_message: true)
+      else
+        response_builder.encoded(signed_message: false)
+      end
+    end
+    private :encoded_message
+
     def response_builder
-      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion)
+      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion, algorithm)
     end
     private :response_builder
 

data/lib/saml_idp/service_provider.rb

@@ -22,18 +22,13 @@ module SamlIdp
     end
 
     def valid_signature?(doc, require_signature = false)
-      if require_signature || should_validate_signature?
+      if require_signature || attributes[:validate_signature]
         doc.valid_signature?(fingerprint)
       else
         true
       end
     end
 
-    def should_validate_signature?
-      attributes[:validate_signature] ||
-        current_metadata.respond_to?(:sign_assertions?) && current_metadata.sign_assertions?
-    end
-
     def refresh_metadata
       fresh = fresh_incoming_metadata
       if valid_signature?(fresh.document)

data/lib/saml_idp/signable.rb

@@ -108,8 +108,7 @@ module SamlIdp
       canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
       canon_hashed_element = noko_raw.canonicalize(canon_algorithm, inclusive_namespaces)
       digest_algorithm = get_algorithm
-
-      hash                          = digest_algorithm.digest(canon_hashed_element)
+      hash = digest_algorithm.digest(canon_hashed_element)
       Base64.strict_encode64(hash).gsub(/\n/, '')
     end
     private :digest

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.8.0'
+  VERSION = '0.12.0'
 end

data/lib/saml_idp/xml_security.rb

@@ -108,7 +108,7 @@ module SamlIdp
           canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
           canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
 
-          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", {'ds' => DSIG}))
 
           hash                          = digest_algorithm.digest(canon_hashed_element)
           digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)

data/saml_idp.gemspec

@@ -44,19 +44,18 @@ section of the README.
   INST
 
   s.add_dependency('activesupport', '>= 3.2')
-  s.add_dependency('uuid', '>= 2.3')
   s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
 
   s.add_development_dependency('rake')
   s.add_development_dependency('simplecov')
   s.add_development_dependency('rspec', '>= 3.7.0')
-  s.add_development_dependency('ruby-saml', '>= 1.5')
+  s.add_development_dependency('ruby-saml', '>= 1.7.2')
   s.add_development_dependency('rails', '>= 3.2')
   s.add_development_dependency('activeresource', '>= 3.2')
   s.add_development_dependency('capybara', '>= 2.16')
   s.add_development_dependency('timecop', '>= 0.8')
   s.add_development_dependency('xmlenc', '>= 0.6.4')
   s.add_development_dependency('appraisal')
+  s.add_development_dependency('byebug')
 end
-

data/spec/lib/saml_idp/configurator_spec.rb

@@ -9,6 +9,7 @@ module SamlIdp
     it { should respond_to :base_saml_location }
     it { should respond_to :reference_id_generator }
     it { should respond_to :attribute_service_location }
+    it { should respond_to :single_service_redirect_location }
     it { should respond_to :single_service_post_location }
     it { should respond_to :single_logout_service_post_location }
     it { should respond_to :single_logout_service_redirect_location }

data/spec/lib/saml_idp/controller_spec.rb

@@ -21,6 +21,30 @@ describe SamlIdp::Controller do
     expect(saml_acs_url).to eq(requested_saml_acs_url)
   end
 
+  context "When SP metadata required to validate auth request signature" do
+    before do
+      idp_configure("https://foo.example.com/saml/consume", true)
+      params[:SAMLRequest] = make_saml_request("https://foo.example.com/saml/consume", true)
+    end
+
+    it 'SP metadata sign_authn_request attribute should be true' do
+      # Signed auth request will be true in the metadata
+      expect(SamlIdp.config.service_provider.persisted_metadata_getter.call(nil,nil)[:sign_authn_request]).to eq(true)
+    end
+
+    it 'should call xml signature validation method' do
+      signed_doc = SamlIdp::XMLSecurity::SignedDocument.new(params[:SAMLRequest])
+      allow(signed_doc).to receive(:validate).and_return(true)
+      allow(SamlIdp::XMLSecurity::SignedDocument).to receive(:new).and_return(signed_doc)
+      validate_saml_request
+      expect(signed_doc).to have_received(:validate).once
+    end
+
+    it 'should successfully validate signature' do
+      expect(validate_saml_request).to eq(true)
+    end
+  end
+
   context "SAML Responses" do
     let(:principal) { double email_address: "foo@example.com" }
     let (:encryption_opts) do

data/spec/lib/saml_idp/fingerprint_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+module SamlIdp
+  describe Fingerprint do
+    describe "certificate_digest" do
+      let(:cert) { sp_x509_cert }
+      let(:fingerprint) { "a2:cb:f6:6b:bc:2a:33:b9:4f:f3:c3:7e:26:a4:21:cd:41:83:ef:26:88:fa:ba:71:37:40:07:3e:d5:76:04:b7" }
+
+      it "returns the fingerprint string" do
+        expect(Fingerprint.certificate_digest(cert, :sha256)).to eq(fingerprint)
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/incoming_metadata_spec.rb

@@ -3,7 +3,7 @@ module SamlIdp
 
   metadata_1 = <<-eos
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
-  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="false">
   </md:SPSSODescriptor>
 </md:EntityDescriptor>
   eos
@@ -22,20 +22,39 @@ module SamlIdp
 </md:EntityDescriptor>
   eos
 
+  metadata_4 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
   describe IncomingMetadata do
     it 'should properly set sign_assertions to false' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_1)
       expect(metadata.sign_assertions).to eq(false)
+      expect(metadata.sign_authn_request).to eq(false)
+    end
+
+    it 'should properly set entity_id as https://test-saml.com/saml' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.entity_id).to eq('https://test-saml.com/saml')
     end
 
     it 'should properly set sign_assertions to true' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_2)
       expect(metadata.sign_assertions).to eq(true)
+      expect(metadata.sign_authn_request).to eq(true)
     end
 
     it 'should properly set sign_assertions to false when WantAssertionsSigned is not included' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_3)
       expect(metadata.sign_assertions).to eq(false)
     end
+
+    it 'should properly set sign_authn_request to false when AuthnRequestsSigned is not included' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_4)
+      expect(metadata.sign_authn_request).to eq(false)
+    end
   end
 end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -11,7 +11,30 @@ module SamlIdp
 
     it "includes logout element" do
       subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
+      subject.configurator.single_logout_service_redirect_location = 'https://example.com/saml/logout'
       expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>')
+      expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>')
+    end
+
+    it 'will not includes empty logout endpoint' do
+      subject.configurator.single_logout_service_post_location = ''
+      subject.configurator.single_logout_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
+    end
+
+    it 'will includes sso element' do
+      subject.configurator.single_service_post_location = 'https://example.com/saml/sso'
+      subject.configurator.single_service_redirect_location = 'https://example.com/saml/sso'
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/sso"/>')
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/sso"/>')
+    end
+
+    it 'will not includes empty sso element' do
+      subject.configurator.single_service_post_location = ''
+      subject.configurator.single_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
     end
 
     context "technical contact" do

data/spec/lib/saml_idp/response_builder_spec.rb

@@ -6,12 +6,14 @@ module SamlIdp
     let(:saml_acs_url) { "http://sportngin.com" }
     let(:saml_request_id) { "134" }
     let(:assertion_and_signature) { "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion>" }
+    let(:algorithm) { :sha256 }
     subject { described_class.new(
       response_id,
       issuer_uri,
       saml_acs_url,
       saml_request_id,
-      assertion_and_signature
+      assertion_and_signature,
+      algorithm
     ) }
 
     before do

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -24,6 +24,8 @@ module SamlIdp
         key_transport: 'rsa-oaep-mgf1p',
       }
     end
+    let(:signed_response_opts) { true }
+    let(:unsigned_response_opts) { false }
     let(:subject_encrypted) { described_class.new(reference_id,
                                   response_id,
                                   issuer_uri,
@@ -35,7 +37,8 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   encryption_opts,
-                                  session_expiry
+                                  session_expiry,
+                                  unsigned_response_opts
                                  )
     }
 
@@ -50,7 +53,8 @@ module SamlIdp
                                   authn_context_classref,
                                   expiry,
                                   nil,
-                                  session_expiry
+                                  session_expiry,
+                                  signed_response_opts
                                  )
     }
 
@@ -77,6 +81,25 @@ module SamlIdp
       expect(saml_resp.is_valid?).to eq(true)
     end
 
+    it "will build signed valid response" do
+      expect { subject.build }.not_to raise_error
+      signed_encoded_xml = subject.build
+      resp_settings = saml_settings(saml_acs_url)
+      resp_settings.private_key = Default::SECRET_KEY
+      resp_settings.issuer = audience_uri
+      saml_resp = OneLogin::RubySaml::Response.new(signed_encoded_xml, settings: resp_settings)
+      expect(
+        Nokogiri::XML(saml_resp.response).at_xpath(
+        "//p:Response//ds:Signature",
+        {
+          "p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+          "ds" => "http://www.w3.org/2000/09/xmldsig#"
+        }
+      )).to be_present
+      expect(saml_resp.send(:validate_signature)).to eq(true)
+      expect(saml_resp.is_valid?).to eq(true)
+    end
+
     it "sets session expiration" do
       saml_resp = OneLogin::RubySaml::Response.new(subject.build)
       expect(saml_resp.session_expires_at).to eq Time.local(1990, "jan", 2).iso8601

data/spec/spec_helper.rb

@@ -43,6 +43,25 @@ RSpec.configure do |config|
       }
     end
   end
+
+  # To reset to default config
+  config.after do
+    SamlIdp.instance_variable_set(:@config, nil)
+    SamlIdp.configure do |c|
+      c.attributes = {
+        emailAddress: {
+          name: "email-address",
+          getter: ->(p) { "foo@example.com" }
+        }
+      }
+
+      c.name_id.formats = {
+        "1.1" => {
+          email_address: ->(p) { "foo@example.com" }
+        }
+      }
+    end
+  end
 end
 
 SamlIdp::Default::SERVICE_PROVIDER[:metadata_url] = 'https://example.com/meta'

data/spec/support/certificates/sp_cert_req.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAmpwMQ4wDAYDVQQIDAVUb2t5bzELMAkG
+A1UECgwCR1MxIDAeBgNVBAMMF2h0dHBzOi8vZm9vLmV4YW1wbGUuY29tMQwwCgYD
+VQQHDANGb28xDDAKBgNVBAsMA0JvbzEeMBwGCSqGSIb3DQEJARYPZm9vQGV4YW1w
+bGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8DVj2mVLQV7AjT+cn
+Lv3kDnQFvAo3RdUeGGhplsYFacYByzNRD/jeguu1ahrvznDyZN8p3yB7OPbmt0r0
+aGr+yYzPh6brgkf5u6FMtWTj94vLQuT/uyQGuzdBkiLb5mAWRMtm43oHXDK0v25J
+tsG1PJnntkXfBDpFP1eWLO+jZwIDAQABoAAwDQYJKoZIhvcNAQENBQADgYEAd/J6
+5zjrMhgjxuaMuWCiNN7IS4F9SKy+gEmhkpNVCpChbpggruaEIoERjDP/TkZn2dgL
+VUeHTZB92t+wWfQbHNvEfbzqlV3XkuHkxewCwofnIV/k+8zG1Al5ELSKHehItxig
+rnTuBrFYsd2j4HEVqLzm4NyCfL+xzn/D4U2ec50=
+-----END CERTIFICATE REQUEST-----

data/spec/support/certificates/sp_private_key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALwNWPaZUtBXsCNP
+5ycu/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3
+SvRoav7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/
+bkm2wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAECgYEArwclVHCkebIECPnnxbqhKNCj
+AGtifsuKbrZ9CDoDGSq31xeQLdTV6BSm2nVlmOnmilWEuG4qx0Xf2CGlrBI78kmv
+vHCfFdaGnTxbmYnD0HN0u4RK2trsxWO+rEkJk14JE2eVD6ZRPrq1UOSMgGPrQSMb
+SuwAHUu/j94eL8BXuhECQQD3jTlo3Y4VPWttP6XPNqKDP+jRYJs5G0Bch//S9Qy7
+QzmU9/yAUk0BEOyqYcLxinjJhoq6bR2fiIibn+77z3jtAkEAwnhLwkGYOb7Nt3V6
+dQLKx1BP9dnYH7qG/sCmAs7GHPv4LGluaz4zsh2pdEDF/Xar4gwTzUpxYo8FpkCH
+rf4nIwJAVfWnGr/cR4nVVNFGHUcGdXbqvFHEdLb+yWK8NZ+79Qap5w2Zk2GAtb8P
+vzZFQCRqPuhGIegj4jLB5PBLRwtLHQJBAJiWyWL4ExikRUhBTr/HXBL+Sm9u6i0j
+L89unBQx6LNPZhB6/Z/6Y5fLvG2ycWgLGJ06usLnOYaLEHS9x3hXpp8CQQCdtQHw
+xeLBPhRDpfWWbSmFr+bFxyD/4iQHTHToIs3kaecn6OJ4rczIFpGm2Bm7f4X7F3H3
+DDy4jZ0R6iDqCcQD
+-----END PRIVATE KEY-----

data/spec/support/certificates/sp_x509_cert.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAkGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBiDELMAkGA1UEBhMCanAx
+DjAMBgNVBAgMBVRva3lvMQswCQYDVQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9m
+b28uZXhhbXBsZS5jb20xDDAKBgNVBAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJ
+KoZIhvcNAQkBFg9mb29AZXhhbXBsZS5jb20wHhcNMjAwMTIzMDYyMzI5WhcNNDcw
+NjA5MDYyMzI5WjCBiDELMAkGA1UEBhMCanAxDjAMBgNVBAgMBVRva3lvMQswCQYD
+VQQKDAJHUzEgMB4GA1UEAwwXaHR0cHM6Ly9mb28uZXhhbXBsZS5jb20xDDAKBgNV
+BAcMA0ZvbzEMMAoGA1UECwwDQm9vMR4wHAYJKoZIhvcNAQkBFg9mb29AZXhhbXBs
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwNWPaZUtBXsCNP5ycu
+/eQOdAW8CjdF1R4YaGmWxgVpxgHLM1EP+N6C67VqGu/OcPJk3ynfIHs49ua3SvRo
+av7JjM+HpuuCR/m7oUy1ZOP3i8tC5P+7JAa7N0GSItvmYBZEy2bjegdcMrS/bkm2
+wbU8mee2Rd8EOkU/V5Ys76NnAgMBAAGjUDBOMB0GA1UdDgQWBBQMtOtrh2VS/mh4
+awGbKA37vVnw+zAfBgNVHSMEGDAWgBQMtOtrh2VS/mh4awGbKA37vVnw+zAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAHjTTm4Hyx1rfzygknc6q1dYwpEv
+/3AsPiTnF4AfH/5kGIIXNzwg0ADsziFMJYRRR9eMu97CHQbr8gHt99P8uaen6cmJ
+4VCwJLP2N8gZrycssimA3M83DWRRVZbxZhpuUWNajtYIxwyUbB7eRSJgz3Tc0opF
+933YwucWuFzKSqn3
+-----END CERTIFICATE-----

data/spec/support/saml_request_macros.rb

@@ -1,9 +1,9 @@
 require 'saml_idp/logout_request_builder'
 
 module SamlRequestMacros
-  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume")
+  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     auth_request = OneLogin::RubySaml::Authrequest.new
-    auth_url = auth_request.create(saml_settings(requested_saml_acs_url))
+    auth_url = auth_request.create(saml_settings(requested_saml_acs_url, enable_secure_options))
     CGI.unescape(auth_url.split("=").last)
   end
 
@@ -18,7 +18,12 @@ module SamlRequestMacros
     Base64.strict_encode64(request_builder.signed)
   end
 
-  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume")
+  def generate_sp_metadata(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    sp_metadata = OneLogin::RubySaml::Metadata.new
+    sp_metadata.generate(saml_settings(saml_acs_url, enable_secure_options), true)
+  end
+
+  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     settings = OneLogin::RubySaml::Settings.new
     settings.assertion_consumer_service_url = saml_acs_url
     settings.issuer = "http://example.com/issuer"
@@ -26,9 +31,63 @@ module SamlRequestMacros
     settings.assertion_consumer_logout_service_url = 'https://foo.example.com/saml/logout'
     settings.idp_cert_fingerprint = SamlIdp::Default::FINGERPRINT
     settings.name_identifier_format = SamlIdp::Default::NAME_ID_FORMAT
+    add_securty_options(settings) if enable_secure_options
     settings
   end
 
+  def add_securty_options(settings, authn_requests_signed: true, 
+                                    embed_sign: true, 
+                                    logout_requests_signed: true, 
+                                    logout_responses_signed: true,
+                                    digest_method: XMLSecurity::Document::SHA256,
+                                    signature_method: XMLSecurity::Document::RSA_SHA256)
+    # Security section
+    settings.idp_cert = SamlIdp::Default::X509_CERTIFICATE
+    # Signed embedded singature
+    settings.security[:authn_requests_signed] = authn_requests_signed
+    settings.security[:embed_sign] = embed_sign
+    settings.security[:logout_requests_signed] = logout_requests_signed
+    settings.security[:logout_responses_signed] = logout_responses_signed
+    settings.security[:metadata_signed] = digest_method
+    settings.security[:digest_method] = digest_method
+    settings.security[:signature_method] = signature_method
+    settings.private_key = sp_pv_key
+    settings.certificate = sp_x509_cert
+  end
+
+  def idp_configure(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    SamlIdp.configure do |config|
+      config.x509_certificate = SamlIdp::Default::X509_CERTIFICATE
+      config.secret_key = SamlIdp::Default::SECRET_KEY
+      config.password = nil
+      config.algorithm = :sha256
+      config.organization_name = 'idp.com'
+      config.organization_url = 'http://idp.com'
+      config.base_saml_location = 'http://idp.com/saml/idp'
+      config.single_logout_service_post_location = 'http://idp.com/saml/idp/logout'
+      config.single_logout_service_redirect_location = 'http://idp.com/saml/idp/logout'
+      config.attribute_service_location = 'http://idp.com/saml/idp/attribute'
+      config.single_service_post_location = 'http://idp.com/saml/idp/sso'
+      config.name_id.formats = SamlIdp::Default::NAME_ID_FORMAT
+      config.service_provider.metadata_persister = lambda { |_identifier, _service_provider|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.persisted_metadata_getter = lambda { |_identifier, _settings|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.finder = lambda { |_issuer_or_entity_id|
+        {
+          response_hosts: [URI(saml_acs_url).host],
+          acs_url: saml_acs_url,
+          cert: sp_x509_cert,
+          fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert)
+        }
+      }
+    end
+  end
+
   def print_pretty_xml(xml_string)
     doc = REXML::Document.new xml_string
     outbuf = ""

data/spec/support/security_helpers.rb

@@ -58,4 +58,14 @@ module SecurityHelpers
   def r1_signature_2
     @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
   end
+
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php
+  def sp_pv_key
+    @sp_pv_key ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_private_key.pem'))
+  end
+
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php, expired date is 9999
+  def sp_x509_cert
+    @sp_x509_cert ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_x509_cert.crt'))
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_idp
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.12.0
 platform: ruby
 authors:
 - Jon Phenow
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-09 00:00:00.000000000 Z
+date: 2020-11-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: uuid
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.3'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +100,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: 1.7.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: 1.7.2
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -206,6 +192,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: SAML IdP (Identity Provider) Library for Ruby
 email: jon.phenow@sportngin.com
 executables: []
@@ -228,6 +228,7 @@ files:
 - lib/saml_idp/default.rb
 - lib/saml_idp/encryptor.rb
 - lib/saml_idp/engine.rb
+- lib/saml_idp/fingerprint.rb
 - lib/saml_idp/hashable.rb
 - lib/saml_idp/incoming_metadata.rb
 - lib/saml_idp/logout_builder.rb
@@ -254,6 +255,7 @@ files:
 - spec/lib/saml_idp/configurator_spec.rb
 - spec/lib/saml_idp/controller_spec.rb
 - spec/lib/saml_idp/encryptor_spec.rb
+- spec/lib/saml_idp/fingerprint_spec.rb
 - spec/lib/saml_idp/incoming_metadata_spec.rb
 - spec/lib/saml_idp/logout_request_builder_spec.rb
 - spec/lib/saml_idp/logout_response_builder_spec.rb
@@ -319,6 +321,9 @@ files:
 - spec/spec_helper.rb
 - spec/support/certificates/certificate1
 - spec/support/certificates/r1_certificate2_base64
+- spec/support/certificates/sp_cert_req.csr
+- spec/support/certificates/sp_private_key.pem
+- spec/support/certificates/sp_x509_cert.crt
 - spec/support/responses/adfs_response_sha1.xml
 - spec/support/responses/adfs_response_sha256.xml
 - spec/support/responses/adfs_response_sha384.xml
@@ -347,7 +352,7 @@ metadata:
   homepage_uri: https://github.com/saml-idp/saml_idp
   source_code_uri: https://github.com/saml-idp/saml_idp
   bug_tracker_uri: https://github.com/saml-idp/saml_idp/issues
-  documentation_uri: http://rdoc.info/gems/saml_idp/0.8.0
+  documentation_uri: http://rdoc.info/gems/saml_idp/0.12.0
 post_install_message: |
   If you're just recently updating saml_idp - please be aware we've changed the default
   certificate. See the PR and a description of why we've done this here:
@@ -378,8 +383,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: SAML Indentity Provider for Ruby
@@ -392,6 +396,7 @@ test_files:
 - spec/lib/saml_idp/configurator_spec.rb
 - spec/lib/saml_idp/controller_spec.rb
 - spec/lib/saml_idp/encryptor_spec.rb
+- spec/lib/saml_idp/fingerprint_spec.rb
 - spec/lib/saml_idp/incoming_metadata_spec.rb
 - spec/lib/saml_idp/logout_request_builder_spec.rb
 - spec/lib/saml_idp/logout_response_builder_spec.rb
@@ -457,6 +462,9 @@ test_files:
 - spec/spec_helper.rb
 - spec/support/certificates/certificate1
 - spec/support/certificates/r1_certificate2_base64
+- spec/support/certificates/sp_cert_req.csr
+- spec/support/certificates/sp_private_key.pem
+- spec/support/certificates/sp_x509_cert.crt
 - spec/support/responses/adfs_response_sha1.xml
 - spec/support/responses/adfs_response_sha256.xml
 - spec/support/responses/adfs_response_sha384.xml