saml_idp 0.9.0 → 1.0.0

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -19,6 +19,9 @@ module SamlIdp
         key_transport: 'rsa-oaep-mgf1p',
       }
     end
+    let(:session_expiry) { nil }
+    let(:name_id_formats_opt) { nil }
+    let(:asserted_attributes_opt) { nil }
     subject { described_class.new(
       reference_id,
       issuer_uri,
@@ -103,6 +106,76 @@ module SamlIdp
       expect(encrypted_xml).to_not match(audience_uri)
     end
 
+    describe "with name_id_formats_opt" do
+      let(:name_id_formats_opt) {
+        {
+            persistent: -> (principal) {
+              principal.unique_identifier
+            }
+        }
+      }
+      it "delegates name_id_formats to opts" do
+        UserWithUniqueId = Struct.new(:unique_identifier, :email, :asserted_attributes)
+        principal = UserWithUniqueId.new('unique_identifier_123456', 'foo@example.com',  { emailAddress: { getter: :email } })
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">unique_identifier_123456</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
+
+    describe "with asserted_attributes_opt" do
+      let(:asserted_attributes_opt) {
+        {
+            'GivenName' => {
+                getter: :first_name
+            },
+            'SurName' => {
+                getter: -> (principal) {
+                    principal.last_name
+                }
+            }
+        }
+      }
+
+      it "delegates asserted_attributes to opts" do
+        UserWithName = Struct.new(:email, :first_name, :last_name)
+        principal = UserWithName.new('foo@example.com', 'George', 'Washington')
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"GivenName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"GivenName\"><AttributeValue>George</AttributeValue></Attribute><Attribute Name=\"SurName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"SurName\"><AttributeValue>Washington</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
+
     describe "with custom session_expiry configuration" do
       let(:config) { SamlIdp::Configurator.new }
       before do
@@ -126,5 +199,75 @@ module SamlIdp
         expect(builder.session_expiry).to eq(8)
       end
     end
+
+    describe "with name_id_formats_opt" do
+      let(:name_id_formats_opt) {
+        {
+            persistent: -> (principal) {
+              principal.unique_identifier
+            }
+        }
+      }
+      it "delegates name_id_formats to opts" do
+        UserWithUniqueId = Struct.new(:unique_identifier, :email, :asserted_attributes)
+        principal = UserWithUniqueId.new('unique_identifier_123456', 'foo@example.com',  { emailAddress: { getter: :email } })
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">unique_identifier_123456</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
+
+    describe "with asserted_attributes_opt" do
+      let(:asserted_attributes_opt) {
+        {
+            'GivenName' => {
+                getter: :first_name
+            },
+            'SurName' => {
+                getter: -> (principal) {
+                    principal.last_name
+                }
+            }
+        }
+      }
+
+      it "delegates asserted_attributes to opts" do
+        UserWithName = Struct.new(:email, :first_name, :last_name)
+        principal = UserWithName.new('foo@example.com', 'George', 'Washington')
+        builder = described_class.new(
+            reference_id,
+            issuer_uri,
+            principal,
+            audience_uri,
+            saml_request_id,
+            saml_acs_url,
+            algorithm,
+            authn_context_classref,
+            expiry,
+            encryption_opts,
+            session_expiry,
+            name_id_formats_opt,
+            asserted_attributes_opt
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"GivenName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"GivenName\"><AttributeValue>George</AttributeValue></Attribute><Attribute Name=\"SurName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"SurName\"><AttributeValue>Washington</AttributeValue></Attribute></AttributeStatement></Assertion>")
+        end
+      end
+    end
   end
 end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -9,6 +9,7 @@ module SamlIdp
     it { should respond_to :base_saml_location }
     it { should respond_to :reference_id_generator }
     it { should respond_to :attribute_service_location }
+    it { should respond_to :single_service_redirect_location }
     it { should respond_to :single_service_post_location }
     it { should respond_to :single_logout_service_post_location }
     it { should respond_to :single_logout_service_redirect_location }
@@ -16,13 +17,14 @@ module SamlIdp
     it { should respond_to :attributes }
     it { should respond_to :service_provider }
     it { should respond_to :session_expiry }
+    it { should respond_to :logger }
 
     it "has a valid x509_certificate" do
-      expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
+      expect(subject.x509_certificate.call).to eq(Default::X509_CERTIFICATE)
     end
 
     it "has a valid secret_key" do
-      expect(subject.secret_key).to eq(Default::SECRET_KEY)
+      expect(subject.secret_key.call).to eq(Default::SECRET_KEY)
     end
 
     it "has a valid algorithm" do
@@ -45,5 +47,41 @@ module SamlIdp
     it 'has a valid session_expiry' do
       expect(subject.session_expiry).to eq(0)
     end
+
+    context "logger initialization" do
+      context 'when Rails has been properly initialized' do
+        before do
+          stub_const("Rails", double(logger: double("Rails.logger")))
+        end
+
+        it 'sets logger to Rails.logger' do
+          expect(subject.logger).to eq(Rails.logger)
+        end
+      end
+
+      context 'when Rails is not fully initialized' do
+        before do
+          stub_const("Rails", Class.new)          
+        end
+
+        it 'sets logger to a lambda' do
+          expect(subject.logger).to be_a(Proc)
+          expect { subject.logger.call("test") }.to output("test\n").to_stdout
+        end
+      end
+
+      context 'when Rails is not defined' do
+        it 'sets logger to a lambda' do
+          hide_const("Rails")
+
+          expect(subject.logger).to be_a(Proc)
+          expect { subject.logger.call("test") }.to output("test\n").to_stdout
+        end
+      end
+
+      after do
+        hide_const("Rails")
+      end
+    end
   end
 end

data/spec/lib/saml_idp/controller_spec.rb

@@ -21,6 +21,30 @@ describe SamlIdp::Controller do
     expect(saml_acs_url).to eq(requested_saml_acs_url)
   end
 
+  context "When SP metadata required to validate auth request signature" do
+    before do
+      idp_configure("https://foo.example.com/saml/consume", true)
+      params[:SAMLRequest] = make_saml_request("https://foo.example.com/saml/consume", true)
+    end
+
+    it 'SP metadata sign_authn_request attribute should be true' do
+      # Signed auth request will be true in the metadata
+      expect(SamlIdp.config.service_provider.persisted_metadata_getter.call(nil,nil)[:sign_authn_request]).to eq(true)
+    end
+
+    it 'should call xml signature validation method' do
+      signed_doc = SamlIdp::XMLSecurity::SignedDocument.new(decode_saml_request(params[:SAMLRequest]))
+      allow(signed_doc).to receive(:validate).and_return(true)
+      allow(SamlIdp::XMLSecurity::SignedDocument).to receive(:new).and_return(signed_doc)
+      validate_saml_request
+      expect(signed_doc).to have_received(:validate).once
+    end
+
+    it 'should successfully validate signature' do
+      expect(validate_saml_request).to eq(true)
+    end
+  end
+
   context "SAML Responses" do
     let(:principal) { double email_address: "foo@example.com" }
     let (:encryption_opts) do
@@ -42,6 +66,16 @@ describe SamlIdp::Controller do
       end
     end
 
+    context '#encode_authn_response' do
+      it 'uses default values when opts are not provided' do
+        saml_response = encode_authn_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume', signed_assertion: false })
+
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        response.settings = saml_settings
+        expect(response.document.to_s).to_not include("<ds:Signature>")
+      end
+    end
+
     context "solicited Response" do
       before(:each) do
         params[:SAMLRequest] = make_saml_request
@@ -57,17 +91,13 @@ describe SamlIdp::Controller do
         expect(response.is_valid?).to be_truthy
       end
 
-      it "should create a SAML Logout Response" do
-        params[:SAMLRequest] = make_saml_logout_request
-        expect(validate_saml_request).to eq(true)
-        expect(saml_request.logout_request?).to eq true
+      it "should by default create a SAML Response with a signed assertion" do
         saml_response = encode_response(principal)
-        response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
-        expect(response.validate).to eq(true)
-        expect(response.issuer).to eq("http://example.com")
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        response.settings = saml_settings("https://foo.example.com/saml/consume", true)
+        expect(response.is_valid?).to be_truthy
       end
 
-
       [:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
         it "should create a SAML Response using the #{algorithm_name} algorithm" do
           self.algorithm = algorithm_name
@@ -94,4 +124,32 @@ describe SamlIdp::Controller do
       end
     end
   end
+
+  context "Single Logout Request" do
+    before do
+      idp_configure("https://foo.example.com/saml/consume", true)
+      slo_request = make_saml_sp_slo_request(security_options: { embed_sign: false })
+      params[:SAMLRequest] = slo_request['SAMLRequest']
+      params[:RelayState] = slo_request['RelayState']
+      params[:SigAlg] = slo_request['SigAlg']
+      params[:Signature] = slo_request['Signature']
+    end
+
+    it 'should successfully validate signature' do
+      expect(validate_saml_request).to eq(true)
+    end
+
+    context "solicited Response" do
+      let(:principal) { double email_address: "foo@example.com" }
+
+      it "should create a SAML Logout Response" do
+        expect(validate_saml_request).to eq(true)
+        expect(saml_request.logout_request?).to eq true
+        saml_response = encode_response(principal)
+        response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
+        expect(response.validate).to eq(true)
+        expect(response.issuer).to eq("http://idp.com/saml/idp")
+      end
+    end
+  end
 end

data/spec/lib/saml_idp/fingerprint_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+module SamlIdp
+  describe Fingerprint do
+    describe "certificate_digest" do
+      let(:cert) { sp_x509_cert }
+      let(:fingerprint) { "a2:cb:f6:6b:bc:2a:33:b9:4f:f3:c3:7e:26:a4:21:cd:41:83:ef:26:88:fa:ba:71:37:40:07:3e:d5:76:04:b7" }
+
+      it "returns the fingerprint string" do
+        expect(Fingerprint.certificate_digest(cert, :sha256)).to eq(fingerprint)
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/incoming_metadata_spec.rb

@@ -1,9 +1,10 @@
 require 'spec_helper'
+
 module SamlIdp
 
   metadata_1 = <<-eos
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
-  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="false">
   </md:SPSSODescriptor>
 </md:EntityDescriptor>
   eos
@@ -22,6 +23,55 @@ module SamlIdp
 </md:EntityDescriptor>
   eos
 
+  metadata_4 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_5 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor>
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnht3GR...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_6 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmw6vGr...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
+  metadata_7 = <<-eos
+<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
+  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dX3Gr...</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+  </md:SPSSODescriptor>
+</md:EntityDescriptor>
+  eos
+
   describe IncomingMetadata do
     it 'should properly set sign_assertions to false' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_1)
@@ -36,11 +86,49 @@ module SamlIdp
     it 'should properly set sign_assertions to true' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_2)
       expect(metadata.sign_assertions).to eq(true)
+      expect(metadata.sign_authn_request).to eq(true)
     end
 
     it 'should properly set sign_assertions to false when WantAssertionsSigned is not included' do
       metadata = SamlIdp::IncomingMetadata.new(metadata_3)
       expect(metadata.sign_assertions).to eq(false)
     end
+
+    it 'should properly set sign_authn_request to false when AuthnRequestsSigned is not included' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_4)
+      expect(metadata.sign_authn_request).to eq(false)
+    end
+
+    it 'should properly set unspecified_certificate when present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_5)
+      expect(metadata.unspecified_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnht3GR...')
+    end
+
+    it 'should return empty unspecified_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should properly set signing_certificate when present but not unspecified_certificate' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_6)
+      expect(metadata.signing_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmw6vGr...')
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should return empty signing_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.signing_certificate).to eq('')
+    end
+
+    it 'should properly set encryption_certificate when present but not unspecified_certificate' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_7)
+      expect(metadata.encryption_certificate).to eq('MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dX3Gr...')
+      expect(metadata.unspecified_certificate).to eq('')
+    end
+
+    it 'should return empty encryption_certificate when not present' do
+      metadata = SamlIdp::IncomingMetadata.new(metadata_1)
+      expect(metadata.encryption_certificate).to eq('')
+    end
   end
 end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -6,12 +6,35 @@ module SamlIdp
     end
 
     it "signs valid xml" do
-      expect(Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT)).to be_truthy
+      expect(Saml::XML::Document.parse(subject.signed).valid_signature?("", Default::FINGERPRINT)).to be_truthy
     end
 
     it "includes logout element" do
       subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
+      subject.configurator.single_logout_service_redirect_location = 'https://example.com/saml/logout'
       expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>')
+      expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>')
+    end
+
+    it 'will not includes empty logout endpoint' do
+      subject.configurator.single_logout_service_post_location = ''
+      subject.configurator.single_logout_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
+    end
+
+    it 'will includes sso element' do
+      subject.configurator.single_service_post_location = 'https://example.com/saml/sso'
+      subject.configurator.single_service_redirect_location = 'https://example.com/saml/sso'
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/sso"/>')
+      expect(subject.fresh).to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/sso"/>')
+    end
+
+    it 'will not includes empty sso element' do
+      subject.configurator.single_service_post_location = ''
+      subject.configurator.single_service_redirect_location = nil
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"')
+      expect(subject.fresh).not_to match('<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
     end
 
     context "technical contact" do