samlurai 0.1.0

data/LICENSE

@@ -0,0 +1,50 @@
+Samlurai is adapted from ruby-saml, licensed as follows:
+
+-----
+
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+-----
+
+To what extent Samlurai has extended and modified ruby-saml, that software is
+licensed as follows:
+
+-----
+
+Copyright (c) 2013 Instructure, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,5 @@
+# Slice and dice yourself some SAML 
+
+[![Build Status](https://travis-ci.org/phinze/samlurai.png?branch=master)](https://travis-ci.org/phinze/samlurai)
+
+![Samlurai Logo](https://github.com/phinze/samlurai/raw/master/doc/samlurai.png)

data/lib/samlurai.rb

@@ -0,0 +1,50 @@
+require 'rubygems'
+require 'xml_security'
+
+require 'zlib'
+require 'base64'
+require 'xml/libxml'
+require 'openssl'
+require 'cgi'
+
+module Samlurai
+  NAMESPACES = {
+    "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+    "saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+    "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+    "xenc" => "http://www.w3.org/2001/04/xmlenc#",
+    "ds" => "http://www.w3.org/2000/09/xmldsig#"
+  }
+
+  # for SAML2 IDPs that omit the FriendlyName, map from the registered name
+  # http://middleware.internet2.edu/dir/edu-schema-oid-registry.html
+  ATTRIBUTES = {
+    "urn:oid:1.3.6.1.4.1.5923.1.1.2" => "eduPerson",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1" => "eduPersonAffiliation",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7" => "eduPersonEntitlement",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.2" => "eduPersonNickname",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.3" => "eduPersonOrgDN",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.4" => "eduPersonOrgUnitDN",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5" => "eduPersonPrimaryAffiliation",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.8" => "eduPersonPrimaryOrgUnitDN",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" => "eduPersonPrincipalName",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9" => "eduPersonScopedAffiliation",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" => "eduPersonTargetedID",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.2" => "eduOrg",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.2" => "eduOrgHomePageURI",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.3" => "eduOrgIdentityAuthNPolicyURI",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.4" => "eduOrgLegalName",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.5" => "eduOrgSuperiorURI",
+    "urn:oid:1.3.6.1.4.1.5923.1.2.1.6" => "eduOrgWhitePagesURI",
+  }
+end
+
+require 'samlurai/auth_request'
+require 'samlurai/authn_contexts.rb'
+require 'samlurai/response'
+require 'samlurai/settings'
+require 'samlurai/name_identifiers'
+require 'samlurai/status_codes'
+require 'samlurai/meta_data'
+require 'samlurai/log_out_request'
+require 'samlurai/logout_response'

data/lib/samlurai/auth_request.rb

@@ -0,0 +1,53 @@
+module Samlurai
+  class AuthRequest
+    
+    attr_reader :settings, :id, :request_xml, :forward_url
+    
+    def initialize(settings)
+      @settings = settings
+    end
+    
+    def self.create(settings)
+      ar = AuthRequest.new(settings)
+      ar.generate_request
+    end
+    
+    def generate_request
+      @id = Samlurai::AuthRequest.generate_unique_id(42)
+      issue_instant = Samlurai::AuthRequest.get_timestamp
+
+      @request_xml = 
+        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{@id}\" Version=\"2.0\" IssueInstant=\"#{issue_instant}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{Array(settings.assertion_consumer_service_url).first}\">" +
+        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{@settings.issuer}</saml:Issuer>\n" +
+        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{@settings.name_identifier_format}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n"
+      
+      if @settings.requested_authn_context
+        @request_xml += "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">"
+        @request_xml += "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{@settings.requested_authn_context}</saml:AuthnContextClassRef>"
+        @request_xml += "</samlp:RequestedAuthnContext>\n"
+      end
+        
+      @request_xml += "</samlp:AuthnRequest>"
+
+      deflated_request  = Zlib::Deflate.deflate(@request_xml, 9)[2..-5]     
+      base64_request    = Base64.encode64(deflated_request)  
+      encoded_request   = CGI.escape(base64_request)
+
+      @forward_url = @settings.idp_sso_target_url + (@settings.idp_sso_target_url.include?("?") ? "&" : "?") + "SAMLRequest=" + encoded_request
+    end
+    
+    private 
+    
+    def self.generate_unique_id(length)
+      chars = ("a".."f").to_a + ("0".."9").to_a
+      chars_len = chars.size
+      unique_id = ("a".."f").to_a[rand(6)]
+      2.upto(length) { |i| unique_id << chars[rand(chars_len)] }
+      unique_id
+    end
+    
+    def self.get_timestamp
+      Time.new.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+  end
+end

data/lib/samlurai/authn_contexts.rb

@@ -0,0 +1,35 @@
+module Samlurai
+  module AuthnContexts
+    # see section 3.4 of http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
+    INTERNET_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"
+    INTERNET_PROTOCOL_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
+    KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
+    MOBILE_ONE_FACTOR_UNREGISTERED = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"
+    MOBILE_TWO_FACTOR_UNREGISTERED = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered"
+    MOBILE_ONE_FACTOR_CONTRACT = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"
+    MOBILE_TWO_FACTOR_CONTRACT = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
+    PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+    PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+    PREVIOUS_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"
+    X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
+    PGP = "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"
+    SPKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"
+    XMLD_SIG = "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"
+    SMARTCARD_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
+    SOFTWARE_PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"
+    TELEPHONY = "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"
+    NOMAD_TELEPHONY = "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony"
+    PERSONAL_TELEPHONY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony"
+    AUTHENTICATED_TELEPHONY = "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony"
+    SECURE_REMOTE_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"
+    TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
+    TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
+    UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
+    
+    ALL_CONTEXTS = [INTERNET_PROTOCOL_PASSWORD, KERBEROS, MOBILE_ONE_FACTOR_UNREGISTERED,
+                    MOBILE_TWO_FACTOR_UNREGISTERED, MOBILE_ONE_FACTOR_CONTRACT, MOBILE_TWO_FACTOR_CONTRACT,
+                    PASSWORD, PASSWORD_PROTECTED_TRANSPORT, PREVIOUS_SESSION, X509, PGP, SPKI, XMLD_SIG,
+                    SMARTCARD_PKI, SOFTWARE_PKI, TELEPHONY, NOMAD_TELEPHONY, PERSONAL_TELEPHONY,
+                    AUTHENTICATED_TELEPHONY, SECURE_REMOTE_PASSWORD, TLS_CLIENT, TIME_SYNC_TOKEN, UNSPECIFIED]
+  end
+end

data/lib/samlurai/log_out_request.rb

@@ -0,0 +1,52 @@
+module Samlurai
+  class LogOutRequest
+    attr_reader :settings, :id, :request_xml, :forward_url
+
+    def initialize(settings, session)
+      @settings = settings
+      @session = session
+    end
+
+    def self.create(settings, session)
+      ar = LogOutRequest.new(settings, session)
+      ar.generate_request
+    end
+    
+    def generate_request
+      @id = Samlurai::AuthRequest.generate_unique_id(42)
+      issue_instant = Samlurai::AuthRequest.get_timestamp
+      
+      @request_xml = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{@id}\" Version=\"2.0\" IssueInstant=\"#{issue_instant}\" Destination=\"#{@settings.idp_slo_target_url}\">" +
+          "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{@settings.issuer}</saml:Issuer>" +
+          "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"#{@session[:name_qualifier]}\" SPNameQualifier=\"#{@settings.issuer}\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\">#{@session[:name_id]}</saml:NameID>" + 
+          "<samlp:SessionIndex xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">#{@session[:session_index]}</samlp:SessionIndex>" +
+          "</samlp:LogoutRequest>"
+
+      if settings.sign?
+        @request_xml = XMLSecurity.sign(@request_xml, @settings.xmlsec_privatekey)
+      end
+
+      deflated_logout_request = Zlib::Deflate.deflate(@request_xml, 9)[2..-5]
+      base64_logout_request = Base64.encode64(deflated_logout_request)
+      encoded_logout_request = CGI.escape(base64_logout_request)
+
+      query_string = "SAMLRequest=" + encoded_logout_request
+
+      if settings.sign?
+        query_string += '&SigAlg=' + CGI.escape('http://www.w3.org/2000/09/xmldsig#rsa-sha1')
+        signature = _generate_signature(query_string, @settings.xmlsec_privatekey)
+        query_string += "&Signature=#{CGI.escape(signature)}"
+      end
+
+      @forward_url = @settings.idp_slo_target_url + (@settings.idp_slo_target_url.include?("?") ? "&" : "?") + query_string
+  
+      @forward_url
+    end
+
+    def _generate_signature(string, private_key)
+      pkey = OpenSSL::PKey::RSA.new(File.read(private_key))
+      sign = pkey.sign(OpenSSL::Digest::SHA1.new, string)
+      Base64.encode64(sign).gsub(/\s/, '')
+    end
+  end
+end

data/lib/samlurai/logout_response.rb

@@ -0,0 +1,38 @@
+module Samlurai
+  class LogoutResponse
+    
+    attr_reader :settings, :document, :xml, :response
+    attr_reader :status_code, :status_message, :issuer
+    attr_reader :in_response_to, :destination, :request_id
+    def initialize(response, settings=nil)
+      @response = response
+
+      @xml = Base64.decode64(@response)
+      zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      @xml = zlib.inflate(@xml)
+      @document = LibXML::XML::Document.string(@xml)
+
+      @request_id = @document.find_first("/samlp:LogoutResponse", Samlurai::NAMESPACES)['ID'] rescue nil
+      @issuer = @document.find_first("/samlp:LogoutResponse/saml:Issuer", Samlurai::NAMESPACES).content rescue nil
+      @in_response_to = @document.find_first("/samlp:LogoutResponse", Samlurai::NAMESPACES)['InResponseTo'] rescue nil
+      @destination = @document.find_first("/samlp:LogoutResponse", Samlurai::NAMESPACES)['Destination'] rescue nil
+      @status_code = @document.find_first("/samlp:LogoutResponse/samlp:Status/samlp:StatusCode", Samlurai::NAMESPACES)['Value'] rescue nil
+      @status_message = @document.find_first("/samlp:LogoutResponse/samlp:Status/samlp:StatusMessage", Samlurai::NAMESPACES).content rescue nil
+
+      process(settings) if settings
+    end
+
+    def process(settings)
+      @settings = settings
+      return unless @response
+    end
+
+    def logger=(val)
+      @logger = val
+    end
+    
+    def success_status?
+      @status_code == Samlurai::StatusCodes::SUCCESS_URI
+    end
+  end
+end

data/lib/samlurai/meta_data.rb

@@ -0,0 +1,43 @@
+module Samlurai
+  class MetaData
+    def self.create(settings)
+      xml = %{<?xml version="1.0"?>
+        <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="#{settings.issuer}">
+          <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      }
+      if settings.encryption_configured?
+        xml += %{
+            <KeyDescriptor>
+              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                <X509Data>
+                  <X509Certificate>
+                    #{File.read(settings.xmlsec_certificate).gsub(/\w*-+(BEGIN|END) CERTIFICATE-+\w*/, "").strip}
+                  </X509Certificate>
+                </X509Data>
+              </KeyInfo>
+              <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
+                <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
+              </EncryptionMethod>
+            </KeyDescriptor>
+        }
+      end
+      xml += %{
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="#{settings.sp_slo_url}"/>
+      }
+      Array(settings.assertion_consumer_service_url).each_with_index do |url, index|
+        xml += %{
+            <AssertionConsumerService index="#{index}" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="#{url}"/>
+        }
+      end
+      xml += %{
+          </SPSSODescriptor>
+          <ContactPerson contactType="technical">
+            <SurName>#{settings.tech_contact_name}</SurName>
+            <EmailAddress>mailto:#{settings.tech_contact_email}</EmailAddress>
+          </ContactPerson>
+        </EntityDescriptor>
+      }
+      xml
+    end
+  end
+end

data/lib/samlurai/name_identifiers.rb

@@ -0,0 +1,15 @@
+module Samlurai
+  module NameIdentifiers
+    # See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for further documentation
+    EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+    KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
+    PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+    TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    WINDOWS_DOMAIN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
+    X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
+    
+    ALL_IDENTIFIERS = [EMAIL, ENTITY, KERBEROS, PERSISTENT, TRANSIENT, UNSPECIFIED, WINDOWS_DOMAIN, X509]
+  end
+end

data/lib/samlurai/response.rb

@@ -0,0 +1,134 @@
+module Samlurai
+  class Response
+    attr_accessor :settings
+    attr_reader :document, :decrypted_document, :xml, :response
+    attr_reader :name_id, :name_qualifier, :session_index, :saml_attributes
+    attr_reader :status_code, :status_message
+    attr_reader :in_response_to, :destination, :issuer
+    attr_reader :validation_error
+
+    def initialize(response, settings=nil, validation_options={})
+      @response = response
+      @validation_options = validation_options
+
+      begin
+        @xml = Base64.decode64(@response)
+        @document = LibXML::XML::Document.string(@xml)
+      rescue => e
+        # could not parse document, everything is invalid
+        @response = nil
+        return
+      end
+
+      @issuer = @document.find_first("/samlp:Response/saml:Issuer", Samlurai::NAMESPACES).content rescue nil
+      @status_code = @document.find_first("/samlp:Response/samlp:Status/samlp:StatusCode", Samlurai::NAMESPACES)["Value"] rescue nil
+
+      process(settings) if settings
+    end
+
+    def process(settings)
+      @settings = settings
+      return unless @response
+
+      @decrypted_document = self.class.decrypt(@document, @settings)
+
+      @in_response_to = @decrypted_document.find_first("/samlp:Response", Samlurai::NAMESPACES)['InResponseTo'] rescue nil
+      @destination = @decrypted_document.find_first("/samlp:Response", Samlurai::NAMESPACES)['Destination'] rescue nil
+      @name_id = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Samlurai::NAMESPACES).content rescue nil
+      @saml_attributes = {}
+      @decrypted_document.find("//saml:Attribute", Samlurai::NAMESPACES).each do |attr|
+        attrname = attr['FriendlyName'] || Samlurai::ATTRIBUTES[attr['Name']] || attr['Name']
+        @saml_attributes[attrname] = attr.content.strip rescue nil
+      end
+      @name_qualifier = @decrypted_document.find_first("/samlp:Response//saml:Assertion/saml:Subject/saml:NameID", Samlurai::NAMESPACES)["NameQualifier"] rescue nil
+      @session_index = @decrypted_document.find_first("/samlp:Response//saml:Assertion/saml:AuthnStatement", Samlurai::NAMESPACES)["SessionIndex"] rescue nil
+      @status_message = @decrypted_document.find_first("/samlp:Response/samlp:Status/samlp:StatusCode", Samlurai::NAMESPACES).content rescue nil
+    end
+
+    def logger=(val)
+      @logger = val
+    end
+    
+    def is_valid?
+      if @response.nil? || @response == ""
+        @validation_error = "No response to validate"
+        return false
+      end
+      
+      if !@settings.idp_cert_fingerprint
+        @validation_error = "No fingerprint configured in SAML settings"
+        return false
+      end
+      
+      # Verify the original document if it has a signature, otherwise verify the signature
+      # in the encrypted portion. If there is no signature, then we can't verify.
+      verified = false
+      if @document.find_first("//ds:Signature", Samlurai::NAMESPACES)
+        verified = self.class.validate(@document, @validation_options.merge(:cert_fingerprint => @settings.idp_cert_fingerprint, :logger => @logger))
+        if !verified
+          return false
+        end
+      end
+
+      if !verified && @decrypted_document.find_first("//ds:Signature", Samlurai::NAMESPACES)
+        verified = self.class.validate(@decrypted_document, @validation_options.merge(:cert_fingerprint => @settings.idp_cert_fingerprint, :logger => @logger))
+        if !verified
+          return false
+        end
+      end
+      
+      if !verified
+        @validation_error = "No signature found in the response"
+        return false
+      end
+      
+      true
+    end
+    
+    def success_status?
+      @status_code == Samlurai::StatusCodes::SUCCESS_URI
+    end
+    
+    def auth_failure?
+      @status_code == Samlurai::StatusCodes::AUTHN_FAILED_URI
+    end
+    
+    def no_authn_context?
+      @status_code == Samlurai::StatusCodes::NO_AUTHN_CONTEXT_URI
+    end
+    
+    def fingerprint_from_idp
+      if base64_cert = @decrypted_document.find_first("//ds:X509Certificate", Samlurai::NAMESPACES)
+        cert_text = Base64.decode64(base64_cert.content)
+        cert = OpenSSL::X509::Certificate.new(cert_text)
+        Digest::SHA1.hexdigest(cert.to_der)
+      else
+        nil
+      end
+    end
+
+    def self.validate(document, options={})
+      auth_statement = document.find_first('//samlp:Response', Samlurai::NAMESPACES)
+      if auth_statement
+        options[:as_of] ||= auth_statement["IssueInstant"]
+      end
+      XMLSecurity.verify_signature(document.to_s(:indent => false), options)
+    end
+
+    # replaces EncryptedData nodes with decrypted copies
+    def self.decrypt(encrypted_document, settings)
+      if settings.encryption_configured?
+        decrypted_xml = nil
+        begin
+          decrypted_xml = XMLSecurity.decrypt(encrypted_document.to_s(:indent => false), settings.xmlsec_privatekey)
+        rescue Exception => e
+          # rescuing all exceptions here; bad. need to create superclass in xmlsecurity
+        end
+        if decrypted_xml
+          return LibXML::XML::Document.string(decrypted_xml)
+        end
+      end
+      encrypted_document
+    end
+  end
+end

data/lib/samlurai/settings.rb

@@ -0,0 +1,64 @@
+module Samlurai
+  class Settings
+    
+    def initialize(atts={})
+      atts.each do |key, val|
+        if self.respond_to? "#{key}="
+          self.send "#{key}=", val
+        end
+      end
+    end
+    
+    # The URL at which the SAML assertion should be received.
+    attr_accessor :assertion_consumer_service_url
+    
+    # The name of your application.
+    attr_accessor :issuer
+    
+    # 
+    attr_accessor :sp_name_qualifier
+    
+    # The IdP URL to which the authentication request should be sent.
+    attr_accessor :idp_sso_target_url
+    
+    # The IdP URL to which the logout request should be sent.
+    attr_accessor :idp_slo_target_url
+    
+    # The certificate fingerprint. This is provided from the identity provider when setting up the relationship.
+    attr_accessor :idp_cert_fingerprint
+    
+    # Describes the format of the username required by this application.
+    # For email: Samlurai::NameIdentifiers::EMAIL
+    attr_accessor :name_identifier_format
+    
+    # The type of authentication requested (see Samlurai::AuthnContexts)
+    attr_accessor :requested_authn_context
+    
+    ## Attributes for the metadata
+    
+    # The logout url of your application
+    attr_accessor :sp_slo_url
+    
+    # The name of the technical contact for your application 
+    attr_accessor :tech_contact_name
+    
+    # The email of the technical contact for your application
+    attr_accessor :tech_contact_email
+    
+    ## Attributes for xml encryption
+
+    # The PEM-encoded certificate
+    attr_accessor :xmlsec_certificate
+    
+    # The PEM-encoded private key
+    attr_accessor :xmlsec_privatekey
+    
+    def sign?
+      !!self.xmlsec_privatekey
+    end
+
+    def encryption_configured?
+      !!self.xmlsec_privatekey
+    end
+  end
+end

data/lib/samlurai/status_codes.rb

@@ -0,0 +1,28 @@
+module Samlurai
+  module StatusCodes
+    # See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 3.2.2 for further documentation
+    SUCCESS_URI = "urn:oasis:names:tc:SAML:2.0:status:Success"
+    REQUESTER_URI = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+    RESPONDER_URI = "urn:oasis:names:tc:SAML:2.0:status:Responder"
+    VERSION_MISMATCH_URI = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
+    AUTHN_FAILED_URI = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
+    INVALID_ATTR_NAME_VALUE_URI = "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"
+    INVALID_NAMEID_POLICY_URI = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
+    NO_AUTHN_CONTEXT_URI = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
+    NO_AVAILABLE_IDP_URI = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
+    NO_PASSIVE_URI = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
+    NO_SUPPORTED_IDP_URI = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
+    PARTIAL_LOGOUT_URI = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
+    PROXY_COUNT_EXCEEDED_URI = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"
+    REQUEST_DENIED_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
+    REQUEST_UNSUPPORTED_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
+    REQUEST_VERSION_DEPRECATED_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"
+    REQUEST_VERSION_TOO_HIGH_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
+    REQUEST_VERSION_TOO_LOW_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
+    RESOURCE_NOT_RECOGNIZED_URI = "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"
+    TOO_MANY_RESPONSES = "urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"
+    UNKNOWN_ATTR_PROFILE_URI = "urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"
+    UNKNOWN_PRINCIPAL_URI = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
+    UNSUPPORTED_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
+  end
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: samlurai
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Bracken
+- Zach
+- Cody
+- Jeremy
+- Paul
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-02-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: libxml-ruby
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.3.0
+- !ruby/object:Gem::Dependency
+  name: xml_security
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.3
+description: See http://github.com/phinze/samlurai
+email: paulh@instructure.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/samlurai/auth_request.rb
+- lib/samlurai/authn_contexts.rb
+- lib/samlurai/log_out_request.rb
+- lib/samlurai/logout_response.rb
+- lib/samlurai/meta_data.rb
+- lib/samlurai/name_identifiers.rb
+- lib/samlurai/response.rb
+- lib/samlurai/settings.rb
+- lib/samlurai/status_codes.rb
+- lib/samlurai.rb
+homepage: http://github.com/phinze/samlurai
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: A ruby library for SAML service providers
+test_files: []
+has_rdoc: