scashin133-rsaml 0.1.0

data/lib/rsaml/protocol/name_id_policy.rb

@@ -0,0 +1,31 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Tailors the name identifier in the subjects of assertions resulting from an authentication request.
+    class NameIdPolicy
+      # Specifies the URI reference corresponding to a name identifier format
+      attr_accessor :format
+      
+      # Optionally specifies that the assertion subject's identifier be returned (or created) in the namespace of 
+      # a service provider other than the requester, or in the namespace of an affiliation group of service 
+      # providers.
+      attr_accessor :sp_name_qualifier
+      
+      # A Boolean value used to indicate whether the identity provider is allowed, in the course of fulfilling the 
+      # request, to create a new identifier to represent the principal. Defaults to "false". When "false", the 
+      # requester constrains the identity provider to only issue an assertion to it if an acceptable identifier for 
+      # the principal has already been established. Note that this does not prevent the identity provider from 
+      # creating such identifiers outside the context of this specific request (for example, in advance for a 
+      # large number of principals).
+      attr_accessor :allow_create
+      
+      # Construct an XML fragment representing the name id policy
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['Format'] = format unless format.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        attributes['AllowCreate'] = allow_create unless allow_create.nil?
+        xml.tag!('samlp:NameIDPolicy', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query/attribute_query.rb

@@ -0,0 +1,56 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # used to make the query "Return the requested attributes for this subject." A successful response 
+      # will be in the form of assertions containing attribute statements, to the extent allowed by policy.
+      class AttributeQuery < SubjectQuery
+        # Each attribute element specifies an attribute whose value(s) are to be returned. If no 
+        # attributes are specified, it indicates that all attributes allowed by policy are requested. 
+        # If a given attribute element contains one or more AttributeValue elements, then if that attribute 
+        # is returned in the response, it MUST NOT contain any values that are not equal to the values 
+        # specified in the query. In the absence of equality rules specified by particular profiles or 
+        # attributes, equality is defined as an identical XML representation of the value. Each value in 
+        # the array MUST be an Attribute instance.
+        def attributes
+          @attributes ||= []
+        end
+      
+        # Validate the structure of the attribute query.
+        def validate
+          matched = {}
+          duplicated_attributes = []
+          attributes.each do |attribute|
+            if matched.has_key?(attribute.name) && matched[attribute.name] == attribute.name_format
+              duplicated_attributes << attribute.name unless duplicated_attributes.include?(attribute.name)
+            else
+              matched[attribute.name] = attribute.name_format
+            end
+          end
+          if !duplicated_attributes.empty?
+            raise ValidationError, "An attribute with the same name and name format may only be specified once. The following attributes were specified multiple times: #{duplicated_attributes.join(',')}"
+          end
+        end
+      
+        # Construct an XML fragment representing the attribute query
+        def to_xml(xml=Builder::XmlMarkup.new)
+          xml_attributes = {}
+          xml.tag!('samlp:AttributeQuery', xml_attributes) {
+            xml << subject.to_xml unless subject.nil?
+            attributes.each { |attribute| xml << attribute.to_xml }
+          }
+        end
+        
+        # Construct an AttributeQuery instance from the XML Element.
+        def self.from_xml(element)
+          element = REXML::Document.new(element).root if element.is_a?(String)
+          subject = Subject.from_xml(element.get_elements('saml:Subject').first)
+          attribute_query = AttributeQuery.new(subject)
+          element.get_elements('saml:Attribute').each do |attribute_element|
+            attribute_query.attributes << Attribute.from_xml(attribute_element)
+          end
+          attribute_query
+        end
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query/authn_query.rb

@@ -0,0 +1,30 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # An AuthnQuery is used to make the query "What assertions containing authentication statements 
+      # are available for this subject?" A successful response will contain one or more assertions containing 
+      # authentication statements.
+      class AuthnQuery < SubjectQuery
+        # If present, specifies a filter for possible responses. Such a query asks the question "What assertions 
+        # containing authentication statements do you have for this subject within the context of the supplied 
+        # session information?" The value of this attribute MUST be a string.
+        attr_accessor :session_index
+      
+        # If present, specifies a filter for possible responses. Such a query asks the question "What assertions 
+        # containing authentication statements do you have for this subject that satisfy the authentication 
+        # context requirements in this element?" The value of this attribute MUST be a RequestedAuthnContext
+        # instance.
+        attr_accessor :requested_authn_context
+      
+        # Construct an XML fragment representing the authn query
+        def to_xml(xml=Builder::XmlMarkup.new)
+          attributes = {}
+          attributes['SessionIndex'] = session_index unless session_index.nil?
+          xml.tag!('samlp:AuthnQuery', attributes) {
+            xml << subject.to_xml unless subject.nil?
+          }
+        end
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query/authz_decision_query.rb

@@ -0,0 +1,40 @@
+# Source code for the RSAML::Protocol::Query::AuthzDecisionQuery class.
+
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # Used to make the query "Should these actions on this resource be allowed for this subject, 
+      # given this evidence?" A successful response will be in the form of assertions containing 
+      # authorization decision statements.
+      class AuthzDecisionQuery < SubjectQuery
+        # A URI reference indicating the resource for which authorization is requested.
+        attr_accessor :resource
+        
+        # The actions for which authorization is requested.
+        def actions
+          @actions ||= []
+        end
+        
+        # A set of assertions that the SAML authority MAY rely on in making its authorization decision.
+        attr_accessor :evidence
+        
+        # Validate the query structure.
+        def validate
+          raise ValidationError, "Resource is required" if resource.nil?
+          raise ValidationError, "At least one action is required" if actions.empty?
+          actions.each { |action| action.validate }
+        end
+        
+        # Construct an XML fragment representing the authorization decision query
+        def to_xml(xml=Builder::XmlMarkup.new)
+          attributes = {'Resource' => resource}
+          xml.tag!('samlp:AuthzDecisionQuery', attributes) {
+            xml << subject.to_xml unless subject.nil?
+            actions.each { |action| xml << action.to_xml }
+            xml << evidence.to_xml unless evidence.nil?
+          }
+        end
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query/subject_query.rb

@@ -0,0 +1,22 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # Extension point that allows new SAML queries to be defined that specify a single SAML subject.
+      # This class should not be instantiated directly.
+      class SubjectQuery < RSAML::Protocol::Request
+        # The subject
+        attr_accessor :subject
+      
+        # Initialize the subject query
+        def initialize(subject)
+          @subject = subject
+        end
+      
+        # Validate the subject query structure.
+        def validate
+          raise ValidationError, "Subject is required" if subject.nil?
+        end
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query.rb

@@ -0,0 +1,12 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Module containing SAML query classes.
+    module Query
+    end
+  end
+end
+
+require 'rsaml/protocol/query/subject_query'
+require 'rsaml/protocol/query/authn_query'
+require 'rsaml/protocol/query/attribute_query'
+require 'rsaml/protocol/query/authz_decision_query'

data/lib/rsaml/protocol/request.rb

@@ -0,0 +1,27 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A SAML request
+    class Request < Message
+      # Generate a Response instance with the given status code. The response's in_response_to attribute
+      # will be set to the ID of the request.
+      def respond(status)
+        response = Response.new(status)
+        response.in_response_to = id
+        response
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'ID' => id, 'Version' => version, 'IssueInstant' => issue_instant.xmlschema}
+        attributes['Destination'] = destination unless destination.nil?
+        attributes['Consent'] = consent unless consent.nil?
+        attributes = add_xmlns(attributes)
+        xml.tag!('samlp:Request', attributes) {
+          xml << issuer.to_xml unless issuer.nil?
+          xml << signature.to_xml unless signature.nil?
+          # TODO: add extensions support
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/requested_authn_context.rb

@@ -0,0 +1,34 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Specifies the authentication context requirements of authentication statements returned in 
+    # response to a request or query.
+    class RequestedAuthnContext
+      # List of available comparison values
+      def self.comparisons
+        @comparisons ||= ['exact','minimum','maximum','better']
+      end
+      
+      # Authentication context references, either AuthnContextDeclRef or AuthnContextClassRef.
+      def authn_context_refs
+        @authn_context_refs ||= []
+      end
+      
+      # Specifies the comparison method used to evaluate the requested context classes or statements, one 
+      # of "exact", "minimum", "maximum", or "better". The default is "exact"
+      def comparison
+        @comparison ||= 'exact'
+      end
+      
+      # Validate the structure of the requested authn context
+      def validate
+        raise ValidationError, "Unknown comparison type: #{comparison}" unless RequestedAuthContext.comparisons.include?(comparison)
+      end
+      
+      # Construct an XML fragment representing the requested authn context
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Comparison' => comparison}
+        xml.tag!('samlp:RequestedAuthnContext')
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/response.rb

@@ -0,0 +1,56 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A SAML response
+    class Response < Message
+      # A reference to the identifier of the request to which the response corresponds, if any. If the response 
+      # is not generated in response to a request, or if the ID attribute value of a request cannot be 
+      # determined (for example, the request is malformed), then this attribute MUST NOT be present. 
+      # Otherwise, it MUST be present and its value MUST match the value of the corresponding request's 
+      # ID attribute.
+      attr_accessor :in_response_to
+      
+      # A code representing the status of the corresponding request.
+      attr_accessor :status
+      
+      # Initialize the Response instance
+      def initialize(status)
+        super()
+        @status = status
+      end
+      
+      # SAML assertions
+      def assertions
+        @assertions ||= []
+      end
+      
+      # SAML encrypted assertions
+      def encrypted_assertions
+        @encrypted_assertions ||= []
+      end
+      
+      # Validate the request structure
+      def validate
+        super
+        raise ValidationError, "Status must be specified" if status.nil?
+        raise ValidationError, "Status must be a RSAML::Protocol::Status instance" unless status.is_a?(Status)
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'ID' => id, 'Version' => version, 'IssueInstant' => issue_instant.xmlschema}
+        attributes['InResponseTo'] = in_response_to unless in_response_to.nil?
+        attributes['Destination'] = destination unless destination.nil?
+        attributes['Consent'] = consent unless consent.nil?
+        attributes = add_xmlns(attributes)
+        xml.tag!('samlp:Response', attributes) {
+          xml << issuer.to_xml unless issuer.nil?
+          xml << signature.to_xml unless signature.nil?
+          # TODO: add extensions support
+          xml << status.to_xml unless status.nil?
+          assertions.each { |assertion| xml << assertion.to_xml }
+          encrypted_assertions.each { |encrypted_assertion| xml << encrypted_assertion.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/scoping.rb

@@ -0,0 +1,33 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # specifies the identity providers trusted by the requester to authenticate the presenter, as well as 
+    # limitations and context related to proxying of the <AuthnRequest> message to subsequent identity 
+    # providers by the responder.
+    class Scoping
+      # Specifies the number of proxying indirections permissible between the identity provider that receives 
+      # this <AuthnRequest> and the identity provider who ultimately authenticates the principal. A count of 
+      # zero permits no proxying, while omitting this attribute expresses no such restriction.
+      attr_accessor :proxy_count
+      
+      # An advisory list of identity providers and associated information that the requester deems acceptable 
+      # to respond to the request.
+      attr_accessor :idp_list
+      
+      # Identifies the set of requesting entities on whose behalf the requester is acting. Used to communicate 
+      # the chain of requesters when proxying occurs.
+      def requestor_ids
+        @requestor_ids ||= []
+      end
+      
+      # Construct an XML fragment representing the scoping
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['ProxyCount'] = proxy_count if proxy_count
+        xml.tag!('samlp:Scoping', attributes) {
+          xml << idp_list.to_xml if idp_list
+          requestor_ids.each { |requestor_id| xml << requestor_id.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/status.rb

@@ -0,0 +1,38 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A SAML status indicator.
+    class Status
+      # A code representing the status of the activity carried out in response to the corresponding request.
+      attr_accessor :status_code
+      
+      # A message which MAY be returned to an operator.
+      attr_accessor :status_message
+      
+      # Initialize the status with the given status code
+      def initialize(status_code)
+        @status_code = status_code
+      end
+      
+      # Additional information concerning the status of the request. All objects in the collection must
+      # respond to the to_xml method.
+      def status_detail
+        @status_detail ||= []
+      end
+      
+      # Validate the structure of the Status instance
+      def validate
+        raise ValidationError, "Status code required" if status_code.nil?
+        raise ValidationError, "Status code must be a RSAML::Protocol::StatusCode instance" unless status_code.is_a?(StatusCode)
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('samlp:Status') {
+          xml << status_code.to_xml unless status_code.nil?
+          xml.tag!('StatusMessage', status_message) unless status_message.nil?
+          status_detail.each { |status_detail| xml << status_detail.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/status_code.rb

@@ -0,0 +1,84 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A code or a set of nested codes representing the status of the corresponding request.
+    # 
+    # More information on available status codes may be found in Section 3.2.2.2 of the SAML 2.0 Core
+    # specification.
+    class StatusCode
+      # Initialize the status code with the given value
+      def initialize(value)
+        @value = value
+      end
+      
+      # Constant respresenting the Success status
+      SUCCESS = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:Success')
+      
+      # Constant representing the Requestor status
+      REQUESTOR = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:Requestor')
+      
+      # Constant representing the Responder status
+      RESPONDER = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:Responder')
+      
+      # Constant representing the VersionMismatch status
+      VERSION_MISMATCH = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:VersionMismatch')
+      
+      # Hash of symbol/StatusCode pairs representing top-level status codes.
+      def self.top_level_status_codes
+        @top_level_status_codes ||= {
+          :success => SUCCESS,
+          :requestor => REQUESTOR,
+          :responder => RESPONDER,
+          :version_mismatch => VERSION_MISMATCH
+        }
+      end
+      
+      # Hash of symbol/StatusCode pairs representing second-level status codes.
+      def self.second_level_status_codes
+        @second_level_status_codes ||= {
+          :authn_failed => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:AuthnFailed'),
+          :invalid_attr_name_or_value => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue'),
+          :invalid_name_id_policy => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'),
+          :no_authn_context => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext'),
+          :no_available_idp => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP'),
+          :no_passive => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoPassive'),
+          :no_supported_idp => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP'),
+          :partial_logout => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:PartialLogout'),
+          :proxy_count_exceeded => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'),
+          :request_denied => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestDenied'),
+          :request_unsupported => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported'),
+          :request_version_deprecated => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated'),
+          :request_version_too_high => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh'),
+          :request_version_too_low => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow'),
+          :resource_not_recognized => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized'),
+          :too_many_responses => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:TooManyResponse'),
+          :unknown_attr_profile => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile'),
+          :unknown_principal => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal'),
+          :unsupported_binding => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding'),
+        }
+      end
+      
+      # The status code value. Value is a URI reference.
+      attr_accessor :value
+      
+      # An optional child status code.
+      attr_accessor :status_code
+      
+      def validate
+        raise ValidationError, "Value is required" if value.nil?
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Value' => value}
+        xml.tag!('samlp:StatusCode', attributes) {
+          xml << status_code.to_xml unless status_code.nil?
+        }
+      end
+      
+      # Return the value of the status code as a string.
+      def to_s
+        value
+      end
+    end
+  end
+end

data/lib/rsaml/protocol.rb

@@ -0,0 +1,21 @@
+module RSAML #:nodoc:
+  # The protocol module contains request and response classes for the SAML protocol implementation
+  module Protocol 
+  end
+end
+
+require 'rsaml/protocol/message'
+require 'rsaml/protocol/status_code'
+require 'rsaml/protocol/status'
+require 'rsaml/protocol/request'
+require 'rsaml/protocol/response'
+
+require 'rsaml/protocol/name_id_policy'
+require 'rsaml/protocol/scoping'
+require 'rsaml/protocol/idp_list'
+require 'rsaml/protocol/idp_entry'
+
+require 'rsaml/protocol/assertion_id_request'
+require 'rsaml/protocol/authn_request'
+
+require 'rsaml/protocol/query'

data/lib/rsaml/proxy_restriction.rb

@@ -0,0 +1,30 @@
+module RSAML #:nodoc:
+  # Specifies limitations that the asserting party imposes on relying parties that in turn wish to act as asserting 
+  # parties and issue subsequent assertions of their own on the basis of the information contained in the 
+  # original assertion. A relying party acting as an asserting party MUST NOT issue an assertion that itself 
+  # violates the restrictions specified in this condition on the basis of an assertion containing such a condition.
+  class ProxyRestriction
+    # Specifies the maximum number of indirections that the asserting party permits to exist between this 
+    # assertion and an assertion which has ultimately been issued on the basis of it.
+    attr_accessor :count
+    
+    def audiences
+      @audiences ||= []
+    end
+    
+    # Validate the structure
+    def validate
+      raise ValidationError, "Count must be 0 or more if specified" if !count.nil? && count < 0
+    end
+    
+    # Construct an XML fragment representing the proxy restriction
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Count'] = count unless count.nil?
+      xml.tag!('saml:ProxyRestriction', attributes) {
+        audiences.each { |audience| xml << audience.to_xml }
+      }
+    end
+    
+  end
+end

data/lib/rsaml/statement/attribute_statement.rb

@@ -0,0 +1,27 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # The assertion subject is associated with the supplied attributes.
+    class AttributeStatement < Base
+      # Specifies attributes of the assertion subject.
+      def attributes
+        @attributes ||= []
+      end
+      
+      # Validate the structure of the attribute statement. Raises a validation error if:
+      #
+      # * Has no attributes specified
+      # * Any of the attributes are invalid
+      def validate
+        raise ValidationError, "At least one attribute must be specified" if @attributes.empty?
+        @attributes.each { |attribute| attribute.validate }
+      end
+      
+      # Construct an XML fragment representing the authentication statement
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('saml:AttributeStatement') {
+          attributes.each { |attribute| xml << attribute.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/statement/authentication_statement.rb

@@ -0,0 +1,57 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # The assertion subject was authenticated by a particular means at a particular time.
+    class AuthenticationStatement < Base
+      # Specifies the time at which the authentication took place. The time value is encoded in UTC
+      attr_accessor :authn_instant
+    
+      # Specifies the index of a particular session between the principal identified by the subject and the 
+      # authenticating authority. In general, any string value MAY be used as a SessionIndex value. 
+      # However, when privacy is a consideration, care must be taken to ensure that the SessionIndex 
+      # value does not invalidate other privacy mechanisms. Accordingly, the value SHOULD NOT be usable 
+      # to correlate activity by a principal across different session participants.
+      attr_accessor :session_index
+    
+      # Specifies a time instant at which the session between the principal identified by the subject and the 
+      # SAML authority issuing this statement MUST be considered ended. The time value is encoded in 
+      # UTCSpecifies
+      attr_accessor :session_not_on_or_after
+    
+      # Specifies the DNS domain name and IP address for the system from which the assertion subject was 
+      # apparently authenticated.
+      attr_accessor :subject_locality
+    
+      # The authentication context.
+      attr_accessor :authn_context
+    
+      # Initialize the statement
+      def initialize(authn_context)
+        @authn_context = authn_context
+        @authn_instant = Time.now.utc
+      end
+      
+      # Validate the structure of the authentication statement. Raise a ValidationError if the 
+      # statement is invalid.
+      def validate
+        if session_not_on_or_after && !session_not_on_or_after.utc?
+          raise ValidationError, "Session not on or after must be UTC"
+        end
+        raise ValidationError, "Authn context required" unless authn_context
+        raise ValidationError, "Authn instant required" unless authn_instant
+        raise ValidationError, "Authn instant must be UTC" unless authn_instant.utc?
+      end
+      
+      # Construct an XML fragment representing the authentication statement
+      def to_xml(xml=Builder::XmlMarkup.new)
+        validate
+        attributes = {'AuthnInstant' => authn_instant.xmlschema}
+        attributes['SessionIndex'] = session_index unless session_index.nil?
+        attributes['SessionNotOnOrAfter'] = session_not_on_or_after.xmlschema unless session_not_on_or_after.nil?
+        xml.tag!('saml:AuthnStatement', attributes) {
+          xml << authn_context.to_xml
+          xml << subject_locality.to_xml unless subject_locality.nil?
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/statement/authorization_decision_statement.rb

@@ -0,0 +1,53 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # A request to allow the assertion subject to access the specified resource 
+    # has been granted or denied.
+    class AuthorizationDecisionStatement < Base
+      # defines the possible values to be reported as the status of an authorization decision statement. 
+      # 
+      # Possible values are:
+      # * <tt>Permit</tt>: The specified action is permitted. 
+      # * <tt>Deny</tt>: The specified action is denied. 
+      # * <tt>Indeterminate</tt> The SAML authority cannot determine whether the specified action 
+      #   is permitted or denied.
+      def self.decision_types
+        %w(Permit Deny Indeterminate)
+      end
+      
+      # A URI reference identifying the resource to which access authorization is sought. 
+      # This attribute MAY have the value of the empty URI reference (""), and the meaning 
+      # is defined to be "the start of the current document"
+      attr_accessor :resource
+      
+      # The decision rendered by the SAML authority with respect to the specified resource.
+      attr_accessor :decision
+      
+      # The set of actions authorized to be performed on the specified resource.
+      def actions
+        @actions ||= []
+      end
+      
+      # A set of assertions that the SAML authority relied on in making the decision.
+      def evidence
+        @evidence ||= []
+      end
+      
+      # Validate the structure
+      def validate
+        raise ValidationError, "Resource is required" if resource.nil?
+        raise ValidationError, "Decision is required" if decision.nil?
+        raise ValidationError, "One or more actions must be specified" if actions.empty?
+        actions.each { |action| action.validate }
+      end
+      
+      # Construct an XML fragment representing the authorization decision statement
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Resource' => resource, 'Decision' => decision}
+        xml.tag!('saml:AuthzStatement', attributes) {
+          actions.each { |action| xml << action.to_xml }
+          evidence.each { |e| xml << e.to_xml }
+        }
+      end
+    end
+  end
+end