spid-es 0.0.1

data/lib/spid/ruby-saml/response.rb

@@ -0,0 +1,202 @@
+require "xml_security"
+require "time"
+require "nokogiri"
+require "base64"
+require "openssl"
+require "digest/sha1"
+
+# Only supports SAML 2.0
+module Spid
+  module Saml
+
+    class Response
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_accessor :options, :response, :document, :settings
+
+      def initialize(response, options = {})
+        raise ArgumentError.new("Response cannot be nil") if response.nil?
+        self.options  = options
+        self.response = response
+        begin
+          self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+        rescue REXML::ParseException => e
+          if response =~ /</
+            self.document = XMLSecurity::SignedDocument.new(response)
+          else
+            raise e
+          end
+        end
+        
+      end
+
+      def is_valid?
+        validate
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= begin
+          node = REXML::XPath.first(document, "/saml2p:Response/saml2:Assertion[@ID='#{document.signed_element_id}']/saml2:Subject/saml2:NameID")
+          node ||=  REXML::XPath.first(document, "/saml2p:Response[@ID='#{document.signed_element_id}']/saml2:Assertion/saml2:Subject/saml2:NameID")
+          node.nil? ? nil : node.text
+        end
+      end
+
+      # A hash of alle the attributes with the response. Assuming there is only one value for each key
+      def attributes
+        @attr_statements ||= begin
+          result = {}
+
+          stmt_element = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AttributeStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          return {} if stmt_element.nil?
+
+          stmt_element.elements.each do |attr_element|
+            name  = attr_element.attributes["Name"]
+            value = attr_element.elements.first.text
+
+            result[name] = value
+          end
+
+          result.keys.each do |key|
+            result[key.intern] = result[key]
+          end
+
+          result
+        end
+      end
+
+      # When this user session should expire at latest
+      def session_expires_at
+        @expires_at ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          parse_time(node, "SessionNotOnOrAfter")
+        end
+      end
+      
+      # Checks the status of the response for a "Success" code
+      def success?
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
+        end
+      end
+
+      # Conditions (if any) for the assertion to run
+      def conditions
+        @conditions ||= begin
+          REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']/a:Conditions", { "p" => PROTOCOL, "a" => ASSERTION })
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||= REXML::XPath.first(document, "/p:Response/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      private
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+    def validate(soft = true)
+        # prime the IdP metadata before the document validation. 
+        # The idp_cert needs to be populated before the validate_response_state method
+        
+        if settings 
+          Spid::Saml::Metadata.new(settings).get_idp_metadata
+        end
+          return false if validate_structure(soft) == false
+          return false if validate_response_state(soft) == false
+          return false if validate_conditions(soft) == false
+        
+        # Just in case a user needs to toss out the signature validation,
+        # I'm adding in an option for it.  (Sometimes canonicalization is a bitch!)
+        return true if settings.skip_validation == true
+        
+        # document.validte populates the idp_cert
+          return false if document.validate(get_fingerprint, soft) == false
+        
+        # validate response code
+        return false if success? == false  
+
+        return true
+    end
+
+
+      def validate_structure(soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(self.document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| raise(Exception.new("#{error.message}\n\n#{@xml.to_s}")) }
+        end
+      end
+
+      def validate_response_state(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def get_fingerprint
+        if settings.idp_cert
+          cert_text = Base64.decode64(settings.idp_cert)
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        else
+          settings.idp_cert_fingerprint
+        end
+        
+      end
+
+      def validate_conditions(soft = true)
+        return true if conditions.nil?
+        return true if options[:skip_conditions]
+
+        if not_before = parse_time(conditions, "NotBefore")
+          if Time.now.utc < not_before
+            return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+          end
+        end
+
+        if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
+          if Time.now.utc >= not_on_or_after
+            return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+          end
+        end
+
+        true
+      end
+
+      def parse_time(node, attribute)
+        if node && node.attributes[attribute]
+          Time.parse(node.attributes[attribute])
+        end
+      end
+    end
+  end
+end

data/lib/spid/ruby-saml/settings.rb

@@ -0,0 +1,72 @@
+require "xml_security_new"
+
+module Spid
+  module Saml
+    class Settings
+     
+      attr_accessor :sp_name_qualifier, :sp_cert, :sp_private_key, :metadata_signed, :requested_attribute, :organization
+      attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_target_url, :idp_metadata, :idp_metadata_ttl, :idp_name_qualifier
+      attr_accessor :assertion_consumer_service_binding, :assertion_consumer_service_url
+      attr_accessor :name_identifier_value, :name_identifier_format
+      attr_accessor :sessionindex, :issuer, :destination_service_url, :authn_context, :requester_identificator
+      attr_accessor :single_logout_service_url, :single_logout_service_binding, :single_logout_destination
+      attr_accessor :skip_validation
+    
+      def initialize(config = {})
+        config.each do |k,v|
+          acc = "#{k.to_s}=".to_sym
+          self.send(acc, v) if self.respond_to? acc
+        end
+
+        # Set some sane default values on a few options
+        self.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        self.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        # Default cache TTL for metadata is 1 day
+        self.idp_metadata_ttl = 86400
+      end
+
+
+      def get_fingerprint
+        idp_cert_fingerprint || begin
+          idp_cert = get_idp_cert
+          if idp_cert
+            fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(idp_cert_fingerprint_algorithm).new
+            fingerprint_alg.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
+      #
+      def get_idp_cert
+        return nil if idp_cert.nil? || idp_cert.empty?
+        #decoded_content = Base64.decode64(File.read(idp_cert))
+        #formatted_cert = Spid::Saml::Utils.format_cert(idp_cert)
+        OpenSSL::X509::Certificate.new(File.read(idp_cert))
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert
+        return nil if sp_cert.nil? || sp_cert.empty?
+        #decoded_content = Base64.decode64(File.read(sp_cert))
+        #formatted_cert = Spid::Saml::Utils.format_cert(decoded_content)
+        OpenSSL::X509::Certificate.new(File.read(sp_cert))
+      end
+
+      # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
+      #
+      def get_sp_key
+        return nil if sp_private_key.nil? || sp_private_key.empty?
+
+        #formatted_private_key = Spid::Saml::Utils.format_private_key(sp_private_key)
+        OpenSSL::PKey::RSA.new(File.read(sp_private_key))
+      end
+
+
+
+
+
+    end
+  end
+end

data/lib/spid/ruby-saml/validation_error.rb

@@ -0,0 +1,7 @@
+module Spid
+  module Saml
+    class ValidationError < Exception
+    end
+  end
+end
+

data/lib/spid/ruby-saml/version.rb

@@ -0,0 +1,5 @@
+module Spid
+  module Saml
+    VERSION = '0.6.0'
+  end
+end

data/lib/spid-es.rb

@@ -0,0 +1,14 @@
+require "xml_security"
+require 'spid/ruby-saml/utils'
+require 'spid/ruby-saml/logging'
+require 'spid/ruby-saml/coding'
+require 'spid/ruby-saml/request'
+require 'spid/ruby-saml/authrequest'
+require 'spid/ruby-saml/logout_request'
+require 'spid/ruby-saml/logout_response'
+require 'spid/ruby-saml/response'
+require 'spid/ruby-saml/settings'
+require 'spid/ruby-saml/error_handling'
+require 'spid/ruby-saml/validation_error'
+require 'spid/ruby-saml/metadata'
+require 'spid/ruby-saml/version'

data/lib/xml_security.rb

@@ -0,0 +1,165 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+require "spid/ruby-saml/validation_error"
+
+module XMLSecurity
+
+  class SignedDocument < REXML::Document
+    C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
+    DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+    attr_accessor :signed_element_id, :sig_element, :noko_sig_element
+
+    def initialize(response)
+      super(response)
+      extract_signed_element_id
+    end
+
+    def validate(idp_cert_fingerprint, soft = true)
+      # get cert from response
+      cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+      base64_cert  = cert_element.text
+      cert_text    = Base64.decode64(base64_cert)
+      cert         = OpenSSL::X509::Certificate.new(cert_text)
+
+      # check cert matches registered idp cert
+      fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+
+      if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+        return soft ? false : (raise Spid::Saml::ValidationError.new("Fingerprint mismatch"))
+      end
+
+      validate_doc(base64_cert, soft)
+    end
+
+    def validate_doc(base64_cert, soft = true)
+      # validate references
+
+      # check for inclusive namespaces
+      inclusive_namespaces = extract_inclusive_namespaces
+
+      document = Nokogiri.parse(self.to_s)
+
+      # store and remove signature node
+      self.sig_element ||= begin
+        element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>DSIG})
+        element.remove
+      end
+
+
+      # verify signature
+      signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
+      self.noko_sig_element ||= document.at_xpath('//ds:Signature', 'ds' => DSIG)
+      noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+      canon_algorithm = canon_algorithm REXML::XPath.first(sig_element, '//ds:CanonicalizationMethod')
+      canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+      noko_sig_element.remove
+
+      # check digests
+      REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
+        uri                           = ref.attributes.get_attribute("URI").value
+
+        hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
+        canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod')
+        canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces).gsub('&','&amp;')
+
+        digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+
+        hash                          = digest_algorithm.digest(canon_hashed_element)
+        digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
+
+        unless digests_match?(hash, digest_value)
+          return soft ? false : (raise Spid::Saml::ValidationError.new("Digest mismatch"))
+        end
+      end
+
+      base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
+      signature               = Base64.decode64(base64_signature)
+
+      # get certificate object
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+      # signature method
+      signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+
+      unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+        return soft ? false : (raise Spid::Saml::ValidationError.new("Key validation error"))
+      end
+
+      return true
+    end
+
+    private
+
+    def digests_match?(hash, digest_value)
+      hash == digest_value
+    end
+
+    def extract_signed_element_id
+      reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+      self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
+    end
+
+    def canon_algorithm(element)
+      algorithm = element.attribute('Algorithm').value if element
+      case algorithm
+        when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
+        else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+      end
+    end
+
+    def algorithm(element)
+      algorithm = element.attribute("Algorithm").value if element
+      algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
+      case algorithm
+      when 256 then OpenSSL::Digest::SHA256
+      when 384 then OpenSSL::Digest::SHA384
+      when 512 then OpenSSL::Digest::SHA512
+      else
+        OpenSSL::Digest::SHA1
+      end
+    end
+
+    def extract_inclusive_namespaces
+      if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+        prefix_list = element.attributes.get_attribute("PrefixList").value
+        prefix_list.split(" ")
+      else
+        []
+      end
+    end
+
+  end
+end

data/spid-es.gemspec

@@ -0,0 +1,23 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+
+Gem::Specification.new do |s|
+  s.name = 'spid-es'
+  s.version = '0.0.1'
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Fabiano Pavan"]
+  s.date = Time.now.strftime("%Y-%m-%d")
+  s.description = %q{SAML toolkit for Ruby programs to integrate with SPID }
+  s.email = %q{fabiano.pavan@soluzionipa.it}
+  s.files = `git ls-files`.split("\n")
+  s.homepage = %q{https://github.com/EuroServizi/spid-es}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.summary = %q{SAML Ruby Tookit Spid}
+  s.license = "MIT"
+
+  s.add_runtime_dependency("canonix", ["0.1.1"])
+  s.add_runtime_dependency("uuid", ["~> 2.3"])
+  s.add_runtime_dependency("nokogiri", '~> 1.6', '>= 1.6.7.2')
+  s.add_runtime_dependency("addressable", '~> 2.4', '>= 2.4.0')
+end

data/test/certificates/certificate1

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD
+YWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv
+Z2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloX
+DTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
+aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX
+BgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDug
+MK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0ed
+MOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMB
+AA==
+-----END CERTIFICATE-----

data/test/logoutrequest_test.rb

@@ -0,0 +1,98 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class RequestTest < Test::Unit::TestCase
+
+  context "Logoutrequest" do
+    settings = Spid::Saml::Settings.new
+
+    should "create the deflated SAMLRequest URL parameter" do
+      settings.idp_slo_target_url = "http://unauth.com/logout"
+      unauth_url = Spid::Saml::Logoutrequest.new.create(settings)
+      assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
+
+      inflated = decode_saml_request_payload(unauth_url)
+
+      assert_match /^<samlp:LogoutRequest/, inflated
+    end
+
+    should "support additional params" do
+
+      unauth_url = Spid::Saml::Logoutrequest.new.create(settings, { :hello => nil })
+      assert unauth_url =~ /&hello=$/
+
+      unauth_url = Spid::Saml::Logoutrequest.new.create(settings, { :foo => "bar" })
+      assert unauth_url =~ /&foo=bar$/
+    end
+
+    should "set sessionindex" do
+      settings.idp_slo_target_url = "http://example.com"
+      sessionidx = UUID.new.generate
+      settings.sessionindex = sessionidx
+
+      unauth_url = Spid::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
+      inflated = decode_saml_request_payload(unauth_url)
+
+      assert_match /<samlp:SessionIndex/, inflated
+      assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
+    end
+
+    should "set name_identifier_value" do
+      settings = Spid::Saml::Settings.new
+      settings.idp_slo_target_url = "http://example.com"
+      settings.name_identifier_format = "transient"
+      name_identifier_value = "abc123"
+      settings.name_identifier_value = name_identifier_value
+
+      unauth_url = Spid::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
+      inflated = decode_saml_request_payload(unauth_url)
+
+      assert_match /<saml:NameID/, inflated
+      assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
+    end
+
+    context "when the target url doesn't contain a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = Spid::Saml::Settings.new
+        settings.idp_slo_target_url = "http://example.com"
+
+        unauth_url = Spid::Saml::Logoutrequest.new.create(settings)
+        assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
+      end
+    end
+
+    context "when the target url contains a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = Spid::Saml::Settings.new
+        settings.idp_slo_target_url = "http://example.com?field=value"
+
+        unauth_url = Spid::Saml::Logoutrequest.new.create(settings)
+        assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
+      end
+    end
+
+    context "consumation of logout may need to track the transaction" do
+      should "have access to the request uuid" do
+        settings = Spid::Saml::Settings.new
+        settings.idp_slo_target_url = "http://example.com?field=value"
+
+        unauth_req = Spid::Saml::Logoutrequest.new
+        unauth_url = unauth_req.create(settings)
+
+        inflated = decode_saml_request_payload(unauth_url)
+        assert_match %r[ID='#{unauth_req.uuid}'], inflated
+      end
+    end
+  end
+
+  def decode_saml_request_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
+    decoded = Base64.decode64(payload)
+
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
+
+end

data/test/request_test.rb

@@ -0,0 +1,53 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class RequestTest < Test::Unit::TestCase
+
+  context "Authrequest" do
+    should "create the deflated SAMLRequest URL parameter" do
+      settings = Spid::Saml::Settings.new
+      settings.idp_sso_target_url = "http://example.com"
+      auth_url = Spid::Saml::Authrequest.new.create(settings)
+      assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+
+      assert_match /^<samlp:AuthnRequest/, inflated
+    end
+
+    should "accept extra parameters" do
+      settings = Spid::Saml::Settings.new
+      settings.idp_sso_target_url = "http://example.com"
+
+      auth_url = Spid::Saml::Authrequest.new.create(settings, { :hello => "there" })
+      assert auth_url =~ /&hello=there$/
+
+      auth_url = Spid::Saml::Authrequest.new.create(settings, { :hello => nil })
+      assert auth_url =~ /&hello=$/
+    end
+
+    context "when the target url doesn't contain a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = Spid::Saml::Settings.new
+        settings.idp_sso_target_url = "http://example.com"
+  
+        auth_url = Spid::Saml::Authrequest.new.create(settings)
+        assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
+      end
+    end
+
+    context "when the target url contains a query string" do
+      should "create the SAMLRequest parameter correctly" do
+        settings = Spid::Saml::Settings.new
+        settings.idp_sso_target_url = "http://example.com?field=value"
+  
+        auth_url = Spid::Saml::Authrequest.new.create(settings)
+        assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
+      end
+    end
+  end
+end