spid-es 0.0.7 → 0.0.8

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    N2NhNjg3NDRlNGYxYTcyYzk4MzRmZGUyOGRmNTE2ZjE4NDc2MDYyMg==
+    MDMxZWQyMjdjMjFjMjRjNWQyODI3ZjgzNWUzZDMyOWEzNTJmYzM5ZA==
   data.tar.gz: !binary |-
-    OTBjMTI4YzdmNTkyMzQ3NDYwMzlhZDk2NTczNWExMWVkYWYzMmZhZg==
+    M2FkYzdiYzU5NThkNDA1ODM2MzVmMThmMmY4MTY0MTEwZDg0ZmRjNA==
 SHA512:
   metadata.gz: !binary |-
-    ZTg4OTVhZjliMTA3YTBlY2ZhODI1YWIwZjQ2NTdjNjk5NzczZTdhODM3ZWJm
-    Nzc2OGJiZGJlZmJhZmUzNDUxZWU2ZWYxZDE1NjdiMjUwYmVhMjdkZGEwNWRj
-    MDlmZWM2OTk2Y2UzODg5ODBjMDMzYjAyOGQyYjIxMGE1NjI5MzY=
+    ZGExNjg1YTM2NGQ0ZjkzOTk2ZjM0MDBkYWI2MjRhMzg5OTFjOWQ2YjY1ZDM0
+    OTY3NjVlMDg0NTIxNTlkMGQ3MTk0YWM2ZjA2N2Y5ZjMwMjIzYWQzMzZkMzgz
+    NWMxNjljODczY2JhMzRkZGVkM2JjZTBkMjMxOTkzMzhjODJiMTE=
   data.tar.gz: !binary |-
-    NjkzMGNhNjdhMjg0NjZhZjk5ZGY5MjEzZmIwZTdkYzNjMjZhNjU0MjMzN2I4
-    ZTBmNzQwYWJiNDczMmUwNDdiN2M2Nzk3NDJiY2I2YzIwYjk0MDI1NDlhYTE2
-    ZDdkOTM2YWE1ZmE5NTk0ODJhMTM0Y2VhN2JkODUzMTQ5Mzc3YzY=
+    NjcwYzc5NTcwOGQyMzRkMTI4Y2E5ZDZlMmJmZjJhNzA4OWE2YjgzZDEwMzg0
+    NmE1OThiNDc4MzIxMzM2MTJiNmYwZTE4ZWNkNjdlNDA5Y2M0MTE5NDhiODI2
+    ZWU5NzA3ZjM2MjJmNmJhYzc2Yjg4MmQ2ZTlkMGMzYWUyMWNmMDI=

data/README.md

@@ -1,94 +1,109 @@
 # SPID Euro Servizi
 
-The Ruby SAML Spid library is a fork of Ruby SAML and it is used for implementing the client side of a SAML authorization, initialization and confirmation requests
-with SPID.
+La libreria è un fork della libreria Ruby SAML e serve per l'integrazione di un client (Service Provider) con l'autenticazione SPID (Sistema Pubblico di Identità Digitale)
+Utilizza lo standard SAML 2 come previsto dalla normativa (Regole tecniche v1. http://www.agid.gov.it/sites/default/files/circolari/spid-regole_tecniche_v1.pdf)
 
 
-## The initialization phase
+## Fase iniziale
 
-This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this:
+Azione di partenza in cui viene creata la request da inviare all'idp e viene fatto un redirect all'identity provider.
 
 ```ruby
     def init
-        #your login with Spid method..
+        #creo un istanza di Spid::Saml::Authrequest
+        saml_settings = get_saml_settings
         #create an instance of Spid::Saml::Authrequest
-        request = Spid::Saml::Authrequest.new(get_saml_settings)
+        request = Spid::Saml::Authrequest.new(saml_settings)
         auth_request = request.create
         # Based on the IdP metadata, select the appropriate binding 
         # and return the action to perform to the controller
-        meta = Spid::Saml::Metadata.new(get_saml_settings)
+        meta = Spid::Saml::Metadata.new(saml_settings)
         signature = get_signature(auth_request.uuid,auth_request.request,"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
-        redirect meta.create_sso_request( auth_request.request, {   :RelayState   => request.uuid,
-                                                                  :SigAlg       => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-                                                                  :Signature    => signature
-                                                              } )
+        sso_request = meta.create_sso_request( auth_request.request, {  :RelayState   => request.uuid,
+                                                                        :SigAlg       => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+                                                                        :Signature    => signature } )
+        redirect_to sso_request
     end
 
-    
+```
+## Generazione della firma
+
+```ruby
     def get_signature(relayState, request, sigAlg)
-        #url encode of relayState
+        #url encode relayState
         relayState_encoded = escape(relayState)
-        
-        #deflate and base64 of samlrequest
+        #deflate e base64 della samlrequest
         deflate_request_B64 = encode(deflate(request))
-        
-        #url encode of samlrequest
+        #url encode della samlrequest
         deflate_request_B64_encoded = escape(deflate_request_B64)
-        
-        #url encode of sigAlg
+        #url encode della sigAlg
         sigAlg_encoded = escape(sigAlg)
-        
         querystring="SAMLRequest=#{deflate_request_B64_encoded}&RelayState=#{relayState_encoded}&SigAlg=#{sigAlg_encoded}"
-        digest = OpenSSL::Digest::SHA1.new(querystring.strip)  
-        pk = OpenSSL::PKey::RSA.new File.read(File.join("path.of.cert.pem"))
+        #puts "**QUERYSTRING** = "+querystring
+        digest = OpenSSL::Digest::SHA256.new(querystring.strip) #sha2 a 256
+        chiave_privata = xxxxxx  #path della chiave privata con cui firmare 
+        pk = OpenSSL::PKey::RSA.new File.read(chiave_privata) #chiave privata
         qssigned = pk.sign(digest,querystring.strip)
         Base64.encode64(qssigned).gsub(/\n/, "")
-    end 
+    end
 ```
 
 
-Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption, this is can look something like this (the authorize_success and authorize_failure methods are specific to your application):
+Questo metodo è l'endpoint impostato a livello di metadata del service provider come 'assertion consumer', riceve la response saml con i dati di registrazione fatta su SPID dagli utenti. 
 
 ```ruby
-    def consume
-        #your assertion_consumer method...
+    def assertion_consumer
+        #id dell' idp che manda response (es: 'infocert','poste')
+        provider_id = @request.params['ProviderID']
+        #response saml inviata dall'idp
         saml_response = @request.params['SAMLResponse'] 
         if !saml_response.nil? 
-          #read the settings
-          settings = get_saml_settings
-          #create an instance of response
-          response = Spid::Saml::Response.new(saml_response)
-          response.settings = settings
-
-          #validation of response
-          if response.is_valid? 
-            authorize_success(response.attributes)
-          else
-            authorize_failure(response.attributes)
-          end
+            #assegno i settaggi
+            settings = get_saml_settings
+            #creo un oggetto response
+            response = Spid::Saml::Response.new(saml_response)
+            #assegno alla response i settaggi
+            response.settings = settings
+            #estraggo dal Base64 l'xml
+            saml_response_dec = Base64.decode64(saml_response)
+            #puts "**SAML RESPONSE DECODIFICATA: #{saml_response_dec}"
+
+            #validation of response
+            if response.is_valid? 
+                attributi_utente = response.attributes
+                ...
+            else
+                #autenticazione fallita!
+            end
       end
     end  
 ```
 
-In the above there are a few assumptions in place, one being that the response.name_id is an email address. This is all handled with how you specify the settings that are in play via the saml_settings method. That could be implemented along the lines of this:
+Questo metodo va a impostare le varie configurazioni che servono per connettersi ad un idp. ( NB: nel caso di SPID ci sono vari idp (Poste, TIM, Info Cert) ) 
 
 ```ruby
     def get_saml_settings  
         settings = Spid::Saml::Settings.new
-        settings.assertion_consumer_service_url     = ...String, url of your assertion consumer.
-        settings.issuer                             = ...String, host of your service provider or metadata url.
-        settings.sp_cert                            = ...String, path of your cert.pem.
-        settings.single_logout_service_url          = ...String, url of idp logout service'.
-        settings.sp_name_qualifier                  = ...String, name qualifier of service processor  (like your metadata url).
-        settings.idp_name_qualifier                 = ...String, name qualifier of identity provider (idp metadata).
-        settings.name_identifier_format             = ...Array, format names ( ["urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] ).
-        settings.destination_service_url            = ...String, url of proxy for single sign on (in Idp).
-        settings.single_logout_destination          = ...String, url of logout request. 
-        settings.authn_context                      = ...Array, types of permissions allowed (["urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]).
-        settings.requester_identificator            = ...unique id of your service provider domain.
-        settings.skip_validation                    = ...Bool, skip validation of assertion or response (false).
-        settings.idp_sso_target_url                 = ...String, url of idp sso proxy ("https://federatest.lepida.it/gw/SSOProxy/SAML2").
-        settings.idp_metadata                       = ...String, url of idp metadata ("https://federatest.lepida.it/gw/metadata").
+        settings.assertion_consumer_service_url    #= ...String, url dell' assertion consumer al quale arriva la response dell' idp.
+        settings.issuer                            #= ...String, host del service provider o url dei metadata.
+        settings.sp_cert                           #= ...String, path del certificato pubblico in formato pem.
+        settings.sp_private_key                    #= ...String, path della chiave privata in formato pem.
+        settings.single_logout_service_url         #= ...String, url del servizio di logout dell'idp.
+        settings.sp_name_qualifier                 #= ...String, nome qualificato del service provider o url dei metadata.
+        settings.idp_name_qualifier                #= ...String, nome qualificato dell' identity provider o url dei metadata dell' idp.
+        settings.name_identifier_format            #= ...Array, formato di nomi ( impostare: ["urn:oasis:names:tc:SAML:2.0:nameid-format:transient"] ).
+        settings.destination_service_url           #= ...String, url del servizio per l'identity provider, usato come proxy per il sso.
+        settings.single_logout_destination         #= ...String, url di destinazione per la request logout. 
+        settings.authn_context                     #= ...Array, tipi di autorizzazioni permesse (impostare: ["urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", 
+                                                                "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]).
+        settings.requester_identificator           #= ...Array con id dei richiedenti (non usato).
+        settings.skip_validation                   #= ...Bool, imposta se evitare la validazione della response o delle asserzioni (false).
+        settings.idp_sso_target_url                #= ...String, url target del sso dell' identity provider.
+        settings.idp_metadata                      #= ...String, url dei metadata dell' idp.
+        settings.requested_attribute               #= ...Array, contiene i nomi dei campi richiesti dal servizio nei metadata.
+        settings.metadata_signed                   #= ...String, imposta se firmare i metadata.
+        settings.organization                      #= ...Hash, contiene nome breve (org_name), nome esteso (org_display_name) e url (org_url) 
+                                                               dell' organizzazione fornitore di servizi.
         settings
     end  
 ```
@@ -97,28 +112,16 @@ In the above there are a few assumptions in place, one being that the response.n
 
 ## Service Provider Metadata
 
-To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML
-to the IdP for various good reasons.  (Caching, certificate lookups, relying party permissions, etc)
-
-The class Onelogin::Saml::Metdata takes care of this by reading the Settings and returning XML.  All
-you have to do is add a controller to return the data, then give this URL to the IdP administrator.
-The metdata will be polled by the IdP every few minutes, so updating your settings should propagate
-to the IdP settings.
+Per una relazione sicura con l'idp, il Service Provider deve fornire i metadata in formato xml.
+La classe Spid::Saml::Metadata legge i settaggi e fornisce l'xml richiesto dagli idp.
 
 ```ruby
-  class SamlController < ApplicationController
-    # ... the rest of your controller definitions ...
-    def metadata
-      meta = Spid::Saml::Metadata.new
-      settings = get_saml_settings
-      render :xml => meta.generate(settings)
+    def sp_metadata
+        settings = get_saml_settings
+        meta = Spid::Saml::Metadata.new
+        
+        @response.headers['Content-Type'] = 'application/samlmetadata+xml'
+        $out << meta.generate(settings)
     end
-  end
 ```
 
-## Note on Patches/Pull Requests
-
-* Fork the project.
-* Make your feature addition or bug fix.
-* Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
-* Send me a pull request.

data/lib/spid/ruby-saml/authrequest.rb

@@ -27,30 +27,33 @@ module Spid::Saml
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
       self.issue_instant = time
       # Create AuthnRequest root element using REXML 
-      request_doc = REXML::Document.new
+      request_doc = Spid::XMLSecurityNew::Document.new
       request_doc.context[:attribute_quote] = :quote
-      root = request_doc.add_element "saml2p:AuthnRequest", { "xmlns:saml2p" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+      root = request_doc.add_element "saml2p:AuthnRequest", { "xmlns:saml2p" => "urn:oasis:names:tc:SAML:2.0:protocol", 
+                                                              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+                                                             }
       root.attributes['ID'] = uuid
       root.attributes['IssueInstant'] = time
       root.attributes['Version'] = "2.0"
-      root.attributes['ProtocolBinding'] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-      root.attributes['AttributeConsumingServiceIndex'] = "1"
-      root.attributes['ForceAuthn'] = "false"
+      #root.attributes['ProtocolBinding'] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      root.attributes['AttributeConsumingServiceIndex'] = "0"
+      root.attributes['ForceAuthn'] = "true"
       #root.attributes['IsPassive'] = "false"
       #usato AssertionConsumerServiceURL e ProtocolBinding in alternativa, pag 8 regole tecniche
-      #root.attributes['AssertionConsumerServiceIndex'] = 1
+      root.attributes['AssertionConsumerServiceIndex'] = "0"
 
-      # Conditionally defined elements based on settings
-      if @settings.assertion_consumer_service_url != nil
-        root.attributes["AssertionConsumerServiceURL"] = @settings.assertion_consumer_service_url
-      end
+      #Tolto, utilizzo AssertionConsumerServiceIndex
+      # # Conditionally defined elements based on settings
+      # if @settings.assertion_consumer_service_url != nil
+      #   root.attributes["AssertionConsumerServiceURL"] = @settings.assertion_consumer_service_url
+      # end
 
        if @settings.destination_service_url != nil
         root.attributes["Destination"] = @settings.destination_service_url
       end
 
       if @settings.issuer != nil
-        issuer = root.add_element "saml2:Issuer", { "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        issuer = root.add_element "saml:Issuer"
         issuer.attributes['NameQualifier'] =  @settings.issuer
         issuer.attributes['Format'] =  "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
         issuer.text = @settings.issuer
@@ -58,8 +61,8 @@ module Spid::Saml
 
       #opzionale
       if @settings.sp_name_qualifier != nil
-        subject = root.add_element "saml2:Subject", { "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
-        name_id = subject.add_element "saml2:NameID", { "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        subject = root.add_element "saml:Subject"
+        name_id = subject.add_element "saml:NameID"
         name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
         name_id.attributes['NameQualifier'] = @settings.sp_name_qualifier
       end
@@ -70,8 +73,7 @@ module Spid::Saml
         root.add_element "saml2p:NameIDPolicy", { 
             # Might want to make AllowCreate a setting?
             #{}"AllowCreate"     => "true",
-            "Format"          => @settings.name_identifier_format[1],
-            "SPNameQualifier" => @settings.sp_name_qualifier
+            "Format"          => @settings.name_identifier_format[0]
         }
       end
 
@@ -80,13 +82,11 @@ module Spid::Saml
       # the IdP will choose default rules for authentication.  (Shibboleth IdP)
       if @settings.authn_context != nil
         requested_context = root.add_element "saml2p:RequestedAuthnContext", { 
-          "Comparison" => "exact"
+          "Comparison" => "minimum"
         }
         context_class = []
         @settings.authn_context.each_with_index{ |context, index|
-          context_class[index] = requested_context.add_element "saml2:AuthnContextClassRef", {
-            "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion"
-          }
+          context_class[index] = requested_context.add_element "saml:AuthnContextClassRef"
           context_class[index].text = context
         }
         
@@ -104,13 +104,20 @@ module Spid::Saml
         
       end
 
-      request_doc << REXML::XMLDecl.new(version='1.0', encoding='UTF-8')
-      ret = ""
-      # pretty print the XML so IdP administrators can easily see what the SP supports
-      request_doc.write(ret, 1)
-
-      @request = ""
-      request_doc.write(@request)
+      request_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+      
+      #LA FIRMA VA MESSA SOLO NEL CASO CON HTTP POST
+      # cert = @settings.get_sp_cert
+      #   # embed signature
+      #   if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+      #     private_key = @settings.get_sp_key
+      #     request_doc.sign_document(private_key, cert)
+      #   end
+
+      # stampo come stringa semplice i metadata per non avere problemi con validazione firma
+      #ret = request_doc.to_s
+
+      @request = request_doc.to_s
 
       #Logging.debug "Created AuthnRequest: #{@request}"
 

data/lib/spid/ruby-saml/logout_request.rb

@@ -22,12 +22,12 @@ module Spid::Saml
       # The IdP sent us a LogoutRequest (IdP initiated SLO)
       else
         begin
-          @request = XMLSecurity::SignedDocument.new( decode( opt[:request] ))
+          @request = Spid::XMLSecurity::SignedDocument.new( decode( opt[:request] ))
           raise if @request.nil?
           raise if @request.root.nil?
           raise if @request.root.namespace != PROTOCOL
         rescue
-          @request = XMLSecurity::SignedDocument.new( inflate( decode( opt[:request] ) ) )
+          @request = Spid::XMLSecurity::SignedDocument.new( inflate( decode( opt[:request] ) ) )
         end
         Logging.debug "LogoutRequest is: \n#{@request}"
       end 

data/lib/spid/ruby-saml/logout_response.rb

@@ -16,7 +16,7 @@ module Spid
 			# We've recieved a LogoutResponse from the IdP 
 			if opt[:response]
 				begin
-					@response = XMLSecurity::SignedDocument.new(decode( opt[:response] ))
+					@response = Spid::XMLSecurity::SignedDocument.new(decode( opt[:response] ))
 					# Check to see if we have a root tag using the "protocol" namespace.
 					# If not, it means this is deflated text and we need to raise to 
 					# the rescue below
@@ -25,7 +25,7 @@ module Spid
 						raise if @response.root.namespace != PROTOCOL
 					document
 				rescue
-					@response = XMLSecurity::SignedDocument.new( inflate(decode( opt[:response] ) ) )
+					@response = Spid::XMLSecurity::SignedDocument.new( inflate(decode( opt[:response] ) ) )
 				end
 			end
 			# We plan to create() a new LogoutResponse

data/lib/spid/ruby-saml/metadata.rb

@@ -4,7 +4,7 @@ require "net/https"
 require "uri"
 require "digest/md5"
 require "nokogiri"
-require "xml_security_new" #fa il require della nokogiri
+require_relative "../xml_security_new" #fa il require della nokogiri
 require "uuid"
 
 # Class to return SP metadata based on the settings requested.
@@ -30,7 +30,7 @@ module Spid
 
       def generate(settings)
         #meta_doc = REXML::Document.new
-        meta_doc = ::XMLSecurityNew::Document.new
+        meta_doc = Spid::XMLSecurityNew::Document.new
         root = meta_doc.add_element "md:EntityDescriptor", { 
             "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
             "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace"
@@ -227,31 +227,32 @@ module Spid
       def binding_select(service)
         # first check if we're still using the old hard coded method for 
         # backwards compatability
-        if service == "SingleSignOnService" && @settings.idp_metadata == nil && @settings.idp_sso_target_url != nil
+        if service == "SingleSignOnService" && @settings.idp_sso_target_url != nil
             return @settings.idp_sso_target_url
         end
-        if service == "SingleLogoutService" && @settings.idp_metadata == nil && @settings.idp_slo_target_url != nil
+        if service == "SingleLogoutService" && @settings.idp_slo_target_url != nil
             return  @settings.idp_slo_target_url
         end
         
         meta_doc = get_idp_metadata
         
         return nil unless meta_doc
-        # first try POST
-        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_POST}']")
+        # first try GET (REDIRECT)
+        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
         if !sso_element.nil? 
           @URL = sso_element.attributes["Location"]
-          #Logging.debug "binding_select: POST to #{@URL}"
+          Logging.debug "binding_select: GET from #{@URL}"
           return @URL
         end
-        
-        # next try GET
-        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
+                
+        # next try post
+        sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_POST}']")
         if !sso_element.nil? 
           @URL = sso_element.attributes["Location"]
-          Logging.debug "binding_select: GET from #{@URL}"
+          #Logging.debug "binding_select: POST to #{@URL}"
           return @URL
         end
+
         # other types we might want to add in the future:  SOAP, Artifact
       end
 

data/lib/spid/ruby-saml/response.rb

@@ -1,4 +1,4 @@
-require "xml_security"
+require_relative "../xml_security_new"
 require "time"
 require "nokogiri"
 require "base64"
@@ -21,10 +21,10 @@ module Spid
         self.options  = options
         self.response = response
         begin
-          self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+          self.document = Spid::XMLSecurityNew::SignedDocument.new(Base64.decode64(response))
         rescue REXML::ParseException => e
           if response =~ /</
-            self.document = XMLSecurity::SignedDocument.new(response)
+            self.document = Spid::XMLSecurityNew::SignedDocument.new(response)
           else
             raise e
           end
@@ -95,6 +95,10 @@ module Spid
         end
       end
 
+      
+
+      #metodi per ricavare info per tracciatura agid
+
       def issuer
         @issuer ||= begin
           node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
@@ -103,6 +107,40 @@ module Spid
         end
       end
 
+      def response_to_id
+        node = REXML::XPath.first(document, "/p:Response", { "p" => PROTOCOL })
+        return  node.attributes["InResponseTo"]
+      end
+
+      def id
+        node = REXML::XPath.first(document, "/p:Response", { "p" => PROTOCOL })
+        return  node.attributes["ID"]
+      end
+
+      def issue_instant
+        node = REXML::XPath.first(document, "/p:Response", { "p" => PROTOCOL })
+        return  node.attributes["IssueInstant"]
+      end
+
+      def assertion_id
+        node = REXML::XPath.first(document, "/p:Response/a:Assertion/", { "p" => PROTOCOL, "a" => ASSERTION  })
+        return  node.attributes["ID"]
+      end
+
+      def assertion_subject
+        node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION  })
+        return  node.text
+      end
+
+      def assertion_subject_name_qualifier
+        node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION  })
+        return  node.attributes["NameQualifier"]
+      end
+
+     
+
+
+
       private
 
       def validation_error(message)
@@ -113,7 +151,7 @@ module Spid
         # prime the IdP metadata before the document validation. 
         # The idp_cert needs to be populated before the validate_response_state method
         
-        if settings 
+        if settings
           Spid::Saml::Metadata.new(settings).get_idp_metadata
         end
           return false if validate_structure(soft) == false
@@ -125,7 +163,7 @@ module Spid
         return true if settings.skip_validation == true
         
         # document.validte populates the idp_cert
-          return false if document.validate(get_fingerprint, soft) == false
+        return false if document.validate_document(get_fingerprint, soft) == false
         
         # validate response code
         return false if success? == false  
@@ -163,10 +201,12 @@ module Spid
       end
 
       def get_fingerprint
+        idp_metadata = Spid::Saml::Metadata.new(settings).get_idp_metadata
+        
         if settings.idp_cert
           cert_text = Base64.decode64(settings.idp_cert)
           cert = OpenSSL::X509::Certificate.new(cert_text)
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
         else
           settings.idp_cert_fingerprint
         end

data/lib/spid/ruby-saml/settings.rb

@@ -1,4 +1,4 @@
-require "xml_security_new"
+require_relative "../xml_security_new"
 
 module Spid
   module Saml
@@ -30,7 +30,7 @@ module Spid
         idp_cert_fingerprint || begin
           idp_cert = get_idp_cert
           if idp_cert
-            fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(idp_cert_fingerprint_algorithm).new
+            fingerprint_alg = Spid::XMLSecurity::BaseDocument.new.algorithm(idp_cert_fingerprint_algorithm).new
             fingerprint_alg.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
           end
         end

data/lib/spid/ruby-saml/utils.rb

@@ -77,7 +77,7 @@ module Spid
       #
       def self.verify_signature(params)
         cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
-        signature_algorithm = XMLSecurityNew::BaseDocument.new.algorithm(sig_alg)
+        signature_algorithm = Spid::XMLSecurityNew::BaseDocument.new.algorithm(sig_alg)
         return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
       end