diff --git a/Gemfile b/Gemfile
index ad4a603fca53876262a74d569278219b49c43af1..63fe1c2472f222c53a2d3c7acb6cd3e48e94ab80 100644
--- a/Gemfile
+++ b/Gemfile
@@ -95,7 +95,7 @@ gem 'doorkeeper', '~> 5.8', '>= 5.8.1', feature_category: :system_access
gem 'doorkeeper-openid_connect', '~> 1.8.10', feature_category: :system_access
gem 'doorkeeper-device_authorization_grant', '~> 1.0.0', feature_category: :system_access
gem 'rexml', '~> 3.4.0', feature_category: :shared
-gem 'ruby-saml', '~> 1.17.0', feature_category: :system_access
+gem 'ruby-saml', '~> 1.18.0', path: 'vendor/gems/ruby-saml', feature_category: :system_access
gem 'omniauth', '~> 2.1.0', feature_category: :system_access
gem 'omniauth-auth0', '~> 3.1', feature_category: :system_access
gem 'omniauth-azure-activedirectory-v2', '~> 2.0', feature_category: :system_access
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 875d5a41d89f7c6f55618fc84b0f6e9ad6d57f05..026d86f89e69ec9cf315def5c173ce9bfafe1bf8 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -640,7 +640,6 @@
{"name":"ruby-magic","version":"0.6.0","platform":"ruby","checksum":"7b2138877b7d23aff812c95564eba6473b74b815ef85beb0eb792e729a2b6101"},
{"name":"ruby-openai","version":"3.7.0","platform":"ruby","checksum":"fb735d4c055e282ade264cab9864944c05a8a10e0cddd45a0551e8a9851b1850"},
{"name":"ruby-progressbar","version":"1.11.0","platform":"ruby","checksum":"cc127db3866dc414ffccbf92928a241e585b3aa2b758a5563e74a6ee0f57d50a"},
-{"name":"ruby-saml","version":"1.17.0","platform":"ruby","checksum":"0419839ba3312d255e35fe3cc7ae155e4a241fd468796caebcf61164aa01b8a9"},
{"name":"ruby-statistics","version":"4.1.0","platform":"ruby","checksum":"7d697abd5dc4e6141d21ecb4165482807564f11bbe154cf1c60a2677b507f2a9"},
{"name":"ruby2_keywords","version":"0.0.5","platform":"ruby","checksum":"ffd13740c573b7301cf7a2e61fc857b2a8e3d3aff32545d6f8300d8bae10e3ef"},
{"name":"rubyntlm","version":"0.6.3","platform":"ruby","checksum":"5b321456dba3130351f7451f8669f1afa83a0d26fd63cdec285b7b88e667102d"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 5e9f8650e68cf9bec4bdbb725d4125862dc5f503..529daff322c7f774a5af47d381a84a2b7c50da15 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -206,6 +206,13 @@ PATH
nokogiri (>= 1.4.4)
omniauth (~> 2.0)
+PATH
+ remote: vendor/gems/ruby-saml
+ specs:
+ ruby-saml (1.18.0)
+ nokogiri (>= 1.13.10)
+ rexml
+
PATH
remote: vendor/gems/sidekiq-7.2.4
specs:
@@ -1707,9 +1714,6 @@ GEM
ruby-openai (3.7.0)
httparty (>= 0.18.1)
ruby-progressbar (1.11.0)
- ruby-saml (1.17.0)
- nokogiri (>= 1.13.10)
- rexml
ruby-statistics (4.1.0)
ruby2_keywords (0.0.5)
rubyntlm (0.6.3)
@@ -2304,7 +2308,7 @@ DEPENDENCIES
ruby-magic (~> 0.6)
ruby-openai (~> 3.7)
ruby-progressbar (~> 1.10)
- ruby-saml (~> 1.17.0)
+ ruby-saml (~> 1.18.0)!
rubyzip (~> 2.3.2)
rugged (~> 1.6)
sanitize (~> 6.0.2)
diff --git a/Gemfile.next.checksum b/Gemfile.next.checksum
index f7f4c13212a96a5d0fa698a00c51b7c69c2ef2ad..b744a7206d0d0cf0fc3fd0bad63631f6d5f018a4 100644
--- a/Gemfile.next.checksum
+++ b/Gemfile.next.checksum
@@ -650,7 +650,6 @@
{"name":"ruby-magic","version":"0.6.0","platform":"ruby","checksum":"7b2138877b7d23aff812c95564eba6473b74b815ef85beb0eb792e729a2b6101"},
{"name":"ruby-openai","version":"3.7.0","platform":"ruby","checksum":"fb735d4c055e282ade264cab9864944c05a8a10e0cddd45a0551e8a9851b1850"},
{"name":"ruby-progressbar","version":"1.11.0","platform":"ruby","checksum":"cc127db3866dc414ffccbf92928a241e585b3aa2b758a5563e74a6ee0f57d50a"},
-{"name":"ruby-saml","version":"1.17.0","platform":"ruby","checksum":"0419839ba3312d255e35fe3cc7ae155e4a241fd468796caebcf61164aa01b8a9"},
{"name":"ruby-statistics","version":"4.1.0","platform":"ruby","checksum":"7d697abd5dc4e6141d21ecb4165482807564f11bbe154cf1c60a2677b507f2a9"},
{"name":"ruby2_keywords","version":"0.0.5","platform":"ruby","checksum":"ffd13740c573b7301cf7a2e61fc857b2a8e3d3aff32545d6f8300d8bae10e3ef"},
{"name":"rubyntlm","version":"0.6.3","platform":"ruby","checksum":"5b321456dba3130351f7451f8669f1afa83a0d26fd63cdec285b7b88e667102d"},
diff --git a/Gemfile.next.lock b/Gemfile.next.lock
index b67291f9e0f707ae7cc3ec9efacd78b5d3e4bbea..d2beca30bd53a937bbe112dd5d93c15da734a7c7 100644
--- a/Gemfile.next.lock
+++ b/Gemfile.next.lock
@@ -206,6 +206,13 @@ PATH
nokogiri (>= 1.4.4)
omniauth (~> 2.0)
+PATH
+ remote: vendor/gems/ruby-saml
+ specs:
+ ruby-saml (1.18.0)
+ nokogiri (>= 1.13.10)
+ rexml
+
PATH
remote: vendor/gems/sidekiq-7.2.4
specs:
@@ -1739,9 +1746,6 @@ GEM
ruby-openai (3.7.0)
httparty (>= 0.18.1)
ruby-progressbar (1.11.0)
- ruby-saml (1.17.0)
- nokogiri (>= 1.13.10)
- rexml
ruby-statistics (4.1.0)
ruby2_keywords (0.0.5)
rubyntlm (0.6.3)
@@ -2338,7 +2342,7 @@ DEPENDENCIES
ruby-magic (~> 0.6)
ruby-openai (~> 3.7)
ruby-progressbar (~> 1.10)
- ruby-saml (~> 1.17.0)
+ ruby-saml (~> 1.18.0)!
rubyzip (~> 2.3.2)
rugged (~> 1.6)
sanitize (~> 6.0.2)
diff --git a/spec/dependencies/omniauth_saml_spec.rb b/spec/dependencies/omniauth_saml_spec.rb
index cd73a598b327393620cf6544eaeff5ed9c68ffdb..ace25c72e678740211e350597b312a10ba6e1347 100644
--- a/spec/dependencies/omniauth_saml_spec.rb
+++ b/spec/dependencies/omniauth_saml_spec.rb
@@ -7,7 +7,7 @@
let(:mock_saml_response) { File.read('spec/fixtures/authentication/saml_response.xml') }
let(:saml_strategy) { OmniAuth::Strategies::SAML.new({}) }
let(:session_mock) { {} }
- let(:settings) { double('settings', { soft: false, idp_cert_fingerprint: 'something' }) }
+ let(:settings) { double('settings', { soft: false, idp_cert_fingerprint: 'something', check_malformed_doc: true }) }
let(:auth_hash) { Gitlab::Auth::Saml::AuthHash.new(saml_strategy) }
subject { auth_hash.authn_context }
diff --git a/vendor/gems/ruby-saml/.document b/vendor/gems/ruby-saml/.document
new file mode 100644
index 0000000000000000000000000000000000000000..ecf3673194b8b6963488dabc93d5f16fea93c5e9
--- /dev/null
+++ b/vendor/gems/ruby-saml/.document
@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE
diff --git a/vendor/gems/ruby-saml/CHANGELOG.md b/vendor/gems/ruby-saml/CHANGELOG.md
new file mode 100644
index 0000000000000000000000000000000000000000..7bb3be736b28290dead53db376931e6208a7f48b
--- /dev/null
+++ b/vendor/gems/ruby-saml/CHANGELOG.md
@@ -0,0 +1,305 @@
+# Ruby SAML Changelog
+
+### 1.18.0 (???)
+* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
+* [#720](https://github.com/SAML-Toolkits/ruby-saml/pull/720) Fix ambiguous regex warnings
+* [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in SPNameQualifier error text
+
+### 1.17.0 (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+* [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Deprecate `Settings#certificate_new` parameter.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` will use the first non-expired certificate/key when signing/decrypting. It will raise an error only if there are no valid certificates/keys.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now validates the certificate `not_before` condition; previously it was only validating `not_after`.
+* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now causes the generated SP metadata to exclude any inactive/expired certificates.
+
+### 1.16.0 (Oct 09, 2023)
+* [#671](https://github.com/SAML-Toolkits/ruby-saml/pull/671) Add support on LogoutRequest with Encrypted NameID
+
+### 1.15.0 (Jan 04, 2023)
+* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
+* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
+* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support `Settings#idp_cert_multi` with string keys
+* [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
+* Add info about new repo, new maintainer, new security contact
+* Fix tests, Adjust dependencies, Add ruby 3.2 and new jruby versions tests to the CI. Add coveralls support
+
+### 1.14.0 (Feb 01, 2022)
+* [#627](https://github.com/onelogin/ruby-saml/pull/627) Support escape downcasing for validating SLO Signatures of ADFS/Azure
+* [#633](https://github.com/onelogin/ruby-saml/pull/633) Support ability to change ID prefix
+* Make the uuid editable on the SAML Messages generated by the toolkit
+* [#622](https://github.com/onelogin/ruby-saml/pull/622) Add security setting to more strictly enforce audience validation
+
+### 1.13.0 (Sept 06, 2021)
+* [#611](https://github.com/onelogin/ruby-saml/pull/601) Replace MAX_BYTE_SIZE constant with setting: message_max_bytesize
+* [#605](https://github.com/onelogin/ruby-saml/pull/605) :allowed_clock_drift is now bidrectional
+* [#614](https://github.com/onelogin/ruby-saml/pull/614) Support :name_id_format option for IdpMetadataParser
+* [#611](https://github.com/onelogin/ruby-saml/pull/611) IdpMetadataParser should always set idp_cert_multi, even when there is only one cert
+* [#610](https://github.com/onelogin/ruby-saml/pull/610) New IDP sso/slo binding params which deprecate :embed_sign
+* [#602](https://github.com/onelogin/ruby-saml/pull/602) Refactor the OneLogin::RubySaml::Metadata class
+* [#586](https://github.com/onelogin/ruby-saml/pull/586) Support milliseconds in cacheDuration parsing
+* [#585](https://github.com/onelogin/ruby-saml/pull/585) Do not append " | " to StatusCode unnecessarily
+* [#607](https://github.com/onelogin/ruby-saml/pull/607) Clean up
+* Add warning about the use of IdpMetadataParser class and SSRF
+* CI: Migrate from Travis to Github Actions
+
+### 1.12.3 (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
+### 1.12.2 (Apr 08, 2021)
+* [#575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
+
+### 1.12.1 (Apr 05, 2021)
+* Fix XPath typo incompatible with Rexml 3.2.5
+* Refactor GCM support
+
+### 1.12.0 (Feb 18, 2021)
+* Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
+* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
+* Adding idp_sso_service_url and idp_slo_service_url settings
+* [#536](https://github.com/onelogin/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
+* Reduce size of built gem by excluding the test folder
+* Improve protection on Zlib deflate decompression bomb attack.
+* Add ValidUntil and cacheDuration support on Metadata generator
+* Add support for cacheDuration at the IdpMetadataParser
+* Support customizable statusCode on generated LogoutResponse
+* [#545](https://github.com/onelogin/ruby-saml/pull/545) More specific error messages for signature validation
+* Support Process Transform
+* Raise SettingError if invoking an action with no endpoint defined on the settings
+* Made IdpMetadataParser more extensible for subclasses
+* [#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
+* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
+* Improve documentation
+
+### 1.11.0 (Jul 24, 2019)
+
+* Deprecate settings.issuer in favor of settings.sp_entity_id
+* Add support for certification expiration
+
+### 1.10.2 (Apr 29, 2019)
+
+* Add valid until, accessor
+* Fix Rubygem metadata that requested nokogiri <= 1.5.11
+
+### 1.10.1 (Apr 08, 2019)
+
+* Fix ruby 1.8.7 incompatibilities
+
+### 1.10.0 (Mar 21, 2019)
+* Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user to be authenticated
+* Improves IdpMetadataParser to allow parse multiple IDPSSODescriptors
+* Improves format_cert method to accept certs with /\x0d/
+* Forces nokogiri >= 1.8.2 when possible
+
+### 1.9.0 (Sept 03, 2018)
+* [#458](https://github.com/onelogin/ruby-saml/pull/458) Remove ruby 2.4+ warnings
+* Improve JRuby support
+* [#465](https://github.com/onelogin/ruby-saml/pull/465) Extend Settings initialization with the new keep_security_attributes parameter
+* Fix wrong message when SessionNotOnOrAfter expired
+* [#471](https://github.com/onelogin/ruby-saml/pull/471) Allow for `allowed_clock_drift` to be set as a string
+
+### 1.8.0 (April 23, 2018)
+* [#437](https://github.com/onelogin/ruby-saml/issues/437) Creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState should not send empty RelayState URL param
+* [#454](https://github.com/onelogin/ruby-saml/pull/454) Added Response available options
+* [#453](https://github.com/onelogin/ruby-saml/pull/453) Raise a more descriptive exception if idp_sso_target_url is missing
+* [#452](https://github.com/onelogin/ruby-saml/pull/452) Fix behavior of skip_conditions flag on Response
+* [#449](https://github.com/onelogin/ruby-saml/pull/449) Add ability to skip authnstatement validation
+* Clear cached values to be able to use IdpMetadataParser more than once
+* Updated invalid audience error message
+
+### 1.7.2 (Feb 28, 2018)
+* [#446](https://github.com/onelogin/ruby-saml/pull/446) Normalize text returned by OneLogin::RubySaml::Utils.element_text
+
+### 1.7.1 (Feb 28, 2018)
+* [#444](https://github.com/onelogin/ruby-saml/pull/444) Fix audience validation for empty audience restriction
+
+### 1.7.0 (Feb 27, 2018)
+* Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments
+
+### 1.6.1 (January 15, 2018)
+* [#428](https://github.com/onelogin/ruby-saml/issues/428) Fix a bug on IdPMetadataParser when parsing certificates
+* [#426](https://github.com/onelogin/ruby-saml/pull/426) Ensure `Rails` responds to `logger`
+
+### 1.6.0 (November 27, 2017)
+* [#418](https://github.com/onelogin/ruby-saml/pull/418) Improve SAML message signature validation using original encoded parameters instead decoded in order to avoid conflicts (URL-encoding is not canonical, reported issues with ADFS)
+* [#420](https://github.com/onelogin/ruby-saml/pull/420) Expose NameID Format on SloLogoutrequest
+* [#423](https://github.com/onelogin/ruby-saml/pull/423) Allow format_cert to work with chained certificates
+* [#422](https://github.com/onelogin/ruby-saml/pull/422) Use to_s for requested attribute value
+
+
+### 1.5.0 (August 31, 2017)
+* [#400](https://github.com/onelogin/ruby-saml/pull/400) When validating Signature use stored IdP certficate if Signature contains no info about Certificate
+* [#402](https://github.com/onelogin/ruby-saml/pull/402) Fix validate_response_state method that rejected SAMLResponses when using idp_cert_multi and idp_cert and idp_cert_fingerprint were not provided.
+* [#411](https://github.com/onelogin/ruby-saml/pull/411) Allow space in Base64 string
+* [#407](https://github.com/onelogin/ruby-saml/issues/407) Improve IdpMetadataParser raising an ArgumentError when parser method receive a metadata string with no IDPSSODescriptor element.
+* [#374](https://github.com/onelogin/ruby-saml/issues/374) Support more than one level of StatusCode
+* [#405](https://github.com/onelogin/ruby-saml/pull/405) Support ADFS encrypted key (Accept KeyInfo nodes with no ds namespace)
+
+
+### 1.4.3 (May 18, 2017)
+* Added SubjectConfirmation Recipient validation
+* [#393](https://github.com/onelogin/ruby-saml/pull/393) Implement IdpMetadataParser#parse_to_hash
+* Adapt IdP XML metadata parser to take care of multiple IdP certificates and be able to inject the data obtained on the settings.
+* Improve binding detection on idp metadata parser
+* [#373](https://github.com/onelogin/ruby-saml/pull/373) Allow metadata to be retrieved from source containing data for multiple entities
+* Be able to register future SP x509cert on the settings and publish it on SP metadata
+* Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption.
+* Improve regex to detect base64 encoded messages
+* Fix binding configuration example in README.md
+* Add Fix SLO request. Correct NameQualifier/SPNameQualifier values.
+* Validate serial number as string to work around libxml2 limitation
+* Propagate isRequired on md:RequestedAttribute when generating SP metadata
+
+### 1.4.2 (January 11, 2017)
+* Improve tests format
+* Fix nokogiri requirements based on ruby version
+* Only publish `KeyDescriptor[use="encryption"]` at SP metadata if `security[:want_assertions_encrypted]` is true
+* Be able to skip destination validation
+* Improved inResponse validation on SAMLResponses and LogoutResponses
+* [#354](https://github.com/onelogin/ruby-saml/pull/354) Allow scheme and domain to match ignoring case
+* [#363](https://github.com/onelogin/ruby-saml/pull/363) Add support for multiple requested attributes
+
+### 1.4.1 (October 19, 2016)
+* [#357](https://github.com/onelogin/ruby-saml/pull/357) Add EncryptedAttribute support. Improve decrypt method
+* Allow multiple authn_context_decl_ref in settings
+* Allow options[:settings] to be an hash for Settings overrides in IdpMetadataParser#parse
+* Recover issuers method
+
+### 1.4.0 (October 13, 2016)
+* Several security improvements:
+ * Conditions element required and unique.
+ * AuthnStatement element required and unique.
+ * SPNameQualifier must math the SP EntityID
+ * Reject saml:Attribute element with same “Name†attribute
+ * Reject empty nameID
+ * Require Issuer element. (Must match IdP EntityID).
+ * Destination value can't be blank (if present must match ACS URL).
+ * Check that the EncryptedAssertion element only contains 1 Assertion element.
+
+* [#335](https://github.com/onelogin/ruby-saml/pull/335) Explicitly parse as XML and fix setting of Nokogiri options.
+* [#345](https://github.com/onelogin/ruby-saml/pull/345)Support multiple settings.auth_context
+* More tests to prevent XML Signature Wrapping
+* [#342](https://github.com/onelogin/ruby-saml/pull/342) Correct the usage of Mutex
+* [352](https://github.com/onelogin/ruby-saml/pull/352) Support multiple AttributeStatement tags
+
+
+### 1.3.1 (July 10, 2016)
+* Fix response_test.rb of gem 1.3.0
+* Add reference to Security Guidelines
+* Update License
+* [#334](https://github.com/onelogin/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method.
+
+### 1.3.0 (June 24, 2016)
+* [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
+* Fix XMLSecurity SHA256 and SHA512 uris
+* [#326](https://github.com/onelogin/ruby-saml/pull/326) Fix Destination validation
+
+### 1.2.0 (April 29, 2016)
+* [#269](https://github.com/onelogin/ruby-saml/pull/269) Refactor error handling; allow collect error messages when soft=true (normal validation stop after find first error)
+* [#289](https://github.com/onelogin/ruby-saml/pull/289) Remove uuid gem in favor of SecureRandom
+* [#297](https://github.com/onelogin/ruby-saml/pull/297) Implement EncryptedKey RetrievalMethod support
+* [#298](https://github.com/onelogin/ruby-saml/pull/298) IDP metadata parsing improved: binding parsing, fingerprint_algorithm support)
+* [#299](https://github.com/onelogin/ruby-saml/pull/299) Make 'signing' at KeyDescriptor optional
+* [#308](https://github.com/onelogin/ruby-saml/pull/308) Support name_id_format on SAMLResponse
+* [#315](https://github.com/onelogin/ruby-saml/pull/315) Support for canonicalization with comments
+* [#316](https://github.com/onelogin/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
+* [#321](https://github.com/onelogin/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
+* Changes on empty URI of Signature reference management
+* [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
+* [#306](https://github.com/onelogin/ruby-saml/pull/306) Support WantAssertionsSigned
+
+### 1.1.2 (February 15, 2016)
+* Improve signature validation. Add tests.
+ [#302](https://github.com/onelogin/ruby-saml/pull/302) Add Destination validation.
+* [#292](https://github.com/onelogin/ruby-saml/pull/292) Improve the error message when validating the audience.
+* [#287](https://github.com/onelogin/ruby-saml/pull/287) Keep the extracted certificate when parsing IdP metadata.
+
+### 1.1.1 (November 10, 2015)
+* [#275](https://github.com/onelogin/ruby-saml/pull/275) Fix a bug on signature validations that invalidates valid SAML messages.
+
+### 1.1.0 (October 27, 2015)
+* [#273](https://github.com/onelogin/ruby-saml/pull/273) Support SAMLResponse without ds:x509certificate
+* [#270](https://github.com/onelogin/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
+* [#261](https://github.com/onelogin/ruby-saml/pull/261) Allow validate_subject_confirmation Response validation to be skipped
+* [#258](https://github.com/onelogin/ruby-saml/pull/258) Fix allowed_clock_drift on the validate_session_expiration test
+* [#256](https://github.com/onelogin/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods.
+* [#255](https://github.com/onelogin/ruby-saml/pull/255) Refactor validate signature.
+* [#254](https://github.com/onelogin/ruby-saml/pull/254) Handle empty URI references
+* [#251](https://github.com/onelogin/ruby-saml/pull/251) Support qualified and unqualified NameID in attributes
+* [#234](https://github.com/onelogin/ruby-saml/pull/234) Add explicit support for JRuby
+
+### 1.0.0 (June 30, 2015)
+* [#247](https://github.com/onelogin/ruby-saml/pull/247) Avoid entity expansion (XEE attacks)
+* [#246](https://github.com/onelogin/ruby-saml/pull/246) Fix bug generating Logout Response (issuer was at wrong order)
+* [#243](https://github.com/onelogin/ruby-saml/issues/243) and [#244](https://github.com/onelogin/ruby-saml/issues/244) Fix metadata builder errors. Fix metadata xsd.
+* [#241](https://github.com/onelogin/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
+* [#240](https://github.com/onelogin/ruby-saml/pull/240) and [#238](https://github.com/onelogin/ruby-saml/pull/238) Improve test coverage and refactor.
+* [#239](https://github.com/onelogin/ruby-saml/pull/239) Improve security: Add more validations to SAMLResponse, LogoutRequest and LogoutResponse. Refactor code and improve tests coverage.
+* [#237](https://github.com/onelogin/ruby-saml/pull/237) Don't pretty print metadata by default.
+* [#235](https://github.com/onelogin/ruby-saml/pull/235) Remove the soft parameter from validation methods. Now can be configured on the settings and each class read it and store as an attribute of the class. Adding some validations and refactor old ones.
+* [#232](https://github.com/onelogin/ruby-saml/pull/232) Improve validations: Store the causes in the errors array, code refactor
+* [#231](https://github.com/onelogin/ruby-saml/pull/231) Refactor HTTP-Redirect Sign method, Move test data to right folder
+* [#226](https://github.com/onelogin/ruby-saml/pull/226) Ensure IdP certificate is formatted properly
+* [#225](https://github.com/onelogin/ruby-saml/pull/225) Add documentation to several methods. Fix xpath injection on xml_security.rb
+* [#223](https://github.com/onelogin/ruby-saml/pull/223) Allow logging to be delegated to an arbitrary Logger
+* [#222](https://github.com/onelogin/ruby-saml/pull/222) No more silent failure fetching idp metadata (OneLogin::RubySaml::HttpError raised).
+
+### 0.9.2 (Apr 28, 2015)
+* [#216](https://github.com/onelogin/ruby-saml/pull/216) Add fingerprint algorithm support
+* [#218](https://github.com/onelogin/ruby-saml/pull/218) Update README.md
+* [#214](https://github.com/onelogin/ruby-saml/pull/214) Cleanup `SamlMessage` class
+* [#213](https://github.com/onelogin/ruby-saml/pull/213) Add ability to sign metadata. (Improved)
+* [#212](https://github.com/onelogin/ruby-saml/pull/212) Rename library entry point
+* [#210](https://github.com/onelogin/ruby-saml/pull/210) Call assert in tests
+* [#208](https://github.com/onelogin/ruby-saml/pull/208) Update tests and CI for Ruby 2.2.0
+* [#205](https://github.com/onelogin/ruby-saml/pull/205) Allow requirement of single files
+* [#204](https://github.com/onelogin/ruby-saml/pull/204) Require ‘net/http’ library
+* [#201](https://github.com/onelogin/ruby-saml/pull/201) Freeze and duplicate default security settings hash so that it doesn't get modified.
+* [#200](https://github.com/onelogin/ruby-saml/pull/200) Set default SSL certificate store in Ruby 1.8.
+* [#199](https://github.com/onelogin/ruby-saml/pull/199) Change Nokogiri's runtime dependency to fix support for Ruby 1.8.7.
+* [#179](https://github.com/onelogin/ruby-saml/pull/179) Add support for setting the entity ID and name ID format when parsing metadata
+* [#175](https://github.com/onelogin/ruby-saml/pull/175) Introduce thread safety to SAML schema validation
+* [#171](https://github.com/onelogin/ruby-saml/pull/171) Fix inconsistent results with using regex matches in decode_raw_saml
+
+### 0.9.1 (Feb 10, 2015)
+* [#194](https://github.com/onelogin/ruby-saml/pull/194) Relax nokogiri gem requirements
+* [#191](https://github.com/onelogin/ruby-saml/pull/191) Use Minitest instead of Test::Unit
+
+### 0.9 (Jan 26, 2015)
+* [#169](https://github.com/onelogin/ruby-saml/pull/169) WantAssertionSigned should be either true or false
+* [#167](https://github.com/onelogin/ruby-saml/pull/167) (doc update) make unit of clock drift obvious
+* [#160](https://github.com/onelogin/ruby-saml/pull/160) Extended solution for Attributes method [] can raise NoMethodError
+* [#158](https://github.com/onelogin/ruby-saml/pull/1) Added ability to specify attribute services in metadata
+* [#154](https://github.com/onelogin/ruby-saml/pull/154) Fix incorrect gem declaration statement
+* [#152](https://github.com/onelogin/ruby-saml/pull/152) Fix the PR #99
+* [#150](https://github.com/onelogin/ruby-saml/pull/150) Nokogiri already in gemspec
+* [#147](https://github.com/onelogin/ruby-saml/pull/147) Fix LogoutResponse issuer validation and implement SAML Response issuer validation.
+* [#144](https://github.com/onelogin/ruby-saml/pull/144) Fix DigestMethod lookup bug
+* [#139](https://github.com/onelogin/ruby-saml/pull/139) Fixes handling of some soft and hard validation failures
+* [#138](https://github.com/onelogin/ruby-saml/pull/138) Change logoutrequest.rb to UTC time
+* [#136](https://github.com/onelogin/ruby-saml/pull/136) Remote idp metadata
+* [#135](https://github.com/onelogin/ruby-saml/pull/135) Restored support for NIL as well as empty AttributeValues
+* [#134](https://github.com/onelogin/ruby-saml/pull/134) explicitly require "onelogin/ruby-saml/logging"
+* [#133](https://github.com/onelogin/ruby-saml/pull/133) Added license to gemspec
+* [#132](https://github.com/onelogin/ruby-saml/pull/132) Support AttributeConsumingServiceIndex in AuthnRequest
+* [#131](https://github.com/onelogin/ruby-saml/pull/131) Add ruby 2.1.1 to .travis.yml
+* [#122](https://github.com/onelogin/ruby-saml/pull/122) Fixes #112 and #117 in a backwards compatible manner
+* [#119](https://github.com/onelogin/ruby-saml/pull/119) Add support for extracting IdP details from metadata xml
+
+### 0.8.2 (Jan 26, 2015)
+* [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
+
+### 0.8.0 (Feb 21, 2014)
+**IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`. Please update your implementations of the gem accordingly.
+
+* [#111](https://github.com/onelogin/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
+* [#108](https://github.com/onelogin/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
+
+
+### 0.7.3 (Feb 20, 2014)
+Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
+
+* [#107](https://github.com/onelogin/ruby-saml/pull/107) Relax nokogiri version requirement to >= 1.5.0
+* [#105](https://github.com/onelogin/ruby-saml/pull/105) Lock Gem versions, fix to resolve possible namespace collision
diff --git a/vendor/gems/ruby-saml/Gemfile b/vendor/gems/ruby-saml/Gemfile
new file mode 100644
index 0000000000000000000000000000000000000000..cc119f9ab7f57d35d7caaad5b55b92f11e0209d1
--- /dev/null
+++ b/vendor/gems/ruby-saml/Gemfile
@@ -0,0 +1,6 @@
+#
+# Please keep this file alphabetized and organized
+#
+source 'https://rubygems.org'
+
+gemspec
diff --git a/vendor/gems/ruby-saml/LICENSE b/vendor/gems/ruby-saml/LICENSE
new file mode 100644
index 0000000000000000000000000000000000000000..c141165ed2749acaf2704af253371152898268bb
--- /dev/null
+++ b/vendor/gems/ruby-saml/LICENSE
@@ -0,0 +1,24 @@
+Copyright (c) 2010-2022 OneLogin, Inc.
+Copyright (c) 2023 IAM Digital Services, SL.
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
diff --git a/vendor/gems/ruby-saml/README.md b/vendor/gems/ruby-saml/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..23b560de9701147fd61b6174dcc423756f2f7b4d
--- /dev/null
+++ b/vendor/gems/ruby-saml/README.md
@@ -0,0 +1,1009 @@
+# Ruby SAML
+[](https://github.com/SAML-Toolkits/ruby-saml/actions/workflows/test.yml)
+[](https://coveralls.io/github/SAML-Toolkits/ruby-saml?branch=master)
+[](https://badge.fury.io/rb/ruby-saml)
+[](https://badge.fury.io/gh/SAML-Toolkits%2Fruby-saml)   
+
+Minor and patch versions of Ruby SAML may introduce breaking changes. Please read
+[UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
+
+### **Pay it forward: a more secure open source ecosystem**
+
+RubySAML has been a cornerstone of authentication security for countless organizations, from startups to enterprises. It’s a powerful, community-driven alternative to costly third-party services—many of which simply repackage open-source libraries while charging a premium.
+
+But security doesn’t happen in a vacuum. Vulnerabilities don’t just impact one library or one company; they ripple across the entire ecosystem. A weakness in authentication libraries like RubySAML can have far-reaching consequences, affecting critical infrastructure, businesses, and users worldwide.
+
+Maintaining security in open-source software takes **ongoing effort, expertise, and resources.** Without community and financial support, projects like RubySAML risk stagnation—while expensive third-party solutions profit from that gap without reinvesting in the open-source ecosystem.
+
+By supporting RubySAML directly, you’re not just ensuring the security of your own systems—you’re strengthening the entire ecosystem. Instead of paying for a closed-source service that builds on the work of the open-source community, consider **paying it forward** to the people actually doing the security work.
+
+**How you can help:**-
+- Sponsor critical open source infrastructure libraries like Ruby-SAML: https://github.com/sponsors/SAML-Toolkits
+- Contribute to secure by design improvements
+- Finding & reporting new zero day vulnerabilities to open source libraries.
+
+Security is a shared responsibility. If RubySAML has helped your organization, now is the time to give back. Together, we can keep authentication secure—without locking critical security behind expensive paywalls.
+
+Thank you for being part of the open-source security movement!
+
+### Sponsors
+
+Thanks to the following sponsors for securing the open source ecosystem,
+
+[<img alt="84codes" src="https://avatars.githubusercontent.com/u/5353257" width="75px">](https://www.84codes.com)
+
+
+## Vulnerabilities
+
+There are critical vulnerabilities affecting ruby-saml < 1.18.0, two of them allows SAML authentication bypass (CVE-2025-25291, CVE-2025-25292, CVE-2025-25293). Please upgrade to a fixed version (1.18.0)
+
+
+## Overview
+
+The Ruby SAML library is for implementing the client side of a SAML authorization,
+i.e. it provides a means for managing authorization initialization and confirmation
+requests from identity providers.
+
+SAML authorization is a two-step process and you are expected to implement support for both.
+
+We created a demo project for Rails 4 that uses the latest version of this library:
+[ruby-saml-example](https://github.com/saml-toolkits/ruby-saml-example)
+
+### Supported Ruby Versions
+
+The following Ruby versions are covered by CI testing:
+
+* Ruby (MRI) 2.1 to 3.3
+* JRuby 9.1 to 9.4
+* TruffleRuby (latest)
+
+## Adding Features, Pull Requests
+
+* Fork the repository
+* Make your feature addition or bug fix
+* Add tests for your new features. This is important so we don't break any features in a future version unintentionally.
+* Ensure all tests pass by running `bundle exec rake test`.
+* Do not change Rakefile, version, or history.
+* Open a pull request, following [this template](https://gist.github.com/Lordnibbler/11002759).
+
+## Security Guidelines
+
+If you believe you have discovered a security vulnerability in this gem, please report it
+by mail to the maintainer: sixto.martin.garcia+security@gmail.com
+
+### Security Warning
+
+Some tools may incorrectly report ruby-saml is a potential security vulnerability.
+ruby-saml depends on Nokogiri, and it is possible to use Nokogiri in a dangerous way
+(by enabling its DTDLOAD option and disabling its NONET option).
+This dangerous Nokogiri configuration, which is sometimes used by other components,
+can create an XML External Entity (XXE) vulnerability if the XML data is not trusted.
+However, ruby-saml never enables this dangerous Nokogiri configuration;
+ruby-saml never enables DTDLOAD, and it never disables NONET.
+
+The OneLogin::RubySaml::IdpMetadataParser class does not validate the provided URL before parsing.
+
+Usually, the same administrator who handles the Service Provider also sets the URL to
+the IdP, which should be a trusted resource.
+
+But there are other scenarios, like a SaaS app where the administrator of the app
+delegates this functionality to other users. In this case, extra precautions should
+be taken in order to validate such URL inputs and avoid attacks like SSRF.
+
+
+## Getting Started
+
+In order to use Ruby SAML you will need to install the gem (either manually or using Bundler),
+and require the library in your Ruby application:
+
+Using `Gemfile`
+
+```ruby
+# latest stable
+gem 'ruby-saml', '~> 1.17.0'
+
+# or track master for bleeding-edge
+gem 'ruby-saml', :github => 'saml-toolkit/ruby-saml'
+```
+
+Using RubyGems
+
+```sh
+gem install ruby-saml
+```
+
+You may require the entire Ruby SAML gem:
+
+```ruby
+require 'onelogin/ruby-saml'
+```
+
+or just the required components individually:
+
+```ruby
+require 'onelogin/ruby-saml/authrequest'
+```
+
+### Installation on Ruby 1.8.7
+
+This gem uses Nokogiri as a dependency, which dropped support for Ruby 1.8.x in Nokogiri 1.6.
+When installing this gem on Ruby 1.8.7, you will need to make sure a version of Nokogiri
+prior to 1.6 is installed or specified if it hasn't been already.
+
+Using `Gemfile`
+
+```ruby
+gem 'nokogiri', '~> 1.5.10'
+```
+
+Using RubyGems
+
+```sh
+gem install nokogiri --version '~> 1.5.10'
+````
+
+### Configuring Logging
+
+When troubleshooting SAML integration issues, you will find it extremely helpful to examine the
+output of this gem's business logic. By default, log messages are emitted to `RAILS_DEFAULT_LOGGER`
+when the gem is used in a Rails context, and to `STDOUT` when the gem is used outside of Rails.
+
+To override the default behavior and control the destination of log messages, provide
+a ruby Logger object to the gem's logging singleton:
+
+```ruby
+OneLogin::RubySaml::Logging.logger = Logger.new('/var/log/ruby-saml.log')
+```
+
+## The Initialization Phase
+
+This is the first request you will get from the identity provider. It will hit your application
+at a specific URL that you've announced as your SAML initialization point. The response to
+this initialization is a redirect back to the identity provider, which can look something
+like this (ignore the saml_settings method call for now):
+
+```ruby
+def init
+ request = OneLogin::RubySaml::Authrequest.new
+ redirect_to(request.create(saml_settings))
+end
+```
+
+If the SP knows who should be authenticated in the IdP, it can provide that info as follows:
+
+```ruby
+def init
+ request = OneLogin::RubySaml::Authrequest.new
+ saml_settings.name_identifier_value_requested = "testuser@example.com"
+ saml_settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+ redirect_to(request.create(saml_settings))
+end
+```
+
+Once you've redirected back to the identity provider, it will ensure that the user has been
+authorized and redirect back to your application for final consumption.
+This can look something like this (the `authorize_success` and `authorize_failure`
+methods are specific to your application):
+
+```ruby
+def consume
+ response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
+
+ # We validate the SAML Response and check if the user already exists in the system
+ if response.is_valid?
+ # authorize_success, log the user
+ session[:userid] = response.nameid
+ session[:attributes] = response.attributes
+ else
+ authorize_failure # This method shows an error message
+ # List of errors is available in response.errors array
+ end
+end
+```
+
+In the above there are a few assumptions, one being that `response.nameid` is an email address.
+This is all handled with how you specify the settings that are in play via the `saml_settings` method.
+That could be implemented along the lines of this:
+
+```
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+response.settings = saml_settings
+```
+
+If the assertion of the SAMLResponse is not encrypted, you can initialize the Response
+without the `:settings` parameter and set it later. If the SAMLResponse contains an encrypted
+assertion, you need to provide the settings in the initialize method in order to obtain the
+decrypted assertion, using the service provider private key in order to decrypt.
+If you don't know what expect, always use the former (set the settings on initialize).
+
+```ruby
+def saml_settings
+ settings = OneLogin::RubySaml::Settings.new
+
+ settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+ settings.sp_entity_id = "http://#{request.host}/saml/metadata"
+ settings.idp_entity_id = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
+ settings.idp_sso_service_url = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
+ settings.idp_sso_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" # or :post, :redirect
+ settings.idp_slo_service_url = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
+ settings.idp_slo_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" # or :post, :redirect
+ settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
+ settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
+ settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+ # Optional for most SAML IdPs
+ settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+ # or as an array
+ settings.authn_context = [
+ "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
+ "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+ ]
+
+ # Optional bindings (defaults to Redirect for logout POST for ACS)
+ settings.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" # or :post, :redirect
+ settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" # or :post, :redirect
+
+ settings
+end
+```
+
+The use of `settings.issuer` is deprecated in favor of `settings.sp_entity_id` since version 1.11.0
+
+Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.
+For example, you can skip the `AuthnStatement`, `Conditions`, `Recipient`, or the `SubjectConfirmation`
+validations by initializing the response with different options:
+
+```ruby
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_authnstatement: true}) # skips AuthnStatement
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doesn't skip subject confirmation, but skips the recipient check which is a sub check of the subject_confirmation check
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_audience: true}) # skips audience check
+```
+
+All that's left is to wrap everything in a controller and reference it in the initialization and
+consumption URLs in OneLogin. A full controller example could look like this:
+
+```ruby
+# This controller expects you to use the URLs /saml/init and /saml/consume in your OneLogin application.
+class SamlController < ApplicationController
+ def init
+ request = OneLogin::RubySaml::Authrequest.new
+ redirect_to(request.create(saml_settings))
+ end
+
+ def consume
+ response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+ response.settings = saml_settings
+
+ # We validate the SAML Response and check if the user already exists in the system
+ if response.is_valid?
+ # authorize_success, log the user
+ session[:userid] = response.nameid
+ session[:attributes] = response.attributes
+ else
+ authorize_failure # This method shows an error message
+ # List of errors is available in response.errors array
+ end
+ end
+
+ private
+
+ def saml_settings
+ settings = OneLogin::RubySaml::Settings.new
+
+ settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+ settings.sp_entity_id = "http://#{request.host}/saml/metadata"
+ settings.idp_sso_service_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+ settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
+ settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+ # Optional for most SAML IdPs
+ settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+ # Optional. Describe according to IdP specification (if supported) which attributes the SP desires to receive in SAMLResponse.
+ settings.attributes_index = 5
+ # Optional. Describe an attribute consuming service for support of additional attributes.
+ settings.attribute_consuming_service.configure do
+ service_name "Service"
+ service_index 5
+ add_attribute :name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name"
+ end
+
+ settings
+ end
+end
+```
+
+## Signature Validation
+
+Ruby SAML allows different ways to validate the signature of the SAMLResponse:
+- You can provide the IdP X.509 public certificate at the `idp_cert` setting.
+- You can provide the IdP X.509 public certificate in fingerprint format using the
+ `idp_cert_fingerprint` setting parameter and additionally the `idp_cert_fingerprint_algorithm` parameter.
+
+When validating the signature of redirect binding, the fingerprint is useless and the certificate
+of the IdP is required in order to execute the validation. You can pass the option
+`:relax_signature_validation` to `SloLogoutrequest` and `Logoutresponse` if want to avoid signature
+validation if no certificate of the IdP is provided.
+
+In production also we highly recommend to register on the settings the IdP certificate instead
+of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision
+attack that can end on a signature validation bypass. Other SAML toolkits deprecated that mechanism,
+we maintain it for compatibility and also to be used on test environment.
+
+## Handling Multiple IdP Certificates
+
+If the IdP metadata XML includes multiple certificates, you may specify the `idp_cert_multi`
+parameter. When used, the `idp_cert` and `idp_cert_fingerprint` parameters are ignored.
+This is useful in the following scenarios:
+
+* The IdP uses different certificates for signing versus encryption.
+* The IdP is undergoing a key rollover and is publishing the old and new certificates in parallel.
+
+The `idp_cert_multi` must be a `Hash` as follows. The `:signing` and `:encryption` arrays below,
+add the IdP X.509 public certificates which were published in the IdP metadata.
+
+```ruby
+{
+ :signing => [],
+ :encryption => []
+}
+```
+
+## Metadata Based Configuration
+
+The method above requires a little extra work to manually specify attributes about both the IdP and your SP application.
+There's an easier method: use a metadata exchange. Metadata is an XML file that defines the capabilities of both the IdP
+and the SP application. It also contains the X.509 public key certificates which add to the trusted relationship.
+The IdP administrator can also configure custom settings for an SP based on the metadata.
+
+Using `IdpMetadataParser#parse_remote`, the IdP metadata will be added to the settings.
+
+```ruby
+def saml_settings
+
+ idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+ # Returns OneLogin::RubySaml::Settings pre-populated with IdP metadata
+ settings = idp_metadata_parser.parse_remote("https://example.com/auth/saml2/idp/metadata")
+
+ settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+ settings.sp_entity_id = "http://#{request.host}/saml/metadata"
+ settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+ # Optional for most SAML IdPs
+ settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+ settings
+end
+```
+
+The following attributes are set:
+ * idp_entity_id
+ * name_identifier_format
+ * idp_sso_service_url
+ * idp_slo_service_url
+ * idp_attribute_names
+ * idp_cert
+ * idp_cert_fingerprint
+ * idp_cert_multi
+
+### Retrieve one Entity Descriptor when many exist in Metadata
+
+If the Metadata contains several entities, the relevant Entity
+Descriptor can be specified when retrieving the settings from the
+IdpMetadataParser by its Entity Id value:
+
+```ruby
+ validate_cert = true
+ settings = idp_metadata_parser.parse_remote(
+ "https://example.com/auth/saml2/idp/metadata",
+ validate_cert,
+ entity_id: "http//example.com/target/entity"
+ )
+```
+
+### Retrieve one Entity Descriptor with a specific binding and nameid format when several are available
+
+If the metadata contains multiple bindings and NameID formats, the relevant ones
+can be specified when retrieving the settings from the IdpMetadataParser
+by the values of binding and NameID:
+
+```ruby
+ validate_cert = true
+ options = {
+ entity_id: "http//example.com/target/entity",
+ name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+ sso_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+ slo_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ }
+ settings = idp_metadata_parser.parse_remote(
+ "https://example.com/auth/saml2/idp/metadata",
+ validate_cert,
+ options
+ )
+```
+
+### Parsing Metadata into an Hash
+
+The `OneLogin::RubySaml::IdpMetadataParser` also provides the methods `#parse_to_hash` and `#parse_remote_to_hash`.
+Those return an Hash instead of a `Settings` object, which may be useful for configuring
+[omniauth-saml](https://github.com/omniauth/omniauth-saml), for instance.
+
+
+### Validating Signature of Metadata and retrieve settings
+
+Right now there is no method at ruby_saml to validate the signature of the metadata that gonna be parsed,
+but it can be done as follows:
+* Download the XML.
+* Validate the Signature, providing the cert.
+* Provide the XML to the parse method if the signature was validated
+
+```ruby
+require "xml_security"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/idp_metadata_parser"
+
+url = "<url_to_the_metadata>"
+idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+
+uri = URI.parse(url)
+raise ArgumentError.new("url must begin with http or https") unless /^https?/ =~ uri.scheme
+http = Net::HTTP.new(uri.host, uri.port)
+if uri.scheme == "https"
+ http.use_ssl = true
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+end
+
+get = Net::HTTP::Get.new(uri.request_uri)
+get.basic_auth uri.user, uri.password if uri.user
+response = http.request(get)
+xml = response.body
+errors = []
+doc = XMLSecurity::SignedDocument.new(xml, errors)
+cert_str = "<include_cert_here>"
+cert = OneLogin::RubySaml::Utils.format_cert("cert_str")
+metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
+valid = doc.validate_document_with_cert(metadata_sign_cert, true)
+if valid
+ settings = idp_metadata_parser.parse(
+ xml,
+ entity_id: "<entity_id_of_the_entity_to_be_retrieved>"
+ )
+else
+ print "Metadata Signature failed to be verified with the cert provided"
+end
+```
+
+## Retrieving Attributes
+
+If you are using `saml:AttributeStatement` to transfer data, such as the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the
+`single_value_compatibility` (when activated, only the first value is returned)
+
+```ruby
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+response.settings = saml_settings
+
+response.attributes[:username]
+```
+
+Imagine this `saml:AttributeStatement`
+
+```xml
+ <saml:AttributeStatement>
+ <saml:Attribute Name="uid">
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">demo</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="another_value">
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value1</saml:AttributeValue>
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value2</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="role">
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role1</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="role">
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role2</saml:AttributeValue>
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role3</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="attribute_with_nil_value">
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+ </saml:Attribute>
+ <saml:Attribute Name="attribute_with_nils_and_empty_strings">
+ <saml:AttributeValue/>
+ <saml:AttributeValue>valuePresent</saml:AttributeValue>
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+ <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1"/>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
+ <saml:AttributeValue>usersName</saml:AttributeValue>
+ </saml:Attribute>
+ </saml:AttributeStatement>
+```
+
+```ruby
+pp(response.attributes) # is an OneLogin::RubySaml::Attributes object
+# => @attributes=
+ {"uid"=>["demo"],
+ "another_value"=>["value1", "value2"],
+ "role"=>["role1", "role2", "role3"],
+ "attribute_with_nil_value"=>[nil],
+ "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]
+ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"=>["usersName"]}>
+
+# Active single_value_compatibility
+OneLogin::RubySaml::Attributes.single_value_compatibility = true
+
+pp(response.attributes[:uid])
+# => "demo"
+
+pp(response.attributes[:role])
+# => "role1"
+
+pp(response.attributes.single(:role))
+# => "role1"
+
+pp(response.attributes.multi(:role))
+# => ["role1", "role2", "role3"]
+
+pp(response.attributes.fetch(:role))
+# => "role1"
+
+pp(response.attributes[:attribute_with_nil_value])
+# => nil
+
+pp(response.attributes[:attribute_with_nils_and_empty_strings])
+# => ""
+
+pp(response.attributes[:not_exists])
+# => nil
+
+pp(response.attributes.single(:not_exists))
+# => nil
+
+pp(response.attributes.multi(:not_exists))
+# => nil
+
+pp(response.attributes.fetch(/givenname/))
+# => "usersName"
+
+# Deprecated single_value_compatibility
+OneLogin::RubySaml::Attributes.single_value_compatibility = false
+
+pp(response.attributes[:uid])
+# => ["demo"]
+
+pp(response.attributes[:role])
+# => ["role1", "role2", "role3"]
+
+pp(response.attributes.single(:role))
+# => "role1"
+
+pp(response.attributes.multi(:role))
+# => ["role1", "role2", "role3"]
+
+pp(response.attributes.fetch(:role))
+# => ["role1", "role2", "role3"]
+
+pp(response.attributes[:attribute_with_nil_value])
+# => [nil]
+
+pp(response.attributes[:attribute_with_nils_and_empty_strings])
+# => ["", "valuePresent", nil, nil]
+
+pp(response.attributes[:not_exists])
+# => nil
+
+pp(response.attributes.single(:not_exists))
+# => nil
+
+pp(response.attributes.multi(:not_exists))
+# => nil
+
+pp(response.attributes.fetch(/givenname/))
+# => ["usersName"]
+```
+
+The `saml:AuthnContextClassRef` of the AuthNRequest can be provided by `settings.authn_context`; possible values are described at [SAMLAuthnCxt]. The comparison method can be set using `settings.authn_context_comparison` parameter. Possible values include: 'exact', 'better', 'maximum' and 'minimum' (default value is 'exact').
+To add a `saml:AuthnContextDeclRef`, define `settings.authn_context_decl_ref`.
+
+In a SP-initiated flow, the SP can indicate to the IdP the subject that should be authenticated. This is done by defining the `settings.name_identifier_value_requested` before
+building the authrequest object.
+
+## Service Provider Metadata
+
+To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML
+to the IdP for various good reasons. (Caching, certificate lookups, relaying party permissions, etc)
+
+The class `OneLogin::RubySaml::Metadata` takes care of this by reading the Settings and returning XML. All you have to do is add a controller to return the data, then give this URL to the IdP administrator.
+
+The metadata will be polled by the IdP every few minutes, so updating your settings should propagate
+to the IdP settings.
+
+```ruby
+class SamlController < ApplicationController
+ # ... the rest of your controller definitions ...
+ def metadata
+ settings = Account.get_saml_settings
+ meta = OneLogin::RubySaml::Metadata.new
+ render :xml => meta.generate(settings), :content_type => "application/samlmetadata+xml"
+ end
+end
+```
+
+You can add `ValidUntil` and `CacheDuration` to the SP Metadata XML using instead:
+
+```ruby
+ # Valid until => 2 days from now
+ # Cache duration = 604800s = 1 week
+ valid_until = Time.now + 172800
+ cache_duration = 604800
+ meta.generate(settings, false, valid_until, cache_duration)
+```
+
+## Signing and Decryption
+
+Ruby SAML supports the following functionality:
+
+1. Signing your SP Metadata XML
+2. Signing your SP SAML messages
+3. Decrypting IdP Assertion messages upon receipt (EncryptedAssertion)
+4. Verifying signatures on SAML messages and IdP Assertions
+
+In order to use functions 1-3 above, you must first define your SP public certificate and private key:
+
+```ruby
+ settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
+ settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
+```
+
+Note that the same certificate (and its associated private key) are used to perform
+all decryption and signing-related functions (1-4) above. Ruby SAML does not currently allow
+to specify different certificates for each function.
+
+You may also globally set the SP signature and digest method, to be used in SP signing (functions 1 and 2 above):
+
+```ruby
+ settings.security[:digest_method] = XMLSecurity::Document::SHA1
+ settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+```
+
+#### Signing SP Metadata
+
+You may add a `<ds:Signature>` digital signature element to your SP Metadata XML using the following setting:
+
+```ruby
+ settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
+ settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
+
+ settings.security[:metadata_signed] = true # Enable signature on Metadata
+```
+
+#### Signing SP SAML Messages
+
+Ruby SAML supports SAML request signing. The Service Provider will sign the
+request/responses with its private key. The Identity Provider will then validate the signature
+of the received request/responses with the public X.509 cert of the Service Provider.
+
+To enable, please first set your certificate and private key. This will add `<md:KeyDescriptor use="signing">`
+to your SP Metadata XML, to be read by the IdP.
+
+```ruby
+ settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
+ settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
+```
+
+Next, you may specify the specific SP SAML messages you would like to sign:
+
+```ruby
+ settings.security[:authn_requests_signed] = true # Enable signature on AuthNRequest
+ settings.security[:logout_requests_signed] = true # Enable signature on Logout Request
+ settings.security[:logout_responses_signed] = true # Enable signature on Logout Response
+```
+
+Signatures will be handled automatically for both `HTTP-Redirect` and `HTTP-POST` Binding.
+Note that the RelayState parameter is used when creating the Signature on the `HTTP-Redirect` Binding.
+Remember to provide it to the Signature builder if you are sending a `GET RelayState` parameter or the
+signature validation process will fail at the Identity Provider.
+
+#### Decrypting IdP SAML Assertions
+
+Ruby SAML supports EncryptedAssertion. The Identity Provider will encrypt the Assertion with the
+public cert of the Service Provider. The Service Provider will decrypt the EncryptedAssertion with its private key.
+
+You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor use="encryption">` to your
+SP Metadata XML, to be read by the IdP.
+
+```ruby
+ settings.certificate = "CERTIFICATE TEXT WITH BEGIN/END HEADER AND FOOTER"
+ settings.private_key = "PRIVATE KEY TEXT WITH BEGIN/END HEADER AND FOOTER"
+
+ settings.security[:want_assertions_encrypted] = true # Invalidate SAML messages without an EncryptedAssertion
+```
+
+#### Verifying Signature on IdP Assertions
+
+You may require the IdP to sign its SAML Assertions using the following setting.
+With will add `<md:SPSSODescriptor WantAssertionsSigned="true">` to your SP Metadata XML.
+The signature will be checked against the `<md:KeyDescriptor use="signing">` element
+present in the IdP's metadata.
+
+```ruby
+ settings.security[:want_assertions_signed] = true # Require the IdP to sign its SAML Assertions
+```
+
+#### Certificate and Signature Validation
+
+You may require SP and IdP certificates to be non-expired using the following settings:
+
+```ruby
+ settings.security[:check_idp_cert_expiration] = true # Raise error if IdP X.509 cert is expired
+ settings.security[:check_sp_cert_expiration] = true # Raise error SP X.509 cert is expired
+```
+
+By default, Ruby SAML will raise a `OneLogin::RubySaml::ValidationError` if a signature or certificate
+validation fails. You may disable such exceptions using the `settings.security[:soft]` parameter.
+
+```ruby
+ settings.security[:soft] = true # Do not raise error on failed signature/certificate validations
+```
+
+#### Advanced SP Certificate Usage & Key Rollover
+
+Ruby SAML provides the `settings.sp_cert_multi` parameter to enable the following
+advanced usage scenarios:
+- Rotating SP certificates and private keys without disruption of service.
+- Specifying separate SP certificates for signing and encryption.
+
+The `sp_cert_multi` parameter replaces `certificate` and `private_key`
+(you may not specify both pparameters at the same time.) `sp_cert_multi` has the following shape:
+
+```ruby
+settings.sp_cert_multi = {
+ signing: [
+ { certificate: cert1, private_key: private_key1 },
+ { certificate: cert2, private_key: private_key2 }
+ ],
+ encryption: [
+ { certificate: cert1, private_key: private_key1 },
+ { certificate: cert3, private_key: private_key1 }
+ ],
+}
+```
+
+Certificate rotation is acheived by inserting new certificates at the bottom of each list,
+and then removing the old certificates from the top of the list once your IdPs have migrated.
+A common practice is for apps to publish the current SP metadata at a URL endpoint and have
+the IdP regularly poll for updates.
+
+Note the following:
+- You may re-use the same certificate and/or private key in multiple places, including for both signing and encryption.
+- The IdP should attempt to verify signatures with *all* `:signing` certificates,
+ and permit if *any one* succeeds. When signing, Ruby SAML will use the first SP certificate
+ in the `sp_cert_multi[:signing]` array. This will be the first active/non-expired certificate
+ in the array if `settings.security[:check_sp_cert_expiration]` is true.
+- The IdP may encrypt with any of the SP certificates in the `sp_cert_multi[:encryption]`
+ array. When decrypting, Ruby SAML attempt to decrypt with each SP private key in
+ `sp_cert_multi[:encryption]` until the decryption is successful. This will skip private
+ keys for inactive/expired certificates if `:check_sp_cert_expiration` is true.
+- If `:check_sp_cert_expiration` is true, the generated SP metadata XML will not include
+ inactive/expired certificates. This avoids validation errors when the IdP reads the SP
+ metadata.
+
+#### Audience Validation
+
+A service provider should only consider a SAML response valid if the IdP includes an <AudienceRestriction>
+element containing an <Audience> element that uniquely identifies the service provider. Unless you specify
+the `skip_audience` option, Ruby SAML will validate that each SAML response includes an <Audience> element
+whose contents matches `settings.sp_entity_id`.
+
+By default, Ruby SAML considers an <AudienceRestriction> element containing only empty <Audience> elements
+to be valid. That means an otherwise valid SAML response with a condition like this would be valid:
+
+```xml
+<AudienceRestriction>
+ <Audience />
+</AudienceRestriction>
+```
+
+You may enforce that an <AudienceRestriction> element containing only empty <Audience> elements
+is invalid using the `settings.security[:strict_audience_validation]` parameter.
+
+```ruby
+settings.security[:strict_audience_validation] = true
+```
+
+## Single Log Out
+
+Ruby SAML supports SP-initiated Single Logout and IdP-Initiated Single Logout.
+
+Here is an example that we could add to our previous controller to generate and send a SAML Logout Request to the IdP:
+
+```ruby
+# Create a SP initiated SLO
+def sp_logout_request
+ # LogoutRequest accepts plain browser requests w/o paramters
+ settings = saml_settings
+
+ if settings.idp_slo_service_url.nil?
+ logger.info "SLO IdP Endpoint not found in settings, executing then a normal logout'"
+ delete_session
+ else
+
+ logout_request = OneLogin::RubySaml::Logoutrequest.new
+ logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{logout_request.uuid}'"
+
+ if settings.name_identifier_value.nil?
+ settings.name_identifier_value = session[:userid]
+ end
+
+ # Ensure user is logged out before redirect to IdP, in case anything goes wrong during single logout process (as recommended by saml2int [SDP-SP34])
+ logged_user = session[:userid]
+ logger.info "Delete session for '#{session[:userid]}'"
+ delete_session
+
+ # Save the transaction_id to compare it with the response we get back
+ session[:transaction_id] = logout_request.uuid
+ session[:logged_out_user] = logged_user
+
+ relayState = url_for(controller: 'saml', action: 'index')
+ redirect_to(logout_request.create(settings, :RelayState => relayState))
+ end
+end
+```
+
+This method processes the SAML Logout Response sent by the IdP as the reply of the SAML Logout Request:
+
+```ruby
+# After sending an SP initiated LogoutRequest to the IdP, we need to accept
+# the LogoutResponse, verify it, then actually delete our session.
+def process_logout_response
+ settings = Account.get_saml_settings
+
+ if session.has_key? :transaction_id
+ logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => session[:transaction_id])
+ else
+ logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings)
+ end
+
+ logger.info "LogoutResponse is: #{logout_response.to_s}"
+
+ # Validate the SAML Logout Response
+ if not logout_response.validate
+ logger.error "The SAML Logout Response is invalid"
+ else
+ # Actually log out this session
+ logger.info "SLO completed for '#{session[:logged_out_user]}'"
+ delete_session
+ end
+end
+
+# Delete a user's session.
+def delete_session
+ session[:userid] = nil
+ session[:attributes] = nil
+ session[:transaction_id] = nil
+ session[:logged_out_user] = nil
+end
+```
+
+Here is an example that we could add to our previous controller to process a SAML Logout Request from the IdP and reply with a SAML Logout Response to the IdP:
+
+```ruby
+# Method to handle IdP initiated logouts
+def idp_logout_request
+ settings = Account.get_saml_settings
+ # ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
+ # uppercase. Turn it True for ADFS compatibility on signature verification
+ settings.security[:lowercase_url_encoding] = true
+
+ logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
+ params[:SAMLRequest], settings: settings
+ )
+ if !logout_request.is_valid?
+ logger.error "IdP initiated LogoutRequest was not valid!"
+ return render :inline => logger.error
+ end
+ logger.info "IdP initiated Logout for #{logout_request.name_id}"
+
+ # Actually log out this session
+ delete_session
+
+ # Generate a response to the IdP.
+ logout_request_id = logout_request.id
+ logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request_id, nil, :RelayState => params[:RelayState])
+ redirect_to logout_response
+end
+```
+
+All the mentioned methods could be handled in a unique view:
+
+```ruby
+# Trigger SP and IdP initiated Logout requests
+def logout
+ # If we're given a logout request, handle it in the IdP logout initiated method
+ if params[:SAMLRequest]
+ return idp_logout_request
+ # We've been given a response back from the IdP, process it
+ elsif params[:SAMLResponse]
+ return process_logout_response
+ # Initiate SLO (send Logout Request)
+ else
+ return sp_logout_request
+ end
+end
+```
+
+## Clock Drift
+
+Server clocks tend to drift naturally. If during validation of the response you get the error "Current time is earlier than NotBefore condition", this may be due to clock differences between your system and that of the Identity Provider.
+
+First, ensure that both systems synchronize their clocks, using for example the industry standard [Network Time Protocol (NTP)](http://en.wikipedia.org/wiki/Network_Time_Protocol).
+
+Even then you may experience intermittent issues, as the clock of the Identity Provider may drift slightly ahead of your system clocks. To allow for a small amount of clock drift, you can initialize the response by passing in an option named `:allowed_clock_drift`. Its value must be given in a number (and/or fraction) of seconds. The value given is added to the current time at which the response is validated before it's tested against the `NotBefore` assertion. For example:
+
+```ruby
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :allowed_clock_drift => 1.second)
+```
+
+Make sure to keep the value as comfortably small as possible to keep security risks to a minimum.
+
+## Deflation Limit
+
+To protect against decompression bombs (a form of DoS attack), SAML messages are limited to 250,000 bytes by default.
+Sometimes legitimate SAML messages will exceed this limit,
+for example due to custom claims like including groups a user is a member of.
+If you want to customize this limit, you need to provide a different setting when initializing the response object.
+Example:
+
+```ruby
+def consume
+ response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], { settings: saml_settings })
+ ...
+end
+
+private
+
+def saml_settings
+ OneLogin::RubySaml::Settings.new(message_max_bytesize: 500_000)
+end
+```
+
+## Attribute Service
+
+To request attributes from the IdP the SP must provide an attribute service within its metadata and reference the index in the assertion.
+
+```ruby
+settings = OneLogin::RubySaml::Settings.new
+settings.attributes_index = 5
+settings.attribute_consuming_service.configure do
+ service_name "Service"
+ service_index 5
+ add_attribute :name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name"
+ add_attribute :name => "Another Attribute", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => "Attribute Value"
+end
+```
+
+The `attribute_value` option additionally accepts an array of possible values.
+
+## Custom Metadata Fields
+
+Some IdPs may require SPs to add additional fields (Organization, ContactPerson, etc.)
+into the SP metadata. This can be achieved by extending the `OneLogin::RubySaml::Metadata`
+class and overriding the `#add_extras` method as per the following example:
+
+```ruby
+class MyMetadata < OneLogin::RubySaml::Metadata
+ def add_extras(root, _settings)
+ org = root.add_element("md:Organization")
+ org.add_element("md:OrganizationName", 'xml:lang' => "en-US").text = 'ACME Inc.'
+ org.add_element("md:OrganizationDisplayName", 'xml:lang' => "en-US").text = 'ACME'
+ org.add_element("md:OrganizationURL", 'xml:lang' => "en-US").text = 'https://www.acme.com'
+
+ cp = root.add_element("md:ContactPerson", 'contactType' => 'technical')
+ cp.add_element("md:GivenName").text = 'ACME SAML Team'
+ cp.add_element("md:EmailAddress").text = 'saml@acme.com'
+ end
+end
+
+# Output XML with custom metadata
+MyMetadata.new.generate(settings)
+```
diff --git a/vendor/gems/ruby-saml/Rakefile b/vendor/gems/ruby-saml/Rakefile
new file mode 100644
index 0000000000000000000000000000000000000000..40fa256058dce3937d4d8d63198dea40ed82b572
--- /dev/null
+++ b/vendor/gems/ruby-saml/Rakefile
@@ -0,0 +1,27 @@
+require 'rubygems'
+require 'rake'
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+ test.libs << 'lib' << 'test'
+ test.pattern = 'test/**/*_test.rb'
+ test.verbose = true
+end
+
+begin
+ require 'rcov/rcovtask'
+ Rcov::RcovTask.new do |test|
+ test.libs << 'test'
+ test.pattern = 'test/**/*_test.rb'
+ test.verbose = true
+ end
+rescue LoadError
+ task :rcov do
+ abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+ end
+end
+
+task :test
+
+task :default => :test
diff --git a/vendor/gems/ruby-saml/UPGRADING.md b/vendor/gems/ruby-saml/UPGRADING.md
new file mode 100644
index 0000000000000000000000000000000000000000..d4ec15fb77a110bf36ccc08742db8c0f695afe83
--- /dev/null
+++ b/vendor/gems/ruby-saml/UPGRADING.md
@@ -0,0 +1,158 @@
+# Ruby SAML Migration Guide
+
+## Updating from 1.17.x to 1.18.0
+
+Version `1.18.0` changes the way the toolkit validates SAML signatures. There is a new order
+how validation happens in the toolkit and also the toolkit by default will check malformed doc
+when parsing a SAML Message (`settings.check_malformed_doc`).
+
+The SignedDocument class defined at xml_security.rb experienced several changes.
+We don't expect compatibilty issues if you use the main methods offered by ruby-saml, but if you use a fork or customized usage, is possible that you need to adapt your code.
+
+## Updating from 1.12.x to 1.13.0
+
+Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and
+deprecates `settings.security[:embed_sign]`. If specified, new binding parameters will be used in place of `:embed_sign`
+to determine how to handle SAML message signing (`HTTP-POST` embeds signature and `HTTP-Redirect` does not.)
+
+In addition, the `IdpMetadataParser#parse`, `#parse_to_hash` and `#parse_to_array` methods now retrieve
+`idp_sso_service_binding` and `idp_slo_service_binding`.
+
+Lastly, for convenience you may now use the Symbol aliases `:post` and `:redirect` for any `settings.*_binding` parameter.
+
+## Upgrading from 1.11.x to 1.12.0
+
+Version `1.12.0` adds support for gcm algorithm and
+change/adds specific error messages for signature validations
+
+`idp_sso_target_url` and `idp_slo_target_url` attributes of the Settings class deprecated
+in favor of `idp_sso_service_url` and `idp_slo_service_url`. The `IdpMetadataParser#parse`,
+`#parse_to_hash` and `#parse_to_array` methods now retrieve SSO URL and SLO URL endpoints with
+`idp_sso_service_url` and `idp_slo_service_url` (previously `idp_sso_target_url` and
+`idp_slo_target_url` respectively).
+
+## Upgrading from 1.10.x to 1.11.0
+
+Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
+There are two new security settings: `settings.security[:check_idp_cert_expiration]` and
+`settings.security[:check_sp_cert_expiration]` (both false by default) that check if the
+IdP or SP X.509 certificate has expired, respectively.
+
+Version `1.10.2` includes the `valid_until` attribute in parsed IdP metadata.
+
+Version `1.10.1` improves Ruby 1.8.7 support.
+
+## Upgrading from 1.9.0 to 1.10.0
+
+Version `1.10.0` improves IdpMetadataParser to allow parse multiple IDPSSODescriptor,
+Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user
+to be authenticated and updates the format_cert method to accept certs with /\x0d/
+
+## Upgrading from 1.8.0 to 1.9.0
+
+Version `1.9.0` better supports Ruby 2.4+ and JRuby 9.2.0.0. `Settings` initialization
+now has a second parameter, `keep_security_settings` (default: false), which saves security
+settings attributes that are not explicitly overridden, if set to true.
+
+## Upgrading from 1.7.x to 1.8.0
+
+On Version `1.8.0`, creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState
+param will not generate a URL with an empty RelayState parameter anymore. It also changes
+the invalid audience error message.
+
+## Upgrading from 1.6.0 to 1.7.0
+
+Version `1.7.0` is a recommended update for all Ruby SAML users as it includes a fix for
+the [CVE-2017-11428](https://www.cvedetails.com/cve/CVE-2017-11428/) vulnerability.
+
+## Upgrading from 1.5.0 to 1.6.0
+
+Version `1.6.0` changes the preferred way to construct instances of `Logoutresponse` and
+`SloLogoutrequest`. Previously the _SAMLResponse_, _RelayState_, and _SigAlg_ parameters
+of these message types were provided via the constructor's `options[:get_params]` parameter.
+Unfortunately this can result in incompatibility with other SAML implementations; signatures
+are specified to be computed based on the _sender's_ URI-encoding of the message, which can
+differ from that of Ruby SAML. In particular, Ruby SAML's URI-encoding does not match that
+of Microsoft ADFS, so messages from ADFS can fail signature validation.
+
+The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is via the
+`options[:raw_get_params]` parameter. For example:
+
+```ruby
+# In this example `query_params` is assumed to contain decoded query parameters,
+# and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
+settings = {
+ settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+ settings.soft = false
+}
+options = {
+ get_params: {
+ "Signature" => query_params["Signature"],
+ },
+ raw_get_params: {
+ "SAMLRequest" => raw_query_params["SAMLRequest"],
+ "SigAlg" => raw_query_params["SigAlg"],
+ "RelayState" => raw_query_params["RelayState"],
+ },
+}
+slo_logout_request = OneLogin::RubySaml::SloLogoutrequest.new(query_params["SAMLRequest"], settings, options)
+raise "Invalid Logout Request" unless slo_logout_request.is_valid?
+```
+
+The old form is still supported for backward compatibility, but all Ruby SAML users
+should prefer `options[:raw_get_params]` where possible to ensure compatibility with
+other SAML implementations.
+
+## Upgrading from 1.4.2 to 1.4.3
+
+Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
+The 'Recipient' value is compared with the settings.assertion_consumer_service_url
+value.
+
+If you want to skip that validation, add the :skip_recipient_check option to the
+initialize method of the Response object.
+
+Parsing metadata that contains more than one certificate will propagate the
+idp_cert_multi property rather than idp_cert. See [signature validation
+section](#signature-validation) for details.
+
+## Upgrading from 1.3.x to 1.4.x
+
+Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.
+
+## Upgrading from 1.2.x to 1.3.x
+
+Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes.
+It adds security improvements in order to prevent Signature wrapping attacks.
+[CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
+
+## Upgrading from 1.1.x to 1.2.x
+
+Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom,
+refactor error handling and some minor improvements.
+
+There is no compatibility issue detected.
+
+For more details, please review [CHANGELOG.md](CHANGELOG.md).
+
+## Upgrading from 1.0.x to 1.1.x
+
+Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+
+## Upgrading from 0.9.x to 1.0.x
+
+Version `1.0` is a recommended update for all Ruby SAML users as it includes security fixes.
+
+Version `1.0` adds security improvements like entity expansion limitation, more SAML message validations, and other important improvements like decrypt support.
+
+### Important Changes
+
+Please note the `get_idp_metadata` method raises an exception when it is not able to fetch the idp metadata, so review your integration if you are using this functionality.
+
+## Upgrading from 0.8.x to 0.9.x
+
+Version `0.9` adds many new features and improvements.
+
+## Upgrading from 0.7.x to 0.8.x
+
+Version `0.8.x` changes the namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`. Please update your implementations of the gem accordingly.
diff --git a/vendor/gems/ruby-saml/gemfiles/nokogiri-1.5.gemfile b/vendor/gems/ruby-saml/gemfiles/nokogiri-1.5.gemfile
new file mode 100644
index 0000000000000000000000000000000000000000..9808b56756001897916daaea84ed6d3850789ab4
--- /dev/null
+++ b/vendor/gems/ruby-saml/gemfiles/nokogiri-1.5.gemfile
@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem "nokogiri", "~> 1.5.10"
+
+gemspec :path => "../"
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml.rb
new file mode 100644
index 0000000000000000000000000000000000000000..61b79b640d9890b961b7f66de88f4f9c49eb0613
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml.rb
@@ -0,0 +1,17 @@
+require 'onelogin/ruby-saml/logging'
+require 'onelogin/ruby-saml/saml_message'
+require 'onelogin/ruby-saml/authrequest'
+require 'onelogin/ruby-saml/logoutrequest'
+require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/attributes'
+require 'onelogin/ruby-saml/slo_logoutrequest'
+require 'onelogin/ruby-saml/slo_logoutresponse'
+require 'onelogin/ruby-saml/response'
+require 'onelogin/ruby-saml/settings'
+require 'onelogin/ruby-saml/attribute_service'
+require 'onelogin/ruby-saml/http_error'
+require 'onelogin/ruby-saml/validation_error'
+require 'onelogin/ruby-saml/metadata'
+require 'onelogin/ruby-saml/idp_metadata_parser'
+require 'onelogin/ruby-saml/utils'
+require 'onelogin/ruby-saml/version'
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/attribute_service.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/attribute_service.rb
new file mode 100644
index 0000000000000000000000000000000000000000..1571e7f548f50596c9b921509ba1c8f05678b449
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/attribute_service.rb
@@ -0,0 +1,57 @@
+module OneLogin
+ module RubySaml
+
+ # SAML2 AttributeService. Auxiliary class to build the AttributeService of the SP Metadata
+ #
+ class AttributeService
+ attr_reader :attributes
+ attr_reader :name
+ attr_reader :index
+
+ # Initializes the AttributeService, set the index value as 1 and an empty array as attributes
+ #
+ def initialize
+ @index = "1"
+ @attributes = []
+ end
+
+ def configure(&block)
+ instance_eval(&block)
+ end
+
+ # @return [Boolean] True if the AttributeService object has been initialized and set with the required values
+ # (has attributes and a name)
+ def configured?
+ @attributes.length > 0 && !@name.nil?
+ end
+
+ # Set a name to the service
+ # @param name [String] The service name
+ #
+ def service_name(name)
+ @name = name
+ end
+
+ # Set an index to the service
+ # @param index [Integer] An index
+ #
+ def service_index(index)
+ @index = index
+ end
+
+ # Add an AttributeService
+ # @param options [Hash] AttributeService option values
+ # add_attribute(
+ # :name => "Name",
+ # :name_format => "Name Format",
+ # :index => 1,
+ # :friendly_name => "Friendly Name",
+ # :attribute_value => "Attribute Value"
+ # )
+ #
+ def add_attribute(options={})
+ attributes << options
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/attributes.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/attributes.rb
new file mode 100644
index 0000000000000000000000000000000000000000..cb4ad9648444bdeec61192b31ea18396e9ddb235
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/attributes.rb
@@ -0,0 +1,151 @@
+module OneLogin
+ module RubySaml
+
+ # SAML2 Attributes. Parse the Attributes from the AttributeStatement of the SAML Response.
+ #
+ class Attributes
+ include Enumerable
+
+ attr_reader :attributes
+
+ # By default Attributes#[] is backwards compatible and
+ # returns only the first value for the attribute
+ # Setting this to `false` returns all values for an attribute
+ @@single_value_compatibility = true
+
+ # @return [Boolean] Get current status of backwards compatibility mode.
+ #
+ def self.single_value_compatibility
+ @@single_value_compatibility
+ end
+
+ # Sets the backwards compatibility mode on/off.
+ # @param value [Boolean]
+ #
+ def self.single_value_compatibility=(value)
+ @@single_value_compatibility = value
+ end
+
+ # @param attrs [Hash] The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
+ # Attributes.new({
+ # 'name' => ['value1', 'value2'],
+ # 'mail' => ['value1'],
+ # })
+ #
+ def initialize(attrs = {})
+ @attributes = attrs
+ end
+
+
+ # Iterate over all attributes
+ #
+ def each
+ attributes.each{|name, values| yield name, values}
+ end
+
+
+ # Test attribute presence by name
+ # @param name [String] The attribute name to be checked
+ #
+ def include?(name)
+ attributes.has_key?(canonize_name(name))
+ end
+
+ # Return first value for an attribute
+ # @param name [String] The attribute name
+ # @return [String] The value (First occurrence)
+ #
+ def single(name)
+ attributes[canonize_name(name)].first if include?(name)
+ end
+
+ # Return all values for an attribute
+ # @param name [String] The attribute name
+ # @return [Array] Values of the attribute
+ #
+ def multi(name)
+ attributes[canonize_name(name)]
+ end
+
+ # Retrieve attribute value(s)
+ # @param name [String] The attribute name
+ # @return [String|Array] Depending on the single value compatibility status this returns:
+ # - First value if single_value_compatibility = true
+ # response.attributes['mail'] # => 'user@example.com'
+ # - All values if single_value_compatibility = false
+ # response.attributes['mail'] # => ['user@example.com','user@example.net']
+ #
+ def [](name)
+ self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
+ end
+
+ # @return [Hash] Return all attributes as a hash
+ #
+ def all
+ attributes
+ end
+
+ # @param name [String] The attribute name
+ # @param values [Array] The values
+ #
+ def set(name, values)
+ attributes[canonize_name(name)] = values
+ end
+ alias_method :[]=, :set
+
+ # @param name [String] The attribute name
+ # @param values [Array] The values
+ #
+ def add(name, values = [])
+ attributes[canonize_name(name)] ||= []
+ attributes[canonize_name(name)] += Array(values)
+ end
+
+ # Make comparable to another Attributes collection based on attributes
+ # @param other [Attributes] An Attributes object to compare with
+ # @return [Boolean] True if are contains the same attributes and values
+ #
+ def ==(other)
+ if other.is_a?(Attributes)
+ all == other.all
+ else
+ super
+ end
+ end
+
+ # Fetch attribute value using name or regex
+ # @param name [String|Regexp] The attribute name
+ # @return [String|Array] Depending on the single value compatibility status this returns:
+ # - First value if single_value_compatibility = true
+ # response.attributes['mail'] # => 'user@example.com'
+ # - All values if single_value_compatibility = false
+ # response.attributes['mail'] # => ['user@example.com','user@example.net']
+ #
+ def fetch(name)
+ attributes.each_key do |attribute_key|
+ if name.is_a?(Regexp)
+ if name.respond_to? :match?
+ return self[attribute_key] if name.match?(attribute_key)
+ else
+ return self[attribute_key] if name.match(attribute_key)
+ end
+ elsif canonize_name(name) == canonize_name(attribute_key)
+ return self[attribute_key]
+ end
+ end
+ nil
+ end
+
+ protected
+
+ # stringifies all names so both 'email' and :email return the same result
+ # @param name [String] The attribute name
+ # @return [String] stringified name
+ #
+ def canonize_name(name)
+ name.to_s
+ end
+
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/authrequest.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/authrequest.rb
new file mode 100644
index 0000000000000000000000000000000000000000..78a8f385dd0c79116b0be2e410b104556bc71d3c
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/authrequest.rb
@@ -0,0 +1,192 @@
+require "rexml/document"
+
+require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+ include REXML
+
+ # SAML2 Authentication. AuthNRequest (SSO SP initiated, Builder)
+ #
+ class Authrequest < SamlMessage
+
+ # AuthNRequest ID
+ attr_accessor :uuid
+
+ # Initializes the AuthNRequest. An Authrequest Object that is an extension of the SamlMessage class.
+ # Asigns an ID, a random uuid.
+ #
+ def initialize
+ @uuid = OneLogin::RubySaml::Utils.uuid
+ end
+
+ def request_id
+ @uuid
+ end
+
+ # Creates the AuthNRequest string.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+ # @return [String] AuthNRequest string that includes the SAMLRequest
+ #
+ def create(settings, params = {})
+ params = create_params(settings, params)
+ params_prefix = (settings.idp_sso_service_url =~ /\?/) ? '&' : '?'
+ saml_request = CGI.escape(params.delete("SAMLRequest"))
+ request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+ params.each_pair do |key, value|
+ request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+ end
+ raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
+ @login_url = settings.idp_sso_service_url + request_params
+ end
+
+ # Creates the Get parameters for the request.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+ # @return [Hash] Parameters
+ #
+ def create_params(settings, params={})
+ # The method expects :RelayState but sometimes we get 'RelayState' instead.
+ # Based on the HashWithIndifferentAccess value in Rails we could experience
+ # conflicts so this line will solve them.
+ relay_state = params[:RelayState] || params['RelayState']
+
+ if relay_state.nil?
+ params.delete(:RelayState)
+ params.delete('RelayState')
+ end
+
+ request_doc = create_authentication_xml_doc(settings)
+ request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+ request = "".dup
+ request_doc.write(request)
+
+ Logging.debug "Created AuthnRequest: #{request}"
+
+ request = deflate(request) if settings.compress_request
+ base64_request = encode(request)
+ request_params = {"SAMLRequest" => base64_request}
+ sp_signing_key = settings.get_sp_signing_key
+
+ if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && sp_signing_key
+ params['SigAlg'] = settings.security[:signature_method]
+ url_string = OneLogin::RubySaml::Utils.build_query(
+ :type => 'SAMLRequest',
+ :data => base64_request,
+ :relay_state => relay_state,
+ :sig_alg => params['SigAlg']
+ )
+ sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+ signature = sp_signing_key.sign(sign_algorithm.new, url_string)
+ params['Signature'] = encode(signature)
+ end
+
+ params.each_pair do |key, value|
+ request_params[key] = value.to_s
+ end
+
+ request_params
+ end
+
+ # Creates the SAMLRequest String.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @return [String] The SAMLRequest String.
+ #
+ def create_authentication_xml_doc(settings)
+ document = create_xml_document(settings)
+ sign_document(document, settings)
+ end
+
+ def create_xml_document(settings)
+ time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+ request_doc = XMLSecurity::Document.new
+ request_doc.uuid = uuid
+
+ root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+ root.attributes['ID'] = uuid
+ root.attributes['IssueInstant'] = time
+ root.attributes['Version'] = "2.0"
+ root.attributes['Destination'] = settings.idp_sso_service_url unless settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
+ root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
+ root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
+ root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
+ root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
+
+ # Conditionally defined elements based on settings
+ if settings.assertion_consumer_service_url != nil
+ root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
+ end
+ if settings.sp_entity_id != nil
+ issuer = root.add_element "saml:Issuer"
+ issuer.text = settings.sp_entity_id
+ end
+
+ if settings.name_identifier_value_requested != nil
+ subject = root.add_element "saml:Subject"
+
+ nameid = subject.add_element "saml:NameID"
+ nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+ nameid.text = settings.name_identifier_value_requested
+
+ subject_confirmation = subject.add_element "saml:SubjectConfirmation"
+ subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+ end
+
+ if settings.name_identifier_format != nil
+ root.add_element "samlp:NameIDPolicy", {
+ # Might want to make AllowCreate a setting?
+ "AllowCreate" => "true",
+ "Format" => settings.name_identifier_format
+ }
+ end
+
+ if settings.authn_context || settings.authn_context_decl_ref
+
+ if settings.authn_context_comparison != nil
+ comparison = settings.authn_context_comparison
+ else
+ comparison = 'exact'
+ end
+
+ requested_context = root.add_element "samlp:RequestedAuthnContext", {
+ "Comparison" => comparison,
+ }
+
+ if settings.authn_context != nil
+ authn_contexts_class_ref = settings.authn_context.is_a?(Array) ? settings.authn_context : [settings.authn_context]
+ authn_contexts_class_ref.each do |authn_context_class_ref|
+ class_ref = requested_context.add_element "saml:AuthnContextClassRef"
+ class_ref.text = authn_context_class_ref
+ end
+ end
+
+ if settings.authn_context_decl_ref != nil
+ authn_contexts_decl_refs = settings.authn_context_decl_ref.is_a?(Array) ? settings.authn_context_decl_ref : [settings.authn_context_decl_ref]
+ authn_contexts_decl_refs.each do |authn_context_decl_ref|
+ decl_ref = requested_context.add_element "saml:AuthnContextDeclRef"
+ decl_ref.text = authn_context_decl_ref
+ end
+ end
+ end
+
+ request_doc
+ end
+
+ def sign_document(document, settings)
+ cert, private_key = settings.get_sp_signing_pair
+ if settings.idp_sso_service_binding == Utils::BINDINGS[:post] && settings.security[:authn_requests_signed] && private_key && cert
+ document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+ end
+
+ document
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/error_handling.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/error_handling.rb
new file mode 100644
index 0000000000000000000000000000000000000000..02f0c62f73f87179f4cfc4f1e54f7b23956b969b
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/error_handling.rb
@@ -0,0 +1,27 @@
+require "onelogin/ruby-saml/validation_error"
+
+module OneLogin
+ module RubySaml
+ module ErrorHandling
+ attr_accessor :errors
+
+ # Append the cause to the errors array, and based on the value of soft, return false or raise
+ # an exception. soft_override is provided as a means of overriding the object's notion of
+ # soft for just this invocation.
+ def append_error(error_msg, soft_override = nil)
+ @errors << error_msg
+
+ unless soft_override.nil? ? soft : soft_override
+ raise ValidationError.new(error_msg)
+ end
+
+ false
+ end
+
+ # Reset the errors array
+ def reset_errors!
+ @errors = []
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/http_error.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/http_error.rb
new file mode 100644
index 0000000000000000000000000000000000000000..7f77c56ac982e4dc996661da6eac15fd69b60a5d
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/http_error.rb
@@ -0,0 +1,7 @@
+module OneLogin
+ module RubySaml
+ class HttpError < StandardError
+ end
+ end
+end
+
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/idp_metadata_parser.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/idp_metadata_parser.rb
new file mode 100644
index 0000000000000000000000000000000000000000..08b030ce7e4e4cca22b537ae03bc3749c024c5f6
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/idp_metadata_parser.rb
@@ -0,0 +1,471 @@
+require "base64"
+require "net/http"
+require "net/https"
+require "rexml/document"
+require "rexml/xpath"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+ include REXML
+
+ # Auxiliary class to retrieve and parse the Identity Provider Metadata
+ #
+ # This class does not validate in any way the URL that is introduced,
+ # make sure to validate it properly before use it in a parse_remote method.
+ # Read the `Security warning` section of the README.md file to get more info
+ #
+ class IdpMetadataParser
+
+ module SamlMetadata
+ module Vocabulary
+ METADATA = "urn:oasis:names:tc:SAML:2.0:metadata".freeze
+ DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
+ NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:*".freeze
+ SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion".freeze
+ end
+
+ NAMESPACE = {
+ "md" => Vocabulary::METADATA,
+ "NameFormat" => Vocabulary::NAME_FORMAT,
+ "saml" => Vocabulary::SAML_ASSERTION,
+ "ds" => Vocabulary::DSIG
+ }.freeze
+ end
+
+ include SamlMetadata::Vocabulary
+ attr_reader :document
+ attr_reader :response
+ attr_reader :options
+
+ # fetch IdP descriptors from a metadata document
+ def self.get_idps(metadata_document, only_entity_id=nil)
+ path = "//md:EntityDescriptor#{only_entity_id && '[@entityID="' + only_entity_id + '"]'}/md:IDPSSODescriptor"
+ REXML::XPath.match(
+ metadata_document,
+ path,
+ SamlMetadata::NAMESPACE
+ )
+ end
+
+ # Parse the Identity Provider metadata and update the settings with the
+ # IdP values
+ #
+ # @param url [String] Url where the XML of the Identity Provider Metadata is published.
+ # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
+ #
+ # @param options [Hash] options used for parsing the metadata and the returned Settings instance
+ # @option options [OneLogin::RubySaml::Settings, Hash] :settings the OneLogin::RubySaml::Settings object which gets the parsed metadata merged into or an hash for Settings overrides.
+ # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+ # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
+ #
+ # @return [OneLogin::RubySaml::Settings]
+ #
+ # @raise [HttpError] Failure to fetch remote IdP metadata
+ def parse_remote(url, validate_cert = true, options = {})
+ idp_metadata = get_idp_metadata(url, validate_cert)
+ parse(idp_metadata, options)
+ end
+
+ # Parse the Identity Provider metadata and return the results as Hash
+ #
+ # @param url [String] Url where the XML of the Identity Provider Metadata is published.
+ # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
+ #
+ # @param options [Hash] options used for parsing the metadata
+ # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+ # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
+ #
+ # @return [Hash]
+ #
+ # @raise [HttpError] Failure to fetch remote IdP metadata
+ def parse_remote_to_hash(url, validate_cert = true, options = {})
+ parse_remote_to_array(url, validate_cert, options)[0]
+ end
+
+ # Parse all Identity Provider metadata and return the results as Array
+ #
+ # @param url [String] Url where the XML of the Identity Provider Metadata is published.
+ # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
+ #
+ # @param options [Hash] options used for parsing the metadata
+ # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, all found IdPs are returned.
+ # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
+ #
+ # @return [Array<Hash>]
+ #
+ # @raise [HttpError] Failure to fetch remote IdP metadata
+ def parse_remote_to_array(url, validate_cert = true, options = {})
+ idp_metadata = get_idp_metadata(url, validate_cert)
+ parse_to_array(idp_metadata, options)
+ end
+
+ # Parse the Identity Provider metadata and update the settings with the IdP values
+ #
+ # @param idp_metadata [String]
+ #
+ # @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
+ # @option options [OneLogin::RubySaml::Settings, Hash] :settings the OneLogin::RubySaml::Settings object which gets the parsed metadata merged into or an hash for Settings overrides.
+ # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+ # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
+ #
+ # @return [OneLogin::RubySaml::Settings]
+ def parse(idp_metadata, options = {})
+ parsed_metadata = parse_to_hash(idp_metadata, options)
+
+ unless parsed_metadata[:cache_duration].nil?
+ cache_valid_until_timestamp = OneLogin::RubySaml::Utils.parse_duration(parsed_metadata[:cache_duration])
+ unless cache_valid_until_timestamp.nil?
+ if parsed_metadata[:valid_until].nil? || cache_valid_until_timestamp < Time.parse(parsed_metadata[:valid_until], Time.now.utc).to_i
+ parsed_metadata[:valid_until] = Time.at(cache_valid_until_timestamp).utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+ end
+ end
+ end
+ # Remove the cache_duration because on the settings
+ # we only gonna suppot valid_until
+ parsed_metadata.delete(:cache_duration)
+
+ settings = options[:settings]
+
+ if settings.nil?
+ OneLogin::RubySaml::Settings.new(parsed_metadata)
+ elsif settings.is_a?(Hash)
+ OneLogin::RubySaml::Settings.new(settings.merge(parsed_metadata))
+ else
+ merge_parsed_metadata_into(settings, parsed_metadata)
+ end
+ end
+
+ # Parse the Identity Provider metadata and return the results as Hash
+ #
+ # @param idp_metadata [String]
+ #
+ # @param options [Hash] options used for parsing the metadata and the returned Settings instance
+ # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, the first entity descriptor is used.
+ # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
+ #
+ # @return [Hash]
+ def parse_to_hash(idp_metadata, options = {})
+ parse_to_array(idp_metadata, options)[0]
+ end
+
+ # Parse all Identity Provider metadata and return the results as Array
+ #
+ # @param idp_metadata [String]
+ #
+ # @param options [Hash] options used for parsing the metadata and the returned Settings instance
+ # @option options [String, nil] :entity_id when this is given, the entity descriptor for this ID is used. When omitted, all found IdPs are returned.
+ # @option options [String, Array<String>, nil] :sso_binding an ordered list of bindings to detect the single signon URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :slo_binding an ordered list of bindings to detect the single logout URL. The first binding in the list that is included in the metadata will be used.
+ # @option options [String, Array<String>, nil] :name_id_format an ordered list of NameIDFormats to detect a desired value. The first NameIDFormat in the list that is included in the metadata will be used.
+ #
+ # @return [Array<Hash>]
+ def parse_to_array(idp_metadata, options = {})
+ parse_to_idp_metadata_array(idp_metadata, options).map { |idp_md| idp_md.to_hash(options) }
+ end
+
+ def parse_to_idp_metadata_array(idp_metadata, options = {})
+ @document = REXML::Document.new(idp_metadata)
+ @options = options
+
+ idpsso_descriptors = self.class.get_idps(@document, options[:entity_id])
+ if !idpsso_descriptors.any?
+ raise ArgumentError.new("idp_metadata must contain an IDPSSODescriptor element")
+ end
+
+ idpsso_descriptors.map {|id| IdpMetadata.new(id, id.parent.attributes["entityID"])}
+ end
+
+ # Retrieve the remote IdP metadata from the URL or a cached copy.
+ # @param url [String] Url where the XML of the Identity Provider Metadata is published.
+ # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
+ # @return [REXML::document] Parsed XML IdP metadata
+ # @raise [HttpError] Failure to fetch remote IdP metadata
+ def get_idp_metadata(url, validate_cert)
+ uri = URI.parse(url)
+ raise ArgumentError.new("url must begin with http or https") unless /^https?/ =~ uri.scheme
+ http = Net::HTTP.new(uri.host, uri.port)
+
+ if uri.scheme == "https"
+ http.use_ssl = true
+ # Most IdPs will probably use self signed certs
+ http.verify_mode = validate_cert ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+
+ # Net::HTTP in Ruby 1.8 did not set the default certificate store
+ # automatically when VERIFY_PEER was specified.
+ if RUBY_VERSION < '1.9' && !http.ca_file && !http.ca_path && !http.cert_store
+ http.cert_store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+ end
+ end
+
+ get = Net::HTTP::Get.new(uri.request_uri)
+ get.basic_auth uri.user, uri.password if uri.user
+ @response = http.request(get)
+ return response.body if response.is_a? Net::HTTPSuccess
+
+ raise OneLogin::RubySaml::HttpError.new(
+ "Failed to fetch idp metadata: #{response.code}: #{response.message}"
+ )
+ end
+
+ private
+
+ class IdpMetadata
+ attr_reader :idpsso_descriptor, :entity_id
+
+ def initialize(idpsso_descriptor, entity_id)
+ @idpsso_descriptor = idpsso_descriptor
+ @entity_id = entity_id
+ end
+
+ def to_hash(options = {})
+ sso_binding = options[:sso_binding]
+ slo_binding = options[:slo_binding]
+ {
+ :idp_entity_id => @entity_id,
+ :name_identifier_format => idp_name_id_format(options[:name_id_format]),
+ :idp_sso_service_url => single_signon_service_url(sso_binding),
+ :idp_sso_service_binding => single_signon_service_binding(sso_binding),
+ :idp_slo_service_url => single_logout_service_url(slo_binding),
+ :idp_slo_service_binding => single_logout_service_binding(slo_binding),
+ :idp_slo_response_service_url => single_logout_response_service_url(slo_binding),
+ :idp_attribute_names => attribute_names,
+ :idp_cert => nil,
+ :idp_cert_fingerprint => nil,
+ :idp_cert_multi => nil,
+ :valid_until => valid_until,
+ :cache_duration => cache_duration,
+ }.tap do |response_hash|
+ merge_certificates_into(response_hash) unless certificates.nil?
+ end
+ end
+
+ # @return [String|nil] 'validUntil' attribute of metadata
+ #
+ def valid_until
+ root = @idpsso_descriptor.root
+ root.attributes['validUntil'] if root && root.attributes
+ end
+
+ # @return [String|nil] 'cacheDuration' attribute of metadata
+ #
+ def cache_duration
+ root = @idpsso_descriptor.root
+ root.attributes['cacheDuration'] if root && root.attributes
+ end
+
+ # @param name_id_priority [String|Array<String>] The prioritized list of NameIDFormat values to select. Will select first value if nil.
+ # @return [String|nil] IdP NameIDFormat value if exists
+ #
+ def idp_name_id_format(name_id_priority = nil)
+ nodes = REXML::XPath.match(
+ @idpsso_descriptor,
+ "md:NameIDFormat",
+ SamlMetadata::NAMESPACE
+ )
+ first_ranked_text(nodes, name_id_priority)
+ end
+
+ # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
+ # @return [String|nil] SingleSignOnService binding if exists
+ #
+ def single_signon_service_binding(binding_priority = nil)
+ nodes = REXML::XPath.match(
+ @idpsso_descriptor,
+ "md:SingleSignOnService/@Binding",
+ SamlMetadata::NAMESPACE
+ )
+ first_ranked_value(nodes, binding_priority)
+ end
+
+ # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
+ # @return [String|nil] SingleLogoutService binding if exists
+ #
+ def single_logout_service_binding(binding_priority = nil)
+ nodes = REXML::XPath.match(
+ @idpsso_descriptor,
+ "md:SingleLogoutService/@Binding",
+ SamlMetadata::NAMESPACE
+ )
+ first_ranked_value(nodes, binding_priority)
+ end
+
+ # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
+ # @return [String|nil] SingleSignOnService endpoint if exists
+ #
+ def single_signon_service_url(binding_priority = nil)
+ binding = single_signon_service_binding(binding_priority)
+ return if binding.nil?
+
+ node = REXML::XPath.first(
+ @idpsso_descriptor,
+ "md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
+ SamlMetadata::NAMESPACE
+ )
+ node.value if node
+ end
+
+ # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
+ # @return [String|nil] SingleLogoutService endpoint if exists
+ #
+ def single_logout_service_url(binding_priority = nil)
+ binding = single_logout_service_binding(binding_priority)
+ return if binding.nil?
+
+ node = REXML::XPath.first(
+ @idpsso_descriptor,
+ "md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
+ SamlMetadata::NAMESPACE
+ )
+ node.value if node
+ end
+
+ # @param binding_priority [String|Array<String>] The prioritized list of Binding values to select. Will select first value if nil.
+ # @return [String|nil] SingleLogoutService response url if exists
+ #
+ def single_logout_response_service_url(binding_priority = nil)
+ binding = single_logout_service_binding(binding_priority)
+ return if binding.nil?
+
+ node = REXML::XPath.first(
+ @idpsso_descriptor,
+ "md:SingleLogoutService[@Binding=\"#{binding}\"]/@ResponseLocation",
+ SamlMetadata::NAMESPACE
+ )
+ node.value if node
+ end
+
+ # @return [String|nil] Unformatted Certificate if exists
+ #
+ def certificates
+ @certificates ||= begin
+ signing_nodes = REXML::XPath.match(
+ @idpsso_descriptor,
+ "md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+ SamlMetadata::NAMESPACE
+ )
+
+ encryption_nodes = REXML::XPath.match(
+ @idpsso_descriptor,
+ "md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+ SamlMetadata::NAMESPACE
+ )
+
+ return nil if signing_nodes.empty? && encryption_nodes.empty?
+
+ certs = {}
+ unless signing_nodes.empty?
+ certs['signing'] = []
+ signing_nodes.each do |cert_node|
+ certs['signing'] << Utils.element_text(cert_node)
+ end
+ end
+
+ unless encryption_nodes.empty?
+ certs['encryption'] = []
+ encryption_nodes.each do |cert_node|
+ certs['encryption'] << Utils.element_text(cert_node)
+ end
+ end
+ certs
+ end
+ end
+
+ # @return [String|nil] the fingerpint of the X509Certificate if it exists
+ #
+ def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1)
+ return unless certificate
+
+ cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
+
+ fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
+ fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+ end
+
+ # @return [Array] the names of all SAML attributes if any exist
+ #
+ def attribute_names
+ nodes = REXML::XPath.match(
+ @idpsso_descriptor ,
+ "saml:Attribute/@Name",
+ SamlMetadata::NAMESPACE
+ )
+ nodes.map(&:value)
+ end
+
+ def merge_certificates_into(parsed_metadata)
+ if (certificates.size == 1 &&
+ (certificates_has_one('signing') || certificates_has_one('encryption'))) ||
+ (certificates_has_one('signing') && certificates_has_one('encryption') &&
+ certificates["signing"][0] == certificates["encryption"][0])
+
+ if certificates.key?("signing")
+ parsed_metadata[:idp_cert] = certificates["signing"][0]
+ parsed_metadata[:idp_cert_fingerprint] = fingerprint(
+ parsed_metadata[:idp_cert],
+ parsed_metadata[:idp_cert_fingerprint_algorithm]
+ )
+ else
+ parsed_metadata[:idp_cert] = certificates["encryption"][0]
+ parsed_metadata[:idp_cert_fingerprint] = fingerprint(
+ parsed_metadata[:idp_cert],
+ parsed_metadata[:idp_cert_fingerprint_algorithm]
+ )
+ end
+ end
+
+ # symbolize keys of certificates and pass it on
+ parsed_metadata[:idp_cert_multi] = Hash[certificates.map { |k, v| [k.to_sym, v] }]
+ end
+
+ def certificates_has_one(key)
+ certificates.key?(key) && certificates[key].size == 1
+ end
+
+ private
+
+ def first_ranked_text(nodes, priority = nil)
+ return unless nodes.any?
+
+ priority = Array(priority)
+ if priority.any?
+ values = nodes.map(&:text)
+ priority.detect { |candidate| values.include?(candidate) }
+ else
+ nodes.first.text
+ end
+ end
+
+ def first_ranked_value(nodes, priority = nil)
+ return unless nodes.any?
+
+ priority = Array(priority)
+ if priority.any?
+ values = nodes.map(&:value)
+ priority.detect { |candidate| values.include?(candidate) }
+ else
+ nodes.first.value
+ end
+ end
+ end
+
+ def merge_parsed_metadata_into(settings, parsed_metadata)
+ parsed_metadata.each do |key, value|
+ settings.send("#{key}=".to_sym, value)
+ end
+
+ settings
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logging.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logging.rb
new file mode 100644
index 0000000000000000000000000000000000000000..862fcefecbf248debafa2467b6ef40a543989ae4
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logging.rb
@@ -0,0 +1,33 @@
+require 'logger'
+
+# Simplistic log class when we're running in Rails
+module OneLogin
+ module RubySaml
+ class Logging
+ DEFAULT_LOGGER = ::Logger.new(STDOUT)
+
+ def self.logger
+ @logger ||= begin
+ (defined?(::Rails) && Rails.respond_to?(:logger) && Rails.logger) ||
+ DEFAULT_LOGGER
+ end
+ end
+
+ def self.logger=(logger)
+ @logger = logger
+ end
+
+ def self.debug(message)
+ return if !!ENV["ruby-saml/testing"]
+
+ logger.debug message
+ end
+
+ def self.info(message)
+ return if !!ENV["ruby-saml/testing"]
+
+ logger.info message
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logoutrequest.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logoutrequest.rb
new file mode 100644
index 0000000000000000000000000000000000000000..7ed0766d8a43b31a91310d99eaa5ab6c2164ab0e
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logoutrequest.rb
@@ -0,0 +1,151 @@
+require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Logout Request (SLO SP initiated, Builder)
+ #
+ class Logoutrequest < SamlMessage
+
+ # Logout Request ID
+ attr_accessor :uuid
+
+ # Initializes the Logout Request. A Logoutrequest Object that is an extension of the SamlMessage class.
+ # Asigns an ID, a random uuid.
+ #
+ def initialize
+ @uuid = OneLogin::RubySaml::Utils.uuid
+ end
+
+ def request_id
+ @uuid
+ end
+
+ # Creates the Logout Request string.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+ # @return [String] Logout Request string that includes the SAMLRequest
+ #
+ def create(settings, params={})
+ params = create_params(settings, params)
+ params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
+ saml_request = CGI.escape(params.delete("SAMLRequest"))
+ request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+ params.each_pair do |key, value|
+ request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+ end
+ raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
+ @logout_url = settings.idp_slo_service_url + request_params
+ end
+
+ # Creates the Get parameters for the logout request.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+ # @return [Hash] Parameters
+ #
+ def create_params(settings, params={})
+ # The method expects :RelayState but sometimes we get 'RelayState' instead.
+ # Based on the HashWithIndifferentAccess value in Rails we could experience
+ # conflicts so this line will solve them.
+ relay_state = params[:RelayState] || params['RelayState']
+
+ if relay_state.nil?
+ params.delete(:RelayState)
+ params.delete('RelayState')
+ end
+
+ request_doc = create_logout_request_xml_doc(settings)
+ request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+ request = "".dup
+ request_doc.write(request)
+
+ Logging.debug "Created SLO Logout Request: #{request}"
+
+ request = deflate(request) if settings.compress_request
+ base64_request = encode(request)
+ request_params = {"SAMLRequest" => base64_request}
+ sp_signing_key = settings.get_sp_signing_key
+
+ if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_requests_signed] && sp_signing_key
+ params['SigAlg'] = settings.security[:signature_method]
+ url_string = OneLogin::RubySaml::Utils.build_query(
+ :type => 'SAMLRequest',
+ :data => base64_request,
+ :relay_state => relay_state,
+ :sig_alg => params['SigAlg']
+ )
+ sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+ signature = settings.get_sp_signing_key.sign(sign_algorithm.new, url_string)
+ params['Signature'] = encode(signature)
+ end
+
+ params.each_pair do |key, value|
+ request_params[key] = value.to_s
+ end
+
+ request_params
+ end
+
+ # Creates the SAMLRequest String.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @return [String] The SAMLRequest String.
+ #
+ def create_logout_request_xml_doc(settings)
+ document = create_xml_document(settings)
+ sign_document(document, settings)
+ end
+
+ def create_xml_document(settings)
+ time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+ request_doc = XMLSecurity::Document.new
+ request_doc.uuid = uuid
+
+ root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+ root.attributes['ID'] = uuid
+ root.attributes['IssueInstant'] = time
+ root.attributes['Version'] = "2.0"
+ root.attributes['Destination'] = settings.idp_slo_service_url unless settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
+
+ if settings.sp_entity_id
+ issuer = root.add_element "saml:Issuer"
+ issuer.text = settings.sp_entity_id
+ end
+
+ nameid = root.add_element "saml:NameID"
+ if settings.name_identifier_value
+ nameid.attributes['NameQualifier'] = settings.idp_name_qualifier if settings.idp_name_qualifier
+ nameid.attributes['SPNameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+ nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+ nameid.text = settings.name_identifier_value
+ else
+ # If no NameID is present in the settings we generate one
+ nameid.text = OneLogin::RubySaml::Utils.uuid
+ nameid.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+ end
+
+ if settings.sessionindex
+ sessionindex = root.add_element "samlp:SessionIndex"
+ sessionindex.text = settings.sessionindex
+ end
+
+ request_doc
+ end
+
+ def sign_document(document, settings)
+ # embed signature
+ cert, private_key = settings.get_sp_signing_pair
+ if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.security[:logout_requests_signed] && private_key && cert
+ document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+ end
+
+ document
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logoutresponse.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logoutresponse.rb
new file mode 100644
index 0000000000000000000000000000000000000000..51a30c06b4fb7f0b8a72b807f750f855aaee6633
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/logoutresponse.rb
@@ -0,0 +1,281 @@
+require "xml_security"
+require "onelogin/ruby-saml/saml_message"
+
+require "time"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Logout Response (SLO IdP initiated, Parser)
+ #
+ class Logoutresponse < SamlMessage
+ include ErrorHandling
+
+ # OneLogin::RubySaml::Settings Toolkit settings
+ attr_accessor :settings
+
+ attr_reader :document
+ attr_reader :response
+ attr_reader :options
+
+ attr_accessor :soft
+
+ # Constructs the Logout Response. A Logout Response Object that is an extension of the SamlMessage class.
+ # @param response [String] A UUEncoded logout response from the IdP.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param options [Hash] Extra parameters.
+ # :matches_request_id It will validate that the logout response matches the ID of the request.
+ # :get_params GET Parameters, including the SAMLResponse
+ # :relax_signature_validation to accept signatures if no idp certificate registered on settings
+ #
+ # @raise [ArgumentError] if response is nil
+ #
+ def initialize(response, settings = nil, options = {})
+ @errors = []
+ raise ArgumentError.new("Logoutresponse cannot be nil") if response.nil?
+ @settings = settings
+
+ if settings.nil? || settings.soft.nil?
+ @soft = true
+ else
+ @soft = settings.soft
+ end
+
+ @options = options
+ @response = decode_raw_saml(response, settings)
+ @document = XMLSecurity::SignedDocument.new(@response)
+ end
+
+ def response_id
+ id(document)
+ end
+
+ # Checks if the Status has the "Success" code
+ # @return [Boolean] True if the StatusCode is Sucess
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def success?
+ return status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+ end
+
+ # @return [String|nil] Gets the InResponseTo attribute from the Logout Response if exists.
+ #
+ def in_response_to
+ @in_response_to ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:LogoutResponse",
+ { "p" => PROTOCOL }
+ )
+ node.nil? ? nil : node.attributes['InResponseTo']
+ end
+ end
+
+ # @return [String] Gets the Issuer from the Logout Response.
+ #
+ def issuer
+ @issuer ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:LogoutResponse/a:Issuer",
+ { "p" => PROTOCOL, "a" => ASSERTION }
+ )
+ Utils.element_text(node)
+ end
+ end
+
+ # @return [String] Gets the StatusCode from a Logout Response.
+ #
+ def status_code
+ @status_code ||= begin
+ node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL })
+ node.nil? ? nil : node.attributes["Value"]
+ end
+ end
+
+ def status_message
+ @status_message ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:LogoutResponse/p:Status/p:StatusMessage",
+ { "p" => PROTOCOL }
+ )
+ Utils.element_text(node)
+ end
+ end
+
+ # Aux function to validate the Logout Response
+ # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
+ # @return [Boolean] TRUE if the SAML Response is valid
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate(collect_errors = false)
+ reset_errors!
+
+ validations = [
+ :valid_state?,
+ :validate_success_status,
+ :validate_structure,
+ :valid_in_response_to?,
+ :valid_issuer?,
+ :validate_signature
+ ]
+
+ if collect_errors
+ validations.each { |validation| send(validation) }
+ @errors.empty?
+ else
+ validations.all? { |validation| send(validation) }
+ end
+ end
+
+ private
+
+ # Validates the Status of the Logout Response
+ # If fails, the error is added to the errors array, including the StatusCode returned and the Status Message.
+ # @return [Boolean] True if the Logout Response contains a Success code, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_success_status
+ return true if success?
+
+ error_msg = 'The status code of the Logout Response was not Success'
+ status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+ append_error(status_error_msg)
+ end
+
+ # Validates the Logout Response against the specified schema.
+ # @return [Boolean] True if the XML is valid, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_structure
+ unless valid_saml?(document, soft)
+ return append_error("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd")
+ end
+
+ true
+ end
+
+ # Validates that the Logout Response provided in the initialization is not empty,
+ # also check that the setting and the IdP cert were also provided
+ # @return [Boolean] True if the required info is found, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def valid_state?
+ return append_error("Blank logout response") if response.empty?
+
+ return append_error("No settings on logout response") if settings.nil?
+
+ return append_error("No sp_entity_id in settings of the logout response") if settings.sp_entity_id.nil?
+
+ if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
+ return append_error("No fingerprint or certificate on settings of the logout response")
+ end
+
+ true
+ end
+
+ # Validates if a provided :matches_request_id matchs the inResponseTo value.
+ # @param soft [String|nil] request_id The ID of the Logout Request sent by this SP to the IdP (if was sent any)
+ # @return [Boolean] True if there is no request_id or it match, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def valid_in_response_to?
+ return true unless options.has_key? :matches_request_id
+ return true if options[:matches_request_id].nil?
+ return true unless options[:matches_request_id] != in_response_to
+
+ error_msg = "The InResponseTo of the Logout Response: #{in_response_to}, does not match the ID of the Logout Request sent by the SP: #{options[:matches_request_id]}"
+ append_error(error_msg)
+ end
+
+ # Validates the Issuer of the Logout Response
+ # @return [Boolean] True if the Issuer matchs the IdP entityId, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def valid_issuer?
+ return true if settings.idp_entity_id.nil? || issuer.nil?
+
+ unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+ return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
+ end
+ true
+ end
+
+ # Validates the Signature if it exists and the GET parameters are provided
+ # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_signature
+ return true unless !options.nil?
+ return true unless options.has_key? :get_params
+ return true unless options[:get_params].has_key? 'Signature'
+
+ options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params], settings.security[:lowercase_url_encoding])
+
+ if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
+ options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
+ end
+
+ idp_cert = settings.get_idp_cert
+ idp_certs = settings.get_idp_cert_multi
+
+ if idp_cert.nil? && (idp_certs.nil? || idp_certs[:signing].empty?)
+ return options.has_key? :relax_signature_validation
+ end
+
+ query_string = OneLogin::RubySaml::Utils.build_query_from_raw_parts(
+ :type => 'SAMLResponse',
+ :raw_data => options[:raw_get_params]['SAMLResponse'],
+ :raw_relay_state => options[:raw_get_params]['RelayState'],
+ :raw_sig_alg => options[:raw_get_params]['SigAlg']
+ )
+
+ expired = false
+ if idp_certs.nil? || idp_certs[:signing].empty?
+ valid = OneLogin::RubySaml::Utils.verify_signature(
+ :cert => idp_cert,
+ :sig_alg => options[:get_params]['SigAlg'],
+ :signature => options[:get_params]['Signature'],
+ :query_string => query_string
+ )
+ if valid && settings.security[:check_idp_cert_expiration]
+ if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+ expired = true
+ end
+ end
+ else
+ valid = false
+ idp_certs[:signing].each do |signing_idp_cert|
+ valid = OneLogin::RubySaml::Utils.verify_signature(
+ :cert => signing_idp_cert,
+ :sig_alg => options[:get_params]['SigAlg'],
+ :signature => options[:get_params]['Signature'],
+ :query_string => query_string
+ )
+ if valid
+ if settings.security[:check_idp_cert_expiration]
+ if OneLogin::RubySaml::Utils.is_cert_expired(signing_idp_cert)
+ expired = true
+ end
+ end
+ break
+ end
+ end
+ end
+
+ if expired
+ error_msg = "IdP x509 certificate expired"
+ return append_error(error_msg)
+ end
+ unless valid
+ error_msg = "Invalid Signature on Logout Response"
+ return append_error(error_msg)
+ end
+ true
+ end
+
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/metadata.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/metadata.rb
new file mode 100644
index 0000000000000000000000000000000000000000..a50e9e66bf9ab9320eb20933055ed3bf4c99b81c
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/metadata.rb
@@ -0,0 +1,173 @@
+require "uri"
+
+require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/utils"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Metadata. XML Metadata Builder
+ #
+ class Metadata
+
+ # Return SP metadata based on the settings.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param pretty_print [Boolean] Pretty print or not the response
+ # (No pretty print if you gonna validate the signature)
+ # @param valid_until [DateTime] Metadata's valid time
+ # @param cache_duration [Integer] Duration of the cache in seconds
+ # @return [String] XML Metadata of the Service Provider
+ #
+ def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
+ meta_doc = XMLSecurity::Document.new
+ add_xml_declaration(meta_doc)
+ root = add_root_element(meta_doc, settings, valid_until, cache_duration)
+ sp_sso = add_sp_sso_element(root, settings)
+ add_sp_certificates(sp_sso, settings)
+ add_sp_service_elements(sp_sso, settings)
+ add_extras(root, settings)
+ embed_signature(meta_doc, settings)
+ output_xml(meta_doc, pretty_print)
+ end
+
+ protected
+
+ def add_xml_declaration(meta_doc)
+ meta_doc << REXML::XMLDecl.new('1.0', 'UTF-8')
+ end
+
+ def add_root_element(meta_doc, settings, valid_until, cache_duration)
+ namespaces = {
+ "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
+ }
+
+ if settings.attribute_consuming_service.configured?
+ namespaces["xmlns:saml"] = "urn:oasis:names:tc:SAML:2.0:assertion"
+ end
+
+ root = meta_doc.add_element("md:EntityDescriptor", namespaces)
+ root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
+ root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
+ root.attributes["validUntil"] = valid_until.utc.strftime('%Y-%m-%dT%H:%M:%SZ') if valid_until
+ root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
+ root
+ end
+
+ def add_sp_sso_element(root, settings)
+ root.add_element "md:SPSSODescriptor", {
+ "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
+ "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
+ "WantAssertionsSigned" => settings.security[:want_assertions_signed],
+ }
+ end
+
+ # Add KeyDescriptor elements for SP certificates.
+ def add_sp_certificates(sp_sso, settings)
+ certs = settings.get_sp_certs
+
+ certs[:signing].each { |cert, _| add_sp_cert_element(sp_sso, cert, :signing) }
+
+ if settings.security[:want_assertions_encrypted]
+ certs[:encryption].each { |cert, _| add_sp_cert_element(sp_sso, cert, :encryption) }
+ end
+
+ sp_sso
+ end
+
+ def add_sp_service_elements(sp_sso, settings)
+ if settings.single_logout_service_url
+ sp_sso.add_element "md:SingleLogoutService", {
+ "Binding" => settings.single_logout_service_binding,
+ "Location" => settings.single_logout_service_url,
+ "ResponseLocation" => settings.single_logout_service_url
+ }
+ end
+
+ if settings.name_identifier_format
+ nameid = sp_sso.add_element "md:NameIDFormat"
+ nameid.text = settings.name_identifier_format
+ end
+
+ if settings.assertion_consumer_service_url
+ sp_sso.add_element "md:AssertionConsumerService", {
+ "Binding" => settings.assertion_consumer_service_binding,
+ "Location" => settings.assertion_consumer_service_url,
+ "isDefault" => true,
+ "index" => 0
+ }
+ end
+
+ if settings.attribute_consuming_service.configured?
+ sp_acs = sp_sso.add_element "md:AttributeConsumingService", {
+ "isDefault" => "true",
+ "index" => settings.attribute_consuming_service.index
+ }
+ srv_name = sp_acs.add_element "md:ServiceName", {
+ "xml:lang" => "en"
+ }
+ srv_name.text = settings.attribute_consuming_service.name
+ settings.attribute_consuming_service.attributes.each do |attribute|
+ sp_req_attr = sp_acs.add_element "md:RequestedAttribute", {
+ "NameFormat" => attribute[:name_format],
+ "Name" => attribute[:name],
+ "FriendlyName" => attribute[:friendly_name],
+ "isRequired" => attribute[:is_required] || false
+ }
+ unless attribute[:attribute_value].nil?
+ Array(attribute[:attribute_value]).each do |value|
+ sp_attr_val = sp_req_attr.add_element "saml:AttributeValue"
+ sp_attr_val.text = value.to_s
+ end
+ end
+ end
+ end
+
+ # With OpenSSO, it might be required to also include
+ # <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+ # <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+
+ sp_sso
+ end
+
+ # can be overridden in subclass
+ def add_extras(root, _settings)
+ root
+ end
+
+ def embed_signature(meta_doc, settings)
+ return unless settings.security[:metadata_signed]
+
+ cert, private_key = settings.get_sp_signing_pair
+ return unless private_key && cert
+
+ meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+ end
+
+ def output_xml(meta_doc, pretty_print)
+ ret = ''.dup
+
+ # pretty print the XML so IdP administrators can easily see what the SP supports
+ if pretty_print
+ meta_doc.write(ret, 1)
+ else
+ ret = meta_doc.to_s
+ end
+
+ ret
+ end
+
+ private
+
+ def add_sp_cert_element(sp_sso, cert, use)
+ return unless cert
+ cert_text = Base64.encode64(cert.to_der).gsub("\n", '')
+ kd = sp_sso.add_element "md:KeyDescriptor", { "use" => use.to_s }
+ ki = kd.add_element "ds:KeyInfo", { "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" }
+ xd = ki.add_element "ds:X509Data"
+ xc = xd.add_element "ds:X509Certificate"
+ xc.text = cert_text
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/response.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/response.rb
new file mode 100644
index 0000000000000000000000000000000000000000..99fe1d129eb33db558a0610755c636ffe63bc3c9
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/response.rb
@@ -0,0 +1,1136 @@
+require "xml_security"
+require "onelogin/ruby-saml/attributes"
+
+require "time"
+require "nokogiri"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Authentication Response. SAML Response
+ #
+ class Response < SamlMessage
+ include ErrorHandling
+
+ ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+ PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
+ DSIG = "http://www.w3.org/2000/09/xmldsig#"
+ XENC = "http://www.w3.org/2001/04/xmlenc#"
+ SAML_NAMESPACES = {
+ "p" => PROTOCOL,
+ "a" => ASSERTION
+ }
+
+ # TODO: Settings should probably be initialized too... WDYT?
+
+ # OneLogin::RubySaml::Settings Toolkit settings
+ attr_accessor :settings
+
+ attr_reader :document
+ attr_reader :decrypted_document
+ attr_reader :response
+ attr_reader :options
+
+ attr_accessor :soft
+
+ # Response available options
+ # This is not a whitelist to allow people extending OneLogin::RubySaml:Response
+ # and pass custom options
+ AVAILABLE_OPTIONS = [
+ :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_audience, :skip_authnstatement, :skip_conditions,
+ :skip_destination, :skip_recipient_check, :skip_subject_confirmation
+ ]
+ # TODO: Update the comment on initialize to describe every option
+
+ # Constructs the SAML Response. A Response Object that is an extension of the SamlMessage class.
+ # @param response [String] A UUEncoded SAML response from the IdP.
+ # @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object
+ # Or some options for the response validation process like skip the conditions validation
+ # with the :skip_conditions, or allow a clock_drift when checking dates with :allowed_clock_drift
+ # or :matches_request_id that will validate that the response matches the ID of the request,
+ # or skip the subject confirmation validation with the :skip_subject_confirmation option
+ # or skip the recipient validation of the subject confirmation element with :skip_recipient_check option
+ # or skip the audience validation with :skip_audience option
+ #
+ def initialize(response, options = {})
+ raise ArgumentError.new("Response cannot be nil") if response.nil?
+
+ @errors = []
+
+ @options = options
+ @soft = true
+ unless options[:settings].nil?
+ @settings = options[:settings]
+ unless @settings.soft.nil?
+ @soft = @settings.soft
+ end
+ end
+
+ @response = decode_raw_saml(response, settings)
+ @document = XMLSecurity::SignedDocument.new(@response, @errors)
+
+ if assertion_encrypted?
+ @decrypted_document = generate_decrypted_document
+ end
+ end
+
+ # Validates the SAML Response with the default values (soft = true)
+ # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
+ # @return [Boolean] TRUE if the SAML Response is valid
+ #
+ def is_valid?(collect_errors = false)
+ validate(collect_errors)
+ end
+
+ # @return [String] the NameID provided by the SAML response from the IdP.
+ #
+ def name_id
+ @name_id ||= Utils.element_text(name_id_node)
+ end
+
+ alias_method :nameid, :name_id
+
+ # @return [String] the NameID Format provided by the SAML response from the IdP.
+ #
+ def name_id_format
+ @name_id_format ||=
+ if name_id_node && name_id_node.attribute("Format")
+ name_id_node.attribute("Format").value
+ end
+ end
+
+ alias_method :nameid_format, :name_id_format
+
+ # @return [String] the NameID SPNameQualifier provided by the SAML response from the IdP.
+ #
+ def name_id_spnamequalifier
+ @name_id_spnamequalifier ||=
+ if name_id_node && name_id_node.attribute("SPNameQualifier")
+ name_id_node.attribute("SPNameQualifier").value
+ end
+ end
+
+ # @return [String] the NameID NameQualifier provided by the SAML response from the IdP.
+ #
+ def name_id_namequalifier
+ @name_id_namequalifier ||=
+ if name_id_node && name_id_node.attribute("NameQualifier")
+ name_id_node.attribute("NameQualifier").value
+ end
+ end
+
+ # Gets the SessionIndex from the AuthnStatement.
+ # Could be used to be stored in the local session in order
+ # to be used in a future Logout Request that the SP could
+ # send to the IdP, to set what specific session must be deleted
+ # @return [String] SessionIndex Value
+ #
+ def sessionindex
+ @sessionindex ||= begin
+ node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+ node.nil? ? nil : node.attributes['SessionIndex']
+ end
+ end
+
+ # Gets the Attributes from the AttributeStatement element.
+ #
+ # All attributes can be iterated over +attributes.each+ or returned as array by +attributes.all+
+ # For backwards compatibility ruby-saml returns by default only the first value for a given attribute with
+ # attributes['name']
+ # To get all of the attributes, use:
+ # attributes.multi('name')
+ # Or turn off the compatibility:
+ # OneLogin::RubySaml::Attributes.single_value_compatibility = false
+ # Now this will return an array:
+ # attributes['name']
+ #
+ # @return [Attributes] OneLogin::RubySaml::Attributes enumerable collection.
+ # @raise [ValidationError] if there are 2+ Attribute with the same Name
+ #
+ def attributes
+ @attr_statements ||= begin
+ attributes = Attributes.new
+
+ stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
+ stmt_elements.each do |stmt_element|
+ stmt_element.elements.each do |attr_element|
+ if attr_element.name == "EncryptedAttribute"
+ node = decrypt_attribute(attr_element.dup)
+ else
+ node = attr_element
+ end
+
+ name = node.attributes["Name"]
+
+ if options[:check_duplicated_attributes] && attributes.include?(name)
+ raise ValidationError.new("Found an Attribute element with duplicated Name")
+ end
+
+ values = node.elements.collect{|e|
+ if (e.elements.nil? || e.elements.size == 0)
+ # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
+ # otherwise the value is to be regarded as empty.
+ ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : Utils.element_text(e)
+ # explicitly support saml2:NameID with saml2:NameQualifier if supplied in attributes
+ # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to
+ # identify the subject in an SP rather than email or other less opaque attributes
+ # NameQualifier, if present is prefixed with a "/" to the value
+ else
+ REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect do |n|
+ base_path = n.attributes['NameQualifier'] ? "#{n.attributes['NameQualifier']}/" : ''
+ "#{base_path}#{Utils.element_text(n)}"
+ end
+ end
+ }
+
+ attributes.add(name, values.flatten)
+ end
+ end
+ attributes
+ end
+ end
+
+ # Gets the SessionNotOnOrAfter from the AuthnStatement.
+ # Could be used to set the local session expiration (expire at latest)
+ # @return [String] The SessionNotOnOrAfter value
+ #
+ def session_expires_at
+ @expires_at ||= begin
+ node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+ node.nil? ? nil : parse_time(node, "SessionNotOnOrAfter")
+ end
+ end
+
+ # Gets the AuthnInstant from the AuthnStatement.
+ # Could be used to require re-authentication if a long time has passed
+ # since the last user authentication.
+ # @return [String] AuthnInstant value
+ #
+ def authn_instant
+ @authn_instant ||= begin
+ node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+ node.nil? ? nil : node.attributes['AuthnInstant']
+ end
+ end
+
+ # Gets the AuthnContextClassRef from the AuthnStatement
+ # Could be used to require re-authentication if the assertion
+ # did not met the requested authentication context class.
+ # @return [String] AuthnContextClassRef value
+ #
+ def authn_context_class_ref
+ @authn_context_class_ref ||= Utils.element_text(xpath_first_from_signed_assertion('/a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef'))
+ end
+
+ # Checks if the Status has the "Success" code
+ # @return [Boolean] True if the StatusCode is Sucess
+ #
+ def success?
+ status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+ end
+
+ # @return [String] StatusCode value from a SAML Response.
+ #
+ def status_code
+ @status_code ||= begin
+ nodes = REXML::XPath.match(
+ document,
+ "/p:Response/p:Status/p:StatusCode",
+ { "p" => PROTOCOL }
+ )
+ if nodes.size == 1
+ node = nodes[0]
+ code = node.attributes["Value"] if node && node.attributes
+
+ unless code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+ nodes = REXML::XPath.match(
+ document,
+ "/p:Response/p:Status/p:StatusCode/p:StatusCode",
+ { "p" => PROTOCOL }
+ )
+ statuses = nodes.collect do |inner_node|
+ inner_node.attributes["Value"]
+ end
+
+ code = [code, statuses].flatten.join(" | ")
+ end
+
+ code
+ end
+ end
+ end
+
+ # @return [String] the StatusMessage value from a SAML Response.
+ #
+ def status_message
+ @status_message ||= begin
+ nodes = REXML::XPath.match(
+ document,
+ "/p:Response/p:Status/p:StatusMessage",
+ { "p" => PROTOCOL }
+ )
+ if nodes.size == 1
+ Utils.element_text(nodes.first)
+ end
+ end
+ end
+
+ # Gets the Condition Element of the SAML Response if exists.
+ # (returns the first node that matches the supplied xpath)
+ # @return [REXML::Element] Conditions Element if exists
+ #
+ def conditions
+ @conditions ||= xpath_first_from_signed_assertion('/a:Conditions')
+ end
+
+ # Gets the NotBefore Condition Element value.
+ # @return [Time] The NotBefore value in Time format
+ #
+ def not_before
+ @not_before ||= parse_time(conditions, "NotBefore")
+ end
+
+ # Gets the NotOnOrAfter Condition Element value.
+ # @return [Time] The NotOnOrAfter value in Time format
+ #
+ def not_on_or_after
+ @not_on_or_after ||= parse_time(conditions, "NotOnOrAfter")
+ end
+
+ # Gets the Issuers (from Response and Assertion).
+ # (returns the first node that matches the supplied xpath from the Response and from the Assertion)
+ # @return [Array] Array with the Issuers (REXML::Element)
+ #
+ def issuers
+ @issuers ||= begin
+ issuer_response_nodes = REXML::XPath.match(
+ document,
+ "/p:Response/a:Issuer",
+ SAML_NAMESPACES
+ )
+
+ unless issuer_response_nodes.size == 1
+ error_msg = "Issuer of the Response not found or multiple."
+ raise ValidationError.new(error_msg)
+ end
+
+ issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
+ unless issuer_assertion_nodes.size == 1
+ error_msg = "Issuer of the Assertion not found or multiple."
+ raise ValidationError.new(error_msg)
+ end
+
+ nodes = issuer_response_nodes + issuer_assertion_nodes
+ nodes.map { |node| Utils.element_text(node) }.compact.uniq
+ end
+ end
+
+ # @return [String|nil] The InResponseTo attribute from the SAML Response.
+ #
+ def in_response_to
+ @in_response_to ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:Response",
+ { "p" => PROTOCOL }
+ )
+ node.nil? ? nil : node.attributes['InResponseTo']
+ end
+ end
+
+ # @return [String|nil] Destination attribute from the SAML Response.
+ #
+ def destination
+ @destination ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:Response",
+ { "p" => PROTOCOL }
+ )
+ node.nil? ? nil : node.attributes['Destination']
+ end
+ end
+
+ # @return [Array] The Audience elements from the Contitions of the SAML Response.
+ #
+ def audiences
+ @audiences ||= begin
+ nodes = xpath_from_signed_assertion('/a:Conditions/a:AudienceRestriction/a:Audience')
+ nodes.map { |node| Utils.element_text(node) }.reject(&:empty?)
+ end
+ end
+
+ # returns the allowed clock drift on timing validation
+ # @return [Float]
+ def allowed_clock_drift
+ options[:allowed_clock_drift].to_f.abs + Float::EPSILON
+ end
+
+ # Checks if the SAML Response contains or not an EncryptedAssertion element
+ # @return [Boolean] True if the SAML Response contains an EncryptedAssertion element
+ #
+ def assertion_encrypted?
+ ! REXML::XPath.first(
+ document,
+ "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+ SAML_NAMESPACES
+ ).nil?
+ end
+
+ def response_id
+ id(document)
+ end
+
+ def assertion_id
+ @assertion_id ||= begin
+ node = xpath_first_from_signed_assertion("")
+ node.nil? ? nil : node.attributes['ID']
+ end
+ end
+
+ private
+
+ # Validates the SAML Response (calls several validation methods)
+ # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
+ # @return [Boolean] True if the SAML Response is valid, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate(collect_errors = false)
+ reset_errors!
+ return false unless validate_response_state
+
+ validations = [
+ :validate_version,
+ :validate_id,
+ :validate_success_status,
+ :validate_num_assertion,
+ :validate_signed_elements,
+ :validate_structure,
+ :validate_no_duplicated_attributes,
+ :validate_in_response_to,
+ :validate_one_conditions,
+ :validate_conditions,
+ :validate_one_authnstatement,
+ :validate_audience,
+ :validate_destination,
+ :validate_issuer,
+ :validate_session_expiration,
+ :validate_subject_confirmation,
+ :validate_name_id,
+ :validate_signature
+ ]
+
+ if collect_errors
+ validations.each { |validation| send(validation) }
+ @errors.empty?
+ else
+ validations.all? { |validation| send(validation) }
+ end
+ end
+
+
+ # Validates the Status of the SAML Response
+ # @return [Boolean] True if the SAML Response contains a Success code, otherwise False if soft == false
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_success_status
+ return true if success?
+
+ error_msg = 'The status code of the Response was not Success'
+ status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+ append_error(status_error_msg)
+ end
+
+ # Validates the SAML Response against the specified schema.
+ # @return [Boolean] True if the XML is valid, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_structure
+ structure_error_msg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"
+
+ unless valid_saml?(document, soft, check_malformed_doc_enabled?)
+ return append_error(structure_error_msg)
+ end
+
+ unless decrypted_document.nil?
+ unless valid_saml?(decrypted_document, soft, check_malformed_doc_enabled?)
+ return append_error(structure_error_msg)
+ end
+ end
+
+ true
+ end
+
+ # Validates that the SAML Response provided in the initialization is not empty,
+ # also check that the setting and the IdP cert were also provided
+ # @return [Boolean] True if the required info is found, false otherwise
+ #
+ def validate_response_state
+ return append_error("Blank response") if response.nil? || response.empty?
+
+ return append_error("No settings on response") if settings.nil?
+
+ if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
+ return append_error("No fingerprint or certificate on settings")
+ end
+
+ true
+ end
+
+ # Validates that the SAML Response contains an ID
+ # If fails, the error is added to the errors array.
+ # @return [Boolean] True if the SAML Response contains an ID, otherwise returns False
+ #
+ def validate_id
+ unless response_id
+ return append_error("Missing ID attribute on SAML Response")
+ end
+
+ true
+ end
+
+ # Validates the SAML version (2.0)
+ # If fails, the error is added to the errors array.
+ # @return [Boolean] True if the SAML Response is 2.0, otherwise returns False
+ #
+ def validate_version
+ unless version(document) == "2.0"
+ return append_error("Unsupported SAML version")
+ end
+
+ true
+ end
+
+ # Validates that the SAML Response only contains a single Assertion (encrypted or not).
+ # If fails, the error is added to the errors array.
+ # @return [Boolean] True if the SAML Response contains one unique Assertion, otherwise False
+ #
+ def validate_num_assertion
+ error_msg = "SAML Response must contain 1 assertion"
+ assertions = REXML::XPath.match(
+ document,
+ "//a:Assertion",
+ { "a" => ASSERTION }
+ )
+ encrypted_assertions = REXML::XPath.match(
+ document,
+ "//a:EncryptedAssertion",
+ { "a" => ASSERTION }
+ )
+
+ unless assertions.size + encrypted_assertions.size == 1
+ return append_error(error_msg)
+ end
+
+ unless decrypted_document.nil?
+ assertions = REXML::XPath.match(
+ decrypted_document,
+ "//a:Assertion",
+ { "a" => ASSERTION }
+ )
+ unless assertions.size == 1
+ return append_error(error_msg)
+ end
+ end
+
+ true
+ end
+
+ # Validates that there are not duplicated attributes
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if there are no duplicated attribute elements, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_no_duplicated_attributes
+ if options[:check_duplicated_attributes]
+ begin
+ attributes
+ rescue ValidationError => e
+ return append_error(e.message)
+ end
+ end
+
+ true
+ end
+
+ # Validates the Signed elements
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if there is 1 or 2 Elements signed in the SAML Response
+ # an are a Response or an Assertion Element, otherwise False if soft=True
+ #
+ def validate_signed_elements
+ signature_nodes = REXML::XPath.match(
+ decrypted_document.nil? ? document : decrypted_document,
+ "//ds:Signature",
+ {"ds"=>DSIG}
+ )
+ signed_elements = []
+ verified_seis = []
+ verified_ids = []
+ signature_nodes.each do |signature_node|
+ signed_element = signature_node.parent.name
+ if signed_element != 'Response' && signed_element != 'Assertion'
+ return append_error("Invalid Signature Element '#{signed_element}'. SAML Response rejected")
+ end
+
+ if signature_node.parent.attributes['ID'].nil?
+ return append_error("Signed Element must contain an ID. SAML Response rejected")
+ end
+
+ id = signature_node.parent.attributes.get_attribute("ID").value
+ if verified_ids.include?(id)
+ return append_error("Duplicated ID. SAML Response rejected")
+ end
+ verified_ids.push(id)
+
+ # Check that reference URI matches the parent ID and no duplicate References or IDs
+ ref = REXML::XPath.first(signature_node, ".//ds:Reference", {"ds"=>DSIG})
+ if ref
+ uri = ref.attributes.get_attribute("URI")
+ if uri && !uri.value.empty?
+ sei = uri.value[1..-1]
+
+ unless sei == id
+ return append_error("Found an invalid Signed Element. SAML Response rejected")
+ end
+
+ if verified_seis.include?(sei)
+ return append_error("Duplicated Reference URI. SAML Response rejected")
+ end
+
+ verified_seis.push(sei)
+ end
+ end
+
+ signed_elements << signed_element
+ end
+
+ unless signature_nodes.length < 3 && !signed_elements.empty?
+ return append_error("Found an unexpected number of Signature Element. SAML Response rejected")
+ end
+
+ if settings.security[:want_assertions_signed] && !(signed_elements.include? "Assertion")
+ return append_error("The Assertion of the Response is not signed and the SP requires it")
+ end
+
+ true
+ end
+
+ # Validates if the provided request_id match the inResponseTo value.
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if there is no request_id or it match, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_in_response_to
+ return true unless options.has_key? :matches_request_id
+ return true if options[:matches_request_id].nil?
+ return true unless options[:matches_request_id] != in_response_to
+
+ error_msg = "The InResponseTo of the Response: #{in_response_to}, does not match the ID of the AuthNRequest sent by the SP: #{options[:matches_request_id]}"
+ append_error(error_msg)
+ end
+
+ # Validates the Audience, (If the Audience match the Service Provider EntityID)
+ # If the response was initialized with the :skip_audience option, this validation is skipped,
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_audience
+ return true if options[:skip_audience]
+ return true if settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+
+ if audiences.empty?
+ return true unless settings.security[:strict_audience_validation]
+ return append_error("Invalid Audiences. The <AudienceRestriction> element contained only empty <Audience> elements. Expected audience #{settings.sp_entity_id}.")
+ end
+
+ unless audiences.include? settings.sp_entity_id
+ s = audiences.count > 1 ? 's' : '';
+ error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.sp_entity_id}"
+ return append_error(error_msg)
+ end
+
+ true
+ end
+
+ # Validates the Destination, (If the SAML Response is received where expected).
+ # If the response was initialized with the :skip_destination option, this validation is skipped,
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if there is a Destination element that matches the Consumer Service URL, otherwise False
+ #
+ def validate_destination
+ return true if destination.nil?
+ return true if options[:skip_destination]
+
+ if destination.empty?
+ error_msg = "The response has an empty Destination value"
+ return append_error(error_msg)
+ end
+
+ return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
+
+ unless OneLogin::RubySaml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
+ error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
+ return append_error(error_msg)
+ end
+
+ true
+ end
+
+ # Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
+ # (If the response was initialized with the :skip_conditions option, this validation is skipped)
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if there is a conditions element and is unique
+ #
+ def validate_one_conditions
+ return true if options[:skip_conditions]
+
+ conditions_nodes = xpath_from_signed_assertion('/a:Conditions')
+ unless conditions_nodes.size == 1
+ error_msg = "The Assertion must include one Conditions element"
+ return append_error(error_msg)
+ end
+
+ true
+ end
+
+ # Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if there is a authnstatement element and is unique
+ #
+ def validate_one_authnstatement
+ return true if options[:skip_authnstatement]
+
+ authnstatement_nodes = xpath_from_signed_assertion('/a:AuthnStatement')
+ unless authnstatement_nodes.size == 1
+ error_msg = "The Assertion must include one AuthnStatement element"
+ return append_error(error_msg)
+ end
+
+ true
+ end
+
+ # Validates the Conditions. (If the response was initialized with the :skip_conditions option, this validation is skipped,
+ # If the response was initialized with the :allowed_clock_drift option, the timing validations are relaxed by the allowed_clock_drift value)
+ # @return [Boolean] True if satisfies the conditions, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_conditions
+ return true if conditions.nil?
+ return true if options[:skip_conditions]
+
+ now = Time.now.utc
+
+ if not_before && now < (not_before - allowed_clock_drift)
+ error_msg = "Current time is earlier than NotBefore condition (#{now} < #{not_before}#{" - #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
+ return append_error(error_msg)
+ end
+
+ if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+ error_msg = "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})"
+ return append_error(error_msg)
+ end
+
+ true
+ end
+
+ # Validates the Issuer (Of the SAML Response and the SAML Assertion)
+ # @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the response is invalid or not)
+ # @return [Boolean] True if the Issuer matchs the IdP entityId, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_issuer
+ return true if settings.idp_entity_id.nil?
+
+ begin
+ obtained_issuers = issuers
+ rescue ValidationError => e
+ return append_error(e.message)
+ end
+
+ obtained_issuers.each do |issuer|
+ unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+ error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
+ return append_error(error_msg)
+ end
+ end
+
+ true
+ end
+
+ # Validates that the Session haven't expired (If the response was initialized with the :allowed_clock_drift option,
+ # this time validation is relaxed by the allowed_clock_drift value)
+ # If fails, the error is added to the errors array
+ # @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the response is invalid or not)
+ # @return [Boolean] True if the SessionNotOnOrAfter of the AuthnStatement is valid, otherwise (when expired) False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_session_expiration
+ return true if session_expires_at.nil?
+
+ now = Time.now.utc
+ unless now < (session_expires_at + allowed_clock_drift)
+ error_msg = "The attributes have expired, based on the SessionNotOnOrAfter of the AuthnStatement of this Response"
+ return append_error(error_msg)
+ end
+
+ true
+ end
+
+ # Validates if exists valid SubjectConfirmation (If the response was initialized with the :allowed_clock_drift option,
+ # timimg validation are relaxed by the allowed_clock_drift value. If the response was initialized with the
+ # :skip_subject_confirmation option, this validation is skipped)
+ # There is also an optional Recipient check
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if exists a valid SubjectConfirmation, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_subject_confirmation
+ return true if options[:skip_subject_confirmation]
+ valid_subject_confirmation = false
+
+ subject_confirmation_nodes = xpath_from_signed_assertion('/a:Subject/a:SubjectConfirmation')
+
+ now = Time.now.utc
+ subject_confirmation_nodes.each do |subject_confirmation|
+ if subject_confirmation.attributes.include? "Method" and subject_confirmation.attributes['Method'] != 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
+ next
+ end
+
+ confirmation_data_node = REXML::XPath.first(
+ subject_confirmation,
+ 'a:SubjectConfirmationData',
+ { "a" => ASSERTION }
+ )
+
+ next unless confirmation_data_node
+
+ attrs = confirmation_data_node.attributes
+ next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
+ (attrs.include? "NotBefore" and now < (parse_time(confirmation_data_node, "NotBefore") - allowed_clock_drift)) ||
+ (attrs.include? "NotOnOrAfter" and now >= (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift)) ||
+ (attrs.include? "Recipient" and !options[:skip_recipient_check] and settings and attrs['Recipient'] != settings.assertion_consumer_service_url)
+
+ valid_subject_confirmation = true
+ break
+ end
+
+ if !valid_subject_confirmation
+ error_msg = "A valid SubjectConfirmation was not found on this Response"
+ return append_error(error_msg)
+ end
+
+ true
+ end
+
+ # Validates the NameID element
+ def validate_name_id
+ if name_id_node.nil?
+ if settings.security[:want_name_id]
+ return append_error("No NameID element found in the assertion of the Response")
+ end
+ else
+ if name_id.nil? || name_id.empty?
+ return append_error("An empty NameID value found")
+ end
+
+ unless settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
+ if name_id_spnamequalifier != settings.sp_entity_id
+ return append_error("SPNameQualifier value does not match the SP entityID value.")
+ end
+ end
+ end
+
+ true
+ end
+
+ def doc_to_validate
+ # If the response contains the signature, and the assertion was encrypted, validate the original SAML Response
+ # otherwise, review if the decrypted assertion contains a signature
+ sig_elements = REXML::XPath.match(
+ document,
+ "/p:Response[@ID=$id]/ds:Signature",
+ { "p" => PROTOCOL, "ds" => DSIG },
+ { 'id' => document.signed_element_id }
+ )
+
+ use_original = sig_elements.size == 1 || decrypted_document.nil?
+ doc = use_original ? document : decrypted_document
+ if !doc.processed
+ doc.cache_referenced_xml(@soft, check_malformed_doc_enabled?)
+ end
+
+ return doc
+ end
+
+ # Validates the Signature
+ # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_signature
+ error_msg = "Invalid Signature on SAML Response"
+
+ doc = doc_to_validate
+
+ sig_elements = REXML::XPath.match(
+ document,
+ "/p:Response[@ID=$id]/ds:Signature",
+ { "p" => PROTOCOL, "ds" => DSIG },
+ { 'id' => document.signed_element_id }
+ )
+
+ # Check signature node inside assertion
+ if sig_elements.nil? || sig_elements.size == 0
+ sig_elements = REXML::XPath.match(
+ doc,
+ "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
+ SAML_NAMESPACES.merge({"ds"=>DSIG}),
+ { 'id' => doc.signed_element_id }
+ )
+ end
+
+ if sig_elements.size != 1
+ if sig_elements.size == 0
+ append_error("Signed element id ##{doc.signed_element_id} is not found")
+ else
+ append_error("Signed element id ##{doc.signed_element_id} is found more than once")
+ end
+ return append_error(error_msg)
+ end
+
+ old_errors = @errors.clone
+
+ idp_certs = settings.get_idp_cert_multi
+ if idp_certs.nil? || idp_certs[:signing].empty?
+ opts = {}
+ opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
+ idp_cert = settings.get_idp_cert
+ fingerprint = settings.get_fingerprint
+ opts[:cert] = idp_cert
+
+ if fingerprint && doc.validate_document(fingerprint, @soft, opts)
+ if settings.security[:check_idp_cert_expiration]
+ if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+ error_msg = "IdP x509 certificate expired"
+ return append_error(error_msg)
+ end
+ end
+ else
+ return append_error(error_msg)
+ end
+ else
+ valid = false
+ expired = false
+ idp_certs[:signing].each do |idp_cert|
+ valid = doc.validate_document_with_cert(idp_cert, true)
+ if valid
+ if settings.security[:check_idp_cert_expiration]
+ if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+ expired = true
+ end
+ end
+
+ # At least one certificate is valid, restore the old accumulated errors
+ @errors = old_errors
+ break
+ end
+
+ end
+ if expired
+ error_msg = "IdP x509 certificate expired"
+ return append_error(error_msg)
+ end
+ unless valid
+ # Remove duplicated errors
+ @errors = @errors.uniq
+ return append_error(error_msg)
+ end
+ end
+
+ true
+ end
+
+ def name_id_node
+ @name_id_node ||=
+ begin
+ encrypted_node = xpath_first_from_signed_assertion('/a:Subject/a:EncryptedID')
+ if encrypted_node
+ decrypt_nameid(encrypted_node)
+ else
+ xpath_first_from_signed_assertion('/a:Subject/a:NameID')
+ end
+ end
+ end
+
+ def get_cached_signed_assertion
+ xml = doc_to_validate.referenced_xml
+ empty_doc = REXML::Document.new
+
+ return empty_doc if xml.nil? # when no signature/reference is found, return empty document
+
+ root = REXML::Document.new(xml).root
+
+ if root["ID"] != doc_to_validate.signed_element_id
+ return empty_doc
+ end
+
+ assertion = empty_doc
+ if root.name == "Response"
+ if REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
+ assertion = REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
+ elsif REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION})
+ assertion = decrypt_assertion(REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION}))
+ end
+ elsif root.name == "Assertion"
+ assertion = root
+ end
+
+ assertion
+ end
+
+ def signed_assertion
+ @signed_assertion ||= get_cached_signed_assertion
+ end
+
+ # Extracts the first appearance that matchs the subelt (pattern)
+ # Search on any Assertion that is signed, or has a Response parent signed
+ # @param subelt [String] The XPath pattern
+ # @return [REXML::Element | nil] If any matches, return the Element
+ #
+ def xpath_first_from_signed_assertion(subelt=nil)
+ doc = signed_assertion
+ node = REXML::XPath.first(
+ doc,
+ "./#{subelt}",
+ SAML_NAMESPACES
+ )
+ node
+ end
+
+ # Extracts all the appearances that matchs the subelt (pattern)
+ # Search on any Assertion that is signed, or has a Response parent signed
+ # @param subelt [String] The XPath pattern
+ # @return [Array of REXML::Element] Return all matches
+ #
+ def xpath_from_signed_assertion(subelt=nil)
+ doc = signed_assertion
+ node = REXML::XPath.match(
+ doc,
+ "./#{subelt}",
+ SAML_NAMESPACES
+ )
+ node
+ end
+
+ # Generates the decrypted_document
+ # @return [XMLSecurity::SignedDocument] The SAML Response with the assertion decrypted
+ #
+ def generate_decrypted_document
+ if settings.nil? || settings.get_sp_decryption_keys.empty?
+ raise ValidationError.new('An EncryptedAssertion found and no SP private key found on the settings to decrypt it. Be sure you provided the :settings parameter at the initialize method')
+ end
+
+ # Marshal at Ruby 1.8.7 throw an Exception
+ if RUBY_VERSION < "1.9"
+ document_copy = XMLSecurity::SignedDocument.new(response, errors)
+ else
+ document_copy = Marshal.load(Marshal.dump(document))
+ end
+
+ decrypt_assertion_from_document(document_copy)
+ end
+
+ # Obtains a SAML Response with the EncryptedAssertion element decrypted
+ # @param document_copy [XMLSecurity::SignedDocument] A copy of the original SAML Response with the encrypted assertion
+ # @return [XMLSecurity::SignedDocument] The SAML Response with the assertion decrypted
+ #
+ def decrypt_assertion_from_document(document_copy)
+ response_node = REXML::XPath.first(
+ document_copy,
+ "/p:Response/",
+ { "p" => PROTOCOL }
+ )
+ encrypted_assertion_node = REXML::XPath.first(
+ document_copy,
+ "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+ SAML_NAMESPACES
+ )
+ response_node.add(decrypt_assertion(encrypted_assertion_node))
+ encrypted_assertion_node.remove
+ XMLSecurity::SignedDocument.new(response_node.to_s)
+ end
+
+ # Decrypts an EncryptedAssertion element
+ # @param encrypted_assertion_node [REXML::Element] The EncryptedAssertion element
+ # @return [REXML::Document] The decrypted EncryptedAssertion element
+ #
+ def decrypt_assertion(encrypted_assertion_node)
+ decrypt_element(encrypted_assertion_node, /(.*<\/(\w+:)?Assertion>)/m)
+ end
+
+ # Decrypts an EncryptedID element
+ # @param encrypted_id_node [REXML::Element] The EncryptedID element
+ # @return [REXML::Document] The decrypted EncrypedtID element
+ #
+ def decrypt_nameid(encrypted_id_node)
+ decrypt_element(encrypted_id_node, /(.*<\/(\w+:)?NameID>)/m)
+ end
+
+ # Decrypts an EncryptedAttribute element
+ # @param encrypted_attribute_node [REXML::Element] The EncryptedAttribute element
+ # @return [REXML::Document] The decrypted EncryptedAttribute element
+ #
+ def decrypt_attribute(encrypted_attribute_node)
+ decrypt_element(encrypted_attribute_node, /(.*<\/(\w+:)?Attribute>)/m)
+ end
+
+ # Decrypt an element
+ # @param encrypt_node [REXML::Element] The encrypted element
+ # @param regexp [Regexp] The regular expression to extract the decrypted data
+ # @return [REXML::Document] The decrypted element
+ #
+ def decrypt_element(encrypt_node, regexp)
+ if settings.nil? || settings.get_sp_decryption_keys.empty?
+ raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
+ end
+
+ if encrypt_node.name == 'EncryptedAttribute'
+ node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
+ else
+ node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
+ end
+
+ elem_plaintext = OneLogin::RubySaml::Utils.decrypt_multi(encrypt_node, settings.get_sp_decryption_keys)
+
+ # If we get some problematic noise in the plaintext after decrypting.
+ # This quick regexp parse will grab only the Element and discard the noise.
+ elem_plaintext = elem_plaintext.match(regexp)[0]
+
+ # To avoid namespace errors if saml namespace is not defined
+ # create a parent node first with the namespace defined
+ elem_plaintext = node_header + elem_plaintext + '</node>'
+ doc = REXML::Document.new(elem_plaintext)
+ doc.root[0]
+ end
+
+ # Parse the attribute of a given node in Time format
+ # @param node [REXML:Element] The node
+ # @param attribute [String] The attribute name
+ # @return [Time|nil] The parsed value
+ #
+ def parse_time(node, attribute)
+ if node && node.attributes[attribute]
+ Time.parse(node.attributes[attribute])
+ end
+ end
+
+ def check_malformed_doc_enabled?
+ default_value = OneLogin::RubySaml::Settings::DEFAULTS[:check_malformed_doc]
+
+ settings.nil? ? default_value : settings.check_malformed_doc
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/saml_message.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/saml_message.rb
new file mode 100644
index 0000000000000000000000000000000000000000..70f3319f28248ec50e7ddc5426e05984cb0e523a
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/saml_message.rb
@@ -0,0 +1,164 @@
+require 'cgi'
+require 'zlib'
+require 'base64'
+require 'nokogiri'
+require 'rexml/document'
+require 'rexml/xpath'
+require "onelogin/ruby-saml/error_handling"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Message
+ #
+ class SamlMessage
+ include REXML
+
+ ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion".freeze
+ PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol".freeze
+
+ BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
+
+ # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
+ #
+ def self.schema
+ path = File.expand_path("../../../schemas/saml-schema-protocol-2.0.xsd", __FILE__)
+ File.open(path) do |file|
+ ::Nokogiri::XML::Schema(file)
+ end
+ end
+
+ # @return [String|nil] Gets the Version attribute from the SAML Message if exists.
+ #
+ def version(document)
+ @version ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:AuthnRequest | /p:Response | /p:LogoutResponse | /p:LogoutRequest",
+ { "p" => PROTOCOL }
+ )
+ node.nil? ? nil : node.attributes['Version']
+ end
+ end
+
+ # @return [String|nil] Gets the ID attribute from the SAML Message if exists.
+ #
+ def id(document)
+ @id ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:AuthnRequest | /p:Response | /p:LogoutResponse | /p:LogoutRequest",
+ { "p" => PROTOCOL }
+ )
+ node.nil? ? nil : node.attributes['ID']
+ end
+ end
+
+ # Validates the SAML Message against the specified schema.
+ # @param document [REXML::Document] The message that will be validated
+ # @param soft [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the message is invalid or not)
+ # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
+ # @return [Boolean] True if the XML is valid, otherwise False, if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def valid_saml?(document, soft = true, check_malformed_doc = true)
+ begin
+ xml = XMLSecurity::BaseDocument.safe_load_xml(document, check_malformed_doc)
+ rescue StandardError => error
+ return false if soft
+ raise ValidationError.new("XML load failed: #{error.message}")
+ end
+
+ SamlMessage.schema.validate(xml).map do |schema_error|
+ return false if soft
+ raise ValidationError.new("#{schema_error.message}\n\n#{xml}")
+ end
+ end
+
+ private
+
+ # Base64 decode and try also to inflate a SAML Message
+ # @param saml [String] The deflated and encoded SAML Message
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @return [String] The plain SAML Message
+ #
+ def decode_raw_saml(saml, settings = nil)
+ return saml unless base64_encoded?(saml)
+
+ settings = OneLogin::RubySaml::Settings.new if settings.nil?
+ if saml.bytesize > settings.message_max_bytesize
+ raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
+ end
+
+ decoded = decode(saml)
+ begin
+ message = inflate(decoded)
+ rescue
+ message = decoded
+ end
+
+ if message.bytesize > settings.message_max_bytesize
+ raise ValidationError.new("SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
+ end
+
+ message
+ end
+
+ # Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
+ # @param saml [String] The plain SAML Message
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @return [String] The deflated and encoded SAML Message (encoded if the compression is requested)
+ #
+ def encode_raw_saml(saml, settings)
+ saml = deflate(saml) if settings.compress_request
+
+ CGI.escape(encode(saml))
+ end
+
+ # Base 64 decode method
+ # @param string [String] The string message
+ # @return [String] The decoded string
+ #
+ def decode(string)
+ Base64.decode64(string)
+ end
+
+ # Base 64 encode method
+ # @param string [String] The string
+ # @return [String] The encoded string
+ #
+ def encode(string)
+ if Base64.respond_to?('strict_encode64')
+ Base64.strict_encode64(string)
+ else
+ Base64.encode64(string).gsub(/\n/, "")
+ end
+ end
+
+ # Check if a string is base64 encoded
+ # @param string [String] string to check the encoding of
+ # @return [true, false] whether or not the string is base64 encoded
+ #
+ def base64_encoded?(string)
+ !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
+ end
+
+ # Inflate method
+ # @param deflated [String] The string
+ # @return [String] The inflated string
+ #
+ def inflate(deflated)
+ Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated)
+ end
+
+ # Deflate method
+ # @param inflated [String] The string
+ # @return [String] The deflated string
+ #
+ def deflate(inflated)
+ Zlib::Deflate.deflate(inflated, 9)[2..-5]
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/setting_error.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/setting_error.rb
new file mode 100644
index 0000000000000000000000000000000000000000..847766bf8c087fdbc759c2fce8025b547ea298f8
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/setting_error.rb
@@ -0,0 +1,6 @@
+module OneLogin
+ module RubySaml
+ class SettingError < StandardError
+ end
+ end
+end
\ No newline at end of file
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/settings.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/settings.rb
new file mode 100644
index 0000000000000000000000000000000000000000..59867f6129859c04facb1971bfbdfd862af84bb3
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/settings.rb
@@ -0,0 +1,385 @@
+require "xml_security"
+require "onelogin/ruby-saml/attribute_service"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/validation_error"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Toolkit Settings
+ #
+ class Settings
+ def initialize(overrides = {}, keep_security_attributes = false)
+ if keep_security_attributes
+ security_attributes = overrides.delete(:security) || {}
+ config = DEFAULTS.merge(overrides)
+ config[:security] = DEFAULTS[:security].merge(security_attributes)
+ else
+ config = DEFAULTS.merge(overrides)
+ end
+
+ config.each do |k,v|
+ acc = "#{k}=".to_sym
+ if respond_to? acc
+ value = v.is_a?(Hash) ? v.dup : v
+ send(acc, value)
+ end
+ end
+ @attribute_consuming_service = AttributeService.new
+ end
+
+ # IdP Data
+ attr_accessor :idp_entity_id
+ attr_writer :idp_sso_service_url
+ attr_writer :idp_slo_service_url
+ attr_accessor :idp_slo_response_service_url
+ attr_accessor :idp_cert
+ attr_accessor :idp_cert_fingerprint
+ attr_accessor :idp_cert_fingerprint_algorithm
+ attr_accessor :idp_cert_multi
+ attr_accessor :idp_attribute_names
+ attr_accessor :idp_name_qualifier
+ attr_accessor :valid_until
+ # SP Data
+ attr_writer :sp_entity_id
+ attr_accessor :assertion_consumer_service_url
+ attr_reader :assertion_consumer_service_binding
+ attr_writer :single_logout_service_url
+ attr_accessor :sp_name_qualifier
+ attr_accessor :name_identifier_format
+ attr_accessor :name_identifier_value
+ attr_accessor :name_identifier_value_requested
+ attr_accessor :sessionindex
+ attr_accessor :compress_request
+ attr_accessor :compress_response
+ attr_accessor :double_quote_xml_attribute_values
+ attr_accessor :message_max_bytesize
+ attr_accessor :check_malformed_doc
+ attr_accessor :passive
+ attr_reader :protocol_binding
+ attr_accessor :attributes_index
+ attr_accessor :force_authn
+ attr_accessor :certificate
+ attr_accessor :private_key
+ attr_accessor :sp_cert_multi
+ attr_accessor :authn_context
+ attr_accessor :authn_context_comparison
+ attr_accessor :authn_context_decl_ref
+ attr_reader :attribute_consuming_service
+ # Work-flow
+ attr_accessor :security
+ attr_accessor :soft
+ # Deprecated
+ attr_accessor :certificate_new
+ attr_accessor :assertion_consumer_logout_service_url
+ attr_reader :assertion_consumer_logout_service_binding
+ attr_accessor :issuer
+ attr_accessor :idp_sso_target_url
+ attr_accessor :idp_slo_target_url
+
+ # @return [String] IdP Single Sign On Service URL
+ #
+ def idp_sso_service_url
+ @idp_sso_service_url || @idp_sso_target_url
+ end
+
+ # @return [String] IdP Single Logout Service URL
+ #
+ def idp_slo_service_url
+ @idp_slo_service_url || @idp_slo_target_url
+ end
+
+ # @return [String] IdP Single Sign On Service Binding
+ #
+ def idp_sso_service_binding
+ @idp_sso_service_binding || idp_binding_from_embed_sign
+ end
+
+ # Setter for IdP Single Sign On Service Binding
+ # @param value [String, Symbol].
+ #
+ def idp_sso_service_binding=(value)
+ @idp_sso_service_binding = get_binding(value)
+ end
+
+ # @return [String] IdP Single Logout Service Binding
+ #
+ def idp_slo_service_binding
+ @idp_slo_service_binding || idp_binding_from_embed_sign
+ end
+
+ # Setter for IdP Single Logout Service Binding
+ # @param value [String, Symbol].
+ #
+ def idp_slo_service_binding=(value)
+ @idp_slo_service_binding = get_binding(value)
+ end
+
+ # @return [String] SP Entity ID
+ #
+ def sp_entity_id
+ @sp_entity_id || @issuer
+ end
+
+ # Setter for SP Protocol Binding
+ # @param value [String, Symbol].
+ #
+ def protocol_binding=(value)
+ @protocol_binding = get_binding(value)
+ end
+
+ # Setter for SP Assertion Consumer Service Binding
+ # @param value [String, Symbol].
+ #
+ def assertion_consumer_service_binding=(value)
+ @assertion_consumer_service_binding = get_binding(value)
+ end
+
+ # @return [String] Single Logout Service URL.
+ #
+ def single_logout_service_url
+ @single_logout_service_url || @assertion_consumer_logout_service_url
+ end
+
+ # @return [String] Single Logout Service Binding.
+ #
+ def single_logout_service_binding
+ @single_logout_service_binding || @assertion_consumer_logout_service_binding
+ end
+
+ # Setter for Single Logout Service Binding.
+ #
+ # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
+ # @param value [String, Symbol]
+ #
+ def single_logout_service_binding=(value)
+ @single_logout_service_binding = get_binding(value)
+ end
+
+ # @deprecated Setter for legacy Single Logout Service Binding parameter.
+ #
+ # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
+ # @param value [String, Symbol]
+ #
+ def assertion_consumer_logout_service_binding=(value)
+ @assertion_consumer_logout_service_binding = get_binding(value)
+ end
+
+ # Calculates the fingerprint of the IdP x509 certificate.
+ # @return [String] The fingerprint
+ #
+ def get_fingerprint
+ idp_cert_fingerprint || begin
+ idp_cert = get_idp_cert
+ if idp_cert
+ fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(idp_cert_fingerprint_algorithm).new
+ fingerprint_alg.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
+ end
+ end
+ end
+
+ # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
+ #
+ def get_idp_cert
+ OneLogin::RubySaml::Utils.build_cert_object(idp_cert)
+ end
+
+ # @return [Hash with 2 arrays of OpenSSL::X509::Certificate] Build multiple IdP certificates from the settings.
+ #
+ def get_idp_cert_multi
+ return nil if idp_cert_multi.nil? || idp_cert_multi.empty?
+
+ raise ArgumentError.new("Invalid value for idp_cert_multi") unless idp_cert_multi.is_a?(Hash)
+
+ certs = {:signing => [], :encryption => [] }
+
+ [:signing, :encryption].each do |type|
+ certs_for_type = idp_cert_multi[type] || idp_cert_multi[type.to_s]
+ next if !certs_for_type || certs_for_type.empty?
+
+ certs_for_type.each do |idp_cert|
+ certs[type].push(OneLogin::RubySaml::Utils.build_cert_object(idp_cert))
+ end
+ end
+
+ certs
+ end
+
+ # @return [Hash<Symbol, Array<Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>>>]
+ # Build the SP certificates and private keys from the settings. If
+ # check_sp_cert_expiration is true, only returns certificates and private keys
+ # that are not expired.
+ def get_sp_certs
+ certs = get_all_sp_certs
+ return certs unless security[:check_sp_cert_expiration]
+
+ active_certs = { signing: [], encryption: [] }
+ certs.each do |use, pairs|
+ next if pairs.empty?
+
+ pairs = pairs.select { |cert, _| !cert || OneLogin::RubySaml::Utils.is_cert_active(cert) }
+ raise OneLogin::RubySaml::ValidationError.new("The SP certificate expired.") if pairs.empty?
+
+ active_certs[use] = pairs.freeze
+ end
+ active_certs.freeze
+ end
+
+ # @return [Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>]
+ # The SP signing certificate and private key.
+ def get_sp_signing_pair
+ get_sp_certs[:signing].first
+ end
+
+ # @return [OpenSSL::X509::Certificate] The SP signing certificate.
+ # @deprecated Use get_sp_signing_pair or get_sp_certs instead.
+ def get_sp_cert
+ node = get_sp_signing_pair
+ node[0] if node
+ end
+
+ # @return [OpenSSL::PKey::RSA] The SP signing key.
+ def get_sp_signing_key
+ node = get_sp_signing_pair
+ node[1] if node
+ end
+
+ # @deprecated Use get_sp_signing_key or get_sp_certs instead.
+ alias_method :get_sp_key, :get_sp_signing_key
+
+ # @return [Array<OpenSSL::PKey::RSA>] The SP decryption keys.
+ def get_sp_decryption_keys
+ ary = get_sp_certs[:encryption].map { |pair| pair[1] }
+ ary.compact!
+ ary.uniq!(&:to_pem)
+ ary.freeze
+ end
+
+ # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings.
+ #
+ # @deprecated Use get_sp_certs instead
+ def get_sp_cert_new
+ node = get_sp_certs[:signing].last
+ node[0] if node
+ end
+
+ def idp_binding_from_embed_sign
+ security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
+ end
+
+ def get_binding(value)
+ return unless value
+
+ Utils::BINDINGS[value.to_sym] || value
+ end
+
+ DEFAULTS = {
+ :assertion_consumer_service_binding => Utils::BINDINGS[:post],
+ :single_logout_service_binding => Utils::BINDINGS[:redirect],
+ :idp_cert_fingerprint_algorithm => XMLSecurity::Document::SHA1,
+ :compress_request => true,
+ :compress_response => true,
+ :message_max_bytesize => 250000,
+ :soft => true,
+ :double_quote_xml_attribute_values => false,
+ :check_malformed_doc => true,
+ :security => {
+ :authn_requests_signed => false,
+ :logout_requests_signed => false,
+ :logout_responses_signed => false,
+ :want_assertions_signed => false,
+ :want_assertions_encrypted => false,
+ :want_name_id => false,
+ :metadata_signed => false,
+ :embed_sign => false, # Deprecated
+ :digest_method => XMLSecurity::Document::SHA1,
+ :signature_method => XMLSecurity::Document::RSA_SHA1,
+ :check_idp_cert_expiration => false,
+ :check_sp_cert_expiration => false,
+ :strict_audience_validation => false,
+ :lowercase_url_encoding => false
+ }.freeze
+ }.freeze
+
+ private
+
+ # @return [Hash<Symbol, Array<Array<OpenSSL::X509::Certificate, OpenSSL::PKey::RSA>>>]
+ # Build the SP certificates and private keys from the settings. Returns all
+ # certificates and private keys, even if they are expired.
+ def get_all_sp_certs
+ validate_sp_certs_params!
+ get_sp_certs_multi || get_sp_certs_single
+ end
+
+ # Validate certificate, certificate_new, private_key, and sp_cert_multi params.
+ def validate_sp_certs_params!
+ multi = sp_cert_multi && !sp_cert_multi.empty?
+ cert = certificate && !certificate.empty?
+ cert_new = certificate_new && !certificate_new.empty?
+ pk = private_key && !private_key.empty?
+ if multi && (cert || cert_new || pk)
+ raise ArgumentError.new("Cannot specify both sp_cert_multi and certificate, certificate_new, private_key parameters")
+ end
+ end
+
+ # Get certs from certificate, certificate_new, and private_key parameters.
+ def get_sp_certs_single
+ certs = { :signing => [], :encryption => [] }
+
+ sp_key = OneLogin::RubySaml::Utils.build_private_key_object(private_key)
+ cert = OneLogin::RubySaml::Utils.build_cert_object(certificate)
+ if cert || sp_key
+ ary = [cert, sp_key].freeze
+ certs[:signing] << ary
+ certs[:encryption] << ary
+ end
+
+ cert_new = OneLogin::RubySaml::Utils.build_cert_object(certificate_new)
+ if cert_new
+ ary = [cert_new, sp_key].freeze
+ certs[:signing] << ary
+ certs[:encryption] << ary
+ end
+
+ certs
+ end
+
+ # Get certs from get_sp_cert_multi parameter.
+ def get_sp_certs_multi
+ return if sp_cert_multi.nil? || sp_cert_multi.empty?
+
+ raise ArgumentError.new("sp_cert_multi must be a Hash") unless sp_cert_multi.is_a?(Hash)
+
+ certs = { :signing => [], :encryption => [] }.freeze
+
+ [:signing, :encryption].each do |type|
+ certs_for_type = sp_cert_multi[type] || sp_cert_multi[type.to_s]
+ next if !certs_for_type || certs_for_type.empty?
+
+ unless certs_for_type.is_a?(Array) && certs_for_type.all? { |cert| cert.is_a?(Hash) }
+ raise ArgumentError.new("sp_cert_multi :#{type} node must be an Array of Hashes")
+ end
+
+ certs_for_type.each do |pair|
+ cert = pair[:certificate] || pair['certificate'] || pair[:cert] || pair['cert']
+ key = pair[:private_key] || pair['private_key'] || pair[:key] || pair['key']
+
+ unless cert && key
+ raise ArgumentError.new("sp_cert_multi :#{type} node Hashes must specify keys :certificate and :private_key")
+ end
+
+ certs[type] << [
+ OneLogin::RubySaml::Utils.build_cert_object(cert),
+ OneLogin::RubySaml::Utils.build_private_key_object(key)
+ ].freeze
+ end
+ end
+
+ certs.each { |_, ary| ary.freeze }
+ certs
+ end
+ end
+ end
+end
+
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/slo_logoutrequest.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/slo_logoutrequest.rb
new file mode 100644
index 0000000000000000000000000000000000000000..10a500f352ce080f74b1cfb0e0126ac5e713defe
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/slo_logoutrequest.rb
@@ -0,0 +1,347 @@
+require 'zlib'
+require 'time'
+require 'nokogiri'
+
+require "onelogin/ruby-saml/saml_message"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Logout Request (SLO IdP initiated, Parser)
+ #
+ class SloLogoutrequest < SamlMessage
+ include ErrorHandling
+
+ # OneLogin::RubySaml::Settings Toolkit settings
+ attr_accessor :settings
+
+ attr_reader :document
+ attr_reader :request
+ attr_reader :options
+
+ attr_accessor :soft
+
+ # Constructs the Logout Request. A Logout Request Object that is an extension of the SamlMessage class.
+ # @param request [String] A UUEncoded Logout Request from the IdP.
+ # @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object
+ # Or :allowed_clock_drift for the logout request validation process to allow a clock drift when checking dates with
+ # Or :relax_signature_validation to accept signatures if no idp certificate registered on settings
+ #
+ # @raise [ArgumentError] If Request is nil
+ #
+ def initialize(request, options = {})
+ raise ArgumentError.new("Request cannot be nil") if request.nil?
+
+ @errors = []
+ @options = options
+ @soft = true
+ unless options[:settings].nil?
+ @settings = options[:settings]
+ unless @settings.soft.nil?
+ @soft = @settings.soft
+ end
+ end
+
+ @request = decode_raw_saml(request, settings)
+ @document = REXML::Document.new(@request)
+ end
+
+ def request_id
+ id(document)
+ end
+
+ # Validates the Logout Request with the default values (soft = true)
+ # @param collect_errors [Boolean] Stop validation when first error appears or keep validating.
+ # @return [Boolean] TRUE if the Logout Request is valid
+ #
+ def is_valid?(collect_errors = false)
+ validate(collect_errors)
+ end
+
+ # @return [String] Gets the NameID of the Logout Request.
+ #
+ def name_id
+ @name_id ||= Utils.element_text(name_id_node)
+ end
+
+ alias_method :nameid, :name_id
+
+ # @return [String] Gets the NameID Format of the Logout Request.
+ #
+ def name_id_format
+ @name_id_format ||=
+ if name_id_node && name_id_node.attribute("Format")
+ name_id_node.attribute("Format").value
+ end
+ end
+
+ alias_method :nameid_format, :name_id_format
+
+ def name_id_node
+ @name_id_node ||=
+ begin
+ encrypted_node = REXML::XPath.first(document, "/p:LogoutRequest/a:EncryptedID", { "p" => PROTOCOL, "a" => ASSERTION })
+ if encrypted_node
+ node = decrypt_nameid(encrypted_node)
+ else
+ node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+ end
+ end
+ end
+
+ # Decrypts an EncryptedID element
+ # @param encrypted_id_node [REXML::Element] The EncryptedID element
+ # @return [REXML::Document] The decrypted EncrypedtID element
+ #
+ def decrypt_nameid(encrypted_id_node)
+
+ if settings.nil? || settings.get_sp_decryption_keys.empty?
+ raise ValidationError.new('An ' + encrypted_id_node.name + ' found and no SP private key found on the settings to decrypt it')
+ end
+
+ elem_plaintext = OneLogin::RubySaml::Utils.decrypt_multi(encrypted_id_node, settings.get_sp_decryption_keys)
+ # If we get some problematic noise in the plaintext after decrypting.
+ # This quick regexp parse will grab only the Element and discard the noise.
+ elem_plaintext = elem_plaintext.match(/(.*<\/(\w+:)?NameID>)/m)[0]
+
+ # To avoid namespace errors if saml namespace is not defined
+ # create a parent node first with the namespace defined
+ node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
+ elem_plaintext = node_header + elem_plaintext + '</node>'
+ doc = REXML::Document.new(elem_plaintext)
+ doc.root[0]
+ end
+
+ # @return [String|nil] Gets the ID attribute from the Logout Request. if exists.
+ #
+ def id
+ super(document)
+ end
+
+ # @return [String] Gets the Issuer from the Logout Request.
+ #
+ def issuer
+ @issuer ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:LogoutRequest/a:Issuer",
+ { "p" => PROTOCOL, "a" => ASSERTION }
+ )
+ Utils.element_text(node)
+ end
+ end
+
+ # @return [Time|nil] Gets the NotOnOrAfter Attribute value if exists.
+ #
+ def not_on_or_after
+ @not_on_or_after ||= begin
+ node = REXML::XPath.first(
+ document,
+ "/p:LogoutRequest",
+ { "p" => PROTOCOL }
+ )
+ if node && node.attributes["NotOnOrAfter"]
+ Time.parse(node.attributes["NotOnOrAfter"])
+ end
+ end
+ end
+
+ # @return [Array] Gets the SessionIndex if exists (Supported multiple values). Empty Array if none found
+ #
+ def session_indexes
+ nodes = REXML::XPath.match(
+ document,
+ "/p:LogoutRequest/p:SessionIndex",
+ { "p" => PROTOCOL }
+ )
+
+ nodes.map { |node| Utils.element_text(node) }
+ end
+
+ private
+
+ # returns the allowed clock drift on timing validation
+ # @return [Float]
+ def allowed_clock_drift
+ options[:allowed_clock_drift].to_f.abs + Float::EPSILON
+ end
+
+ # Hard aux function to validate the Logout Request
+ # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
+ # @return [Boolean] TRUE if the Logout Request is valid
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate(collect_errors = false)
+ reset_errors!
+
+ validations = [
+ :validate_request_state,
+ :validate_id,
+ :validate_version,
+ :validate_structure,
+ :validate_not_on_or_after,
+ :validate_issuer,
+ :validate_signature
+ ]
+
+ if collect_errors
+ validations.each { |validation| send(validation) }
+ @errors.empty?
+ else
+ validations.all? { |validation| send(validation) }
+ end
+ end
+
+ # Validates that the Logout Request contains an ID
+ # If fails, the error is added to the errors array.
+ # @return [Boolean] True if the Logout Request contains an ID, otherwise returns False
+ #
+ def validate_id
+ unless id
+ return append_error("Missing ID attribute on Logout Request")
+ end
+
+ true
+ end
+
+ # Validates the SAML version (2.0)
+ # If fails, the error is added to the errors array.
+ # @return [Boolean] True if the Logout Request is 2.0, otherwise returns False
+ #
+ def validate_version
+ unless version(document) == "2.0"
+ return append_error("Unsupported SAML version")
+ end
+
+ true
+ end
+
+ # Validates the time. (If the logout request was initialized with the :allowed_clock_drift
+ # option, the timing validations are relaxed by the allowed_clock_drift value)
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if satisfies the conditions, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_not_on_or_after
+ now = Time.now.utc
+
+ if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+ return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})")
+ end
+
+ true
+ end
+
+ # Validates the Logout Request against the specified schema.
+ # @return [Boolean] True if the XML is valid, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_structure
+ unless valid_saml?(document, soft)
+ return append_error("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd")
+ end
+
+ true
+ end
+
+ # Validates that the Logout Request provided in the initialization is not empty,
+ # @return [Boolean] True if the required info is found, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_request_state
+ return append_error("Blank logout request") if request.nil? || request.empty?
+
+ true
+ end
+
+ # Validates the Issuer of the Logout Request
+ # If fails, the error is added to the errors array
+ # @return [Boolean] True if the Issuer matchs the IdP entityId, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_issuer
+ return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+
+ unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+ return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
+ end
+
+ true
+ end
+
+ # Validates the Signature if exists and GET parameters are provided
+ # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
+ # @raise [ValidationError] if soft == false and validation fails
+ #
+ def validate_signature
+ return true if options.nil?
+ return true unless options.has_key? :get_params
+ return true unless options[:get_params].has_key? 'Signature'
+
+ options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params], settings.security[:lowercase_url_encoding])
+
+ if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
+ options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
+ end
+
+ idp_cert = settings.get_idp_cert
+ idp_certs = settings.get_idp_cert_multi
+
+ if idp_cert.nil? && (idp_certs.nil? || idp_certs[:signing].empty?)
+ return options.has_key? :relax_signature_validation
+ end
+
+ query_string = OneLogin::RubySaml::Utils.build_query_from_raw_parts(
+ :type => 'SAMLRequest',
+ :raw_data => options[:raw_get_params]['SAMLRequest'],
+ :raw_relay_state => options[:raw_get_params]['RelayState'],
+ :raw_sig_alg => options[:raw_get_params]['SigAlg']
+ )
+
+ expired = false
+ if idp_certs.nil? || idp_certs[:signing].empty?
+ valid = OneLogin::RubySaml::Utils.verify_signature(
+ :cert => idp_cert,
+ :sig_alg => options[:get_params]['SigAlg'],
+ :signature => options[:get_params]['Signature'],
+ :query_string => query_string
+ )
+ if valid && settings.security[:check_idp_cert_expiration]
+ if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+ expired = true
+ end
+ end
+ else
+ valid = false
+ idp_certs[:signing].each do |signing_idp_cert|
+ valid = OneLogin::RubySaml::Utils.verify_signature(
+ :cert => signing_idp_cert,
+ :sig_alg => options[:get_params]['SigAlg'],
+ :signature => options[:get_params]['Signature'],
+ :query_string => query_string
+ )
+ if valid
+ if settings.security[:check_idp_cert_expiration]
+ if OneLogin::RubySaml::Utils.is_cert_expired(signing_idp_cert)
+ expired = true
+ end
+ end
+ break
+ end
+ end
+ end
+
+ if expired
+ error_msg = "IdP x509 certificate expired"
+ return append_error(error_msg)
+ end
+ unless valid
+ return append_error("Invalid Signature on Logout Request")
+ end
+
+ true
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/slo_logoutresponse.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/slo_logoutresponse.rb
new file mode 100644
index 0000000000000000000000000000000000000000..9791a73d3e93181fcc6defb80aa37b52331f0d06
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/slo_logoutresponse.rb
@@ -0,0 +1,164 @@
+require "onelogin/ruby-saml/logging"
+
+require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
+
+# Only supports SAML 2.0
+module OneLogin
+ module RubySaml
+
+ # SAML2 Logout Response (SLO SP initiated, Parser)
+ #
+ class SloLogoutresponse < SamlMessage
+
+ # Logout Response ID
+ attr_accessor :uuid
+
+ # Initializes the Logout Response. A SloLogoutresponse Object that is an extension of the SamlMessage class.
+ # Asigns an ID, a random uuid.
+ #
+ def initialize
+ @uuid = OneLogin::RubySaml::Utils.uuid
+ end
+
+ def response_id
+ @uuid
+ end
+
+ # Creates the Logout Response string.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+ # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+ # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+ # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
+ # @return [String] Logout Request string that includes the SAMLRequest
+ #
+ def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
+ params = create_params(settings, request_id, logout_message, params, logout_status_code)
+ params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
+ url = settings.idp_slo_response_service_url || settings.idp_slo_service_url
+ saml_response = CGI.escape(params.delete("SAMLResponse"))
+ response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
+ params.each_pair do |key, value|
+ response_params << "&#{key}=#{CGI.escape(value.to_s)}"
+ end
+
+ raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?
+ @logout_url = url + response_params
+ end
+
+ # Creates the Get parameters for the logout response.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+ # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+ # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+ # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
+ # @return [Hash] Parameters
+ #
+ def create_params(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
+ # The method expects :RelayState but sometimes we get 'RelayState' instead.
+ # Based on the HashWithIndifferentAccess value in Rails we could experience
+ # conflicts so this line will solve them.
+ relay_state = params[:RelayState] || params['RelayState']
+
+ if relay_state.nil?
+ params.delete(:RelayState)
+ params.delete('RelayState')
+ end
+
+ response_doc = create_logout_response_xml_doc(settings, request_id, logout_message, logout_status_code)
+ response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+ response = "".dup
+ response_doc.write(response)
+
+ Logging.debug "Created SLO Logout Response: #{response}"
+
+ response = deflate(response) if settings.compress_response
+ base64_response = encode(response)
+ response_params = {"SAMLResponse" => base64_response}
+ sp_signing_key = settings.get_sp_signing_key
+
+ if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && sp_signing_key
+ params['SigAlg'] = settings.security[:signature_method]
+ url_string = OneLogin::RubySaml::Utils.build_query(
+ :type => 'SAMLResponse',
+ :data => base64_response,
+ :relay_state => relay_state,
+ :sig_alg => params['SigAlg']
+ )
+ sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+ signature = sp_signing_key.sign(sign_algorithm.new, url_string)
+ params['Signature'] = encode(signature)
+ end
+
+ params.each_pair do |key, value|
+ response_params[key] = value.to_s
+ end
+
+ response_params
+ end
+
+ # Creates the SAMLResponse String.
+ # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+ # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+ # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+ # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
+ # @return [String] The SAMLResponse String.
+ #
+ def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil, logout_status_code = nil)
+ document = create_xml_document(settings, request_id, logout_message, logout_status_code)
+ sign_document(document, settings)
+ end
+
+ def create_xml_document(settings, request_id = nil, logout_message = nil, status_code = nil)
+ time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+ response_doc = XMLSecurity::Document.new
+ response_doc.uuid = uuid
+
+ destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url
+
+
+ root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+ root.attributes['ID'] = uuid
+ root.attributes['IssueInstant'] = time
+ root.attributes['Version'] = '2.0'
+ root.attributes['InResponseTo'] = request_id unless request_id.nil?
+ root.attributes['Destination'] = destination unless destination.nil? or destination.empty?
+
+ if settings.sp_entity_id != nil
+ issuer = root.add_element "saml:Issuer"
+ issuer.text = settings.sp_entity_id
+ end
+
+ # add status
+ status = root.add_element 'samlp:Status'
+
+ # status code
+ status_code ||= 'urn:oasis:names:tc:SAML:2.0:status:Success'
+ status_code_elem = status.add_element 'samlp:StatusCode'
+ status_code_elem.attributes['Value'] = status_code
+
+ # status message
+ logout_message ||= 'Successfully Signed Out'
+ status_message = status.add_element 'samlp:StatusMessage'
+ status_message.text = logout_message
+
+ response_doc
+ end
+
+ def sign_document(document, settings)
+ # embed signature
+ cert, private_key = settings.get_sp_signing_pair
+ if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && private_key && cert
+ document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+ end
+
+ document
+ end
+
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/utils.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/utils.rb
new file mode 100644
index 0000000000000000000000000000000000000000..b66f6d77cec140d14170c0cf7f8afb1dc41e7cda
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/utils.rb
@@ -0,0 +1,453 @@
+if RUBY_VERSION < '1.9'
+ require 'uuid'
+else
+ require 'securerandom'
+end
+require "openssl"
+
+module OneLogin
+ module RubySaml
+
+ # SAML2 Auxiliary class
+ #
+ class Utils
+ @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
+
+ BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+ :redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
+ DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
+ XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
+ DURATION_FORMAT = %r(^
+ (-?)P # 1: Duration sign
+ (?:
+ (?:(\d+)Y)? # 2: Years
+ (?:(\d+)M)? # 3: Months
+ (?:(\d+)D)? # 4: Days
+ (?:T
+ (?:(\d+)H)? # 5: Hours
+ (?:(\d+)M)? # 6: Minutes
+ (?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
+ )?
+ |
+ (\d+)W # 8: Weeks
+ )
+ $)x.freeze
+
+ UUID_PREFIX = '_'
+ @@prefix = '_'
+
+ # Checks if the x509 cert provided is expired.
+ #
+ # @param cert [OpenSSL::X509::Certificate|String] The x509 certificate.
+ # @return [true|false] Whether the certificate is expired.
+ def self.is_cert_expired(cert)
+ cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
+
+ cert.not_after < Time.now
+ end
+
+ # Checks if the x509 cert provided has both started and has not expired.
+ #
+ # @param cert [OpenSSL::X509::Certificate|String] The x509 certificate.
+ # @return [true|false] Whether the certificate is currently active.
+ def self.is_cert_active(cert)
+ cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
+ now = Time.now
+ cert.not_before <= now && cert.not_after >= now
+ end
+
+ # Interprets a ISO8601 duration value relative to a given timestamp.
+ #
+ # @param duration [String] The duration, as a string.
+ # @param timestamp [Integer] The unix timestamp we should apply the
+ # duration to. Optional, default to the
+ # current time.
+ #
+ # @return [Integer] The new timestamp, after the duration is applied.
+ #
+ def self.parse_duration(duration, timestamp=Time.now.utc)
+ return nil if RUBY_VERSION < '1.9' # 1.8.7 not supported
+
+ matches = duration.match(DURATION_FORMAT)
+
+ if matches.nil?
+ raise StandardError.new("Invalid ISO 8601 duration")
+ end
+
+ sign = matches[1] == '-' ? -1 : 1
+
+ durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
+ matches[2..8].map do |match|
+ if match
+ match = match.tr(',', '.').gsub(/\.0*\z/, '')
+ sign * (match.include?('.') ? match.to_f : match.to_i)
+ else
+ 0
+ end
+ end
+
+ datetime = Time.at(timestamp).utc.to_datetime
+ datetime = datetime.next_year(durYears)
+ datetime = datetime.next_month(durMonths)
+ datetime = datetime.next_day((7*durWeeks) + durDays)
+ datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
+ end
+
+ # Return a properly formatted x509 certificate
+ #
+ # @param cert [String] The original certificate
+ # @return [String] The formatted certificate
+ #
+ def self.format_cert(cert)
+ # don't try to format an encoded certificate or if is empty or nil
+ if cert.respond_to?(:ascii_only?)
+ return cert if cert.nil? || cert.empty? || !cert.ascii_only?
+ else
+ return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+ end
+
+ if cert.scan(/BEGIN CERTIFICATE/).length > 1
+ formatted_cert = []
+ cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
+ formatted_cert << format_cert(c)
+ }
+ formatted_cert.join("\n")
+ else
+ cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+ cert = cert.gsub(/\r/, "")
+ cert = cert.gsub(/\n/, "")
+ cert = cert.gsub(/\s/, "")
+ cert = cert.scan(/.{1,64}/)
+ cert = cert.join("\n")
+ "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+ end
+ end
+
+ # Return a properly formatted private key
+ #
+ # @param key [String] The original private key
+ # @return [String] The formatted private key
+ #
+ def self.format_private_key(key)
+ # don't try to format an encoded private key or if is empty
+ return key if key.nil? || key.empty? || key.match(/\x0d/)
+
+ # is this an rsa key?
+ rsa_key = key.match("RSA PRIVATE KEY")
+ key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
+ key = key.gsub(/\n/, "")
+ key = key.gsub(/\r/, "")
+ key = key.gsub(/\s/, "")
+ key = key.scan(/.{1,64}/)
+ key = key.join("\n")
+ key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
+ "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
+ end
+
+ # Given a certificate string, return an OpenSSL::X509::Certificate object.
+ #
+ # @param cert [String] The original certificate
+ # @return [OpenSSL::X509::Certificate] The certificate object
+ #
+ def self.build_cert_object(cert)
+ return nil if cert.nil? || cert.empty?
+
+ OpenSSL::X509::Certificate.new(format_cert(cert))
+ end
+
+ # Given a private key string, return an OpenSSL::PKey::RSA object.
+ #
+ # @param cert [String] The original private key
+ # @return [OpenSSL::PKey::RSA] The private key object
+ #
+ def self.build_private_key_object(private_key)
+ return nil if private_key.nil? || private_key.empty?
+
+ OpenSSL::PKey::RSA.new(format_private_key(private_key))
+ end
+
+ # Build the Query String signature that will be used in the HTTP-Redirect binding
+ # to generate the Signature
+ # @param params [Hash] Parameters to build the Query String
+ # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+ # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
+ # @option params [String] :relay_state The RelayState parameter
+ # @option params [String] :sig_alg The SigAlg parameter
+ # @return [String] The Query String
+ #
+ def self.build_query(params)
+ type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
+
+ url_string = "#{type}=#{CGI.escape(data)}"
+ url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+ url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
+ end
+
+ # Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature
+ #
+ # @param params [Hash] Parameters to build the Query String
+ # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+ # @option params [String] :raw_data URI-encoded, base64 encoded SAMLRequest or SAMLResponse, as sent by IDP
+ # @option params [String] :raw_relay_state URI-encoded RelayState parameter, as sent by IDP
+ # @option params [String] :raw_sig_alg URI-encoded SigAlg parameter, as sent by IDP
+ # @return [String] The Query String
+ #
+ def self.build_query_from_raw_parts(params)
+ type, raw_data, raw_relay_state, raw_sig_alg = [:type, :raw_data, :raw_relay_state, :raw_sig_alg].map { |k| params[k]}
+
+ url_string = "#{type}=#{raw_data}"
+ url_string << "&RelayState=#{raw_relay_state}" if raw_relay_state
+ url_string << "&SigAlg=#{raw_sig_alg}"
+ end
+
+ # Prepare raw GET parameters (build them from normal parameters
+ # if not provided).
+ #
+ # @param rawparams [Hash] Raw GET Parameters
+ # @param params [Hash] GET Parameters
+ # @param lowercase_url_encoding [bool] Lowercase URL Encoding (For ADFS urlencode compatiblity)
+ # @return [Hash] New raw parameters
+ #
+ def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
+ rawparams ||= {}
+
+ if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
+ rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
+ end
+ if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
+ rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
+ end
+ if rawparams['RelayState'].nil? && !params['RelayState'].nil?
+ rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
+ end
+ if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
+ rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
+ end
+
+ rawparams
+ end
+
+ def self.escape_request_param(param, lowercase_url_encoding)
+ CGI.escape(param).tap do |escaped|
+ next unless lowercase_url_encoding
+
+ escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
+ end
+ end
+
+ # Validate the Signature parameter sent on the HTTP-Redirect binding
+ # @param params [Hash] Parameters to be used in the validation process
+ # @option params [OpenSSL::X509::Certificate] cert The IDP public certificate
+ # @option params [String] sig_alg The SigAlg parameter
+ # @option params [String] signature The Signature parameter (base64 encoded)
+ # @option params [String] query_string The full GET Query String to be compared
+ # @return [Boolean] True if the Signature is valid, False otherwise
+ #
+ def self.verify_signature(params)
+ cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
+ signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(sig_alg)
+ return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
+ end
+
+ # Build the status error message
+ # @param status_code [String] StatusCode value
+ # @param status_message [Strig] StatusMessage value
+ # @return [String] The status error message
+ def self.status_error_msg(error_msg, raw_status_code = nil, status_message = nil)
+ error_msg = error_msg.dup
+
+ unless raw_status_code.nil?
+ if raw_status_code.include? "|"
+ status_codes = raw_status_code.split(' | ')
+ values = status_codes.collect do |status_code|
+ status_code.split(':').last
+ end
+ printable_code = values.join(" => ")
+ else
+ printable_code = raw_status_code.split(':').last
+ end
+ error_msg << ', was ' + printable_code
+ end
+
+ unless status_message.nil?
+ error_msg << ' -> ' + status_message
+ end
+
+ error_msg
+ end
+
+ # Obtains the decrypted string from an Encrypted node element in XML,
+ # given multiple private keys to try.
+ # @param encrypted_node [REXML::Element] The Encrypted element
+ # @param private_keys [Array<OpenSSL::PKey::RSA>] The Service provider private key
+ # @return [String] The decrypted data
+ def self.decrypt_multi(encrypted_node, private_keys)
+ raise ArgumentError.new('private_keys must be specified') if !private_keys || private_keys.empty?
+
+ error = nil
+ private_keys.each do |key|
+ begin
+ return decrypt_data(encrypted_node, key)
+ rescue OpenSSL::PKey::PKeyError => e
+ error ||= e
+ end
+ end
+
+ raise(error) if error
+ end
+
+ # Obtains the decrypted string from an Encrypted node element in XML
+ # @param encrypted_node [REXML::Element] The Encrypted element
+ # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
+ # @return [String] The decrypted data
+ def self.decrypt_data(encrypted_node, private_key)
+ encrypt_data = REXML::XPath.first(
+ encrypted_node,
+ "./xenc:EncryptedData",
+ { 'xenc' => XENC }
+ )
+ symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
+ cipher_value = REXML::XPath.first(
+ encrypt_data,
+ "./xenc:CipherData/xenc:CipherValue",
+ { 'xenc' => XENC }
+ )
+ node = Base64.decode64(element_text(cipher_value))
+ encrypt_method = REXML::XPath.first(
+ encrypt_data,
+ "./xenc:EncryptionMethod",
+ { 'xenc' => XENC }
+ )
+ algorithm = encrypt_method.attributes['Algorithm']
+ retrieve_plaintext(node, symmetric_key, algorithm)
+ end
+
+ # Obtains the symmetric key from the EncryptedData element
+ # @param encrypt_data [REXML::Element] The EncryptedData element
+ # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
+ # @return [String] The symmetric key
+ def self.retrieve_symmetric_key(encrypt_data, private_key)
+ encrypted_key = REXML::XPath.first(
+ encrypt_data,
+ "./ds:KeyInfo/xenc:EncryptedKey | ./KeyInfo/xenc:EncryptedKey | //xenc:EncryptedKey[@Id=$id]",
+ { "ds" => DSIG, "xenc" => XENC },
+ { "id" => self.retrieve_symetric_key_reference(encrypt_data) }
+ )
+
+ encrypted_symmetric_key_element = REXML::XPath.first(
+ encrypted_key,
+ "./xenc:CipherData/xenc:CipherValue",
+ "xenc" => XENC
+ )
+
+ cipher_text = Base64.decode64(element_text(encrypted_symmetric_key_element))
+
+ encrypt_method = REXML::XPath.first(
+ encrypted_key,
+ "./xenc:EncryptionMethod",
+ "xenc" => XENC
+ )
+
+ algorithm = encrypt_method.attributes['Algorithm']
+ retrieve_plaintext(cipher_text, private_key, algorithm)
+ end
+
+ def self.retrieve_symetric_key_reference(encrypt_data)
+ REXML::XPath.first(
+ encrypt_data,
+ "substring-after(./ds:KeyInfo/ds:RetrievalMethod/@URI, '#')",
+ { "ds" => DSIG }
+ )
+ end
+
+ # Obtains the deciphered text
+ # @param cipher_text [String] The ciphered text
+ # @param symmetric_key [String] The symmetric key used to encrypt the text
+ # @param algorithm [String] The encrypted algorithm
+ # @return [String] The deciphered text
+ def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
+ case algorithm
+ when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
+ when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
+ when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
+ when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+ when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
+ when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt
+ when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt
+ when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
+ when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
+ end
+
+ if cipher
+ iv_len = cipher.iv_len
+ data = cipher_text[iv_len..-1]
+ cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
+ assertion_plaintext = cipher.update(data)
+ assertion_plaintext << cipher.final
+ elsif auth_cipher
+ iv_len, text_len, tag_len = auth_cipher.iv_len, cipher_text.length, 16
+ data = cipher_text[iv_len..text_len-1-tag_len]
+ auth_cipher.padding = 0
+ auth_cipher.key = symmetric_key
+ auth_cipher.iv = cipher_text[0..iv_len-1]
+ auth_cipher.auth_data = ''
+ auth_cipher.auth_tag = cipher_text[text_len-tag_len..-1]
+ assertion_plaintext = auth_cipher.update(data)
+ assertion_plaintext << auth_cipher.final
+ elsif rsa
+ rsa.private_decrypt(cipher_text)
+ elsif oaep
+ oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+ else
+ cipher_text
+ end
+ end
+
+ def self.set_prefix(value)
+ @@prefix = value
+ end
+
+ def self.prefix
+ @@prefix
+ end
+
+ def self.uuid
+ "#{prefix}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
+ end
+
+ # Given two strings, attempt to match them as URIs using Rails' parse method. If they can be parsed,
+ # then the fully-qualified domain name and the host should performa a case-insensitive match, per the
+ # RFC for URIs. If Rails can not parse the string in to URL pieces, return a boolean match of the
+ # two strings. This maintains the previous functionality.
+ # @return [Boolean]
+ def self.uri_match?(destination_url, settings_url)
+ dest_uri = URI.parse(destination_url)
+ acs_uri = URI.parse(settings_url)
+
+ if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
+ raise URI::InvalidURIError
+ else
+ dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
+ dest_uri.host.downcase == acs_uri.host.downcase &&
+ dest_uri.path == acs_uri.path &&
+ dest_uri.query == acs_uri.query
+ end
+ rescue URI::InvalidURIError
+ original_uri_match?(destination_url, settings_url)
+ end
+
+ # If Rails' URI.parse can't match to valid URL, default back to the original matching service.
+ # @return [Boolean]
+ def self.original_uri_match?(destination_url, settings_url)
+ destination_url == settings_url
+ end
+
+ # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
+ # that there all children other than text nodes can be ignored (e.g. comments). If nil is
+ # passed, nil will be returned.
+ def self.element_text(element)
+ element.texts.map(&:value).join if element
+ end
+ end
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/validation_error.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/validation_error.rb
new file mode 100644
index 0000000000000000000000000000000000000000..0f777b8d88b465110eabc62e899dbe4c7fa0f7e6
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/validation_error.rb
@@ -0,0 +1,7 @@
+module OneLogin
+ module RubySaml
+ class ValidationError < StandardError
+ end
+ end
+end
+
diff --git a/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/version.rb b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/version.rb
new file mode 100644
index 0000000000000000000000000000000000000000..826d98fe0902fa1a2c0e5646379183102b463264
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/onelogin/ruby-saml/version.rb
@@ -0,0 +1,5 @@
+module OneLogin
+ module RubySaml
+ VERSION = '1.18.0'
+ end
+end
diff --git a/vendor/gems/ruby-saml/lib/ruby-saml.rb b/vendor/gems/ruby-saml/lib/ruby-saml.rb
new file mode 100644
index 0000000000000000000000000000000000000000..282e54908d24834b9dbec76ff80ece87e981da7a
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/ruby-saml.rb
@@ -0,0 +1 @@
+require 'onelogin/ruby-saml'
diff --git a/vendor/gems/ruby-saml/lib/schemas/saml-schema-assertion-2.0.xsd b/vendor/gems/ruby-saml/lib/schemas/saml-schema-assertion-2.0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..2b2f7b8018a7390584352c42a5db5654d6bd6033
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/saml-schema-assertion-2.0.xsd
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/2001/04/xmlenc#"
+ schemaLocation="xenc-schema.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-assertion-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V1.0 (November, 2002):
+ Initial Standard Schema.
+ V1.1 (September, 2003):
+ Updates within the same V1.0 namespace.
+ V2.0 (March, 2005):
+ New assertion schema for SAML V2.0 namespace.
+ </documentation>
+ </annotation>
+ <attributeGroup name="IDNameQualifiers">
+ <attribute name="NameQualifier" type="string" use="optional"/>
+ <attribute name="SPNameQualifier" type="string" use="optional"/>
+ </attributeGroup>
+ <element name="BaseID" type="saml:BaseIDAbstractType"/>
+ <complexType name="BaseIDAbstractType" abstract="true">
+ <attributeGroup ref="saml:IDNameQualifiers"/>
+ </complexType>
+ <element name="NameID" type="saml:NameIDType"/>
+ <complexType name="NameIDType">
+ <simpleContent>
+ <extension base="string">
+ <attributeGroup ref="saml:IDNameQualifiers"/>
+ <attribute name="Format" type="anyURI" use="optional"/>
+ <attribute name="SPProvidedID" type="string" use="optional"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="EncryptedElementType">
+ <sequence>
+ <element ref="xenc:EncryptedData"/>
+ <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="EncryptedID" type="saml:EncryptedElementType"/>
+ <element name="Issuer" type="saml:NameIDType"/>
+ <element name="AssertionIDRef" type="NCName"/>
+ <element name="AssertionURIRef" type="anyURI"/>
+ <element name="Assertion" type="saml:AssertionType"/>
+ <complexType name="AssertionType">
+ <sequence>
+ <element ref="saml:Issuer"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="saml:Subject" minOccurs="0"/>
+ <element ref="saml:Conditions" minOccurs="0"/>
+ <element ref="saml:Advice" minOccurs="0"/>
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Statement"/>
+ <element ref="saml:AuthnStatement"/>
+ <element ref="saml:AuthzDecisionStatement"/>
+ <element ref="saml:AttributeStatement"/>
+ </choice>
+ </sequence>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ </complexType>
+ <element name="Subject" type="saml:SubjectType"/>
+ <complexType name="SubjectType">
+ <choice>
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/>
+ </choice>
+ </complexType>
+ <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/>
+ <complexType name="SubjectConfirmationType">
+ <sequence>
+ <choice minOccurs="0">
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+ </sequence>
+ <attribute name="Method" type="anyURI" use="required"/>
+ </complexType>
+ <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/>
+ <complexType name="SubjectConfirmationDataType" mixed="true">
+ <complexContent>
+ <restriction base="anyType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ <attribute name="Recipient" type="anyURI" use="optional"/>
+ <attribute name="InResponseTo" type="NCName" use="optional"/>
+ <attribute name="Address" type="string" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </restriction>
+ </complexContent>
+ </complexType>
+ <complexType name="KeyInfoConfirmationDataType" mixed="false">
+ <complexContent>
+ <restriction base="saml:SubjectConfirmationDataType">
+ <sequence>
+ <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
+ </sequence>
+ </restriction>
+ </complexContent>
+ </complexType>
+ <element name="Conditions" type="saml:ConditionsType"/>
+ <complexType name="ConditionsType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Condition"/>
+ <element ref="saml:AudienceRestriction"/>
+ <element ref="saml:OneTimeUse"/>
+ <element ref="saml:ProxyRestriction"/>
+ </choice>
+ <attribute name="NotBefore" type="dateTime" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ </complexType>
+ <element name="Condition" type="saml:ConditionAbstractType"/>
+ <complexType name="ConditionAbstractType" abstract="true"/>
+ <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/>
+ <complexType name="AudienceRestrictionType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType">
+ <sequence>
+ <element ref="saml:Audience" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Audience" type="anyURI"/>
+ <element name="OneTimeUse" type="saml:OneTimeUseType" />
+ <complexType name="OneTimeUseType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType"/>
+ </complexContent>
+ </complexType>
+ <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/>
+ <complexType name="ProxyRestrictionType">
+ <complexContent>
+ <extension base="saml:ConditionAbstractType">
+ <sequence>
+ <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Count" type="nonNegativeInteger" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Advice" type="saml:AdviceType"/>
+ <complexType name="AdviceType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:AssertionIDRef"/>
+ <element ref="saml:AssertionURIRef"/>
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </complexType>
+ <element name="EncryptedAssertion" type="saml:EncryptedElementType"/>
+ <element name="Statement" type="saml:StatementAbstractType"/>
+ <complexType name="StatementAbstractType" abstract="true"/>
+ <element name="AuthnStatement" type="saml:AuthnStatementType"/>
+ <complexType name="AuthnStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <sequence>
+ <element ref="saml:SubjectLocality" minOccurs="0"/>
+ <element ref="saml:AuthnContext"/>
+ </sequence>
+ <attribute name="AuthnInstant" type="dateTime" use="required"/>
+ <attribute name="SessionIndex" type="string" use="optional"/>
+ <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SubjectLocality" type="saml:SubjectLocalityType"/>
+ <complexType name="SubjectLocalityType">
+ <attribute name="Address" type="string" use="optional"/>
+ <attribute name="DNSName" type="string" use="optional"/>
+ </complexType>
+ <element name="AuthnContext" type="saml:AuthnContextType"/>
+ <complexType name="AuthnContextType">
+ <sequence>
+ <choice>
+ <sequence>
+ <element ref="saml:AuthnContextClassRef"/>
+ <choice minOccurs="0">
+ <element ref="saml:AuthnContextDecl"/>
+ <element ref="saml:AuthnContextDeclRef"/>
+ </choice>
+ </sequence>
+ <choice>
+ <element ref="saml:AuthnContextDecl"/>
+ <element ref="saml:AuthnContextDeclRef"/>
+ </choice>
+ </choice>
+ <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="AuthnContextClassRef" type="anyURI"/>
+ <element name="AuthnContextDeclRef" type="anyURI"/>
+ <element name="AuthnContextDecl" type="anyType"/>
+ <element name="AuthenticatingAuthority" type="anyURI"/>
+ <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/>
+ <complexType name="AuthzDecisionStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <sequence>
+ <element ref="saml:Action" maxOccurs="unbounded"/>
+ <element ref="saml:Evidence" minOccurs="0"/>
+ </sequence>
+ <attribute name="Resource" type="anyURI" use="required"/>
+ <attribute name="Decision" type="saml:DecisionType" use="required"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <simpleType name="DecisionType">
+ <restriction base="string">
+ <enumeration value="Permit"/>
+ <enumeration value="Deny"/>
+ <enumeration value="Indeterminate"/>
+ </restriction>
+ </simpleType>
+ <element name="Action" type="saml:ActionType"/>
+ <complexType name="ActionType">
+ <simpleContent>
+ <extension base="string">
+ <attribute name="Namespace" type="anyURI" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <element name="Evidence" type="saml:EvidenceType"/>
+ <complexType name="EvidenceType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:AssertionIDRef"/>
+ <element ref="saml:AssertionURIRef"/>
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ </choice>
+ </complexType>
+ <element name="AttributeStatement" type="saml:AttributeStatementType"/>
+ <complexType name="AttributeStatementType">
+ <complexContent>
+ <extension base="saml:StatementAbstractType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:Attribute"/>
+ <element ref="saml:EncryptedAttribute"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Attribute" type="saml:AttributeType"/>
+ <complexType name="AttributeType">
+ <sequence>
+ <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Name" type="string" use="required"/>
+ <attribute name="NameFormat" type="anyURI" use="optional"/>
+ <attribute name="FriendlyName" type="string" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="AttributeValue" type="anyType" nillable="true"/>
+ <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
+</schema>
diff --git a/vendor/gems/ruby-saml/lib/schemas/saml-schema-authn-context-2.0.xsd b/vendor/gems/ruby-saml/lib/schemas/saml-schema-authn-context-2.0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..e4754faf8c44218741ed4e292059bb739349f4bd
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/saml-schema-authn-context-2.0.xsd
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:ac"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns="urn:oasis:names:tc:SAML:2.0:ac"
+ blockDefault="substitution"
+ version="2.0">
+
+ <xs:annotation>
+ <xs:documentation>
+ Document identifier: saml-schema-authn-context-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V2.0 (March, 2005):
+ New core authentication context schema for SAML V2.0.
+ This is just an include of all types from the schema
+ referred to in the include statement below.
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:include schemaLocation="saml-schema-authn-context-types-2.0.xsd"/>
+
+</xs:schema>
\ No newline at end of file
diff --git a/vendor/gems/ruby-saml/lib/schemas/saml-schema-authn-context-types-2.0.xsd b/vendor/gems/ruby-saml/lib/schemas/saml-schema-authn-context-types-2.0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..8513959a5d5bde4eba75202aaa7c2d11084339fe
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/saml-schema-authn-context-types-2.0.xsd
@@ -0,0 +1,821 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ elementFormDefault="qualified"
+ version="2.0">
+
+ <xs:annotation>
+ <xs:documentation>
+ Document identifier: saml-schema-authn-context-types-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V2.0 (March, 2005):
+ New core authentication context schema types for SAML V2.0.
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ A particular assertion on an identity
+ provider's part with respect to the authentication
+ context associated with an authentication assertion.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Identification" type="IdentificationType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characteristics that describe the
+ processes and mechanisms
+ the Authentication Authority uses to initially create
+ an association between a Principal
+ and the identity (or name) by which the Principal will
+ be known
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PhysicalVerification">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that identification has been
+ performed in a physical
+ face-to-face meeting with the principal and not in an
+ online manner.
+ </xs:documentation>
+ </xs:annotation>
+ <xs:complexType>
+ <xs:attribute name="credentialLevel">
+ <xs:simpleType>
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="primary"/>
+ <xs:enumeration value="secondary"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ </xs:complexType>
+ </xs:element>
+
+ <xs:element name="WrittenConsent" type="ExtensionOnlyType"/>
+
+ <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characterstics that describe how the
+ 'secret' (the knowledge or possession
+ of which allows the Principal to authenticate to the
+ Authentication Authority) is kept secure
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the types and strengths of
+ facilities
+ of a UA used to protect a shared secret key from
+ unauthorized access and/or use.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the types and strengths of
+ facilities
+ of a UA used to protect a private key from
+ unauthorized access and/or use.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="KeyActivation" type="KeyActivationType">
+ <xs:annotation>
+ <xs:documentation>The actions that must be performed
+ before the private key can be used. </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="KeySharing" type="KeySharingType">
+ <xs:annotation>
+ <xs:documentation>Whether or not the private key is shared
+ with the certificate authority.</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="KeyStorage" type="KeyStorageType">
+ <xs:annotation>
+ <xs:documentation>
+ In which medium is the key stored.
+ memory - the key is stored in memory.
+ smartcard - the key is stored in a smartcard.
+ token - the key is stored in a hardware token.
+ MobileDevice - the key is stored in a mobile device.
+ MobileAuthCard - the key is stored in a mobile
+ authentication card.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/>
+ <xs:element name="UserSuffix" type="ExtensionOnlyType"/>
+
+ <xs:element name="Password" type="PasswordType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a password (or passphrase)
+ has been used to
+ authenticate the Principal to a remote system.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationPin" type="ActivationPinType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a Pin (Personal
+ Identification Number) has been used to authenticate the Principal to
+ some local system in order to activate a key.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Token" type="TokenType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a hardware or software
+ token is used
+ as a method of identifying the Principal.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="TimeSyncToken" type="TimeSyncTokenType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a time synchronization
+ token is used to identify the Principal. hardware -
+ the time synchonization
+ token has been implemented in hardware. software - the
+ time synchronization
+ token has been implemented in software. SeedLength -
+ the length, in bits, of the
+ random seed used in the time synchronization token.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Smartcard" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that a smartcard is used to
+ identity the Principal.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Length" type="LengthType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the minimum and/or maximum
+ ASCII length of the password which is enforced (by the UA or the
+ IdP). In other words, this is the minimum and/or maximum number of
+ ASCII characters required to represent a valid password.
+ min - the minimum number of ASCII characters required
+ in a valid password, as enforced by the UA or the IdP.
+ max - the maximum number of ASCII characters required
+ in a valid password, as enforced by the UA or the IdP.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationLimit" type="ActivationLimitType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates the length of time for which an
+ PIN-based authentication is valid.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Generation">
+ <xs:annotation>
+ <xs:documentation>
+ Indicates whether the password was chosen by the
+ Principal or auto-supplied by the Authentication Authority.
+ principalchosen - the Principal is allowed to choose
+ the value of the password. This is true even if
+ the initial password is chosen at random by the UA or
+ the IdP and the Principal is then free to change
+ the password.
+ automatic - the password is chosen by the UA or the
+ IdP to be cryptographically strong in some sense,
+ or to satisfy certain password rules, and that the
+ Principal is not free to change it or to choose a new password.
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:complexType>
+ <xs:attribute name="mechanism" use="required">
+ <xs:simpleType>
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="principalchosen"/>
+ <xs:enumeration value="automatic"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ </xs:complexType>
+ </xs:element>
+
+ <xs:element name="AuthnMethod" type="AuthnMethodBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characteristics that define the
+ mechanisms by which the Principal authenticates to the Authentication
+ Authority.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType">
+ <xs:annotation>
+ <xs:documentation>
+ The method that a Principal employs to perform
+ authentication to local system components.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="Authenticator" type="AuthenticatorBaseType">
+ <xs:annotation>
+ <xs:documentation>
+ The method applied to validate a principal's
+ authentication across a network
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType">
+ <xs:annotation>
+ <xs:documentation>
+ Supports Authenticators with nested combinations of
+ additional complexity.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PreviousSession" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ Indicates that the Principal has been strongly
+ authenticated in a previous session during which the IdP has set a
+ cookie in the UA. During the present session the Principal has only
+ been authenticated by the UA returning the cookie to the IdP.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ResumeSession" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ Rather like PreviousSession but using stronger
+ security. A secret that was established in a previous session with
+ the Authentication Authority has been cached by the local system and
+ is now re-used (e.g. a Master Secret is used to derive new session
+ keys in TLS, SSL, WTLS).
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ZeroKnowledge" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated by a zero knowledge technique as specified in ISO/IEC
+ 9798-5.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/>
+
+ <xs:complexType name="SharedSecretChallengeResponseType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated by a challenge-response protocol utilizing shared secret
+ keys and symmetric cryptography.
+ </xs:documentation>
+ </xs:annotation>
+ <xs:sequence>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="method" type="xs:anyURI" use="optional"/>
+ </xs:complexType>
+
+ <xs:element name="DigSig" type="PublicKeyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated by a mechanism which involves the Principal computing a
+ digital signature over at least challenge data provided by the IdP.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="AsymmetricDecryption" type="PublicKeyType">
+ <xs:annotation>
+ <xs:documentation>
+ The local system has a private key but it is used
+ in decryption mode, rather than signature mode. For example, the
+ Authentication Authority generates a secret and encrypts it using the
+ local system's public key: the local system then proves it has
+ decrypted the secret.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType">
+ <xs:annotation>
+ <xs:documentation>
+ The local system has a private key and uses it for
+ shared secret key agreement with the Authentication Authority (e.g.
+ via Diffie Helman).
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:complexType name="PublicKeyType">
+ <xs:sequence>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="keyValidation" use="optional"/>
+ </xs:complexType>
+
+ <xs:element name="IPAddress" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Principal has been
+ authenticated through connection from a particular IP address.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ The local system and Authentication Authority
+ share a secret key. The local system uses this to encrypt a
+ randomised string to pass to the Authentication Authority.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType">
+ <xs:annotation>
+ <xs:documentation>
+ The protocol across which Authenticator information is
+ transferred to an Authentication Authority verifier.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="HTTP" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using bare HTTP utilizing no additional security
+ protocols.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="IPSec" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using a transport mechanism protected by an IPSEC session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="WTLS" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using a transport mechanism protected by a WTLS session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted solely across a mobile network using no additional
+ security mechanism.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/>
+ <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/>
+
+ <xs:element name="SSL" type="ExtensionOnlyType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Authenticator has been
+ transmitted using a transport mechnanism protected by an SSL or TLS
+ session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="PSTN" type="ExtensionOnlyType"/>
+ <xs:element name="ISDN" type="ExtensionOnlyType"/>
+ <xs:element name="ADSL" type="ExtensionOnlyType"/>
+
+ <xs:element name="OperationalProtection" type="OperationalProtectionType">
+ <xs:annotation>
+ <xs:documentation>
+ Refers to those characteristics that describe
+ procedural security controls employed by the Authentication Authority.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="SecurityAudit" type="SecurityAuditType"/>
+ <xs:element name="SwitchAudit" type="ExtensionOnlyType"/>
+ <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/>
+
+ <xs:element name="GoverningAgreements" type="GoverningAgreementsType">
+ <xs:annotation>
+ <xs:documentation>
+ Provides a mechanism for linking to external (likely
+ human readable) documents in which additional business agreements,
+ (e.g. liability constraints, obligations, etc) can be placed.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/>
+
+ <xs:simpleType name="nymType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="anonymity"/>
+ <xs:enumeration value="verinymity"/>
+ <xs:enumeration value="pseudonymity"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:complexType name="AuthnContextDeclarationBaseType">
+ <xs:sequence>
+ <xs:element ref="Identification" minOccurs="0"/>
+ <xs:element ref="TechnicalProtection" minOccurs="0"/>
+ <xs:element ref="OperationalProtection" minOccurs="0"/>
+ <xs:element ref="AuthnMethod" minOccurs="0"/>
+ <xs:element ref="GoverningAgreements" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="ID" type="xs:ID" use="optional"/>
+ </xs:complexType>
+
+ <xs:complexType name="IdentificationType">
+ <xs:sequence>
+ <xs:element ref="PhysicalVerification" minOccurs="0"/>
+ <xs:element ref="WrittenConsent" minOccurs="0"/>
+ <xs:element ref="GoverningAgreements" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="nym" type="nymType">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute indicates whether or not the
+ Identification mechanisms allow the actions of the Principal to be
+ linked to an actual end user.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+ </xs:complexType>
+
+ <xs:complexType name="TechnicalProtectionBaseType">
+ <xs:sequence>
+ <xs:choice minOccurs="0">
+ <xs:element ref="PrivateKeyProtection"/>
+ <xs:element ref="SecretKeyProtection"/>
+ </xs:choice>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="OperationalProtectionType">
+ <xs:sequence>
+ <xs:element ref="SecurityAudit" minOccurs="0"/>
+ <xs:element ref="DeactivationCallCenter" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="AuthnMethodBaseType">
+ <xs:sequence>
+ <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/>
+ <xs:element ref="Authenticator" minOccurs="0"/>
+ <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="GoverningAgreementsType">
+ <xs:sequence>
+ <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="GoverningAgreementRefType">
+ <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="PrincipalAuthenticationMechanismType">
+ <xs:sequence>
+ <xs:element ref="Password" minOccurs="0"/>
+ <xs:element ref="RestrictedPassword" minOccurs="0"/>
+ <xs:element ref="Token" minOccurs="0"/>
+ <xs:element ref="Smartcard" minOccurs="0"/>
+ <xs:element ref="ActivationPin" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="preauth" type="xs:integer" use="optional"/>
+ </xs:complexType>
+
+ <xs:group name="AuthenticatorChoiceGroup">
+ <xs:choice>
+ <xs:element ref="PreviousSession"/>
+ <xs:element ref="ResumeSession"/>
+ <xs:element ref="DigSig"/>
+ <xs:element ref="Password"/>
+ <xs:element ref="RestrictedPassword"/>
+ <xs:element ref="ZeroKnowledge"/>
+ <xs:element ref="SharedSecretChallengeResponse"/>
+ <xs:element ref="SharedSecretDynamicPlaintext"/>
+ <xs:element ref="IPAddress"/>
+ <xs:element ref="AsymmetricDecryption"/>
+ <xs:element ref="AsymmetricKeyAgreement"/>
+ <xs:element ref="SubscriberLineNumber"/>
+ <xs:element ref="UserSuffix"/>
+ <xs:element ref="ComplexAuthenticator"/>
+ </xs:choice>
+ </xs:group>
+
+ <xs:group name="AuthenticatorSequenceGroup">
+ <xs:sequence>
+ <xs:element ref="PreviousSession" minOccurs="0"/>
+ <xs:element ref="ResumeSession" minOccurs="0"/>
+ <xs:element ref="DigSig" minOccurs="0"/>
+ <xs:element ref="Password" minOccurs="0"/>
+ <xs:element ref="RestrictedPassword" minOccurs="0"/>
+ <xs:element ref="ZeroKnowledge" minOccurs="0"/>
+ <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/>
+ <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/>
+ <xs:element ref="IPAddress" minOccurs="0"/>
+ <xs:element ref="AsymmetricDecryption" minOccurs="0"/>
+ <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/>
+ <xs:element ref="SubscriberLineNumber" minOccurs="0"/>
+ <xs:element ref="UserSuffix" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:group>
+
+ <xs:complexType name="AuthenticatorBaseType">
+ <xs:sequence>
+ <xs:group ref="AuthenticatorChoiceGroup"/>
+ <xs:group ref="AuthenticatorSequenceGroup"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="ComplexAuthenticatorType">
+ <xs:sequence>
+ <xs:group ref="AuthenticatorChoiceGroup"/>
+ <xs:group ref="AuthenticatorSequenceGroup"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="AuthenticatorTransportProtocolType">
+ <xs:sequence>
+ <xs:choice minOccurs="0">
+ <xs:element ref="HTTP"/>
+ <xs:element ref="SSL"/>
+ <xs:element ref="MobileNetworkNoEncryption"/>
+ <xs:element ref="MobileNetworkRadioEncryption"/>
+ <xs:element ref="MobileNetworkEndToEndEncryption"/>
+ <xs:element ref="WTLS"/>
+ <xs:element ref="IPSec"/>
+ <xs:element ref="PSTN"/>
+ <xs:element ref="ISDN"/>
+ <xs:element ref="ADSL"/>
+ </xs:choice>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="KeyActivationType">
+ <xs:sequence>
+ <xs:element ref="ActivationPin" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="KeySharingType">
+ <xs:attribute name="sharing" type="xs:boolean" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="PrivateKeyProtectionType">
+ <xs:sequence>
+ <xs:element ref="KeyActivation" minOccurs="0"/>
+ <xs:element ref="KeyStorage" minOccurs="0"/>
+ <xs:element ref="KeySharing" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="PasswordType">
+ <xs:sequence>
+ <xs:element ref="Length" minOccurs="0"/>
+ <xs:element ref="Alphabet" minOccurs="0"/>
+ <xs:element ref="Generation" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+ </xs:complexType>
+
+ <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/>
+
+ <xs:complexType name="RestrictedPasswordType">
+ <xs:complexContent>
+ <xs:restriction base="PasswordType">
+ <xs:sequence>
+ <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/>
+ <xs:element ref="Generation" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/>
+ </xs:restriction>
+ </xs:complexContent>
+ </xs:complexType>
+
+ <xs:complexType name="RestrictedLengthType">
+ <xs:complexContent>
+ <xs:restriction base="LengthType">
+ <xs:attribute name="min" use="required">
+ <xs:simpleType>
+ <xs:restriction base="xs:integer">
+ <xs:minInclusive value="3"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+ <xs:attribute name="max" type="xs:integer" use="optional"/>
+ </xs:restriction>
+ </xs:complexContent>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationPinType">
+ <xs:sequence>
+ <xs:element ref="Length" minOccurs="0"/>
+ <xs:element ref="Alphabet" minOccurs="0"/>
+ <xs:element ref="Generation" minOccurs="0"/>
+ <xs:element ref="ActivationLimit" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:element name="Alphabet" type="AlphabetType"/>
+ <xs:complexType name="AlphabetType">
+ <xs:attribute name="requiredChars" type="xs:string" use="required"/>
+ <xs:attribute name="excludedChars" type="xs:string" use="optional"/>
+ <xs:attribute name="case" type="xs:string" use="optional"/>
+ </xs:complexType>
+
+ <xs:complexType name="TokenType">
+ <xs:sequence>
+ <xs:element ref="TimeSyncToken"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:simpleType name="DeviceTypeType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="hardware"/>
+ <xs:enumeration value="software"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:simpleType name="booleanType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="true"/>
+ <xs:enumeration value="false"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:complexType name="TimeSyncTokenType">
+ <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/>
+ <xs:attribute name="SeedLength" type="xs:integer" use="required"/>
+ <xs:attribute name="DeviceInHand" type="booleanType" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationLimitType">
+ <xs:choice>
+ <xs:element ref="ActivationLimitDuration"/>
+ <xs:element ref="ActivationLimitUsages"/>
+ <xs:element ref="ActivationLimitSession"/>
+ </xs:choice>
+ </xs:complexType>
+
+ <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Key Activation Limit is
+ defined as a specific duration of time.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Key Activation Limit is
+ defined as a number of usages.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType">
+ <xs:annotation>
+ <xs:documentation>
+ This element indicates that the Key Activation Limit is
+ the session.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
+ <xs:complexType name="ActivationLimitDurationType">
+ <xs:attribute name="duration" type="xs:duration" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationLimitUsagesType">
+ <xs:attribute name="number" type="xs:integer" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="ActivationLimitSessionType"/>
+
+ <xs:complexType name="LengthType">
+ <xs:attribute name="min" type="xs:integer" use="required"/>
+ <xs:attribute name="max" type="xs:integer" use="optional"/>
+ </xs:complexType>
+
+ <xs:simpleType name="mediumType">
+ <xs:restriction base="xs:NMTOKEN">
+ <xs:enumeration value="memory"/>
+ <xs:enumeration value="smartcard"/>
+ <xs:enumeration value="token"/>
+ <xs:enumeration value="MobileDevice"/>
+ <xs:enumeration value="MobileAuthCard"/>
+ </xs:restriction>
+ </xs:simpleType>
+
+ <xs:complexType name="KeyStorageType">
+ <xs:attribute name="medium" type="mediumType" use="required"/>
+ </xs:complexType>
+
+ <xs:complexType name="SecretKeyProtectionType">
+ <xs:sequence>
+ <xs:element ref="KeyActivation" minOccurs="0"/>
+ <xs:element ref="KeyStorage" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="SecurityAuditType">
+ <xs:sequence>
+ <xs:element ref="SwitchAudit" minOccurs="0"/>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:complexType name="ExtensionOnlyType">
+ <xs:sequence>
+ <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+ <xs:element name="Extension" type="ExtensionType"/>
+
+ <xs:complexType name="ExtensionType">
+ <xs:sequence>
+ <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </xs:sequence>
+ </xs:complexType>
+
+</xs:schema>
diff --git a/vendor/gems/ruby-saml/lib/schemas/saml-schema-metadata-2.0.xsd b/vendor/gems/ruby-saml/lib/schemas/saml-schema-metadata-2.0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..b656d4f414dcbcac4bb98ccb729af280ea7b2a48
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/saml-schema-metadata-2.0.xsd
@@ -0,0 +1,337 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="xmldsig-core-schema.xsd"/>
+ <import namespace="http://www.w3.org/2001/04/xmlenc#"
+ schemaLocation="xenc-schema.xsd"/>
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="xml.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-metadata-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V2.0 (March, 2005):
+ Schema for SAML metadata, first published in SAML 2.0.
+ </documentation>
+ </annotation>
+
+ <simpleType name="entityIDType">
+ <restriction base="anyURI">
+ <maxLength value="1024"/>
+ </restriction>
+ </simpleType>
+ <complexType name="localizedNameType">
+ <simpleContent>
+ <extension base="string">
+ <attribute ref="xml:lang" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+ <complexType name="localizedURIType">
+ <simpleContent>
+ <extension base="anyURI">
+ <attribute ref="xml:lang" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <element name="Extensions" type="md:ExtensionsType"/>
+ <complexType final="#all" name="ExtensionsType">
+ <sequence>
+ <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+
+ <complexType name="EndpointType">
+ <sequence>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Binding" type="anyURI" use="required"/>
+ <attribute name="Location" type="anyURI" use="required"/>
+ <attribute name="ResponseLocation" type="anyURI" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <complexType name="IndexedEndpointType">
+ <complexContent>
+ <extension base="md:EndpointType">
+ <attribute name="index" type="unsignedShort" use="required"/>
+ <attribute name="isDefault" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/>
+ <complexType name="EntitiesDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <choice minOccurs="1" maxOccurs="unbounded">
+ <element ref="md:EntityDescriptor"/>
+ <element ref="md:EntitiesDescriptor"/>
+ </choice>
+ </sequence>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <attribute name="Name" type="string" use="optional"/>
+ </complexType>
+
+ <element name="EntityDescriptor" type="md:EntityDescriptorType"/>
+ <complexType name="EntityDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <choice>
+ <choice maxOccurs="unbounded">
+ <element ref="md:RoleDescriptor"/>
+ <element ref="md:IDPSSODescriptor"/>
+ <element ref="md:SPSSODescriptor"/>
+ <element ref="md:AuthnAuthorityDescriptor"/>
+ <element ref="md:AttributeAuthorityDescriptor"/>
+ <element ref="md:PDPDescriptor"/>
+ </choice>
+ <element ref="md:AffiliationDescriptor"/>
+ </choice>
+ <element ref="md:Organization" minOccurs="0"/>
+ <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="entityID" type="md:entityIDType" use="required"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+
+ <element name="Organization" type="md:OrganizationType"/>
+ <complexType name="OrganizationType">
+ <sequence>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:OrganizationName" maxOccurs="unbounded"/>
+ <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/>
+ <element ref="md:OrganizationURL" maxOccurs="unbounded"/>
+ </sequence>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="OrganizationName" type="md:localizedNameType"/>
+ <element name="OrganizationDisplayName" type="md:localizedNameType"/>
+ <element name="OrganizationURL" type="md:localizedURIType"/>
+ <element name="ContactPerson" type="md:ContactType"/>
+ <complexType name="ContactType">
+ <sequence>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:Company" minOccurs="0"/>
+ <element ref="md:GivenName" minOccurs="0"/>
+ <element ref="md:SurName" minOccurs="0"/>
+ <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="contactType" type="md:ContactTypeType" use="required"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="Company" type="string"/>
+ <element name="GivenName" type="string"/>
+ <element name="SurName" type="string"/>
+ <element name="EmailAddress" type="anyURI"/>
+ <element name="TelephoneNumber" type="string"/>
+ <simpleType name="ContactTypeType">
+ <restriction base="string">
+ <enumeration value="technical"/>
+ <enumeration value="support"/>
+ <enumeration value="administrative"/>
+ <enumeration value="billing"/>
+ <enumeration value="other"/>
+ </restriction>
+ </simpleType>
+
+ <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/>
+ <complexType name="AdditionalMetadataLocationType">
+ <simpleContent>
+ <extension base="anyURI">
+ <attribute name="namespace" type="anyURI" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <element name="RoleDescriptor" type="md:RoleDescriptorType"/>
+ <complexType name="RoleDescriptorType" abstract="true">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:Organization" minOccurs="0"/>
+ <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="optional"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/>
+ <attribute name="errorURL" type="anyURI" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <simpleType name="anyURIListType">
+ <list itemType="anyURI"/>
+ </simpleType>
+
+ <element name="KeyDescriptor" type="md:KeyDescriptorType"/>
+ <complexType name="KeyDescriptorType">
+ <sequence>
+ <element ref="ds:KeyInfo"/>
+ <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="use" type="md:KeyTypes" use="optional"/>
+ </complexType>
+ <simpleType name="KeyTypes">
+ <restriction base="string">
+ <enumeration value="encryption"/>
+ <enumeration value="signing"/>
+ </restriction>
+ </simpleType>
+ <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/>
+
+ <complexType name="SSODescriptorType" abstract="true">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/>
+ <element name="SingleLogoutService" type="md:EndpointType"/>
+ <element name="ManageNameIDService" type="md:EndpointType"/>
+ <element name="NameIDFormat" type="anyURI"/>
+
+ <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/>
+ <complexType name="IDPSSODescriptorType">
+ <complexContent>
+ <extension base="md:SSODescriptorType">
+ <sequence>
+ <element ref="md:SingleSignOnService" maxOccurs="unbounded"/>
+ <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SingleSignOnService" type="md:EndpointType"/>
+ <element name="NameIDMappingService" type="md:EndpointType"/>
+ <element name="AssertionIDRequestService" type="md:EndpointType"/>
+ <element name="AttributeProfile" type="anyURI"/>
+
+ <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/>
+ <complexType name="SPSSODescriptorType">
+ <complexContent>
+ <extension base="md:SSODescriptorType">
+ <sequence>
+ <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/>
+ <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/>
+ <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AssertionConsumerService" type="md:IndexedEndpointType"/>
+ <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/>
+ <complexType name="AttributeConsumingServiceType">
+ <sequence>
+ <element ref="md:ServiceName" maxOccurs="unbounded"/>
+ <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:RequestedAttribute" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="index" type="unsignedShort" use="required"/>
+ <attribute name="isDefault" type="boolean" use="optional"/>
+ </complexType>
+ <element name="ServiceName" type="md:localizedNameType"/>
+ <element name="ServiceDescription" type="md:localizedNameType"/>
+ <element name="RequestedAttribute" type="md:RequestedAttributeType"/>
+ <complexType name="RequestedAttributeType">
+ <complexContent>
+ <extension base="saml:AttributeType">
+ <attribute name="isRequired" type="boolean" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/>
+ <complexType name="AuthnAuthorityDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AuthnQueryService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnQueryService" type="md:EndpointType"/>
+
+ <element name="PDPDescriptor" type="md:PDPDescriptorType"/>
+ <complexType name="PDPDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AuthzService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthzService" type="md:EndpointType"/>
+
+ <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/>
+ <complexType name="AttributeAuthorityDescriptorType">
+ <complexContent>
+ <extension base="md:RoleDescriptorType">
+ <sequence>
+ <element ref="md:AttributeService" maxOccurs="unbounded"/>
+ <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AttributeService" type="md:EndpointType"/>
+
+ <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/>
+ <complexType name="AffiliationDescriptorType">
+ <sequence>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="md:Extensions" minOccurs="0"/>
+ <element ref="md:AffiliateMember" maxOccurs="unbounded"/>
+ <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/>
+ <attribute name="validUntil" type="dateTime" use="optional"/>
+ <attribute name="cacheDuration" type="duration" use="optional"/>
+ <attribute name="ID" type="ID" use="optional"/>
+ <anyAttribute namespace="##other" processContents="lax"/>
+ </complexType>
+ <element name="AffiliateMember" type="md:entityIDType"/>
+</schema>
diff --git a/vendor/gems/ruby-saml/lib/schemas/saml-schema-protocol-2.0.xsd b/vendor/gems/ruby-saml/lib/schemas/saml-schema-protocol-2.0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..7fa6f489d684a7375e0581bcf53ca9e34a4e6d10
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/saml-schema-protocol-2.0.xsd
@@ -0,0 +1,302 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+ <import namespace="http://www.w3.org/2000/09/xmldsig#"
+ schemaLocation="xmldsig-core-schema.xsd"/>
+ <annotation>
+ <documentation>
+ Document identifier: saml-schema-protocol-2.0
+ Location: http://docs.oasis-open.org/security/saml/v2.0/
+ Revision history:
+ V1.0 (November, 2002):
+ Initial Standard Schema.
+ V1.1 (September, 2003):
+ Updates within the same V1.0 namespace.
+ V2.0 (March, 2005):
+ New protocol schema based in a SAML V2.0 namespace.
+ </documentation>
+ </annotation>
+ <complexType name="RequestAbstractType" abstract="true">
+ <sequence>
+ <element ref="saml:Issuer" minOccurs="0"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="samlp:Extensions" minOccurs="0"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ <attribute name="Destination" type="anyURI" use="optional"/>
+ <attribute name="Consent" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="Extensions" type="samlp:ExtensionsType"/>
+ <complexType name="ExtensionsType">
+ <sequence>
+ <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <complexType name="StatusResponseType">
+ <sequence>
+ <element ref="saml:Issuer" minOccurs="0"/>
+ <element ref="ds:Signature" minOccurs="0"/>
+ <element ref="samlp:Extensions" minOccurs="0"/>
+ <element ref="samlp:Status"/>
+ </sequence>
+ <attribute name="ID" type="ID" use="required"/>
+ <attribute name="InResponseTo" type="NCName" use="optional"/>
+ <attribute name="Version" type="string" use="required"/>
+ <attribute name="IssueInstant" type="dateTime" use="required"/>
+ <attribute name="Destination" type="anyURI" use="optional"/>
+ <attribute name="Consent" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="Status" type="samlp:StatusType"/>
+ <complexType name="StatusType">
+ <sequence>
+ <element ref="samlp:StatusCode"/>
+ <element ref="samlp:StatusMessage" minOccurs="0"/>
+ <element ref="samlp:StatusDetail" minOccurs="0"/>
+ </sequence>
+ </complexType>
+ <element name="StatusCode" type="samlp:StatusCodeType"/>
+ <complexType name="StatusCodeType">
+ <sequence>
+ <element ref="samlp:StatusCode" minOccurs="0"/>
+ </sequence>
+ <attribute name="Value" type="anyURI" use="required"/>
+ </complexType>
+ <element name="StatusMessage" type="string"/>
+ <element name="StatusDetail" type="samlp:StatusDetailType"/>
+ <complexType name="StatusDetailType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+ <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/>
+ <complexType name="AssertionIDRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/>
+ <complexType name="SubjectQueryAbstractType" abstract="true">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:Subject"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnQuery" type="samlp:AuthnQueryType"/>
+ <complexType name="AuthnQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+ </sequence>
+ <attribute name="SessionIndex" type="string" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/>
+ <complexType name="RequestedAuthnContextType">
+ <choice>
+ <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/>
+ <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/>
+ </choice>
+ <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/>
+ </complexType>
+ <simpleType name="AuthnContextComparisonType">
+ <restriction base="string">
+ <enumeration value="exact"/>
+ <enumeration value="minimum"/>
+ <enumeration value="maximum"/>
+ <enumeration value="better"/>
+ </restriction>
+ </simpleType>
+ <element name="AttributeQuery" type="samlp:AttributeQueryType"/>
+ <complexType name="AttributeQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/>
+ <complexType name="AuthzDecisionQueryType">
+ <complexContent>
+ <extension base="samlp:SubjectQueryAbstractType">
+ <sequence>
+ <element ref="saml:Action" maxOccurs="unbounded"/>
+ <element ref="saml:Evidence" minOccurs="0"/>
+ </sequence>
+ <attribute name="Resource" type="anyURI" use="required"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="AuthnRequest" type="samlp:AuthnRequestType"/>
+ <complexType name="AuthnRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="saml:Subject" minOccurs="0"/>
+ <element ref="samlp:NameIDPolicy" minOccurs="0"/>
+ <element ref="saml:Conditions" minOccurs="0"/>
+ <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
+ <element ref="samlp:Scoping" minOccurs="0"/>
+ </sequence>
+ <attribute name="ForceAuthn" type="boolean" use="optional"/>
+ <attribute name="IsPassive" type="boolean" use="optional"/>
+ <attribute name="ProtocolBinding" type="anyURI" use="optional"/>
+ <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/>
+ <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/>
+ <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/>
+ <attribute name="ProviderName" type="string" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/>
+ <complexType name="NameIDPolicyType">
+ <attribute name="Format" type="anyURI" use="optional"/>
+ <attribute name="SPNameQualifier" type="string" use="optional"/>
+ <attribute name="AllowCreate" type="boolean" use="optional"/>
+ </complexType>
+ <element name="Scoping" type="samlp:ScopingType"/>
+ <complexType name="ScopingType">
+ <sequence>
+ <element ref="samlp:IDPList" minOccurs="0"/>
+ <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/>
+ </complexType>
+ <element name="RequesterID" type="anyURI"/>
+ <element name="IDPList" type="samlp:IDPListType"/>
+ <complexType name="IDPListType">
+ <sequence>
+ <element ref="samlp:IDPEntry" maxOccurs="unbounded"/>
+ <element ref="samlp:GetComplete" minOccurs="0"/>
+ </sequence>
+ </complexType>
+ <element name="IDPEntry" type="samlp:IDPEntryType"/>
+ <complexType name="IDPEntryType">
+ <attribute name="ProviderID" type="anyURI" use="required"/>
+ <attribute name="Name" type="string" use="optional"/>
+ <attribute name="Loc" type="anyURI" use="optional"/>
+ </complexType>
+ <element name="GetComplete" type="anyURI"/>
+ <element name="Response" type="samlp:ResponseType"/>
+ <complexType name="ResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="saml:Assertion"/>
+ <element ref="saml:EncryptedAssertion"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/>
+ <complexType name="ArtifactResolveType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <element ref="samlp:Artifact"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="Artifact" type="string"/>
+ <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/>
+ <complexType name="ArtifactResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/>
+ <complexType name="ManageNameIDRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <choice>
+ <element ref="samlp:NewID"/>
+ <element ref="samlp:NewEncryptedID"/>
+ <element ref="samlp:Terminate"/>
+ </choice>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NewID" type="string"/>
+ <element name="NewEncryptedID" type="saml:EncryptedElementType"/>
+ <element name="Terminate" type="samlp:TerminateType"/>
+ <complexType name="TerminateType"/>
+ <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/>
+ <element name="LogoutRequest" type="samlp:LogoutRequestType"/>
+ <complexType name="LogoutRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Reason" type="string" use="optional"/>
+ <attribute name="NotOnOrAfter" type="dateTime" use="optional"/>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="SessionIndex" type="string"/>
+ <element name="LogoutResponse" type="samlp:StatusResponseType"/>
+ <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/>
+ <complexType name="NameIDMappingRequestType">
+ <complexContent>
+ <extension base="samlp:RequestAbstractType">
+ <sequence>
+ <choice>
+ <element ref="saml:BaseID"/>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ <element ref="samlp:NameIDPolicy"/>
+ </sequence>
+ </extension>
+ </complexContent>
+ </complexType>
+ <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/>
+ <complexType name="NameIDMappingResponseType">
+ <complexContent>
+ <extension base="samlp:StatusResponseType">
+ <choice>
+ <element ref="saml:NameID"/>
+ <element ref="saml:EncryptedID"/>
+ </choice>
+ </extension>
+ </complexContent>
+ </complexType>
+</schema>
diff --git a/vendor/gems/ruby-saml/lib/schemas/sstc-metadata-attr.xsd b/vendor/gems/ruby-saml/lib/schemas/sstc-metadata-attr.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..f23e462a5b1cbd2de4fbe2dd75ebf48bdb25130a
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/sstc-metadata-attr.xsd
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:metadata:attribute"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+ xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+
+ <annotation>
+ <documentation>
+ Document title: SAML V2.0 Metadata Extention for Entity Attributes Schema
+ Document identifier: sstc-metadata-attr.xsd
+ Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+ Revision history:
+ V1.0 (November 2008):
+ Initial version.
+ </documentation>
+ </annotation>
+
+ <import namespace="urn:oasis:names:tc:SAML:2.0:assertion"
+ schemaLocation="saml-schema-assertion-2.0.xsd"/>
+
+ <element name="EntityAttributes" type="mdattr:EntityAttributesType"/>
+ <complexType name="EntityAttributesType">
+ <choice maxOccurs="unbounded">
+ <element ref="saml:Attribute"/>
+ <element ref="saml:Assertion"/>
+ </choice>
+ </complexType>
+
+</schema>
+
diff --git a/vendor/gems/ruby-saml/lib/schemas/sstc-saml-attribute-ext.xsd b/vendor/gems/ruby-saml/lib/schemas/sstc-saml-attribute-ext.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..ad309c14b2c4f3f57feccae8b53fabb6c1bba310
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/sstc-saml-attribute-ext.xsd
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:attribute:ext"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="2.0">
+
+ <annotation>
+ <documentation>
+ Document title: SAML V2.0 Attribute Extension Schema
+ Document identifier: sstc-saml-attribute-ext.xsd
+ Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+ Revision history:
+ V1.0 (October 2008):
+ Initial version.
+ </documentation>
+ </annotation>
+
+ <attribute name="OriginalIssuer" type="anyURI"/>
+ <attribute name="LastModified" type="dateTime"/>
+
+</schema>
+
diff --git a/vendor/gems/ruby-saml/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd b/vendor/gems/ruby-saml/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..3236ffcdce25f6e4b608e531274f0efc738c9148
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:metadata:algsupport"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="1.0">
+
+ <annotation>
+ <documentation>
+ Document title: Metadata Extension Schema for SAML V2.0 Metadata Profile for Algorithm Support Version 1.0
+ Document identifier: sstc-saml-metadata-algsupport.xsd
+ Location: http://docs.oasis-open.org/security/saml/Post2.0/
+ Revision history:
+ V1.0 (June 2010):
+ Initial version.
+ </documentation>
+ </annotation>
+
+ <element name="DigestMethod" type="alg:DigestMethodType"/>
+ <complexType name="DigestMethodType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+ <element name="SigningMethod" type="alg:SigningMethodType"/>
+ <complexType name="SigningMethodType">
+ <sequence>
+ <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ <attribute name="MinKeySize" type="positiveInteger"/>
+ <attribute name="MaxKeySize" type="positiveInteger"/>
+ </complexType>
+
+</schema>
+
diff --git a/vendor/gems/ruby-saml/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd b/vendor/gems/ruby-saml/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..a9f718e2bbd94a455f1377d304fada0e671d725e
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<schema
+ targetNamespace="urn:oasis:names:tc:SAML:metadata:ui"
+ xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
+ elementFormDefault="unqualified"
+ attributeFormDefault="unqualified"
+ blockDefault="substitution"
+ version="1.0">
+
+ <annotation>
+ <documentation>
+ Document title: Metadata Extension Schema for SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0
+ Document identifier: sstc-saml-metadata-ui-v1.0.xsd
+ Location: http://docs.oasis-open.org/security/saml/Post2.0/
+ Revision history:
+ 16 November 2010:
+ Added Keywords element/type.
+ 01 November 2010
+ Changed filename.
+ September 2010:
+ Initial version.
+ </documentation>
+ </annotation>
+
+ <import namespace="urn:oasis:names:tc:SAML:2.0:metadata"
+ schemaLocation="saml-schema-metadata-2.0.xsd"/>
+ <import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="xml.xsd"/>
+
+ <element name="UIInfo" type="mdui:UIInfoType" />
+ <complexType name="UIInfoType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="mdui:DisplayName"/>
+ <element ref="mdui:Description"/>
+ <element ref="mdui:Keywords"/>
+ <element ref="mdui:Logo"/>
+ <element ref="mdui:InformationURL"/>
+ <element ref="mdui:PrivacyStatementURL"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </complexType>
+
+ <element name="DisplayName" type="md:localizedNameType"/>
+ <element name="Description" type="md:localizedNameType"/>
+ <element name="InformationURL" type="md:localizedURIType"/>
+ <element name="PrivacyStatementURL" type="md:localizedURIType"/>
+
+ <element name="Keywords" type="mdui:KeywordsType"/>
+ <complexType name="KeywordsType">
+ <simpleContent>
+ <extension base="mdui:listOfStrings">
+ <attribute ref="xml:lang" use="required"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <simpleType name="listOfStrings">
+ <list itemType="string"/>
+ </simpleType>
+
+ <element name="Logo" type="mdui:LogoType"/>
+ <complexType name="LogoType">
+ <simpleContent>
+ <extension base="anyURI">
+ <attribute name="height" type="positiveInteger" use="required"/>
+ <attribute name="width" type="positiveInteger" use="required"/>
+ <attribute ref="xml:lang"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+ <element name="DiscoHints" type="mdui:DiscoHintsType"/>
+ <complexType name="DiscoHintsType">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <element ref="mdui:IPHint"/>
+ <element ref="mdui:DomainHint"/>
+ <element ref="mdui:GeolocationHint"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </complexType>
+
+ <element name="IPHint" type="string"/>
+ <element name="DomainHint" type="string"/>
+ <element name="GeolocationHint" type="anyURI"/>
+
+</schema>
+
diff --git a/vendor/gems/ruby-saml/lib/schemas/xenc-schema.xsd b/vendor/gems/ruby-saml/lib/schemas/xenc-schema.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..d6d79103cea071044dec1fa79acc187114a0a30e
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/xenc-schema.xsd
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0'
+ xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
+ xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
+ targetNamespace='http://www.w3.org/2001/04/xmlenc#'
+ elementFormDefault='qualified'>
+
+ <import namespace='http://www.w3.org/2000/09/xmldsig#'
+ schemaLocation='xmldsig-core-schema.xsd'/>
+
+ <complexType name='EncryptedType' abstract='true'>
+ <sequence>
+ <element name='EncryptionMethod' type='xenc:EncryptionMethodType'
+ minOccurs='0'/>
+ <element ref='ds:KeyInfo' minOccurs='0'/>
+ <element ref='xenc:CipherData'/>
+ <element ref='xenc:EncryptionProperties' minOccurs='0'/>
+ </sequence>
+ <attribute name='Id' type='ID' use='optional'/>
+ <attribute name='Type' type='anyURI' use='optional'/>
+ <attribute name='MimeType' type='string' use='optional'/>
+ <attribute name='Encoding' type='anyURI' use='optional'/>
+ </complexType>
+
+ <complexType name='EncryptionMethodType' mixed='true'>
+ <sequence>
+ <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/>
+ <element name='OAEPparams' minOccurs='0' type='base64Binary'/>
+ <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+ </sequence>
+ <attribute name='Algorithm' type='anyURI' use='required'/>
+ </complexType>
+
+ <simpleType name='KeySizeType'>
+ <restriction base="integer"/>
+ </simpleType>
+
+ <element name='CipherData' type='xenc:CipherDataType'/>
+ <complexType name='CipherDataType'>
+ <choice>
+ <element name='CipherValue' type='base64Binary'/>
+ <element ref='xenc:CipherReference'/>
+ </choice>
+ </complexType>
+
+ <element name='CipherReference' type='xenc:CipherReferenceType'/>
+ <complexType name='CipherReferenceType'>
+ <choice>
+ <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/>
+ </choice>
+ <attribute name='URI' type='anyURI' use='required'/>
+ </complexType>
+
+ <complexType name='TransformsType'>
+ <sequence>
+ <element ref='ds:Transform' maxOccurs='unbounded'/>
+ </sequence>
+ </complexType>
+
+
+ <element name='EncryptedData' type='xenc:EncryptedDataType'/>
+ <complexType name='EncryptedDataType'>
+ <complexContent>
+ <extension base='xenc:EncryptedType'>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <!-- Children of ds:KeyInfo -->
+
+ <element name='EncryptedKey' type='xenc:EncryptedKeyType'/>
+ <complexType name='EncryptedKeyType'>
+ <complexContent>
+ <extension base='xenc:EncryptedType'>
+ <sequence>
+ <element ref='xenc:ReferenceList' minOccurs='0'/>
+ <element name='CarriedKeyName' type='string' minOccurs='0'/>
+ </sequence>
+ <attribute name='Recipient' type='string'
+ use='optional'/>
+ </extension>
+ </complexContent>
+ </complexType>
+
+ <element name="AgreementMethod" type="xenc:AgreementMethodType"/>
+ <complexType name="AgreementMethodType" mixed="true">
+ <sequence>
+ <element name="KA-Nonce" minOccurs="0" type="base64Binary"/>
+ <!-- <element ref="ds:DigestMethod" minOccurs="0"/> -->
+ <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+ <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+ <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/>
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+ <!-- End Children of ds:KeyInfo -->
+
+ <element name='ReferenceList'>
+ <complexType>
+ <choice minOccurs='1' maxOccurs='unbounded'>
+ <element name='DataReference' type='xenc:ReferenceType'/>
+ <element name='KeyReference' type='xenc:ReferenceType'/>
+ </choice>
+ </complexType>
+ </element>
+
+ <complexType name='ReferenceType'>
+ <sequence>
+ <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/>
+ </sequence>
+ <attribute name='URI' type='anyURI' use='required'/>
+ </complexType>
+
+
+ <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/>
+ <complexType name='EncryptionPropertiesType'>
+ <sequence>
+ <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/>
+ </sequence>
+ <attribute name='Id' type='ID' use='optional'/>
+ </complexType>
+
+ <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/>
+ <complexType name='EncryptionPropertyType' mixed='true'>
+ <choice maxOccurs='unbounded'>
+ <any namespace='##other' processContents='lax'/>
+ </choice>
+ <attribute name='Target' type='anyURI' use='optional'/>
+ <attribute name='Id' type='ID' use='optional'/>
+ <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/>
+ </complexType>
+
+</schema>
+
diff --git a/vendor/gems/ruby-saml/lib/schemas/xml.xsd b/vendor/gems/ruby-saml/lib/schemas/xml.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..aea7d0db0a423b962247aa2b4d3d48fc73cda659
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/xml.xsd
@@ -0,0 +1,287 @@
+<?xml version='1.0'?>
+<?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?>
+<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns ="http://www.w3.org/1999/xhtml"
+ xml:lang="en">
+
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+ <h1>About the XML namespace</h1>
+
+ <div class="bodytext">
+ <p>
+ This schema document describes the XML namespace, in a form
+ suitable for import by other schema documents.
+ </p>
+ <p>
+ See <a href="http://www.w3.org/XML/1998/namespace.html">
+ http://www.w3.org/XML/1998/namespace.html</a> and
+ <a href="http://www.w3.org/TR/REC-xml">
+ http://www.w3.org/TR/REC-xml</a> for information
+ about this namespace.
+ </p>
+ <p>
+ Note that local names in this namespace are intended to be
+ defined only by the World Wide Web Consortium or its subgroups.
+ The names currently defined in this namespace are listed below.
+ They should not be used with conflicting semantics by any Working
+ Group, specification, or document instance.
+ </p>
+ <p>
+ See further below in this document for more information about <a
+ href="#usage">how to refer to this schema document from your own
+ XSD schema documents</a> and about <a href="#nsversioning">the
+ namespace-versioning policy governing this schema document</a>.
+ </p>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:attribute name="lang">
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>lang (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose value
+ is a language code for the natural language of the content of
+ any element; its value is inherited. This name is reserved
+ by virtue of its definition in the XML specification.</p>
+
+ </div>
+ <div>
+ <h4>Notes</h4>
+ <p>
+ Attempting to install the relevant ISO 2- and 3-letter
+ codes as the enumerated possible values is probably never
+ going to be a realistic possibility.
+ </p>
+ <p>
+ See BCP 47 at <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt">
+ http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a>
+ and the IANA language subtag registry at
+ <a href="http://www.iana.org/assignments/language-subtag-registry">
+ http://www.iana.org/assignments/language-subtag-registry</a>
+ for further information.
+ </p>
+ <p>
+ The union allows for the 'un-declaration' of xml:lang with
+ the empty string.
+ </p>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ <xs:simpleType>
+ <xs:union memberTypes="xs:language">
+ <xs:simpleType>
+ <xs:restriction base="xs:string">
+ <xs:enumeration value=""/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:union>
+ </xs:simpleType>
+ </xs:attribute>
+
+ <xs:attribute name="space">
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>space (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose
+ value is a keyword indicating what whitespace processing
+ discipline is intended for the content of the element; its
+ value is inherited. This name is reserved by virtue of its
+ definition in the XML specification.</p>
+
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ <xs:simpleType>
+ <xs:restriction base="xs:NCName">
+ <xs:enumeration value="default"/>
+ <xs:enumeration value="preserve"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:attribute>
+
+ <xs:attribute name="base" type="xs:anyURI"> <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>base (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose value
+ provides a URI to be used as the base for interpreting any
+ relative URIs in the scope of the element on which it
+ appears; its value is inherited. This name is reserved
+ by virtue of its definition in the XML Base specification.</p>
+
+ <p>
+ See <a
+ href="http://www.w3.org/TR/xmlbase/">http://www.w3.org/TR/xmlbase/</a>
+ for information about this attribute.
+ </p>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+
+ <xs:attribute name="id" type="xs:ID">
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>id (as an attribute name)</h3>
+ <p>
+ denotes an attribute whose value
+ should be interpreted as if declared to be of type ID.
+ This name is reserved by virtue of its definition in the
+ xml:id specification.</p>
+
+ <p>
+ See <a
+ href="http://www.w3.org/TR/xml-id/">http://www.w3.org/TR/xml-id/</a>
+ for information about this attribute.
+ </p>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+
+ <xs:attributeGroup name="specialAttrs">
+ <xs:attribute ref="xml:base"/>
+ <xs:attribute ref="xml:lang"/>
+ <xs:attribute ref="xml:space"/>
+ <xs:attribute ref="xml:id"/>
+ </xs:attributeGroup>
+
+ <xs:annotation>
+ <xs:documentation>
+ <div>
+
+ <h3>Father (in any context at all)</h3>
+
+ <div class="bodytext">
+ <p>
+ denotes Jon Bosak, the chair of
+ the original XML Working Group. This name is reserved by
+ the following decision of the W3C XML Plenary and
+ XML Coordination groups:
+ </p>
+ <blockquote>
+ <p>
+ In appreciation for his vision, leadership and
+ dedication the W3C XML Plenary on this 10th day of
+ February, 2000, reserves for Jon Bosak in perpetuity
+ the XML name "xml:Father".
+ </p>
+ </blockquote>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:annotation>
+ <xs:documentation>
+ <div xml:id="usage" id="usage">
+ <h2><a name="usage">About this schema document</a></h2>
+
+ <div class="bodytext">
+ <p>
+ This schema defines attributes and an attribute group suitable
+ for use by schemas wishing to allow <code>xml:base</code>,
+ <code>xml:lang</code>, <code>xml:space</code> or
+ <code>xml:id</code> attributes on elements they define.
+ </p>
+ <p>
+ To enable this, such a schema must import this schema for
+ the XML namespace, e.g. as follows:
+ </p>
+ <pre>
+ <schema . . .>
+ . . .
+ <import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="http://www.w3.org/2001/xml.xsd"/>
+ </pre>
+ <p>
+ or
+ </p>
+ <pre>
+ <import namespace="http://www.w3.org/XML/1998/namespace"
+ schemaLocation="http://www.w3.org/2009/01/xml.xsd"/>
+ </pre>
+ <p>
+ Subsequently, qualified reference to any of the attributes or the
+ group defined below will have the desired effect, e.g.
+ </p>
+ <pre>
+ <type . . .>
+ . . .
+ <attributeGroup ref="xml:specialAttrs"/>
+ </pre>
+ <p>
+ will define a type which will schema-validate an instance element
+ with any of those attributes.
+ </p>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+ <xs:annotation>
+ <xs:documentation>
+ <div id="nsversioning" xml:id="nsversioning">
+ <h2><a name="nsversioning">Versioning policy for this schema document</a></h2>
+ <div class="bodytext">
+ <p>
+ In keeping with the XML Schema WG's standard versioning
+ policy, this schema document will persist at
+ <a href="http://www.w3.org/2009/01/xml.xsd">
+ http://www.w3.org/2009/01/xml.xsd</a>.
+ </p>
+ <p>
+ At the date of issue it can also be found at
+ <a href="http://www.w3.org/2001/xml.xsd">
+ http://www.w3.org/2001/xml.xsd</a>.
+ </p>
+ <p>
+ The schema document at that URI may however change in the future,
+ in order to remain compatible with the latest version of XML
+ Schema itself, or with the XML namespace itself. In other words,
+ if the XML Schema or XML namespaces change, the version of this
+ document at <a href="http://www.w3.org/2001/xml.xsd">
+ http://www.w3.org/2001/xml.xsd
+ </a>
+ will change accordingly; the version at
+ <a href="http://www.w3.org/2009/01/xml.xsd">
+ http://www.w3.org/2009/01/xml.xsd
+ </a>
+ will not change.
+ </p>
+ <p>
+ Previous dated (and unchanging) versions of this schema
+ document are at:
+ </p>
+ <ul>
+ <li><a href="http://www.w3.org/2009/01/xml.xsd">
+ http://www.w3.org/2009/01/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2007/08/xml.xsd">
+ http://www.w3.org/2007/08/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2004/10/xml.xsd">
+ http://www.w3.org/2004/10/xml.xsd</a></li>
+ <li><a href="http://www.w3.org/2001/03/xml.xsd">
+ http://www.w3.org/2001/03/xml.xsd</a></li>
+ </ul>
+ </div>
+ </div>
+ </xs:documentation>
+ </xs:annotation>
+
+</xs:schema>
+
diff --git a/vendor/gems/ruby-saml/lib/schemas/xmldsig-core-schema.xsd b/vendor/gems/ruby-saml/lib/schemas/xmldsig-core-schema.xsd
new file mode 100644
index 0000000000000000000000000000000000000000..63d78199138c9ba69d1b6cbd27a27f2a0ae5dbac
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/schemas/xmldsig-core-schema.xsd
@@ -0,0 +1,309 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Schema for XML Signatures
+ http://www.w3.org/2000/09/xmldsig#
+ $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
+
+ Copyright 2001 The Internet Society and W3C (Massachusetts Institute
+ of Technology, Institut National de Recherche en Informatique et en
+ Automatique, Keio University). All Rights Reserved.
+ http://www.w3.org/Consortium/Legal/
+
+ This document is governed by the W3C Software License [1] as described
+ in the FAQ [2].
+
+ [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
+ [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
+-->
+
+
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ targetNamespace="http://www.w3.org/2000/09/xmldsig#"
+ version="0.1" elementFormDefault="qualified">
+
+<!-- Basic Types Defined for Signatures -->
+
+<simpleType name="CryptoBinary">
+ <restriction base="base64Binary">
+ </restriction>
+</simpleType>
+
+<!-- Start Signature -->
+
+<element name="Signature" type="ds:SignatureType"/>
+<complexType name="SignatureType">
+ <sequence>
+ <element ref="ds:SignedInfo"/>
+ <element ref="ds:SignatureValue"/>
+ <element ref="ds:KeyInfo" minOccurs="0"/>
+ <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+ <element name="SignatureValue" type="ds:SignatureValueType"/>
+ <complexType name="SignatureValueType">
+ <simpleContent>
+ <extension base="base64Binary">
+ <attribute name="Id" type="ID" use="optional"/>
+ </extension>
+ </simpleContent>
+ </complexType>
+
+<!-- Start SignedInfo -->
+
+<element name="SignedInfo" type="ds:SignedInfoType"/>
+<complexType name="SignedInfoType">
+ <sequence>
+ <element ref="ds:CanonicalizationMethod"/>
+ <element ref="ds:SignatureMethod"/>
+ <element ref="ds:Reference" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+ <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
+ <complexType name="CanonicalizationMethodType" mixed="true">
+ <sequence>
+ <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
+ <!-- (0,unbounded) elements from (1,1) namespace -->
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+ <element name="SignatureMethod" type="ds:SignatureMethodType"/>
+ <complexType name="SignatureMethodType" mixed="true">
+ <sequence>
+ <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
+ <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+ <!-- (0,unbounded) elements from (1,1) external namespace -->
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+<!-- Start Reference -->
+
+<element name="Reference" type="ds:ReferenceType"/>
+<complexType name="ReferenceType">
+ <sequence>
+ <element ref="ds:Transforms" minOccurs="0"/>
+ <element ref="ds:DigestMethod"/>
+ <element ref="ds:DigestValue"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+ <attribute name="URI" type="anyURI" use="optional"/>
+ <attribute name="Type" type="anyURI" use="optional"/>
+</complexType>
+
+ <element name="Transforms" type="ds:TransformsType"/>
+ <complexType name="TransformsType">
+ <sequence>
+ <element ref="ds:Transform" maxOccurs="unbounded"/>
+ </sequence>
+ </complexType>
+
+ <element name="Transform" type="ds:TransformType"/>
+ <complexType name="TransformType" mixed="true">
+ <choice minOccurs="0" maxOccurs="unbounded">
+ <any namespace="##other" processContents="lax"/>
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
+ <element name="XPath" type="string"/>
+ </choice>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+ </complexType>
+
+<!-- End Reference -->
+
+<element name="DigestMethod" type="ds:DigestMethodType"/>
+<complexType name="DigestMethodType" mixed="true">
+ <sequence>
+ <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Algorithm" type="anyURI" use="required"/>
+</complexType>
+
+<element name="DigestValue" type="ds:DigestValueType"/>
+<simpleType name="DigestValueType">
+ <restriction base="base64Binary"/>
+</simpleType>
+
+<!-- End SignedInfo -->
+
+<!-- Start KeyInfo -->
+
+<element name="KeyInfo" type="ds:KeyInfoType"/>
+<complexType name="KeyInfoType" mixed="true">
+ <choice maxOccurs="unbounded">
+ <element ref="ds:KeyName"/>
+ <element ref="ds:KeyValue"/>
+ <element ref="ds:RetrievalMethod"/>
+ <element ref="ds:X509Data"/>
+ <element ref="ds:PGPData"/>
+ <element ref="ds:SPKIData"/>
+ <element ref="ds:MgmtData"/>
+ <any processContents="lax" namespace="##other"/>
+ <!-- (1,1) elements from (0,unbounded) namespaces -->
+ </choice>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+ <element name="KeyName" type="string"/>
+ <element name="MgmtData" type="string"/>
+
+ <element name="KeyValue" type="ds:KeyValueType"/>
+ <complexType name="KeyValueType" mixed="true">
+ <choice>
+ <element ref="ds:DSAKeyValue"/>
+ <element ref="ds:RSAKeyValue"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </complexType>
+
+ <element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
+ <complexType name="RetrievalMethodType">
+ <sequence>
+ <element ref="ds:Transforms" minOccurs="0"/>
+ </sequence>
+ <attribute name="URI" type="anyURI"/>
+ <attribute name="Type" type="anyURI" use="optional"/>
+ </complexType>
+
+<!-- Start X509Data -->
+
+<element name="X509Data" type="ds:X509DataType"/>
+<complexType name="X509DataType">
+ <sequence maxOccurs="unbounded">
+ <choice>
+ <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
+ <element name="X509SKI" type="base64Binary"/>
+ <element name="X509SubjectName" type="string"/>
+ <element name="X509Certificate" type="base64Binary"/>
+ <element name="X509CRL" type="base64Binary"/>
+ <any namespace="##other" processContents="lax"/>
+ </choice>
+ </sequence>
+</complexType>
+
+<complexType name="X509IssuerSerialType">
+ <sequence>
+ <element name="X509IssuerName" type="string"/>
+ <element name="X509SerialNumber" type="string"/>
+ </sequence>
+</complexType>
+
+<!-- End X509Data -->
+
+<!-- Begin PGPData -->
+
+<element name="PGPData" type="ds:PGPDataType"/>
+<complexType name="PGPDataType">
+ <choice>
+ <sequence>
+ <element name="PGPKeyID" type="base64Binary"/>
+ <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
+ <any namespace="##other" processContents="lax" minOccurs="0"
+ maxOccurs="unbounded"/>
+ </sequence>
+ <sequence>
+ <element name="PGPKeyPacket" type="base64Binary"/>
+ <any namespace="##other" processContents="lax" minOccurs="0"
+ maxOccurs="unbounded"/>
+ </sequence>
+ </choice>
+</complexType>
+
+<!-- End PGPData -->
+
+<!-- Begin SPKIData -->
+
+<element name="SPKIData" type="ds:SPKIDataType"/>
+<complexType name="SPKIDataType">
+ <sequence maxOccurs="unbounded">
+ <element name="SPKISexp" type="base64Binary"/>
+ <any namespace="##other" processContents="lax" minOccurs="0"/>
+ </sequence>
+</complexType>
+
+<!-- End SPKIData -->
+
+<!-- End KeyInfo -->
+
+<!-- Start Object (Manifest, SignatureProperty) -->
+
+<element name="Object" type="ds:ObjectType"/>
+<complexType name="ObjectType" mixed="true">
+ <sequence minOccurs="0" maxOccurs="unbounded">
+ <any namespace="##any" processContents="lax"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+ <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
+ <attribute name="Encoding" type="anyURI" use="optional"/>
+</complexType>
+
+<element name="Manifest" type="ds:ManifestType"/>
+<complexType name="ManifestType">
+ <sequence>
+ <element ref="ds:Reference" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
+<complexType name="SignaturePropertiesType">
+ <sequence>
+ <element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
+ </sequence>
+ <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+ <element name="SignatureProperty" type="ds:SignaturePropertyType"/>
+ <complexType name="SignaturePropertyType" mixed="true">
+ <choice maxOccurs="unbounded">
+ <any namespace="##other" processContents="lax"/>
+ <!-- (1,1) elements from (1,unbounded) namespaces -->
+ </choice>
+ <attribute name="Target" type="anyURI" use="required"/>
+ <attribute name="Id" type="ID" use="optional"/>
+ </complexType>
+
+<!-- End Object (Manifest, SignatureProperty) -->
+
+<!-- Start Algorithm Parameters -->
+
+<simpleType name="HMACOutputLengthType">
+ <restriction base="integer"/>
+</simpleType>
+
+<!-- Start KeyValue Element-types -->
+
+<element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
+<complexType name="DSAKeyValueType">
+ <sequence>
+ <sequence minOccurs="0">
+ <element name="P" type="ds:CryptoBinary"/>
+ <element name="Q" type="ds:CryptoBinary"/>
+ </sequence>
+ <element name="G" type="ds:CryptoBinary" minOccurs="0"/>
+ <element name="Y" type="ds:CryptoBinary"/>
+ <element name="J" type="ds:CryptoBinary" minOccurs="0"/>
+ <sequence minOccurs="0">
+ <element name="Seed" type="ds:CryptoBinary"/>
+ <element name="PgenCounter" type="ds:CryptoBinary"/>
+ </sequence>
+ </sequence>
+</complexType>
+
+<element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
+<complexType name="RSAKeyValueType">
+ <sequence>
+ <element name="Modulus" type="ds:CryptoBinary"/>
+ <element name="Exponent" type="ds:CryptoBinary"/>
+ </sequence>
+</complexType>
+
+<!-- End KeyValue Element-types -->
+
+<!-- End Signature -->
+
+</schema>
diff --git a/vendor/gems/ruby-saml/lib/xml_security.rb b/vendor/gems/ruby-saml/lib/xml_security.rb
new file mode 100644
index 0000000000000000000000000000000000000000..db54ff34583fe723f2bdb0e1f4e87573b51af77c
--- /dev/null
+++ b/vendor/gems/ruby-saml/lib/xml_security.rb
@@ -0,0 +1,501 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/error_handling"
+
+module XMLSecurity
+
+ class BaseDocument < REXML::Document
+ REXML::Document::entity_expansion_limit = 0
+
+ C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
+ DSIG = "http://www.w3.org/2000/09/xmldsig#"
+ NOKOGIRI_OPTIONS = Nokogiri::XML::ParseOptions::STRICT |
+ Nokogiri::XML::ParseOptions::NONET
+
+ # Safety load the SAML Message XML
+ # @param document [REXML::Document] The message to be loaded
+ # @param check_malformed_doc [Boolean] check_malformed_doc Enable or Disable the check for malformed XML
+ # @return [Nokogiri::XML] The nokogiri document
+ # @raise [ValidationError] If there was a problem loading the SAML Message XML
+ def self.safe_load_xml(document, check_malformed_doc = true)
+ doc_str = document.to_s
+ if doc_str.include?("<!DOCTYPE")
+ raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
+ end
+
+ begin
+ xml = Nokogiri::XML(doc_str) do |config|
+ config.options = self::NOKOGIRI_OPTIONS
+ end
+ rescue StandardError => error
+ raise StandardError.new(error.message)
+ end
+
+ if xml.internal_subset
+ raise StandardError.new("Dangerous XML detected. No Doctype nodes allowed")
+ end
+
+ unless xml.errors.empty?
+ raise StandardError.new("There were XML errors when parsing: #{xml.errors}") if check_malformed_doc
+ end
+
+ xml
+ end
+
+ def canon_algorithm(element)
+ algorithm = element
+ if algorithm.is_a?(REXML::Element)
+ algorithm = element.attribute('Algorithm').value
+ end
+
+ case algorithm
+ when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+ "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+ Nokogiri::XML::XML_C14N_1_0
+ when "http://www.w3.org/2006/12/xml-c14n11",
+ "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+ Nokogiri::XML::XML_C14N_1_1
+ else
+ Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+ end
+ end
+
+ def algorithm(element)
+ algorithm = element
+ if algorithm.is_a?(REXML::Element)
+ algorithm = element.attribute("Algorithm").value
+ end
+
+ algorithm = algorithm && algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+
+ case algorithm
+ when 256 then OpenSSL::Digest::SHA256
+ when 384 then OpenSSL::Digest::SHA384
+ when 512 then OpenSSL::Digest::SHA512
+ else
+ OpenSSL::Digest::SHA1
+ end
+ end
+
+ end
+
+ class Document < BaseDocument
+ RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+ RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+ RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+ RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+ SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
+ SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
+ SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+ SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
+ ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+ INC_PREFIX_LIST = "#default samlp saml ds xs xsi md"
+
+ attr_writer :uuid
+
+ def uuid
+ @uuid ||= begin
+ document.root.nil? ? nil : document.root.attributes['ID']
+ end
+ end
+
+ #<Signature>
+ #<SignedInfo>
+ #<CanonicalizationMethod />
+ #<SignatureMethod />
+ #<Reference>
+ #<Transforms>
+ #<DigestMethod>
+ #<DigestValue>
+ #</Reference>
+ #<Reference /> etc.
+ #</SignedInfo>
+ #<SignatureValue />
+ #<KeyInfo />
+ #<Object />
+ #</Signature>
+ def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1, check_malformed_doc = true)
+ noko = XMLSecurity::BaseDocument.safe_load_xml(self.to_s, check_malformed_doc)
+
+ signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
+ signed_info_element = signature_element.add_element("ds:SignedInfo")
+ signed_info_element.add_element("ds:CanonicalizationMethod", {"Algorithm" => C14N})
+ signed_info_element.add_element("ds:SignatureMethod", {"Algorithm"=>signature_method})
+
+ # Add Reference
+ reference_element = signed_info_element.add_element("ds:Reference", {"URI" => "##{uuid}"})
+
+ # Add Transforms
+ transforms_element = reference_element.add_element("ds:Transforms")
+ transforms_element.add_element("ds:Transform", {"Algorithm" => ENVELOPED_SIG})
+ c14element = transforms_element.add_element("ds:Transform", {"Algorithm" => C14N})
+ c14element.add_element("ec:InclusiveNamespaces", {"xmlns:ec" => C14N, "PrefixList" => INC_PREFIX_LIST})
+
+ digest_method_element = reference_element.add_element("ds:DigestMethod", {"Algorithm" => digest_method})
+ inclusive_namespaces = INC_PREFIX_LIST.split(" ")
+ canon_doc = noko.canonicalize(canon_algorithm(C14N), inclusive_namespaces)
+ reference_element.add_element("ds:DigestValue").text = compute_digest(canon_doc, algorithm(digest_method_element))
+
+ # add SignatureValue
+ noko_sig_element = XMLSecurity::BaseDocument.safe_load_xml(signature_element.to_s, check_malformed_doc)
+
+ noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
+ canon_string = noko_signed_info_element.canonicalize(canon_algorithm(C14N))
+
+ signature = compute_signature(private_key, algorithm(signature_method).new, canon_string)
+ signature_element.add_element("ds:SignatureValue").text = signature
+
+ # add KeyInfo
+ key_info_element = signature_element.add_element("ds:KeyInfo")
+ x509_element = key_info_element.add_element("ds:X509Data")
+ x509_cert_element = x509_element.add_element("ds:X509Certificate")
+ if certificate.is_a?(String)
+ certificate = OpenSSL::X509::Certificate.new(certificate)
+ end
+ x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
+
+ # add the signature
+ issuer_element = elements["//saml:Issuer"]
+ if issuer_element
+ root.insert_after(issuer_element, signature_element)
+ elsif first_child = root.children[0]
+ root.insert_before(first_child, signature_element)
+ else
+ root.add_element(signature_element)
+ end
+ end
+
+ protected
+
+ def compute_signature(private_key, signature_algorithm, document)
+ Base64.encode64(private_key.sign(signature_algorithm, document)).gsub(/\n/, "")
+ end
+
+ def compute_digest(document, digest_algorithm)
+ digest = digest_algorithm.digest(document)
+ Base64.encode64(digest).strip
+ end
+
+ end
+
+ class SignedDocument < BaseDocument
+ include OneLogin::RubySaml::ErrorHandling
+
+ attr_writer :signed_element_id
+
+ def initialize(response, errors = [])
+ super(response)
+ @errors = errors
+ reset_elements
+ end
+
+ def reset_elements
+ @referenced_xml = nil
+ @cached_signed_info = nil
+ @signature = nil
+ @signature_algorithm = nil
+ @ref = nil
+ @processed = false
+ end
+
+ def processed
+ @processed
+ end
+
+ def referenced_xml
+ @referenced_xml
+ end
+
+ def signed_element_id
+ @signed_element_id ||= extract_signed_element_id
+ end
+
+ # Validates the referenced_xml, which is the signed part of the document
+ def validate_document(idp_cert_fingerprint, soft = true, options = {})
+ # get cert from response
+ cert_element = REXML::XPath.first(
+ self,
+ "//ds:X509Certificate",
+ { "ds"=>DSIG }
+ )
+
+ if cert_element
+ base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
+ cert_text = Base64.decode64(base64_cert)
+ begin
+ cert = OpenSSL::X509::Certificate.new(cert_text)
+ rescue OpenSSL::X509::CertificateError => _e
+ return append_error("Document Certificate Error", soft)
+ end
+
+ if options[:fingerprint_alg]
+ fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
+ else
+ fingerprint_alg = OpenSSL::Digest.new('SHA1')
+ end
+ fingerprint = fingerprint_alg.hexdigest(cert.to_der)
+
+ # check cert matches registered idp cert
+ if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+ return append_error("Fingerprint mismatch", soft)
+ end
+ base64_cert = Base64.encode64(cert.to_der)
+ else
+ if options[:cert]
+ base64_cert = Base64.encode64(options[:cert].to_pem)
+ else
+ if soft
+ return false
+ else
+ return append_error("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", soft)
+ end
+ end
+ end
+ validate_signature(base64_cert, soft)
+ end
+
+ def validate_document_with_cert(idp_cert, soft = true)
+ # get cert from response
+ cert_element = REXML::XPath.first(
+ self,
+ "//ds:X509Certificate",
+ { "ds"=>DSIG }
+ )
+
+ if cert_element
+ base64_cert = OneLogin::RubySaml::Utils.element_text(cert_element)
+ cert_text = Base64.decode64(base64_cert)
+ begin
+ cert = OpenSSL::X509::Certificate.new(cert_text)
+ rescue OpenSSL::X509::CertificateError => _e
+ return append_error("Document Certificate Error", soft)
+ end
+
+ # check saml response cert matches provided idp cert
+ if idp_cert.to_pem != cert.to_pem
+ return append_error("Certificate of the Signature element does not match provided certificate", soft)
+ end
+ end
+
+ encoded_idp_cert = Base64.encode64(idp_cert.to_pem)
+ validate_signature(encoded_idp_cert, true)
+ end
+
+ def cache_referenced_xml(soft, check_malformed_doc = true)
+ reset_elements
+ @processed = true
+
+ begin
+ nokogiri_document = XMLSecurity::BaseDocument.safe_load_xml(self, check_malformed_doc)
+ rescue StandardError => error
+ @errors << error.message
+ return false if soft
+ raise ValidationError.new("XML load failed: #{error.message}")
+ end
+
+ # create a rexml document
+ @working_copy ||= REXML::Document.new(self.to_s).root
+
+ # get signature node
+ sig_element = REXML::XPath.first(
+ @working_copy,
+ "//ds:Signature",
+ {"ds"=>DSIG}
+ )
+
+ return if sig_element.nil?
+
+ # signature method
+ sig_alg_value = REXML::XPath.first(
+ sig_element,
+ "./ds:SignedInfo/ds:SignatureMethod",
+ {"ds"=>DSIG}
+ )
+ @signature_algorithm = algorithm(sig_alg_value)
+
+ # get signature
+ base64_signature = REXML::XPath.first(
+ sig_element,
+ "./ds:SignatureValue",
+ {"ds" => DSIG}
+ )
+
+ return if base64_signature.nil?
+
+ base64_signature_text = OneLogin::RubySaml::Utils.element_text(base64_signature)
+ @signature = base64_signature_text.nil? ? nil : Base64.decode64(base64_signature_text)
+
+ # canonicalization method
+ canon_algorithm = canon_algorithm REXML::XPath.first(
+ sig_element,
+ './ds:SignedInfo/ds:CanonicalizationMethod',
+ 'ds' => DSIG
+ )
+
+ noko_sig_element = nokogiri_document.at_xpath('//ds:Signature', 'ds' => DSIG)
+ noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+
+ @cached_signed_info = noko_signed_info_element.canonicalize(canon_algorithm)
+
+ ### Now get the @referenced_xml to use?
+ rexml_signed_info = REXML::Document.new(@cached_signed_info.to_s).root
+
+ noko_sig_element.remove
+
+ # get inclusive namespaces
+ inclusive_namespaces = extract_inclusive_namespaces
+
+ # check digests
+ @ref = REXML::XPath.first(rexml_signed_info, "./ds:Reference", {"ds"=>DSIG})
+ return if @ref.nil?
+
+ reference_nodes = nokogiri_document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+ hashed_element = reference_nodes[0]
+ return if hashed_element.nil?
+
+ canon_algorithm = canon_algorithm REXML::XPath.first(
+ rexml_signed_info,
+ './ds:CanonicalizationMethod',
+ { "ds" => DSIG }
+ )
+
+ canon_algorithm = process_transforms(@ref, canon_algorithm)
+
+ @referenced_xml = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+ end
+
+ def validate_signature(base64_cert, soft = true)
+ if !@processed
+ cache_referenced_xml(soft)
+ end
+
+ return append_error("No Signature Algorithm Method found", soft) if @signature_algorithm.nil?
+ return append_error("No Signature node found", soft) if @signature.nil?
+ return append_error("No canonized SignedInfo ", soft) if @cached_signed_info.nil?
+ return append_error("No Reference node found", soft) if @ref.nil?
+ return append_error("No referenced XML", soft) if @referenced_xml.nil?
+
+ # get certificate object
+ cert_text = Base64.decode64(base64_cert)
+ cert = OpenSSL::X509::Certificate.new(cert_text)
+
+ digest_algorithm = algorithm(REXML::XPath.first(
+ @ref,
+ "./ds:DigestMethod",
+ { "ds" => DSIG }
+ ))
+ hash = digest_algorithm.digest(@referenced_xml)
+ encoded_digest_value = REXML::XPath.first(
+ @ref,
+ "./ds:DigestValue",
+ { "ds" => DSIG }
+ )
+ encoded_digest_value_text = OneLogin::RubySaml::Utils.element_text(encoded_digest_value)
+ digest_value = encoded_digest_value_text.nil? ? nil : Base64.decode64(encoded_digest_value_text)
+
+ # Compare the computed "hash" with the "signed" hash
+ unless hash && hash == digest_value
+ return append_error("Digest mismatch", soft)
+ end
+
+ # verify signature
+ unless cert.public_key.verify(@signature_algorithm.new, @signature, @cached_signed_info)
+ return append_error("Key validation error", soft)
+ end
+
+ return true
+ end
+
+ private
+
+ def process_transforms(ref, canon_algorithm)
+ transforms = REXML::XPath.match(
+ ref,
+ "./ds:Transforms/ds:Transform",
+ { "ds" => DSIG }
+ )
+
+ transforms.each do |transform_element|
+ if transform_element.attributes && transform_element.attributes["Algorithm"]
+ algorithm = transform_element.attributes["Algorithm"]
+ case algorithm
+ when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+ "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+ canon_algorithm = Nokogiri::XML::XML_C14N_1_0
+ when "http://www.w3.org/2006/12/xml-c14n11",
+ "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+ canon_algorithm = Nokogiri::XML::XML_C14N_1_1
+ when "http://www.w3.org/2001/10/xml-exc-c14n#",
+ "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+ canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+ end
+ end
+ end
+
+ canon_algorithm
+ end
+
+ def digests_match?(hash, digest_value)
+ hash == digest_value
+ end
+
+ def extract_signed_element_id
+ reference_element = REXML::XPath.first(
+ self,
+ "//ds:Signature/ds:SignedInfo/ds:Reference",
+ {"ds"=>DSIG}
+ )
+
+ return nil if reference_element.nil?
+
+ sei = reference_element.attribute("URI").value[1..-1]
+ sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
+ end
+
+ def extract_inclusive_namespaces
+ element = REXML::XPath.first(
+ self,
+ "//ec:InclusiveNamespaces",
+ { "ec" => C14N }
+ )
+ if element
+ prefix_list = element.attributes.get_attribute("PrefixList").value
+ prefix_list.split(" ")
+ else
+ nil
+ end
+ end
+
+ end
+end
diff --git a/vendor/gems/ruby-saml/ruby-saml.gemspec b/vendor/gems/ruby-saml/ruby-saml.gemspec
new file mode 100644
index 0000000000000000000000000000000000000000..efbd40e36dbd51180b683a841dd1614d3989cab1
--- /dev/null
+++ b/vendor/gems/ruby-saml/ruby-saml.gemspec
@@ -0,0 +1,112 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+require 'onelogin/ruby-saml/version'
+
+Gem::Specification.new do |s|
+ s.name = 'ruby-saml'
+ s.version = OneLogin::RubySaml::VERSION
+
+ s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+ s.authors = ["SAML Toolkit", "Sixto Martin"]
+ s.email = ['contact@iamdigitalservices.com', 'sixto.martin.garcia@gmail.com']
+ s.date = Time.now.strftime("%Y-%m-%d")
+ s.description = %q{SAML Ruby toolkit. Add SAML support to your Ruby software using this library}
+ s.license = 'MIT'
+ s.extra_rdoc_files = [
+ "LICENSE",
+ "README.md"
+ ]
+ # rubocop:disable Gemspec/AvoidExecutingGit -- Temporary gem vendor
+ s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+ # rubocop:enable Gemspec/AvoidExecutingGit
+ s.homepage = %q{https://github.com/saml-toolkits/ruby-saml}
+ s.rdoc_options = ["--charset=UTF-8"]
+ s.require_paths = ["lib"]
+ s.rubygems_version = %q{1.3.7}
+ s.required_ruby_version = '>= 1.8.7'
+ s.summary = %q{SAML Ruby Tookit}
+
+ # Because runtime dependencies are determined at build time, we cannot make
+ # Nokogiri's version dependent on the Ruby version, even though we would
+ # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
+ if defined?(JRUBY_VERSION)
+ if JRUBY_VERSION < '9.1.7.0'
+ s.add_runtime_dependency('nokogiri', '>= 1.8.2', '<= 1.8.5')
+ s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
+ s.add_runtime_dependency('json', '< 2.3.0')
+ elsif JRUBY_VERSION < '9.2.0.0'
+ s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+ elsif JRUBY_VERSION < '9.3.2.0'
+ s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+ s.add_runtime_dependency('rexml')
+ else
+ s.add_runtime_dependency('nokogiri', '>= 1.13.10')
+ s.add_runtime_dependency('rexml')
+ end
+ elsif RUBY_VERSION < '1.9'
+ s.add_runtime_dependency('uuid')
+ s.add_runtime_dependency('nokogiri', '<= 1.5.11')
+ elsif RUBY_VERSION < '2.1'
+ s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
+ s.add_runtime_dependency('json', '< 2.3.0')
+ elsif RUBY_VERSION < '2.3'
+ s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+ elsif RUBY_VERSION < '2.5'
+ s.add_runtime_dependency('nokogiri', '>= 1.10.10', '< 1.11.0')
+ s.add_runtime_dependency('rexml')
+ elsif RUBY_VERSION < '2.6'
+ s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+ s.add_runtime_dependency('rexml')
+ else
+ s.add_runtime_dependency('nokogiri', '>= 1.13.10')
+ s.add_runtime_dependency('rexml')
+ end
+
+ if RUBY_VERSION >= '3.4.0'
+ s.add_runtime_dependency("logger")
+ s.add_runtime_dependency("base64")
+ s.add_runtime_dependency('mutex_m')
+ end
+
+ s.add_development_dependency('simplecov', '<0.22.0')
+ if RUBY_VERSION < '2.4.1'
+ s.add_development_dependency('simplecov-lcov', '<0.8.0')
+ else
+ s.add_development_dependency('simplecov-lcov', '>0.7.0')
+ end
+
+ s.add_development_dependency('minitest', '~> 5.5', '<5.19.0')
+ s.add_development_dependency('mocha', '~> 0.14')
+
+ if RUBY_VERSION < '2.0'
+ s.add_development_dependency('rake', '~> 10')
+ else
+ s.add_development_dependency('rake', '>= 12.3.3')
+ end
+
+ s.add_development_dependency('shoulda', '~> 2.11')
+ s.add_development_dependency('systemu', '~> 2')
+
+ if RUBY_VERSION < '2.1'
+ s.add_development_dependency('timecop', '<= 0.6.0')
+ else
+ s.add_development_dependency('timecop', '~> 0.9')
+ end
+
+ if defined?(JRUBY_VERSION)
+ # All recent versions of JRuby play well with pry
+ s.add_development_dependency('pry')
+ elsif RUBY_VERSION < '1.9'
+ # 1.8.7
+ s.add_development_dependency('ruby-debug', '~> 0.10.4')
+ elsif RUBY_VERSION < '2.0'
+ # 1.9.x
+ s.add_development_dependency('debugger-linecache', '~> 1.2.0')
+ s.add_development_dependency('debugger', '~> 1.6.4')
+ elsif RUBY_VERSION < '2.1'
+ # 2.0.x
+ s.add_development_dependency('byebug', '~> 2.1.1')
+ else
+ # 2.1.x, 2.2.x
+ s.add_development_dependency('pry-byebug')
+ end
+end