Merge pull request SAML-Toolkits#13 from bluemango/master

Update to support SAML assertions from Salesforce
orslumen · Jun 28, 2011 · 82b62f1 · 82b62f1
2 parents fe54d63 + e30f1fb
commit 82b62f1
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/lib/onelogin/saml/response.rb b/lib/onelogin/saml/response.rb
@@ -29,6 +29,7 @@ def validate!
     def name_id
       @name_id ||= begin
         node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+        node ||=  REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
         node.nil? ? nil : node.text
       end
     end

diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -60,19 +60,30 @@ def validate(idp_cert_fingerprint, soft = true)
 
     def validate_doc(base64_cert, soft = true)
       # validate references
+
+      # check for inclusive namespaces
+
+      inclusive_namespaces            = []
+      inclusive_namespace_element     = REXML::XPath.first(self, "//ec:InclusiveNamespaces")
+
+      if inclusive_namespace_element
+        prefix_list                   = inclusive_namespace_element.attributes.get_attribute('PrefixList').value
+        inclusive_namespaces          = prefix_list.split(" ")
+      end
 
       # remove signature node
       sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
       sig_element.remove
 
       # check digests
       REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
-        uri                   = ref.attributes.get_attribute("URI").value
-        hashed_element        = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
-        canoner               = XML::Util::XmlCanonicalizer.new(false, true)
-        canon_hashed_element  = canoner.canonicalize(hashed_element)
-        hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
-        digest_value          = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+        uri                           = ref.attributes.get_attribute("URI").value
+        hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+        canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
+        canoner.inclusive_namespaces  = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
+        canon_hashed_element          = canoner.canonicalize(hashed_element)
+        hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+        digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
 
         if hash != digest_value
           return soft ? false : (raise Onelogin::Saml::ValidationError.new("Digest mismatch"))