SAML-Toolkits
diff --git a/‎README.md‎
Lines changed: 18 additions & 3 deletions b/‎README.md‎
Lines changed: 18 additions & 3 deletions
diff --git a/‎lib/onelogin/ruby-saml/idp_metadata_parser.rb‎
Lines changed: 56 additions & 34 deletions b/‎lib/onelogin/ruby-saml/idp_metadata_parser.rb‎
Lines changed: 56 additions & 34 deletions
diff --git a/‎test/idp_metadata_parser_test.rb‎
Lines changed: 35 additions & 7 deletions b/‎test/idp_metadata_parser_test.rb‎
Lines changed: 35 additions & 7 deletions
@@ -279,6 +279,21 @@ The following attributes are set:
   * idp_slo_target_url
   * idp_cert_fingerprint
 
+### Retrieve one Entity Descriptor when many exist in Metadata
+
+If the Meta data contains the data for many SAML entities, the relevant Entity
+Descriptor can be specified when retrieving the settings from the
+IdpMetadataParser:
+
+```ruby
+  validate_cert = true
+  settings =  idp_metadata_parser.parse_remote(
+                "https://example.com/auth/saml2/idp/metadata",
+                validate_cert,
+                entity_id: "http//example.com/target/entity"
+              )
+```
+
 ## Retrieving Attributes
 
 If you are using `saml:AttributeStatement` to transfer data like the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the
@@ -411,9 +426,9 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```ruby
   settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
   settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
-  settings.security[:logout_responses_signed] = true     # Enable or not 
+  settings.security[:logout_responses_signed] = true     # Enable or not
   signature on Logout Response
-  settings.security[:want_assertions_signed]  = true     # Enable or not 
+  settings.security[:want_assertions_signed]  = true     # Enable or not
   the requirement of signed assertion
   settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
@@ -426,7 +441,7 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```
 
 Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding.
-Remember to provide it to the Signature builder if you are sending a `GET RelayState` parameter or the 
+Remember to provide it to the Signature builder if you are sending a `GET RelayState` parameter or the
 signature validation process will fail at the Identity Provider.
 
 The Service Provider will sign the request/responses with its private key.
 
@@ -22,6 +22,7 @@ class IdpMetadataParser
 
       attr_reader :document
       attr_reader :response
+      attr_reader :parse_options
 
       # Parse the Identity Provider metadata and update the settings with the
       # IdP values
@@ -39,19 +40,21 @@ def parse_remote(url, validate_cert = true, options = {})
       # @param idp_metadata [String]
       # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
       #
-      def parse(idp_metadata, options = {})
+      def parse(idp_metadata, parse_options = {})
         @document = REXML::Document.new(idp_metadata)
+        @parse_options = parse_options
+        @entity_descriptor = nil
 
-        settings = options[:settings]
+        settings = parse_options[:settings]
         if settings.nil? || settings.is_a?(Hash)
           settings = OneLogin::RubySaml::Settings.new(settings || {})
         end
 
         settings.tap do |settings|
           settings.idp_entity_id = idp_entity_id
           settings.name_identifier_format = idp_name_id_format
-          settings.idp_sso_target_url = single_signon_service_url(options)
-          settings.idp_slo_target_url = single_logout_service_url(options)
+          settings.idp_sso_target_url = single_signon_service_url(parse_options)
+          settings.idp_slo_target_url = single_logout_service_url(parse_options)
           settings.idp_cert = certificate_base64
           settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
           settings.idp_attribute_names = attribute_names
@@ -91,24 +94,34 @@ def get_idp_metadata(url, validate_cert)
         )
       end
 
+      def entity_descriptor
+        @entity_descriptor ||= REXML::XPath.first(
+          document,
+          entity_descriptor_path,
+          namespace
+        )
+      end
+
+      def entity_descriptor_path
+        path = "//md:EntityDescriptor"
+        entity_id = parse_options[:entity_id]
+        return path unless entity_id
+        path << "[@entityID=\"#{entity_id}\"]"
+      end
+
       # @return [String|nil] IdP Entity ID value if exists
       #
       def idp_entity_id
-        node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/@entityID",
-          { "md" => METADATA }
-        )
-        node.value if node
+        entity_descriptor.attributes["entityID"]
       end
 
       # @return [String|nil] IdP Name ID Format value if exists
       #
       def idp_name_id_format
         node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:NameIDFormat",
+          namespace
         )
         node.text if node
       end
@@ -118,9 +131,9 @@ def idp_name_id_format
       #
       def single_signon_service_binding(binding_priority = nil)
         nodes = REXML::XPath.match(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Binding",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:SingleSignOnService/@Binding",
+          namespace
         )
         if binding_priority
           values = nodes.map(&:value)
@@ -136,9 +149,9 @@ def single_signon_service_binding(binding_priority = nil)
       def single_signon_service_url(options = {})
         binding = options[:sso_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
+          namespace
         )
         node.value if node
       end
@@ -148,9 +161,9 @@ def single_signon_service_url(options = {})
       #
       def single_logout_service_binding(binding_priority = nil)
         nodes = REXML::XPath.match(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Binding",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:SingleLogoutService/@Binding",
+          namespace
         )
         if binding_priority
           values = nodes.map(&:value)
@@ -166,9 +179,9 @@ def single_logout_service_binding(binding_priority = nil)
       def single_logout_service_url(options = {})
         binding = options[:slo_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         node = REXML::XPath.first(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
-          { "md" => METADATA }
+          entity_descriptor,
+          "md:IDPSSODescriptor/md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
+          namespace
         )
         node.value if node
       end
@@ -178,16 +191,16 @@ def single_logout_service_url(options = {})
       def certificate_base64
         @certificate_base64 ||= begin
           node = REXML::XPath.first(
-              document,
-              "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-              { "md" => METADATA, "ds" => DSIG }
+            entity_descriptor,
+            "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+            namespace
           )
 
           unless node
             node = REXML::XPath.first(
-                document,
-                "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-                { "md" => METADATA, "ds" => DSIG }
+              entity_descriptor,
+              "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+              namespace
             )
           end
           node.text if node
@@ -220,12 +233,21 @@ def fingerprint(fingerprint_algorithm = XMLSecurity::Document::SHA1)
       #
       def attribute_names
         nodes = REXML::XPath.match(
-          document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/saml:Attribute/@Name",
-          { "md" => METADATA, "NameFormat" => NAME_FORMAT, "saml" => SAML_ASSERTION }
+          entity_descriptor,
+          "md:IDPSSODescriptor/saml:Attribute/@Name",
+          namespace
         )
         nodes.map(&:value)
       end
+
+      def namespace
+        {
+          "md" => METADATA,
+          "NameFormat" => NAME_FORMAT,
+          "saml" => SAML_ASSERTION,
+          "ds" => DSIG
+        }
+      end
     end
   end
 end
@@ -23,10 +23,10 @@ def initialize; end
 
       settings = idp_metadata_parser.parse(idp_metadata)
 
-      assert_equal "https://example.hello.com/access/saml/idp.xml", settings.idp_entity_id
-      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "https://hello.example.com/access/saml/idp.xml", settings.idp_entity_id
+      assert_equal "https://hello.example.com/access/saml/login", settings.idp_sso_target_url
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
-      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal "https://hello.example.com/access/saml/logout", settings.idp_slo_target_url
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
       assert_equal ["AuthToken", "SSOStartPage"], settings.idp_attribute_names
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
@@ -90,10 +90,10 @@ def initialize; end
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
       settings = idp_metadata_parser.parse_remote(@url)
 
-      assert_equal "https://example.hello.com/access/saml/idp.xml", settings.idp_entity_id
-      assert_equal "https://example.hello.com/access/saml/login", settings.idp_sso_target_url
+      assert_equal "https://hello.example.com/access/saml/idp.xml", settings.idp_entity_id
+      assert_equal "https://hello.example.com/access/saml/login", settings.idp_sso_target_url
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
-      assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
+      assert_equal "https://hello.example.com/access/saml/logout", settings.idp_slo_target_url
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
       assert_equal ["AuthToken", "SSOStartPage"], settings.idp_attribute_names
       assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
@@ -130,10 +130,38 @@ def initialize; end
       idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
 
       exception = assert_raises(OneLogin::RubySaml::HttpError) do
-        idp_metadata_parser.parse_remote("https://example.hello.com/access/saml/idp.xml")
+        idp_metadata_parser.parse_remote("https://hello.example.com/access/saml/idp.xml")
       end
 
       assert_match("Failed to fetch idp metadata", exception.message)
     end
   end
+
+  describe "parsing metadata with many entity descriptors" do
+    before do
+      @idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      @idp_metadata = read_response("idp_multiple_descriptors.xml")
+      @settings = @idp_metadata_parser.parse(@idp_metadata)
+    end
+
+    it "should find first descriptor" do
+      assert_equal "https://foo.example.com/access/saml/idp.xml", @settings.idp_entity_id
+    end
+
+    it "should find named descriptor" do
+      entity_id = "https://bar.example.com/access/saml/idp.xml"
+      settings = @idp_metadata_parser.parse(
+        @idp_metadata, :entity_id => entity_id
+      )
+      assert_equal entity_id, settings.idp_entity_id
+    end
+
+    it "should retreive data" do
+      assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", @settings.name_identifier_format
+      assert_equal "https://hello.example.com/access/saml/login", @settings.idp_sso_target_url
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", @settings.idp_cert_fingerprint
+      assert_equal "https://hello.example.com/access/saml/logout", @settings.idp_slo_target_url
+      assert_equal ["AuthToken", "SSOStartPage"], @settings.idp_attribute_names
+    end
+  end
 end