disabling recipient check

Author: gene

README.md

@@ -193,11 +193,12 @@ def saml_settings
 end
 ```
 
-Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `Conditions` validation or the `SubjectConfirmation` validations by initializing the response with different options:
+Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
 
 ```ruby
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doens't skip subject confirmation, but skips the recipient check which is a sub check of the subject_confirmation check
 ```
 
 All that's left is to wrap everything in a controller and reference it in the initialization and consumption URLs in OneLogin. A full controller example could look like this:

lib/onelogin/ruby-saml/response.rb

@@ -41,6 +41,12 @@ def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
 
         @errors = []
+
+        # skip recipient check by default for backwards compatibility
+        unless options.key?(:skip_recipient_check)
+          options[:skip_recipient_check] = true
+        end
+
         @options = options
         @soft = true
         unless options[:settings].nil?
@@ -708,6 +714,7 @@ def validate_session_expiration(soft = true)
       # Validates if exists valid SubjectConfirmation (If the response was initialized with the :allowed_clock_drift option,
       # timimg validation are relaxed by the allowed_clock_drift value. If the response was initialized with the
       # :skip_subject_confirmation option, this validation is skipped)
+      # There is also an optional Recipient check
       # If fails, the error is added to the errors array
       # @return [Boolean] True if exists a valid SubjectConfirmation, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
@@ -736,7 +743,7 @@ def validate_subject_confirmation
           next if (attrs.include? "InResponseTo" and attrs['InResponseTo'] != in_response_to) ||
                   (attrs.include? "NotOnOrAfter" and (parse_time(confirmation_data_node, "NotOnOrAfter") + allowed_clock_drift) <= now) ||
                   (attrs.include? "NotBefore" and parse_time(confirmation_data_node, "NotBefore") > (now + allowed_clock_drift)) ||
-                  (attrs.include? "Recipient" and settings.assertion_consumer_service_url != nil and attrs['Recipient'] != settings.assertion_consumer_service_url)
+                  (attrs.include? "Recipient" and !options[:skip_recipient_check] and attrs['Recipient'] != settings.assertion_consumer_service_url)
 
           valid_subject_confirmation = true
           break

lib/onelogin/ruby-saml/settings.rb

@@ -94,7 +94,7 @@ def single_logout_service_binding
       end
 
       # Setter for Single Logout Service Binding.
-      # 
+      #
       # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
       # @param url [String]
       #

test/response_test.rb

@@ -17,6 +17,7 @@ class RubySamlTest < Minitest::Test
     let(:response_wrapped) { OneLogin::RubySaml::Response.new(response_document_wrapped) }
     let(:response_multiple_attr_values) { OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values)) }
     let(:response_valid_signed) { OneLogin::RubySaml::Response.new(response_document_valid_signed) }
+    let(:response_valid_signed_with_recipient) { OneLogin::RubySaml::Response.new(response_document_valid_signed, {:skip_recipient_check => false })}
     let(:response_valid_signed_without_x509certificate) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate) }
     let(:response_no_id) { OneLogin::RubySaml::Response.new(read_invalid_response("no_id.xml.base64")) }
     let(:response_no_version) { OneLogin::RubySaml::Response.new(read_invalid_response("no_saml2.xml.base64")) }
@@ -677,17 +678,25 @@ class RubySamlTest < Minitest::Test
       end
 
       it "return true when valid subject confirmation recipient" do
-        response_valid_signed.settings = settings
-        response_valid_signed.settings.assertion_consumer_service_url= 'recipient'
+        response_valid_signed_with_recipient.settings = settings
+        response_valid_signed_with_recipient.settings.assertion_consumer_service_url = 'recipient'
         assert response_valid_signed.send(:validate_subject_confirmation)
         assert_empty response_valid_signed.errors
+        assert_empty response_valid_signed_with_recipient.errors
+      end
+
+      it "return false when invalid subject confirmation recipient" do
+        response_valid_signed_with_recipient.settings = settings
+        response_valid_signed_with_recipient.settings.assertion_consumer_service_url = 'not-the-recipient'
+        assert !response_valid_signed_with_recipient.send(:validate_subject_confirmation)
+        assert_includes response_valid_signed_with_recipient.errors, "A valid SubjectConfirmation was not found on this Response"
       end
 
-      it "return false when valid subject confirmation recipient" do
+      it "return false when invalid subject confirmation recipient, but skipping the check(default)" do
         response_valid_signed.settings = settings
         response_valid_signed.settings.assertion_consumer_service_url = 'not-the-recipient'
-        assert !response_valid_signed.send(:validate_subject_confirmation)
-        assert_includes response_valid_signed.errors, "A valid SubjectConfirmation was not found on this Response"
+        assert response_valid_signed.send(:validate_subject_confirmation)
+        assert_empty response_valid_signed.errors
       end
 
       it "return true when the skip_subject_confirmation option is passed and the subject confirmation is valid" do