Fix #306. Support WantAssertionsSigned

README.md

@@ -386,7 +386,10 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```ruby
   settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
   settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
-  settings.security[:logout_responses_signed] = true     # Enable or not signature on Logout Response
+  settings.security[:logout_responses_signed] = true     # Enable or not 
+  signature on Logout Response
+  settings.security[:want_assertions_signed]  = true     # Enable or not 
+  the requirement of signed assertion
   settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
   settings.security[:digest_method]    = XMLSecurity::Document::SHA1

lib/onelogin/ruby-saml/metadata.rb

@@ -29,8 +29,7 @@ def generate(settings, pretty_print=false)
         sp_sso = root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
             "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
-            # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
-            "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
+            "WantAssertionsSigned" => settings.security[:want_assertions_signed],
         }
 
         # Add KeyDescriptor if messages will be signed / encrypted

lib/onelogin/ruby-saml/response.rb

@@ -448,6 +448,10 @@ def validate_signed_elements
           return append_error("Found an unexpected number of Signature Element. SAML Response rejected")
         end
 
+        if settings.security[:want_assertions_signed] && !(signed_elements.include? "Assertion")
+          return append_error("The Assertion of the Response is not signed and the SP requires it")
+        end
+
         true
       end
 

lib/onelogin/ruby-saml/settings.rb

@@ -154,6 +154,7 @@ def get_sp_key
           :authn_requests_signed    => false,
           :logout_requests_signed   => false,
           :logout_responses_signed  => false,
+          :want_assertions_signed   => false,
           :metadata_signed          => false,
           :embed_sign               => false,
           :digest_method            => XMLSecurity::Document::SHA1,

test/metadata_test.rb

@@ -75,6 +75,20 @@ class MetadataTest < Minitest::Test
       assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
     end
 
+    describe "WantAssertionsSigned" do
+      it "generates Service Provider Metadata with WantAssertionsSigned = false" do
+        settings.security[:want_assertions_signed] = false
+        assert_equal "false", spsso_descriptor.attribute("WantAssertionsSigned").value
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+
+      it "generates Service Provider Metadata with WantAssertionsSigned = true" do
+        settings.security[:want_assertions_signed] = true
+        assert_equal "true", spsso_descriptor.attribute("WantAssertionsSigned").value
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+    end
+
     describe "when auth requests are signed" do
       let(:key_descriptors) do
         REXML::XPath.match(

test/response_test.rb

@@ -997,6 +997,26 @@ class RubySamlTest < Minitest::Test
       end
     end
 
+    describe '#want_assertion_signed' do
+      before do
+        settings.security[:want_assertions_signed] = true
+        @signed_assertion = OneLogin::RubySaml::Response.new(response_document_with_signed_assertion, :settings => settings)
+        @no_signed_assertion = OneLogin::RubySaml::Response.new(response_document_valid_signed, :settings => settings)
+      end
+
+
+      it 'returns false if :want_assertion_signed enabled and Assertion not signed' do
+        assert !@no_signed_assertion.send(:validate_signed_elements)
+        assert_includes @no_signed_assertion.errors, "The Assertion of the Response is not signed and the SP requires it"
+
+      end
+
+      it 'returns true if :want_assertion_signed enabled and Assertion is signed' do
+        assert @signed_assertion.send(:validate_signed_elements)
+        assert_empty @signed_assertion.errors
+      end
+    end
+
     describe "retrieve nameID" do
       it 'is possible  when nameID inside the assertion' do
         response_valid_signed.settings = settings