allows the signature to be embedded outside the assertion element

lib/saml2.coffee

@@ -337,7 +337,7 @@ parse_authn_response = (saml_response, sp_private_key, idp_certificates, allow_u
         assertion = saml_response.getElementsByTagNameNS(XMLNS.SAML, 'Assertion')
         unless assertion.length is 1
           return cb_wf new Error("Expected 1 Assertion or 1 EncryptedAssertion; found #{assertion.length}")
-        cb_wf null, assertion[0].toString()
+        cb_wf null, saml_response.toString()
     (result, cb_wf) ->
       debug result
       decrypted_assertion = (new xmldom.DOMParser()).parseFromString(result)
@@ -541,4 +541,3 @@ if process.env.NODE_ENV is "test"
   module.exports.get_session_index = get_session_index
   module.exports.parse_assertion_attributes = parse_assertion_attributes
   module.exports.set_option_defaults = set_option_defaults
-

test/data/post_response_outer_signature.xml

@@ -0,0 +1 @@
+PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sOkFzc2VydGlvbiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48c2FtbDpBdXRoblN0YXRlbWVudCBTZXNzaW9uSW5kZXg9ImIwN2I4MDRjLTdjMjktZWExNi03MzAwLTRmM2Q2Zjc5MjhhYyIvPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5CZW5qYW1pbjwvc2FtbDpOYW1lSUQ+PC9zYW1sOlN1YmplY3Q+PC9zYW1sOkFzc2VydGlvbj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48bm9kZT48bmFtZSBJZD0iXzAiPkJlbmphbWluPC9uYW1lPjwvbm9kZT48U2lnbmF0dXJlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48U2lnbmVkSW5mbz48Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48UmVmZXJlbmNlIFVSST0iI18wIj48VHJhbnNmb3Jtcz48VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9UcmFuc2Zvcm1zPjxEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxEaWdlc3RWYWx1ZT5BajlYTGt6VjRqQkV4c0NLU3Y0ZkZVZUlyY2c9PC9EaWdlc3RWYWx1ZT48L1JlZmVyZW5jZT48L1NpZ25lZEluZm8+PFNpZ25hdHVyZVZhbHVlPmxySHBXSm5NR1RkK3RUZUY4TUM0dlFmNkNhb2Z6SG9lUFBWLzczcU9vSkxmclR6c2pTZ0krWVhRVDMrZ1NQeVBsOTJHYVVjcXJBbUFZMzFoajBCQVdTeHZvQTlyQi82VFQxbGQzMWN3S0ZHNmFaRzN0d25JOGlrWG1jOHhVTXFYYXpodGR2Z25aSXNHNGowZXc3UVQ0QWhSVzBJeHVSSnU4NkF4N0h4b2lORk9hMXR4V0xBaS9xQnpKcysvR3IrRmZWdk1IZkdkQnRyYThUL0RJZGxSZXVxZmhVdGRZQ09qMDlsRWhuUEFwMDBNNFdsaDY3Y3lyMEF2am9UNkdqdkdoZTVIZ2lXTk5kalU1RDFEamM4d3p6UHRsWE1oWUI3ek9KdUJVNUIxU2pKeVZmL0dEUnZvOEhjUEJTZTJhRDQ1UVZqbDRQVkZtSjRldU5NSlhNSHhZUT09PC9TaWduYXR1cmVWYWx1ZT48L1NpZ25hdHVyZT48L3NhbWxwOlJlc3BvbnNlPg==

test/saml2.coffee

@@ -278,6 +278,37 @@ describe 'saml2', ->
         assert.deepEqual response, expected_response
         done()
 
+    it 'allows the signature to be embedded outside of the assertion', (done) ->
+      sp_options =
+        entity_id: 'https://sp.example.com/metadata.xml'
+        private_key: get_test_file('test.pem')
+        certificate: get_test_file('test.crt')
+        assert_endpoint: 'https://sp.example.com/assert'
+      idp_options =
+        sso_login_url: 'https://idp.example.com/login'
+        sso_logout_url:  'https://idp.example.com/logout'
+        certificates: [ get_test_file('test.crt') ]
+      request_options =
+        allow_unencrypted_assertion: true
+        request_body:
+          SAMLResponse: get_test_file("post_response_outer_signature.xml")
+
+      sp = new saml2.ServiceProvider sp_options
+      idp = new saml2.IdentityProvider idp_options
+
+      sp.post_assert idp, request_options, (err, response) ->
+        assert not err?, "Got error: #{err}"
+        expected_response =
+          response_header: {}
+          type: 'authn_response'
+          user:
+            name_id: 'Benjamin',
+            session_index: 'b07b804c-7c29-ea16-7300-4f3d6f7928ac'
+            attributes: {}
+
+        assert.deepEqual response, expected_response
+        done()
+
     it 'errors if passed invalid data', (done) ->
       sp_options =
         entity_id: 'https://sp.example.com/metadata.xml'
@@ -412,7 +443,7 @@ describe 'saml2', ->
         sso_login_url: 'https://idp.example.com/login'
         sso_logout_url:  'https://idp.example.com/logout'
         certificates: 'other_service_cert'
-      request_options = 
+      request_options =
         assert_endpoint: 'https://sp.example.com/assert'
         relay_state: 'Some Relay State!'
         nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -438,7 +469,7 @@ describe 'saml2', ->
         sso_login_url: 'https://idp.example.com/login'
         sso_logout_url:  'https://idp.example.com/logout'
         certificates: 'other_service_cert'
-      request_options = 
+      request_options =
         assert_endpoint: 'https://sp.example.com/assert'
         relay_state: 'Some Relay State!'
 
@@ -492,7 +523,7 @@ describe 'saml2', ->
         name_id: 'name_id'
         session_index: 'session_index'
         sign_get_request: true
-      
+
       sp = new saml2.ServiceProvider sp_options
       idp = new saml2.IdentityProvider idp_options