Fixed problems in decryption

build_request.go

@@ -171,7 +171,7 @@ func (sp *SAMLServiceProvider) buildAuthURLFromDocument(relayState, binding stri
 		qs.Add("RelayState", relayState)
 	}
 
-	if sp.SignAuthnRequests && binding == BindingHttpRedirect {
+	if ((sp.SignAuthnRequests && binding == BindingHttpRedirect) || sp.IncludeSignatureParameters) {
 		// Sign URL encoded query (see Section 3.4.4.1 DEFLATE Encoding of saml-bindings-2.0-os.pdf)
 		ctx := sp.SigningContext()
 		qs.Add("SigAlg", ctx.GetSignatureMethodIdentifier())

decode_response.go

@@ -102,6 +102,9 @@ func xmlUnmarshalElement(el *etree.Element, obj interface{}) error {
 	}
 	return nil
 }
+func (sp *SAMLServiceProvider) GetDecryptCertificate() (*tls.Certificate, error) {
+	return sp.getDecryptCert()
+}
 
 func (sp *SAMLServiceProvider) getDecryptCert() (*tls.Certificate, error) {
 	if sp.SPKeyStore == nil {
@@ -289,6 +292,8 @@ func (sp *SAMLServiceProvider) ValidateEncodedResponse(encodedResponse string) (
 		return nil, err
 	}
 
+	decrypted := etree.NewDocument()
+	decrypted.SetRoot(el.Copy())
 	var assertionSignaturesValidated bool
 	if !sp.SkipSignatureValidation {
 		err = sp.validateAssertionSignatures(el)
@@ -304,6 +309,7 @@ func (sp *SAMLServiceProvider) ValidateEncodedResponse(encodedResponse string) (
 	}
 
 	decodedResponse := &types.Response{}
+	decodedResponse.Document = decrypted
 	err = xmlUnmarshalElement(el, decodedResponse)
 	if err != nil {
 		return nil, fmt.Errorf("unable to unmarshal response: %v", err)

saml.go

@@ -4,14 +4,13 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//     https://www.apache.org/licenses/LICENSE-2.0
+//	https://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-
 package saml2
 
 import (
@@ -60,7 +59,9 @@ type SAMLServiceProvider struct {
 	// IsPassive attribute in authentication request requires that the identity provider and the
 	// user agent itself MUST NOT visibly take control of the user interface from the requester
 	// and interact with the presenter in a noticeable fashion.
-	IsPassive bool
+	IsPassive                  bool
+	IncludeSignatureParameters bool
+
 	// RequestedAuthnContext allows service providers to require that the identity
 	// provider use specific authentication mechanisms. Leaving this unset will
 	// permit the identity provider to choose the auth method. To maximize compatibility

types/response.go

@@ -16,6 +16,7 @@ package types
 
 import (
 	"encoding/xml"
+	"github.com/beevik/etree"
 	"time"
 )
 
@@ -45,6 +46,7 @@ type Response struct {
 	Assertions          []Assertion          `xml:"Assertion"`
 	EncryptedAssertions []EncryptedAssertion `xml:"EncryptedAssertion"`
 	SignatureValidated  bool                 `xml:"-"` // not read, not dumped
+	Document            *etree.Document       `xml:"-"` // not read, not dumped
 }
 
 type LogoutResponse struct {