More specific error messages for request certificate validation

lib/onelogin/ruby-saml/response.rb

@@ -863,7 +863,7 @@ def validate_signature
           valid = false
           expired = false
           idp_certs[:signing].each do |idp_cert|
-            valid = doc.validate_document_with_cert(idp_cert)
+            valid = doc.validate_document_with_cert(idp_cert, @soft)
             if valid
               if settings.security[:check_idp_cert_expiration]
                 if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)

lib/xml_security.rb

@@ -241,7 +241,7 @@ def validate_document(idp_cert_fingerprint, soft = true, options = {})
       validate_signature(base64_cert, soft)
     end
 
-    def validate_document_with_cert(idp_cert)
+    def validate_document_with_cert(idp_cert, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(
         self,
@@ -260,7 +260,7 @@ def validate_document_with_cert(idp_cert)
 
         # check saml response cert matches provided idp cert
         if idp_cert.to_pem != cert.to_pem
-          return false
+          return append_error("SAML response certificate does not match idp certificate", soft)
         end
       else
         base64_cert = Base64.encode64(idp_cert.to_pem)