arekinath · kmacgugan · Jun 21, 2016 · Jun 21, 2016
diff --git a/include/esaml.hrl b/include/esaml.hrl
@@ -34,9 +34,11 @@
 	org = #esaml_org{} :: esaml:org(),
 	tech = #esaml_contact{} :: esaml:contact(),
 	signed_requests = true :: boolean(),
-	certificate :: binary() | undefined,
+	certificates :: [binary()] | undefined,
 	entity_id = "" :: string(),
-	login_location = "" :: string(),
+	login_location_post :: string(),
+	login_location_redirect :: string(),
+	login_location_artifact :: string(),
 	logout_location :: string() | undefined,
 	name_format = unknown :: esaml:name_format()}).
 

diff --git a/src/esaml.erl b/src/esaml.erl
@@ -144,17 +144,28 @@ decode_idp_metadata(Xml) ->
           {"ds", 'http://www.w3.org/2000/09/xmldsig#'}],
     esaml_util:threaduntil([
         ?xpath_attr_required("/md:EntityDescriptor/@entityID", esaml_idp_metadata, entity_id, bad_entity),
-        ?xpath_attr_required("/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']/@Location",
-            esaml_idp_metadata, login_location, missing_sso_location),
+        ?xpath_attr("/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']/@Location",
+            esaml_idp_metadata, login_location_post),
+        ?xpath_attr("/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']/@Location",
+            esaml_idp_metadata, login_location_redirect),
+        ?xpath_attr("/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']/@Location",
+            esaml_idp_metadata, login_location_artifact),
         ?xpath_attr("/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']/@Location",
             esaml_idp_metadata, logout_location),
         ?xpath_text("/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat/text()",
             esaml_idp_metadata, name_format, fun nameid_map/1),
-        ?xpath_text("/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate/text()", esaml_idp_metadata, certificate, fun(X) -> base64:decode(list_to_binary(X)) end),
+        ?xpath_text_multiple("/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate/text()", esaml_idp_metadata, certificates, fun(X) -> base64:decode(erlang:list_to_binary(X)) end),
         ?xpath_recurse("/md:EntityDescriptor/md:ContactPerson[@contactType='technical']", esaml_idp_metadata, tech, decode_contact),
-        ?xpath_recurse("/md:EntityDescriptor/md:Organization", esaml_idp_metadata, org, decode_org)
+        ?xpath_recurse("/md:EntityDescriptor/md:Organization", esaml_idp_metadata, org, decode_org),
+        fun check_at_least_one_binding/1
     ], #esaml_idp_metadata{}).
 
+check_at_least_one_binding(#esaml_idp_metadata{login_location_post = undefined,
+                                               login_location_redirect = undefined,
+                                               login_location_artifact = undefined}) ->
+    {error, missing_sso_location};
+check_at_least_one_binding(M) -> M.
+
 %% @private
 -spec decode_org(Xml :: #xmlElement{}) -> {ok, #esaml_org{}} | {error, term()}.
 decode_org(Xml) ->
@@ -636,4 +647,25 @@ validate_stale_assertion_test() ->
     }),
     {error, stale_assertion} = validate_assertion(E1, "foobar", "foo").
 
+decode_idp_metadata_with_multiple_bindings_test() ->
+    {Doc, _} = xmerl_scan:file("../test/data/okta_metadata.xml"),
+    {ok, IdP} = decode_idp_metadata(Doc),
+    #esaml_idp_metadata{login_location_post = "https://dev-xxx.okta.com/somehash/sso/saml_post"} = IdP,
+    #esaml_idp_metadata{login_location_redirect = "https://dev-xxx.okta.com/somehash/sso/saml_redirect"} = IdP,
+    #esaml_idp_metadata{login_location_artifact = "https://dev-xxx.okta.com/somehash/sso/saml_artifact"} = IdP.
+
+decode_idp_metadata_with_one_certificate_only_test() ->
+    {Doc, _} = xmerl_scan:file("../test/data/okta_metadata.xml"),
+    {ok, IdP} = decode_idp_metadata(Doc),
+    [Cert] = IdP#esaml_idp_metadata.certificates,
+    true = Cert =/= undefined.
+
+decode_idp_metadata_with_multiple_certificates_test() ->
+    {Doc, _} = xmerl_scan:file("../test/data/azure_metadata.xml"),
+    {ok, IdP} = decode_idp_metadata(Doc),
+    [Cert, AnotherCert|_] = IdP#esaml_idp_metadata.certificates,
+    true = Cert =/= undefined,
+    true = AnotherCert =/= undefined,
+    true = Cert =/= AnotherCert.
+
 -endif.
diff --git a/src/xmerl_xpath_macros.hrl b/src/xmerl_xpath_macros.hrl
@@ -14,6 +14,15 @@
         end
     end).
 
+-define(xpath_generic_multiple(XPath, Record, Field, TransFun, TargetType, NotFoundRet),
+	fun(Resp) ->
+        case xmerl_xpath:string(XPath, Xml, [{namespace, Ns}]) of
+            [_|_] = List ->
+                Resp#Record{Field = lists:map(TransFun, [V || #TargetType{value = V} <- List])};
+            _ -> NotFoundRet
+        end
+    end).
+
 -define(xpath_generic(XPath, Record, Field, TargetType, NotFoundRet),
 	fun(Resp) ->
         case xmerl_xpath:string(XPath, Xml, [{namespace, Ns}]) of
@@ -37,6 +46,11 @@
 -define(xpath_text(XPath, Record, Field, TransFun),
     ?xpath_generic(XPath, Record, Field, TransFun, xmlText, Resp)).
 
+-define(xpath_text_multiple(XPath, Record, Field),
+    ?xpath_generic_multiple(XPath, Record, Field, xmlText, Resp)).
+-define(xpath_text_multiple(XPath, Record, Field, TransFun),
+    ?xpath_generic_multiple(XPath, Record, Field, TransFun, xmlText, Resp)).
+
 -define(xpath_text_required(XPath, Record, Field, Error),
     ?xpath_generic(XPath, Record, Field, xmlText, {error, Error})).
 -define(xpath_text_required(XPath, Record, Field, TransFun, Error),
@@ -60,4 +74,4 @@
                 end;
             _ -> Resp
         end
-    end).
+    end).