johnnyshields
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/test.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 11 additions & 6 deletions b/‎CHANGELOG.md‎
Lines changed: 11 additions & 6 deletions
diff --git a/‎README.md‎
Lines changed: 23 additions & 12 deletions b/‎README.md‎
Lines changed: 23 additions & 12 deletions
diff --git a/‎UPGRADING.md‎
Lines changed: 32 additions & 23 deletions b/‎UPGRADING.md‎
Lines changed: 32 additions & 23 deletions
diff --git a/‎lib/ruby_saml.rb‎
Lines changed: 1 addition & 1 deletion b/‎lib/ruby_saml.rb‎
Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - ubuntu-20.04
+          - ubuntu-22.04
           - macos-latest
           - windows-latest
         ruby-version:
@@ -36,10 +36,13 @@ jobs:
           - 3.3
           - 3.4
           - jruby-9.4
+          - jruby-10.0
           - truffleruby
         exclude:
           - os: windows-latest
             ruby-version: jruby-9.4
+          - os: windows-latest
+            ruby-version: jruby-10.0
           - os: windows-latest
             ruby-version: truffleruby
     runs-on: ${{ matrix.os }}
 
@@ -21,6 +21,11 @@
 * [#731](https://github.com/SAML-Toolkits/ruby-saml/pull/731) Add CI coverage for Ruby 3.4. Remove CI coverage for Ruby 1.x and 2.x.
 * [#735](https://github.com/SAML-Toolkits/ruby-saml/pull/735) Add `Settings#sp_uuid_prefix` and deprecate `Utils#set_prefix`.
 
+### 1.18.1  (Jul 29, 2025)
+* Fix vulnerability CVE-2025-54572 Prevent DOS due large SAML Message
+* Adapt tests to be able to execute signature validation sooner
+* CI Improvements. Support Ruby 3.4
+
 ### 1.18.0  (Mar 12, 2025)
 * [#750](https://github.com/SAML-Toolkits/ruby-saml/pull/750) Fix vulnerabilities: CVE-2025-25291, CVE-2025-25292: SAML authentication bypass via Signature Wrapping attack allowed due parser differential. Fix vulnerability: CVE-2025-25293: Potential DOS abusing of compressed messages.
 * [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
@@ -61,7 +66,7 @@
 * [#614](https://github.com/SAML-Toolkits/ruby-saml/pull/614) Support :name_id_format option for IdpMetadataParser
 * [#611](https://github.com/SAML-Toolkits/ruby-saml/pull/611) IdpMetadataParser should always set idp_cert_multi, even when there is only one cert
 * [#610](https://github.com/SAML-Toolkits/ruby-saml/pull/610) New IDP sso/slo binding params which deprecate :embed_sign
-* [#602](https://github.com/SAML-Toolkits/ruby-saml/pull/602) Refactor the OneLogin::RubySaml::Metadata class
+* [#602](https://github.com/SAML-Toolkits/ruby-saml/pull/602) Refactor the RubySaml::Metadata class
 * [#586](https://github.com/SAML-Toolkits/ruby-saml/pull/586) Support milliseconds in cacheDuration parsing
 * [#585](https://github.com/SAML-Toolkits/ruby-saml/pull/585) Do not append " | " to StatusCode unnecessarily
 * [#607](https://github.com/SAML-Toolkits/ruby-saml/pull/607) Clean up
@@ -136,7 +141,7 @@
 * Updated invalid audience error message
 
 ### 1.7.2 (Feb 28, 2018)
-* [#446](https://github.com/SAML-Toolkits/ruby-saml/pull/446) Normalize text returned by OneLogin::RubySaml::Utils.element_text
+* [#446](https://github.com/SAML-Toolkits/ruby-saml/pull/446) Normalize text returned by RubySaml::Utils.element_text
 
 ### 1.7.1 (Feb 28, 2018)
 * [#444](https://github.com/SAML-Toolkits/ruby-saml/pull/444) Fix audience validation for empty audience restriction
@@ -266,7 +271,7 @@
 * [#226](https://github.com/SAML-Toolkits/ruby-saml/pull/226) Ensure IdP certificate is formatted properly
 * [#225](https://github.com/SAML-Toolkits/ruby-saml/pull/225) Add documentation to several methods. Fix xpath injection on xml_security.rb
 * [#223](https://github.com/SAML-Toolkits/ruby-saml/pull/223) Allow logging to be delegated to an arbitrary Logger
-* [#222](https://github.com/SAML-Toolkits/ruby-saml/pull/222) No more silent failure fetching idp metadata (OneLogin::RubySaml::HttpError raised).
+* [#222](https://github.com/SAML-Toolkits/ruby-saml/pull/222) No more silent failure fetching idp metadata (RubySaml::HttpError raised).
 
 ### 0.9.2 (Apr 28, 2015)
 * [#216](https://github.com/SAML-Toolkits/ruby-saml/pull/216) Add fingerprint algorithm support
@@ -314,10 +319,10 @@
 * [#183](https://github.com/SAML-Toolkits/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
 
 ### 0.8.0 (Feb 21, 2014)
-**IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+**IMPORTANT**: This release changed namespace of the gem from `Saml` to `RubySaml`.  Please update your implementations of the gem accordingly.
 
-* [#111](https://github.com/SAML-Toolkits/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
-* [#108](https://github.com/SAML-Toolkits/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
+* [#111](https://github.com/SAML-Toolkits/ruby-saml/pull/111) `` is ``
+* [#108](https://github.com/SAML-Toolkits/ruby-saml/pull/108) Change namespacing from `Saml` to `Rubysaml`
 
 ### 0.7.3 (Feb 20, 2014)
 Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
 
@@ -9,9 +9,18 @@ Ruby SAML minor versions may introduce breaking changes. Please read
 
 ## Vulnerability Notice
 
-There are **critical vulnerabilities** affecting ruby-saml < 1.18.0 which allow
-SAML authentication bypass (CVE-2024-45409, CVE-2025-25291, CVE-2025-25292, CVE-2025-25293).
-**Please upgrade to a fixed version (1.18.0 or 2.0.0) as soon as possible.**
+Please note the following **critical vulnerabilities**:
+
+- CVE-2025-54572 (DOS attack vector) affects version ruby-saml < 1.18.1
+- CVE-2024-45409, CVE-2025-25291, CVE-2025-25292, CVE-2025-25293 (SAML authentication bypass) affects ruby-saml < 1.18.0
+
+**Please upgrade to a fixed version (2.0.0 or 1.18.1) as soon as possible.**
+
+## Sponsors
+
+Thanks to the following sponsors for securing the open source ecosystem,
+
+[<img alt="84codes" src="https://avatars.githubusercontent.com/u/5353257" width="75px">](https://www.84codes.com)
 
 ## Overview
 
@@ -46,7 +55,7 @@ it by email to the maintainer: sixto.martin.garcia+security@gmail.com
 The following Ruby versions are covered by CI testing:
 
 * Ruby (MRI) 3.0 to 3.4
-* JRuby 9.4
+* JRuby 9.4 to 10.0
 * TruffleRuby (latest)
 
 Older Ruby versions are supported on the 1.x release of Ruby SAML.
@@ -929,22 +938,24 @@ or underscore, and can only contain letters, digits, underscores, hyphens, and p
 
 Some IdPs may require to add SPs to add additional fields (Organization, ContactPerson, etc.)
 into the SP metadata. This can be done by extending the `RubySaml::Metadata` class and
-overriding the `#add_extras` method using a Nokogiri XML builder as per the following example:
+overriding the `#add_extras` method where the first arg is a
+[Nokogiri::XML::Builder](https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html) object as per
+the following example:
 
 ```ruby
 class MyMetadata < RubySaml::Metadata
   private
 
   def add_extras(xml, _settings)
-    xml['md'].Organization do
-      xml['md'].OrganizationName('ACME Inc.', 'xml:lang' => 'en-US')
-      xml['md'].OrganizationDisplayName('ACME', 'xml:lang' => 'en-US')
-      xml['md'].OrganizationURL('https://www.acme.com', 'xml:lang' => 'en-US')
+    xml.Organization do
+      xml.OrganizationName('xml:lang' => 'en-US') { xml.text 'ACME Inc.' }
+      xml.OrganizationDisplayName('xml:lang' => 'en-US') { xml.text 'ACME' }
+      xml.OrganizationURL('xml:lang' => 'en-US') { xml.text 'https://www.acme.com' }
     end
 
-    xml['md'].ContactPerson('contactType' => 'technical') do
-      xml['md'].GivenName('ACME SAML Team')
-      xml['md'].EmailAddress('saml@acme.com')
+    xml.ContactPerson('contactType' => 'technical') do
+      xml.GivenName { xml.text 'ACME SAML Team' }
+      xml.EmailAddress { xml.text 'saml@acme.com' }
     end
   end
 end
 
@@ -96,8 +96,6 @@ authn.url
 RubySaml::Application(settings).sp.build('AuthnRequest', **options)
 
 
-
-
 ## Upgrading from 1.x to 2.0.0
 
 **IMPORTANT: Please read this section carefully as it contains breaking changes!**
@@ -124,15 +122,15 @@ This issue is likely not critical for most IdPs, but since it is not tested, it
 
 ### Root "OneLogin" namespace changed to "RubySaml"
 
-RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`.
-Please remove `OneLogin::` and `onelogin/` everywhere in your codebase. Aside from this namespace change,
+RubySaml version `2.0.0` changes the root namespace from `RubySaml::` to just `RubySaml::`.
+Please remove `` and `onelogin/` everywhere in your codebase. Aside from this namespace change,
 the class names themselves have intentionally been kept the same.
 
 Note that the project folder structure has also been updated accordingly. Notably, the directory
 `lib/onelogin/schemas` is now `lib/ruby_saml/schemas`.
 
-For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work
-as before. This alias will be removed in RubySaml version `2.1.0`.
+For backward compatibility, the alias `OneLogin = Object` has been set, so `RubySaml::` will still work
+as before. This alias will be removed in RubySaml version `3.0.0`.
 
 ### Deprecation and removal of "XMLSecurity" namespace
 
@@ -172,24 +170,33 @@ settings.security[:signature_method] = RubySaml::XML::RSA_SHA1
 ### Replacement of REXML with Nokogiri
 
 RubySaml `1.x` used a combination of REXML and Nokogiri for XML parsing and generation.
-In `2.0.0`, REXML has been replaced with Nokogiri. This change should be transparent
-to most users, however, see note about Custom Metadata Fields below.
+In `2.0.0`, REXML has been replaced with Nokogiri. As a result, there are minor differences
+in how XML is generated, ncluding SAML requests and SP Metadata: 
+
+1. All XML namespace declarations will be on the root node of the XML. Previously,
+   some declarations such as `xmlns:ds` were done on child nodes.
+2. The ordering of attributes on each node may be different.
+
+These differences should not affect how the XML is parsed by various XML parsing libraries.
+However, if you are strictly asserting that the generated XML is an exact string in your tests,
+such tests may need to be adjusted accordingly.
 
 ### Custom Metadata Fields now use Nokogiri XML Builder
 
 If you have added custom fields to your SP metadata generation by overriding
-the `RubySaml::Metadata#add_extras` method, you will need to update your code to use
-[Nokogiri::XML::Builder](https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html) format
-instead of REXML. Here is an example of the new format:
+the `RubySaml::Metadata#add_extras` method, you will need to update your code
+so that the first arg of the method is a
+[Nokogiri::XML::Builder](https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html)
+object. Here is an example of the new format:
 
 ```ruby
 class MyMetadata < RubySaml::Metadata
   private
 
-  def add_extras(xml, _settings)
-    xml['md'].ContactPerson('contactType' => 'technical') do
-      xml['md'].GivenName('ACME SAML Team')
-      xml['md'].EmailAddress('saml@acme.com')
+  def add_extras(builder, _settings)
+    builder.ContactPerson('contactType' => 'technical') do
+      builder.GivenName { builder.text 'ACME SAML Team' }
+      builder.EmailAddress { builder.text 'saml@acme.com' }
     end
   end
 end
@@ -199,7 +206,7 @@ end
 
 RubySaml now always uses double quotes for attribute values when generating XML.
 The `settings.double_quote_xml_attribute_values` parameter now always behaves as `true`,
-and will be removed in RubySaml 2.1.0.
+and will be removed in RubySaml 3.0.0.
 
 The reasons for this change are:
 - RubySaml will use Nokogiri instead of REXML to generate XML. Nokogiri does not support
@@ -252,7 +259,7 @@ a different `sp_uuid_prefix` is passed-in on subsequent calls.
 ### Deprecation of compression settings
 
 The `settings.compress_request` and `settings.compress_response` parameters have been deprecated
-and are no longer functional. They will be removed in RubySaml 2.1.0. Please remove `compress_request`
+and are no longer functional. They will be removed in RubySaml 3.0.0. Please remove `compress_request`
 and `compress_response` everywhere within your project code.
 
 The SAML SP request/response message compression behavior is now controlled automatically by the
@@ -264,13 +271,15 @@ compression may be achieved by enabling `Content-Encoding: gzip` on your webserv
 ### Deprecation of IdP certificate fingerprint settings
 
 The `settings.idp_cert_fingerprint` and `settings.idp_cert_fingerprint_algorithm` are deprecated
-and will be removed in RubySaml 2.1.0. Please use `settings.idp_cert` or `settings.idp_cert_multi` instead.
-The reasons for this deprecation are that (1) fingerprint cannot be used with HTTP-Redirect binding,
-and (2) fingerprint is theoretically susceptible to collision attacks.
+and will be removed in RubySaml 3.0.0. Please use `settings.idp_cert` or `settings.idp_cert_multi` instead.
+
+The reasons for this deprecation are:
+- Fingerprint cannot be used with HTTP-Redirect binding
+- Fingerprint is theoretically susceptible to collision attacks.
 
 ### Other settings deprecations
 
-The following parameters in `RubySaml::Settings` are deprecated and will be removed in RubySaml 2.1.0:
+The following parameters in `RubySaml::Settings` are deprecated and will be removed in RubySaml 3.0.0:
 
 - `#issuer` is deprecated and replaced 1:1 by `#sp_entity_id`
 - `#idp_sso_target_url` is deprecated and replaced 1:1 by `#idp_sso_service_url`
@@ -406,7 +415,7 @@ options = {
     "RelayState" => raw_query_params["RelayState"],
   },
 }
-slo_logout_request = OneLogin::RubySaml::SloLogoutrequest.new(query_params["SAMLRequest"], settings, options)
+slo_logout_request = RubySaml::SloLogoutrequest.new(query_params["SAMLRequest"], settings, options)
 raise "Invalid Logout Request" unless slo_logout_request.is_valid?
 ```
 
@@ -466,4 +475,4 @@ Version `0.9` adds many new features and improvements.
 
 ## Upgrading from 0.7.x to 0.8.x
 
-Version `0.8.x` changes the namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+Version `0.8.x` changes the namespace of the gem from `Saml` to `RubySaml`.  Please update your implementations of the gem accordingly.
@@ -39,5 +39,5 @@
 require 'ruby_saml/utils'
 require 'ruby_saml/version'
 
-# @deprecated This alias adds compatibility with v1.x and will be removed in v2.1.0
+# @deprecated This alias adds compatibility with v1.x and will be removed in v3.0.0
 OneLogin = Object