From fa5b55d9a1773299e031a2b718a164949e640ae0 Mon Sep 17 00:00:00 2001
From: Brian Hartsock
Date: Wed, 12 Aug 2015 22:24:41 -0400
Subject: [PATCH] Fixed broken validatePostRequest method; Added support for parsing session index out of logout request

---
 lib/passport-saml/saml.js | 7 ++-
 test/static/cert.pem | 22 +++++++
 test/static/key.pem | 27 +++++++++
 .../logout_request_with_bad_signature.xml | 24 ++++++++
 .../logout_request_with_good_signature.xml | 30 ++++++++++
 .../logout_request_with_session_index.xml | 31 ++++++++++
 test/tests.js | 59 +++++++++++++++++++
 7 files changed, 199 insertions(+), 1 deletion(-)
 create mode 100644 test/static/cert.pem
 create mode 100644 test/static/key.pem
 create mode 100644 test/static/logout_request_with_bad_signature.xml
 create mode 100644 test/static/logout_request_with_good_signature.xml
 create mode 100644 test/static/logout_request_with_session_index.xml

diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
index 889858b6..94902766 100644
--- a/lib/passport-saml/saml.js
+++ b/lib/passport-saml/saml.js
@@ -693,6 +693,7 @@ SAML.prototype.checkTimestampsValidityError = function(nowMs, notBefore, notOnOr
 SAML.prototype.validatePostRequest = function (container, callback) {
 var self = this;
 var xml = new Buffer(container.SAMLRequest, 'base64').toString('utf8');
+ var dom = new xmldom.DOMParser().parseFromString(xml);
 var parserConfig = {
 explicitRoot: true,
 tagNameProcessors: [xml2js.processors.stripPrefix]
@@ -704,7 +705,7 @@ SAML.prototype.validatePostRequest = function (container, callback) {
 }
 // Check if this document has a valid top-level signature
- if (self.options.cert && !self.validateSignature(xml, self.options.cert)) {
+ if (self.options.cert && !self.validateSignature(xml, dom.documentElement, self.options.cert)) {
 return callback(new Error('Invalid signature'));
 }
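Review bot: `dom.documentElement` is handed to validateSignature on the rewritten condition without checking that the xmldom parse produced a root element; xmldom's DOMParser reports malformed input through its error handler rather than throwing, so on a non-well-formed body `dom.documentElement` is likely undefined and whether the check then fails closed depends on validateSignature, which is outside this hunk. A guard such as `if (!dom || !dom.documentElement) { return callback(new Error('Invalid XML')); }` right after the added parse line makes the rejection explicit instead of relying on the callee. The signature check also still runs only when `self.options.cert` is set, so a configuration without a certificate accepts the request without any signature verification; a comment like `// No cert configured: the request is accepted without signature verification` on that condition would make the behaviour visible to operators. validatePostRequest starts in this hunk but its body continues past the end of it.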
@@ -738,6 +739,10 @@ function processValidlySignedPostRequest(self, doc, callback) {
 } else {
 return callback(new Error('Missing SAML NameID'));
 }
+ var sessionIndex = request.SessionIndex;
+ if (sessionIndex) {
+ profile.sessionIndex = sessionIndex[0];
+ }
 callback(null, profile, true);
 } else {
diff --git a/test/static/cert.pem b/test/static/cert.pem
new file mode 100644
index 00000000..5cd2aa71
--- /dev/null
+++ b/test/static/cert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBF
+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynX
+KsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJy
+vO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+
+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEs
+lqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMS
+aebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvo
+W4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzH
+F6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV
+BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEX
+mBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7
+FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesS
+iTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpR
+v5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9Bf
+XNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8=
+-----END CERTIFICATE-----
diff --git a/test/static/key.pem b/test/static/key.pem
new file mode 100644
index 00000000..904084cc
--- /dev/null
+++ b/test/static/key.pem
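Review bot: The added `profile.sessionIndex = sessionIndex[0]` surfaces only the first SessionIndex, while a SAML LogoutRequest may carry several; the remaining values are silently dropped, which is worth either documenting or returning as a list. With xml2js, `request.SessionIndex` is presumably an array of plain strings only when the element has no attributes (otherwise the entry is an object with the text under `_`), so the value may need the same normalisation NameID gets just above — that handling is not visible in the hunk, so this needs confirming. At minimum add `// LogoutRequest may contain several SessionIndex elements; only the first is exposed on the profile` above the new block. processValidlySignedPostRequest begins and ends outside this hunk.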
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXy +ptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9J +oIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1 +Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYk +tn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCR +vFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABAoIBAF/Hh/a1Q7wuWZH2 +gjh8bLjis9hrTnpAzMpRNTOTxRvfrWf99vfNDA6ZBEXhlSxmvX6PronOjEB5vxcQ +oFiKqPzTUqf/MruguBykxc+VLAOL+5k1mt0dPqqz3CarMyL6lyWcou59FgudfR3c +DY1F8e2G0NP7oR1lioEKI4MszAwBEUt6oB4wDkGBv31uUbqtJZlxid9qOeMZxSCl +/uzd32wOwc/zWPCS2mtsE2PScq5Wzep6EGQEDRno0WbfkxHn+CZxvRYv5XVWtyUD +yCBrKuGQhRCCp6RO0x+39qxtXyT4m2ehwJb0wVmTPQ6e4ZayjRSlYHJI4+YPcdgc +WeT4HOECgYEA/SidmPth4jfQY7H6gv1wryNCNHsWssYiittsjsEv//McQR1Nsnoi +bU6RJTqpNFU0PPDgf9oh4W6Jxg8uHeuOcykacPhtlC9CotRYSJrxaOefW72G+ZWP +VlnErdJWPyb61olLKOH/lyXCbs7k3JltPqJwJGdt+9N9eu+N3D6+B80CgYEAxqJL ++J3UJVUSpLfkgnp03IglAeABEoCb1LzO8G63dHxucCP+Jt/enB1qSZ8ez+VwACzh +eCSFwzdL7Jqh0KJmcJf67c6YXZDfgT9oxWf6sY5KuljWvt6uvpvAATaHDM6Mvzyj +vlc/d+8uwed/Slbq2EfeTzPP6goK3ppfbBQFx9MCgYEA4JTWcm+X31J6WOb8AJaL +D6OsyNflRAVHgX206VNynJH0H8O6OLnmrqeDVc6baqSnqeRalLFTWyRvrreqxrpA +beMp5MxOkaX3bHIKO6bQwKqyEXWqNuG5/fW26CjvgCi5X/b+KS+MSW8i9KAwIY8u +feEmsPTcegmdiKDZbWhvtoUCgYBJooq1TJUDjekOZRlyAUFnK5VEf60GFeUu1RuF +6BVcOnCaY81ozd7xUro/Npyuhyig+AJRjoCD4PDlcmGAPWPqY3zjQY4cSYOBn2cQ +nz5BKjWrpRlewqBXCtf/2x3vcnacwjcVbbSamnFj8pSuk1AWA3Z3OAbghP6IjQPI +xhdqfwKBgBUG49pMk1yYldtrDWQnGg/73nKXcnxyRus8uus51eLFUUaTDyp2HMKY +DQer/NkQDDf26Ze1nBWURVPoMSU98JixBQjeKn3MX39PHtwFh6s3mxwLlzyxjAcu +MmFNzbu+qfEJ7pFmNaYR83s52qs6GyfclVPB8g6ICV5c98VoFfqB +-----END RSA PRIVATE KEY----- diff --git a/test/static/logout_request_with_bad_signature.xml b/test/static/logout_request_with_bad_signature.xml new file mode 100644 index 00000000..73c0a495 --- /dev/null +++ b/test/static/logout_request_with_bad_signature.xml 
@@ -0,0 +1,24 @@ + + http://sp.example.com/demo1/metadata.php + + + + + + + + + + + Q9PRlugQZKSBt+Ed9i6bKUGWND0= + + + e861LsuFQi4dmtZanZlFjCtHym5SLhjwRZMxW2DSMhPwWxg7tD2vOH7mgqqFd3Syt9Q6VYSiWyIdYkpf4jsVTGZDXKk2zQbUFG/avRC9EsgMIw7UfeMwFw0D/XGDqihV9YoQEc85wGdbafQOGhMXBxkt+1Ba37ok8mCZAEFlZpw= + + + MIIDtTCCAp2gAwIBAgIJAKg4VeVcIDz1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTUwODEzMDE1NDIwWhcNMTUwOTEyMDE1NDIwWjBFMQswCQYDVQQGEwJVUzETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG3ouM7U+fXbJt69X1H6d4UNg/uRr06pFuU9RkfIwNC+yaXyptqB3ynXKsL7BFt4DCd0fflRvJAx3feJIDp16wN9GDVHcufWMYPhh2j5HcTW/j9JoIJzGhJyvO00YKBt+hHy83iN1SdChKv5y0iSyiPP5GnqFw+ayyHoM6hSO0PqBou1Xb0ZSIE+DHosBnvVna5w2AiPY4xrJl9yZHZ4Q7DfMiYTgstjETio4bX+6oLiBnYktn7DjdEslqhffVme4PuBxNojI+uCeg/sn4QVLd/iogMJfDWNuLD8326Mi/FE9cCRvFlvAiMSaebMI3zPaySsxTK7Zgj5TpEbmbHI9wIDAQABo4GnMIGkMB0GA1UdDgQWBBSVGgvoW4MhMuzBGce29PY8vSzHFzB1BgNVHSMEbjBsgBSVGgvoW4MhMuzBGce29PY8vSzHF6FJpEcwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAKg4VeVcIDz1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAJu1rqs+anD74dbdwgd3CnqnQsQDJiEXmBhG2leaGt3ve9b/9gKaJg2pyb2NyppDe1uLqh6nNXDuzg1oNZrPz5pJL/eCXPl7FhxhMUi04TtLf8LeNTCIWYZiFuO4pmhohHcv8kRvYR1+6SkLTC8j/TZerm7qvesSiTQFNapa1eNdVQ8nFwVkEtWl+JzKEM1BlRcn42sjJkijeFp7DpI7pU+PnYeiaXpRv5pJo8ogM1iFxN+SnfEs0EuQ7fhKIG9aHKi7bKZ7L6SyX7MDIGLeulEU6lf5D9BfXNmcMambiS0pXhL2QXajt96UBq8FT2KNXY8XNtR4y6MyyCzhaiZZcc8= + + + + ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7 + diff --git a/test/static/logout_request_with_good_signature.xml b/test/static/logout_request_with_good_signature.xml new file mode 100644 index 00000000..f3b95f54 --- /dev/null +++ b/test/static/logout_request_with_good_signature.xml 
@@ -0,0 +1,30 @@ + + + http://sp.example.com/demo1/metadata.php + + + + + + + + + + + nnKN7AzO/KLZBu214w5N1xiKe+g= + + + qhMlsf/wCNvhOLXj7fl0yVWb0HETW+9n0ufhyf9nWtOifMbbBqjuKoMpfr6hfeL6 +W5saXHq8oA8OD1r/+9Qc38+pdl3bM+idRWCXYTp1rOpdpKTFAnCD8AmfPPfpwNMD +VAuRVmPxSgI5k5L6brhnr0bo+7pspr0Gly58HTBgUV3L/ausO/LwJFCD+SFy9XHn +QySm0H7RrzxdcAxuRrRpQQYXMJmo3fj7j3E99qU+cNjhxVWnJ4A2cbQeYmTOuHH0 +qmNxHPCuVYtWttIAQ5epDhpde7AWAvqtO7i0lPF2cO8iczvFx0MwjtxUFSC5qqUu +lCyEddWBO+aZ+DrP/uEy0A== + + + 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 + + + + ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7 + diff --git a/test/static/logout_request_with_session_index.xml b/test/static/logout_request_with_session_index.xml new file mode 100644 index 00000000..56d5d095 --- /dev/null +++ b/test/static/logout_request_with_session_index.xml @@ -0,0 +1,31 @@ + + + http://sp.example.com/demo1/metadata.php + + + + + + + + + + + eQtFs4k7Uzt9POhM6NzHHSSja/k= + + + vmzou5/AnRSIuVjSZywtxenWImhRkhjvy245zn+jeSWuD5dF5YSpBZTW2dYloRUj +nN8FCjJRMWFINuq0ByTNaJeUCR8JevgYSAkOnqesz5yEbmh8FTiIwWjx9eapW+O3 +rdehljK7E2ue7u4WLq+J6ld2xFQBhp71OsK+Q5Rpl4zel+iH3SyZxgNESEOS5cuC +EH5Y2sERFM4QRksLMKp6OvF07TfDfiqrcgWP6uzwVoCtPQuBdPJGNF6/uZW5HlGv +Y0R9BqN1el5RprY86A9ndLUCZnH8MzzeFSb3CEhfQSt00YtyzKfyGxLOedg+DmUA +F3qen7wKakNO/qyBM/amcA== + + + 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 + + + + ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7 + 1 + diff --git a/test/tests.js b/test/tests.js index 6ad94657..8f79c8e0 100644 --- a/test/tests.js +++ b/test/tests.js 
@@ -1128,4 +1128,63 @@ describe( 'passport-saml /', function() {
 });
 });
 });
+ describe('validatePostRequest()', function() {
+ var samlObj;
+ beforeEach(function() {
+ samlObj = new SAML({
+ cert: fs.readFileSync(__dirname + '/static/cert.pem', 'ascii')
+ });
+ });
+
+ it('errors if bad xml', function(done) {
+ var body = {
+ SAMLRequest: "asdf"
+ };
+ samlObj.validatePostRequest(body, function(err) {
+ should.exist(err);
+ done();
+ });
+ });
+ it('errors if bad signature', function(done) {
+ var body = {
+ SAMLRequest: fs.readFileSync(__dirname + '/static/logout_request_with_bad_signature.xml', 'base64')
+ };
+ samlObj.validatePostRequest(body, function(err) {
+ should.exist(err);
+ err.should.eql(new Error('Invalid signature'));
+ done();
+ });
+ });
+ it('returns profile for valid signature', function(done) {
+ var body = {
+ SAMLRequest: fs.readFileSync(__dirname + '/static/logout_request_with_good_signature.xml', 'base64')
+ };
+ samlObj.validatePostRequest(body, function(err, profile) {
+ should.not.exist(err);
+ profile.should.eql({
+ ID: 'pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1',
+ issuer: 'http://sp.example.com/demo1/metadata.php',
+ nameID: 'ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7',
+ nameIDFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+ });
+ done();
+ });
+ });
+ it('returns profile for valid signature including session index', function(done) {
+ var body = {
+ SAMLRequest: fs.readFileSync(__dirname + '/static/logout_request_with_session_index.xml', 'base64')
+ };
+ samlObj.validatePostRequest(body, function(err, profile) {
+ should.not.exist(err);
+ profile.should.eql({
+ ID: 'pfxd4d369e8-9ea1-780c-aff8-a1d11a9862a1',
+ issuer: 'http://sp.example.com/demo1/metadata.php',
+ nameID: 'ONELOGIN_f92cc1834efc0f73e9c09f482fce80037a6251e7',
+ nameIDFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+ sessionIndex: '1'
+ });
+ done();
+ });
+ });
+ });
 });
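Review bot: The new suite never exercises a request whose Signature element is absent while `cert` is configured; the bad-signature fixture still contains a Signature, so a validateSignature that returns a truthy value when no signature is present would pass all four cases unnoticed. Adding an unsigned copy of the good-signature fixture and a case asserting an error closes that gap. The `err.should.eql(new Error('Invalid signature'))` assertion also relies on should.js comparing Error instances by message, so `err.message.should.equal('Invalid signature')` is the less ambiguous form. The enclosing `describe( 'passport-saml /'` block starts outside this hunk.
```javascript
// … unchanged: existing validatePostRequest() cases …
it('errors if signature is missing', function(done) {
  var body = {
    // PLACEHOLDER fixture: the good-signature request with its Signature element removed
    SAMLRequest: fs.readFileSync(__dirname + '/static/PLACEHOLDER_logout_request_without_signature.xml', 'base64')
  };
  samlObj.validatePostRequest(body, function(err) {
    should.exist(err);
    done();
  });
});
```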