From e5a6a03c9af7d65bda3a077b7cf1929726da465b Mon Sep 17 00:00:00 2001
From: Sam Decrock
Date: Thu, 11 Aug 2016 15:30:16 +0200
Subject: [PATCH] Different approach on fixing issue of pull request #69
---
 lib/saml2.coffee | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lib/saml2.coffee b/lib/saml2.coffee
index d248adf..af279f1 100644
--- a/lib/saml2.coffee
+++ b/lib/saml2.coffee
@@ -415,6 +415,17 @@ add_namespaces_to_child_assertions = (xml_string) ->
 parse_authn_response = (saml_response, sp_private_keys, idp_certificates, allow_unencrypted, ignore_signature, require_session_index, cb) ->
 user = {}
+ # strip of possible enveloping xml tags:
+ saml_response = saml_response.getElementsByTagNameNS(XMLNS.SAMLP, 'Response')[0] or saml_response
+ # check if we have a special case where the complete response is signed (an envelopped signature):
+ if !ignore_signature
+ for cert in idp_certificates or []
+ signed_data_from_complete_saml_response = check_saml_signature(saml_response.toString(), cert)
+ if signed_data_from_complete_saml_response.length is 1 and signed_data_from_complete_saml_response[0] == saml_response.toString()
+ # parse reponse without checking for signatures anymore:
+ return parse_authn_response(saml_response, sp_private_keys, idp_certificates, allow_unencrypted, true, require_session_index, cb)
+
 async.waterfall [
 (cb_wf) ->
 decrypt_assertion saml_response, sp_private_keys, (err, result) ->
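Review bot: In the new enveloped-signature shortcut, a throw from `check_saml_signature` (e.g. on a malformed Signature element, if that helper raises rather than returning an empty array — its body is not in the hunk) escapes synchronously from parse_authn_response instead of reaching `cb`, because the added loop runs before the async.waterfall that otherwise routes errors into the callback. Since a non-match already falls through to the existing signed-assertion path, the fail-closed fix is to keep trying the next certificate: `try` / `  signed_data_from_complete_saml_response = check_saml_signature(saml_response.toString(), cert)` / `catch then continue`. The comment before the recursive call should also say why passing `true` for ignore_signature is acceptable — it is only safe because `signed_data_from_complete_saml_response[0] == saml_response.toString()` pins the verified bytes to exactly the Response that is then parsed, so that equality must not be loosened; something like `# the whole Response we go on to parse is covered by a valid IdP signature, so per-assertion signature checks are redundant here`. Separately, `getElementsByTagNameNS(XMLNS.SAMLP, 'Response')[0]` selects the first Response in document order rather than the document element; that is harmless for the signed branch (the equality check still applies) but it also changes what the unchanged fallback path below receives, so confirm that is intended. The body of parse_authn_response continues past the end of this hunk.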