diff --git a/.coveralls.yml b/.coveralls.yml
index 173ff356..cb6cdeb2 100644
--- a/.coveralls.yml
+++ b/.coveralls.yml
@@ -1,4 +1,4 @@
-service_name: travis-ci
+service_name: github
 
 src_dir: lib
 
diff --git a/.github/workflows/php-package.yml b/.github/workflows/php-package.yml
index ea1b48bb..4f12009f 100644
--- a/.github/workflows/php-package.yml
+++ b/.github/workflows/php-package.yml
@@ -5,9 +5,9 @@ name: php-saml package
 
 on:
   push:
-    branches: [ master, 2.* ]
+    branches: [ master, 3.*, 4.* ]
   pull_request:
-    branches: [ master, 2.* ]
+    branches: [ master, 3.*, 4.* ]
 
 jobs:
   test:
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index f3c0a43e..00000000
--- a/.travis.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-language: php
-dist: trusty
-php:
-  - 5.5
-  - 5.6
-
-matrix:
-  fast_finish: true
-  include:
-    - php: 5.3
-      dist: precise
-    - php: 5.4
-      dist: precise
-
-env:
- - TRAVIS=true
-
-before_install:
- - composer self-update || true
- - composer install --prefer-source --no-interaction
-
-before_script:
-  - phpenv config-rm xdebug.ini
-
-script:
-  - vendor/bin/phpunit
-  - php vendor/bin/phpcpd --exclude tests --exclude vendor .
-  - php vendor/bin/phploc . --exclude vendor
-  - php vendor/bin/phploc lib/.
-  - mkdir -p tests/build/dependences
-  - php vendor/bin/pdepend --summary-xml=tests/build/logs/dependence-summary.xml --jdepend-chart=tests/build/dependences/jdepend.svg --overview-pyramid=tests/build/dependences/pyramid.svg  lib/.
-  - php vendor/bin/phpcs --standard=tests/ZendModStandard lib/Saml2 demo1 demo2 demo-old endpoints tests/src
-
-after_script:
-  - export TRAVIS=https://travis-ci.org/onelogin/php-saml
-  - echo $TRAVIS
-  - echo $TRAVIS_JOB_ID
-  - php vendor/bin/coveralls --config .coveralls.yml -v
diff --git a/CHANGELOG b/CHANGELOG
index 08a1a53a..8ddb5764 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,34 @@
 CHANGELOG
 =========
+
+v.2.21.0
+* [#619](https://github.com/SAML-Toolkits/php-saml/pull/619) Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773
+* [#603](https://github.com/SAML-Toolkits/php-saml/issues/603) Fix typo in ignoreValidUntil that breaks metadata. Add parameter to exclude validUntil on Settings getSPMetadata
+* [#594](https://github.com/SAML-Toolkits/php-saml/pull/594) Add support for encrypted name id in encrypted assertion
+* Fix buildWithBaseURLPath
+* Doc fix typo
+* Remove Travis CI references
+
+v.2.20.0
+* [#586](https://github.com/SAML-Toolkits/php-saml/pull/586) IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate
+* [#585](https://github.com/SAML-Toolkits/php-saml/pull/585) Declare conditional return types
+* Make Saml2\Auth can accept a param $spValidationOnly
+* [#577](https://github.com/SAML-Toolkits/php-saml/pull/577) Allow empty NameID value when no strict or wantNameId is false
+* [#570](https://github.com/SAML-Toolkits/php-saml/pull/570) Support X509 cert comments
+* [#569](https://github.com/SAML-Toolkits/php-saml/pull/569) Add parameter to exclude validUntil on SP Metadata XML
+* [#551](https://github.com/SAML-Toolkits/php-saml/pull/551) Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST
+* [#487](https://github.com/SAML-Toolkits/php-saml/issues/487) Enable strict check on in_array method
+* Fix typos on readme.
+* [#480](https://github.com/SAML-Toolkits/php-saml/pull/480) Fix typo on SPNameQualifier mismatch error message
+* Add $spValidationOnly param to Auth
+* Update xmlseclibs (3.1.2 without AES-GCM and OAEP support)
+* Add warning about Open Redirect and Reply attacks
+* Add warning about the use of IdpMetadataParser class. If Metadata URLs
+  are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF
+* Update dependencies
+* Fix test payloads
+* Remove references to OneLogin.
+
 v.2.19.1
 * [#467](https://github.com/onelogin/php-saml/issues/467) Fix bug on getSelfRoutedURLNoQuery method
 
@@ -8,7 +37,7 @@ v.2.19.0
 * [#433](https://github.com/onelogin/php-saml/issues/443) Fix Incorrect Destination in LogoutResponse when using responseUrl #443
 * Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts
 * Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting
-* Get lib path dinamically
+* Get lib path dynamically
 * Check for x509Cert of the IdP when loading settings, even if the security index was not provided
 
 v.2.18.1
@@ -31,7 +60,7 @@ v.2.17.1
 v.2.17.0
 * Set true as the default value for strict setting
 * Support 'x509cert' and 'privateKey' on signMetadata security settings
-* Relax comparision of false on SignMetadata
+* Relax comparison of false on SignMetadata
 * Fix CI
 
 v.2.16.0
@@ -70,7 +99,7 @@ v.2.12.0
 * [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest.
 
 v.2.11.0
-* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads
+* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecessary files from Composer production downloads
 * [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request
 * Improve logout documentation on Readme.
 * Improve multi-certificate support
@@ -176,14 +205,14 @@ v.2.7.0
 * Fix PHP 7 error (used continue outside a loop/switch).
 * Fix bug on organization element of the SP metadata builder.
 * Fix typos on documentation. Fix ALOWED Misspell.
-* Be able to extract RequestID. Add RequestID validation on demo1. 
+* Be able to extract RequestID. Add RequestID validation on demo1.
 * Add $stay parameter to login, logout and processSLO method.
 
 v.2.6.1
 -------
 * Fix bug on cacheDuration of the Metadata XML generated.
 * Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder.
-* Allows the authn comparsion attribute to be set via config.
+* Allows the authn comparison attribute to be set via config.
 * Retrieve Session Timeout after processResponse with getSessionExpiration().
 * Improve readme readability.
 * Allow single log out to work for applications not leveraging php session_start. Added a callback parameter in order to close the session at processSLO.
@@ -201,8 +230,8 @@ v.2.6.0
 
 v.2.5.0
 -------
-* Do accesible the ID of the object Logout Request (id attribute).
-* Add note about the fact that PHP 5.3 is unssuported.
+* Do accessible the ID of the object Logout Request (id attribute).
+* Add note about the fact that PHP 5.3 is unsupported.
 * Add fingerprint algorithm support.
 * Add dependences to composer.
 
@@ -230,7 +259,7 @@ v.2.2.0
 -------
 * Fix bug with Encrypted nameID on LogoutRequest.
 * Fixed usability bug. SP will inform about AuthFail status after process a Response.
-* Added SessionIndex support on LogoutRequest, and know is accesible from the Auth class.
+* Added SessionIndex support on LogoutRequest, and know is accessible from the Auth class.
 * LogoutRequest and LogoutResponse classes now accept non deflated xml.
 * Improved the XML metadata/ Decrypted Assertion output. (prettyprint).
 * Fix bug in formatPrivateKey method, the key could be not RSA.
diff --git a/README.md b/README.md
index d7b6cf12..8c6407af 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,9 @@
 Add SAML support to your PHP software using this library.
 
 
-**The 3.X branch is compatible with PHP > 7.1, so if you are using that PHP version, use it and not the 2.X or the master branch**
+**The 3.X branch is compatible with PHP 7.0, PHP 7.1, PHP 7.2 , so if you are using that PHP version, use it and not the 2.X or the master branch**
+
+**The 4.X branch is compatible with PHP >= 7.3 and PHP 8.X**
 
 Warning
 -------
@@ -189,14 +191,14 @@ a trusted and expected URL.
 Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).
 
 
-### Avoiding Reply attacks ###
+### Avoiding Replay attacks ###
 
-A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
+A replay attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
 
 SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
 make harder this kind of attacks, but they are still possible.
 
-In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need
+In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs already validated and processed. Those values only need
 to be stored the amount of time of the SAML Message life time, so
 we don't need to store all processed message/assertion Ids, but the most recent ones.
 
@@ -554,11 +556,11 @@ $advancedSettings = array (
 
         // If true, Destination URL should strictly match to the address to
         // which the response has been sent.
-        // Notice that if 'relaxDestinationValidation' is true an empty Destintation
+        // Notice that if 'relaxDestinationValidation' is true an empty Destination
         // will be accepted.
         'destinationStrictlyMatches' => false,
 
-        // If true, SAMLResponses with an InResponseTo value will be rejectd if not
+        // If true, SAMLResponses with an InResponseTo value will be rejected if not
         // AuthNRequest ID provided to the validation method.
         'rejectUnsolicitedResponsesWithInResponseTo' => false,
 
@@ -598,7 +600,7 @@ $advancedSettings = array (
     ),
 
     // Organization information template, the info in en_US lang is
-    // recomended, add more if required.
+    // recommended, add more if required.
     'organization' => array (
         'en-US' => array(
             'name' => '',
@@ -713,7 +715,7 @@ The login method can receive other six optional parameters:
 * `$parameters` - An array of parameters that will be added to the `GET` in the HTTP-Redirect.
 * `$forceAuthn` - When true the `AuthNRequest` will set the `ForceAuthn='true'`
 * `$isPassive` - When true the `AuthNRequest` will set the `Ispassive='true'`
-* `$strict` - True if we want to stay (returns the url string) False to redirect
+* `$stay` - True if we want to stay (returns the url string) False to redirect
 * `$setNameIdPolicy` - When true the AuthNRequest will set a nameIdPolicy element.
 * `$nameIdValueReq` - Indicates to the IdP the subject that should be authenticated.
 
@@ -945,7 +947,7 @@ $auth->processSLO(false, $requestID);
 $errors = $auth->getErrors();
 
 if (empty($errors)) {
-    echo 'Sucessfully logged out';
+    echo 'Successfully logged out';
 } else {
     echo implode(', ', $errors);
 }
@@ -1152,7 +1154,7 @@ if (isset($_GET['sso'])) {    // SSO action.  Will send an AuthNRequest to the I
         echo '<p>', implode(', ', $errors), '</p>';
     }
                                           // This check if the response was
-    if (!$auth->isAuthenticated()) {      // sucessfully validated and the user
+    if (!$auth->isAuthenticated()) {      // successfully validated and the user
         echo "<p>Not authenticated</p>";  // data retrieved or not
         exit();
     }
@@ -1167,7 +1169,7 @@ if (isset($_GET['sso'])) {    // SSO action.  Will send an AuthNRequest to the I
     $auth->processSLO();            // Process the Logout Request & Logout Response
     $errors = $auth->getErrors(); // Retrieves possible validation errors
     if (empty($errors)) {
-        echo '<p>Sucessfully logged out</p>';
+        echo '<p>Successfully logged out</p>';
     } else {
         echo '<p>', implode(', ', $errors), '</p>';
     }
@@ -1417,7 +1419,7 @@ SAML 2 Authentication Response class
 SAML 2 Logout Request class
 
  * `OneLogin_Saml2_LogoutRequest` - Constructs the Logout Request object.
- * `getRequest` - Returns the Logout Request defated, base64encoded, unsigned
+ * `getRequest` - Returns the Logout Request deflated, base64encoded, unsigned
  * `getID` - Returns the ID of the Logout Request. (If you have the object you can access to the id attribute)
  * `getNameIdData` - Gets the NameID Data of the the Logout Request.
  * `getNameId` - Gets the NameID of the Logout Request.
@@ -1484,7 +1486,7 @@ A class that contains functionality related to the metadata of the SP
 
 * `builder` - Generates the metadata of the SP based on the settings.
 * `signmetadata` - Signs the metadata with the key/cert provided
-* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encriptation) to
+* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encryption) to
   the metadata
 
 ##### OneLogin_Saml2_Utils - `Utils.php` #####
diff --git a/advanced_settings_example.php b/advanced_settings_example.php
index 95b2f87e..ce974e19 100644
--- a/advanced_settings_example.php
+++ b/advanced_settings_example.php
@@ -91,11 +91,11 @@
 
         // If true, Destination URL should strictly match to the address to
         // which the response has been sent.
-        // Notice that if 'relaxDestinationValidation' is true an empty Destintation
+        // Notice that if 'relaxDestinationValidation' is true an empty Destination
         // will be accepted.
         'destinationStrictlyMatches' => false,
 
-        // If true, SAMLResponses with an InResponseTo value will be rejectd if not
+        // If true, SAMLResponses with an InResponseTo value will be rejected if not
         // AuthNRequest ID provided to the validation method.
         'rejectUnsolicitedResponsesWithInResponseTo' => false,
 
@@ -121,7 +121,7 @@
         'lowercaseUrlencoding' => false,
     ),
 
-    // Contact information template, it is recommended to suply a technical and support contacts
+    // Contact information template, it is recommended to supply a technical and support contacts
     'contactPerson' => array (
         'technical' => array (
             'givenName' => '',
@@ -133,7 +133,7 @@
         ),
     ),
 
-    // Organization information template, the info in en_US lang is recomended, add more if required
+    // Organization information template, the info in en_US lang is recommended, add more if required
     'organization' => array (
         'en-US' => array(
             'name' => '',
diff --git a/demo1/Readme.txt b/demo1/Readme.txt
index d8810676..392ae176 100644
--- a/demo1/Readme.txt
+++ b/demo1/Readme.txt
@@ -43,7 +43,7 @@ How it works
     notice that a RelayState parameter is set to the url that initiated the
     process, the index.php view.
 
-    2.2 in the second link we access to (attrs.php) have the same process described at 2.1 with the diference that as RelayState is set the attrs.php
+    2.2 in the second link we access to (attrs.php) have the same process described at 2.1 with the difference that as RelayState is set the attrs.php
 
 3. The SAML Response is processed in the ACS (index.php?acs), if the Response
    is not valid, the process stop here and a message is showed. Otherwise we
@@ -64,7 +64,7 @@ How it works
     side, the logout process is initiated at the idP, sends a Logout Request to the SP (SLS endpoint, index.php?sls). The SLS endpoint of the SP
     process the Logout Request and if is valid, close the session of the user
     at the local app and send a Logout Response to the IdP (to the SLS endpoint
-    of the IdP). The IdP recieve the Logout Response, process it and close the
+    of the IdP). The IdP receive the Logout Response, process it and close the
     session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP.
 
 Notice that all the SAML Requests and Responses are handler at a unique file,
diff --git a/demo1/index.php b/demo1/index.php
index 8e1babd9..4ec511f3 100644
--- a/demo1/index.php
+++ b/demo1/index.php
@@ -53,7 +53,7 @@
     $auth->logout($returnTo, $parameters, $nameId, $sessionIndex, false, $nameIdFormat, $samlNameIdNameQualifier, $samlNameIdSPNameQualifier);
 
     # If LogoutRequest ID need to be saved in order to later validate it, do instead
-    # $sloBuiltUrl = $auth->logout(null, $paramters, $nameId, $sessionIndex, true);
+    # $sloBuiltUrl = $auth->logout(null, $parameters, $nameId, $sessionIndex, true);
     # $_SESSION['LogoutRequestID'] = $auth->getLastRequestID();
     # header('Pragma: no-cache');
     # header('Cache-Control: no-cache, must-revalidate');
@@ -105,7 +105,7 @@
     $auth->processSLO(false, $requestID);
     $errors = $auth->getErrors();
     if (empty($errors)) {
-        echo '<p>Sucessfully logged out</p>';
+        echo '<p>Successfully logged out</p>';
     } else {
         echo '<p>', htmlentities(implode(', ', $errors)), '</p>';
         if ($auth->getSettings()->isDebugActive()) {
diff --git a/demo2/Readme.txt b/demo2/Readme.txt
index 7a34800f..1be1ab01 100644
--- a/demo2/Readme.txt
+++ b/demo2/Readme.txt
@@ -54,7 +54,7 @@ demo1, only changes the targets.
  3. We are logged in the app and the user attributes are showed.
     At this point, we can test the single log out functionality.
 
- 4. The single log out funcionality could be tested by 2 ways.
+ 4. The single log out functionality could be tested by 2 ways.
 
     4.1 SLO Initiated by SP. Click on the "logout" link at the SP, after that
     we are redirected to the slo.php view and there a Logout Request is sent
@@ -69,7 +69,7 @@ demo1, only changes the targets.
     Request to the SP (SLS endpoint sls.php of the endpoint folder).
     The SLS endpoint of the SP process the Logout Request and if is valid,
     close the session of the user at the local app and sends a Logout Response
-    to the IdP (to the SLS endpoint of the IdP).The IdP recieves the Logout
+    to the IdP (to the SLS endpoint of the IdP).The IdP receives the Logout
     Response, process it and close the session at of the IdP. Notice that the
     SLO Workflow starts and ends at the IdP.
 
diff --git a/docs/Saml2/files/Settings.php.txt b/docs/Saml2/files/Settings.php.txt
index ba715b5e..66e5e83b 100644
--- a/docs/Saml2/files/Settings.php.txt
+++ b/docs/Saml2/files/Settings.php.txt
@@ -684,7 +684,7 @@ class OneLogin_Saml2_Settings
                     || !isset($organization['displayname']) || empty($organization['displayname'])
                     || !isset($organization['url']) || empty($organization['url'])
                 ) {
-                    $errors[] = 'organization_not_enought_data';
+                    $errors[] = 'organization_not_enough_data';
                     break;
                 }
             }
diff --git a/endpoints/sls.php b/endpoints/sls.php
index 7dd508ba..909376e3 100644
--- a/endpoints/sls.php
+++ b/endpoints/sls.php
@@ -14,7 +14,7 @@
 $errors = $auth->getErrors();
 
 if (empty($errors)) {
-    echo 'Sucessfully logged out';
+    echo 'Successfully logged out';
 } else {
     echo htmlentities(implode(', ', $errors));
 }
diff --git a/extlib/xmlseclibs/xmlseclibs.php b/extlib/xmlseclibs/xmlseclibs.php
index d1095c8a..5139d62d 100644
--- a/extlib/xmlseclibs/xmlseclibs.php
+++ b/extlib/xmlseclibs/xmlseclibs.php
@@ -37,7 +37,7 @@
  * @author     Robert Richards <rrichards@cdatazone.org>
  * @copyright  2007-2019 Robert Richards <rrichards@cdatazone.org>
  * @license    http://www.opensource.org/licenses/bsd-license.php  BSD License
- * @version    3.0.4 modified
+ * @version    3.1.2 modified
  */
 
 class XMLSecurityKey {
@@ -198,13 +198,13 @@ public function getSymmetricKeySize() {
         }
         return $this->cryptParams['keysize'];
     }
-      
+
     public function generateSessionKey() {
         if (!isset($this->cryptParams['keysize'])) {
             throw new Exception('Unknown key size for type "' . $this->type . '".');
         }
         $keysize = $this->cryptParams['keysize'];
-        
+
         if (function_exists('openssl_random_pseudo_bytes')) {
             /* We have PHP >= 5.3 - use openssl to generate session key. */
             $key = openssl_random_pseudo_bytes($keysize);
@@ -212,7 +212,7 @@ public function generateSessionKey() {
             /* Generating random key using iv generation routines */
             $key = mcrypt_create_iv($keysize, MCRYPT_RAND);
         }
-        
+
         if ($this->type === XMLSecurityKey::TRIPLEDES_CBC) {
             /* Make sure that the generated key has the proper parity bits set.
              * Mcrypt doesn't care about the parity bits, but others may care.
@@ -227,7 +227,7 @@ public function generateSessionKey() {
                 $key[$i] = chr($byte);
             }
         }
-        
+
         $this->key = $key;
         return $key;
     }
@@ -281,6 +281,10 @@ public function loadKey($key, $isFile=false, $isCert = false) {
                 $this->key = openssl_get_publickey($this->key);
             } else {
                 $this->key = openssl_get_privatekey($this->key, $this->passphrase);
+
+                if ($this->key === false) {
+                    throw new Exception('Unable to extract private key (invalid key or passphrase): ' . openssl_error_string());
+                }
             }
         } else if (isset($this->cryptParams['cipher']) && $this->cryptParams['cipher'] == MCRYPT_RIJNDAEL_128) {
             /* Check key length */
@@ -469,7 +473,7 @@ static function convertRSA($modulus, $exponent) {
     public function serializeKey($parent) {
 
     }
-    
+
 
 
     /**
@@ -557,7 +561,7 @@ public function __construct() {
     private function resetXPathObj() {
         $this->xPathCtx = null;
     }
-    
+
     private function getXPathObj() {
         if (empty($this->xPathCtx) && ! empty($this->sigNode)) {
             $xpath = new DOMXPath($this->sigNode->ownerDocument);
@@ -654,7 +658,7 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefi
                 $withComments = true;
                 break;
         }
-        
+
         if (is_null($arXPath) && ($node instanceof DOMNode) && ($node->ownerDocument !== null) && $node->isSameNode($node->ownerDocument->documentElement)) {
             /* Check for any PI or comments as they would have been excluded */
             $element = $node;
@@ -668,7 +672,7 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=null, $prefi
                 $node = $node->ownerDocument;
             }
         }
-        
+
         return $node->C14N($exclusive, $withComments, $arXPath, $prefixList);
     }
 
@@ -686,10 +690,22 @@ public function canonicalizeSignedInfo() {
             if ($signInfoNode = $nodeset->item(0)) {
                 $query = "./secdsig:CanonicalizationMethod";
                 $nodeset = $xpath->query($query, $signInfoNode);
+                $prefixList = null;
                 if ($canonNode = $nodeset->item(0)) {
                     $canonicalmethod = $canonNode->getAttribute('Algorithm');
+                    foreach ($canonNode->childNodes as $node)
+                    {
+                        if ($node->localName == 'InclusiveNamespaces') {
+                            if ($pfx = $node->getAttribute('PrefixList')) {
+                                $arpfx = array_filter(explode(' ', $pfx));
+                                if (count($arpfx) > 0) {
+                                    $prefixList = array_merge($prefixList ? $prefixList : array(), $arpfx);
+                                }
+                            }
+                        }
+                    }
                 }
-                $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod);
+                $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod, null, $prefixList);
                 return $this->signedInfo;
             }
         }
@@ -918,10 +934,10 @@ public function validateReference() {
         if ($nodeset->length == 0) {
             throw new Exception("Reference nodes not found");
         }
-        
+
         /* Initialize/reset the list of validated nodes. */
         $this->validatedNodes = array();
-        
+
         foreach ($nodeset AS $refNode) {
             if (! $this->processRefNode($refNode)) {
                 /* Clear the list of validated nodes. */
@@ -976,8 +992,8 @@ private function addRefInternal($sinfoNode, $node, $algorithm, $arTransforms=nul
             foreach ($arTransforms AS $transform) {
                 $transNode = $this->createNewSignNode('Transform');
                 $transNodes->appendChild($transNode);
-                if (is_array($transform) && 
-                    (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116'])) && 
+                if (is_array($transform) &&
+                    (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116'])) &&
                     (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']))) {
                     $transNode->setAttribute('Algorithm', 'http://www.w3.org/TR/1999/REC-xpath-19991116');
                     $XPathNode = $this->createNewSignNode('XPath', $transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']);
@@ -1134,7 +1150,7 @@ public function appendKey($objKey, $parent=null) {
      *
      * @param $node  The node the signature element should be inserted into.
      * @param $beforeNode  The node the signature element should be located before.
-     * 
+     *
      * @return DOMNode The signature element node
      */
     public function insertSignature($node, $beforeNode = null) {
@@ -1196,9 +1212,9 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa
         if (! $parentRef instanceof DOMElement) {
             throw new Exception('Invalid parent Node parameter');
         }
-        
+
         list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath);
-        
+
         // Add all certs if there are more than one
         $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
 
@@ -1217,7 +1233,7 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa
                 $subjectName = true;
             }
         }
-        
+
         // Attach all certificate nodes and any additional data
         foreach ($certs as $X509Cert){
             if ($issuerSerial || $subjectName) {
@@ -1236,7 +1252,7 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa
                             }
                             $subjectNameValue = implode(',', $parts);
                         } else {
-                            $subjectNameValue = $certData['issuer'];
+                            $subjectNameValue = $certData['subject'];
                         }
                         $x509SubjectNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SubjectName', $subjectNameValue);
                         $x509DataNode->appendChild($x509SubjectNode);
@@ -1251,17 +1267,17 @@ static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=true, $isURL=fa
                         } else {
                             $issuerName = $certData['issuer'];
                         }
-                        
+
                         $x509IssuerNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerSerial');
                         $x509DataNode->appendChild($x509IssuerNode);
-                        
+
                         $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509IssuerName', $issuerName);
                         $x509IssuerNode->appendChild($x509Node);
                         $x509Node = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509SerialNumber', $certData['serialNumber']);
                         $x509IssuerNode->appendChild($x509Node);
                     }
                 }
-                
+
             }
             $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
             $x509DataNode->appendChild($x509CertNode);
@@ -1273,14 +1289,14 @@ public function add509Cert($cert, $isPEMFormat=true, $isURL=false, $options=null
             self::staticAdd509Cert($this->sigNode, $cert, $isPEMFormat, $isURL, $xpath, $options);
          }
     }
-    
+
     /**
      * This function appends a node to the KeyInfo.
      *
      * The KeyInfo element will be created if one does not exist in the document.
      *
      * @param DOMNode $node The node to append to the KeyInfo.
-     * 
+     *
      * @return DOMNode The KeyInfo element node
      */
     public function appendToKeyInfo($node) {
@@ -1289,12 +1305,12 @@ public function appendToKeyInfo($node) {
         $xpath = $this->getXPathObj();
 
         list($parentRef, $keyInfo) = self::auxKeyInfo($parentRef, $xpath);
-                
+
         $keyInfo->appendChild($node);
-        
+
         return $keyInfo;
     }
-    
+
     static function auxKeyInfo($parentRef, $xpath=null)
     {
         $baseDoc = $parentRef->ownerDocument;
@@ -1302,7 +1318,7 @@ static function auxKeyInfo($parentRef, $xpath=null)
             $xpath = new DOMXPath($parentRef->ownerDocument);
             $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
         }
-        
+
         $query = "./secdsig:KeyInfo";
         $nodeset = $xpath->query($query, $parentRef);
         $keyInfo = $nodeset->item(0);
@@ -1507,7 +1523,7 @@ public function getCipherValue() {
      * @params XMLSecurityKey $objKey  The decryption key that should be used when decrypting the node.
      * @params boolean $replace  Whether we should replace the encrypted node in the XML document with the decrypted data. The default is true.
      * @return string|DOMElement  The decrypted data.
-     */     
+     */
     public function decryptNode($objKey, $replace=true) {
         if (! $objKey instanceof XMLSecurityKey) {
             throw new Exception('Invalid Key');
@@ -1707,7 +1723,7 @@ static function staticLocateKeyInfo($objBaseKey=null, $node=null) {
                     if ($x509certNodes = $child->getElementsByTagName('X509Certificate')) {
                         if ($x509certNodes->length > 0) {
                             $x509cert = $x509certNodes->item(0)->textContent;
-                            $x509cert = str_replace(array("\r", "\n", " "), "", $x509cert);
+                            $x509cert = str_replace(array("\r", "\n", " ", "\t"), "", $x509cert);
                             $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n";
                             $objBaseKey->loadKey($x509cert, false, true);
                         }
diff --git a/lib/Saml2/Auth.php b/lib/Saml2/Auth.php
index c8a1c6f0..956c5052 100644
--- a/lib/Saml2/Auth.php
+++ b/lib/Saml2/Auth.php
@@ -143,8 +143,8 @@ class OneLogin_Saml2_Auth
     /**
      * Initializes the SP SAML instance.
      *
-     * @param array|object|null $oldSettings Setting data (You can provide a OneLogin_Saml_Settings, the settings object of the Saml folder implementation)
-     * @param bool $spValidationOnly if you only as an SP , you should set it to false if not you should set it to true
+     * @param array|object|null $oldSettings      Setting data (You can provide a OneLogin_Saml_Settings, the settings object of the Saml folder implementation)
+     * @param bool              $spValidationOnly If true, The library will only validate the SAML SP settings
      *
      * @throws OneLogin_Saml2_Error
      */
@@ -246,6 +246,7 @@ public function processResponse($requestId = null)
      * @param bool        $stay                         True if we want to stay (returns the url string) False to redirect
      *
      * @return string|null
+     * @phpstan-return ($stay is true ? string : never)
      *
      * @throws OneLogin_Saml2_Error
      */
@@ -498,6 +499,7 @@ public function getAttributeWithFriendlyName($friendlyName)
      * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated
      *
      * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
+     * @phpstan-return ($stay is true ? string : never)
      *
      * @throws OneLogin_Saml2_Error
      */
@@ -540,6 +542,7 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
      * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest.
      *
      * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
+     * @phpstan-return ($stay is true ? string : never)
      *
      * @throws OneLogin_Saml2_Error
      */
diff --git a/lib/Saml2/Error.php b/lib/Saml2/Error.php
index 7afc8ddd..ae0c2e55 100644
--- a/lib/Saml2/Error.php
+++ b/lib/Saml2/Error.php
@@ -25,6 +25,7 @@ class OneLogin_Saml2_Error extends Exception
     const SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12;
     const PRIVATE_KEY_NOT_FOUND = 13;
     const UNSUPPORTED_SETTINGS_OBJECT = 14;
+    const INVALID_PARAMETER = 15;
 
     /**
      * Constructor
diff --git a/lib/Saml2/IdPMetadataParser.php b/lib/Saml2/IdPMetadataParser.php
index 195b5691..c2121ac1 100644
--- a/lib/Saml2/IdPMetadataParser.php
+++ b/lib/Saml2/IdPMetadataParser.php
@@ -25,7 +25,7 @@ class OneLogin_Saml2_IdPMetadataParser
      *
      * @return array metadata info in php-saml settings format
      */
-    public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT)
+    public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT, $validatePeer = false)
     {
         $metadataInfo = array();
 
@@ -37,7 +37,7 @@ public static function parseRemoteXML($url, $entityId = null, $desiredNameIdForm
             curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
             curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
-            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $validatePeer);
             curl_setopt($ch, CURLOPT_FAILONERROR, 1);
 
             $xml = curl_exec($ch);
diff --git a/lib/Saml2/LogoutRequest.php b/lib/Saml2/LogoutRequest.php
index 882a8daf..2a4a6a1e 100644
--- a/lib/Saml2/LogoutRequest.php
+++ b/lib/Saml2/LogoutRequest.php
@@ -136,7 +136,7 @@ public function __construct(OneLogin_Saml2_Settings $settings, $request = null,
 
 
     /**
-     * Returns the Logout Request defated, base64encoded, unsigned
+     * Returns the Logout Request deflated, base64encoded, unsigned
      *
      * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it.
      *
diff --git a/lib/Saml2/LogoutResponse.php b/lib/Saml2/LogoutResponse.php
index 21c1adad..763ee0ca 100644
--- a/lib/Saml2/LogoutResponse.php
+++ b/lib/Saml2/LogoutResponse.php
@@ -213,7 +213,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
     }
 
     /**
-     * Extracts a node from the DOMDocument (Logout Response Menssage)
+     * Extracts a node from the DOMDocument (Logout Response Message)
      *
      * @param string $query Xpath Expresion
      *
diff --git a/lib/Saml2/Metadata.php b/lib/Saml2/Metadata.php
index 9343ac44..3f63a093 100644
--- a/lib/Saml2/Metadata.php
+++ b/lib/Saml2/Metadata.php
@@ -21,10 +21,11 @@ class OneLogin_Saml2_Metadata
      * @param array         $contacts      Contacts info
      * @param array         $organization  Organization ingo
      * @param array         $attributes
+     * @param bool          $ignoreValidUntil exclude the validUntil tag from metadata
      *
      * @return string SAML Metadata XML
      */
-    public static function builder($sp, $authnsign = false, $wsign = false, $validUntil = null, $cacheDuration = null, $contacts = array(), $organization = array(), $attributes = array())
+    public static function builder($sp, $authnsign = false, $wsign = false, $validUntil = null, $cacheDuration = null, $contacts = array(), $organization = array(), $attributes = array(), $ignoreValidUntil = false)
     {
 
         if (!isset($validUntil)) {
@@ -144,27 +145,37 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn
 
             $requestedAttributeStr = implode(PHP_EOL, $requestedAttributeData);
             $strAttributeConsumingService = <<<METADATA_TEMPLATE
-<md:AttributeConsumingService index="1">
+
+        <md:AttributeConsumingService index="1">
             <md:ServiceName xml:lang="en">{$sp['attributeConsumingService']['serviceName']}</md:ServiceName>
 {$attrCsDesc}{$requestedAttributeStr}
         </md:AttributeConsumingService>
 METADATA_TEMPLATE;
         }
 
+        if ($ignoreValidUntil) {
+            $timeStr = <<<TIME_TEMPLATE
+cacheDuration="PT{$cacheDuration}S"
+TIME_TEMPLATE;
+        } else {
+            $timeStr = <<<TIME_TEMPLATE
+validUntil="{$validUntilTime}"
+                     cacheDuration="PT{$cacheDuration}S"
+TIME_TEMPLATE;
+        }
+
         $spEntityId = htmlspecialchars($sp['entityId'], ENT_QUOTES);
         $acsUrl = htmlspecialchars($sp['assertionConsumerService']['url'], ENT_QUOTES);
         $metadata = <<<METADATA_TEMPLATE
 <?xml version="1.0"?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
-                     validUntil="{$validUntilTime}"
-                     cacheDuration="PT{$cacheDuration}S"
+                     {$timeStr}
                      entityID="{$spEntityId}">
     <md:SPSSODescriptor AuthnRequestsSigned="{$strAuthnsign}" WantAssertionsSigned="{$strWsign}" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 {$sls}        <md:NameIDFormat>{$sp['NameIDFormat']}</md:NameIDFormat>
         <md:AssertionConsumerService Binding="{$sp['assertionConsumerService']['binding']}"
                                      Location="{$acsUrl}"
-                                     index="1" />
-        {$strAttributeConsumingService}
+                                     index="1" />{$strAttributeConsumingService}
     </md:SPSSODescriptor>{$strOrganization}{$strContacts}
 </md:EntityDescriptor>
 METADATA_TEMPLATE;
diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php
index 1b57400e..519af8e0 100644
--- a/lib/Saml2/Response.php
+++ b/lib/Saml2/Response.php
@@ -38,6 +38,13 @@ class OneLogin_Saml2_Response
      */
     public $encrypted = false;
 
+    /**
+     * The response contains an encrypted nameId in the assertion.
+     *
+     * @var bool
+     */
+    public $encryptedNameId = false;
+
     /**
      * After validation, if it fail this var has the cause of the problem
      * @var string
@@ -165,7 +172,7 @@ public function isValid($requestId = null)
                 }
 
                 $currentURL = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
-                
+
                 $responseInResponseTo = null;
                 if ($this->document->documentElement->hasAttribute('InResponseTo')) {
                     $responseInResponseTo = $this->document->documentElement->getAttribute('InResponseTo');
@@ -200,14 +207,12 @@ public function isValid($requestId = null)
                     );
                 }
 
-                if ($security['wantNameIdEncrypted']) {
-                    $encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData');
-                    if ($encryptedIdNodes->length != 1) {
-                        throw new OneLogin_Saml2_ValidationError(
-                            "The NameID of the Response is not encrypted and the SP requires it",
-                            OneLogin_Saml2_ValidationError::NO_ENCRYPTED_NAMEID
-                        );
-                    }
+                $this->encryptedNameId = $this->encryptedNameId || $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')->length > 0;
+                if (!$this->encryptedNameId && $security['wantNameIdEncrypted']) {
+                    throw new OneLogin_Saml2_ValidationError(
+                        "The NameID of the Response is not encrypted and the SP requires it",
+                        OneLogin_Saml2_ValidationError::NO_ENCRYPTED_NAMEID
+                    );
                 }
 
                 // Validate Conditions element exists
@@ -218,7 +223,7 @@ public function isValid($requestId = null)
                     );
                 }
 
-                // Validate Asserion timestamps
+                // Validate Assertion timestamps
                 $this->validateTimestamps();
 
                 // Validate AuthnStatement element exists and is unique
@@ -357,7 +362,7 @@ public function isValid($requestId = null)
                         OneLogin_Saml2_ValidationError::NO_SIGNED_ASSERTION
                     );
                 }
-                
+
                 if ($security['wantMessagesSigned'] && !$hasSignedResponse) {
                     throw new OneLogin_Saml2_ValidationError(
                         "The Message of the Response is not signed and the SP requires it",
@@ -366,17 +371,6 @@ public function isValid($requestId = null)
                 }
             }
 
-            // Detect case not supported
-            if ($this->encrypted) {
-                $encryptedIDNodes = OneLogin_Saml2_Utils::query($this->decryptedDocument, '/samlp:Response/saml:Assertion/saml:Subject/saml:EncryptedID');
-                if ($encryptedIDNodes->length > 0) {
-                    throw new OneLogin_Saml2_ValidationError(
-                        'SAML Response that contains a an encrypted Assertion with encrypted nameId is not supported.',
-                        OneLogin_Saml2_ValidationError::NOT_SUPPORTED
-                    );
-                }
-            }
-
             if (empty($signedElements) || (!$hasSignedResponse && !$hasSignedAssertion)) {
                 throw new OneLogin_Saml2_ValidationError(
                     'No Signature found. SAML Response rejected',
@@ -585,9 +579,15 @@ public function getNameIdData()
         if ($encryptedIdDataEntries->length == 1) {
             $encryptedData = $encryptedIdDataEntries->item(0);
 
-            $key = $this->_settings->getSPkey();
+            $pem = $this->_settings->getSPkey();
+            if (empty($pem)) {
+                throw new OneLogin_Saml2_Error(
+                    "No private key available, check settings",
+                    OneLogin_Saml2_Error::PRIVATE_KEY_NOT_FOUND
+                );
+            }
             $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'private'));
-            $seckey->loadKey($key);
+            $seckey->loadKey($pem);
 
             $nameId = OneLogin_Saml2_Utils::decryptElement($encryptedData, $seckey);
 
@@ -600,8 +600,8 @@ public function getNameIdData()
 
         $nameIdData = array();
 
+        $security = $this->_settings->getSecurityData();
         if (!isset($nameId)) {
-            $security = $this->_settings->getSecurityData();
             if ($security['wantNameId']) {
                 throw new OneLogin_Saml2_ValidationError(
                     "NameID not found in the assertion of the Response",
@@ -609,7 +609,7 @@ public function getNameIdData()
                 );
             }
         } else {
-            if ($this->_settings->isStrict() && empty($nameId->nodeValue)) {
+            if ($this->_settings->isStrict() && $security['wantNameId'] && empty($nameId->nodeValue)) {
                 throw new OneLogin_Saml2_ValidationError(
                     "An empty NameID value found",
                     OneLogin_Saml2_ValidationError::EMPTY_NAMEID
@@ -983,9 +983,9 @@ public function validateSignedElements($signedElements)
         $responseTag = '{'.OneLogin_Saml2_Constants::NS_SAMLP.'}Response';
         $assertionTag = '{'.OneLogin_Saml2_Constants::NS_SAML.'}Assertion';
 
-        $ocurrence = array_count_values($signedElements);
-        if ((in_array($responseTag, $signedElements) && $ocurrence[$responseTag] > 1) ||
-            (in_array($assertionTag, $signedElements) && $ocurrence[$assertionTag] > 1) ||
+        $occurrence = array_count_values($signedElements);
+        if ((in_array($responseTag, $signedElements) && $occurrence[$responseTag] > 1) ||
+            (in_array($assertionTag, $signedElements) && $occurrence[$assertionTag] > 1) ||
             !in_array($responseTag, $signedElements) && !in_array($assertionTag, $signedElements)
         ) {
             return false;
@@ -1068,7 +1068,7 @@ protected function _queryAssertion($assertionXpath)
     }
 
     /**
-     * Extracts nodes that match the query from the DOMDocument (Response Menssage)
+     * Extracts nodes that match the query from the DOMDocument (Response Message)
      *
      * @param string $query Xpath Expresion
      *
@@ -1129,7 +1129,7 @@ protected function _decryptAssertion($dom)
                 $objKeyInfo->loadKey($pem, false, false);
             }
         }
-                
+
         if (empty($objKey->key)) {
             $objKey->loadKey($key);
         }
@@ -1139,6 +1139,17 @@ protected function _decryptAssertion($dom)
         if ($check === false) {
             throw new Exception('Error: string from decrypted assertion could not be loaded into a XML document');
         }
+
+        // check if the decrypted assertion contains an encryptedID
+        $encryptedID = $decrypted->getElementsByTagName('EncryptedID')->item(0);
+        if ($encryptedID) {
+            // decrypt the encryptedID
+            $this->encryptedNameId = true;
+            $encryptedData = $encryptedID->getElementsByTagName('EncryptedData')->item(0);
+            $nameId = $this->decryptNameId($encryptedData, $pem);
+            OneLogin_Saml2_Utils::treeCopyReplace($encryptedID, $nameId);
+        }
+
         if ($encData->parentNode instanceof DOMDocument) {
             return $decrypted;
         } else {
@@ -1171,6 +1182,46 @@ protected function _decryptAssertion($dom)
         }
     }
 
+    /**
+     * Decrypt EncryptedID element
+     *
+     * @param \DOMElement $encryptedData The encrypted data.
+     * @param string     $key            The private key
+     *
+     * @return \DOMElement  The decrypted element.
+     *
+     * @throws OneLogin_Saml2_Error
+     * @throws OneLogin_Saml2_ValidationError
+     */
+    private function decryptNameId(\DOMElement $encryptedData, string $pem)
+    {
+        $objenc = new XMLSecEnc();
+        $encData = $objenc->locateEncryptedData($encryptedData);
+        $objenc->setNode($encData);
+        $objenc->type = $encData->getAttribute("Type");
+        if (!$objKey = $objenc->locateKey()) {
+            throw new OneLogin_Saml2_ValidationError(
+                "Unknown algorithm",
+                ValidationError::KEY_ALGORITHM_ERROR
+            );
+        }
+        $key = null;
+        if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) {
+            if ($objKeyInfo->isEncrypted) {
+                $objencKey = $objKeyInfo->encryptedCtx;
+                $objKeyInfo->loadKey($pem, false, false);
+                $key = $objencKey->decryptKey($objKeyInfo);
+            } else {
+                // symmetric encryption key support
+                $objKeyInfo->loadKey($pem, false, false);
+            }
+        }
+        if (empty($objKey->key)) {
+            $objKey->loadKey($key);
+        }
+        return OneLogin_Saml2_Utils::decryptElement($encryptedData, $objKey);
+    }
+
     /**
      * After execute a validation process, if fails this method returns the cause
      *
diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php
index 358bf5ea..bec377e8 100644
--- a/lib/Saml2/Settings.php
+++ b/lib/Saml2/Settings.php
@@ -672,7 +672,7 @@ public function checkSPSettings($settings)
                 if (!isset($contact['givenName']) || empty($contact['givenName'])
                     || !isset($contact['emailAddress']) || empty($contact['emailAddress'])
                 ) {
-                    $errors[] = 'contact_not_enought_data';
+                    $errors[] = 'contact_not_enough_data';
                     break;
                 }
             }
@@ -684,7 +684,7 @@ public function checkSPSettings($settings)
                     || !isset($organization['displayname']) || empty($organization['displayname'])
                     || !isset($organization['url']) || empty($organization['url'])
                 ) {
-                    $errors[] = 'organization_not_enought_data';
+                    $errors[] = 'organization_not_enough_data';
                     break;
                 }
             }
@@ -888,15 +888,16 @@ public function getIdPSLOResponseUrl()
      *   or $advancedSettings['security']['wantAssertionsEncrypted'] are enabled.
      * @param DateTime|null $validUntil    Metadata's valid time
      * @param int|null      $cacheDuration Duration of the cache in seconds
+     * @param bool          $ignoreValidUntil exclude the validUntil tag from metadata
      *
      * @return string  SP metadata (xml)
      *
      * @throws Exception
      * @throws OneLogin_Saml2_Error
      */
-    public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil = null, $cacheDuration = null)
+    public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil = null, $cacheDuration = null, $ignoreValidUntil = false)
     {
-        $metadata = OneLogin_Saml2_Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization());
+        $metadata = OneLogin_Saml2_Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization(), array(), $ignoreValidUntil);
 
         $certNew = $this->getSPcertNew();
         if (!empty($certNew)) {
@@ -1040,7 +1041,7 @@ public function formatIdPCert()
     }
 
     /**
-     * Formats the Multple IdP certs.
+     * Formats the Multiple IdP certs.
      */
     public function formatIdPCertMulti()
     {
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
index 24ecbd58..6ace614d 100644
--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
@@ -208,27 +208,29 @@ public static function treeCopyReplace(DomNode $targetNode, DomNode $sourceNode,
     /**
      * Returns a x509 cert (adding header & footer if required).
      *
-     * @param string  $cert  A x509 unformated cert
-     * @param bool    $heads True if we want to include head and footer
+     * @param string  $x509cert  A x509 unformated cert
+     * @param bool    $heads     True if we want to include head and footer
      *
      * @return string $x509 Formatted cert
      */
+     public static function formatCert($x509cert, $heads = true)
+     {
+         if (is_null($x509cert)) {
+           return;
+         }
 
-    public static function formatCert($cert, $heads = true)
-    {
-        $x509cert = str_replace(array("\x0D", "\r", "\n"), "", $cert);
-        if (!empty($x509cert)) {
-            $x509cert = str_replace('-----BEGIN CERTIFICATE-----', "", $x509cert);
-            $x509cert = str_replace('-----END CERTIFICATE-----', "", $x509cert);
-            $x509cert = str_replace(' ', '', $x509cert);
-
-            if ($heads) {
-                $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n";
-            }
+         if (strpos($x509cert, '-----BEGIN CERTIFICATE-----') !== false) {
+             $x509cert = static::getStringBetween($x509cert, '-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----');
+         }
 
-        }
-        return $x509cert;
-    }
+         $x509cert = str_replace(array("\x0d", "\r", "\n", " "), '', $x509cert);
+
+         if ($heads && $x509cert !== '') {
+             $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n";
+         }
+
+         return $x509cert;
+     }
 
     /**
      * Returns a private key (adding header & footer if required).
@@ -300,6 +302,7 @@ public static function getStringBetween($str, $start, $end)
      * @param bool         $stay       True if we want to stay (returns the url string) False to redirect
      *
      * @return string|null $url
+     * @phpstan-return ($stay is true ? string : never)
      *
      * @throws OneLogin_Saml2_Error
      */
@@ -706,8 +709,14 @@ protected static function buildWithBaseURLPath($info)
         if (!empty($baseURLPath)) {
             $result = $baseURLPath;
             if (!empty($info)) {
-                $path = explode('/', $info);
-                $extractedInfo = array_pop($path);
+                $extractedInfo = $info;
+                if ($baseURLPath != '/') {
+                    // Remove base path from the path info.
+                    $extractedInfo = str_replace($baseURLPath, '', $info);
+                }
+
+                // Remove starting and ending slash.
+                $extractedInfo = trim($extractedInfo, '/');
                 if (!empty($extractedInfo)) {
                     $result .= $extractedInfo;
                 }
@@ -725,6 +734,10 @@ protected static function buildWithBaseURLPath($info)
      */
     public static function extractOriginalQueryParam($name)
     {
+        if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+            return '';
+        }
+
         $index = strpos($_SERVER['QUERY_STRING'], $name.'=');
         $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1);
         $end = strpos($substring, '&');
@@ -1506,12 +1519,41 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
         }
 
         if ($retrieveParametersFromServer) {
+            if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+                throw new OneLogin_Saml2_Error(
+                    "No query string provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+            $keys = array("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature");
+            foreach ($keys as $key) {
+                if (substr_count($_SERVER['QUERY_STRING'], $key) > 1) {
+                    throw new OneLogin_Saml2_Error(
+                        "Duplicate parameter in query string",
+                        OneLogin_Saml2_Error::INVALID_PARAMETER
+                    );
+                }
+            }
+            if (substr_count($_SERVER['QUERY_STRING'], "SAMLRequest") > 0 && substr_count($_SERVER['QUERY_STRING'], "SAMLResponse") > 0) {
+                throw new OneLogin_Saml2_Error(
+                    "Both SAMLRequest and SAMLResponse provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+
             $signedQuery = $messageType.'='.OneLogin_Saml2_Utils::extractOriginalQueryParam($messageType);
             if (isset($getData['RelayState'])) {
                 $signedQuery .= '&RelayState='.OneLogin_Saml2_Utils::extractOriginalQueryParam('RelayState');
             }
             $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
         } else {
+            if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) {
+                throw new OneLogin_Saml2_Error(
+                    "Both SAMLRequest and SAMLResponse provided",
+                    OneLogin_Saml2_Error::INVALID_PARAMETER
+                );
+            }
+
             $signedQuery = $messageType.'='.urlencode($getData[$messageType]);
             if (isset($getData['RelayState'])) {
                 $signedQuery .= '&RelayState='.urlencode($getData['RelayState']);
diff --git a/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd b/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd
index 8513959a..12ef3d42 100644
--- a/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd
+++ b/lib/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd
@@ -63,7 +63,7 @@
   <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType">
     <xs:annotation>
       <xs:documentation>
-        Refers to those characterstics that describe how the
+        Refers to those characteristics that describe how the
         'secret' (the knowledge or possession
         of which allows the Principal to authenticate to the
         Authentication Authority) is kept secure
@@ -429,7 +429,7 @@
     <xs:annotation>
       <xs:documentation>
         This element indicates that the Authenticator has been
-        transmitted using a transport mechnanism protected by an SSL or TLS
+        transmitted using a transport mechanism protected by an SSL or TLS
         session.
       </xs:documentation>
     </xs:annotation>
diff --git a/lib/Saml2/version.json b/lib/Saml2/version.json
index ac6f7011..52c3af78 100644
--- a/lib/Saml2/version.json
+++ b/lib/Saml2/version.json
@@ -1,6 +1,6 @@
 {
     "php-saml": {
-        "version": "2.19.1",
-        "released": "02/03/2021"
+        "version": "2.21.0",
+        "released": "25/05/2025"
     }
 }
diff --git a/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php b/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php
index d926ee38..675d86f3 100644
--- a/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php
+++ b/tests/ZendModStandard/Sniffs/Debug/CodeAnalyzerSniff.php
@@ -75,11 +75,11 @@ public function process(PHP_CodeSniffer_File $phpcsFile, $stackPtr)
 
         // There is the possibility to pass "--ide" as an option to the analyzer.
         // This would result in an output format which would be easier to parse.
-        // The problem here is that no cleartext error messages are returnwd; only
+        // The problem here is that no cleartext error messages are returned; only
         // error-code-labels. So for a start we go for cleartext output.
         $exitCode = exec($cmd, $output, $retval);
 
-        // $exitCode is the last line of $output if no error occures, on error it
+        // $exitCode is the last line of $output if no error occurs, on error it
         // is numeric. Try to handle various error conditions and provide useful
         // error reporting.
         if (is_numeric($exitCode) === true && $exitCode > 0) {
diff --git a/tests/ZendModStandard/ruleset.xml b/tests/ZendModStandard/ruleset.xml
index 80c14224..2a3eddc4 100644
--- a/tests/ZendModStandard/ruleset.xml
+++ b/tests/ZendModStandard/ruleset.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <ruleset name="ZendModStandard">
- <description>A coding standard based on an early Zend Framework coding standard. Note that this standard is out of date. And removed the line lenght limitation</description>
+ <description>A coding standard based on an early Zend Framework coding standard. Note that this standard is out of date. And removed the line length limitation</description>
 
  <!-- Include some sniffs from all around the place -->
  <rule ref="Generic.Functions.FunctionCallArgumentSpacing"/>
diff --git a/tests/certs/with.comment.crt b/tests/certs/with.comment.crt
new file mode 100644
index 00000000..ed0e9729
--- /dev/null
+++ b/tests/certs/with.comment.crt
@@ -0,0 +1,17 @@
+# certificate comments should be ignored
+-----BEGIN CERTIFICATE-----
+MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
+Tk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYD
+VQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG
+9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4
+MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xi
+ZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2Zl
+aWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5v
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LO
+NoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHIS
+KOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d
+1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8
+BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7n
+bK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2Qar
+Q4/67OZfHd7R+POBXhophSMv1ZOo
+-----END CERTIFICATE-----
diff --git a/tests/data/metadata/idp/idp_metadata_multi_certs.xml b/tests/data/metadata/idp/idp_metadata_multi_certs.xml
index f993f64a..90d36ff0 100644
--- a/tests/data/metadata/idp/idp_metadata_multi_certs.xml
+++ b/tests/data/metadata/idp/idp_metadata_multi_certs.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.examle.com/saml/metadata">
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml/metadata">
   <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -68,8 +68,8 @@ WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==</ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </KeyDescriptor>
-    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.examle.com/saml/slo"/>    
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>    
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.examle.com/saml/sso"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
   </IDPSSODescriptor>
-</EntityDescriptor>
\ No newline at end of file
+</EntityDescriptor>
diff --git a/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml b/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml
index 0cba257a..ef436f68 100644
--- a/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml
+++ b/tests/data/metadata/idp/idp_metadata_multi_signing_certs.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.examle.com/saml/metadata">
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml/metadata">
   <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -68,8 +68,8 @@ WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==</ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </KeyDescriptor>
-    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.examle.com/saml/slo"/>    
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>    
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.examle.com/saml/sso"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
   </IDPSSODescriptor>
 </EntityDescriptor>
diff --git a/tests/data/metadata/idp/metadata.xml b/tests/data/metadata/idp/metadata.xml
index c2ca6739..decf301e 100644
--- a/tests/data/metadata/idp/metadata.xml
+++ b/tests/data/metadata/idp/metadata.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.examle.com/saml/metadata">
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml/metadata">
   <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
@@ -68,8 +68,8 @@ WQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw==</ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </KeyDescriptor>
-    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.examle.com/saml/slo" ResponseLocation="https://idp.examle.com/saml/slr"/>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo" ResponseLocation="https://idp.example.com/saml/slr"/>
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
-    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.examle.com/saml/sso"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
   </IDPSSODescriptor>
-</EntityDescriptor>
\ No newline at end of file
+</EntityDescriptor>
diff --git a/tests/data/metadata/idp/shib_metadata.xml b/tests/data/metadata/idp/shib_metadata.xml
index 5196db56..c28814c3 100644
--- a/tests/data/metadata/idp/shib_metadata.xml
+++ b/tests/data/metadata/idp/shib_metadata.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?><!--
-===============================================================
-= Federation metadata containing only localy managed entities.=
-===============================================================
+=================================================================
+= Federation metadata containing only locally managed entities. =
+=================================================================
 
 TERMS OF USE:
 Membership is limited to organisations who are members of RCTSaai and who meet the  additional requirements of eduGAIN with respect to the following;
@@ -296,4 +296,4 @@ QZfzDc9Vmm18OJtspKB74+x7JkNv6iszqOH6gvzq4qvkRw==
    <md:EmailAddress>mailto:stv@fccn.pt</md:EmailAddress>
   </md:ContactPerson>
  </md:EntityDescriptor>
-</md:EntitiesDescriptor>
\ No newline at end of file
+</md:EntitiesDescriptor>
diff --git a/tests/data/responses/invalids/no_value_nameid.xml.base64 b/tests/data/responses/invalids/no_value_nameid.xml.base64
new file mode 100644
index 00000000..6213ba73
--- /dev/null
+++ b/tests/data/responses/invalids/no_value_nameid.xml.base64
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGQxODhjZWE0LWUyOWEtYTAwOC01ZmUxLTAwN2Q2MmJhN2E5NyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGQxODhjZWE0LWUyOWEtYTAwOC01ZmUxLTAwN2Q2MmJhN2E5NyI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+dUhibVBSRVBheWx5czEvWXR2Wi91a3hJNnFJPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5HaHJveEZZbnVhNFhXYkZYOHJ3ZlYxeWFpZDFnMHloTnA2KzVQOWFHU3dOcEJiMTZqYUFwSUFwbFBZYllPYVBEZm9uOUd0dUlGQm9sQXQyb3NKNEFQYjgvd2J5ZDNpQlRJM3l4NkVZRkRQamxxeE5lbER0bXFYam9RZnpwWUdpcjRBS3FOaDkyYi9tc1dzVFVFUUVUL3FRWlpMSjNqTFNMVzgxeHo4QXZLZmc9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeGEzNTI4ZGZiLTVlZTQtZTM2ZS0xMDQ5LWJhMmI2NTI2OWUyNCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIj48c2FtbDpJc3N1ZXI+aHR0cDovL2lkcC5leGFtcGxlLmNvbS88L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPg0KICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhhMzUyOGRmYi01ZWU0LWUzNmUtMTA0OS1iYTJiNjUyNjllMjQiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPms4THduYXpCMSthUUhBTDZUTSsxSXJDbDVFND08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+cnlxUGJENTQxNDdzQ2FkOHZHcFZsaGdSTXI1ZlVqWW1LR3IzekZBaVlFbFozSDA0ZXBOZzJzd3VTazBPbzI5ODhPeURNdmF6OGFyamN0VUtsZGd4cmhGdDRhTlJEYUhlNEx5OEw4djNIaHpPT3RxNXNyRmdRa0ZpL3lCNDVYVmlBZysydVhoT0tQME5yYU4yUStheGVPUUFvejJqbjBVa0ZDeHYvUnpSeXBZPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQo8ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDZ1RDQ0Flb0NDUUNiT2xyV0RkWDdGVEFOQmdrcWhraUc5dzBCQVFVRkFEQ0JoREVMTUFrR0ExVUVCaE1DVGs4eEdEQVdCZ05WQkFnVEQwRnVaSEpsWVhNZ1UyOXNZbVZ5WnpFTU1Bb0dBMVVFQnhNRFJtOXZNUkF3RGdZRFZRUUtFd2RWVGtsT1JWUlVNUmd3RmdZRFZRUURFdzltWldsa1pTNWxjbXhoYm1jdWJtOHhJVEFmQmdrcWhraUc5dzBCQ1FFV0VtRnVaSEpsWVhOQWRXNXBibVYwZEM1dWJ6QWVGdzB3TnpBMk1UVXhNakF4TXpWYUZ3MHdOekE0TVRReE1qQXhNelZhTUlHRU1Rc3dDUVlEVlFRR0V3Sk9UekVZTUJZR0ExVUVDQk1QUVc1a2NtVmhjeUJUYjJ4aVpYSm5NUXd3Q2dZRFZRUUhFd05HYjI4eEVEQU9CZ05WQkFvVEIxVk9TVTVGVkZReEdEQVdCZ05WQkFNVEQyWmxhV1JsTG1WeWJHRnVaeTV1YnpFaE1COEdDU3FHU0liM0RRRUpBUllTWVc1a2NtVmhjMEIxYm1sdVpYUjBMbTV2TUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FEaXZiaFI3UDUxNngvUzNCcUt4dXBRZTBMT05vbGl1cGlCT2VzQ08zU0hiRHJsMytxOUliZm5mbUUwNHJOdU1jUHNJeEIxNjFUZERwSWVzTENuN2M4YVBISVNLT3RQbEFlVFpTbmI4UUF1N2FSalpxMytQYnJQNXVXM1RjZkNHUHRLVHl0SE9nZS9PbEpibzA3OGRWaFhRMTRkMUVEd1hKVzFyUlh1VXQ0QzhRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkJRVUFBNEdCQUNEVmZwODZIT2JxWStlOEJVb1dROStWTVF4MUFTRG9oQmp3T3NnMld5a1VxUlhGK2RMZmNVSDlkV1I2M0N0WklLRkRiU3ROb21QblF6N25iSytvbnlnd0JzcFZFYm5IdVVpaFpxM1pVZG11bVFxQ3c0VXZzLzFVdnEzb3JPby9XSlZoVHl2TGdGVksyUWFyUTQvNjdPWmZIZDdSK1BPQlhob3BoU012MVpPbzwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIi8+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjk5My0wOC0yM1QwNjo1NzowMVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMi0xOVQwMTozNjozMVoiIE5vdE9uT3JBZnRlcj0iMjk5My0wOC0yM1QwNjo1NzowMVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cDovL3N0dWZmLmNvbS9lbmRwb2ludHMvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wMi0xOVQwMTozNzowMVoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjI5OTMtMDItMTlUMDk6Mzc6MDFaIiBTZXNzaW9uSW5kZXg9Il82MjczZDc3YjhjZGUwYzMzM2VjNzlkMjJhOWZhMDAwM2I5ZmUyZDc1Y2IiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+c21hcnRpbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zbWFydGluQHlhY28uZXM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iY24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPlNpeHRvMzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJzbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+TWFydGluMjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJlZHVQZXJzb25BZmZpbGlhdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5hZG1pbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==
diff --git a/tests/data/responses/invalids/not_before_failed.xml.base64 b/tests/data/responses/invalids/not_before_failed.xml.base64
index de62f5e4..fc102046 100644
--- a/tests/data/responses/invalids/not_before_failed.xml.base64
+++ b/tests/data/responses/invalids/not_before_failed.xml.base64
@@ -1 +1 @@
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGU0MjcxNTkzLTJiNzctOTE4ZS1hNTMxLTdmODljMjVjYTJlZiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6MDU6NDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9leGFtcGxlLmNvbS9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOX2FmM2Q0YTcxMGZjOGIzMDU4ODRiOTZkMDA5NGFiNjI4ODAyZjU2OTIiPjxzYW1sOklzc3Vlcj5odHRwczovL2V4YW1wbGUuY29tL3NpbXBsZXNhbWwvc2FtbDIvaWRwL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGU0MjcxNTkzLTJiNzctOTE4ZS1hNTMxLTdmODljMjVjYTJlZiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+eDJWa3BENml0ek5WRDh6cHhwZXZhRTU4cW4wPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5kc3R6cEdYcFFNL0hzdHU4TmFzWFJad2wxcjh6TC81TXlhbFhYS2xZUWZ3R2s3ZEE4S0Z5T1E1ajRneERFMFRjQmdwUVo0U0REOUl6SFNiOUNZTFFzR2lyVVVBTERNVUNjTHlXcndzQ01zUEpheVltRTJBUkdMc2IvTWIxK0FkaVZSTUhNL05NUVpoaTBFYnNqN2Nod1FRTWNuUXhiaG92a0g5cWVBdHp0UGc9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDdlNDhmZDc1LWNlMmItNjBlZC0yOWVlLWU3OTg0NmM5NTljNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6MDU6NDlaIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9leGFtcGxlLmNvbS9zaW1wbGVzYW1sL3NhbWwyL2lkcC9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPg0KPHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL2V4YW1wbGUuY29tL25ld29uZWxvZ2luL2RlbW8xL21ldGFkYXRhLnBocCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPjQ5Mjg4MjYxNWFjZjMxYzgwOTZiNjI3MjQ1ZDc2YWU1MzAzNmMwOTA8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjI5OTMtMDItMTlUMDE6MTA6NDlaIiBSZWNpcGllbnQ9Imh0dHBzOi8vZXhhbXBsZS5jb20vbmV3b25lbG9naW4vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl9hZjNkNGE3MTBmYzhiMzA1ODg0Yjk2ZDAwOTRhYjYyODgwMmY1NjkyIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjQtMDItMTlUMDE6MDU6MTlaIiBOb3RPbk9yQWZ0ZXI9IjI5OTMtMDItMTlUMDE6MTA6NDlaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vZXhhbXBsZS5jb20vbmV3b25lbG9naW4vZGVtbzEvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wMi0xOFQxOTo0MjoyMFoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjI5OTMtMDItMTlUMDk6MDU6NDlaIiBTZXNzaW9uSW5kZXg9Il8wZjRmMTg4ZGMxYmZkM2JmZWEzNmExNjM0YTc0NDE1ODNhZmMzYjM3ODEiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2VyQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2VyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2VyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmFkbWluPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGU0MjcxNTkzLTJiNzctOTE4ZS1hNTMxLTdmODljMjVjYTJlZiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6MDU6NDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9leGFtcGxlLmNvbS9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOX2FmM2Q0YTcxMGZjOGIzMDU4ODRiOTZkMDA5NGFiNjI4ODAyZjU2OTIiPjxzYW1sOklzc3Vlcj5odHRwczovL2V4YW1wbGUuY29tL3NpbXBsZXNhbWwvc2FtbDIvaWRwL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGU0MjcxNTkzLTJiNzctOTE4ZS1hNTMxLTdmODljMjVjYTJlZiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+eDJWa3BENml0ek5WRDh6cHhwZXZhRTU4cW4wPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5kc3R6cEdYcFFNL0hzdHU4TmFzWFJad2wxcjh6TC81TXlhbFhYS2xZUWZ3R2s3ZEE4S0Z5T1E1ajRneERFMFRjQmdwUVo0U0REOUl6SFNiOUNZTFFzR2lyVVVBTERNVUNjTHlXcndzQ01zUEpheVltRTJBUkdMc2IvTWIxK0FkaVZSTUhNL05NUVpoaTBFYnNqN2Nod1FRTWNuUXhiaG92a0g5cWVBdHp0UGc9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9InBmeDdlNDhmZDc1LWNlMmItNjBlZC0yOWVlLWU3OTg0NmM5NTljNiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6MDU6NDlaIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9leGFtcGxlLmNvbS9zaW1wbGVzYW1sL3NhbWwyL2lkcC9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPg0KPHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJodHRwczovL2V4YW1wbGUuY29tL25ld29uZWxvZ2luL2RlbW8xL21ldGFkYXRhLnBocCIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPjQ5Mjg4MjYxNWFjZjMxYzgwOTZiNjI3MjQ1ZDc2YWU1MzAzNmMwOTA8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBOb3RPbk9yQWZ0ZXI9IjI5OTMtMDItMTlUMDE6MTA6NDlaIiBSZWNpcGllbnQ9Imh0dHBzOi8vZXhhbXBsZS5jb20vbmV3b25lbG9naW4vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl9hZjNkNGE3MTBmYzhiMzA1ODg0Yjk2ZDAwOTRhYjYyODgwMmY1NjkyIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9zYW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjI5OTMtMDItMTlUMDE6MDU6MTlaIiBOb3RPbk9yQWZ0ZXI9IjI5OTMtMDItMTlUMDE6MTA6NDlaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vZXhhbXBsZS5jb20vbmV3b25lbG9naW4vZGVtbzEvbWV0YWRhdGEucGhwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wMi0xOFQxOTo0MjoyMFoiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjI5OTMtMDItMTlUMDk6MDU6NDlaIiBTZXNzaW9uSW5kZXg9Il8wZjRmMTg4ZGMxYmZkM2JmZWEzNmExNjM0YTc0NDE1ODNhZmMzYjM3ODEiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InVpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+dXNlcjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJtYWlsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2VyQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9InNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2VyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImVkdVBlcnNvbkFmZmlsaWF0aW9uIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj51c2VyPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmFkbWluPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
diff --git a/tests/data/responses/response_encrypted_nameid_encrypted_assertion2.xml.base64 b/tests/data/responses/response_encrypted_nameid_encrypted_assertion2.xml.base64
new file mode 100644
index 00000000..4325429c
--- /dev/null
+++ b/tests/data/responses/response_encrypted_nameid_encrypted_assertion2.xml.base64
@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeDczMzI1MzJjLWQ2MDUtZmVkOS0xNTk2LWVlYTM0YjkyNDY2NiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDczMzI1MzJjLWQ2MDUtZmVkOS0xNTk2LWVlYTM0YjkyNDY2NiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+SndSWVdySHdNQ1RKWHJGVXI0cTZRL0g1UWpFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5lOEZYb2xETlA3MnFlZkVrRzExdkkzMVVqTmx2bWdqeStweVROa1FHbVhsME52bHRaVHJFamswVlFYanJUZkhMVzFvNTE4cU5ubWU1Nzl5ZXFnMWJLQU0xd3BCcENodWtIdnlWaXg2c3UyanBZbWQ1NFQ2bXJuTXFpYnUzZ01OZU52U2ZMaHFJQlpBWnVrc3kwZk1YNUpqd3R6elh0ejNHTENYNWFKVCsvRFk9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjx4ZW5jOkVuY3J5cHRlZERhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiB4bWxuczpkc2lnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiBUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNFbGVtZW50Ij48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyIvPjxkc2lnOktleUluZm8geG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PHhlbmM6RW5jcnlwdGVkS2V5Pjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNyc2EtMV81Ii8+PHhlbmM6Q2lwaGVyRGF0YT48eGVuYzpDaXBoZXJWYWx1ZT5pSWUyWTlWZFlGTUZLaWd5bUlaU2xGZlZpa09rclNoeE5qUzV2VjVRNEZJSGdYczU3dDVUTjIxMlJlalFCTVkzVzdjV0NFV01RZzZ6NXFVS3QrNEhNZ0lsVVc3V2h2UytDeDBIK1QzczhHYkRycGQxeVU2SE93WVMwclpydkVqaW05WmtMY25FRlZIREpGYWpneUsxZGU1Y3c4S1NBa25hL1F0Mk1aRS9BOWM9PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9kc2lnOktleUluZm8+DQogICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+cHFpOGpRZ1o3YzMwSGVTbGt2M1hpY0JhRU03QkdJY3JqSEF3NkZ4NHpaMS9uTE9SSEtiZ1h2Rnh3REh3ZWljOXdibjZIZkFCalhtK2pBc1p4RnZxNmRHTmRZK2l5Y3VZaGN6QzlVUXYxTEpqclM4a1M1bkJnL2dQQy9WeEN1Vk1rRlVPekIxN0JUM0JaSy9zWjhoYWFjaXI4NlNFU2p1bytUVUJxQzkrc2czMnVGbEs0QnZ6RmJtT3NHMmFXcUo3WGVkODRleUNuV2R4Y3RpeW5ZbWh0MDlzUjRZaU1XWEw1elB2V3JmMXhZdnd5YlE0blVUTkJmditBZmoyMTNTYVJuN3p6bGdjOUtvUWNLWEVlTHFpMGZYb0ZjU2l4VXhDRGFURm54Y0tzNDlOeXl1ZmE5aUdHOE82WmpQUVFjVlVEVURTWVFJQWo3ZkxnZWhnUm1RRW5WUVR3WUFoK3JaWjEzMWc2VUNNcHlZRnlHWGx1TzlZa0NwQUpaTFp0NDk2M1FZREE5UE5KTjVvblhPRmZhVk4zc1hmUUlVaWVjcDdZK0FoNmlISjJBbUc3NnRLbWFqTk55d0VpRVRmWTRLVGVrU2J1RlY2YUo5NEpBcGVYa2RvWlZnajBURGZURHlUY20wTkpoTE1yWmpwOHpPd1g1ajd3MUY0SFJNM2tra1JhQmdRdUVTM2NER1QyaVMzbWNzQTM3S29IWnlFd0hrZHQ0azBuUHhmbHErZ2RlbUI1UkJMZGlEM3QySzdWZjJDOW5weTBIMFNUckR6dkM2TzJRNW5CeGxuU1IyNVd3bWxSaFIzaUhHaVBmOExkK1gwS1I2L1R2WDRzNHlyZDhraWtrK1NaM25GWGxiUEdWaXhxNzZsTnlQOXk4M0E2UE5GM05HL1RKRC81YVBFR1JXZzM1S05aN3ZiU3p6YTh2dXRHOVZUekJKQjBKdnlHbUtJTWlOeWNQbmxrSHFlOXdkTGVQeGw2b1o4UWlEdndzVVM0YjNmaFpwaDZVNE1oMi93TWJ2ZnE0WUIxd29QL0t2ako4eVdlV3FHa1EwbXdjVUNmbUxjTk5FUGpVbW5sOTVTTTlacWUzdldMTXpxaVNpSW5YaFFLUFpkbjV4WmxpRmRNU0kzWEM4L2hOSkI0aTQvRVJ6eXNVdEM3NzZsVkU4OTFmNnNoME9SWm9iR0FNU0J4TGc2bjB5QWZHVUJSU2ZuRDdpc3craWdrQWNxWHBqV0RZQ0diWFIrV2RUMHZaWGRqd3pxMjhReFZqcXhPYnVzWkxvZVBCcnI2bGdPd2NMcCtQSVN6VVlzcW9YSTJJdk1BVURjMGxUMldwNDlKdUwvcnU0Y0F1U0Zla1hRZ0tJcUM2anVGZkpueDBTazd4K2NHekcxK3FLQ1ArSHF0Z01IMkdBUUFOMExJTU9YM08xQ3hYVE5CNGd2K3gvWk5RdFNVZy83dG5KL3BCTEZWMzVSNEp6RFlxWllVVkk4NTRYQ2thZ0dFZ1NyZXNDQWRVc1BQbHFjbGRibCtqMzl2Z0tDN3V4dWtXaXErRzhCYkY2WUdtWVNGQThPa1kwMmFrSjJLMnkrYlppOTc2eE9ucERQWGhLT083eHhUMDEzUTN0VG56b1JaTkRHM0lhekVHblpBY2UrTlNDNDNzVFA0dHZpK0Nyay9sd1IwOEVRVDlOUDZUZ3BxNXpKeEViZEVJUXpoTDVsMDRRSjNKSGdnamV1QkljOXE2Ylp5SXdyc1AxVHQ2M0p6cHdERkxBRzRNRVhHM3VXSzVZTE9QN0l3SjZLcDZFK3poYVpqYUZJWTVKcUkvdi9FdjFUL3pLZ3hOUW9heGNZSDhBRTQwTFJYQWErVk8valU1dk5kdGF2SEFBUDQrU1ppTEtSUjlGYnhXencxd2owR1FLcWRZU2t6bU1QSFFBQU5hS04rdmhwRjZ3VnZFVnZkU0JXc0xKZnVtZi9COHhKbzZZWk5seUpSbUlyTURBTUNxdG5TYlNwbTZnSlJheHhML2Uyc29QbDZ2VXdwZ3N2OEkxbUljS1lmTHRlakt3VjRXREd5amYybHZvK29SdHhyTU9SNE5xNWNwRHBONkRHNlcxN2FqazhzN2ZFR0JPN1cxcFh6MVlXN1Y2TjgvaTV6M05kWExOcjkreExrWVN6a0NTR0tSb2hJQk9iRnIxK3VlbURpajVmZEhkZXpWbTY5aVdQZUR2aDJvK3JaS0NGOVl6Z0tIeGVrK1hmZUxiamVHREZNejBlNk5GZk03bW1lV1JZUzFNc25uK3pQNnI2cHQ3K1dReUYwZjhja2k1anhIM1BrU3B2eXNDK0NlUGFIRThodmVBM3J6Y1UrZ1NlU0FQWFFHY1hCK09GNzkyQThYU21JK2RhbzcxbU4wS2RCVUdGS1N0K2RlMnAzZFRIQTM4YW91VkU2d1Z0UXd1cVFmSmFzd2JjVmNTQU5WVkhiTWxQM0F1aVAxTWdmREFMNDBDU1N1Tjk5WGR2a1ZKMXNMODJhZDlkL1N3SDN6OHMremdIdDZCZTNFWS9aVEYvcjRXVG9kSVArK1JCcm50aEp6RGZwdkhjdmdGZmtuUTJoKzZMVTVwMXhvb21aeU1wUEtOZmdSL01lTk9vd3FrdkZxM2dDSFp0SlJ1QTVMaGVKb3g0ZXI4OXRFQks0Tll2eHp1RnhkaVM5UWRpSERBT1hWWjA3bXBtM1cxUkpybkE1anBNdjBzRHVOUFkvbStlakYwc2N3a3lmNFVjRU9DdjFnTTF2akYreWRPcVM1Y0MybFBEK1JCWll2L05QU3A2WSttMWFCbUVYS3ZuMEU1cE9QSXZ3QlNjSEVjVy9qaFhPcUpsYjNmc2FOOEpWemNUTWliRWlPdjltM3FaMUhyL3luOTN4REZLN1ZnQmg1aHJSNWhHY1M4MEwwMUpMY0JpcklLMGZPWW5GckJSNzhabjhRUW44OGNtMGMxdFE1SkhnenQ1bnVLNTUwWi9tM0hpMldNaDV3bDF6Sno1TkV2TkR3aHpybU94bHNVNEZDN2gzUDQySFV3aFdHZHBndys2Zzc1T1BJbGppc3hwa3N4WmxRYTIveWU1bGd4YWZRYzNaN1RwanpLQ2VMb2Q5Z0RRb20wT2RqNlM1VkZxTGNZaXFqMzRWUjRNRFplRW41TUFpU1BZVW5rQUk4TWtHMVZIT3VhaWJlVXZjVlBtVXRIMmZIcUhUU3BybFVzT3hDUVM3bWxqQUdvYkRyM3RBZEpxY2ZkblBrTVZlU0V2dDBzL1JOZC9jMTY1dnd3cENXV2czdkFmL2NWeEZYRmhQRldhcGpqNW1ub1JveTJIZzh2dmZKaTlIclpiSXhic2g5V1crR2VwZnpCWXhRL0l2RWI5QzQ0NFlreUJGWEF2c3lXaGVxL3J0TVhiTklJMmo0UkF2WEEyc0xkZTZ1cmVSUytmdVBwdHRURlpqd0FtSS9wT3BpSC9nWFVOcVZmbnRMcWV4ZkJWN2dmM0xNMGRHcE5CM1RIU24wMlIrSjVyOGtJMFE2M2JJTmNDMjhrUExDUUhCNk8zUU5OODVFZHlVa0F3TVhOSG45anFwUy9VSVZjdnp5alFBempYTngwd2Y4MUJRS1N1R0p4WS9JdzB0bW8yell3ZitWaWpzKy9iK1Z5NHVxZy92ckhqT0U2V041SllET3dkTnJBVDNIRTNlbHZReXRsazgwZXdCRERoL1QzYm50K0FqS2JtUHExclVzd21lcjJ3MG9aZHErRnpEc1VtclBZaS81UGtqbURMbWd4Rkp5R04weHpBbldwdjI1M2pwa1NCdW5xT3RYRjYrSTJ5aldNaFlHQ3hoN25kR3M5QXI3eHVkSlBNQWp6YVNEbzNYbFNtQXNnbFkxRGsvek50emxrZGMwTjRteVZGaGdDb1ozekIyNmZOVGsyM3RGOWJTSFBuYk44NFpaV05VdWs2MFUwU1BiY2pZUHI2U0tNTnEzOGtCTjVsRFUybTNXQ2owM0gyU29tOFNtWFlGdG9FcGZSb2ZKajltWmUvQUplMktxR3FOSE9RSFU1UldzU2JrWE1IM3VNOTJjU3ZjTmNYMGtuclNudUVFUGVpOEZXS2FnVFJTVm8rdzhEY3p4OVY2Q2JCemFkWWR5c0pFQ3Zrb0lEZ0xRQmJyWFhvVEMzT1FEaUxVdkVDbFBlSU1EMzhLREhxTEplOFVUSS9QSW9ONTFMTTZJVVVvOGJmUTJuTklWMGttZ1gwK1E0SW41UEhPMFlwaEh0OWR5WXVaV3I0cE9wZmVjR1RTRFB4TldxV2xvWVAreFFMWDkwRW5LNm1wTjVYTDFIQ0VqaUxFNjBUcXJsZUFLcmNhSnNzaDdSb3o5cVFWS2syRjcxQ2FLcGhQNkdaR09EZzhlelpFbXhGblVDc29USGREU2M4YzdULzV6UzA2eEZSSVcwSVRiMnJHWmppdnhYU0JjZ3BRSFNBZlZDWUtmVzVBREhWL1FoZVNNWDdtZGtBZ0YvbVZxUldvVGZRcGdsZFUxZUYrT0RTeUdoN083US9MTUh2Y3BxTzdXREpha2pXdjZaa0xMWFpvd3lJRUY3cDlEVmZhQ2ord1h4UWR0TFg4eHlKSFJZTHRybnRBZDNsODArYnlVYmw0SEdtVkNqTkVMMm5Xa1hzQ1Y3eUVsV0xLM2N1ek1MR1FDTWtOZFl0NHRlVHJOYkFOaWpScFVxelBrUExsVGdHanRvUGxzVnh1TkRXUFN1T1FBb2dzdUlYN01Db0wydmFITTB3MERTcjQwdnd6WXNzV2ZWN1FBSGIramVPQ2VwUWtTdWQzckwrcUF6VXZrcUQ3VVFBNUFZQWtMM1ppbVJvRFZCWVlUeDF5RFZOQXEyT1pySzBiUG5FclNGU2ozOG1FNmFwS3V4YWVHWHR0S2NkYVJDWUd5UCtXZit3TnU3alkwZEw1WTYreThjajNRMlZPamY4bytmamo3alZLaDRNc0RSbUtUd0R2VHR1VERma1hsMmZPOXBtemNMQmtWbWxDSzAxczJBcnJ3ck9CUnJmbE0veGNIMm9HUkRyTzNnSU9WK3JhMWNWSzdPNDlGNjdmbytuSm5ZV0s5Qno2aG90Ri9lMXEvdVVSU3d4L1lDN2Y4MGlqa21ieVpSZFk5MkxHM0RZMGFIOGNpS3pIK3hzMmkweld6RWpLWkdPaFREU1pjdWNnZWJuUi8xR0JlRy84RXVEYksxcWppSGhoaGErNVV3QmNwaW9JMFhORXJiTUVOSnZVdEpYcEtmd3FiUXg5MnZuUDJVY1plSUJ5WWE0YS9OUVEySWYrYXlGTFZpdEJiL1FNOGF4dUJyODBUbnIzZzUxVjYwQWRBUUZ3T1Q0K3Zkc0V5UnlzenN5bGgrckhlaEp1RHdncWJIMVBIODIyOVVaWWFqYjBpbEhSZUlKV1gxY0NFaTBzTVhEdTJJT2hCbXpOMzBhRFZSUkdNNHZKdU1ueEhYak1FQ2pvTjhkQUNQSnN2aTdNc0JqMHRkNjdKRDVxRVJjUkZBdk14QkF2Z1VmUmxXQUFtNXdzTUFmSGx0OFV6bkcyTGxXWEczQjcxYkoyUWhrbUpZendiemVjYzRiQ1dPQzBTalhIL3QvSTU5SHd0WlBFVHpITE9XOVpBMk1ZalVYRHpGc2xFbW5sdm9RT0EvcVlMT2dVY05ZVStDWDE0T3BCbjMzSHZEczZTeVBpb0VLdEJlTHp5Q21EWGgrdHlKWTUwZ1ppVVA2d3ovL04wdDBtM1JTTWtFcWVCYU1taWxGZjhIakdja1RXT2RQd1hqUjQvWmU0RUJ2ZG9aTzF0QjQvNHA0SSt2aTFzWTR3Y1JVZFlvbW54bWVaaG9RdnF0UFZmTTdtM1ZVaVM2Yktqd1Jpd2Y4PC94ZW5jOkNpcGhlclZhbHVlPg0KICAgPC94ZW5jOkNpcGhlckRhdGE+DQo8L3hlbmM6RW5jcnlwdGVkRGF0YT48L3NhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+
diff --git a/tests/src/OneLogin/Saml2/AuthTest.php b/tests/src/OneLogin/Saml2/AuthTest.php
index 908a7994..8d690e7e 100644
--- a/tests/src/OneLogin/Saml2/AuthTest.php
+++ b/tests/src/OneLogin/Saml2/AuthTest.php
@@ -39,6 +39,35 @@ public function testGetSettings()
         $this->assertEquals($authSettings, $settings);
     }
 
+    /**
+     * Tests the use of the spValidationOnly at OneLogin_Saml2_Auth
+     *
+     * @covers OneLogin_Saml2_Auth
+     */
+    public function testSpValidateOnly()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings2.php';
+        unset($settingsInfo['idp']);
+
+        $auth = new OneLogin_Saml2_Auth($settingsInfo, true);
+        $this->assertEmpty($auth->getErrors());
+
+        try {
+            $auth2 = new OneLogin_Saml2_Auth($settingsInfo, false);
+            $this->fail('Error was not raised');
+        } catch (OneLogin_Saml2_Error $e) {
+            $this->assertContains('idp_not_found', $e->getMessage());
+        }
+
+        try {
+            $auth3 = new OneLogin_Saml2_Auth($settingsInfo);
+            $this->fail('Error was not raised');
+        } catch (OneLogin_Saml2_Error $e) {
+            $this->assertContains('idp_not_found', $e->getMessage());
+        }
+    }
+
     /**
     * Tests the getLastRequestID method of the OneLogin_Saml2_Auth class
     *
@@ -351,7 +380,7 @@ public function testGetAttributes()
     /**
     * Tests the redirectTo method of the OneLogin_Saml2_Auth class
     * (phpunit raises an exception when a redirect is executed, the
-    * exception is catched and we check that the targetURL is correct)
+    * exception is caught and we check that the targetURL is correct)
     * Case redirect without url parameter
     *
     * @covers OneLogin_Saml2_Auth::redirectTo
@@ -378,7 +407,7 @@ public function testRedirectTo()
     /**
     * Tests the redirectTo method of the OneLogin_Saml2_Auth class
     * (phpunit raises an exception when a redirect is executed, the
-    * exception is catched and we check that the targetURL is correct)
+    * exception is caught and we check that the targetURL is correct)
     * Case redirect with url parameter
     *
     * @covers OneLogin_Saml2_Auth::redirectTo
@@ -447,7 +476,7 @@ public function testProcessSLOResponseInvalid()
 
     /**
     * Tests the processSLO method of the OneLogin_Saml2_Auth class
-    * Case Logout Response not sucess
+    * Case Logout Response not success
     *
     * @covers OneLogin_Saml2_Auth::processSLO
     */
@@ -817,22 +846,16 @@ public function testProcessSLORequestRelayState()
         $_GET['SAMLRequest'] = $message;
         $_GET['RelayState'] = 'http://relaystate.com/';
 
-        try {
-            $this->_auth->setStrict(true);
-            $this->_auth->processSLO(false);
-            $this->assertFalse(true);
-        } catch (Exception $e) {
-            $this->assertContains('Cannot modify header information', $e->getMessage());
-            $trace = $e->getTrace();
-            $targetUrl = getUrlFromRedirect($trace);
-            $parsedQuery = getParamsFromUrl($targetUrl);
+        $this->_auth->setStrict(true);
+        $targetUrl = $this->_auth->processSLO(false, null, false, null, true);
 
-            $sloUrl = $this->_settingsInfo['idp']['singleLogoutService']['url'];
-            $this->assertContains($sloUrl, $targetUrl);
-            $this->assertArrayHasKey('SAMLResponse', $parsedQuery);
-            $this->assertArrayHasKey('RelayState', $parsedQuery);
-            $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']);
-        }
+        $parsedQuery = getParamsFromUrl($targetUrl);
+
+        $sloResponseUrl = $this->_settingsInfo['idp']['singleLogoutService']['responseUrl'];
+        $this->assertContains($sloResponseUrl, $targetUrl);
+        $this->assertArrayHasKey('SAMLResponse', $parsedQuery);
+        $this->assertArrayHasKey('RelayState', $parsedQuery);
+        $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']);
     }
 
     /**
@@ -860,28 +883,22 @@ public function testProcessSLORequestSignedResponse()
         $plainMessage = str_replace('http://stuff.com/endpoints/endpoints/sls.php', $currentURL, $plainMessage);
         $message = base64_encode(gzdeflate($plainMessage));
 
+        unset($_GET['SAMLResponse']);
         $_GET['SAMLRequest'] = $message;
         $_GET['RelayState'] = 'http://relaystate.com/';
 
-        try {
-            $auth->setStrict(true);
-            $auth->processSLO(false);
-            $this->assertFalse(true);
-        } catch (Exception $e) {
-            $this->assertContains('Cannot modify header information', $e->getMessage());
-            $trace = $e->getTrace();
-            $targetUrl = getUrlFromRedirect($trace);
-            $parsedQuery = getParamsFromUrl($targetUrl);
-
-            $sloUrl = $settingsInfo['idp']['singleLogoutService']['url'];
-            $this->assertContains($sloUrl, $targetUrl);
-            $this->assertArrayHasKey('SAMLResponse', $parsedQuery);
-            $this->assertArrayHasKey('RelayState', $parsedQuery);
-            $this->assertArrayHasKey('SigAlg', $parsedQuery);
-            $this->assertArrayHasKey('Signature', $parsedQuery);
-            $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']);
-            $this->assertEquals(XMLSecurityKey::RSA_SHA1, $parsedQuery['SigAlg']);
-        }
+        $auth->setStrict(true);
+        $targetUrl = $auth->processSLO(false, null, false, null, true);
+        $parsedQuery = getParamsFromUrl($targetUrl);
+
+        $sloUrl = $settingsInfo['idp']['singleLogoutService']['responseUrl'];
+        $this->assertContains($sloUrl, $targetUrl);
+        $this->assertArrayHasKey('SAMLResponse', $parsedQuery);
+        $this->assertArrayHasKey('RelayState', $parsedQuery);
+        $this->assertArrayHasKey('SigAlg', $parsedQuery);
+        $this->assertArrayHasKey('Signature', $parsedQuery);
+        $this->assertEquals('http://relaystate.com/', $parsedQuery['RelayState']);
+        $this->assertEquals(XMLSecurityKey::RSA_SHA1, $parsedQuery['SigAlg']);
     }
 
     /**
diff --git a/tests/src/OneLogin/Saml2/IdPMetadataParserTest.php b/tests/src/OneLogin/Saml2/IdPMetadataParserTest.php
index 797b5c75..9e2e4546 100644
--- a/tests/src/OneLogin/Saml2/IdPMetadataParserTest.php
+++ b/tests/src/OneLogin/Saml2/IdPMetadataParserTest.php
@@ -63,14 +63,14 @@ public function testParseXML()
     {
         $expectedInfo = array (
             'idp' => array (
-                'entityId' => 'https://idp.examle.com/saml/metadata',
+                'entityId' => 'https://idp.example.com/saml/metadata',
                 'singleSignOnService' => array (
-                    'url' => 'https://idp.examle.com/saml/sso',
+                    'url' => 'https://idp.example.com/saml/sso',
                     'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                 ),
                 'singleLogoutService' => array (
-                    'url' => 'https://idp.examle.com/saml/slo',
-                    'responseUrl' => 'https://idp.examle.com/saml/slr',
+                    'url' => 'https://idp.example.com/saml/slo',
+                    'responseUrl' => 'https://idp.example.com/saml/slr',
                     'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                 ),
                 'x509certMulti' => array (
@@ -297,7 +297,7 @@ public function testParseMultiCerts()
             ),
             "idp" => array(
                 "singleLogoutService" => array(
-                    "url" => "https://idp.examle.com/saml/slo",
+                    "url" => "https://idp.example.com/saml/slo",
                     "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                 ),
                 "x509certMulti" => array(
@@ -309,9 +309,9 @@ public function testParseMultiCerts()
                         "MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEUMBIGA1UECAwLZXhhbXBsZS5jb20xFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xNzA0MTUxNjMzMThaFw0xODA0MTUxNjMzMThaME8xCzAJBgNVBAYTAnVzMRQwEgYDVQQIDAtleGFtcGxlLmNvbTEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6GLkl5lDUZdHNDAojp5i24OoPlqrt5TGXJIPqAZYT1hQvJW5nv17MFDHrjmtEnmW4ACKEy0fAX80QWIcHunZSkbEGHb+NG/6oTi5RipXMvmHnfFnPJJ0AdtiLiPE478CV856gXekV4Xx5u3KrylcOgkpYsp0GMIQBDzleMUXlYQIDAQABo1AwTjAdBgNVHQ4EFgQUnP8vlYPGPL2n6ZzDYij2kMDC8wMwHwYDVR0jBBgwFoAUnP8vlYPGPL2n6ZzDYij2kMDC8wMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQAlQGAl+b8Cpot1g+65lLLjVoY7APJPWLW0klKQNlMU0s4MU+71Y3ExUEOXDAZgKcFoavb1fEOGMwEf38NaJAy1e/l6VNuixXShffq20ymqHQxOG0q8ujeNkgZF9k6XDfn/QZ3AD0o/IrCT7UMc/0QsfgIjWYxwCvp2syApc5CYfQ=="
                     )
                 ),
-                "entityId" => "https://idp.examle.com/saml/metadata",
+                "entityId" => "https://idp.example.com/saml/metadata",
                 "singleSignOnService" => array(
-                    "url" => "https://idp.examle.com/saml/sso",
+                    "url" => "https://idp.example.com/saml/sso",
                     "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                 )
             )
@@ -336,7 +336,7 @@ public function testParseMultiSigningCerts()
             ),
             "idp" => array(
                 "singleLogoutService" => array(
-                    "url" => "https://idp.examle.com/saml/slo",
+                    "url" => "https://idp.example.com/saml/slo",
                     "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                 ),
                 "x509certMulti" => array(
@@ -346,9 +346,9 @@ public function testParseMultiSigningCerts()
                         "MIIEZTCCA02gAwIBAgIUPyy/A3bZAZ4m28PzEUUoT7RJhxIwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMxKzApBgNVBAoMIk9uZUxvZ2luIFRlc3QgKHNnYXJjaWEtdXMtcHJlcHJvZCkxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEfMB0GA1UEAwwWT25lTG9naW4gQWNjb3VudCA4OTE0NjAeFw0xNjA4MDQyMjI5MzdaFw0yMTA4MDUyMjI5MzdaMHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDN6iqQGcLOCglNO42I2rkzE05UXSiMXT6c8ALThMMiaDw6qqzo3sd/tKK+NcNKWLIIC8TozWVyh5ykUiVZps+08xil7VsTU7E+wKu3kvmOsvw2wlRwtnoKZJwYhnr+RkBa+h1r3ZYUgXm1ZPeHMKj1g18KaWz9+MxYL6BhKqrOzfW/P2xxVRcFH7/pq+ZsDdgNzD2GD+apzY4MZyZj/N6BpBWJ0GlFsmtBegpbX3LBitJuFkk5L4/U/jjF1AJa3boBdCUVfATqO5G03H4XS1GySjBIRQXmlUF52rLjg6xCgWJ30/+t1X+IHLJeixiQ0vxyh6C4/usCEt94cgD1r8ADAgMBAAGjgfIwge8wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUPW0DcH0G3IwynWgi74co4wZ6n7gwga8GA1UdIwSBpzCBpIAUPW0DcH0G3IwynWgi74co4wZ6n7ihdqR0MHIxCzAJBgNVBAYTAlVTMSswKQYDVQQKDCJPbmVMb2dpbiBUZXN0IChzZ2FyY2lhLXVzLXByZXByb2QpMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgODkxNDaCFD8svwN22QGeJtvD8xFFKE+0SYcSMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAQhB4q9jrycwbHrDSoYR1X4LFFzvJ9Us75wQquRHXpdyS9D6HUBXMGI6ahPicXCQrfLgN8vzMIiqZqfySXXv/8/dxe/X4UsWLYKYJHDJmxXD5EmWTa65chjkeP1oJAc8f3CKCpcP2lOBTthbnk2fEVAeLHR4xNdQO0VvGXWO9BliYPpkYqUIBvlm+Fg9mF7AM/Uagq2503XXIE1Lq//HON68P10vNMwLSKOtYLsoTiCnuIKGJqG37MsZVjQ1ZPRcO+LSLkq0i91gFxrOrVCrgztX4JQi5XkvEsYZGIXXjwHqxTVyt3adZWQO0LPxPqRiUqUzyhDhLo/xXNrHCu4VbMw=="
                     )
                 ),
-                "entityId" => "https://idp.examle.com/saml/metadata",
+                "entityId" => "https://idp.example.com/saml/metadata",
                 "singleSignOnService" => array(
-                    "url" => "https://idp.examle.com/saml/sso",
+                    "url" => "https://idp.example.com/saml/sso",
                     "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                 )
             )
diff --git a/tests/src/OneLogin/Saml2/MetadataTest.php b/tests/src/OneLogin/Saml2/MetadataTest.php
index c6a8e6d1..5ce3e471 100644
--- a/tests/src/OneLogin/Saml2/MetadataTest.php
+++ b/tests/src/OneLogin/Saml2/MetadataTest.php
@@ -41,6 +41,7 @@ public function testBuilder()
         $this->assertContains('<md:OrganizationName xml:lang="en-US">sp_test</md:OrganizationName>', $metadata);
         $this->assertContains('<md:ContactPerson contactType="technical">', $metadata);
         $this->assertContains('<md:GivenName>technical_name</md:GivenName>', $metadata);
+        $this->assertContains('validUntil', $metadata);
 
         $security['authnRequestsSigned'] = true;
         $security['wantAssertionsSigned'] = true;
@@ -55,6 +56,9 @@ public function testBuilder()
 
         $this->assertNotContains('<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"', $metadata2);
         $this->assertNotContains(' Location="http://stuff.com/endpoints/endpoints/sls.php"/>', $metadata2);
+
+        $metadata3 = OneLogin_Saml2_Metadata::builder($spData, $security['authnRequestsSigned'], $security['wantAssertionsSigned'], null, null, $contacts, $organization, array(), true);
+        $this->assertNotContains('validUntil=', $metadata3);
     }
 
     /**
diff --git a/tests/src/OneLogin/Saml2/ResponseTest.php b/tests/src/OneLogin/Saml2/ResponseTest.php
index 8c63e055..26c81388 100644
--- a/tests/src/OneLogin/Saml2/ResponseTest.php
+++ b/tests/src/OneLogin/Saml2/ResponseTest.php
@@ -405,6 +405,71 @@ public function testGetNameIdData()
         } catch (OneLogin_Saml2_ValidationError $e) {
             $this->assertContains('An empty NameID value found', $e->getMessage());
         }
+
+        $xml7 = file_get_contents(TEST_ROOT . '/data/responses/invalids/no_value_nameid.xml.base64');
+        $response11 = new OneLogin_Saml2_Response($this->_settings, $xml7);
+        $nameIdData12 = $response11->getNameIdData();
+        $expectedNameIdData10 = array(
+            'Value' => "",
+            'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        );
+        $this->assertEquals($expectedNameIdData10, $nameIdData12);
+
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settingsInfo['strict'] = true;
+        $settingsInfo['security']['wantNameId'] = true;
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $response12 = new OneLogin_Saml2_Response($settings, $xml7);
+
+        try {
+            $nameIdData13 = $response12->getNameIdData();
+            $this->fail('OneLogin_Saml2_ValidationError was not raised');
+        } catch (OneLogin_Saml2_ValidationError $e) {
+            $this->assertContains('An empty NameID value found', $e->getMessage());
+        }
+
+        $settingsInfo['security']['wantNameId'] = false;
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $response13 = new OneLogin_Saml2_Response($settings, $xml7);
+
+        $nameIdData14 = $response13->getNameIdData();
+
+        $expectedNameIdData11 = array(
+            'Value' => "",
+            'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        );
+        $this->assertEquals($expectedNameIdData11, $nameIdData14);
+
+        $settingsInfo['strict'] = false;
+        $settingsInfo['security']['wantNameId'] = true;
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $response14 = new OneLogin_Saml2_Response($settings, $xml7);
+
+        $nameIdData15 = $response14->getNameIdData();
+
+        $expectedNameIdData12 = array(
+            'Value' => "",
+            'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        );
+        $this->assertEquals($expectedNameIdData12, $nameIdData15);
+
+        $settingsInfo['security']['wantNameId'] = false;
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $response15 = new OneLogin_Saml2_Response($settings, $xml7);
+
+        $nameIdData16 = $response15->getNameIdData();
+
+        $expectedNameIdData13 = array(
+            'Value' => "",
+            'Format' => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        );
+        $this->assertEquals($expectedNameIdData13, $nameIdData16);
     }
 
     /**
@@ -1257,7 +1322,7 @@ public function testIsInValidSubjectConfirmation()
     }
 
 /**
-    * Somtimes IdPs uses datetimes with miliseconds, this
+    * Sometimes IdPs uses datetimes with milliseconds, this
     * test is to verify that the toolkit supports them
     * @covers OneLogin_Saml2_Response::isValid
     */
@@ -1748,4 +1813,12 @@ public function testIsValidSignUsingX509certMulti()
         $response = new OneLogin_Saml2_Response($settings, $xml);
         $this->assertTrue($response->isValid());
     }
+
+    public function testCanGetEncryptedNameIdInEncryptedAssertion()
+    {
+        $xml = file_get_contents(TEST_ROOT . '/data/responses/response_encrypted_nameid_encrypted_assertion2.xml.base64');
+        $response = new OneLogin_Saml2_Response($this->_settings, $xml);
+        $this->assertTrue($response->isValid());
+        $this->assertEquals('492882615acf31c8096b627245d76ae53036c090', $response->getNameId());
+    }
 }
diff --git a/tests/src/OneLogin/Saml2/SettingsTest.php b/tests/src/OneLogin/Saml2/SettingsTest.php
index be03fe76..6bd160e5 100644
--- a/tests/src/OneLogin/Saml2/SettingsTest.php
+++ b/tests/src/OneLogin/Saml2/SettingsTest.php
@@ -74,6 +74,35 @@ public function testLoadSettingsFromFile()
         $this->assertEmpty($settings->getErrors());
     }
 
+    /**
+     * Tests the use of the spValidationOnly at OneLogin_Saml2_Settings
+     *
+     * @covers OneLogin_Saml2_Settings
+     */
+    public function testSpValidateOnly()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings2.php';
+        unset($settingsInfo['idp']);
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo, true);
+        $this->assertEmpty($settings->getErrors());
+
+        try {
+            $settings2 = new OneLogin_Saml2_Settings($settingsInfo, false);
+            $this->fail('Error was not raised');
+        } catch (OneLogin_Saml2_Error $e) {
+            $this->assertContains('idp_not_found', $e->getMessage());
+        }
+
+        try {
+            $settings3 = new OneLogin_Saml2_Settings($settingsInfo);
+            $this->fail('Error was not raised');
+        } catch (OneLogin_Saml2_Error $e) {
+            $this->assertContains('idp_not_found', $e->getMessage());
+        }
+    }
+
     /**
     * Tests getCertPath method of the OneLogin_Saml2_Settings
     *
@@ -404,7 +433,7 @@ public function testCheckSettings()
             $this->fail('OneLogin_Saml2_Error was not raised');
         } catch (OneLogin_Saml2_Error $e) {
             $this->assertContains('sp_signMetadata_invalid', $e->getMessage());
-            $this->assertContains('organization_not_enought_data', $e->getMessage());
+            $this->assertContains('organization_not_enough_data', $e->getMessage());
             $this->assertContains('contact_type_invalid', $e->getMessage());
         }
 
@@ -414,7 +443,7 @@ public function testCheckSettings()
             $this->fail('Error was not raised');
         } catch (OneLogin_Saml2_Error $e) {
             $this->assertContains('sp_signMetadata_invalid', $e->getMessage());
-            $this->assertContains('organization_not_enought_data', $e->getMessage());
+            $this->assertContains('organization_not_enough_data', $e->getMessage());
             $this->assertContains('contact_type_invalid', $e->getMessage());
         }
     }
diff --git a/tests/src/OneLogin/Saml2/UtilsTest.php b/tests/src/OneLogin/Saml2/UtilsTest.php
index c3226c36..9e9f803f 100644
--- a/tests/src/OneLogin/Saml2/UtilsTest.php
+++ b/tests/src/OneLogin/Saml2/UtilsTest.php
@@ -46,7 +46,7 @@ public function testLoadXML()
         try {
             $res1 = OneLogin_Saml2_Utils::loadXML($dom, $metadataUnloaded);
             $this->assertFalse($res1);
-        } catch (Exception $e) {
+        } catch (\Exception $e) {
           $this->assertEquals('DOMDocument::loadXML(): Premature end of data in tag EntityDescriptor line 1 in Entity, line: 1', $e->getMessage());
         }
 
@@ -206,6 +206,11 @@ public function testFormatCert()
         $this->assertNotContains('-----END CERTIFICATE-----', $formatedCert6);
         $this->assertEquals(strlen($cert2), 860);
 
+        $cert = file_get_contents(TEST_ROOT.'/certs/with.comment.crt');
+        $formatedCert7 = OneLogin_Saml2_Utils::formatCert($cert, true);
+        $this->assertContains('-----BEGIN CERTIFICATE-----', $formatedCert7);
+        $this->assertContains('-----END CERTIFICATE-----', $formatedCert7);
+        $this->assertNotContains('comments', $formatedCert7);
     }
 
     /**
@@ -443,6 +448,9 @@ public function testSetBaseURLPath()
     {
         $this->assertNull(OneLogin_Saml2_Utils::getBaseURLPath());
 
+        OneLogin_Saml2_Utils::setBaseURLPath('/');
+        $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
+
         OneLogin_Saml2_Utils::setBaseURLPath('sp');
         $this->assertEquals('/sp/', OneLogin_Saml2_Utils::getBaseURLPath());
 
@@ -456,6 +464,25 @@ public function testSetBaseURLPath()
         $this->assertEquals('/sp/', OneLogin_Saml2_Utils::getBaseURLPath());
     }
 
+    /**
+     * @covers OneLogin_Saml2_Utils::setBaseURLPath
+     */
+    public function testSetBaseURLPath2()
+    {
+        $_SERVER['HTTP_HOST'] = 'sp.example.com';
+        $_SERVER['HTTPS'] = 'https';
+        $_SERVER['REQUEST_URI'] = null;
+        $_SERVER['QUERY_STRING'] = null;
+        $_SERVER['SCRIPT_NAME'] = '/';
+        unset($_SERVER['PATH_INFO']);
+
+        OneLogin_Saml2_Utils::setBaseURLPath('/');
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURL());
+        $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
+    }
+
     /**
      * @covers OneLogin_Saml2_Utils::setBaseURL
      */
@@ -483,9 +510,9 @@ public function testSetBaseURL()
         $this->assertEquals($expectedUrl, OneLogin_Saml2_Utils::getSelfURL());
 
         OneLogin_Saml2_Utils::setBaseURL("http://anothersp.example.com:81/example2/");
-        $expectedUrlNQ2 = 'http://anothersp.example.com:81/example2/route.php';
-        $expectedRoutedUrlNQ2 = 'http://anothersp.example.com:81/example2/route.php';
-        $expectedUrl2 = 'http://anothersp.example.com:81/example2/route.php?x=test';
+        $expectedUrlNQ2 = 'http://anothersp.example.com:81/example2/example1/route.php';
+        $expectedRoutedUrlNQ2 = 'http://anothersp.example.com:81/example2/example1/route.php';
+        $expectedUrl2 = 'http://anothersp.example.com:81/example2/example1/route.php?x=test';
 
         $this->assertEquals('http', OneLogin_Saml2_Utils::getSelfProtocol());
         $this->assertEquals('anothersp.example.com', OneLogin_Saml2_Utils::getSelfHost());
@@ -497,11 +524,68 @@ public function testSetBaseURL()
         $this->assertEquals($expectedUrl2, OneLogin_Saml2_Utils::getSelfURL());
 
         $_SERVER['PATH_INFO'] = '/test';
-        $expectedUrlNQ2 = 'http://anothersp.example.com:81/example2/route.php/test';
+        $expectedUrlNQ2 = 'http://anothersp.example.com:81/example2/example1/route.php/test';
 
         $this->assertEquals($expectedUrlNQ2, OneLogin_Saml2_Utils::getSelfURLNoQuery());
         $this->assertEquals($expectedRoutedUrlNQ2, OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
         $this->assertEquals($expectedUrl2, OneLogin_Saml2_Utils::getSelfURL());
+
+        OneLogin_Saml2_Utils::setBaseURL("http://anothersp.example.com:81/example2");
+        $this->assertEquals($expectedUrlNQ2, OneLogin_Saml2_Utils::getSelfURLNoQuery());
+        $this->assertEquals($expectedRoutedUrlNQ2, OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+        $this->assertEquals($expectedUrl2, OneLogin_Saml2_Utils::getSelfURL());
+        $this->assertEquals('/example2/', OneLogin_Saml2_Utils::getBaseURLPath());
+
+        $_SERVER['PATH_INFO'] = null;
+        $_SERVER['REQUEST_URI'] = null;
+        $_SERVER['QUERY_STRING'] = null;
+        $_SERVER['SCRIPT_NAME'] = '/';
+        OneLogin_Saml2_Utils::setBaseURL("https://sp.example.com/");
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURL());
+        $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
+    }
+
+    /**
+     * @covers OneLogin_Saml2_Utils::setBaseURL
+     */
+    public function testSetBaseURL2()
+    {
+        $_SERVER['HTTP_HOST'] = 'sp.example.com';
+        $_SERVER['HTTPS'] = 'https';
+        $_SERVER['REQUEST_URI'] = null;
+        $_SERVER['QUERY_STRING'] = null;
+        $_SERVER['SCRIPT_NAME'] = '/';
+        unset($_SERVER['PATH_INFO']);
+
+        OneLogin_Saml2_Utils::setBaseURL('https://sp.example.com/');
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+        $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURL());
+        $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
+
+        $_SERVER['REQUEST_URI'] = '/example1/path/route.php?x=test';
+        $_SERVER['QUERY_STRING'] = '?x=test';
+        $_SERVER['SCRIPT_NAME'] = '/example1/path/route.php';
+        $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+        $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+        $this->assertEquals("https://sp.example.com/example1/path/route.php?x=test", OneLogin_Saml2_Utils::getSelfURL());
+        $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
+
+        OneLogin_Saml2_Utils::setBaseURLPath('/example1/path/');
+        $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+        $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+        $this->assertEquals("https://sp.example.com/example1/path/route.php?x=test", OneLogin_Saml2_Utils::getSelfURL());
+        $this->assertEquals('/example1/path/', OneLogin_Saml2_Utils::getBaseURLPath());
+
+        $_SERVER['REQUEST_URI'] = '/example1/path/route/?x=test';
+        $_SERVER['QUERY_STRING'] = '?x=test';
+        $_SERVER['SCRIPT_NAME'] = '/example1/path/route';
+        $this->assertEquals("https://sp.example.com/example1/path/route", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+        $this->assertEquals("https://sp.example.com/example1/path/route", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+        $this->assertEquals("https://sp.example.com/example1/path/route/?x=test", OneLogin_Saml2_Utils::getSelfURL());
+        $this->assertEquals('/example1/path/', OneLogin_Saml2_Utils::getBaseURLPath());
     }
 
     /**
@@ -561,6 +645,13 @@ public function testGetSelfURL()
 
         $_SERVER['REQUEST_URI'] = 'https://example.com/testing';
         $this->assertEquals($url.'/testing', OneLogin_Saml2_Utils::getSelfURL());
+
+        $_SERVER['REQUEST_URI'] = 'https://example.com/test/';
+        $this->assertEquals($url.'/test/', OneLogin_Saml2_Utils::getSelfURL());
+
+        $_SERVER['REQUEST_URI'] = 'https://example.com/';
+        $this->assertEquals($url.'/', OneLogin_Saml2_Utils::getSelfURL());
+
     }
 
     /**
@@ -700,7 +791,7 @@ public function testParseSAML2Time()
             $this->assertContains('Invalid SAML2 timestamp passed', $e->getMessage());
         }
 
-        // Now test if toolkit supports miliseconds
+        // Now test if toolkit supports milliseconds
         $SAMLTime2 = '2013-12-10T04:39:31.120Z';
         $this->assertEquals($time, OneLogin_Saml2_Utils::parseSAML2Time($SAMLTime2));
     }
@@ -1287,4 +1378,431 @@ public function testValidateSign()
             $this->assertContains('Reference validation failed', $e->getMessage());
         }
     }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     *
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignIsValid()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $idpData = $settings->getIdPData();
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+        $retrieveParametersFromServer = false;
+        $messageType = 'SAMLRequest';
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer));
+
+        $retrieveParametersFromServer = true;
+        $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc');
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer));
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData2 = array(
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+        $retrieveParametersFromServer = false;
+        $messageType = 'SAMLResponse';
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer));
+
+        $retrieveParametersFromServer = true;
+        $_SERVER['QUERY_STRING'] = 'SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=');
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer));
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     *
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignIsValidx509certMulti()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings6.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $idpData = $settings->getIdPData();
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+        $retrieveParametersFromServer = false;
+        $messageType = 'SAMLRequest';
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer));
+
+        $retrieveParametersFromServer = true;
+        $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc');
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer));
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData2 = array(
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+        $retrieveParametersFromServer = false;
+        $messageType = 'SAMLResponse';
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer));
+
+        $retrieveParametersFromServer = true;
+        $_SERVER['QUERY_STRING'] = 'SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=');
+        $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer));
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     * Case where the signature is wrong 
+     * 
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignSignatureWrong()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $idpData = $settings->getIdPData();
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'WRONGL2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+        $retrieveParametersFromServer = false;
+        $messageType = 'SAMLRequest';
+        $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer));
+
+        $getData2 = array(
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'WRONGvfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+        $retrieveParametersFromServer = false;
+        $messageType = 'SAMLResponse';
+        $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer));
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     * Case where the cert is wrong 
+     * 
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignCertWrong()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settingsInfo['idp']['x509cert'] = 'MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEUMBIGA1UECAwLZXhhbXBsZS5jb20xFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0yNTA1MjQyMjUyNTlaFw0zNTA1MjIyMjUyNTlaME8xCzAJBgNVBAYTAnVzMRQwEgYDVQQIDAtleGFtcGxlLmNvbTEUMBIGA1UECgwLZXhhbXBsZS5jb20xFDASBgNVBAMMC2V4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD4pXDtSHXYCBA7j5Rc5v+Eh1QigIN2BPXcLtzvaQL5ajifXoQsXuSkcO3Rg7kcTVFcSjhtvM7/NUDq8yEq5g6cYCbdJHXCPH2xkotS57YWkY8zYohOuSa8LNLNeBVTcngQqLbprjgUAXjyXq8rlXu80lNgMw8eo7MbQCQpgC4VqwIDAQABo1AwTjAdBgNVHQ4EFgQUmPov0WxzvYUtCluz0AEFFWIx/NYwHwYDVR0jBBgwFoAUmPov0WxzvYUtCluz0AEFFWIx/NYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOBgQCHTsdA7LbSeDRiqqOHw+50ncIFCC2s4m6qBaxNrwSSyhoZKWhyUNxfnKIB4s/jaQxITn6U8hvuEv6e3Ews+07j4yIISF2SWefStAf8P/7Rt+qHQiV2zcE/RzxW4Trvav1dIfjqF26hOPQqGVnAKGP8wcjsEhwxUVOLP6EUTIoH3A==';
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+
+        $idpData = $settings->getIdPData();
+        $retrieveParametersFromServer = false;
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+        $messageType = 'SAMLRequest';
+        $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer));
+
+        $getData2 = array(
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+        $messageType = 'SAMLResponse';
+        $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer));
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     * Case removed element, ex RelayState
+     * 
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignRemovedParam()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+
+        $idpData = $settings->getIdPData();
+        $retrieveParametersFromServer = false;
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+        unset($getData['RelayState']);
+        $messageType = 'SAMLRequest';
+        $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer));
+
+        $getData2 = array(
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+        unset($getData2['RelayState']);
+        $messageType = 'SAMLResponse';
+        $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer));
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     * Case No Query String
+     * 
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignNoQueryString()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+
+        $idpData = $settings->getIdPData();
+        $retrieveParametersFromServer = true;
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+        unset($getData['RelayState']);
+        $messageType = 'SAMLRequest';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "No query string provided";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $getData2 = array(
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+        unset($getData2['RelayState']);
+        $messageType = 'SAMLResponse';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "No query string provided";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     * Case No Cert
+     * 
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignNoCert()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+
+        $idpData = $settings->getIdPData();
+        unset($idpData['x509cert']);
+
+        $retrieveParametersFromServer = false;
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+        $messageType = 'SAMLRequest';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "In order to validate the sign on the Logout Request, the x509cert of the IdP is required";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $getData2 = array(
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+        $messageType = 'SAMLResponse';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "In order to validate the sign on the Logout Response, the x509cert of the IdP is required";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     * Case Invalid Parameters: Ex. SAMLRequest and SAMLResponse present at the same time
+     * 
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignReqAndRes()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+
+        $idpData = $settings->getIdPData();
+        $retrieveParametersFromServer = false;
+
+        unset($_SERVER['QUERY_STRING']);
+        $getData = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+        );
+
+        $messageType = 'SAMLRequest';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $retrieveParametersFromServer = true;
+        $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '%SAMLResponse=' . urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc');
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $getData2 = array(
+            'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+            'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+            'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+        );
+
+        $messageType = 'SAMLResponse';
+        $retrieveParametersFromServer = false;
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $retrieveParametersFromServer = true;
+        $_SERVER['QUERY_STRING'] = 'SAMLRequest='. urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=') . '&SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=');
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+    }
+
+    /**
+     * Tests the validateBinarySign method of the Utils
+     * Case Invalid Parameters: Ex. Duplicated Parameters
+     * 
+     * @covers OneLogin_Saml2_Utils::validateSign
+     */
+    public function testValidateBinarySignDuplicatedParameters()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings6.php';
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $idpData = $settings->getIdPData();
+
+        $getData = array();
+        $retrieveParametersFromServer = true;
+        $messageType = 'SAMLRequest';
+
+        $_SERVER['QUERY_STRING'] = 'SAMLRequest=xxx&SAMLRequest=yyy';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Duplicate parameter in query string";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $_SERVER['QUERY_STRING'] = 'SAMLResponse=xxx&SAMLResponse=yyy';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Duplicate parameter in query string";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $_SERVER['QUERY_STRING'] = 'RelayState=xxx&RelayState=yyy';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Duplicate parameter in query string";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+
+        $_SERVER['QUERY_STRING'] = 'SigAlg=xxx&SigAlg=yyy';
+        try {
+            OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+            $this->fail('Error was not raised');
+        } catch (Exception $e) {
+            $expectedMessage = "Duplicate parameter in query string";
+            $this->assertEquals($expectedMessage, $e->getMessage());
+        }
+    }
 }