diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3b804c64..53def01c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,15 +11,22 @@ jobs:
         os:
           - ubuntu-20.04
           - macos-latest
+          - windows-latest
         ruby-version:
           - 3.0
           - 3.1
           - 3.2
+          - 3.3
           - jruby-9.4
           - truffleruby
+        exclude:
+          - os: windows-latest
+            ruby-version: jruby-9.4
+          - os: windows-latest
+            ruby-version: truffleruby
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Ruby ${{ matrix.ruby-version }}
         uses: ruby/setup-ruby@v1
         with:
@@ -33,9 +40,6 @@ jobs:
 
       - name: Coveralls
         uses: coverallsapp/github-action@master
-        # 2023/03/07 - Simplecov is not working on TruffleRuby.
-        # TruffleRuby tests are otherwise passing.
-        if: ${{ matrix.ruby-version != 'truffleruby' }}
         with:
           github-token: ${{ secrets.github_token }}
           parallel: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65359192..d7d52f33 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,12 +11,14 @@
 * [#690](https://github.com/SAML-Toolkits/ruby-saml/pull/690) Remove deprecated `settings.security[:embed_sign]` parameter.
 
 ### 1.17.0
+* [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Deprecate `Settings#certificate_new` parameter.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` will use the first non-expired certificate/key when signing/decrypting. It will raise an error only if there are no valid certificates/keys.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now validates the certificate `not_before` condition; previously it was only validating `not_after`.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) `:check_sp_cert_expiration` now causes the generated SP metadata to exclude any inactive/expired certificates.
+* [#691](https://github.com/SAML-Toolkits/ruby-saml/pull/691) Make IdpMetadataParser#get_idp_metadata public.
 
 ### 1.16.0 (Oct 09, 2023)
 * [#671](https://github.com/SAML-Toolkits/ruby-saml/pull/671) Add support on LogoutRequest with Encrypted NameID
diff --git a/README.md b/README.md
index f5767ede..4d5eb8ba 100644
--- a/README.md
+++ b/README.md
@@ -20,14 +20,13 @@ We created a demo project for Rails 4 that uses the latest version of this libra
 
 ### Supported Ruby Versions
 
-* 3.0
-* 3.1
-* 3.2
-* JRuby 9.3
+The following Ruby versions are covered by CI testing:
+
+* Ruby (MRI) 3.0 to 3.3
 * JRuby 9.4
 * TruffleRuby (latest)
 
-For older Ruby support, please refer to older major versions of Ruby SAML.
+Older Ruby versions are supported on the 1.x release of Ruby SAML.
 
 ## Adding Features, Pull Requests
 
@@ -989,4 +988,4 @@ be written entirely in future versions.
 
 ## License
 
-RubySaml is made available under the MIT License. Refer to [LICENSE](LICENSE).
+Ruby SAML is made available under the MIT License. Refer to [LICENSE](LICENSE).
diff --git a/lib/ruby_saml/idp_metadata_parser.rb b/lib/ruby_saml/idp_metadata_parser.rb
index 9f99b021..08a80199 100644
--- a/lib/ruby_saml/idp_metadata_parser.rb
+++ b/lib/ruby_saml/idp_metadata_parser.rb
@@ -185,8 +185,6 @@ def parse_to_idp_metadata_array(idp_metadata, options = {})
       idpsso_descriptors.map {|id| IdpMetadata.new(id, id.parent.attributes["entityID"])}
     end
 
-    private
-
     # Retrieve the remote IdP metadata from the URL or a cached copy.
     # @param url [String] Url where the XML of the Identity Provider Metadata is published.
     # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
@@ -213,6 +211,8 @@ def get_idp_metadata(url, validate_cert)
       )
     end
 
+    private
+
     class IdpMetadata
       attr_reader :idpsso_descriptor, :entity_id
 
diff --git a/lib/ruby_saml/utils.rb b/lib/ruby_saml/utils.rb
index a0440ec3..55f917a1 100644
--- a/lib/ruby_saml/utils.rb
+++ b/lib/ruby_saml/utils.rb
@@ -68,13 +68,20 @@ def self.parse_duration(duration, timestamp=Time.now.utc)
       sign = matches[1] == '-' ? -1 : 1
 
       durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
-        matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
+        matches[2..8].map do |match|
+          if match
+            match = match.tr(',', '.').gsub(/\.0*\z/, '')
+            sign * (match.include?('.') ? match.to_f : match.to_i)
+          else
+            0
+          end
+        end
 
-      initial_datetime = Time.at(timestamp).utc.to_datetime
-      final_datetime = initial_datetime.next_year(durYears)
-      final_datetime = final_datetime.next_month(durMonths)
-      final_datetime = final_datetime.next_day((7*durWeeks) + durDays)
-      final_datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
+      datetime = Time.at(timestamp).utc.to_datetime
+      datetime = datetime.next_year(durYears)
+      datetime = datetime.next_month(durMonths)
+      datetime = datetime.next_day((7*durWeeks) + durDays)
+      datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
     end
 
     # Return a properly formatted x509 certificate