Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • cesnet_simplesamlphp-1.19.8
  • elixir_simplesamlphp-1.19.8
  • simplesamlphp-1.19.8
  • cesnet_simplesamlphp-1.19.5
  • simplesamlphp-2.0
  • feature/assets
  • feature/rac-source-selector
  • cleanup/remove-base64-attributes
  • simplesamlphp-1.19
  • elixir_simplesamlphp-1.19.5
  • aarc_idp_hinting
  • feature/validate-authstate-before-processing
  • feature/build-two-tarballs
  • dependabot/composer/twig/twig-3.4.3
  • tvdijen-patch-1
  • unchanged-acs-url-no-www-script
  • feature/translation-improvements
  • symfony6
  • move_tests
  • v1.19.9
  • v2.1.3
  • v2.0.10
  • v2.1.2
  • v2.0.9
  • v2.1.1
  • v2.0.8
  • v2.1.0
  • v2.0.7
  • v2.1.0-rc1
  • v2.0.6
  • v2.0.5
  • 2.0.4-alpha.1
  • v2.0.4-alpha.1
  • v2.0.4
  • v2.0.3
  • v2.0.2
  • v2.0.1-alpha.1
  • v2.0.1
  • v1.19.8
40 results
Blame Permalink
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
logout.php 2.47 KiB 
<?php

/**
 * Logout endpoint handler for SAML 2.0 SP authentication client.
 *
 * This endpoint handles both logout requests and logout responses.
 */

if (!array_key_exists('PATH_INFO', $_SERVER)) {
	throw new SimpleSAML_Error_BadRequest('Missing authentication source id in logout URL');
}

$sourceId = substr($_SERVER['PATH_INFO'], 1);

$source = SimpleSAML_Auth_Source::getById($sourceId);
if ($source === NULL) {
	throw new Exception('Could not find authentication source with id ' . $sourceId);
}


$config = SimpleSAML_Configuration::getInstance();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

if (array_key_exists('SAMLResponse', $_GET)) {

	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
	$response = $binding->decodeLogoutResponse($_GET);

	if ($binding->validateQuery($response->getIssuer(), 'SP', 'SAMLResponse')) {
		SimpleSAML_Logger::debug('module/saml2/sp/logout: Valid signature found on response');
	}

	if (!array_key_exists('RelayState', $_REQUEST)) {
		throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.');
	}

	$stateId = $_REQUEST['RelayState'];
	$state = SimpleSAML_Auth_State::loadState($_REQUEST['RelayState'], sspmod_saml2_Auth_Source_SP::STAGE_LOGOUTSENT);


	SimpleSAML_Auth_Source::completeLogout($state);

} elseif (array_key_exists('SAMLRequest', $_GET)) {

	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);

	$request = $binding->decodeLogoutRequest($_GET);

	$requestId = $request->getRequestID();
	$idpEntityId = $request->getIssuer();
	$relayState = $request->getRelayState();

	if ($binding->validateQuery($idpEntityId, 'SP')) {
		SimpleSAML_Logger::debug('module/saml2/sp/logout: Valid signature found on request');
	}


	$spEntityId = $source->getEntityId();

	SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId . ' with request id ' . $requestId);
	SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);

	/* Notify source of logout, so that it may call logout callbacks. */
	$source->onLogout($idpEntityId);

	/* Create an send response. */
	$lr = new SimpleSAML_XML_SAML20_LogoutResponse($config, $metadata);
	$responseXML = $lr->generate($spEntityId, $idpEntityId, $requestId, 'SP');
	$binding->sendMessage($responseXML, $spEntityId, $idpEntityId, $relayState, 'SingleLogoutServiceResponse', 'SAMLResponse');

} else {
	throw new SimpleSAML_Error_BadRequest('Missing request or response to logout endpoint');
}