From 193f36555f69aeca5321de50626256a3aede5582 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 27 Jan 2010 09:29:19 +0000
Subject: [PATCH] saml2/idp: Deprecate iframe versions of SingleLogoutService
 endpoints.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2143 44740490-163a-0410-bde0-09ae8108e29a
---
 docs/simplesamlphp-idp-more.txt               |  1 -
 .../Metadata/MetaDataStorageHandler.php       | 29 ++-----------------
 www/saml2/idp/SingleLogoutServiceiFrame.php   | 11 +++----
 .../idp/SingleLogoutServiceiFrameResponse.php | 11 +++----
 .../idp/idpInitSingleLogoutServiceiFrame.php  | 10 +++----
 www/saml2/idp/metadata.php                    | 15 ++--------
 6 files changed, 16 insertions(+), 61 deletions(-)

diff --git a/docs/simplesamlphp-idp-more.txt b/docs/simplesamlphp-idp-more.txt
index d77978c11..b16966768 100644
--- a/docs/simplesamlphp-idp-more.txt
+++ b/docs/simplesamlphp-idp-more.txt
@@ -17,7 +17,6 @@ If you have read about the AJAX iFrame Single Log-Out approach at Andreas' blog
 
 	'logouttype' => 'iframe',
 
-Notice that when setting this option after already having shared metadata with Service Providers, you need to send new metadata. The automatically genereated metadata will change.
 
 Attribute Release Consent
 -------------------------
diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
index 1bc23c5d9..7494bf5a2 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -74,7 +74,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
 	 * @param $set  The set we the property comes from.
 	 * @return The autogenerated metadata property.
 	 */
-	public function getGenerated($property, $set = 'saml20-sp-hosted', $options = array() ) {
+	public function getGenerated($property, $set = 'saml20-sp-hosted') {
 
 		/* First we check if the user has overridden this property in the metadata. */
 		try {
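Review bot: Dropping `$options` from `getGenerated()` is silent for existing callers, because PHP does not reject surplus arguments passed to a user-defined function. Code that still passes `array('logouttype' => 'iframe')` as a third argument will now get the traditional URL with no error. The docblock above the signature should record this, for example `* Note: the logout type no longer influences the generated URL; a third argument is ignored.` The function body continues outside this hunk.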
@@ -102,38 +102,13 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
 					return $baseurl . 'saml2/sp/SingleLogoutService.php';					
 			}
 		} elseif($set == 'saml20-idp-hosted') {
-			
-			$logouttype = 'traditional';
-			if (array_key_exists('logouttype', $options)) $logouttype = $options['logouttype'];
-			if (!in_array($logouttype, array('traditional', 'iframe'))) 
-				throw new Exception('Invalid logout type [' . $logouttype . '] in IdP Hosted Metadata');
 
 			switch ($property) {				
 				case 'SingleSignOnService' : 
 					return $baseurl . 'saml2/idp/SSOService.php';
 
 				case 'SingleLogoutService' : 
-					
-					switch ($logouttype) {
-						case 'iframe' : 
-							return $baseurl . 'saml2/idp/SingleLogoutServiceiFrame.php';
-						
-						case 'traditional' :
-						default :
-							return $baseurl . 'saml2/idp/SingleLogoutService.php';			
-					}
-				
-				case 'SingleLogoutServiceResponse' : 
-
-					switch ($logouttype) {
-						case 'iframe' : 
-							return $baseurl . 'saml2/idp/SingleLogoutServiceiFrameResponse.php';
-						
-						case 'traditional' :
-						default :
-							return $baseurl . 'saml2/idp/SingleLogoutService.php';			
-					}
-				
+					return $baseurl . 'saml2/idp/SingleLogoutService.php';
 			}
 		} elseif($set == 'shib13-sp-hosted') {
 			switch ($property) {				
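Review bot: With the `'SingleLogoutServiceResponse'` case removed, a request for that property in the `saml20-idp-hosted` set no longer matches any branch of this switch. It falls through to whatever follows the if/elseif chain, which is outside the hunk and is presumably an error path. If modules or templates outside this commit still ask for that property, keeping it as an alias is a one-line change: add `case 'SingleLogoutServiceResponse' :` next to the existing `case 'SingleLogoutService' :` label so both names resolve to `saml2/idp/SingleLogoutService.php`.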
diff --git a/www/saml2/idp/SingleLogoutServiceiFrame.php b/www/saml2/idp/SingleLogoutServiceiFrame.php
index 1e06782c2..ce0cc740a 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrame.php
@@ -1,14 +1,11 @@
 <?php
 
-/**
- * This SAML 2.0 endpoint can receive incoming LogoutRequests. It will also send LogoutResponses, 
- * and LogoutRequests and also receive LogoutResponses. It is implemeting SLO at the SAML 2.0 IdP.
+/*
+ * This endpoint is provided for backwards compatibility,
+ * and should not be used.
  *
- * @author Andreas Ă…kre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
- * @package simpleSAMLphp
- * @version $Id$
+ * Use SingleLogoutService.php instead.
  */
-
 require_once('../../_include.php');
 
 SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrame: Accessing SAML 2.0 IdP endpoint SingleLogoutService (iFrame version)');
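Review bot: The deprecation exists only as a source comment, so an operator cannot tell from a running IdP which service providers still send logout traffic to the legacy iframe endpoints. The access is still logged at info level like any other request (the `SimpleSAML_Logger::info(...)` line after `require_once`). Logging it at warning level, e.g. `SimpleSAML_Logger::warning('SAML2.0 - IdP.SingleLogoutServiceiFrame: deprecated endpoint accessed, use SingleLogoutService.php');`, gives a searchable signal for finding remaining users before the endpoint is removed. The same applies to SingleLogoutServiceiFrameResponse.php and idpInitSingleLogoutServiceiFrame.php; the rest of each script is outside its hunk.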
diff --git a/www/saml2/idp/SingleLogoutServiceiFrameResponse.php b/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
index de95805e9..da18eefef 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
@@ -1,14 +1,11 @@
 <?php
 
-
-/**
- * This SAML 2.0 endpoint can receive incoming LogoutResponses. 
+/*
+ * This endpoint is provided for backwards compatibility,
+ * and should not be used.
  *
- * @author Andreas Ă…kre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
- * @package simpleSAMLphp
- * @version $Id$
+ * Use SingleLogoutService.php instead.
  */
-
 require_once('../../_include.php');
 
 SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrameResponse: Accessing SAML 2.0 IdP endpoint SingleLogoutServiceResponse (iFrame version)');
diff --git a/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
index 18b3d332e..24f89b013 100644
--- a/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
@@ -1,13 +1,11 @@
 <?php
 
-/**
- * IdP Initiated Single Log-Out. Requires one parameter: RelayState.
+/*
+ * This endpoint is provided for backwards compatibility,
+ * and should not be used.
  *
- * @author Andreas Ă…kre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
- * @package simpleSAMLphp
- * @version $Id$
+ * Use SingleLogoutService.php?ReturnTo=... instead.
  */
-
 require_once('../../_include.php');
 
 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
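Review bot: The new header drops the only statement of this endpoint's input, `Requires one parameter: RelayState`, while the script stays reachable and the recommended replacement uses a differently named parameter, `ReturnTo`. Keep that fact in the comment, for example `* This endpoint takes RelayState; the replacement takes ReturnTo.` Both look like post-logout return targets, and whether the value is checked before it is used is not visible here, since the script body is outside the hunk; that should be confirmed while the legacy endpoint remains exposed.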
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index 9c8dba5ee..95fae46f4 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -28,25 +28,14 @@ try {
 		$certFingerprint = $certFingerprint[0];
 	}
 
-	$logouttype = 'traditional';
-	if (array_key_exists('logouttype', $idpmeta)) $logouttype = $idpmeta['logouttype'];
-
-	$urlSLO = $metadata->getGenerated('SingleLogoutService', 'saml20-idp-hosted', array('logouttype' => $logouttype));
-	$urlSLOr = $metadata->getGenerated('SingleLogoutServiceResponse', 'saml20-idp-hosted', array('logouttype' => $logouttype));
-
 	$metaArray = array(
 		'metadata-set' => 'saml20-idp-remote',
 		'entityid' => $idpentityid,
-		'SingleSignOnService' => $metadata->getGenerated('SingleSignOnService', 'saml20-idp-hosted', array()),
-		'SingleLogoutService' => $metadata->getGenerated('SingleLogoutService', 'saml20-idp-hosted', array('logouttype' => $logouttype)),
-		'SingleLogoutServiceResponse'  => $metadata->getGenerated('SingleLogoutServiceResponse', 'saml20-idp-hosted', array('logouttype' => $logouttype)),
+		'SingleSignOnService' => $metadata->getGenerated('SingleSignOnService', 'saml20-idp-hosted'),
+		'SingleLogoutService' => $metadata->getGenerated('SingleLogoutService', 'saml20-idp-hosted'),
 		'certFingerprint' => $certFingerprint,
 	);
 
-	if ($metaArray['SingleLogoutServiceResponse'] === $metaArray['SingleLogoutService']) {
-		unset($metaArray['SingleLogoutServiceResponse']);
-	}
-
 	if (isset($idpmeta['saml20.sendartifact']) && $idpmeta['saml20.sendartifact'] === TRUE) {
 		/* Artifact sending enabled. */
 		$metaArray['ArtifactResolutionService'][] = array(
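Review bot: For an IdP configured with `'logouttype' => 'iframe'`, this hunk changes the published `SingleLogoutService` URL and drops `SingleLogoutServiceResponse` from the metadata, yet the docs hunk in this commit removes the notice about re-sending metadata rather than replacing it. Service providers holding the old metadata will keep addressing the deprecated endpoints until they refresh. A short comment above `$metaArray`, such as `/* 'logouttype' no longer changes the published endpoints; SPs with older metadata may still use the iframe URLs. */`, plus an upgrade note, would make that visible. The enclosing `try` block starts and ends outside the hunk.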
-- 
GitLab