idp/SingleLogoutServiceiFrameResponse.php: Update to use the SAML2 library.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1618 44740490-163a-0410-bde0-09ae8108e29a

www/saml2/idp/SingleLogoutServiceiFrameResponse.php

@@ -21,42 +21,47 @@ if (!$config->getValue('enable.saml20-idp', false))
 	SimpleSAML_Utilities::fatalError(isset($session) ? $session->getTrackID() : null, 'NOACCESS');
 
 try {
-	$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+	$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+	$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-hosted');
 } catch (Exception $exception) {
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
 }
 
-SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: Got IdP entity id: ' . $idpentityid);
-
-$logouttype = 'traditional';
-$idpmeta = $metadata->getMetaDataCurrent('saml20-idp-hosted');
-if (array_key_exists('logouttype', $idpmeta)) $logouttype = $idpmeta['logouttype'];
+SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: Got IdP entity id: ' . $idpEntityId);
 
+$logouttype = $idpMetadata->getString('logouttype', 'traditional');
 if ($logouttype !== 'iframe') 
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS', new Exception('This IdP is configured to use logout type [' . $logouttype . '], but this endpoint is only available for IdP using logout type [iframe]'));
 
 
+if (!isset($_REQUEST['SAMLResponse'])) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS',
+		new Exception('No valid SAMLResponse found? Probably some error in remote partys metadata that sends something to this endpoint that is not SAML LogoutResponses') );
+}
+
+$binding = SAML2_Binding::getCurrentBinding();;
+$logoutResponse = $binding->receive();;
+if (!($logoutResponse instanceof SAML2_LogoutResponse)) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS',
+		new Exception('Message received on response endpoint wasn\'t a response. Was: ' . get_class($logoutResponse)));
+}
+
+$spEntityId = $logoutResponse->getIssuer();
+if ($spEntityId === NULL) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS',
+		new Exception('Missing issuer on logout response.'));
+}
+$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
 
+sspmod_saml2_Message::validateMessage($spMetadata, $idpMetadata, $logoutResponse);
 
 
-if (isset($_GET['SAMLResponse'])) {
+$sphash = sha1($spEntityId);
+setcookie('spstate-' . $sphash , '1'); // Duration: 2 hours
 
-	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-	$logoutresponse = $binding->decodeLogoutResponse($_GET);
+SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrameResponse: Logging out completed');
 
-	/*
-	 * This would be the normal way to end SP sessions. But because we do not want concurrent 
-	 * updates on the session ojbect, we do set a cookie instead.
-	 *
-	 * $session->set_sp_logout_completed($logoutresponse->getIssuer());
-	 */
-	$sphash = sha1($logoutresponse->getIssuer());
-	setcookie('spstate-' . $sphash , '1'); // Duration: 2 hours
-	
-	
-	SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrameResponse: Logging out completed');
-	
-	echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+echo '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
@@ -65,11 +70,5 @@ if (isset($_GET['SAMLResponse'])) {
 </head>
 <body>OK</body>
 </html>';
-	
-} else {
-
-	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS', 
-		new Exception('No valid SAMLResponse found? Probably some error in remote partys metadata that sends something to this endpoint that is not SAML LogoutResponses') );
-}
 
 ?>
\ No newline at end of file