From 2dd415e1f5c69ba39aba704f21f84db924b261ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Sun, 1 Mar 2009 12:45:07 +0000
Subject: [PATCH] add support for idp-initiated SLO with iframe.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1348 44740490-163a-0410-bde0-09ae8108e29a
---
templates/logout-iframe.php | 30 ++-
www/saml2/idp/SingleLogoutService.php | 2 +-
www/saml2/idp/SingleLogoutServiceiFrame.php | 6 +-
.../idp/SingleLogoutServiceiFrameResponse.php | 1 -
.../idp/idpInitSingleLogoutServiceiFrame.php | 255 ++++++++++++++++++
5 files changed, 281 insertions(+), 13 deletions(-)
create mode 100644 www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
diff --git a/templates/logout-iframe.php b/templates/logout-iframe.php
index 3c1467180..c62e75f28 100644
--- a/templates/logout-iframe.php
+++ b/templates/logout-iframe.php
@@ -57,6 +57,7 @@ function startslo() {
function slocompletesp($entityhash) {
$("table#slostatustable tr#" + $entityhash).filter(".inprogress").removeClass("inprogress").addClass("completed").
children().fadeOut("fast").fadeIn("fast");
+ alert("complete SP " + $entityhash );
}
@@ -97,9 +98,10 @@ function sendResponse() {
<?php
- $requestername = is_array($this->data['requesterName']) ?
- $this->getTranslation($this->data['requesterName']) : $this->data['requesterName'];
-
+ if (array_key_exists('requestername', $this->data)) {
+ $requestername = is_array($this->data['requesterName']) ?
+ $this->getTranslation($this->data['requesterName']) : $this->data['requesterName'];
+ }
#echo('<p>' . $this->t('{logout:description}', array('%REQUESTERNAME%' => $requestername)) . '</p>');
?>
@@ -108,11 +110,12 @@ function sendResponse() {
<?php
- echo('<div><img style="float: left; margin-right: 12px" src="/' . $this->data['baseurlpath'] . 'resources/icons/checkmark48.png" alt="Successful logout" />');
- echo('<p style="padding-top: 16px; ">' . $this->t('{logout:loggedoutfrom}', array('%SP%' => '<strong>' .$requestername.'</strong>')) . '</p>');
- echo('<p style="height: 0px; clear: left;"></p>');
- echo('</div>');
-
+ if (array_key_exists('requestername', $this->data)) {
+ echo('<div><img style="float: left; margin-right: 12px" src="/' . $this->data['baseurlpath'] . 'resources/icons/checkmark48.png" alt="Successful logout" />');
+ echo('<p style="padding-top: 16px; ">' . $this->t('{logout:loggedoutfrom}', array('%SP%' => '<strong>' .$requestername.'</strong>')) . '</p>');
+ echo('<p style="height: 0px; clear: left;"></p>');
+ echo('</div>');
+ }
echo('<div style="margin-top: 3em; clear: both">');
echo('<p style="margin-bottom: .5em">' . $this->t('{logout:also_from}') . '</p>');
@@ -187,7 +190,16 @@ function sendResponse() {
<?php echo $this->t('{logout:logout_all_question}'); ?> <br />
</p>
<input type="button" id="ok" name="ok" value="<?php echo $this->t('{logout:logout_all}'); ?>" />
- <input type="button" id="cancel" name="cancel" value="<?php echo $this->t('{logout:logout_only}', array('%SP%' => $requestername)); ?>" />
+ <?php
+
+ if (array_key_exists('requestername', $this->data)) {
+ echo '<input type="button" id="cancel" name="cancel" value="' . $this->t('{logout:logout_only}', array('%SP%' => $requestername)) . '" />';
+ } else {
+ echo '<input type="button" id="cancel" name="cancel" value="' . $this->t('{logout:no}') . '" />';
+ }
+
+ ?>
+
<p id="incapablesps" >
diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php
index 22e2caa9f..04809ac7b 100644
--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -115,7 +115,7 @@ if (isset($_GET['SAMLRequest'])) {
$responder = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
- SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $logoutrequest->getIssuer());
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $requester);
SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $requester . ' ' . $responder);
/* Check if we have a valid session. */
diff --git a/www/saml2/idp/SingleLogoutServiceiFrame.php b/www/saml2/idp/SingleLogoutServiceiFrame.php
index 2985f746f..625a45ae1 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrame.php
@@ -17,6 +17,8 @@ $session = SimpleSAML_Session::getInstance();
SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrame: Accessing SAML 2.0 IdP endpoint SingleLogoutService (iFrame version)');
+SimpleSAML_Logger::debug('Initially; ' . join(',', $session->get_sp_list(SimpleSAML_Session::STATE_ONLINE)));
+
if (!$config->getValue('enable.saml20-idp', false))
SimpleSAML_Utilities::fatalError(isset($session) ? $session->getTrackID() : null, 'NOACCESS');
@@ -103,8 +105,8 @@ function updateslostatus() {
foreach ($templistofsps AS $spentityid) {
if (!empty($_COOKIE['spstate-' . sha1($spentityid)])) $listofsps[] = $spentityid;
}
- SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: templistofsps ' . var_export($templistofsps, TRUE));
- SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: listofsps ' . var_export($listofsps, TRUE));
+ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: templistofsps ' . join(',', $templistofsps));
+ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: listofsps ' . join(',', $listofsps));
// Using template object to be able to translate name of service provider.
diff --git a/www/saml2/idp/SingleLogoutServiceiFrameResponse.php b/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
index 545039d93..a89a450fd 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrameResponse.php
@@ -70,7 +70,6 @@ if (isset($_GET['SAMLResponse'])) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS',
new Exception('No valid SAMLResponse found? Probably some error in remote partys metadata that sends something to this endpoint that is not SAML LogoutResponses') );
-# echo 'Not set: SAMLResponse';
}
?>
\ No newline at end of file
diff --git a/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
new file mode 100644
index 000000000..682b4eebf
--- /dev/null
+++ b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
@@ -0,0 +1,255 @@
+<?php
+
+/**
+ * IdP Initiated Single Log-Out. Requires one parameter: RelayState.
+ *
+ * @author Andreas Ă…kre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+
+require_once('../../_include.php');
+
+$config = SimpleSAML_Configuration::getInstance();
+$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+$session = SimpleSAML_Session::getInstance();
+
+SimpleSAML_Logger::info('SAML2.0 - IdP.idpInitSingleLogoutServiceiFrame: Accessing SAML 2.0 IdP endpoint SingleLogoutService (iFrame version)');
+
+SimpleSAML_Logger::debug('Initially; ' . join(',', $session->get_sp_list(SimpleSAML_Session::STATE_ONLINE)));
+
+if (!$config->getValue('enable.saml20-idp', false))
+ SimpleSAML_Utilities::fatalError(isset($session) ? $session->getTrackID() : null, 'NOACCESS');
+
+try {
+ $idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+} catch (Exception $exception) {
+ SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
+}
+
+SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: Got IdP entity id: ' . $idpentityid);
+
+
+
+$logouttype = 'traditional';
+$idpmeta = $metadata->getMetaDataCurrent('saml20-idp-hosted');
+if (array_key_exists('logouttype', $idpmeta)) $logouttype = $idpmeta['logouttype'];
+
+if ($logouttype !== 'iframe')
+ SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS', new Exception('This IdP is configured to use logout type [' . $logouttype . '], but this endpoint is only available for IdP using logout type [iframe]'));
+
+
+
+
+
+
+
+/**
+ * This function retrieves the logout info with the given ID.
+ *
+ * @param $id The identifier of the logout info.
+ */
+function fetchLogoutInfo($id) {
+ global $session;
+ global $logoutInfo;
+
+ $logoutInfo = $session->getData('idplogoutresponsedata', $id);
+
+ if($logoutInfo === NULL) {
+ SimpleSAML_Logger::warning('SAML2.0 - IdP.SingleLogoutService: Lost logout information.');
+ }
+}
+
+
+/**
+ * This function saves the logout info with the given ID.
+ *
+ * @param $id The identifier the logout info should be saved with.
+ */
+function saveLogoutInfo($id) {
+ global $session;
+ global $logoutInfo;
+
+ $session->setData('idplogoutresponsedata', $id, $logoutInfo);
+}
+
+
+// Include XAJAX definition.
+require_once(SimpleSAML_Utilities::resolvePath('libextinc') . '/xajax/xajax.inc.php');
+
+
+
+/*
+ * This function is called via AJAX and will send LogoutRequest to one single SP by
+ * sending a LogoutRequest using HTTP-REDIRECT
+ */
+function updateslostatus() {
+
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrame: Accessing SAML 2.0 IdP endpoint SingleLogoutService (iFrame version) within updateslostatus() ');
+
+ $config = SimpleSAML_Configuration::getInstance();
+ $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+ $session = SimpleSAML_Session::getInstance();
+
+ $idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+
+ $templistofsps = $session->get_sp_list(SimpleSAML_Session::STATE_ONLINE);
+ $listofsps = array();
+ foreach ($templistofsps AS $spentityid) {
+ if (!empty($_COOKIE['spstate-' . sha1($spentityid)])) $listofsps[] = $spentityid;
+ }
+ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: templistofsps ' . join(',', $templistofsps));
+ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: listofsps ' . join(',', $listofsps));
+
+
+ // Using template object to be able to translate name of service provider.
+ $t = new SimpleSAML_XHTML_Template($config, 'logout-iframe.php');
+
+ // Instantiate the xajaxResponse object
+ $objResponse = new xajaxResponse();
+
+ foreach ($listofsps AS $spentityid) {
+
+ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutServiceiFrame: Completed ' . $spentityid);
+
+ // add a command to the response to assign the innerHTML attribute of
+ // the element with id="SomeElementId" to whatever the new content is
+
+ $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote');
+ $name = array_key_exists('name', $spmetadata) ? $spmetadata['name'] : $spentityid;
+
+ $spname = is_array($name) ? $t->getTranslation($name) : $name;
+
+ $objResponse->addScriptCall('slocompletesp', 'e' . sha1($spentityid));
+
+ }
+
+ if (count($templistofsps) === count($listofsps)) {
+
+ $templistofsps = $session->get_sp_list(SimpleSAML_Session::STATE_ONLINE);
+ foreach ($templistofsps AS $spentityid) {
+ $session->set_sp_logout_completed($spentityid);
+ setcookie('spstate-' . sha1($spentityid) , '', time() - 3600); // Delete cookie
+ }
+
+ $objResponse->addScriptCall('slocompleted');
+
+ /**
+ * Clean up session object to save storage.
+ */
+ if ($config->getValue('debug', false))
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: Session Size before cleaning: ' . $session->getSize());
+
+ $session->clean();
+
+ if ($config->getValue('debug', false))
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: Session Size after cleaning: ' . $session->getSize());
+
+ } else {
+ SimpleSAML_Logger::debug('SAML2.0 - sp_logout_completed FALSE');
+ }
+
+ //return the xajaxResponse object
+ return $objResponse;
+}
+
+
+
+$xajax = new xajax();
+$xajax->registerFunction("updateslostatus");
+$xajax->processRequests();
+
+
+
+
+/**
+ * Which URL to send the user to after logout?
+ */
+$relayState = NULL;
+if (array_key_exists('RelayState', $_REQUEST)) $relayState = $_REQUEST['RelayState'];
+
+// Do logout from the IdP
+$session->doLogout();
+
+// Debug entries in the log about what services the user is logged into.
+$session->dump_sp_sessions();
+
+
+
+/*
+ * Generate a list of all service providers, and create a LogoutRequest message for all these SPs.
+ */
+$listofsps = $session->get_sp_list();
+$sparray = array();
+$sparrayNoLogout = array();
+foreach ($listofsps AS $spentityid) {
+
+ // ($issuer, $receiver, $nameid, $nameidformat, $sessionindex, $mode) {
+ $nameId = $session->getSessionNameId('saml20-sp-remote', $spentityid);
+ if($nameId === NULL) {
+ $nameId = $session->getNameID();
+ }
+
+
+ $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote');
+ $name = array_key_exists('name', $spmetadata) ? $spmetadata['name'] : $spentityid;
+
+ try {
+ $lr = new SimpleSAML_XML_SAML20_LogoutRequest($config, $metadata);
+ $req = $lr->generate($idpentityid, $spentityid, $nameId, $session->getSessionIndex(), 'IdP');
+ $httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
+ // $request, $localentityid, $remoteentityid, $relayState = null, $endpoint = 'SingleSignOnService', $direction = 'SAMLRequest', $mode = 'SP'
+ $url = $httpredirect->getRedirectURL($req, $idpentityid, $spentityid, NULL, 'SingleLogoutService', 'SAMLRequest', 'IdP');
+
+
+ $sparray[$spentityid] = array('url' => $url, 'name' => $name);
+
+ } catch (Exception $e) {
+
+ $sparrayNoLogout[$spentityid] = array('name' => $name);
+
+ }
+
+}
+
+
+SimpleSAML_Logger::debug('SAML2.0 - SP Counter. other SPs with SLO support (' . count($sparray) . ') without SLO support (' . count($sparrayNoLogout) . ')');
+
+
+#print_r($sparray);
+
+
+
+
+/*
+ * If the user is not logged into any other SPs.
+ */
+if (count($sparray) === 0) {
+ SimpleSAML_Utilities::redirect($relayState);
+ exit;
+}
+
+
+$et = new SimpleSAML_XHTML_Template($config, 'logout-iframe.php');
+
+$et->data['header'] = 'Logout';
+$et->data['sparray'] = $sparray;
+$et->data['sparrayNoLogout'] = $sparrayNoLogout;
+
+$et->data['logoutresponse'] = $relayState;
+$et->data['xajax'] = $xajax;
+
+#$et->data['idpInitRelayState'] = $relayState;
+
+# $et->data['requesterName'] = $spname;
+
+$et->data['head'] = $xajax->getJavascript();
+
+$et->show();
+
+exit(0);
+
+
+
+
+?>
\ No newline at end of file
--
GitLab