Commit a0172271 authored by Olav Morken's avatar Olav Morken

Changed SP SingleLogoutService & initSLO to use IDs from requests and responses.

This prevents the RelayState parameter from being passed to the IdP, and also
removes the length limitation some IdPs have on the RelayState parameter.


git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@543 44740490-163a-0410-bde0-09ae8108e29a
parent fb721702
...@@ -106,12 +106,17 @@ if (isset($_GET['SAMLRequest'])) { ...@@ -106,12 +106,17 @@ if (isset($_GET['SAMLRequest'])) {
SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $requester . ' ' . $responder); SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $requester . ' ' . $responder);
if (isset($_GET['RelayState'])) { $id = $logoutresponse->getInResponseTo();
SimpleSAML_Utilities::redirect($_GET['RelayState']); error_log('ID: ' . strlen($id) . ':' . $id);
} else { $returnTo = $session->getData('spLogoutReturnTo', $id);
error_log("returnTo: " . var_export($returnTo, TRUE));
if(empty($returnTo)) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE'); SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
} }
SimpleSAML_Utilities::redirect($returnTo);
} else { } else {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS'); SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS');
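Review bot: The two `error_log()` calls added right after `$id = $logoutresponse->getInResponseTo();` read as leftover debugging: on every logout response they write the InResponseTo ID and the full post-logout URL to the web server's error log, which bypasses the project's logging levels and puts a user-supplied URL into a log that usually has broader access and retention than the SAML logs. Either drop them or route them through the project logger at debug level, e.g. `SimpleSAML_Logger::debug('SAML2.0 - SP.SingleLogoutService: returnTo for ' . $id . ' is ' . var_export($returnTo, TRUE));`. The `error_log('Saved: ...')` line added in the initSLO hunk has the same problem. It also appears the `spLogoutReturnTo` entry is never removed from the session after the redirect, so a re-delivered response carrying the same InResponseTo would be accepted for the full 15-minute lifetime; clearing the entry once it has been consumed would make the ID single-use. The enclosing `if (isset($_GET['SAMLRequest'])) ... else` branch starts before the hunk.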
...@@ -19,6 +19,13 @@ SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: Accessing SAML 2.0 SP initSLO scr ...@@ -19,6 +19,13 @@ SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: Accessing SAML 2.0 SP initSLO scr
if (!$config->getValue('enable.saml20-sp', false)) if (!$config->getValue('enable.saml20-sp', false))
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS'); SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
if (isset($_REQUEST['RelayState'])) {
$returnTo = $_REQUEST['RelayState'];
} else {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
}
if (isset($session) ) { if (isset($session) ) {
...@@ -34,17 +41,17 @@ if (isset($session) ) { ...@@ -34,17 +41,17 @@ if (isset($session) ) {
*/ */
$lr = new SimpleSAML_XML_SAML20_LogoutRequest($config, $metadata); $lr = new SimpleSAML_XML_SAML20_LogoutRequest($config, $metadata);
$req = $lr->generate($spentityid, $idpentityid, $session->getNameID(), $session->getSessionIndex(), 'SP'); $req = $lr->generate($spentityid, $idpentityid, $session->getNameID(), $session->getSessionIndex(), 'SP');
/* Save the $returnTo url until the user returns from the IdP. */
$session->setData('spLogoutReturnTo', $lr->getGeneratedID(), 15*60, $returnTo);
error_log('Saved: "' . $lr->getGeneratedID() . '" => "' . $returnTo . '"');
$httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata); $httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
$relayState = SimpleSAML_Utilities::selfURL();
if (isset($_REQUEST['RelayState'])) {
$relayState = $_REQUEST['RelayState'];
}
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: SP (' . $spentityid . ') is sending logout request to IdP (' . $idpentityid . ')'); SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: SP (' . $spentityid . ') is sending logout request to IdP (' . $idpentityid . ')');
$httpredirect->sendMessage($req, $spentityid, $idpentityid, $relayState, 'SingleLogoutService', 'SAMLRequest', 'SP'); $httpredirect->sendMessage($req, $spentityid, $idpentityid, NULL, 'SingleLogoutService', 'SAMLRequest', 'SP');
} catch(Exception $exception) { } catch(Exception $exception) {
...@@ -53,12 +60,8 @@ if (isset($session) ) { ...@@ -53,12 +60,8 @@ if (isset($session) ) {
} else { } else {
if (!isset($_REQUEST['RelayState']))
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
$relaystate = $_REQUEST['RelayState'];
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User is already logged out. Go back to relaystate'); SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User is already logged out. Go back to relaystate');
SimpleSAML_Utilities::redirect($relaystate); SimpleSAML_Utilities::redirect($returnTo);
} }
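Review bot: `$returnTo` is taken verbatim from `$_REQUEST['RelayState']` in the new lines at the top of the file and is then used unchecked as a redirect target, both here (`SimpleSAML_Utilities::redirect($returnTo);`) and, via the `spLogoutReturnTo` session entry, in SingleLogoutService after the IdP round trip, so the SP still works as an open redirector for anyone who can get a user to follow a crafted initSLO link. Keying the value by request ID addresses the RelayState exposure and length issues named in the description, but it does not validate the URL itself. Before storing it, accept only a relative path or a URL whose scheme and host match the SP's own (or an administrator-configured list of allowed hosts), and fall back to `SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');` otherwise, so the stored value is always a destination this SP is willing to send users to. The `if (isset($session))` block enclosing the later hunks begins and ends outside the visible lines.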