diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php
index a5b230b3e62b27b52b11f215f3f636e4a1430e67..44b010183253f5488c94f29d64b1493e0a154245 100644
--- a/www/saml2/sp/SingleLogoutService.php
+++ b/www/saml2/sp/SingleLogoutService.php
@@ -106,12 +106,17 @@ if (isset($_GET['SAMLRequest'])) {
 SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $requester . ' ' . $responder);
-if (isset($_GET['RelayState'])) {
-SimpleSAML_Utilities::redirect($_GET['RelayState']);
-} else {
+$id = $logoutresponse->getInResponseTo();
+error_log('ID: ' . strlen($id) . ':' . $id);
+$returnTo = $session->getData('spLogoutReturnTo', $id);
+error_log("returnTo: " . var_export($returnTo, TRUE));
+
+if(empty($returnTo)) {
 SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
 }
+SimpleSAML_Utilities::redirect($returnTo);
+
 } else {
 SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS');
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
index fc72466284b6f76042cd3837293e9b607514727b..238dd7a8eedc55d423d4557c593a44371990f23b 100644
--- a/www/saml2/sp/initSLO.php
+++ b/www/saml2/sp/initSLO.php
@@ -19,6 +19,13 @@ SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: Accessing SAML 2.0 SP initSLO scr
 if (!$config->getValue('enable.saml20-sp', false)) SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
+
+if (isset($_REQUEST['RelayState'])) {
+$returnTo = $_REQUEST['RelayState'];
+} else {
+SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
+}
+
 if (isset($session) ) {
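Review bot: The two `error_log()` calls added around `$session->getData('spLogoutReturnTo', $id)` look like leftover debugging: they write the InResponseTo id and the full return URL — a value that originates from the user's request — to the server error log on every logout response, bypassing the `SimpleSAML_Logger` the rest of the file uses. Drop them, or reduce to one `SimpleSAML_Logger::debug('saml20-sp-SLO: returnTo=' . var_export($returnTo, TRUE));`; the `error_log('Saved: ...')` line in initSLO.php's second hunk has the same problem. It would also be worth removing the stored entry once it has been consumed so a second response carrying the same InResponseTo cannot reuse it — hedged, as the session API for deleting data is not visible here. The enclosing `if`/`else` around the SAMLResponse handling starts and ends outside the hunk.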
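Review bot: `$returnTo = $_REQUEST['RelayState'];` accepts the post-logout redirect target verbatim from the request, and it is later handed unchecked to `SimpleSAML_Utilities::redirect()` both in this file's last hunk and, via the session, in SingleLogoutService.php, so a link to initSLO built by a third party can send the user to an arbitrary external site after logout (open redirect). Validate it at this entry point — accept only a relative path or a URL whose `parse_url($returnTo, PHP_URL_HOST)` matches the SP's own host or a configured allowlist — and fall through to the existing NORELAYSTATE error otherwise. `isset()` also lets an empty string through, whereas the response handler rejects `$returnTo` with `empty()`; `if (!empty($_REQUEST['RelayState'])) {` keeps the two paths consistent. Reading `$_GET`/`$_POST` explicitly rather than `$_REQUEST` (which can include cookies depending on `request_order`) would make the source of the value clearer.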
@@ -34,17 +41,17 @@ if (isset($session) ) {
 */
 $lr = new SimpleSAML_XML_SAML20_LogoutRequest($config, $metadata);
 $req = $lr->generate($spentityid, $idpentityid, $session->getNameID(), $session->getSessionIndex(), 'SP');
+
+/* Save the $returnTo url until the user returns from the IdP. */
+$session->setData('spLogoutReturnTo', $lr->getGeneratedID(), 15*60, $returnTo);
+error_log('Saved: "' . $lr->getGeneratedID() . '" => "' . $returnTo . '"');
 $httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-$relayState = SimpleSAML_Utilities::selfURL();
-if (isset($_REQUEST['RelayState'])) {
-$relayState = $_REQUEST['RelayState'];
-}
 SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: SP (' . $spentityid . ') is sending logout request to IdP (' . $idpentityid . ')');
-$httpredirect->sendMessage($req, $spentityid, $idpentityid, $relayState, 'SingleLogoutService', 'SAMLRequest', 'SP');
+$httpredirect->sendMessage($req, $spentityid, $idpentityid, NULL, 'SingleLogoutService', 'SAMLRequest', 'SP');
 } catch(Exception $exception) {
@@ -53,12 +60,8 @@ if (isset($session) ) {
 } else {
-if (!isset($_REQUEST['RelayState']))
-SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
-
-$relaystate = $_REQUEST['RelayState'];
 SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User is already logged out. Go back to relaystate');
-SimpleSAML_Utilities::redirect($relaystate);
+SimpleSAML_Utilities::redirect($returnTo);
 }
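Review bot: The `15*60` lifetime passed to `$session->setData('spLogoutReturnTo', ...)` is an unexplained magic number, and the comment above it does not say what happens on expiry: a user who finishes at the IdP after that window returns to the NORELAYSTATE error in SingleLogoutService.php. Name it and document it, e.g. `$returnToLifetime = 15*60; /* seconds; the stored URL is gone after this and the SLO response fails with NORELAYSTATE */`, or fold that sentence into the existing `/* Save the $returnTo url ... */` comment. Passing `NULL` as the RelayState to `sendMessage()` is a deliberate change that a reader will not connect to the session entry without help; a one-line comment such as `/* No RelayState is sent to the IdP; the return URL is kept in the session keyed by the request ID. */` would do. The surrounding try block starts and ends outside the hunk.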
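Review bot: `SimpleSAML_Utilities::redirect($returnTo);` in the already-logged-out branch now relies on `$returnTo` having been assigned by the `isset($_REQUEST['RelayState'])` check at the top of the file, which is only safe if `SimpleSAML_Utilities::fatalError()` never returns; that helper's behaviour is not visible here, and if it can return this line redirects to an undefined variable. A short comment makes the dependency explicit: `/* $returnTo is set at the top of this script; fatalError() there never returns. */`. The enclosing `if (isset($session))`/`else` starts outside the hunk.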