From b64ad1db9fe6a8ecf30a139e259a6d5f6c06bed9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Mon, 24 Apr 2017 16:49:17 +0200
Subject: [PATCH] Make logout a bit easier.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

First, there’s no reason to obtain the logout URLs only when logout was initiated. If we get them always, we allow templates to do fancy things like using javascript to do everything on the fly, without going through the script, by dynamically loading the iframes.

Second, we should always check the associations against the ones registered in the session. That way, we can log SPs out individually, and if we refresh the page after that, they will still be marked as logged out.
---
 modules/core/www/idp/logout-iframe.php | 33 ++++++++++----------------
 1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/modules/core/www/idp/logout-iframe.php b/modules/core/www/idp/logout-iframe.php
index f2b24d1b4..68c0f8187 100644
--- a/modules/core/www/idp/logout-iframe.php
+++ b/modules/core/www/idp/logout-iframe.php
@@ -23,8 +23,6 @@ $idp = SimpleSAML_IdP::getByState($state);
 $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 
 if ($type !== 'init') { // update association state
-    $associations = $idp->getAssociations();
-
     foreach ($state['core:Logout-IFrame:Associations'] as $assocId => &$sp) {
         $spId = sha1($assocId);
 
@@ -48,11 +46,6 @@ if ($type !== 'init') { // update association state
             }
         }
 
-        // in case we are refreshing a page
-        if (!isset($associations[$assocId])) {
-            $sp['core:Logout-IFrame:State'] = 'completed';
-        }
-
         // update the IdP
         if ($sp['core:Logout-IFrame:State'] === 'completed') {
             $idp->terminateAssociation($assocId);
@@ -70,20 +63,19 @@ if ($type !== 'init') { // update association state
     }
 }
 
-if ($type === 'js' || $type === 'nojs') {
-    foreach ($state['core:Logout-IFrame:Associations'] as $assocId => &$sp) {
-        if ($sp['core:Logout-IFrame:State'] !== 'inprogress') {
-            // this SP isn't logging out
-            continue;
-        }
+$associations = $idp->getAssociations();
+foreach ($state['core:Logout-IFrame:Associations'] as $assocId => &$sp) {
+    // in case we are refreshing a page
+    if (!isset($associations[$assocId])) {
+        $sp['core:Logout-IFrame:State'] = 'completed';
+    }
 
-        try {
-            $assocIdP = SimpleSAML_IdP::getByState($sp);
-            $url = call_user_func(array($sp['Handler'], 'getLogoutURL'), $assocIdP, $sp, null);
-            $sp['core:Logout-IFrame:URL'] = $url;
-        } catch (Exception $e) {
-            $sp['core:Logout-IFrame:State'] = 'failed';
-        }
+    try {
+        $assocIdP = SimpleSAML_IdP::getByState($sp);
+        $url = call_user_func(array($sp['Handler'], 'getLogoutURL'), $assocIdP, $sp, null);
+        $sp['core:Logout-IFrame:URL'] = $url;
+    } catch (Exception $e) {
+        $sp['core:Logout-IFrame:State'] = 'failed';
     }
 }
 
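Review bot: The `catch` in the new unconditional loop can overwrite a state that was just set to `completed`: with the old `!== 'inprogress'` skip removed, `getLogoutURL` is now also called for SPs that have already finished or that the refresh check directly above marked as completed, and any exception flips them to `failed`. If a handler can throw for an association that is no longer registered (not visible in this hunk), the page would report a failed logout for an SP session that is in fact gone, which makes the single-logout status shown to the user unreliable. I would skip finished SPs right after the refresh check, `if ($sp['core:Logout-IFrame:State'] === 'completed') { continue; }`, and keep the URL lookup for the remaining states. The exception is also discarded silently; logging `$e->getMessage()` in the `catch` would make logout failures diagnosable. Because `$sp` is bound by reference, an `unset($sp);` after the loop would keep a later write to `$sp` from altering the last association.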
@@ -105,6 +97,7 @@ foreach ($state['core:Logout-IFrame:Associations'] as $association) {
     if (substr($association['id'], 0, 4) === 'adfs') {
         $mdset = 'adfs-sp-remote';
     }
+
     $remaining[$key] = array(
         'id' => $association['id'],
         'expires_on' => $association['Expires'],
-- 
GitLab