sp/SingleLogoutService: Switch to SAML2 library.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1615 44740490-163a-0410-bde0-09ae8108e29a

sp/SingleLogoutService: Switch to SAML2 library.
eb0b7b6f · Olav Morken · b9aa63bc · eb0b7b6f
Commit eb0b7b6f authored 15 years ago by Olav Morken
--- a/www/saml2/sp/SingleLogoutService.php
+++ b/www/saml2/sp/SingleLogoutService.php
@@ -17,96 +17,68 @@ if (!$config->getValue('enable.saml20-sp', false))
 // Destroy local session if exists.
-if (isset($session) ) {
+$session->doLogout();
-	$session->doLogout();
+$session->clean();
-	$session->clean();
-}
-# sleep(max(0, rand(-3,5))*5);
+$binding = SAML2_Binding::getCurrentBinding();
+$message = $binding->receive();
+$idpEntityId = $message->getIssuer();
+if ($idpEntityId === NULL) {
+	/* Without an issuer we have no way to respond to the message. */
+	throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.');
+}
-if (isset($_GET['SAMLRequest'])) {
+$spEntityId = $metadata->getMetaDataCurrentEntityId('saml20-sp-hosted');
-	// Create a HTTPRedirect binding
+$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
-	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
+$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-hosted');
-	try {
-		// Decode the LogoutRequest using the HTTP Redirect binding.
-		$logoutrequest = $binding->decodeLogoutRequest($_GET);
-		if ($binding->validateQuery($logoutrequest->getIssuer(),'SP')) {
+sspmod_saml2_Message::validateMessage($idpMetadata, $spMetadata, $message);
-			SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: Valid signature found for '.$requestid);
-		}
-		// Extract some parameters from the logout request
+if ($message instanceof SAML2_LogoutRequest) {
-		$requestid = $logoutrequest->getRequestID();
-		$requester = $logoutrequest->getIssuer();
-		$relayState = $logoutrequest->getRelayState();
-		//$responder = $config->getValue('saml2-hosted-sp');
-		$responder = $metadata->getMetaDataCurrentEntityID();
-		SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: IdP (' . $requester . ') is sending logout request to me SP (' . $responder . ') requestid '.$requestid);
-		SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $responder . ' ' . $requester);
-		// Create a logout response
-		$lr = new SimpleSAML_XML_SAML20_LogoutResponse($config, $metadata);
-		$logoutResponseXML = $lr->generate($responder, $requester, $requestid, 'SP');
-		// Create a HTTP Redirect binding.
-		$httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-		SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: SP me (' . $responder . ') is sending logout response to IdP (' . $requester . ')');
-		// Send the Logout response using HTTP POST binding.
-		$httpredirect->sendMessage($logoutResponseXML, $responder, $requester, $logoutrequest->getRelayState(), 'SingleLogoutServiceResponse', 'SAMLResponse');
-	} catch(Exception $exception) {
-		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception);
+	try {
+		// Extract some parameters from the logout request
-	}
+		$requestid = $message->getId();
-} elseif(isset($_GET['SAMLResponse'])) {
+		SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: IdP (' . $idpEntityId .
+			') is sending logout request to me SP (' . $spEntityId . ') requestid '.$requestid);
+		SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
-	// Create a HTTPRedirect binding
+		/* Create response. */
-	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
+		$lr = sspmod_saml2_Message::buildLogoutResponse($spMetadata, $idpMetadata);
+		$lr->setRelayState($message->getRelayState());
-	try {
+		$lr->setInResponseTo($message->getId());
-		// Decode the LogoutResponse using the HTTP Redirect binding.
-		$logoutresponse = $binding->decodeLogoutResponse($_GET);
-		if ($binding->validateQuery($logoutresponse->getIssuer(),'SP','SAMLResponse')) {
+		SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: SP me (' . $spEntityId . ') is sending logout response to IdP (' . $idpEntityId . ')');
-			SimpleSAML_Logger::info('SAML2.0  - SP.SingleLogoutService: Valid signature found');
-		}
-	} catch(Exception $exception) {
+		/* Send response. */
-		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTRESPONSE', $exception);
+		$binding = new SAML2_HTTPRedirect();
+		$binding->setDestination(sspmod_SAML2_Message::getDebugDestination());
+		$binding->send($lr);
+	} catch (Exception $exception) {
+		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception);
 	}
+} elseif ($message instanceof SAML2_LogoutResponse) {
-	// Extract some parameters from the logout request
+	SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $spEntityId . ' ' . $idpEntityId);
-	#$requestid = $logoutrequest->getRequestID();
-	$responder = $logoutresponse->getIssuer();
-	#$relayState = $logoutrequest->getRelayState();
-	//$responder = $config->getValue('saml2-hosted-sp');
+	$id = $message->getRelayState();
-	$requester = $metadata->getMetaDataCurrentEntityID('saml20-sp-hosted');
+	if (empty($id)) {
+		/* For backwardscompatibility. */
-	SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $requester . ' ' . $responder);
+		$id = $message->getInResponseTo();
+	}
-	$id = $logoutresponse->getInResponseTo();
 	$returnTo = $session->getData('spLogoutReturnTo', $id);
+	if (empty($returnTo)) {
-	if(empty($returnTo)) {
 		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTINFOLOST');
 	}
 	SimpleSAML_Utilities::redirect($returnTo);
 } else {
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS');
 }