From eb0b7b6f723a3a1915a3be16b39d4c14137d59f0 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 3 Aug 2009 12:49:19 +0000
Subject: [PATCH] sp/SingleLogoutService: Switch to SAML2 library.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1615 44740490-163a-0410-bde0-09ae8108e29a
---
 www/saml2/sp/SingleLogoutService.php | 106 ++++++++++-----------------
 1 file changed, 39 insertions(+), 67 deletions(-)

diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php
index e38daf959..fa382950e 100644
--- a/www/saml2/sp/SingleLogoutService.php
+++ b/www/saml2/sp/SingleLogoutService.php
@@ -17,96 +17,68 @@ if (!$config->getValue('enable.saml20-sp', false))
 // Destroy local session if exists.
-if (isset($session) ) {
- $session->doLogout();
- $session->clean();
-}
+$session->doLogout();
+$session->clean();
-# sleep(max(0, rand(-3,5))*5);
+$binding = SAML2_Binding::getCurrentBinding();
+$message = $binding->receive();
+$idpEntityId = $message->getIssuer();
+if ($idpEntityId === NULL) {
+ /* Without an issuer we have no way to respond to the message. */
+ throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.');
+}
-if (isset($_GET['SAMLRequest'])) {
+$spEntityId = $metadata->getMetaDataCurrentEntityId('saml20-sp-hosted');
- // Create a HTTPRedirect binding
- $binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
- try {
- // Decode the LogoutRequest using the HTTP Redirect binding.
- $logoutrequest = $binding->decodeLogoutRequest($_GET);
+$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
+$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-hosted');
- if ($binding->validateQuery($logoutrequest->getIssuer(),'SP')) {
- SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: Valid signature found for '.$requestid);
- }
+sspmod_saml2_Message::validateMessage($idpMetadata, $spMetadata, $message);
- // Extract some parameters from the logout request
- $requestid = $logoutrequest->getRequestID();
- $requester = $logoutrequest->getIssuer();
- $relayState = $logoutrequest->getRelayState();
-
- //$responder = $config->getValue('saml2-hosted-sp');
- $responder = $metadata->getMetaDataCurrentEntityID();
-
- SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: IdP (' . $requester . ') is sending logout request to me SP (' . $responder . ') requestid '.$requestid);
- SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $responder . ' ' .
$requester);
-
- // Create a logout response
- $lr = new SimpleSAML_XML_SAML20_LogoutResponse($config, $metadata);
- $logoutResponseXML = $lr->generate($responder, $requester, $requestid, 'SP');
-
-
- // Create a HTTP Redirect binding.
- $httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-
-
- SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: SP me (' . $responder . ') is sending logout response to IdP (' . $requester . ')');
-
- // Send the Logout response using HTTP POST binding.
- $httpredirect->sendMessage($logoutResponseXML, $responder, $requester, $logoutrequest->getRelayState(), 'SingleLogoutServiceResponse', 'SAMLResponse');
-
- } catch(Exception $exception) {
+if ($message instanceof SAML2_LogoutRequest) {
- SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception);
-
- }
+ try {
+ // Extract some parameters from the logout request
+ $requestid = $message->getId();
-} elseif(isset($_GET['SAMLResponse'])) {
+ SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: IdP (' . $idpEntityId .
+ ') is sending logout request to me SP (' . $spEntityId . ') requestid '.$requestid);
+ SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
- // Create a HTTPRedirect binding
- $binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-
- try {
- // Decode the LogoutResponse using the HTTP Redirect binding.
- $logoutresponse = $binding->decodeLogoutResponse($_GET);
+ /* Create response. */
+ $lr = sspmod_saml2_Message::buildLogoutResponse($spMetadata, $idpMetadata);
+ $lr->setRelayState($message->getRelayState());
+ $lr->setInResponseTo($message->getId());
- if ($binding->validateQuery($logoutresponse->getIssuer(),'SP','SAMLResponse')) {
- SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: Valid signature found');
- }
+ SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: SP me (' . $spEntityId . ') is sending logout response to IdP (' .
$idpEntityId . ')');
- } catch(Exception $exception) {
- SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTRESPONSE', $exception);
+ /* Send response. */
+ $binding = new SAML2_HTTPRedirect();
+ $binding->setDestination(sspmod_SAML2_Message::getDebugDestination());
+ $binding->send($lr);
+ } catch (Exception $exception) {
+ SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception);
 }
+} elseif ($message instanceof SAML2_LogoutResponse) {
- // Extract some parameters from the logout request
- #$requestid = $logoutrequest->getRequestID();
- $responder = $logoutresponse->getIssuer();
- #$relayState = $logoutrequest->getRelayState();
+ SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $spEntityId . ' ' . $idpEntityId);
- //$responder = $config->getValue('saml2-hosted-sp');
- $requester = $metadata->getMetaDataCurrentEntityID('saml20-sp-hosted');
-
- SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $requester . ' ' . $responder);
+ $id = $message->getRelayState();
+ if (empty($id)) {
+ /* For backwardscompatibility. */
+ $id = $message->getInResponseTo();
+ }
- $id = $logoutresponse->getInResponseTo();
 $returnTo = $session->getData('spLogoutReturnTo', $id);
-
- if(empty($returnTo)) {
+ if (empty($returnTo)) {
 SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTINFOLOST');
 }
 SimpleSAML_Utilities::redirect($returnTo);
 } else {
- SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS');
 }
-- 
GitLab
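Review bot: The local session is destroyed by `$session->doLogout(); $session->clean();` at the top of the hunk, before `$binding->receive()` and `sspmod_saml2_Message::validateMessage(...)` run, so any request that reaches this endpoint — including one that `validateMessage` would reject, or one that does not parse at all — still logs the user out; the two lines should move to just after the `validateMessage` call so that only a message accepted for this IdP/SP pair ends the session. Whether `$session->clean()` also discards the `spLogoutReturnTo` entry that the LogoutResponse branch reads later via `$session->getData(...)` is not visible here and is worth confirming. The destination call is spelled `sspmod_SAML2_Message::getDebugDestination()` while the rest of the hunk writes `sspmod_saml2_Message`; PHP resolves class names case-insensitively, but if the module autoloader derives a file path from the name, the upper-case form may fail to load on a case-sensitive filesystem, so `$binding->setDestination(sspmod_saml2_Message::getDebugDestination());` is the safer spelling. The LogoutResponse branch also redirects without inspecting the response status, so a non-success status from the IdP is treated as a completed logout and is not logged.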