From efd37879a707ffc6912033b8c757322c5aa838c9 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@surfnet.nl>
Date: Mon, 15 Feb 2010 19:18:18 +0000
Subject: [PATCH] add support in core IDP for association groups which are used
to share associations between SAML 2 and ADFS IDPs, to enable cross-protocol
single-logout (thanks Olav)
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2181 44740490-163a-0410-bde0-09ae8108e29a
---
lib/SimpleSAML/IdP.php | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/lib/SimpleSAML/IdP.php b/lib/SimpleSAML/IdP.php
index b7ab3bc1a..89b44f7e8 100644
--- a/lib/SimpleSAML/IdP.php
+++ b/lib/SimpleSAML/IdP.php
@@ -26,6 +26,17 @@ class SimpleSAML_IdP {
private $id;
+ /**
+ * The "association group" for this IdP.
+ *
+ * We use this to support cross-protocol logout until
+ * we implement a cross-protocol IdP.
+ *
+ * @var string
+ */
+ private $associationGroup;
+
+
/**
* The configuration for this IdP.
*
@@ -62,10 +73,23 @@ class SimpleSAML_IdP {
throw new SimpleSAML_Error_Exception('enable.adfs-idp disabled in config.php.');
}
$this->config = $metadata->getMetaDataConfig(substr($id, 5), 'adfs-idp-hosted');
+
+ try {
+ /* This makes the ADFS IdP use the same SP associations as the SAML 2.0 IdP. */
+ $saml2EntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+ $this->associationGroup = 'saml2:' . $saml2EntityId;
+
+ } catch (Exception $e) {
+ /* Probably no SAML 2 IdP configured for this host. Ignore the error. */
+ }
} else {
assert(FALSE);
}
+ if ($this->associationGroup === NULL) {
+ $this->associationGroup = $this->id;
+ }
+
}
@@ -157,7 +181,7 @@ class SimpleSAML_IdP {
assert('isset($association["Handler"])');
$session = SimpleSAML_Session::getInstance();
- $session->addAssociation($this->id, $association);
+ $session->addAssociation($this->associationGroup, $association);
}
@@ -169,7 +193,7 @@ class SimpleSAML_IdP {
public function getAssociations() {
$session = SimpleSAML_Session::getInstance();
- return $session->getAssociations($this->id);
+ return $session->getAssociations($this->associationGroup);
}
@@ -182,7 +206,7 @@ class SimpleSAML_IdP {
assert('is_string($assocId)');
$session = SimpleSAML_Session::getInstance();
- $session->terminateAssociation($this->id, $assocId);
+ $session->terminateAssociation($this->associationGroup, $assocId);
}
--
GitLab