Commit f359bf1c authored by Olav Morken's avatar Olav Morken

saml:sp: Return partial logout when not logging out of all requested sessionindexes.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2672 44740490-163a-0410-bde0-09ae8108e29a
parent f11efad0
...@@ -194,7 +194,7 @@ class sspmod_saml_SP_LogoutStore { ...@@ -194,7 +194,7 @@ class sspmod_saml_SP_LogoutStore {
* @param string $authId The authsource ID. * @param string $authId The authsource ID.
* @param array $nameId The NameID of the user. * @param array $nameId The NameID of the user.
* @param array $sessionIndexes The SessionIndexes we should log out of. Logs out of all if this is empty. * @param array $sessionIndexes The SessionIndexes we should log out of. Logs out of all if this is empty.
* @returns bool TRUE if OK, FALSE if not supported. * @returns int|FALSE Number of sessions logged out, or FALSE if not supported.
*/ */
public static function logoutSessions($authId, array $nameId, array $sessionIndexes) { public static function logoutSessions($authId, array $nameId, array $sessionIndexes) {
assert('is_string($authId)'); assert('is_string($authId)');
...@@ -235,6 +235,7 @@ class sspmod_saml_SP_LogoutStore { ...@@ -235,6 +235,7 @@ class sspmod_saml_SP_LogoutStore {
$sessionHandler = SimpleSAML_SessionHandler::getSessionHandler(); $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler();
$numLoggedOut = 0;
foreach ($sessionIndexes as $sessionIndex) { foreach ($sessionIndexes as $sessionIndex) {
if (!isset($sessions[$sessionIndex])) { if (!isset($sessions[$sessionIndex])) {
SimpleSAML_Logger::info('saml.LogoutStore: Logout requested for unknown SessionIndex.'); SimpleSAML_Logger::info('saml.LogoutStore: Logout requested for unknown SessionIndex.');
...@@ -256,9 +257,10 @@ class sspmod_saml_SP_LogoutStore { ...@@ -256,9 +257,10 @@ class sspmod_saml_SP_LogoutStore {
SimpleSAML_Logger::info('saml.LogoutStore: Logging out of session with trackId [' . $session->getTrackId() . '].'); SimpleSAML_Logger::info('saml.LogoutStore: Logging out of session with trackId [' . $session->getTrackId() . '].');
$session->doLogout($authId); $session->doLogout($authId);
$numLoggedOut += 1;
} }
return TRUE; return $numLoggedOut;
} }
} }
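Review bot: The new return contract of `logoutSessions` makes 0 a valid result that is falsy yet means something different from FALSE (store not supported), and the docblock does not tell callers to keep the two apart. A caller that still tests the result with `!` or `==` would read "no sessions logged out" as "unsupported" and take its fallback path; the call site updated in this commit uses `=== FALSE`, but any other callers are not visible here. I would add a line to the docblock such as `Callers must test the result with === FALSE, because 0 is a valid count.` and spell the tag `@return int|FALSE`, the form phpDocumentor recognises. Most of the function body lies outside the shown hunks.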
...@@ -85,9 +85,11 @@ if ($message instanceof SAML2_LogoutResponse) { ...@@ -85,9 +85,11 @@ if ($message instanceof SAML2_LogoutResponse) {
$nameId = $message->getNameId(); $nameId = $message->getNameId();
$sessionIndexes = $message->getSessionIndexes(); $sessionIndexes = $message->getSessionIndexes();
if (!sspmod_saml_SP_LogoutStore::logoutSessions($sourceId, $nameId, $sessionIndexes)) { $numLoggedOut = sspmod_saml_SP_LogoutStore::logoutSessions($sourceId, $nameId, $sessionIndexes);
if ($numLoggedOut === FALSE) {
/* This type of logout was unsupported. Use the old method. */ /* This type of logout was unsupported. Use the old method. */
$source->handleLogout($idpEntityId); $source->handleLogout($idpEntityId);
$numLoggedOut = count($sessionIndexes);
} }
/* Create an send response. */ /* Create an send response. */
...@@ -95,6 +97,15 @@ if ($message instanceof SAML2_LogoutResponse) { ...@@ -95,6 +97,15 @@ if ($message instanceof SAML2_LogoutResponse) {
$lr->setRelayState($message->getRelayState()); $lr->setRelayState($message->getRelayState());
$lr->setInResponseTo($message->getId()); $lr->setInResponseTo($message->getId());
/* We should return a partial logout if we were unable to log out of all the given session(s). */
if ($numLoggedOut < count($sessionIndexes)) {
$lr->setStatus(array(
'Code' => SAML2_Const::STATUS_SUCCESS,
'SubCode' => SAML2_Const::STATUS_PARTIAL_LOGOUT,
'Message' => 'Logged out of ' . $numLoggedOut . ' of ' . count($sessionIndexes) . ' sessions.'
));
}
$binding->send($lr); $binding->send($lr);
} else { } else {
throw new SimpleSAML_Error_BadRequest('Unknown message received on logout endpoint: ' . get_class($message)); throw new SimpleSAML_Error_BadRequest('Unknown message received on logout endpoint: ' . get_class($message));
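Review bot: In the fallback branch, `$numLoggedOut = count($sessionIndexes);` assumes that `handleLogout()` ended every requested session, so on this path the response can never carry the partial-logout sub-status. The IdP reads a plain Success as confirmation that the sessions are gone, so the assumption deserves a comment at that line, for example `/* handleLogout() reports no per-session result; assume all requested sessions were logged out. */`. Whether `handleLogout()` can leave a session alive without signalling it is not visible in this hunk. The enclosing `if`/`else` chain starts above the hunk.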
......