public void sendLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
      throws SAMLException, MetadataProviderException, MessageEncodingException {

    // If no user is logged in we do not initialize the protocol.
    if (credential == null) {
      return;
    }

    IDPSSODescriptor idpDescriptor = (IDPSSODescriptor) context.getPeerEntityRoleMetadata();
    SPSSODescriptor spDescriptor = (SPSSODescriptor) context.getLocalEntityRoleMetadata();
    String binding = SAMLUtil.getLogoutBinding(idpDescriptor, spDescriptor);

    SingleLogoutService logoutServiceIDP =
        SAMLUtil.getLogoutServiceForBinding(idpDescriptor, binding);
    LogoutRequest logoutRequest = getLogoutRequest(context, credential, logoutServiceIDP);

    context.setCommunicationProfileId(getProfileIdentifier());
    context.setOutboundMessage(logoutRequest);
    context.setOutboundSAMLMessage(logoutRequest);
    context.setPeerEntityEndpoint(logoutServiceIDP);

    boolean signMessage = context.getPeerExtendedMetadata().isRequireLogoutRequestSigned();
    sendMessage(context, signMessage);

    SAMLMessageStorage messageStorage = context.getMessageStorage();
    if (messageStorage != null) {
      messageStorage.storeMessage(logoutRequest.getID(), logoutRequest);
    }
  }
  /**
   * This method handles the logout requests from the IdP Any request for the defined logout URL is
   * handled here
   *
   * @param request
   * @throws javax.servlet.ServletException
   * @throws IOException
   */
  public void doSLO(HttpServletRequest request) throws SAMLSSOException {

    doBootstrap();
    XMLObject samlObject = null;
    if (request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ) != null) {
      samlObject =
          unmarshall(
              new String(
                  Base64.decode(
                      request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ))));
    }
    if (samlObject == null) {
      samlObject =
          unmarshall(
              new String(
                  Base64.decode(request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_RESP))));
    }
    if (samlObject instanceof LogoutRequest) {
      LogoutRequest logoutRequest = (LogoutRequest) samlObject;
      String sessionIndex = logoutRequest.getSessionIndexes().get(0).getSessionIndex();
    } else if (samlObject instanceof LogoutResponse) {
      request.getSession().invalidate();
    } else {
      throw new SAMLSSOException("Invalid Single Logout SAML Request");
    }
  }
 @Test
 public void testBuildLogoutRequest() throws Exception {
   String logoutUrl = "http://logoutUrl";
   String spId = "cloudstack";
   String nameId = "_12345";
   LogoutRequest req = SAMLUtils.buildLogoutRequest(logoutUrl, spId, nameId);
   assertEquals(req.getDestination(), logoutUrl);
   assertEquals(req.getIssuer().getValue(), spId);
 }
  protected LogoutRequest buildLogoutRequest(String user, String sessionIdx)
      throws SSOAgentException {

    LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject();

    logoutReq.setID(SSOAgentUtils.createID());
    logoutReq.setDestination(ssoAgentConfig.getSAML2().getIdPURL());

    DateTime issueInstant = new DateTime();
    logoutReq.setIssueInstant(issueInstant);
    logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));

    IssuerBuilder issuerBuilder = new IssuerBuilder();
    Issuer issuer = issuerBuilder.buildObject();
    issuer.setValue(ssoAgentConfig.getSAML2().getSPEntityId());
    logoutReq.setIssuer(issuer);

    NameID nameId = new NameIDBuilder().buildObject();
    nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
    nameId.setValue(user);
    logoutReq.setNameID(nameId);

    SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
    sessionIndex.setSessionIndex(sessionIdx);
    logoutReq.getSessionIndexes().add(sessionIndex);

    logoutReq.setReason("Single Logout");

    return logoutReq;
  }
 protected NameID getNameID(SAMLMessageContext context, LogoutRequest request)
     throws DecryptionException {
   NameID id;
   if (request.getEncryptedID() != null) {
     Assert.notNull(
         context.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context");
     id = (NameID) context.getLocalDecrypter().decrypt(request.getEncryptedID());
   } else {
     id = request.getNameID();
   }
   return id;
 }
  /**
   * This method handles the logout requests from the IdP Any request for the defined logout URL is
   * handled here
   *
   * @param request
   * @throws javax.servlet.ServletException
   * @throws IOException
   */
  public void doSLO(HttpServletRequest request) throws SSOAgentException {

    XMLObject saml2Object = null;
    if (request.getParameter(SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_AUTH_REQ) != null) {
      saml2Object =
          SSOAgentUtils.unmarshall(
              new String(
                  Base64.decode(
                      request.getParameter(
                          SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_AUTH_REQ)),
                  Charset.forName("UTF-8")));
    }
    if (saml2Object == null) {
      saml2Object =
          SSOAgentUtils.unmarshall(
              new String(
                  Base64.decode(
                      request.getParameter(SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_RESP)),
                  Charset.forName("UTF-8")));
    }
    if (saml2Object instanceof LogoutRequest) {
      LogoutRequest logoutRequest = (LogoutRequest) saml2Object;
      String sessionIndex = logoutRequest.getSessionIndexes().get(0).getSessionIndex();
      Set<HttpSession> sessions = SSOAgentSessionManager.invalidateAllSessions(sessionIndex);
      for (HttpSession session : sessions) {
        session.invalidate();
      }
    } else if (saml2Object instanceof LogoutResponse) {
      if (request.getSession(false) != null) {
        /**
         * Not invalidating session explicitly since there may be other listeners still waiting to
         * get triggered and at the end of the chain session needs to be invalidated by the system
         */
        Set<HttpSession> sessions =
            SSOAgentSessionManager.invalidateAllSessions(request.getSession(false));
        for (HttpSession session : sessions) {
          try {
            session.invalidate();
          } catch (IllegalStateException ignore) {

            if (log.isDebugEnabled()) {
              log.debug("Ignoring exception : ", ignore);
            }
            // ignore
            // session is already invalidated
          }
        }
      }
    } else {
      throw new SSOAgentException("Invalid SAML2 Single Logout Request/Response");
    }
  }
  private OMElement handleSLORequest(MessageContext messageContext, LogoutRequest logoutRequest) {

    // Get the session index from the SLORequest and remove the relevant session.
    String sessionIndex = logoutRequest.getSessionIndexes().get(0).getSessionIndex();

    String sessionId = CacheManager.getInstance().getSessionIndexMappingCache().get(sessionIndex);

    if (sessionId != null) {
      GatewayUtils.logWithRequestInfo(
          log,
          messageContext,
          String.format(
              "Found a session id (md5 : '%s')for the given session index in the SLO request: '%s'. Clearing the session",
              GatewayUtils.getMD5Hash(sessionId), sessionIndex));
      SessionStore.getInstance().removeSession(sessionId);
      CacheManager.getInstance().getSessionIndexMappingCache().remove(sessionIndex);
    } else {
      GatewayUtils.logWithRequestInfo(
          log,
          messageContext,
          String.format(
              "Couldn't find a session id for the given session index : '%s'", sessionIndex));
    }

    OMFactory fac = OMAbstractFactory.getOMFactory();
    OMNamespace ns = fac.createOMNamespace("http://wso2.org/appm", "appm");
    OMElement payload = fac.createOMElement("SLOResponse", ns);

    OMElement errorMessage = fac.createOMElement("message", ns);
    errorMessage.setText("SLORequest has been successfully processed by WSO2 App Manager");

    payload.addChild(errorMessage);

    return payload;
  }
  /**
   * Applies the XML Digital Signature to the SAML 2.0 based Logout Request (LogoutRequest).
   *
   * @param logoutRequest the SAML 2.0 based Logout Request (LogoutRequest)
   * @param signatureAlgorithm the algorithm used to compute the signature
   * @param credential the signature signing credential
   * @return the SAML 2.0 based Logout Request (LogoutRequest) with XML Digital Signature set
   * @throws SSOException if an error occurs while signing the SAML 2.0 LogoutRequest message
   */
  protected static LogoutRequest setSignature(
      LogoutRequest logoutRequest, String signatureAlgorithm, X509Credential credential)
      throws SSOException {
    try {
      Signature signature = setSignatureRaw(signatureAlgorithm, credential);
      logoutRequest.setSignature(signature);

      List<Signature> signatureList = new ArrayList<>();
      signatureList.add(signature);

      // Marshall and Sign
      MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory();
      Marshaller marshaller = marshallerFactory.getMarshaller(logoutRequest);
      marshaller.marshall(logoutRequest);

      //  Initializes and configures the library
      Init.init();
      //  Signer is responsible for creating the digital signatures for the given XML Objects.
      //  Signs the XML Objects based on the given order of the Signature list
      Signer.signObjects(signatureList);
      return logoutRequest;
    } catch (MarshallingException | SignatureException e) {
      throw new SSOException("Error while signing the SAML 2.0 based LogoutRequest message", e);
    }
  }
  private LogoutRequest buildLogoutRequest(
      String user,
      String sessionIndexStr,
      String idpUrl,
      String nameQualifier,
      String spNameQualifier)
      throws SAMLSSOException {

    LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject();

    logoutReq.setID(SSOUtils.createID());
    logoutReq.setDestination(idpUrl);

    DateTime issueInstant = new DateTime();
    logoutReq.setIssueInstant(issueInstant);
    logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));

    IssuerBuilder issuerBuilder = new IssuerBuilder();
    Issuer issuer = issuerBuilder.buildObject();

    String spEntityId =
        properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);

    if (spEntityId != null && !spEntityId.isEmpty()) {
      issuer.setValue(spEntityId);
    } else {
      issuer.setValue("carbonServer");
    }

    logoutReq.setIssuer(issuer);

    NameID nameId = new NameIDBuilder().buildObject();
    nameId.setFormat(NameIDType.UNSPECIFIED);
    nameId.setValue(user);
    nameId.setNameQualifier(nameQualifier);
    nameId.setSPNameQualifier(spNameQualifier);
    logoutReq.setNameID(nameId);

    SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();

    if (sessionIndexStr != null) {
      sessionIndex.setSessionIndex(sessionIndexStr);
    } else {
      sessionIndex.setSessionIndex(UUID.randomUUID().toString());
    }

    logoutReq.getSessionIndexes().add(sessionIndex);
    logoutReq.setReason("Single Logout");

    return logoutReq;
  }
  /**
   * Returns logout request message ready to be sent to the IDP.
   *
   * @param context message context
   * @param credential information about assertions used to log current user in
   * @param bindingService service used to deliver the request
   * @return logoutRequest to be sent to IDP
   * @throws SAMLException error creating the message
   * @throws MetadataProviderException error retrieving metadata
   */
  protected LogoutRequest getLogoutRequest(
      SAMLMessageContext context, SAMLCredential credential, Endpoint bindingService)
      throws SAMLException, MetadataProviderException {

    SAMLObjectBuilder<LogoutRequest> builder =
        (SAMLObjectBuilder<LogoutRequest>)
            builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME);
    LogoutRequest request = builder.buildObject();
    buildCommonAttributes(context.getLocalEntityId(), request, bindingService);

    // Add session indexes
    SAMLObjectBuilder<SessionIndex> sessionIndexBuilder =
        (SAMLObjectBuilder<SessionIndex>)
            builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME);
    for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
      SessionIndex index = sessionIndexBuilder.buildObject();
      index.setSessionIndex(statement.getSessionIndex());
      request.getSessionIndexes().add(index);
    }

    if (request.getSessionIndexes().size() == 0) {
      throw new SAMLException("No session indexes to logout user for were found");
    }

    SAMLObjectBuilder<NameID> nameIDBuilder =
        (SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
    NameID nameID = nameIDBuilder.buildObject();
    nameID.setFormat(credential.getNameID().getFormat());
    nameID.setNameQualifier(credential.getNameID().getNameQualifier());
    nameID.setSPNameQualifier(credential.getNameID().getSPNameQualifier());
    nameID.setSPProvidedID(credential.getNameID().getSPProvidedID());
    nameID.setValue(credential.getNameID().getValue());
    request.setNameID(nameID);

    return request;
  }
Example #11
0
  /**
   * Sign the SAML AuthnRequest message
   *
   * @param logoutRequest
   * @param signatureAlgorithm
   * @param cred
   * @return
   * @throws SAMLSSOException
   */
  public static LogoutRequest setSignature(
      LogoutRequest logoutRequest, String signatureAlgorithm, X509Credential cred)
      throws SAMLSSOException {
    try {
      Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
      signature.setSigningCredential(cred);
      signature.setSignatureAlgorithm(signatureAlgorithm);
      signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

      try {
        KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
        X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
        org.opensaml.xml.signature.X509Certificate cert =
            (org.opensaml.xml.signature.X509Certificate)
                buildXMLObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME);
        String value =
            org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
        cert.setValue(value);
        data.getX509Certificates().add(cert);
        keyInfo.getX509Datas().add(data);
        signature.setKeyInfo(keyInfo);
      } catch (CertificateEncodingException e) {
        throw new SAMLSSOException("Error getting certificate", e);
      }

      logoutRequest.setSignature(signature);

      List<Signature> signatureList = new ArrayList<Signature>();
      signatureList.add(signature);

      // Marshall and Sign
      MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory();
      Marshaller marshaller = marshallerFactory.getMarshaller(logoutRequest);

      marshaller.marshall(logoutRequest);

      org.apache.xml.security.Init.init();
      Signer.signObjects(signatureList);
      return logoutRequest;

    } catch (Exception e) {
      throw new SAMLSSOException("Error while signing the Logout Request message", e);
    }
  }
  /**
   * @param logoutRequest
   * @param sessionId
   * @param queryString
   * @return
   * @throws IdentityException
   */
  public SAMLSSOReqValidationResponseDTO process(
      LogoutRequest logoutRequest, String sessionId, String queryString) throws IdentityException {

    try {
      SAMLSSOReqValidationResponseDTO reqValidationResponseDTO =
          new SAMLSSOReqValidationResponseDTO();
      reqValidationResponseDTO.setLogOutReq(true);

      String subject = null;
      String issuer = null;
      String defaultSigningAlgoUri = IdentityApplicationManagementUtil.getSigningAlgoURIByConfig();
      String defaultDigestAlgoUri = IdentityApplicationManagementUtil.getDigestAlgoURIByConfig();

      // Get the sessions from the SessionPersistenceManager and prepare
      // the logout responses
      SSOSessionPersistenceManager ssoSessionPersistenceManager =
          SSOSessionPersistenceManager.getPersistenceManager();
      if (StringUtils.isBlank(sessionId)) {
        String message = "Session was already Expired";
        log.error(message);
        return buildErrorResponse(
            logoutRequest.getID(),
            SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
            message,
            logoutRequest.getDestination(),
            defaultSigningAlgoUri,
            defaultDigestAlgoUri);
      }
      String sessionIndex = ssoSessionPersistenceManager.getSessionIndexFromTokenId(sessionId);

      if (StringUtils.isBlank(sessionId)) {
        String message = "Session index value not found in the request";
        log.error(message);
        reqValidationResponseDTO =
            buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                null,
                defaultSigningAlgoUri,
                defaultDigestAlgoUri);
        reqValidationResponseDTO.setLogoutFromAuthFramework(true);
        return reqValidationResponseDTO;
      }
      // Only if the logout request is received.
      if (logoutRequest != null) {
        if (logoutRequest.getIssuer() == null) {
          String message = "Issuer should be mentioned in the Logout Request";
          log.error(message);
          return buildErrorResponse(
              logoutRequest.getID(),
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              message,
              logoutRequest.getDestination(),
              defaultSigningAlgoUri,
              defaultDigestAlgoUri);
        }

        // TODO : Check for BaseID and EncryptedID as well.
        if (logoutRequest.getNameID() != null) {
          NameID nameID = logoutRequest.getNameID();
          subject = nameID.getValue();
        } else {
          String message = "Subject Name should be specified in the Logout Request";
          log.error(message);
          return buildErrorResponse(
              logoutRequest.getID(),
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              message,
              logoutRequest.getDestination(),
              defaultSigningAlgoUri,
              defaultDigestAlgoUri);
        }

        if (logoutRequest.getSessionIndexes() == null) {
          String message = "At least one Session Index should be present in the Logout Request";
          log.error(message);
          return buildErrorResponse(
              logoutRequest.getID(),
              SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
              message,
              logoutRequest.getDestination(),
              defaultSigningAlgoUri,
              defaultDigestAlgoUri);
        }

        SessionInfoData sessionInfoData = ssoSessionPersistenceManager.getSessionInfo(sessionIndex);

        if (sessionInfoData == null) {
          String message = "No Established Sessions corresponding to Session Indexes provided.";
          log.error(message);
          reqValidationResponseDTO =
              buildErrorResponse(
                  logoutRequest.getID(),
                  SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                  message,
                  null,
                  defaultSigningAlgoUri,
                  defaultDigestAlgoUri);
          reqValidationResponseDTO.setLogoutFromAuthFramework(true);
          return reqValidationResponseDTO;
        }

        issuer = logoutRequest.getIssuer().getValue();

        if (issuer.contains("@")) {
          String tenantDomain = issuer.substring(issuer.lastIndexOf('@') + 1);
          issuer = issuer.substring(0, issuer.lastIndexOf('@'));
          if (StringUtils.isNotEmpty(tenantDomain) && StringUtils.isNotEmpty(issuer)) {
            SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain);
            if (log.isDebugEnabled()) {
              log.debug(
                  "Tenant Domain :"
                      + " "
                      + tenantDomain
                      + " "
                      + "&"
                      + " "
                      + "Issuer name :"
                      + issuer
                      + " "
                      + "has being spilt");
            }
          } else {
            SAMLSSOServiceProviderDO serviceProvider =
                sessionInfoData.getServiceProviderList().get(issuer);
            if (serviceProvider != null) {
              SAMLSSOUtil.setTenantDomainInThreadLocal(
                  sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain());
            } else {
              throw new IdentityException(
                  "Service provider :" + issuer + " does not exist in session " + "info data.");
            }
          }
        } else {
          SAMLSSOServiceProviderDO serviceProvider =
              sessionInfoData.getServiceProviderList().get(issuer);
          if (serviceProvider != null) {
            SAMLSSOUtil.setTenantDomainInThreadLocal(
                sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain());
          } else {
            throw new IdentityException(
                "Service provider :" + issuer + " does not exist in session info " + "data.");
          }
        }
        subject = sessionInfoData.getSubject(issuer);

        Map<String, SAMLSSOServiceProviderDO> sessionsList =
            sessionInfoData.getServiceProviderList();
        SAMLSSOServiceProviderDO logoutReqIssuer = sessionsList.get(issuer);

        if (logoutReqIssuer.isDoSingleLogout()) {
          // validate session index
          SessionIndex requestSessionIndex =
              logoutRequest.getSessionIndexes().size() > 0
                  ? logoutRequest.getSessionIndexes().get(0)
                  : null;

          if (requestSessionIndex == null
              || !sessionIndex.equals(requestSessionIndex.getSessionIndex())) {
            String message =
                "Session Index validation for Logout Request failed. "
                    + "Received: ["
                    + (requestSessionIndex == null ? "null" : requestSessionIndex.getSessionIndex())
                    + "]."
                    + " Expected: ["
                    + sessionIndex
                    + "]";
            log.error(message);
            return buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                logoutRequest.getDestination(),
                logoutReqIssuer.getSigningAlgorithmUri(),
                logoutReqIssuer.getDigestAlgorithmUri());
          }
        }

        if (logoutReqIssuer.isDoValidateSignatureInRequests()) {

          // Validate 'Destination'
          List<String> idpUrlSet =
              SAMLSSOUtil.getDestinationFromTenantDomain(
                  SAMLSSOUtil.getTenantDomainFromThreadLocal());

          if (logoutRequest.getDestination() == null
              || !idpUrlSet.contains(logoutRequest.getDestination())) {
            String message =
                "Destination validation for Logout Request failed. "
                    + "Received: ["
                    + logoutRequest.getDestination()
                    + "]."
                    + " Expected: ["
                    + StringUtils.join(idpUrlSet, ',')
                    + "]";
            log.error(message);
            return buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                logoutRequest.getDestination(),
                logoutReqIssuer.getSigningAlgorithmUri(),
                logoutReqIssuer.getDigestAlgorithmUri());
          }

          // Validate Signature
          boolean isSignatureValid =
              SAMLSSOUtil.validateLogoutRequestSignature(
                  logoutRequest, logoutReqIssuer.getCertAlias(), subject, queryString);
          if (!isSignatureValid) {
            String message = "Signature validation for Logout Request failed";
            log.error(message);
            return buildErrorResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                message,
                logoutRequest.getDestination(),
                logoutReqIssuer.getSigningAlgorithmUri(),
                logoutReqIssuer.getDigestAlgorithmUri());
          }
        }

        SingleLogoutMessageBuilder logoutMsgBuilder = new SingleLogoutMessageBuilder();
        Map<String, String> rpSessionsList = sessionInfoData.getRPSessionsList();
        List<SingleLogoutRequestDTO> singleLogoutReqDTOs = new ArrayList<SingleLogoutRequestDTO>();

        for (Map.Entry<String, SAMLSSOServiceProviderDO> entry : sessionsList.entrySet()) {
          String key = entry.getKey();
          SAMLSSOServiceProviderDO value = entry.getValue();

          if (!key.equals(issuer)) {
            SingleLogoutRequestDTO logoutReqDTO = new SingleLogoutRequestDTO();
            if (StringUtils.isNotBlank(value.getSloRequestURL())) {
              logoutReqDTO.setAssertionConsumerURL(value.getSloRequestURL());
            } else if (StringUtils.isNotBlank(value.getSloResponseURL())) {
              logoutReqDTO.setAssertionConsumerURL(value.getSloResponseURL());
            } else {
              logoutReqDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl());
            }

            LogoutRequest logoutReq =
                logoutMsgBuilder.buildLogoutRequest(
                    sessionInfoData.getSubject(key),
                    sessionIndex,
                    SAMLSSOConstants.SingleLogoutCodes.LOGOUT_USER,
                    logoutReqDTO.getAssertionConsumerURL(),
                    value.getNameIDFormat(),
                    value.getTenantDomain(),
                    value.getSigningAlgorithmUri(),
                    value.getDigestAlgorithmUri());
            String logoutReqString = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutReq));
            logoutReqDTO.setLogoutResponse(logoutReqString);
            logoutReqDTO.setRpSessionId(rpSessionsList.get(key));
            singleLogoutReqDTOs.add(logoutReqDTO);
          } else {
            reqValidationResponseDTO.setIssuer(value.getIssuer());
            reqValidationResponseDTO.setDoSignResponse(value.isDoSignResponse());
            reqValidationResponseDTO.setSigningAlgorithmUri(value.getSigningAlgorithmUri());
            reqValidationResponseDTO.setDigestAlgorithmUri(value.getDigestAlgorithmUri());
            if (StringUtils.isNotBlank(value.getSloResponseURL())) {
              reqValidationResponseDTO.setAssertionConsumerURL(value.getSloResponseURL());
            } else {
              reqValidationResponseDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl());
            }
          }
        }

        reqValidationResponseDTO.setLogoutRespDTO(
            singleLogoutReqDTOs.toArray(new SingleLogoutRequestDTO[singleLogoutReqDTOs.size()]));

        LogoutResponse logoutResponse =
            logoutMsgBuilder.buildLogoutResponse(
                logoutRequest.getID(),
                SAMLSSOConstants.StatusCodes.SUCCESS_CODE,
                null,
                reqValidationResponseDTO.getAssertionConsumerURL(),
                reqValidationResponseDTO.isDoSignResponse(),
                SAMLSSOUtil.getTenantDomainFromThreadLocal(),
                reqValidationResponseDTO.getSigningAlgorithmUri(),
                reqValidationResponseDTO.getDigestAlgorithmUri());

        reqValidationResponseDTO.setLogoutResponse(
            SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutResponse)));
        reqValidationResponseDTO.setValid(true);
      }

      return reqValidationResponseDTO;
    } catch (UserStoreException | IdentityException e) {
      throw new IdentityException("Error Processing the Logout Request", e);
    }
  }
  public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
      throws SAMLException, MetadataProviderException, MessageEncodingException {

    SAMLObject message = context.getInboundSAMLMessage();

    // Verify type
    if (message == null || !(message instanceof LogoutRequest)) {
      log.warn("Received request is not of a LogoutRequest object type");
      throw new SAMLException("Error validating SAML request");
    }

    LogoutRequest logoutRequest = (LogoutRequest) message;

    // Make sure request was authenticated if required, authentication is done as part of the
    // binding processing
    if (!context.isInboundSAMLMessageAuthenticated()
        && context.getLocalExtendedMetadata().isRequireLogoutRequestSigned()) {
      log.warn(
          "Logout Request object is required to be signed by the entity policy: "
              + context.getInboundSAMLMessageId());
      Status status = getStatus(StatusCode.REQUEST_DENIED_URI, "Message signature is required");
      sendLogoutResponse(status, context);
      return false;
    }

    try {
      // Verify destination
      verifyEndpoint(context.getLocalEntityEndpoint(), logoutRequest.getDestination());
    } catch (SAMLException e) {
      log.warn(
          "Destination of the request {} does not match any singleLogout endpoint",
          logoutRequest.getDestination());
      Status status =
          getStatus(StatusCode.REQUEST_DENIED_URI, "Destination URL of the request is invalid");
      sendLogoutResponse(status, context);
      return false;
    }

    // Verify issuer
    if (logoutRequest.getIssuer() != null) {
      try {
        Issuer issuer = logoutRequest.getIssuer();
        verifyIssuer(issuer, context);
      } catch (SAMLException e) {
        log.warn(
            "Response issue time is either too old or with date in the future, id {}",
            context.getInboundSAMLMessageId());
        Status status =
            getStatus(StatusCode.REQUEST_DENIED_URI, "Issuer of the message is unknown");
        sendLogoutResponse(status, context);
        return false;
      }
    }

    // Verify issue time
    DateTime time = logoutRequest.getIssueInstant();
    if (!isDateTimeSkewValid(getResponseSkew(), time)) {
      log.warn(
          "Response issue time is either too old or with date in the future, id {}.",
          context.getInboundSAMLMessageId());
      Status status =
          getStatus(StatusCode.REQUESTER_URI, "Message has been issued too long time ago");
      sendLogoutResponse(status, context);
      return false;
    }

    // Check whether any user is logged in
    if (credential == null) {
      Status status = getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "No user is logged in");
      sendLogoutResponse(status, context);
      return false;
    }

    // Find index for which the logout is requested
    boolean indexFound = false;
    if (logoutRequest.getSessionIndexes() != null && logoutRequest.getSessionIndexes().size() > 0) {
      for (AuthnStatement statement :
          credential.getAuthenticationAssertion().getAuthnStatements()) {
        String statementIndex = statement.getSessionIndex();
        if (statementIndex != null) {
          for (SessionIndex index : logoutRequest.getSessionIndexes()) {
            if (statementIndex.equals(index.getSessionIndex())) {
              indexFound = true;
            }
          }
        }
      }
    } else {
      indexFound = true;
    }

    // Fail if sessionIndex is not found in any assertion
    if (!indexFound) {

      // Check logout request still valid and store request
      if (logoutRequest.getNotOnOrAfter() != null) {
        // TODO store request for assertions possibly arriving later
      }

      Status status =
          getStatus(StatusCode.REQUESTER_URI, "The requested SessionIndex was not found");
      sendLogoutResponse(status, context);
      return false;
    }

    try {
      // Fail if NameId doesn't correspond to the currently logged user
      NameID nameID = getNameID(context, logoutRequest);
      if (nameID == null || !equalsNameID(credential.getNameID(), nameID)) {
        Status status =
            getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "The requested NameID is invalid");
        sendLogoutResponse(status, context);
        return false;
      }
    } catch (DecryptionException e) {
      Status status = getStatus(StatusCode.RESPONDER_URI, "The NameID can't be decrypted");
      sendLogoutResponse(status, context);
      return false;
    }

    // Message is valid, let's logout
    Status status = getStatus(StatusCode.SUCCESS_URI, null);
    sendLogoutResponse(status, context);

    return true;
  }