public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
throws SAMLException, MetadataProviderException, MessageEncodingException {
SAMLObject message = context.getInboundSAMLMessage();
// Verify type
if (message == null || !(message instanceof LogoutRequest)) {
log.warn("Received request is not of a LogoutRequest object type");
throw new SAMLException("Error validating SAML request");
}
LogoutRequest logoutRequest = (LogoutRequest) message;
// Make sure request was authenticated if required, authentication is done as part of the
// binding processing
if (!context.isInboundSAMLMessageAuthenticated()
&& context.getLocalExtendedMetadata().isRequireLogoutRequestSigned()) {
log.warn(
"Logout Request object is required to be signed by the entity policy: "
+ context.getInboundSAMLMessageId());
Status status = getStatus(StatusCode.REQUEST_DENIED_URI, "Message signature is required");
sendLogoutResponse(status, context);
return false;
}
try {
// Verify destination
verifyEndpoint(context.getLocalEntityEndpoint(), logoutRequest.getDestination());
} catch (SAMLException e) {
log.warn(
"Destination of the request {} does not match any singleLogout endpoint",
logoutRequest.getDestination());
Status status =
getStatus(StatusCode.REQUEST_DENIED_URI, "Destination URL of the request is invalid");
sendLogoutResponse(status, context);
return false;
}
// Verify issuer
if (logoutRequest.getIssuer() != null) {
try {
Issuer issuer = logoutRequest.getIssuer();
verifyIssuer(issuer, context);
} catch (SAMLException e) {
log.warn(
"Response issue time is either too old or with date in the future, id {}",
context.getInboundSAMLMessageId());
Status status =
getStatus(StatusCode.REQUEST_DENIED_URI, "Issuer of the message is unknown");
sendLogoutResponse(status, context);
return false;
}
}
// Verify issue time
DateTime time = logoutRequest.getIssueInstant();
if (!isDateTimeSkewValid(getResponseSkew(), time)) {
log.warn(
"Response issue time is either too old or with date in the future, id {}.",
context.getInboundSAMLMessageId());
Status status =
getStatus(StatusCode.REQUESTER_URI, "Message has been issued too long time ago");
sendLogoutResponse(status, context);
return false;
}
// Check whether any user is logged in
if (credential == null) {
Status status = getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "No user is logged in");
sendLogoutResponse(status, context);
return false;
}
// Find index for which the logout is requested
boolean indexFound = false;
if (logoutRequest.getSessionIndexes() != null && logoutRequest.getSessionIndexes().size() > 0) {
for (AuthnStatement statement :
credential.getAuthenticationAssertion().getAuthnStatements()) {
String statementIndex = statement.getSessionIndex();
if (statementIndex != null) {
for (SessionIndex index : logoutRequest.getSessionIndexes()) {
if (statementIndex.equals(index.getSessionIndex())) {
indexFound = true;
}
}
}
}
} else {
indexFound = true;
}
// Fail if sessionIndex is not found in any assertion
if (!indexFound) {
// Check logout request still valid and store request
if (logoutRequest.getNotOnOrAfter() != null) {
// TODO store request for assertions possibly arriving later
}
Status status =
getStatus(StatusCode.REQUESTER_URI, "The requested SessionIndex was not found");
sendLogoutResponse(status, context);
return false;
}
try {
// Fail if NameId doesn't correspond to the currently logged user
NameID nameID = getNameID(context, logoutRequest);
if (nameID == null || !equalsNameID(credential.getNameID(), nameID)) {
Status status =
getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "The requested NameID is invalid");
sendLogoutResponse(status, context);
return false;
}
} catch (DecryptionException e) {
Status status = getStatus(StatusCode.RESPONDER_URI, "The NameID can't be decrypted");
sendLogoutResponse(status, context);
return false;
}
// Message is valid, let's logout
Status status = getStatus(StatusCode.SUCCESS_URI, null);
sendLogoutResponse(status, context);
return true;
}
