public void sendLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
throws SAMLException, MetadataProviderException, MessageEncodingException {
// If no user is logged in we do not initialize the protocol.
if (credential == null) {
return;
}
IDPSSODescriptor idpDescriptor = (IDPSSODescriptor) context.getPeerEntityRoleMetadata();
SPSSODescriptor spDescriptor = (SPSSODescriptor) context.getLocalEntityRoleMetadata();
String binding = SAMLUtil.getLogoutBinding(idpDescriptor, spDescriptor);
SingleLogoutService logoutServiceIDP =
SAMLUtil.getLogoutServiceForBinding(idpDescriptor, binding);
LogoutRequest logoutRequest = getLogoutRequest(context, credential, logoutServiceIDP);
context.setCommunicationProfileId(getProfileIdentifier());
context.setOutboundMessage(logoutRequest);
context.setOutboundSAMLMessage(logoutRequest);
context.setPeerEntityEndpoint(logoutServiceIDP);
boolean signMessage = context.getPeerExtendedMetadata().isRequireLogoutRequestSigned();
sendMessage(context, signMessage);
SAMLMessageStorage messageStorage = context.getMessageStorage();
if (messageStorage != null) {
messageStorage.storeMessage(logoutRequest.getID(), logoutRequest);
}
}
@Test
public void testLogoutTypeNull() {
this.registeredService.setLogoutType(null);
final Collection<LogoutRequest> logoutRequests = this.logoutManager.performLogout(tgt);
assertEquals(1, logoutRequests.size());
final LogoutRequest logoutRequest = logoutRequests.iterator().next();
assertEquals(ID, logoutRequest.getTicketId());
}
@Test
public void testLogoutTypeNotSet() {
final Collection<LogoutRequest> logoutRequests = this.logoutManager.performLogout(tgt);
assertEquals(1, logoutRequests.size());
final LogoutRequest logoutRequest = logoutRequests.iterator().next();
assertEquals(ID, logoutRequest.getTicketId());
assertEquals(this.simpleWebApplicationServiceImpl, logoutRequest.getService());
assertEquals(LogoutRequestStatus.SUCCESS, logoutRequest.getStatus());
}
@Test
public void testLogoutTypeFront() {
this.registeredService.setLogoutType(LogoutType.FRONT_CHANNEL);
final Collection<LogoutRequest> logoutRequests = this.logoutManager.performLogout(tgt);
assertEquals(1, logoutRequests.size());
final LogoutRequest logoutRequest = logoutRequests.iterator().next();
assertEquals(ID, logoutRequest.getTicketId());
assertEquals(this.simpleWebApplicationServiceImpl, logoutRequest.getService());
assertEquals(LogoutRequestStatus.NOT_ATTEMPTED, logoutRequest.getStatus());
}
protected NameID getNameID(SAMLMessageContext context, LogoutRequest request)
throws DecryptionException {
NameID id;
if (request.getEncryptedID() != null) {
Assert.notNull(
context.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context");
id = (NameID) context.getLocalDecrypter().decrypt(request.getEncryptedID());
} else {
id = request.getNameID();
}
return id;
}
public void logout() throws LogonException {
// Make sure user is already logged on before letting them logout
if (!session.alreadyLoggedOn())
throw new LogonException("You must first be logged on before calling Logout");
LogoutRequest logoutRequest = new LogoutRequest();
logoutRequest.setSessionId(session.getSessionId());
LogoutResponse logoutResponse =
(LogoutResponse) wsTemplate.marshalSendAndReceive(logoutRequest);
System.out.println("logout response = " + logoutResponse.getStatus());
session.wipe();
}
private OMElement handleSLORequest(MessageContext messageContext, LogoutRequest logoutRequest) {
// Get the session index from the SLORequest and remove the relevant session.
String sessionIndex = logoutRequest.getSessionIndexes().get(0).getSessionIndex();
String sessionId = CacheManager.getInstance().getSessionIndexMappingCache().get(sessionIndex);
if (sessionId != null) {
GatewayUtils.logWithRequestInfo(
log,
messageContext,
String.format(
"Found a session id (md5 : '%s')for the given session index in the SLO request: '%s'. Clearing the session",
GatewayUtils.getMD5Hash(sessionId), sessionIndex));
SessionStore.getInstance().removeSession(sessionId);
CacheManager.getInstance().getSessionIndexMappingCache().remove(sessionIndex);
} else {
GatewayUtils.logWithRequestInfo(
log,
messageContext,
String.format(
"Couldn't find a session id for the given session index : '%s'", sessionIndex));
}
OMFactory fac = OMAbstractFactory.getOMFactory();
OMNamespace ns = fac.createOMNamespace("http://wso2.org/appm", "appm");
OMElement payload = fac.createOMElement("SLOResponse", ns);
OMElement errorMessage = fac.createOMElement("message", ns);
errorMessage.setText("SLORequest has been successfully processed by WSO2 App Manager");
payload.addChild(errorMessage);
return payload;
}
/**
* Returns logout request message ready to be sent to the IDP.
*
* @param context message context
* @param credential information about assertions used to log current user in
* @param bindingService service used to deliver the request
* @return logoutRequest to be sent to IDP
* @throws SAMLException error creating the message
* @throws MetadataProviderException error retrieving metadata
*/
protected LogoutRequest getLogoutRequest(
SAMLMessageContext context, SAMLCredential credential, Endpoint bindingService)
throws SAMLException, MetadataProviderException {
SAMLObjectBuilder<LogoutRequest> builder =
(SAMLObjectBuilder<LogoutRequest>)
builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME);
LogoutRequest request = builder.buildObject();
buildCommonAttributes(context.getLocalEntityId(), request, bindingService);
// Add session indexes
SAMLObjectBuilder<SessionIndex> sessionIndexBuilder =
(SAMLObjectBuilder<SessionIndex>)
builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME);
for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) {
SessionIndex index = sessionIndexBuilder.buildObject();
index.setSessionIndex(statement.getSessionIndex());
request.getSessionIndexes().add(index);
}
if (request.getSessionIndexes().size() == 0) {
throw new SAMLException("No session indexes to logout user for were found");
}
SAMLObjectBuilder<NameID> nameIDBuilder =
(SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME);
NameID nameID = nameIDBuilder.buildObject();
nameID.setFormat(credential.getNameID().getFormat());
nameID.setNameQualifier(credential.getNameID().getNameQualifier());
nameID.setSPNameQualifier(credential.getNameID().getSPNameQualifier());
nameID.setSPProvidedID(credential.getNameID().getSPProvidedID());
nameID.setValue(credential.getNameID().getValue());
request.setNameID(nameID);
return request;
}
public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
throws SAMLException, MetadataProviderException, MessageEncodingException {
SAMLObject message = context.getInboundSAMLMessage();
// Verify type
if (message == null || !(message instanceof LogoutRequest)) {
log.warn("Received request is not of a LogoutRequest object type");
throw new SAMLException("Error validating SAML request");
}
LogoutRequest logoutRequest = (LogoutRequest) message;
// Make sure request was authenticated if required, authentication is done as part of the
// binding processing
if (!context.isInboundSAMLMessageAuthenticated()
&& context.getLocalExtendedMetadata().isRequireLogoutRequestSigned()) {
log.warn(
"Logout Request object is required to be signed by the entity policy: "
+ context.getInboundSAMLMessageId());
Status status = getStatus(StatusCode.REQUEST_DENIED_URI, "Message signature is required");
sendLogoutResponse(status, context);
return false;
}
try {
// Verify destination
verifyEndpoint(context.getLocalEntityEndpoint(), logoutRequest.getDestination());
} catch (SAMLException e) {
log.warn(
"Destination of the request {} does not match any singleLogout endpoint",
logoutRequest.getDestination());
Status status =
getStatus(StatusCode.REQUEST_DENIED_URI, "Destination URL of the request is invalid");
sendLogoutResponse(status, context);
return false;
}
// Verify issuer
if (logoutRequest.getIssuer() != null) {
try {
Issuer issuer = logoutRequest.getIssuer();
verifyIssuer(issuer, context);
} catch (SAMLException e) {
log.warn(
"Response issue time is either too old or with date in the future, id {}",
context.getInboundSAMLMessageId());
Status status =
getStatus(StatusCode.REQUEST_DENIED_URI, "Issuer of the message is unknown");
sendLogoutResponse(status, context);
return false;
}
}
// Verify issue time
DateTime time = logoutRequest.getIssueInstant();
if (!isDateTimeSkewValid(getResponseSkew(), time)) {
log.warn(
"Response issue time is either too old or with date in the future, id {}.",
context.getInboundSAMLMessageId());
Status status =
getStatus(StatusCode.REQUESTER_URI, "Message has been issued too long time ago");
sendLogoutResponse(status, context);
return false;
}
// Check whether any user is logged in
if (credential == null) {
Status status = getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "No user is logged in");
sendLogoutResponse(status, context);
return false;
}
// Find index for which the logout is requested
boolean indexFound = false;
if (logoutRequest.getSessionIndexes() != null && logoutRequest.getSessionIndexes().size() > 0) {
for (AuthnStatement statement :
credential.getAuthenticationAssertion().getAuthnStatements()) {
String statementIndex = statement.getSessionIndex();
if (statementIndex != null) {
for (SessionIndex index : logoutRequest.getSessionIndexes()) {
if (statementIndex.equals(index.getSessionIndex())) {
indexFound = true;
}
}
}
}
} else {
indexFound = true;
}
// Fail if sessionIndex is not found in any assertion
if (!indexFound) {
// Check logout request still valid and store request
if (logoutRequest.getNotOnOrAfter() != null) {
// TODO store request for assertions possibly arriving later
}
Status status =
getStatus(StatusCode.REQUESTER_URI, "The requested SessionIndex was not found");
sendLogoutResponse(status, context);
return false;
}
try {
// Fail if NameId doesn't correspond to the currently logged user
NameID nameID = getNameID(context, logoutRequest);
if (nameID == null || !equalsNameID(credential.getNameID(), nameID)) {
Status status =
getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "The requested NameID is invalid");
sendLogoutResponse(status, context);
return false;
}
} catch (DecryptionException e) {
Status status = getStatus(StatusCode.RESPONDER_URI, "The NameID can't be decrypted");
sendLogoutResponse(status, context);
return false;
}
// Message is valid, let's logout
Status status = getStatus(StatusCode.SUCCESS_URI, null);
sendLogoutResponse(status, context);
return true;
}
