public void sendLogoutRequest(SAMLMessageContext context, SAMLCredential credential) throws SAMLException, MetadataProviderException, MessageEncodingException { // If no user is logged in we do not initialize the protocol. if (credential == null) { return; } IDPSSODescriptor idpDescriptor = (IDPSSODescriptor) context.getPeerEntityRoleMetadata(); SPSSODescriptor spDescriptor = (SPSSODescriptor) context.getLocalEntityRoleMetadata(); String binding = SAMLUtil.getLogoutBinding(idpDescriptor, spDescriptor); SingleLogoutService logoutServiceIDP = SAMLUtil.getLogoutServiceForBinding(idpDescriptor, binding); LogoutRequest logoutRequest = getLogoutRequest(context, credential, logoutServiceIDP); context.setCommunicationProfileId(getProfileIdentifier()); context.setOutboundMessage(logoutRequest); context.setOutboundSAMLMessage(logoutRequest); context.setPeerEntityEndpoint(logoutServiceIDP); boolean signMessage = context.getPeerExtendedMetadata().isRequireLogoutRequestSigned(); sendMessage(context, signMessage); SAMLMessageStorage messageStorage = context.getMessageStorage(); if (messageStorage != null) { messageStorage.storeMessage(logoutRequest.getID(), logoutRequest); } }
/** * This method handles the logout requests from the IdP Any request for the defined logout URL is * handled here * * @param request * @throws javax.servlet.ServletException * @throws IOException */ public void doSLO(HttpServletRequest request) throws SAMLSSOException { doBootstrap(); XMLObject samlObject = null; if (request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ) != null) { samlObject = unmarshall( new String( Base64.decode( request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ)))); } if (samlObject == null) { samlObject = unmarshall( new String( Base64.decode(request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_RESP)))); } if (samlObject instanceof LogoutRequest) { LogoutRequest logoutRequest = (LogoutRequest) samlObject; String sessionIndex = logoutRequest.getSessionIndexes().get(0).getSessionIndex(); } else if (samlObject instanceof LogoutResponse) { request.getSession().invalidate(); } else { throw new SAMLSSOException("Invalid Single Logout SAML Request"); } }
@Test public void testBuildLogoutRequest() throws Exception { String logoutUrl = "http://logoutUrl"; String spId = "cloudstack"; String nameId = "_12345"; LogoutRequest req = SAMLUtils.buildLogoutRequest(logoutUrl, spId, nameId); assertEquals(req.getDestination(), logoutUrl); assertEquals(req.getIssuer().getValue(), spId); }
protected LogoutRequest buildLogoutRequest(String user, String sessionIdx) throws SSOAgentException { LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject(); logoutReq.setID(SSOAgentUtils.createID()); logoutReq.setDestination(ssoAgentConfig.getSAML2().getIdPURL()); DateTime issueInstant = new DateTime(); logoutReq.setIssueInstant(issueInstant); logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000)); IssuerBuilder issuerBuilder = new IssuerBuilder(); Issuer issuer = issuerBuilder.buildObject(); issuer.setValue(ssoAgentConfig.getSAML2().getSPEntityId()); logoutReq.setIssuer(issuer); NameID nameId = new NameIDBuilder().buildObject(); nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity"); nameId.setValue(user); logoutReq.setNameID(nameId); SessionIndex sessionIndex = new SessionIndexBuilder().buildObject(); sessionIndex.setSessionIndex(sessionIdx); logoutReq.getSessionIndexes().add(sessionIndex); logoutReq.setReason("Single Logout"); return logoutReq; }
protected NameID getNameID(SAMLMessageContext context, LogoutRequest request) throws DecryptionException { NameID id; if (request.getEncryptedID() != null) { Assert.notNull( context.getLocalDecrypter(), "Can't decrypt NameID, no decrypter is set in the context"); id = (NameID) context.getLocalDecrypter().decrypt(request.getEncryptedID()); } else { id = request.getNameID(); } return id; }
/** * This method handles the logout requests from the IdP Any request for the defined logout URL is * handled here * * @param request * @throws javax.servlet.ServletException * @throws IOException */ public void doSLO(HttpServletRequest request) throws SSOAgentException { XMLObject saml2Object = null; if (request.getParameter(SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_AUTH_REQ) != null) { saml2Object = SSOAgentUtils.unmarshall( new String( Base64.decode( request.getParameter( SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_AUTH_REQ)), Charset.forName("UTF-8"))); } if (saml2Object == null) { saml2Object = SSOAgentUtils.unmarshall( new String( Base64.decode( request.getParameter(SSOAgentConstants.SAML2SSO.HTTP_POST_PARAM_SAML2_RESP)), Charset.forName("UTF-8"))); } if (saml2Object instanceof LogoutRequest) { LogoutRequest logoutRequest = (LogoutRequest) saml2Object; String sessionIndex = logoutRequest.getSessionIndexes().get(0).getSessionIndex(); Set<HttpSession> sessions = SSOAgentSessionManager.invalidateAllSessions(sessionIndex); for (HttpSession session : sessions) { session.invalidate(); } } else if (saml2Object instanceof LogoutResponse) { if (request.getSession(false) != null) { /** * Not invalidating session explicitly since there may be other listeners still waiting to * get triggered and at the end of the chain session needs to be invalidated by the system */ Set<HttpSession> sessions = SSOAgentSessionManager.invalidateAllSessions(request.getSession(false)); for (HttpSession session : sessions) { try { session.invalidate(); } catch (IllegalStateException ignore) { if (log.isDebugEnabled()) { log.debug("Ignoring exception : ", ignore); } // ignore // session is already invalidated } } } } else { throw new SSOAgentException("Invalid SAML2 Single Logout Request/Response"); } }
private OMElement handleSLORequest(MessageContext messageContext, LogoutRequest logoutRequest) { // Get the session index from the SLORequest and remove the relevant session. String sessionIndex = logoutRequest.getSessionIndexes().get(0).getSessionIndex(); String sessionId = CacheManager.getInstance().getSessionIndexMappingCache().get(sessionIndex); if (sessionId != null) { GatewayUtils.logWithRequestInfo( log, messageContext, String.format( "Found a session id (md5 : '%s')for the given session index in the SLO request: '%s'. Clearing the session", GatewayUtils.getMD5Hash(sessionId), sessionIndex)); SessionStore.getInstance().removeSession(sessionId); CacheManager.getInstance().getSessionIndexMappingCache().remove(sessionIndex); } else { GatewayUtils.logWithRequestInfo( log, messageContext, String.format( "Couldn't find a session id for the given session index : '%s'", sessionIndex)); } OMFactory fac = OMAbstractFactory.getOMFactory(); OMNamespace ns = fac.createOMNamespace("http://wso2.org/appm", "appm"); OMElement payload = fac.createOMElement("SLOResponse", ns); OMElement errorMessage = fac.createOMElement("message", ns); errorMessage.setText("SLORequest has been successfully processed by WSO2 App Manager"); payload.addChild(errorMessage); return payload; }
/** * Applies the XML Digital Signature to the SAML 2.0 based Logout Request (LogoutRequest). * * @param logoutRequest the SAML 2.0 based Logout Request (LogoutRequest) * @param signatureAlgorithm the algorithm used to compute the signature * @param credential the signature signing credential * @return the SAML 2.0 based Logout Request (LogoutRequest) with XML Digital Signature set * @throws SSOException if an error occurs while signing the SAML 2.0 LogoutRequest message */ protected static LogoutRequest setSignature( LogoutRequest logoutRequest, String signatureAlgorithm, X509Credential credential) throws SSOException { try { Signature signature = setSignatureRaw(signatureAlgorithm, credential); logoutRequest.setSignature(signature); List<Signature> signatureList = new ArrayList<>(); signatureList.add(signature); // Marshall and Sign MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory(); Marshaller marshaller = marshallerFactory.getMarshaller(logoutRequest); marshaller.marshall(logoutRequest); // Initializes and configures the library Init.init(); // Signer is responsible for creating the digital signatures for the given XML Objects. // Signs the XML Objects based on the given order of the Signature list Signer.signObjects(signatureList); return logoutRequest; } catch (MarshallingException | SignatureException e) { throw new SSOException("Error while signing the SAML 2.0 based LogoutRequest message", e); } }
private LogoutRequest buildLogoutRequest( String user, String sessionIndexStr, String idpUrl, String nameQualifier, String spNameQualifier) throws SAMLSSOException { LogoutRequest logoutReq = new LogoutRequestBuilder().buildObject(); logoutReq.setID(SSOUtils.createID()); logoutReq.setDestination(idpUrl); DateTime issueInstant = new DateTime(); logoutReq.setIssueInstant(issueInstant); logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000)); IssuerBuilder issuerBuilder = new IssuerBuilder(); Issuer issuer = issuerBuilder.buildObject(); String spEntityId = properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID); if (spEntityId != null && !spEntityId.isEmpty()) { issuer.setValue(spEntityId); } else { issuer.setValue("carbonServer"); } logoutReq.setIssuer(issuer); NameID nameId = new NameIDBuilder().buildObject(); nameId.setFormat(NameIDType.UNSPECIFIED); nameId.setValue(user); nameId.setNameQualifier(nameQualifier); nameId.setSPNameQualifier(spNameQualifier); logoutReq.setNameID(nameId); SessionIndex sessionIndex = new SessionIndexBuilder().buildObject(); if (sessionIndexStr != null) { sessionIndex.setSessionIndex(sessionIndexStr); } else { sessionIndex.setSessionIndex(UUID.randomUUID().toString()); } logoutReq.getSessionIndexes().add(sessionIndex); logoutReq.setReason("Single Logout"); return logoutReq; }
/** * Returns logout request message ready to be sent to the IDP. * * @param context message context * @param credential information about assertions used to log current user in * @param bindingService service used to deliver the request * @return logoutRequest to be sent to IDP * @throws SAMLException error creating the message * @throws MetadataProviderException error retrieving metadata */ protected LogoutRequest getLogoutRequest( SAMLMessageContext context, SAMLCredential credential, Endpoint bindingService) throws SAMLException, MetadataProviderException { SAMLObjectBuilder<LogoutRequest> builder = (SAMLObjectBuilder<LogoutRequest>) builderFactory.getBuilder(LogoutRequest.DEFAULT_ELEMENT_NAME); LogoutRequest request = builder.buildObject(); buildCommonAttributes(context.getLocalEntityId(), request, bindingService); // Add session indexes SAMLObjectBuilder<SessionIndex> sessionIndexBuilder = (SAMLObjectBuilder<SessionIndex>) builderFactory.getBuilder(SessionIndex.DEFAULT_ELEMENT_NAME); for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) { SessionIndex index = sessionIndexBuilder.buildObject(); index.setSessionIndex(statement.getSessionIndex()); request.getSessionIndexes().add(index); } if (request.getSessionIndexes().size() == 0) { throw new SAMLException("No session indexes to logout user for were found"); } SAMLObjectBuilder<NameID> nameIDBuilder = (SAMLObjectBuilder<NameID>) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME); NameID nameID = nameIDBuilder.buildObject(); nameID.setFormat(credential.getNameID().getFormat()); nameID.setNameQualifier(credential.getNameID().getNameQualifier()); nameID.setSPNameQualifier(credential.getNameID().getSPNameQualifier()); nameID.setSPProvidedID(credential.getNameID().getSPProvidedID()); nameID.setValue(credential.getNameID().getValue()); request.setNameID(nameID); return request; }
/** * Sign the SAML AuthnRequest message * * @param logoutRequest * @param signatureAlgorithm * @param cred * @return * @throws SAMLSSOException */ public static LogoutRequest setSignature( LogoutRequest logoutRequest, String signatureAlgorithm, X509Credential cred) throws SAMLSSOException { try { Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME); signature.setSigningCredential(cred); signature.setSignatureAlgorithm(signatureAlgorithm); signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); try { KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME); X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME); org.opensaml.xml.signature.X509Certificate cert = (org.opensaml.xml.signature.X509Certificate) buildXMLObject(org.opensaml.xml.signature.X509Certificate.DEFAULT_ELEMENT_NAME); String value = org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded()); cert.setValue(value); data.getX509Certificates().add(cert); keyInfo.getX509Datas().add(data); signature.setKeyInfo(keyInfo); } catch (CertificateEncodingException e) { throw new SAMLSSOException("Error getting certificate", e); } logoutRequest.setSignature(signature); List<Signature> signatureList = new ArrayList<Signature>(); signatureList.add(signature); // Marshall and Sign MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory(); Marshaller marshaller = marshallerFactory.getMarshaller(logoutRequest); marshaller.marshall(logoutRequest); org.apache.xml.security.Init.init(); Signer.signObjects(signatureList); return logoutRequest; } catch (Exception e) { throw new SAMLSSOException("Error while signing the Logout Request message", e); } }
/** * @param logoutRequest * @param sessionId * @param queryString * @return * @throws IdentityException */ public SAMLSSOReqValidationResponseDTO process( LogoutRequest logoutRequest, String sessionId, String queryString) throws IdentityException { try { SAMLSSOReqValidationResponseDTO reqValidationResponseDTO = new SAMLSSOReqValidationResponseDTO(); reqValidationResponseDTO.setLogOutReq(true); String subject = null; String issuer = null; String defaultSigningAlgoUri = IdentityApplicationManagementUtil.getSigningAlgoURIByConfig(); String defaultDigestAlgoUri = IdentityApplicationManagementUtil.getDigestAlgoURIByConfig(); // Get the sessions from the SessionPersistenceManager and prepare // the logout responses SSOSessionPersistenceManager ssoSessionPersistenceManager = SSOSessionPersistenceManager.getPersistenceManager(); if (StringUtils.isBlank(sessionId)) { String message = "Session was already Expired"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } String sessionIndex = ssoSessionPersistenceManager.getSessionIndexFromTokenId(sessionId); if (StringUtils.isBlank(sessionId)) { String message = "Session index value not found in the request"; log.error(message); reqValidationResponseDTO = buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null, defaultSigningAlgoUri, defaultDigestAlgoUri); reqValidationResponseDTO.setLogoutFromAuthFramework(true); return reqValidationResponseDTO; } // Only if the logout request is received. if (logoutRequest != null) { if (logoutRequest.getIssuer() == null) { String message = "Issuer should be mentioned in the Logout Request"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } // TODO : Check for BaseID and EncryptedID as well. if (logoutRequest.getNameID() != null) { NameID nameID = logoutRequest.getNameID(); subject = nameID.getValue(); } else { String message = "Subject Name should be specified in the Logout Request"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } if (logoutRequest.getSessionIndexes() == null) { String message = "At least one Session Index should be present in the Logout Request"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), defaultSigningAlgoUri, defaultDigestAlgoUri); } SessionInfoData sessionInfoData = ssoSessionPersistenceManager.getSessionInfo(sessionIndex); if (sessionInfoData == null) { String message = "No Established Sessions corresponding to Session Indexes provided."; log.error(message); reqValidationResponseDTO = buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null, defaultSigningAlgoUri, defaultDigestAlgoUri); reqValidationResponseDTO.setLogoutFromAuthFramework(true); return reqValidationResponseDTO; } issuer = logoutRequest.getIssuer().getValue(); if (issuer.contains("@")) { String tenantDomain = issuer.substring(issuer.lastIndexOf('@') + 1); issuer = issuer.substring(0, issuer.lastIndexOf('@')); if (StringUtils.isNotEmpty(tenantDomain) && StringUtils.isNotEmpty(issuer)) { SAMLSSOUtil.setTenantDomainInThreadLocal(tenantDomain); if (log.isDebugEnabled()) { log.debug( "Tenant Domain :" + " " + tenantDomain + " " + "&" + " " + "Issuer name :" + issuer + " " + "has being spilt"); } } else { SAMLSSOServiceProviderDO serviceProvider = sessionInfoData.getServiceProviderList().get(issuer); if (serviceProvider != null) { SAMLSSOUtil.setTenantDomainInThreadLocal( sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain()); } else { throw new IdentityException( "Service provider :" + issuer + " does not exist in session " + "info data."); } } } else { SAMLSSOServiceProviderDO serviceProvider = sessionInfoData.getServiceProviderList().get(issuer); if (serviceProvider != null) { SAMLSSOUtil.setTenantDomainInThreadLocal( sessionInfoData.getServiceProviderList().get(issuer).getTenantDomain()); } else { throw new IdentityException( "Service provider :" + issuer + " does not exist in session info " + "data."); } } subject = sessionInfoData.getSubject(issuer); Map<String, SAMLSSOServiceProviderDO> sessionsList = sessionInfoData.getServiceProviderList(); SAMLSSOServiceProviderDO logoutReqIssuer = sessionsList.get(issuer); if (logoutReqIssuer.isDoSingleLogout()) { // validate session index SessionIndex requestSessionIndex = logoutRequest.getSessionIndexes().size() > 0 ? logoutRequest.getSessionIndexes().get(0) : null; if (requestSessionIndex == null || !sessionIndex.equals(requestSessionIndex.getSessionIndex())) { String message = "Session Index validation for Logout Request failed. " + "Received: [" + (requestSessionIndex == null ? "null" : requestSessionIndex.getSessionIndex()) + "]." + " Expected: [" + sessionIndex + "]"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), logoutReqIssuer.getSigningAlgorithmUri(), logoutReqIssuer.getDigestAlgorithmUri()); } } if (logoutReqIssuer.isDoValidateSignatureInRequests()) { // Validate 'Destination' List<String> idpUrlSet = SAMLSSOUtil.getDestinationFromTenantDomain( SAMLSSOUtil.getTenantDomainFromThreadLocal()); if (logoutRequest.getDestination() == null || !idpUrlSet.contains(logoutRequest.getDestination())) { String message = "Destination validation for Logout Request failed. " + "Received: [" + logoutRequest.getDestination() + "]." + " Expected: [" + StringUtils.join(idpUrlSet, ',') + "]"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), logoutReqIssuer.getSigningAlgorithmUri(), logoutReqIssuer.getDigestAlgorithmUri()); } // Validate Signature boolean isSignatureValid = SAMLSSOUtil.validateLogoutRequestSignature( logoutRequest, logoutReqIssuer.getCertAlias(), subject, queryString); if (!isSignatureValid) { String message = "Signature validation for Logout Request failed"; log.error(message); return buildErrorResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, logoutRequest.getDestination(), logoutReqIssuer.getSigningAlgorithmUri(), logoutReqIssuer.getDigestAlgorithmUri()); } } SingleLogoutMessageBuilder logoutMsgBuilder = new SingleLogoutMessageBuilder(); Map<String, String> rpSessionsList = sessionInfoData.getRPSessionsList(); List<SingleLogoutRequestDTO> singleLogoutReqDTOs = new ArrayList<SingleLogoutRequestDTO>(); for (Map.Entry<String, SAMLSSOServiceProviderDO> entry : sessionsList.entrySet()) { String key = entry.getKey(); SAMLSSOServiceProviderDO value = entry.getValue(); if (!key.equals(issuer)) { SingleLogoutRequestDTO logoutReqDTO = new SingleLogoutRequestDTO(); if (StringUtils.isNotBlank(value.getSloRequestURL())) { logoutReqDTO.setAssertionConsumerURL(value.getSloRequestURL()); } else if (StringUtils.isNotBlank(value.getSloResponseURL())) { logoutReqDTO.setAssertionConsumerURL(value.getSloResponseURL()); } else { logoutReqDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl()); } LogoutRequest logoutReq = logoutMsgBuilder.buildLogoutRequest( sessionInfoData.getSubject(key), sessionIndex, SAMLSSOConstants.SingleLogoutCodes.LOGOUT_USER, logoutReqDTO.getAssertionConsumerURL(), value.getNameIDFormat(), value.getTenantDomain(), value.getSigningAlgorithmUri(), value.getDigestAlgorithmUri()); String logoutReqString = SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutReq)); logoutReqDTO.setLogoutResponse(logoutReqString); logoutReqDTO.setRpSessionId(rpSessionsList.get(key)); singleLogoutReqDTOs.add(logoutReqDTO); } else { reqValidationResponseDTO.setIssuer(value.getIssuer()); reqValidationResponseDTO.setDoSignResponse(value.isDoSignResponse()); reqValidationResponseDTO.setSigningAlgorithmUri(value.getSigningAlgorithmUri()); reqValidationResponseDTO.setDigestAlgorithmUri(value.getDigestAlgorithmUri()); if (StringUtils.isNotBlank(value.getSloResponseURL())) { reqValidationResponseDTO.setAssertionConsumerURL(value.getSloResponseURL()); } else { reqValidationResponseDTO.setAssertionConsumerURL(value.getAssertionConsumerUrl()); } } } reqValidationResponseDTO.setLogoutRespDTO( singleLogoutReqDTOs.toArray(new SingleLogoutRequestDTO[singleLogoutReqDTOs.size()])); LogoutResponse logoutResponse = logoutMsgBuilder.buildLogoutResponse( logoutRequest.getID(), SAMLSSOConstants.StatusCodes.SUCCESS_CODE, null, reqValidationResponseDTO.getAssertionConsumerURL(), reqValidationResponseDTO.isDoSignResponse(), SAMLSSOUtil.getTenantDomainFromThreadLocal(), reqValidationResponseDTO.getSigningAlgorithmUri(), reqValidationResponseDTO.getDigestAlgorithmUri()); reqValidationResponseDTO.setLogoutResponse( SAMLSSOUtil.encode(SAMLSSOUtil.marshall(logoutResponse))); reqValidationResponseDTO.setValid(true); } return reqValidationResponseDTO; } catch (UserStoreException | IdentityException e) { throw new IdentityException("Error Processing the Logout Request", e); } }
public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential credential) throws SAMLException, MetadataProviderException, MessageEncodingException { SAMLObject message = context.getInboundSAMLMessage(); // Verify type if (message == null || !(message instanceof LogoutRequest)) { log.warn("Received request is not of a LogoutRequest object type"); throw new SAMLException("Error validating SAML request"); } LogoutRequest logoutRequest = (LogoutRequest) message; // Make sure request was authenticated if required, authentication is done as part of the // binding processing if (!context.isInboundSAMLMessageAuthenticated() && context.getLocalExtendedMetadata().isRequireLogoutRequestSigned()) { log.warn( "Logout Request object is required to be signed by the entity policy: " + context.getInboundSAMLMessageId()); Status status = getStatus(StatusCode.REQUEST_DENIED_URI, "Message signature is required"); sendLogoutResponse(status, context); return false; } try { // Verify destination verifyEndpoint(context.getLocalEntityEndpoint(), logoutRequest.getDestination()); } catch (SAMLException e) { log.warn( "Destination of the request {} does not match any singleLogout endpoint", logoutRequest.getDestination()); Status status = getStatus(StatusCode.REQUEST_DENIED_URI, "Destination URL of the request is invalid"); sendLogoutResponse(status, context); return false; } // Verify issuer if (logoutRequest.getIssuer() != null) { try { Issuer issuer = logoutRequest.getIssuer(); verifyIssuer(issuer, context); } catch (SAMLException e) { log.warn( "Response issue time is either too old or with date in the future, id {}", context.getInboundSAMLMessageId()); Status status = getStatus(StatusCode.REQUEST_DENIED_URI, "Issuer of the message is unknown"); sendLogoutResponse(status, context); return false; } } // Verify issue time DateTime time = logoutRequest.getIssueInstant(); if (!isDateTimeSkewValid(getResponseSkew(), time)) { log.warn( "Response issue time is either too old or with date in the future, id {}.", context.getInboundSAMLMessageId()); Status status = getStatus(StatusCode.REQUESTER_URI, "Message has been issued too long time ago"); sendLogoutResponse(status, context); return false; } // Check whether any user is logged in if (credential == null) { Status status = getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "No user is logged in"); sendLogoutResponse(status, context); return false; } // Find index for which the logout is requested boolean indexFound = false; if (logoutRequest.getSessionIndexes() != null && logoutRequest.getSessionIndexes().size() > 0) { for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) { String statementIndex = statement.getSessionIndex(); if (statementIndex != null) { for (SessionIndex index : logoutRequest.getSessionIndexes()) { if (statementIndex.equals(index.getSessionIndex())) { indexFound = true; } } } } } else { indexFound = true; } // Fail if sessionIndex is not found in any assertion if (!indexFound) { // Check logout request still valid and store request if (logoutRequest.getNotOnOrAfter() != null) { // TODO store request for assertions possibly arriving later } Status status = getStatus(StatusCode.REQUESTER_URI, "The requested SessionIndex was not found"); sendLogoutResponse(status, context); return false; } try { // Fail if NameId doesn't correspond to the currently logged user NameID nameID = getNameID(context, logoutRequest); if (nameID == null || !equalsNameID(credential.getNameID(), nameID)) { Status status = getStatus(StatusCode.UNKNOWN_PRINCIPAL_URI, "The requested NameID is invalid"); sendLogoutResponse(status, context); return false; } } catch (DecryptionException e) { Status status = getStatus(StatusCode.RESPONDER_URI, "The NameID can't be decrypted"); sendLogoutResponse(status, context); return false; } // Message is valid, let's logout Status status = getStatus(StatusCode.SUCCESS_URI, null); sendLogoutResponse(status, context); return true; }