/**
  * Single Logout Service
  */
 public function slsAction()
 {
     if ($this->getRequest()->getPost('RelayState')) {
         $this->_redirectUrl($this->getRequest()->getPost('RelayState'));
         return;
     }
     $samlRequest = $this->getRequest()->getPost('SAMLRequest');
     $oneLoginSettings = new OneLogin_Saml2_Settings(Mage::helper('hukmedia_wso2/config')->getWso2SamlConfig());
     $logoutRequest = new OneLogin_Saml2_LogoutRequest($oneLoginSettings, $samlRequest);
     $logoutRequestRaw = $logoutRequest->getRequestRaw();
     $sessionIndex = current($logoutRequest->getSessionIndexes($logoutRequestRaw));
     $sessionIndexModel = Mage::getModel('hukmedia_wso2/sessionindex');
     $sessionIndexModel->loadBySessionIndex($sessionIndex);
     /* destroy the session from incomming wso2 logout request */
     session_destroy();
     /* load the magento customer session and destroy */
     /* this is a ugly solution, how can a session be loaded by id or somtheing else? */
     /* someting like ...
        /* $session = Mage::getSingleton('core/session')->loadByAnyId($sessionIndexModel->getMagentoSessionId()) */
     /* $session->logout()->renew() */
     /* i'm not happy with this solution :'-( */
     session_id($sessionIndexModel->getMagentoSessionId());
     session_start();
     session_destroy();
     $sessionIndexModel->delete();
 }
 /**
  * Build the IdP Single Logout URL carrying a freshly generated LogoutRequest.
  *
  * Nothing is returned when no SAML_SLO endpoint is configured.
  *
  * @return string|null
  */
 public function getLogoutUrl()
 {
     if (empty($GLOBALS['sugar_config']['SAML_SLO'])) {
         return;
     }
     $sloEndpoint   = $GLOBALS['sugar_config']['SAML_SLO'];
     $auth          = new OneLogin_Saml2_Auth(SAMLAuthenticate::loadSettings());
     $logoutRequest = new OneLogin_Saml2_LogoutRequest($auth->getSettings());
     // getRequest() yields the deflated, base64-encoded message; it still needs URL encoding.
     return sprintf('%s?SAMLRequest=%s', $sloEndpoint, urlencode($logoutRequest->getRequest()));
 }
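 /**
  * Tests the logout method of the OneLogin_Saml2_Auth class
  * Case nameID loaded after process SAML Response
  *
  * The NameID extracted from the processed response must be carried over
  * into the LogoutRequest that logout() redirects the browser with.
  *
  * @covers OneLogin_Saml2_Auth::logout
  * @runInSeparateProcess
  */
 public function testLogoutNameID()
 {
     $message = file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64');
     $_POST['SAMLResponse'] = $message;
     $this->_auth->processResponse();
     $nameIdFromResponse = $this->_auth->getNameId();
     try {
         // logout() issues a redirect; under PHPUnit the header() call throws
         // because output has already started, which is what we intercept below.
         $this->_auth->logout();
         // Do not ever get here
         $this->assertFalse(true);
     } catch (Exception $e) {
         $this->assertContains('Cannot modify header information', $e->getMessage());
         $trace = $e->getTrace();
         // Recover the redirect target from the stack trace of the failed header() call.
         $targetUrl = getUrlFromRedirect($trace);
         $parsedQuery = getParamsFromUrl($targetUrl);
         $sloUrl = $this->_settingsInfo['idp']['singleLogoutService']['url'];
         $this->assertContains($sloUrl, $targetUrl);
         $this->assertArrayHasKey('SAMLRequest', $parsedQuery);
         // HTTP-Redirect binding: base64 over raw deflate.
         $logoutRequest = gzinflate(base64_decode($parsedQuery['SAMLRequest']));
         $nameIdFromRequest = OneLogin_Saml2_LogoutRequest::getNameId($logoutRequest);
         $this->assertEquals($nameIdFromResponse, $nameIdFromRequest);
     }
 }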
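 /**
  * Initiates the SLO process.
  *
  * Builds a LogoutRequest (falling back to the NameID captured during SSO),
  * optionally signs it for the HTTP-Redirect binding, and redirects the
  * browser to the IdP's Single Logout endpoint.
  *
  * @param string $returnTo      The target URL the user should be returned to after logout.
  *                              Sent to the IdP as RelayState and echoed back to the SP's
  *                              SLS; callers should only pass URLs they trust.
  * @param array  $parameters    Extra parameters to be added to the GET
  * @param string $nameId        The NameID that will be set in the LogoutRequest.
  * @param string $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
  *
  * @return mixed whatever redirectTo() returns
  * @throws OneLogin_Saml2_Error when the IdP exposes no SLO endpoint
  */
 public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null)
 {
     // Expression form: string-argument assert() is deprecated since PHP 7.2 and removed in 8.0.
     assert(is_array($parameters));

     $sloUrl = $this->getSLOurl();
     if (empty($sloUrl)) {
         throw new OneLogin_Saml2_Error('The IdP does not support Single Log Out', OneLogin_Saml2_Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED);
     }

     // Default to the NameID remembered from the SSO response when none is given.
     if (empty($nameId) && !empty($this->_nameid)) {
         $nameId = $this->_nameid;
     }

     $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex);
     $samlRequest = $logoutRequest->getRequest();
     $parameters['SAMLRequest'] = $samlRequest;

     if (!empty($returnTo)) {
         $parameters['RelayState'] = $returnTo;
     } else {
         $parameters['RelayState'] = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
     }

     $security = $this->_settings->getSecurityData();
     if (isset($security['logoutRequestSigned']) && $security['logoutRequestSigned']) {
         // NOTE(review): assumes the settings layer always provides
         // $security['signatureAlgorithm'] when signing is enabled — confirm.
         $signature = $this->buildRequestSignature($samlRequest, $parameters['RelayState'], $security['signatureAlgorithm']);
         $parameters['SigAlg'] = $security['signatureAlgorithm'];
         $parameters['Signature'] = $signature;
     }

     return $this->redirectTo($sloUrl, $parameters);
 }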
 * additional information regarding copyright ownership.
 * The Apereo Foundation licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except in
 * compliance with the License. You may obtain a copy of the License at:
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
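// SP-initiated Single Logout: build a LogoutRequest and send the browser to the IdP.
session_start();
require_once '_toolkit_loader.php';

$samlSettings = new OneLogin_Saml2_Settings();
$idpData = $samlSettings->getIdPData();

// Abort unless the IdP configuration advertises a Single Logout endpoint.
if (!isset($idpData['singleLogoutService']['url'])) {
    throw new Exception("The IdP does not support Single Log Out");
}
$sloUrl = $idpData['singleLogoutService']['url'];

// Reuse the IdP SessionIndex captured during SSO so the IdP can match the session.
// NOTE(review): this passes the value as the constructor's third argument; in
// toolkit versions whose signature is (settings, request, nameId, sessionIndex)
// it would land in the nameId slot — confirm against the installed version.
if (!empty($_SESSION['IdPSessionIndex'])) {
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($samlSettings, null, $_SESSION['IdPSessionIndex']);
} else {
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($samlSettings);
}

$samlRequest = $logoutRequest->getRequest();
$parameters = array('SAMLRequest' => $samlRequest);

// Third argument `true` makes redirect() return the URL instead of sending headers itself.
$url = OneLogin_Saml2_Utils::redirect($sloUrl, $parameters, true);
header("Location: {$url}");
// Stop here so nothing after the redirect header is executed or emitted.
exit;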
 /**
  * Tests the isValid method of the OneLogin_Saml2_LogoutRequest
  *
  * Walks a signed LogoutRequest (HTTP-Redirect binding, parameters in $_GET)
  * through the rejection cases: wrong destination under strict mode, tampered
  * Signature, tampered RelayState, unsupported SigAlg, missing signature when
  * the SP requires one, and a fingerprint-only IdP config.
  *
  * @covers OneLogin_Saml2_LogoutRequest::isValid
  */
 public function testIsInValidSign()
 {
     $currentURL = OneLogin_Saml2_Utils::getSelfURLNoQuery();
     $this->_settings->setStrict(false);
     // Signature is computed by the IdP over SAMLRequest + RelayState + SigAlg, so any
     // later change to one of those three must invalidate it.
     $_GET = array('SAMLRequest' => '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', 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'Signature' => 'XCwCyI5cs7WhiJlB5ktSlWxSBxv+6q2xT3c8L7dLV6NQG9LHWhN7gf8qNsahSXfCzA0Ey9dp5BQ0EdRvAk2DIzKmJY6e3hvAIEp1zglHNjzkgcQmZCcrkK9Czi2Y1WkjOwR/WgUTUWsGJAVqVvlRZuS3zk3nxMrLH6f7toyvuJc=');
     $request = gzinflate(base64_decode($_GET['SAMLRequest']));
     $encodedRequest = $_GET['SAMLRequest'];
     // Non-strict: the intact signature validates even though the Destination is foreign.
     $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
     $this->assertTrue($logoutRequest->isValid());
     // Strict: the Destination check rejects the request before anything else.
     $this->_settings->setStrict(true);
     $logoutRequest2 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
     $this->assertFalse($logoutRequest2->isValid());
     $this->assertContains('The LogoutRequest was received at', $logoutRequest2->getError());
     $this->_settings->setStrict(false);
     // Tampered Signature value.
     $oldSignature = $_GET['Signature'];
     $_GET['Signature'] = 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVf3333=';
     $logoutRequest3 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
     $this->assertFalse($logoutRequest3->isValid());
     $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());
     $_GET['Signature'] = $oldSignature;
     // Missing SigAlg: the original signature still validates (default algorithm assumed).
     $oldSigAlg = $_GET['SigAlg'];
     unset($_GET['SigAlg']);
     $this->assertTrue($logoutRequest3->isValid());
     // Tampered RelayState breaks the signed payload.
     $oldRelayState = $_GET['RelayState'];
     $_GET['RelayState'] = 'http://example.com/relaystate';
     $this->assertFalse($logoutRequest3->isValid());
     $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());
     $this->_settings->setStrict(true);
     // Rewrite Destination/Issuer to match this SP: the message now passes the strict
     // checks, but the old signature no longer matches the modified message.
     $request2 = str_replace('https://pitbulk.no-ip.org/newonelogin/demo1/index.php?sls', $currentURL, $request);
     $request2 = str_replace('https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php', 'http://idp.example.com/', $request2);
     $deflatedRequest2 = gzdeflate($request2);
     $encodedRequest2 = base64_encode($deflatedRequest2);
     $_GET['SAMLRequest'] = $encodedRequest2;
     $logoutRequest4 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
     $this->assertFalse($logoutRequest4->isValid());
     $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest4->getError());
     $this->_settings->setStrict(false);
     $logoutRequest5 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
     $this->assertFalse($logoutRequest5->isValid());
     $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest5->getError());
     // Unsupported signature algorithm is rejected explicitly.
     $_GET['SigAlg'] = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
     $this->assertFalse($logoutRequest5->isValid());
     $this->assertEquals('Invalid signAlg in the recieved Logout Request', $logoutRequest5->getError());
     // Fresh settings that require signed messages: an unsigned request must be refused.
     $settingsDir = TEST_ROOT . '/settings/';
     include $settingsDir . 'settings1.php';
     $settingsInfo['strict'] = true;
     $settingsInfo['security']['wantMessagesSigned'] = true;
     $settings = new OneLogin_Saml2_Settings($settingsInfo);
     $_GET['SigAlg'] = $oldSigAlg;
     $oldSignature = $_GET['Signature'];
     unset($_GET['Signature']);
     $logoutRequest6 = new OneLogin_Saml2_LogoutRequest($settings, $encodedRequest2);
     $this->assertFalse($logoutRequest6->isValid());
     $this->assertEquals('The Message of the Logout Request is not signed and the SP require it', $logoutRequest6->getError());
     $_GET['Signature'] = $oldSignature;
     // A certificate fingerprint alone is not enough to verify a redirect-binding
     // signature; the full IdP x509cert is required.
     $settingsInfo['idp']['certFingerprint'] = 'afe71c28ef740bc87425be13a2263d37971da1f9';
     unset($settingsInfo['idp']['x509cert']);
     $settings2 = new OneLogin_Saml2_Settings($settingsInfo);
     $logoutRequest7 = new OneLogin_Saml2_LogoutRequest($settings2, $encodedRequest2);
     $this->assertFalse($logoutRequest7->isValid());
     $this->assertContains('In order to validate the sign on the Logout Request, the x509cert of the IdP is required', $logoutRequest7->getError());
 }
 /**
  * Initiates the SLO process.
  *
  * Generates a LogoutRequest, signs it for the HTTP-Redirect binding when
  * the security settings demand it (RSA-SHA1), and redirects the browser to
  * the IdP's Single Logout endpoint.
  *
  * @param string $returnTo The target URL the user should be returned to after logout.
  * @throws OneLogin_Saml2_Error when the IdP exposes no SLO endpoint
  */
 public function logout($returnTo = null)
 {
     $sloUrl = $this->getSLOurl();
     if (!isset($sloUrl)) {
         throw new OneLogin_Saml2_Error(
             'The IdP does not support Single Log Out',
             OneLogin_Saml2_Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED
         );
     }

     $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings);
     $samlRequest   = $logoutRequest->getRequest();

     // RelayState defaults to this endpoint's own URL so the IdP sends the user back here.
     $relayState = empty($returnTo) ? OneLogin_Saml2_Utils::getSelfURLNoQuery() : $returnTo;
     $parameters = array(
         'SAMLRequest' => $samlRequest,
         'RelayState'  => $relayState,
     );

     $security = $this->_settings->getSecurityData();
     $mustSign = !empty($security['logoutRequestSigned']);
     if ($mustSign) {
         $signature = $this->buildRequestSignature($samlRequest, $relayState);
         $parameters['SigAlg']    = XMLSecurityKey::RSA_SHA1;
         $parameters['Signature'] = $signature;
     }

     $this->redirectTo($sloUrl, $parameters);
 }