Beispiel #1
 * from the request into the session object to be used later.
 *
 */
if (isset($_REQUEST['SAMLRequest'])) {
    try {
        $binding = SAML2_Binding::getCurrentBinding();
        $authnrequest = $binding->receive();
        if (!$authnrequest instanceof SAML2_AuthnRequest) {
            throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
        }
        $requestid = $authnrequest->getId();
        $issuer = $authnrequest->getIssuer();
        if ($issuer === NULL) {
            throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
        }
        sspmod_saml2_Message::validateMessage($metadata->getMetaDataConfig($issuer, 'saml20-sp-remote'), $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted'), $authnrequest);
        /*
         * Create an assoc array of the request to store in the session cache.
         */
        $requestcache = array('RequestID' => $requestid, 'Issuer' => $issuer, 'RelayState' => $authnrequest->getRelayState());
        $spentityid = $requestcache['Issuer'];
        $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote');
        $consumerURL = $authnrequest->getAssertionConsumerServiceURL();
        if ($consumerURL !== NULL) {
            $consumerArray = SimpleSAML_Utilities::arrayize($spmetadata['AssertionConsumerService']);
            if (in_array($consumerURL, $consumerArray, TRUE)) {
                $requestcache['ConsumerURL'] = $consumerURL;
            } else {
                SimpleSAML_Logger::warning('Authentication request from ' . var_export($spentityid, TRUE) . ' contains invalid AssertionConsumerService URL. Was ' . var_export($consumerURL, TRUE) . ', could be ' . var_export($consumerArray, TRUE) . '.');
            }
        }
     */
} elseif (isset($_REQUEST['SAMLResponse'])) {
    SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: Got SAML response');
    $binding = SAML2_Binding::getCurrentBinding();
    try {
        $logoutResponse = $binding->receive();
        if (!$logoutResponse instanceof SAML2_LogoutResponse) {
            throw new Exception('Received a response which wasn\'t a LogoutResponse ' . 'on logout endpoint. Was: ' . get_class($logoutResponse));
        }
        $spEntityId = $logoutResponse->getIssuer();
        if ($spEntityId === NULL) {
            throw new Exception('Missing issuer in logout response.');
        }
        SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: SAML response parsed. Issuer is: ' . $spEntityId);
        $spMetadata = $metadata->getMetadataConfig($spEntityId, 'saml20-sp-remote');
        sspmod_saml2_Message::validateMessage($spMetadata, $idpMetadata, $logoutResponse);
    } catch (Exception $exception) {
        SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTRESPONSE', $exception);
    }
    /* Fetch the $logoutInfo variable based on the InResponseTo attribute of the response. */
    fetchLogoutInfo($logoutResponse->getInResponseTo());
    $session->set_sp_logout_completed($spEntityId);
    SimpleSAML_Logger::info('SAML2.0 - IDP.SingleLogoutService: got LogoutResponse from ' . $spEntityId);
} elseif (array_key_exists('LogoutID', $_GET)) {
    /* This is a response from bridged SLO. */
    SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: Got response from bridged SLO.');
    /* Fetch the $logoutInfo variable. */
    fetchLogoutInfo($_GET['LogoutID']);
} elseif (array_key_exists('ReturnTo', $_GET)) {
    /* We have a ReturnTo - this is IdP initialized SLO. */
    $logoutInfo['RelayState'] = $_GET['ReturnTo'];
Beispiel #3
/* Look up the configured authentication source that owns this logout endpoint. */
$source = SimpleSAML_Auth_Source::getById($sourceId);
if (null === $source) {
    throw new Exception(sprintf('Could not find authentication source with id %s', $sourceId));
}

/* Read the incoming SAML message off whatever binding the current request uses. */
$binding = SAML2_Binding::getCurrentBinding();
$message = $binding->receive();

/* The issuer identifies the remote IdP; without it there is no metadata to resolve and nobody to answer. */
$idpEntityId = $message->getIssuer();
if (null === $idpEntityId) {
    throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.');
}

/*
 * Resolve metadata for both parties and validate the message against it
 * (presumably including signature checks - confirm in sspmod_saml2_Message)
 * before anything downstream acts on its contents.
 */
$spEntityId = $source->getEntityId();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
$spMetadata = $source->getMetadata();
sspmod_saml2_Message::validateMessage($idpMetadata, $spMetadata, $message);
if ($message instanceof SAML2_LogoutResponse) {
    $relayState = $message->getRelayState();
    if ($relayState === NULL) {
        /* Somehow, our RelayState has been lost. */
        throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.');
    }
    if (!$message->isSuccess()) {
        SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml2_Message::getResponseError($message));
    }
    $state = SimpleSAML_Auth_State::loadState($relayState, sspmod_saml2_Auth_Source_SP::STAGE_LOGOUTSENT);
    SimpleSAML_Auth_Source::completeLogout($state);
} elseif ($message instanceof SAML2_LogoutRequest) {
    SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId);
    SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
    /* Notify source of logout, so that it may call logout callbacks. */
 * If we get a LogoutRequest, we initiate the logout process.
 */
if (isset($_REQUEST['SAMLRequest'])) {
    SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: Got SAML reuqest');
    $binding = SAML2_Binding::getCurrentBinding();
    try {
        $logoutrequest = $binding->receive();
        if (!$logoutrequest instanceof SAML2_LogoutRequest) {
            throw new Exception('Not a valid logout request.');
        }
        $spEntityId = $logoutrequest->getIssuer();
        if ($spEntityId === NULL) {
            throw new Exception('Missing issuer in logout request.');
        }
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
        sspmod_saml2_Message::validateMessage($spMetadata, $idpMetadata, $logoutrequest);
    } catch (Exception $exception) {
        SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception);
    }
    // Extract some parameters from the logout request
    #$requestid = $logoutrequest->getRequestID();
    $requester = $logoutrequest->getIssuer();
    #$relayState = $logoutrequest->getRelayState();
    $responder = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
    SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $logoutrequest->getIssuer());
    SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $requester . ' ' . $responder);
    $session->doLogout();
    /* Fill in the $logoutInfo associative array with information about this logout request. */
    $logoutInfo['Issuer'] = $logoutrequest->getIssuer();
    $logoutInfo['RequestID'] = $logoutrequest->getId();
    $relayState = $logoutrequest->getRelayState();