getResponse() public method

Returns the Logout Response as an encoded string.
public getResponse ( boolean | null $deflate = null ) : string
$deflate boolean | null Whether or not we should 'gzdeflate' the response body before we return it.
Returns string The Logout Response, deflated and base64 encoded
 /**
  * Round-trips a freshly built LogoutResponse through the redirect URL.
  *
  * Builds the response with OneLogin_Saml2_LogoutResponse, places the value
  * of getResponse() in the SAMLResponse query parameter, then reads it back
  * from the URL and checks that base64-decoding plus inflating yields a
  * <samlp:LogoutResponse> document.
  *
  * @covers OneLogin_Saml2_LogoutResponse
  */
 public function testCreateDeflatedSAMLLogoutResponseURLParameter()
 {
     $builder = new OneLogin_Saml2_LogoutResponse($this->_settings);
     $builder->build('ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e');

     // getResponse() is called without an argument here; the payload is
     // expected to come back deflated (see the gzinflate() below).
     $redirectUrl = OneLogin_Saml2_Utils::redirect(
         'http://idp.example.com/SingleLogoutService.php',
         array('SAMLResponse' => $builder->getResponse()),
         true
     );
     $this->assertRegExp('#^http://idp\\.example\\.com\\/SingleLogoutService\\.php\\?SAMLResponse=#', $redirectUrl);

     // parse_str() URL-decodes the values it extracts, so no explicit
     // urldecode() is needed before base64-decoding.
     $query = array();
     parse_str(parse_url($redirectUrl, PHP_URL_QUERY), $query);

     $xml = gzinflate(base64_decode($query['SAMLResponse']));
     $this->assertRegExp('#^<samlp:LogoutResponse#', $xml);
 }
 /**
  * Checks that the $deflate argument of getResponse() overrides the
  * compression behaviour, in both directions.
  *
  * The same base64 fixture is loaded under two settings files: with
  * getResponse(false) the payload must be plain base64, with
  * getResponse(true) it must be base64 over deflated data.
  */
 public function testWeCanChooseToDeflateAResponseBody()
 {
     $encodedFixture = file_get_contents(TEST_ROOT . '/data/logout_responses/logout_response_deflated.xml.base64');
     $settingsPath = TEST_ROOT . '/settings/';

     // Case 1: explicitly ask for NO compression. The original comment says
     // compression is turned on in settings1.php, so the argument has to win.
     // Each settings file defines $settingsInfo in the local scope.
     include $settingsPath . 'settings1.php';
     $uncompressed = new OneLogin_Saml2_LogoutResponse(
         new OneLogin_Saml2_Settings($settingsInfo),
         $encodedFixture
     );
     $this->assertRegExp(
         '#^<samlp:LogoutResponse#',
         base64_decode($uncompressed->getResponse(false))
     );

     // Case 2: explicitly ask FOR compression under settings2.php.
     // NOTE(review): the original comment claims compression is on here too;
     // presumably settings2.php turns it off - confirm against the fixture.
     include $settingsPath . 'settings2.php';
     $compressed = new OneLogin_Saml2_LogoutResponse(
         new OneLogin_Saml2_Settings($settingsInfo),
         $encodedFixture
     );
     $this->assertRegExp(
         '#^<samlp:LogoutResponse#',
         gzinflate(base64_decode($compressed->getResponse(true)))
     );
 }
Exemple #3
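 /**
  * Process the SAML Logout Response / Logout Request sent by the IdP.
  *
  * SAMLResponse, RelayState and SAMLRequest are each read from $_GET first
  * and from $_POST as a fallback. A SAMLResponse takes precedence over a
  * SAMLRequest when both are present.
  *
  * The local session is destroyed only after the message's isValid() check
  * passes. What that check covers (signature, destination, issuer) is decided
  * by the message classes and the settings, not by this method.
  *
  * @param boolean     $keepLocalSession             When false will destroy the local session, otherwise will keep it
  * @param string|null $requestId                    The ID of the LogoutRequest sent by this SP to the IdP
  * @param boolean     $retrieveParametersFromServer Passed through unchanged to isValid() of the received message
  *
  * @return mixed The value returned by redirectTo() when a LogoutRequest was answered, null otherwise
  *
  * @throws OneLogin_Saml2_Error When neither a SAMLResponse nor a SAMLRequest was received
  */
 public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false)
 {
     $this->_errors = array();

     $samlResponse = null;
     if (isset($_GET['SAMLResponse'])) {
         $samlResponse = $_GET['SAMLResponse'];
     } elseif (isset($_POST['SAMLResponse'])) {
         $samlResponse = $_POST['SAMLResponse'];
     }

     // RelayState is attacker-controllable request data that is echoed back
     // to the IdP. The POST fallback keeps the original truthiness test but
     // no longer reads an undefined index when the parameter is absent.
     $relayState = null;
     if (isset($_GET['RelayState'])) {
         $relayState = $_GET['RelayState'];
     } elseif (!empty($_POST['RelayState'])) {
         $relayState = $_POST['RelayState'];
     }

     $samlRequest = null;
     if (isset($_GET['SAMLRequest'])) {
         $samlRequest = $_GET['SAMLRequest'];
     } elseif (isset($_POST['SAMLRequest'])) {
         $samlRequest = $_POST['SAMLRequest'];
     }

     if ($samlResponse) {
         // The IdP is answering a LogoutRequest this SP sent earlier.
         $logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $samlResponse);
         if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) {
             $this->_errors[] = 'invalid_logout_response';
             $this->_errorReason = $logoutResponse->getError();
         } elseif ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
             $this->_errors[] = 'logout_not_success';
         } elseif (!$keepLocalSession) {
             OneLogin_Saml2_Utils::deleteLocalSession();
         }

         return null;
     }

     if (!$samlRequest) {
         $this->_errors[] = 'invalid_binding';
         // NOTE(review): the message names only HTTP_REDIRECT although $_POST
         // is consulted above; the text is runtime output and left unchanged.
         throw new OneLogin_Saml2_Error('SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding', OneLogin_Saml2_Error::SAML_LOGOUTMESSAGE_NOT_FOUND);
     }

     // IdP-initiated logout: validate the request, then answer it.
     $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $samlRequest);
     if (!$logoutRequest->isValid($retrieveParametersFromServer)) {
         $this->_errors[] = 'invalid_logout_request';
         $this->_errorReason = $logoutRequest->getError();

         return null;
     }

     if (!$keepLocalSession) {
         OneLogin_Saml2_Utils::deleteLocalSession();
     }

     $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
     $responseBuilder->build($logoutRequest->id);
     $logoutResponse = $responseBuilder->getResponse();

     $parameters = array('SAMLResponse' => $logoutResponse);
     if ($relayState) {
         $parameters['RelayState'] = $relayState;
     }

     $security = $this->_settings->getSecurityData();
     if (!empty($security['logoutResponseSigned'])) {
         // Without a RelayState the key is never set, so pass null explicitly
         // instead of reading an undefined index.
         $signedRelayState = isset($parameters['RelayState']) ? $parameters['RelayState'] : null;
         $signature = $this->buildResponseSignature($logoutResponse, $signedRelayState);
         // NOTE(review): the advertised algorithm is hard-coded to RSA-SHA1,
         // which is deprecated for signatures. It must stay in step with what
         // buildResponseSignature() actually signs with, so it is not changed
         // here; moving both to a SHA-2 algorithm is the fix to plan.
         $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
         $parameters['Signature'] = $signature;
     }

     // NOTE(review): the third argument is true and the result used to be
     // stored in an unused local. OneLogin_Saml2_Utils::redirect() returns the
     // URL instead of redirecting when given true; presumably redirectTo()
     // behaves the same - confirm. The value is returned so the caller can
     // deliver the LogoutResponse to the IdP rather than silently dropping it.
     return $this->redirectTo($this->getSLOurl(), $parameters, true);
 }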
Exemple #4
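 /**
  * Process the SAML Logout Response / Logout Request sent by the IdP.
  *
  * Only the query string ($_GET) is consulted. A SAMLResponse takes
  * precedence over a SAMLRequest when both are present.
  *
  * The local session is destroyed only after the message passes its
  * isValid() check. What that check covers (signature, destination, issuer)
  * is decided by the message classes and the settings, not by this method.
  *
  * @param boolean     $keepLocalSession When false will destroy the local session, otherwise will keep it
  * @param string|null $requestId        The ID of the LogoutRequest sent by this SP to the IdP
  *
  * @throws OneLogin_Saml2_Error When neither a SAMLResponse nor a SAMLRequest was received
  */
 public function processSLO($keepLocalSession = false, $requestId = null)
 {
     $this->_errors = array();

     if (isset($_GET['SAMLResponse'])) {
         // The IdP is answering a LogoutRequest this SP sent earlier.
         $logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $_GET['SAMLResponse']);
         if (!$logoutResponse->isValid($requestId)) {
             $this->_errors[] = 'invalid_logout_response';
         } elseif ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
             $this->_errors[] = 'logout_not_success';
         } elseif (!$keepLocalSession) {
             OneLogin_Saml2_Utils::deleteLocalSession();
         }

         return;
     }

     if (!isset($_GET['SAMLRequest'])) {
         $this->_errors[] = 'invalid_binding';
         throw new OneLogin_Saml2_Error('SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding', OneLogin_Saml2_Error::SAML_LOGOUTMESSAGE_NOT_FOUND);
     }

     // The request arrives as base64 over raw DEFLATE and is untrusted.
     // gzinflate() returns false on malformed data; treat that as an invalid
     // request instead of handing false to the validator.
     // NOTE(review): gzinflate() is called without a max_length cap, so a
     // small crafted parameter can expand to a large buffer; consider passing
     // a limit sized to the largest LogoutRequest the SP expects.
     $request = gzinflate(base64_decode($_GET['SAMLRequest']));
     if ($request === false || !OneLogin_Saml2_LogoutRequest::isValid($this->_settings, $request)) {
         $this->_errors[] = 'invalid_logout_request';

         return;
     }

     if (!$keepLocalSession) {
         OneLogin_Saml2_Utils::deleteLocalSession();
     }

     $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
     $responseBuilder->build(OneLogin_Saml2_LogoutRequest::getID($request));
     $logoutResponse = $responseBuilder->getResponse();

     // RelayState is request data echoed back to the IdP unchanged.
     $parameters = array('SAMLResponse' => $logoutResponse);
     if (isset($_GET['RelayState'])) {
         $parameters['RelayState'] = $_GET['RelayState'];
     }

     $security = $this->_settings->getSecurityData();
     if (!empty($security['logoutResponseSigned'])) {
         // Without a RelayState the key is never set, so pass null explicitly
         // instead of reading an undefined index.
         $signedRelayState = isset($parameters['RelayState']) ? $parameters['RelayState'] : null;
         $signature = $this->buildResponseSignature($logoutResponse, $signedRelayState);
         // NOTE(review): the advertised algorithm is hard-coded to RSA-SHA1,
         // which is deprecated for signatures. It must stay in step with what
         // buildResponseSignature() actually signs with, so it is not changed
         // here; moving both to a SHA-2 algorithm is the fix to plan.
         $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
         $parameters['Signature'] = $signature;
     }

     $this->redirectTo($this->getSLOurl(), $parameters);
 }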