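/**
 * Single Logout Service (SLS) endpoint.
 *
 * Two POST shapes reach this action:
 *  - a bare RelayState, in which case the visitor is sent back to it;
 *  - a SAMLRequest carrying an IdP-initiated LogoutRequest, in which case the
 *    first SessionIndex is resolved to a Magento session id through the
 *    hukmedia_wso2/sessionindex model, both the current and the mapped
 *    session are destroyed, and the mapping row is deleted.
 *
 * Invalid or unresolvable requests are answered with HTTP 400 and logged
 * instead of touching any session.
 */
public function slsAction()
{
    $request = $this->getRequest();

    // RelayState is caller-controlled POST data. Only follow it when it points
    // back into this store; otherwise this endpoint doubles as an open redirect.
    $relayState = $request->getPost('RelayState');
    if ($relayState) {
        if (strpos($relayState, Mage::getBaseUrl()) === 0) {
            $this->_redirectUrl($relayState);
        } else {
            Mage::log('WSO2 SLS: refusing off-site RelayState redirect', Zend_Log::WARN);
            $this->_redirect('/');
        }
        return;
    }

    $samlRequest = $request->getPost('SAMLRequest');
    $oneLoginSettings = new OneLogin_Saml2_Settings(
        Mage::helper('hukmedia_wso2/config')->getWso2SamlConfig()
    );
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($oneLoginSettings, $samlRequest);

    // Validate the LogoutRequest (issuer, destination, expiry, signature) before
    // acting on it; without this anyone able to guess a session index could log
    // that user out. NOTE(review): isValid() takes the signature from the request
    // parameters the toolkit expects for its binding — confirm that matches the
    // binding WSO2 uses to post here.
    if (!$logoutRequest->isValid()) {
        Mage::log('WSO2 SLS: invalid LogoutRequest: ' . $logoutRequest->getError(), Zend_Log::WARN);
        $this->getResponse()->setHttpResponseCode(400);
        return;
    }

    $logoutRequestRaw = $logoutRequest->getRequestRaw();
    // current() yields false on an empty list; treat a request without any
    // SessionIndex as malformed rather than looking up an empty key.
    $sessionIndex = current($logoutRequest->getSessionIndexes($logoutRequestRaw));
    if ($sessionIndex === false) {
        Mage::log('WSO2 SLS: LogoutRequest carries no SessionIndex', Zend_Log::WARN);
        $this->getResponse()->setHttpResponseCode(400);
        return;
    }

    $sessionIndexModel = Mage::getModel('hukmedia_wso2/sessionindex');
    $sessionIndexModel->loadBySessionIndex($sessionIndex);
    $magentoSessionId = $sessionIndexModel->getMagentoSessionId();

    // Destroy the session attached to the incoming WSO2 logout request.
    session_destroy();

    // Destroy the Magento customer session recorded for this SessionIndex by
    // re-opening it under its stored id. This bypasses Mage's session classes
    // (the original author flagged it as a workaround); a cleaner way would be
    // a core/session API that loads a session by id, if one is available.
    if ($magentoSessionId) {
        session_id($magentoSessionId);
        session_start();
        session_destroy();
    }

    $sessionIndexModel->delete();
}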
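/**
 * Get URL to follow to get logged out via SAML Single Logout.
 *
 * @return string|null The configured SAML_SLO endpoint with a URL-encoded
 *                     LogoutRequest appended as the SAMLRequest query
 *                     parameter, or null when SAML_SLO is not configured.
 */
public function getLogoutUrl()
{
    // SAML_SLO is the IdP's Single Logout endpoint; no SLO without it.
    if (empty($GLOBALS['sugar_config']['SAML_SLO'])) {
        return null;
    }

    $auth = new OneLogin_Saml2_Auth(SAMLAuthenticate::loadSettings());
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($auth->getSettings());

    // NOTE(review): the request goes out unsigned and without RelayState; if the
    // IdP requires signed LogoutRequests, SigAlg/Signature must be added here.
    return $GLOBALS['sugar_config']['SAML_SLO']
        . '?SAMLRequest=' . urlencode($logoutRequest->getRequest());
}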
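/**
 * Tests the logout method of the OneLogin_Saml2_Auth class
 * Case nameID loaded after process SAML Response
 *
 * The NameID learned from the processed SAMLResponse must be the one that
 * ends up in the LogoutRequest sent to the IdP's SLO endpoint.
 *
 * @covers OneLogin_Saml2_Auth::logout
 * @runInSeparateProcess
 */
public function testLogoutNameID()
{
    $message = file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64');
    $_POST['SAMLResponse'] = $message;
    $this->_auth->processResponse();
    $nameIdFromResponse = $this->_auth->getNameId();

    try {
        // logout() redirects; under PHPUnit the header() call throws because
        // output has already started, which is what the catch below relies on.
        $this->_auth->logout();
        // Do not ever get here
        $this->assertFalse(true);
    } catch (Exception $e) {
        $this->assertContains('Cannot modify header information', $e->getMessage());

        // Recover the redirect target from the stack trace and inspect its query.
        $trace = $e->getTrace();
        $targetUrl = getUrlFromRedirect($trace);
        $parsedQuery = getParamsFromUrl($targetUrl);

        $sloUrl = $this->_settingsInfo['idp']['singleLogoutService']['url'];
        $this->assertContains($sloUrl, $targetUrl);
        $this->assertArrayHasKey('SAMLRequest', $parsedQuery);

        // SAMLRequest is deflated + base64 (HTTP-Redirect binding).
        $logoutRequest = gzinflate(base64_decode($parsedQuery['SAMLRequest']));
        $nameIdFromRequest = OneLogin_Saml2_LogoutRequest::getNameId($logoutRequest);
        $this->assertEquals($nameIdFromResponse, $nameIdFromRequest);
    }
}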
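/**
 * Initiates the SLO process.
 *
 * Builds a LogoutRequest, optionally signs it per the 'logoutRequestSigned'
 * security setting, and redirects the browser to the IdP's SLO endpoint
 * using the HTTP-Redirect binding.
 *
 * @param string $returnTo     The target URL the user should be returned to after logout.
 *                             Defaults to the current self-routed URL without query.
 * @param array  $parameters   Extra parameters to be added to the GET
 * @param string $nameId       The NameID that will be set in the LogoutRequest.
 *                             Falls back to the NameID of the last processed response.
 * @param string $sessionIndex The SessionIndex (taken from the SAML Response in the SSO process).
 *
 * @return mixed Whatever redirectTo() returns.
 *
 * @throws OneLogin_Saml2_Error When the IdP declares no SLO endpoint.
 */
public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null)
{
    // String-form assert() is deprecated since PHP 7.2 and removed in 8.0;
    // the expression form is equivalent when assertions are enabled.
    assert(is_array($parameters));

    $sloUrl = $this->getSLOurl();
    if (empty($sloUrl)) {
        throw new OneLogin_Saml2_Error(
            'The IdP does not support Single Log Out',
            OneLogin_Saml2_Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED
        );
    }

    // Prefer the NameID remembered from the SSO response when none is given.
    if (empty($nameId) && !empty($this->_nameid)) {
        $nameId = $this->_nameid;
    }

    $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex);
    $samlRequest = $logoutRequest->getRequest();

    $parameters['SAMLRequest'] = $samlRequest;
    if (!empty($returnTo)) {
        $parameters['RelayState'] = $returnTo;
    } else {
        $parameters['RelayState'] = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
    }

    // The signature covers SAMLRequest, RelayState and SigAlg as query parameters.
    $security = $this->_settings->getSecurityData();
    if (isset($security['logoutRequestSigned']) && $security['logoutRequestSigned']) {
        $signature = $this->buildRequestSignature(
            $samlRequest,
            $parameters['RelayState'],
            $security['signatureAlgorithm']
        );
        $parameters['SigAlg'] = $security['signatureAlgorithm'];
        $parameters['Signature'] = $signature;
    }

    return $this->redirectTo($sloUrl, $parameters);
}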
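* additional information regarding copyright ownership.
* The Apereo Foundation licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except in
* compliance with the License. You may obtain a copy of the License at:
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

// SP-initiated Single Logout: build a LogoutRequest for the IdP's SLO
// endpoint (HTTP-Redirect binding) and send the browser there.

session_start();

require_once '_toolkit_loader.php';

$samlSettings = new OneLogin_Saml2_Settings();
$idpData = $samlSettings->getIdPData();

if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) {
    $sloUrl = $idpData['singleLogoutService']['url'];
} else {
    throw new Exception("The IdP does not support Single Log Out");
}

// Carry the IdP SessionIndex remembered at login so the IdP can match the session.
// NOTE(review): it is passed as the third constructor argument; in toolkit
// versions whose constructor is ($settings, $request, $nameId, $sessionIndex)
// that slot is $nameId — confirm against the bundled toolkit.
if (!empty($_SESSION['IdPSessionIndex'])) {
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($samlSettings, null, $_SESSION['IdPSessionIndex']);
} else {
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($samlSettings);
}

$samlRequest = $logoutRequest->getRequest();
$parameters = array('SAMLRequest' => $samlRequest);

// The third argument ("stay") makes redirect() return the URL instead of
// emitting the header itself.
$url = OneLogin_Saml2_Utils::redirect($sloUrl, $parameters, true);
header("Location: {$url}");
// Stop here so nothing after the redirect header runs or is rendered.
exit;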
/**
 * Tests the isValid method of the OneLogin_Saml2_LogoutRequest
 *
 * Exercises signature validation of a deflated HTTP-Redirect LogoutRequest
 * by mutating $_GET (Signature, SigAlg, RelayState, SAMLRequest) and the
 * settings (strict mode, wantMessagesSigned, IdP cert vs. fingerprint)
 * between assertions. Note that $_GET is replaced wholesale and not restored.
 *
 * @covers OneLogin_Saml2_LogoutRequest::isValid
 */
public function testIsInValidSign()
{
    $currentURL = OneLogin_Saml2_Utils::getSelfURLNoQuery();
    $this->_settings->setStrict(false);
    // Fixture: a signed LogoutRequest as it would arrive on the query string.
    $_GET = array(
        'SAMLRequest' => 'lVLBitswEP0Vo7tjeWzJtki8LIRCYLvbNksPewmyPc6K2pJqyXQ/v1LSQlroQi/DMJr33rwZbZ2cJysezNms/gt+X9H55G2etBOXlx1ZFy2MdMoJLWd0wvfieP/xQcCGCrsYb3ozkRvI+wjpHC5eGU2Sw35HTg3lA8hqZFwWFcMKsStpxbEsxoLXeQN9OdY1VAgk+YqLC8gdCUQB7tyKB+281D6UaF6mtEiBPudcABcMXkiyD26Ulv6CevXeOpFlVvlunb5ttEmV3ZjlnGn8YTRO5qx0NuBs8kzpAd829tXeucmR5NH4J/203I8el6gFRUqbFPJnyEV51Wq30by4TLW0/9ZyarYTxt4sBsjUYLMZvRykl1Fxm90SXVkfwx4P++T4KSafVzmpUcVJ/sfSrQZJPphllv79W8WKGtLx0ir8IrVTqD1pT2MH3QAMSs4KTvui71jeFFiwirOmprwPkYW063+5uRq4urHiiC4e8hCX3J5wqAEGaPpw9XB5JmkBdeDqSlkz6CmUXdl0Qae5kv2F/1384wu3PwE=',
        'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
        'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
        'Signature' => 'XCwCyI5cs7WhiJlB5ktSlWxSBxv+6q2xT3c8L7dLV6NQG9LHWhN7gf8qNsahSXfCzA0Ey9dp5BQ0EdRvAk2DIzKmJY6e3hvAIEp1zglHNjzkgcQmZCcrkK9Czi2Y1WkjOwR/WgUTUWsGJAVqVvlRZuS3zk3nxMrLH6f7toyvuJc='
    );
    // Keep the inflated XML around: later steps rewrite its URLs and re-encode it.
    $request = gzinflate(base64_decode($_GET['SAMLRequest']));
    $encodedRequest = $_GET['SAMLRequest'];

    // Non-strict: the untouched, correctly signed request validates.
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
    $this->assertTrue($logoutRequest->isValid());

    // Strict: the Destination inside the message does not match the URL it
    // was received at, so the same request is rejected.
    $this->_settings->setStrict(true);
    $logoutRequest2 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
    $this->assertFalse($logoutRequest2->isValid());
    $this->assertContains('The LogoutRequest was received at', $logoutRequest2->getError());

    // Non-strict again, but with a garbage Signature value.
    $this->_settings->setStrict(false);
    $oldSignature = $_GET['Signature'];
    $_GET['Signature'] = 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVf3333=';
    $logoutRequest3 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
    $this->assertFalse($logoutRequest3->isValid());
    $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());

    // Restore the real Signature; dropping SigAlg alone still validates
    // (presumably a default algorithm is assumed — see toolkit).
    $_GET['Signature'] = $oldSignature;
    $oldSigAlg = $_GET['SigAlg'];
    unset($_GET['SigAlg']);
    $this->assertTrue($logoutRequest3->isValid());

    // RelayState is part of the signed data: changing it breaks the signature.
    // ($oldRelayState is saved but never restored below.)
    $oldRelayState = $_GET['RelayState'];
    $_GET['RelayState'] = 'http://example.com/relaystate';
    $this->assertFalse($logoutRequest3->isValid());
    $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());

    // Rewrite Destination/Issuer in the XML so strict checks pass, then
    // re-encode; the old Signature no longer matches the modified message.
    $this->_settings->setStrict(true);
    $request2 = str_replace('https://pitbulk.no-ip.org/newonelogin/demo1/index.php?sls', $currentURL, $request);
    $request2 = str_replace('https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php', 'http://idp.example.com/', $request2);
    $deflatedRequest2 = gzdeflate($request2);
    $encodedRequest2 = base64_encode($deflatedRequest2);
    $_GET['SAMLRequest'] = $encodedRequest2;
    $logoutRequest4 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
    $this->assertFalse($logoutRequest4->isValid());
    $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest4->getError());

    // Same modified message, non-strict: signature failure is reported regardless.
    $this->_settings->setStrict(false);
    $logoutRequest5 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
    $this->assertFalse($logoutRequest5->isValid());
    $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest5->getError());

    // An unsupported SigAlg is rejected before any signature check.
    $_GET['SigAlg'] = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
    $this->assertFalse($logoutRequest5->isValid());
    $this->assertEquals('Invalid signAlg in the recieved Logout Request', $logoutRequest5->getError());

    // Fresh settings from the fixture file, strict and requiring signed messages.
    $settingsDir = TEST_ROOT . '/settings/';
    include $settingsDir . 'settings1.php';
    $settingsInfo['strict'] = true;
    $settingsInfo['security']['wantMessagesSigned'] = true;
    $settings = new OneLogin_Saml2_Settings($settingsInfo);

    // With wantMessagesSigned, a request lacking Signature is rejected outright.
    $_GET['SigAlg'] = $oldSigAlg;
    $oldSignature = $_GET['Signature'];
    unset($_GET['Signature']);
    $logoutRequest6 = new OneLogin_Saml2_LogoutRequest($settings, $encodedRequest2);
    $this->assertFalse($logoutRequest6->isValid());
    $this->assertEquals('The Message of the Logout Request is not signed and the SP require it', $logoutRequest6->getError());
    $_GET['Signature'] = $oldSignature;

    // A fingerprint alone is not enough to verify a redirect-binding
    // signature; the IdP x509cert itself is required.
    $settingsInfo['idp']['certFingerprint'] = 'afe71c28ef740bc87425be13a2263d37971da1f9';
    unset($settingsInfo['idp']['x509cert']);
    $settings2 = new OneLogin_Saml2_Settings($settingsInfo);
    $logoutRequest7 = new OneLogin_Saml2_LogoutRequest($settings2, $encodedRequest2);
    $this->assertFalse($logoutRequest7->isValid());
    $this->assertContains('In order to validate the sign on the Logout Request, the x509cert of the IdP is required', $logoutRequest7->getError());
}
/**
 * Initiates the SLO process.
 *
 * Creates a LogoutRequest, attaches RelayState (the given return URL or the
 * current URL without query), signs the query with RSA-SHA1 when
 * 'logoutRequestSigned' is enabled, and redirects to the IdP SLO endpoint.
 *
 * @param string $returnTo The target URL the user should be returned to after logout.
 *
 * @throws OneLogin_Saml2_Error When the IdP declares no SLO endpoint.
 */
public function logout($returnTo = null)
{
    $sloUrl = $this->getSLOurl();
    if (!isset($sloUrl)) {
        throw new OneLogin_Saml2_Error(
            'The IdP does not support Single Log Out',
            OneLogin_Saml2_Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED
        );
    }

    $request = new OneLogin_Saml2_LogoutRequest($this->_settings);
    $encodedRequest = $request->getRequest();

    $relayState = empty($returnTo)
        ? OneLogin_Saml2_Utils::getSelfURLNoQuery()
        : $returnTo;

    $parameters = array(
        'SAMLRequest' => $encodedRequest,
        'RelayState' => $relayState,
    );

    // Signature covers SAMLRequest + RelayState (+ SigAlg) of the redirect query.
    $security = $this->_settings->getSecurityData();
    if (!empty($security['logoutRequestSigned'])) {
        $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
        $parameters['Signature'] = $this->buildRequestSignature($encodedRequest, $relayState);
    }

    $this->redirectTo($sloUrl, $parameters);
}