/**
 * Tests the isValid method of the OneLogin_Saml2_LogoutRequest
 *
 * Exercises signature validation of a LogoutRequest received through the
 * HTTP-Redirect binding. The signed query parameters (SAMLRequest, RelayState,
 * SigAlg, Signature) are injected via $_GET and each case alters one of them,
 * or the SP settings, to check that isValid() rejects the message and reports
 * the expected reason via getError().
 *
 * @covers OneLogin_Saml2_LogoutRequest::isValid
 */
public function testIsInValidSign()
{
    $currentURL = OneLogin_Saml2_Utils::getSelfURLNoQuery();
    $this->_settings->setStrict(false);
    $_GET = array(
        'SAMLRequest' => 'lVLBitswEP0Vo7tjeWzJtki8LIRCYLvbNksPewmyPc6K2pJqyXQ/v1LSQlroQi/DMJr33rwZbZ2cJysezNms/gt+X9H55G2etBOXlx1ZFy2MdMoJLWd0wvfieP/xQcCGCrsYb3ozkRvI+wjpHC5eGU2Sw35HTg3lA8hqZFwWFcMKsStpxbEsxoLXeQN9OdY1VAgk+YqLC8gdCUQB7tyKB+281D6UaF6mtEiBPudcABcMXkiyD26Ulv6CevXeOpFlVvlunb5ttEmV3ZjlnGn8YTRO5qx0NuBs8kzpAd829tXeucmR5NH4J/203I8el6gFRUqbFPJnyEV51Wq30by4TLW0/9ZyarYTxt4sBsjUYLMZvRykl1Fxm90SXVkfwx4P++T4KSafVzmpUcVJ/sfSrQZJPphllv79W8WKGtLx0ir8IrVTqD1pT2MH3QAMSs4KTvui71jeFFiwirOmprwPkYW063+5uRq4urHiiC4e8hCX3J5wqAEGaPpw9XB5JmkBdeDqSlkz6CmUXdl0Qae5kv2F/1384wu3PwE=',
        'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
        'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
        'Signature' => 'XCwCyI5cs7WhiJlB5ktSlWxSBxv+6q2xT3c8L7dLV6NQG9LHWhN7gf8qNsahSXfCzA0Ey9dp5BQ0EdRvAk2DIzKmJY6e3hvAIEp1zglHNjzkgcQmZCcrkK9Czi2Y1WkjOwR/WgUTUWsGJAVqVvlRZuS3zk3nxMrLH6f7toyvuJc='
    );
    // Keep the inflated XML around: it is rewritten further down to build a
    // second request whose original signature no longer matches.
    $request = gzinflate(base64_decode($_GET['SAMLRequest']));
    $encodedRequest = $_GET['SAMLRequest'];

    // Non-strict mode: the untouched, signed parameters verify.
    $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
    $this->assertTrue($logoutRequest->isValid());

    // Strict mode: the same message is rejected — presumably because its
    // Destination URL differs from $currentURL (the str_replace below swaps
    // that URL in); the error text names the URL it was received at.
    $this->_settings->setStrict(true);
    $logoutRequest2 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
    $this->assertFalse($logoutRequest2->isValid());
    $this->assertContains('The LogoutRequest was received at', $logoutRequest2->getError());

    $this->_settings->setStrict(false);

    // Tampered Signature value: signature validation must fail.
    $oldSignature = $_GET['Signature'];
    $_GET['Signature'] = 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVf3333=';
    $logoutRequest3 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest);
    $this->assertFalse($logoutRequest3->isValid());
    $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());
    $_GET['Signature'] = $oldSignature;

    // Missing SigAlg: still accepted. The same object is reused here, so the
    // assertions show that isValid() re-reads $_GET on every call.
    $oldSigAlg = $_GET['SigAlg'];
    unset($_GET['SigAlg']);
    $this->assertTrue($logoutRequest3->isValid());

    // Changed RelayState: it is part of the signed string, so the signature
    // no longer verifies. $oldRelayState is saved but never restored, so the
    // remaining cases run with the modified RelayState.
    $oldRelayState = $_GET['RelayState'];
    $_GET['RelayState'] = 'http://example.com/relaystate';
    $this->assertFalse($logoutRequest3->isValid());
    $this->assertContains('Signature validation failed. Logout Request rejected', $logoutRequest3->getError());

    // Rewrite two URLs inside the XML (presumably Destination and Issuer),
    // re-deflate and re-encode it. The Signature in $_GET was computed over
    // the original SAMLRequest, so it fails in strict and non-strict mode.
    $this->_settings->setStrict(true);
    $request2 = str_replace('https://pitbulk.no-ip.org/newonelogin/demo1/index.php?sls', $currentURL, $request);
    $request2 = str_replace('https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php', 'http://idp.example.com/', $request2);
    $deflatedRequest2 = gzdeflate($request2);
    $encodedRequest2 = base64_encode($deflatedRequest2);
    $_GET['SAMLRequest'] = $encodedRequest2;
    $logoutRequest4 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
    $this->assertFalse($logoutRequest4->isValid());
    $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest4->getError());

    $this->_settings->setStrict(false);
    $logoutRequest5 = new OneLogin_Saml2_LogoutRequest($this->_settings, $encodedRequest2);
    $this->assertFalse($logoutRequest5->isValid());
    $this->assertEquals('Signature validation failed. Logout Request rejected', $logoutRequest5->getError());

    // Unsupported SigAlg (DSA-SHA1) is rejected with a dedicated error.
    $_GET['SigAlg'] = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
    $this->assertFalse($logoutRequest5->isValid());
    $this->assertEquals('Invalid signAlg in the recieved Logout Request', $logoutRequest5->getError());

    // Fresh settings that require signed messages (settings1.php is expected
    // to define $settingsInfo): a request without a Signature parameter is
    // rejected instead of being accepted unsigned.
    $settingsDir = TEST_ROOT . '/settings/';
    include $settingsDir . 'settings1.php';
    $settingsInfo['strict'] = true;
    $settingsInfo['security']['wantMessagesSigned'] = true;
    $settings = new OneLogin_Saml2_Settings($settingsInfo);
    $_GET['SigAlg'] = $oldSigAlg;
    $oldSignature = $_GET['Signature'];
    unset($_GET['Signature']);
    $logoutRequest6 = new OneLogin_Saml2_LogoutRequest($settings, $encodedRequest2);
    $this->assertFalse($logoutRequest6->isValid());
    $this->assertEquals('The Message of the Logout Request is not signed and the SP require it', $logoutRequest6->getError());
    $_GET['Signature'] = $oldSignature;

    // Only a certificate fingerprint, no IdP x509cert: the signature cannot
    // be verified at all, so the request is rejected with that reason.
    $settingsInfo['idp']['certFingerprint'] = 'afe71c28ef740bc87425be13a2263d37971da1f9';
    unset($settingsInfo['idp']['x509cert']);
    $settings2 = new OneLogin_Saml2_Settings($settingsInfo);
    $logoutRequest7 = new OneLogin_Saml2_LogoutRequest($settings2, $encodedRequest2);
    $this->assertFalse($logoutRequest7->isValid());
    $this->assertContains('In order to validate the sign on the Logout Request, the x509cert of the IdP is required', $logoutRequest7->getError());
}
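/**
 * Process the SAML Logout Response / Logout Request sent by the IdP.
 *
 * The SLO message is read from the HTTP-Redirect ($_GET) parameters first and
 * from the HTTP-POST ($_POST) parameters otherwise. A LogoutResponse is
 * validated and, when valid and successful, the local session is closed. A
 * LogoutRequest is validated, the local session is closed, and a LogoutResponse
 * referencing the request's ID is built (signed when the 'logoutResponseSigned'
 * security setting is enabled) and handed to redirectTo() for the IdP's SLO URL.
 *
 * Validation failures are not thrown: they are recorded in $this->_errors, with
 * the reason from the message object in $this->_errorReason. Callers must check
 * those before treating the logout as completed.
 *
 * @param boolean $keepLocalSession             When false will destroy the local session, otherwise will keep it
 * @param string  $requestId                    The ID of the LogoutRequest sent by this SP to the IdP
 * @param boolean $retrieveParametersFromServer Passed through to isValid(); see that method for its meaning
 *
 * @return mixed The result of redirectTo() in the LogoutRequest case, null otherwise
 *
 * @throws OneLogin_Saml2_Error When neither a SAMLResponse nor a SAMLRequest parameter is present
 */
public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false)
{
    $this->_errors = array();

    $samlResponse = self::_readSLOParameter('SAMLResponse');
    $samlRequest = self::_readSLOParameter('SAMLRequest');
    $relayState = self::_readSLOParameter('RelayState');

    if ($samlResponse) {
        $logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $samlResponse);
        if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) {
            $this->_errors[] = 'invalid_logout_response';
            $this->_errorReason = $logoutResponse->getError();
        } elseif ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
            $this->_errors[] = 'logout_not_success';
        } elseif (!$keepLocalSession) {
            // Only a valid, successful response from the IdP ends the local session.
            OneLogin_Saml2_Utils::deleteLocalSession();
        }
        return null;
    }

    if (!$samlRequest) {
        $this->_errors[] = 'invalid_binding';
        throw new OneLogin_Saml2_Error(
            'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
            OneLogin_Saml2_Error::SAML_LOGOUTMESSAGE_NOT_FOUND
        );
    }

    $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, $samlRequest);
    if (!$logoutRequest->isValid($retrieveParametersFromServer)) {
        $this->_errors[] = 'invalid_logout_request';
        $this->_errorReason = $logoutRequest->getError();
        return null;
    }

    if (!$keepLocalSession) {
        OneLogin_Saml2_Utils::deleteLocalSession();
    }

    // Answer the IdP with a LogoutResponse that references the request it sent.
    $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
    $responseBuilder->build($logoutRequest->id);
    $logoutResponse = $responseBuilder->getResponse();

    $parameters = array('SAMLResponse' => $logoutResponse);
    if ($relayState) {
        $parameters['RelayState'] = $relayState;
    }

    $security = $this->_settings->getSecurityData();
    if (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned']) {
        // RelayState is only covered by the signature when it is actually sent
        // back; reading the key unconditionally raised a notice when absent.
        $signedRelayState = isset($parameters['RelayState']) ? $parameters['RelayState'] : null;
        $signature = $this->buildResponseSignature($logoutResponse, $signedRelayState);
        // NOTE(review): the outgoing algorithm is fixed to RSA-SHA1; SHA-1 is
        // weak for signatures, but changing it affects IdP interoperability.
        $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
        $parameters['Signature'] = $signature;
    }

    // NOTE(review): the third argument (true) suggests redirectTo() may return
    // the URL instead of redirecting; the original discarded that value, it is
    // now handed back to the caller. Confirm against redirectTo().
    return $this->redirectTo($this->getSLOurl(), $parameters, true);
}

/**
 * Read one SLO parameter from the request, preferring HTTP-Redirect ($_GET)
 * over HTTP-POST ($_POST).
 *
 * @param string $name Parameter name (SAMLResponse, SAMLRequest or RelayState)
 *
 * @return mixed The raw request value, or null when absent from both
 */
private static function _readSLOParameter($name)
{
    if (isset($_GET[$name])) {
        return $_GET[$name];
    }
    if (isset($_POST[$name])) {
        return $_POST[$name];
    }
    return null;
}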
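/**
 * Process the SAML Logout Response / Logout Request sent by the IdP.
 *
 * Only the HTTP-Redirect binding is handled: the message is read from $_GET.
 * A LogoutResponse is validated and, when valid and successful, the local
 * session is closed. A LogoutRequest is base64-decoded, inflated and validated;
 * on success the local session is closed and a LogoutResponse referencing the
 * request's ID is built (signed when 'logoutResponseSigned' is enabled) and
 * sent to the IdP's SLO URL through redirectTo().
 *
 * Validation failures are recorded in $this->_errors rather than thrown, so
 * callers must check them before treating the logout as completed.
 *
 * @param boolean $keepLocalSession When false will destroy the local session, otherwise will keep it
 * @param string $requestId The ID of the LogoutRequest sent by this SP to the IdP
 *
 * @throws OneLogin_Saml2_Error When neither SAMLResponse nor SAMLRequest is present in $_GET
 */
public function processSLO($keepLocalSession = false, $requestId = null)
{
    $this->_errors = array();

    if (isset($_GET['SAMLResponse'])) {
        $logoutResponse = new OneLogin_Saml2_LogoutResponse($this->_settings, $_GET['SAMLResponse']);
        if (!$logoutResponse->isValid($requestId)) {
            $this->_errors[] = 'invalid_logout_response';
        } elseif ($logoutResponse->getStatus() !== OneLogin_Saml2_Constants::STATUS_SUCCESS) {
            $this->_errors[] = 'logout_not_success';
        } elseif (!$keepLocalSession) {
            // Only a valid, successful response from the IdP ends the local session.
            OneLogin_Saml2_Utils::deleteLocalSession();
        }
        return;
    }

    if (!isset($_GET['SAMLRequest'])) {
        $this->_errors[] = 'invalid_binding';
        throw new OneLogin_Saml2_Error(
            'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
            OneLogin_Saml2_Error::SAML_LOGOUTMESSAGE_NOT_FOUND
        );
    }

    // HTTP-Redirect carries the request DEFLATE-compressed and base64-encoded.
    // An undecodable value used to reach isValid() as false; reject it here
    // explicitly instead of relying on the validator to cope with it.
    $decoded = base64_decode($_GET['SAMLRequest']);
    $request = gzinflate($decoded);
    if ($request === false || !OneLogin_Saml2_LogoutRequest::isValid($this->_settings, $request)) {
        $this->_errors[] = 'invalid_logout_request';
        return;
    }

    if (!$keepLocalSession) {
        OneLogin_Saml2_Utils::deleteLocalSession();
    }

    // Answer the IdP with a LogoutResponse that references the request it sent.
    $inResponseTo = OneLogin_Saml2_LogoutRequest::getID($request);
    $responseBuilder = new OneLogin_Saml2_LogoutResponse($this->_settings);
    $responseBuilder->build($inResponseTo);
    $logoutResponse = $responseBuilder->getResponse();

    $parameters = array('SAMLResponse' => $logoutResponse);
    if (isset($_GET['RelayState'])) {
        $parameters['RelayState'] = $_GET['RelayState'];
    }

    $security = $this->_settings->getSecurityData();
    if (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned']) {
        // RelayState is only covered by the signature when it is actually sent
        // back; reading the key unconditionally raised a notice when absent.
        $signedRelayState = isset($parameters['RelayState']) ? $parameters['RelayState'] : null;
        $signature = $this->buildResponseSignature($logoutResponse, $signedRelayState);
        // NOTE(review): the outgoing algorithm is fixed to RSA-SHA1; SHA-1 is
        // weak for signatures, but changing it affects IdP interoperability.
        $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
        $parameters['Signature'] = $signature;
    }

    $this->redirectTo($this->getSLOurl(), $parameters);
}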