* from the request into the session object to be used later. * */ if (isset($_REQUEST['SAMLRequest'])) { try { $binding = SAML2_Binding::getCurrentBinding(); $authnrequest = $binding->receive(); if (!$authnrequest instanceof SAML2_AuthnRequest) { throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.'); } $requestid = $authnrequest->getId(); $issuer = $authnrequest->getIssuer(); if ($issuer === NULL) { throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.'); } sspmod_saml2_Message::validateMessage($metadata->getMetaDataConfig($issuer, 'saml20-sp-remote'), $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted'), $authnrequest); /* * Create an assoc array of the request to store in the session cache. */ $requestcache = array('RequestID' => $requestid, 'Issuer' => $issuer, 'RelayState' => $authnrequest->getRelayState()); $spentityid = $requestcache['Issuer']; $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote'); $consumerURL = $authnrequest->getAssertionConsumerServiceURL(); if ($consumerURL !== NULL) { $consumerArray = SimpleSAML_Utilities::arrayize($spmetadata['AssertionConsumerService']); if (in_array($consumerURL, $consumerArray, TRUE)) { $requestcache['ConsumerURL'] = $consumerURL; } else { SimpleSAML_Logger::warning('Authentication request from ' . var_export($spentityid, TRUE) . ' contains invalid AssertionConsumerService URL. Was ' . var_export($consumerURL, TRUE) . ', could be ' . var_export($consumerArray, TRUE) . '.'); } }
*/ } elseif (isset($_REQUEST['SAMLResponse'])) { SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: Got SAML response'); $binding = SAML2_Binding::getCurrentBinding(); try { $logoutResponse = $binding->receive(); if (!$logoutResponse instanceof SAML2_LogoutResponse) { throw new Exception('Received a response which wasn\'t a LogoutResponse ' . 'on logout endpoint. Was: ' . get_class($logoutResponse)); } $spEntityId = $logoutResponse->getIssuer(); if ($spEntityId === NULL) { throw new Exception('Missing issuer in logout response.'); } SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: SAML response parsed. Issuer is: ' . $spEntityId); $spMetadata = $metadata->getMetadataConfig($spEntityId, 'saml20-sp-remote'); sspmod_saml2_Message::validateMessage($spMetadata, $idpMetadata, $logoutResponse); } catch (Exception $exception) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTRESPONSE', $exception); } /* Fetch the $logoutInfo variable based on the InResponseTo attribute of the response. */ fetchLogoutInfo($logoutResponse->getInResponseTo()); $session->set_sp_logout_completed($spEntityId); SimpleSAML_Logger::info('SAML2.0 - IDP.SingleLogoutService: got LogoutResponse from ' . $spEntityId); } elseif (array_key_exists('LogoutID', $_GET)) { /* This is a response from bridged SLO. */ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: Got response from bridged SLO.'); /* Fetch the $logoutInfo variable. */ fetchLogoutInfo($_GET['LogoutID']); } elseif (array_key_exists('ReturnTo', $_GET)) { /* We have a ReturnTo - this is IdP initialized SLO. */ $logoutInfo['RelayState'] = $_GET['ReturnTo'];
$source = SimpleSAML_Auth_Source::getById($sourceId); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $sourceId); } $binding = SAML2_Binding::getCurrentBinding(); $message = $binding->receive(); $idpEntityId = $message->getIssuer(); if ($idpEntityId === NULL) { /* Without an issuer we have no way to respond to the message. */ throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.'); } $spEntityId = $source->getEntityId(); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote'); $spMetadata = $source->getMetadata(); sspmod_saml2_Message::validateMessage($idpMetadata, $spMetadata, $message); if ($message instanceof SAML2_LogoutResponse) { $relayState = $message->getRelayState(); if ($relayState === NULL) { /* Somehow, our RelayState has been lost. */ throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.'); } if (!$message->isSuccess()) { SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml2_Message::getResponseError($message)); } $state = SimpleSAML_Auth_State::loadState($relayState, sspmod_saml2_Auth_Source_SP::STAGE_LOGOUTSENT); SimpleSAML_Auth_Source::completeLogout($state); } elseif ($message instanceof SAML2_LogoutRequest) { SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId); SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId); /* Notify source of logout, so that it may call logout callbacks. */
* If we get an LogoutRequest then we initiate the logout process. */ if (isset($_REQUEST['SAMLRequest'])) { SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: Got SAML reuqest'); $binding = SAML2_Binding::getCurrentBinding(); try { $logoutrequest = $binding->receive(); if (!$logoutrequest instanceof SAML2_LogoutRequest) { throw new Exception('Not a valid logout request.'); } $spEntityId = $logoutrequest->getIssuer(); if ($spEntityId === NULL) { throw new Exception('Missing issuer in logout request.'); } $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote'); sspmod_saml2_Message::validateMessage($spMetadata, $idpMetadata, $logoutrequest); } catch (Exception $exception) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception); } // Extract some parameters from the logout request #$requestid = $logoutrequest->getRequestID(); $requester = $logoutrequest->getIssuer(); #$relayState = $logoutrequest->getRelayState(); $responder = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $logoutrequest->getIssuer()); SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $requester . ' ' . $responder); $session->doLogout(); /* Fill in the $logoutInfo associative array with information about this logout request. */ $logoutInfo['Issuer'] = $logoutrequest->getIssuer(); $logoutInfo['RequestID'] = $logoutrequest->getId(); $relayState = $logoutrequest->getRelayState();