function sendQuery($dataId, $url, $nameId)
{
assert('is_string($dataId)');
assert('is_string($url)');
assert('is_array($nameId)');
SimpleSAML_Logger::debug('attributequery - sending request');
$query = new SAML2_AttributeQuery();
$query->setRelayState($dataId);
$query->setDestination($url);
$query->setIssuer($GLOBALS['spEntityId']);
$query->setNameId($nameId);
$binding = new SAML2_HTTPRedirect();
$binding->send($query);
}
/**
* Send a logout response.
*
* @param array &$state The logout state array.
*/
public static function sendLogoutResponse(SimpleSAML_IdP $idp, array $state)
{
assert('isset($state["saml:SPEntityId"])');
assert('isset($state["saml:RequestId"])');
assert('array_key_exists("saml:RelayState", $state)');
// Can be NULL.
$spEntityId = $state['saml:SPEntityId'];
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $idp->getConfig();
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
$lr = sspmod_saml_Message::buildLogoutResponse($idpMetadata, $spMetadata);
$lr->setInResponseTo($state['saml:RequestId']);
$lr->setRelayState($state['saml:RelayState']);
if (isset($state['core:Failed']) && $state['core:Failed']) {
$partial = TRUE;
$lr->setStatus(array('Code' => SAML2_Const::STATUS_SUCCESS, 'SubCode' => SAML2_Const::STATUS_PARTIAL_LOGOUT));
SimpleSAML_Logger::info('Sending logout response for partial logout to SP ' . var_export($spEntityId, TRUE));
} else {
$partial = FALSE;
SimpleSAML_Logger::debug('Sending logout response to SP ' . var_export($spEntityId, TRUE));
}
SimpleSAML_Stats::log('saml:idp:LogoutResponse:sent', array('spEntityID' => $spEntityId, 'idpEntityID' => $idpMetadata->getString('entityid'), 'partial' => $partial));
$binding = new SAML2_HTTPRedirect();
$binding->send($lr);
}
$spEntityId = $source->getEntityId();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
$spMetadata = $source->getMetadata();
sspmod_saml2_Message::validateMessage($idpMetadata, $spMetadata, $message);
if ($message instanceof SAML2_LogoutResponse) {
$relayState = $message->getRelayState();
if ($relayState === NULL) {
/* Somehow, our RelayState has been lost. */
throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.');
}
if (!$message->isSuccess()) {
SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml2_Message::getResponseError($message));
}
$state = SimpleSAML_Auth_State::loadState($relayState, sspmod_saml2_Auth_Source_SP::STAGE_LOGOUTSENT);
SimpleSAML_Auth_Source::completeLogout($state);
} elseif ($message instanceof SAML2_LogoutRequest) {
SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId);
SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
/* Notify source of logout, so that it may call logout callbacks. */
$source->onLogout($idpEntityId);
/* Create an send response. */
$lr = sspmod_saml2_Message::buildLogoutResponse($spMetadata, $idpMetadata);
$lr->setRelayState($message->getRelayState());
$lr->setInResponseTo($message->getId());
$binding = new SAML2_HTTPRedirect();
$binding->setDestination(sspmod_SAML2_Message::getDebugDestination());
$binding->send($lr);
} else {
throw new SimpleSAML_Error_BadRequest('Unknown message received on logout endpoint: ' . get_class($message));
}
$ar->setAssertionConsumerServiceURL($assertionConsumerServiceURL);
$ar->setRelayState($_REQUEST['RelayState']);
if ($isPassive) {
$ar->setIsPassive(TRUE);
}
if ($forceAuthn) {
$ar->setForceAuthn(TRUE);
}
if (array_key_exists('IDPList', $spmetadata)) {
$IDPList = array_unique(array_merge($IDPList, $spmetadata['IDPList']));
}
if (isset($_GET['IDPList']) && !empty($_GET['IDPList'])) {
$providers = $_GET['IDPList'];
if (!is_array($providers)) {
$providers = array($providers);
}
$IDPList = array_merge($IDPList, $providers);
}
$ar->setIDPList($IDPList);
/* Save request information. */
$info = array();
$info['RelayState'] = $_REQUEST['RelayState'];
if (array_key_exists('OnError', $_REQUEST)) {
$info['OnError'] = $_REQUEST['OnError'];
}
$session->setData('SAML2:SP:SSO:Info', $ar->getId(), $info);
$b = new SAML2_HTTPRedirect();
$b->send($ar);
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
}
/**
* Start a SAML 2 logout operation.
*
* @param array $state The logout state.
*/
public function startSLO2(&$state)
{
assert('is_array($state)');
assert('array_key_exists("saml:logout:IdP", $state)');
assert('array_key_exists("saml:logout:NameID", $state)');
assert('array_key_exists("saml:logout:SessionIndex", $state)');
$id = SimpleSAML_Auth_State::saveState($state, 'saml:slosent');
$idp = $state['saml:logout:IdP'];
$nameId = $state['saml:logout:NameID'];
$sessionIndex = $state['saml:logout:SessionIndex'];
$idpMetadata = $this->getIdPMetadata($idp);
$endpoint = $idpMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), FALSE);
if ($endpoint === FALSE) {
SimpleSAML_Logger::info('No logout endpoint for IdP ' . var_export($idp, TRUE) . '.');
return;
}
$lr = sspmod_saml_Message::buildLogoutRequest($this->metadata, $idpMetadata);
$lr->setNameId($nameId);
$lr->setSessionIndex($sessionIndex);
$lr->setRelayState($id);
$encryptNameId = $idpMetadata->getBoolean('nameid.encryption', NULL);
if ($encryptNameId === NULL) {
$encryptNameId = $this->metadata->getBoolean('nameid.encryption', FALSE);
}
if ($encryptNameId) {
$lr->encryptNameId(sspmod_saml_Message::getEncryptionKey($idpMetadata));
}
$b = new SAML2_HTTPRedirect();
$b->send($lr);
assert('FALSE');
}
*/
if (array_key_exists('Issuer', $logoutInfo)) {
$spMetadata = $metadata->getMetaDataConfig($logoutInfo['Issuer'], 'saml20-sp-remote');
// Find the relaystate if cached.
$relayState = isset($logoutInfo['RelayState']) ? $logoutInfo['RelayState'] : null;
/* Create a Logout Response. */
$rg = sspmod_saml2_Message::buildLogoutResponse($idpMetadata, $spMetadata);
$rg->setInResponseTo($logoutInfo['RequestID']);
$rg->setRelayState($relayState);
$httpredirect = new SAML2_HTTPRedirect();
/*
* If the user is not logged into any other SPs, send the LogoutResponse immediately
*/
if (count($sparray) + count($sparrayNoLogout) === 0) {
$httpredirect->setDestination(sspmod_SAML2_Message::getDebugDestination());
$httpredirect->send($rg);
} else {
$logoutresponse = $httpredirect->getRedirectURL($rg);
}
} elseif (array_key_exists('RelayState', $logoutInfo)) {
SimpleSAML_Utilities::redirect($logoutInfo['RelayState']);
exit;
} else {
echo 'You are logged out';
exit;
}
} catch (Exception $exception) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATELOGOUTRESPONSE', $exception);
}
$spmeta = $metadata->getMetaData($requester, 'saml20-sp-remote');
$spname = $requester;
/**
* Start a SAML 2 logout operation.
*
* @param array $state The logout state.
*/
public function startSLO2(&$state)
{
assert('is_array($state)');
assert('array_key_exists("saml:logout:IdP", $state)');
assert('array_key_exists("saml:logout:NameID", $state)');
assert('array_key_exists("saml:logout:SessionIndex", $state)');
$id = SimpleSAML_Auth_State::saveState($state, 'saml:slosent');
$idp = $state['saml:logout:IdP'];
$nameId = $state['saml:logout:NameID'];
$sessionIndex = $state['saml:logout:SessionIndex'];
$idpMetadata = $this->getIdPMetadata($idp);
$endpoint = $idpMetadata->getString('SingleLogoutService', FALSE);
if ($endpoint === FALSE) {
SimpleSAML_Logger::info('No logout endpoint for IdP ' . var_export($idp, TRUE) . '.');
return;
}
$lr = sspmod_saml2_Message::buildLogoutRequest($this->metadata, $idpMetadata);
$lr->setNameId($nameId);
$lr->setSessionIndex($sessionIndex);
$lr->setRelayState($id);
$b = new SAML2_HTTPRedirect();
$b->setDestination(sspmod_SAML2_Message::getDebugDestination());
$b->send($lr);
assert('FALSE');
}
/**
* Handle logout operation.
*
* @param array $state The logout state.
*/
public function logout(&$state)
{
assert('is_array($state)');
assert('array_key_exists(self::LOGOUT_IDP, $state)');
assert('array_key_exists(self::LOGOUT_NAMEID, $state)');
assert('array_key_exists(self::LOGOUT_SESSIONINDEX, $state)');
$id = SimpleSAML_Auth_State::saveState($state, self::STAGE_LOGOUTSENT);
$idp = $state[self::LOGOUT_IDP];
$nameId = $state[self::LOGOUT_NAMEID];
$sessionIndex = $state[self::LOGOUT_SESSIONINDEX];
if (array_key_exists('value', $nameId)) {
/*
* This session was saved by an old version of simpleSAMLphp.
* Convert to the new NameId format.
*
* TODO: Remove this conversion once every session should use the new format.
*/
$nameId['Value'] = $nameId['value'];
unset($nameId['value']);
}
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $metadata->getMetaDataConfig($idp, 'saml20-idp-remote');
$lr = sspmod_saml2_Message::buildLogoutRequest($this->metadata, $idpMetadata);
$lr->setNameId($nameId);
$lr->setSessionIndex($sessionIndex);
$lr->setRelayState($id);
$b = new SAML2_HTTPRedirect();
$b->setDestination(sspmod_SAML2_Message::getDebugDestination());
$b->send($lr);
assert('FALSE');
}
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
try {
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $session->getAuthData('saml2', 'saml:sp:IdP');
if ($idpEntityId === NULL) {
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User not authenticated with an IdP.');
SimpleSAML_Utilities::redirect($returnTo);
}
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
$SLOendpoint = $idpMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL);
if ($SLOendpoint === NULL) {
$session->doLogout('saml2');
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No supported SingleLogoutService endpoint in IdP.');
SimpleSAML_Utilities::redirect($returnTo);
}
$spEntityId = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-hosted');
$nameId = $session->getAuthData('saml2', 'saml:sp:NameID');
$lr = sspmod_saml_Message::buildLogoutRequest($spMetadata, $idpMetadata);
$lr->setNameId($nameId);
$lr->setSessionIndex($session->getAuthData('saml2', 'saml:sp:SessionIndex'));
$session->doLogout('saml2');
/* Save the $returnTo url until the user returns from the IdP. */
$session->setData('spLogoutReturnTo', $lr->getId(), $returnTo);
SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: SP (' . $spEntityId . ') is sending logout request to IdP (' . $idpEntityId . ')');
$b = new SAML2_HTTPRedirect();
$b->send($lr);
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
}
