
Example 26 with LogoutResponse

Use of com.sun.identity.saml2.protocol.LogoutResponse in the OpenAM project (OpenRock fork).

Source: the static method processLogoutRequest of class SPSingleLogout (the SP-side handler for an IDP-initiated single logout request).

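/**
 * Gets and processes a Single <code>LogoutRequest</code> sent by the IDP to
 * this hosted SP over the HTTP-POST or HTTP-Redirect binding, then returns a
 * <code>LogoutResponse</code> to the IDP's single logout endpoint (or, in the
 * IDP-proxy case, forwards the logout to the proxied session partners).
 *
 * Order of operations is security relevant and is kept as is:
 * <ol>
 *   <li>resolve the hosted SP from the request URI (fedlet fallback: first
 *       hosted SP under the root realm);</li>
 *   <li>reject the request if the SP's metadata does not list this binding
 *       for its SLO service;</li>
 *   <li>decode the request;</li>
 *   <li>if <code>wantLogoutRequestSigned</code> is set for the SP, verify the
 *       signature (XML signature for POST, query-string signature for
 *       Redirect) and check <code>Destination</code> against this SP's own
 *       SLO endpoint;</li>
 *   <li>only then look up IDP metadata and act on the session.</li>
 * </ol>
 * NOTE(review): when <code>wantLogoutRequestSigned</code> is false, neither
 * the signature nor <code>Destination</code> is checked and the request is
 * trusted on the strength of the IDP entity ID it claims in
 * <code>Issuer</code>; deployments that accept unsolicited logout should
 * leave that flag on.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param out the print writer for writing out presentation
 * @param samlRequest <code>LogoutRequest</code> as received on the wire
 *          (POST form value or Redirect query parameter, still encoded).
 * @param relayState the target URL on successful
 *          <code>LogoutRequest</code>; forwarded unchanged to the response
 *          sender (presumably validated there or by the caller — confirm).
 * @throws SAML2Exception if error processing
 *          <code>LogoutRequest</code> (unsupported binding, undecodable
 *          request, bad signature or destination, missing metadata).
 * @throws SessionException if error processing
 *          <code>LogoutRequest</code> against the local session.
 */
public static void processLogoutRequest(HttpServletRequest request, HttpServletResponse response, PrintWriter out, String samlRequest, String relayState) throws SAML2Exception, SessionException {
    String method = "processLogoutRequest : ";
    if (debug.messageEnabled()) {
        debug.message(method + "samlRequest : " + samlRequest);
        debug.message(method + "relayState : " + relayState);
    }
    // Only POST and GET are handled; any other verb is treated as Redirect
    // for the binding check below and then yields no request (early return).
    String rmethod = request.getMethod();
    boolean isPost = "POST".equals(rmethod);
    String binding = isPost ? SAML2Constants.HTTP_POST : SAML2Constants.HTTP_REDIRECT;
    String metaAlias = SAML2MetaUtils.getMetaAliasByUri(request.getRequestURI());
    if (SPCache.isFedlet && (metaAlias == null || metaAlias.length() == 0)) {
        // Fedlet: the URI carries no meta alias, so fall back to the first
        // hosted SP under the root realm.
        List spMetaAliases = sm.getAllHostedServiceProviderMetaAliases("/");
        if (spMetaAliases != null && !spMetaAliases.isEmpty()) {
            metaAlias = (String) spMetaAliases.get(0);
        }
        if (metaAlias == null || metaAlias.length() == 0) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
        }
    }
    String realm = SAML2Utils.getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
    String spEntityID = sm.getEntityByMetaAlias(metaAlias);
    // Refuse bindings the SP has not published for SLO before touching the payload.
    if (!SAML2Utils.isSPProfileBindingSupported(realm, spEntityID, SAML2Constants.SLO_SERVICE, binding)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }
    LogoutRequest logoutReq = null;
    if (isPost) {
        logoutReq = LogoutUtil.getLogoutRequestFromPost(samlRequest, response);
    } else if ("GET".equals(rmethod)) {
        String decodedStr = SAML2Utils.decodeFromRedirect(samlRequest);
        if (decodedStr == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("nullDecodedStrFromSamlRequest"));
        }
        logoutReq = ProtocolFactory.getInstance().createLogoutRequest(decodedStr);
    }
    if (logoutReq == null) {
        if (debug.messageEnabled()) {
            debug.message("SPSingleLogout:processLogoutRequest: logoutReq " + "is null");
        }
        return;
    }
    // Issuer names the IDP whose metadata and keys are used for every check
    // below; a request without one cannot be verified or answered.
    if (logoutReq.getIssuer() == null) {
        debug.error("SPSingleLogout.processLogoutRequest: " + "LogoutRequest has no Issuer.");
        throw new SAML2Exception("LogoutRequest has no Issuer");
    }
    String idpEntityID = logoutReq.getIssuer().getValue();
    // invoke SPAdapter preSingleLogoutProcess : IDP initiated HTTP
    //String userId = preSingleLogoutProcess(spEntityID, realm, request, 
    //    response, null, logoutReq, null, SAML2Constants.HTTP_REDIRECT); 
    boolean needToVerify = SAML2Utils.getWantLogoutRequestSigned(realm, spEntityID, SAML2Constants.SP_ROLE);
    if (debug.messageEnabled()) {
        debug.message(method + "metaAlias : " + metaAlias);
        debug.message(method + "realm : " + realm);
        debug.message(method + "idpEntityID : " + idpEntityID);
        debug.message(method + "spEntityID : " + spEntityID);
    }
    if (needToVerify) {
        // POST carries an XML signature inside the request; Redirect signs the
        // raw query string, so it must be verified from the query string as sent.
        boolean valid;
        if (isPost) {
            valid = LogoutUtil.verifySLORequest(logoutReq, realm, idpEntityID, spEntityID, SAML2Constants.SP_ROLE);
        } else {
            String queryString = request.getQueryString();
            valid = SAML2Utils.verifyQueryString(queryString, realm, SAML2Constants.SP_ROLE, idpEntityID);
        }
        if (!valid) {
            debug.error("SPSingleLogout.processLogoutRequest: " + "Invalid signature in SLO Request.");
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidSignInRequest"));
        }
        // Bind the signed request to this SP's SLO endpoint so a request
        // captured for a different endpoint cannot be replayed here.
        SPSSODescriptorElement spsso = sm.getSPSSODescriptor(realm, spEntityID);
        String loc = getSLOResponseLocationOrLocation(spsso, binding);
        if (!SAML2Utils.verifyDestination(logoutReq.getDestination(), loc)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("invalidDestination"));
        }
    }
    // get IDPSSODescriptor
    IDPSSODescriptorElement idpsso = sm.getIDPSSODescriptor(realm, idpEntityID);
    if (idpsso == null) {
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
    List slosList = idpsso.getSingleLogoutService();
    if (slosList == null) {
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.SLO_NOT_FOUND, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("sloServiceListNotfound"));
    }
    // Prefer the IDP's ResponseLocation for this binding; fall back to its
    // plain Location. The response goes only to an endpoint from IDP metadata,
    // never to anything named in the request itself.
    String location = LogoutUtil.getSLOResponseServiceLocation(slosList, binding);
    if (location == null || location.length() == 0) {
        location = LogoutUtil.getSLOServiceLocation(slosList, binding);
        if (location == null || location.length() == 0) {
            debug.error("Unable to find the IDP's single logout " + "service location for binding " + binding);
            throw new SAML2Exception(SAML2Utils.bundle.getString("sloResponseServiceLocationNotfound"));
        }
        if (debug.messageEnabled()) {
            debug.message("IDP's single logout service location (fallback) = " + location);
        }
    } else if (debug.messageEnabled()) {
        debug.message("IDP's single logout response service location = " + location);
    }
    List partners = IDPProxyUtil.getSPSessionPartners(request);
    if (partners != null && !partners.isEmpty()) {
        // IDP Proxy case: propagate the logout to the proxied partners first.
        LogoutResponse logoutRespon = processLogoutRequest(logoutReq, spEntityID, realm, request, response, false, false, binding, true);
        logoutRespon.setDestination(XMLUtils.escapeSpecialCharacters(location));
        IDPProxyUtil.sendIDPInitProxyLogoutRequest(request, response, out, logoutRespon, location, spEntityID, idpEntityID, binding, realm);
    } else {
        LogoutResponse logoutRes = processLogoutRequest(logoutReq, spEntityID, realm, request, response, true, binding, true);
        logoutRes.setDestination(XMLUtils.escapeSpecialCharacters(location));
        LogoutUtil.sendSLOResponse(response, request, logoutRes, location, relayState, realm, spEntityID, SAML2Constants.SP_ROLE, idpEntityID, binding);
    }
}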
