authorRob Crittenden <rcritten@redhat.com>2015-03-30 11:42:10 -0400
committerRob Crittenden <rcritten@redhat.com>2015-04-01 22:53:55 -0400
commit5497278fab59361c5b6bc5d3c17407128b924b9a (patch)
treeae9035eb197295c1bb27335a8e29ef531e9d6872 /ipsilon/providers/saml2/sessions.py
parentf7150fdefeb58ab4e33f742969ebbc6019f45b08 (diff)
IdP-initiated logout for current user
Perform Single Logout for the current user when a logout is initiated in the IdP. A fake initial session is created. In the current logout code the initial logout requestor holds the final redirect URL. In this case it redirects back to the root IdP page. https://fedorahosted.org/ipsilon/ticket/87 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Diffstat (limited to 'ipsilon/providers/saml2/sessions.py')
-rw-r--r--ipsilon/providers/saml2/sessions.py11
1 files changed, 9 insertions, 2 deletions
diff --git a/ipsilon/providers/saml2/sessions.py b/ipsilon/providers/saml2/sessions.py
index fb1f646..5931734 100644
--- a/ipsilon/providers/saml2/sessions.py
+++ b/ipsilon/providers/saml2/sessions.py
@@ -140,12 +140,16 @@ class SAMLSessionsContainer(Log):
self.sessions_logging_out[session.provider_id] = session
- def get_next_logout(self):
+ def get_next_logout(self, remove=True):
"""
Get the next session in the logged-in state and move
it to the logging_out state. Return the session that is
found.
+ :param remove: for IdP-initiated logout we can't remove the
+ session otherwise when the request comes back
+ in the user won't be seen as being logged-on.
+
Return None if no more sessions in login state.
"""
try:
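Review bot: The new `:param remove:` text explains why the flag exists but not what state the container is left in, and the docstring's first sentence still says the session is moved to the logging_out state. With `remove=False` the visible code never takes the session out of `self.sessions`, so a second call would presumably return a session again rather than advancing towards `None`; a caller that loops until `None` needs to know this. I would reword it along the lines of `:param remove: if False, return the session but leave it in self.sessions (IdP-initiated logout needs the user to still appear logged in when the response comes back)`. The function body continues outside this hunk, so what happens to the session afterwards should be confirmed there.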
@@ -153,7 +157,10 @@ class SAMLSessionsContainer(Log):
except IndexError:
return None
- session = self.sessions.pop(provider_id)
+ if remove:
+ session = self.sessions.pop(provider_id)
+ else:
+ session = self.sessions.itervalues().next()
if provider_id in self.sessions_logging_out:
self.sessions_logging_out.pop(provider_id)
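Review bot: In the `else:` branch, `self.sessions.itervalues().next()` takes whichever value the dict yields first instead of the entry for `provider_id`. The `provider_id` assignment is outside the hunk, so the two agree only if it was also taken from the first position of an unmodified dict. The following lines pop `self.sessions_logging_out` by `provider_id`, so a mismatch would leave logout bookkeeping pointing at a different provider than the session returned. Looking the session up by key removes that dependency on iteration order: `session = self.sessions[provider_id]`. The rest of `get_next_logout` lies outside this hunk.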