author | Rob Crittenden <rcritten@redhat.com> | 2015-03-30 11:42:10 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-04-01 22:53:55 -0400 |
commit | 5497278fab59361c5b6bc5d3c17407128b924b9a (patch) | |
tree | ae9035eb197295c1bb27335a8e29ef531e9d6872 /ipsilon/providers/saml2idp.py | |
parent | f7150fdefeb58ab4e33f742969ebbc6019f45b08 (diff) | |
IdP-initiated logout for current user
Perform Single Logout for the current user when a logout is initiated
in the IdP.
A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.
https://fedorahosted.org/ipsilon/ticket/87
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Diffstat (limited to 'ipsilon/providers/saml2idp.py')
-rw-r--r-- | ipsilon/providers/saml2idp.py | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index 8ff512c..9bc75b3 100644
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -298,6 +298,8 @@ Provides SAML 2.0 authentication infrastructure. """
 self._debug('Failed to init SAML2 provider: %r' % e)
 return None
+ self._root.logout.add_handler(self.name, self.idp_initiated_logout)
+
 # Import all known applications
 data = self.get_data()
 for idval in data:
@@ -320,6 +322,45 @@ Provides SAML 2.0 authentication infrastructure. """
 if self.admin:
 self.admin.add_sps()
+ def idp_initiated_logout(self):
+ """
+ Logout all SP sessions when the logout comes from the IdP.
+
+ For the current user only.
+ """
+ self._debug("IdP-initiated SAML2 logout")
+ us = UserSession()
+
+ saml_sessions = us.get_provider_data('saml2')
+ if saml_sessions is None:
+ self._debug("No SAML2 sessions to logout")
+ return
+ session = saml_sessions.get_next_logout(remove=False)
+ if session is None:
+ return
+
+ # Add a fake session to indicate where the user should
+ # be redirected to when all SP's are logged out.
+ idpurl = self._root.instance_base_url()
+ saml_sessions.add_session("_idp_initiated_logout",
+ idpurl,
+ "")
+ init_session = saml_sessions.find_session_by_provider(idpurl)
+ init_session.set_logoutstate(idpurl, "idp_initiated_logout", None)
+ saml_sessions.start_logout(init_session)
+
+ logout = self.idp.get_logout_handler()
+ logout.setSessionFromDump(session.session.dump())
+ logout.initRequest(session.provider_id)
+ try:
+ logout.buildRequestMsg()
+ except lasso.Error, e:
+ self.error('failure to build logout request msg: %s' % e)
+ raise cherrypy.HTTPRedirect(400, 'Failed to log out user: %s '
+ % e)
+
+ raise cherrypy.HTTPRedirect(logout.msgUrl)
+
 class IdpMetadataGenerator(object): |
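Review bot: The error branch of `idp_initiated_logout` raises `cherrypy.HTTPRedirect(400, 'Failed to log out user: %s ' % e)`, but HTTPRedirect takes the target URL(s) first and the status second, so 400 is treated as the URL and the message as a status code, and the user gets an unrelated server error instead of a 400. It should read `raise cherrypy.HTTPError(400, 'Failed to log out user: %s' % e)`, ideally leaving the lasso detail in the `self.error` log rather than echoing it to the browser. That failure also happens after `add_session("_idp_initiated_logout", ...)` and `start_logout(init_session)` have already changed the stored session state, so the SP sessions presumably stay live with a half-started logout recorded; building the request message before adding the fake session would avoid that. The result of `find_session_by_provider(idpurl)` is dereferenced without a None check, which is worth confirming against that helper since it is not visible here.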