1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
Single Log Out
SP
/singleLogout (* normative, Single Logout Service URL *)
logout = lasso_logout_new(server, lassoProviderTypeSp)
IF NOT lasso_is_liberty_query(query)
# Logout initiated by SP, now
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
lasso_logout_init_request(logout, idpProviderId, lassoHttpMethodAny)
# if idpProviderId is NULL the first one defined in the metadata will be picked
# if third param http method is lassoHttpMethodAny, then lasso retrieves
# the first http mehtod supported by both providers, else check
# the passed http method is supported.
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(logout)->request)
lasso_lib_authn_request_set_relayState(request, relayState)
# relayState is an optional value set by the SP
lasso_logout_build_request_msg(logout)
IF LASSO_PROFILE(logout)->msg_body != NULL
SOAP CALL
TO LASSO_PROFILE(logout)->msg_url
BODY LASSO_PROFILE(logout)->msg_body
lasso_logout_process_response_msg(logout, soap_answer_message)
IF error AND error != LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE
BOOM
/* ??? there is something here about identity and sessions ??? */
IF LASSO_PROFILE(logout)->msg_body == NULL
REDIRECT TO LASSO_PROFILE(logout)->msg_url
DISPLAY HTML PAGE
<h1>OK</h1>
END
# Logout initiated by IdP
lasso_logout_process_request_msg(logout, /query string/)
# use LASSO_PROFILE(logout)->nameIdentifier->content to get identity and session
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
lasso_logout_validate_request(logout)
IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
identity = lasso_profile_get_identity(LASSO_PROFILE(login))
# save identity;
# serialization with lasso_identity_dump(identity)
IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
session = lasso_profile_get_session(LASSO_PROFILE(login))
# save session;
# serialization with lasso_session_dump(session)
lasso_logout_build_response_msg(logout)
IF LASSO_PROFILE(logout)->msg_body
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body)
ELSE
REDIRECT TO LASSO_PROFILE(logout)->msg_url
IdP
/singleLogout (* normative, Single Log-Out service URL *)
logout = lasso_logout_new(server, lassoProviderTypeIdp)
IF lasso_is_liberty_query(query)
lasso_logout_process_request_msg(logout, /query string/)
# get identity and session from LASSO_PROFILE(logout)->nameIdentifier
ELSE
# initiate logout
# get identity and session from user authentication
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
other_sp = lasso_logout_get_next_providerID(logout)
WHILE other_sp
lasso_logout_init_request(logout, other_sp, lassoHttpMethodAny)
lasso_logout_build_request_msg(logout)
IF LASSO_PROFILE(logout)->msg_body
SOAP CALL
TO LASSO_PROFILE(logout)->msg_url
BODY LASSO_PROFILE(logout)->msg_body
lasso_logout_process_response_msg(logout, soap_answer_message)
other_sp = lasso_logout_get_next_providerID(logout)
lasso_logout_reset_providerID_index(logout)
other_sp = lasso_logout_get_next_providerID(logout)
IF other_sp
lasso_logout_init_request(logout, other_sp, lassoHttpMethodRedirect)
lasso_logout_build_request_msg(logout)
REDIRECT TO LASSO_PROFILE(logout)->msg_url
DISPLAY HTML PAGE
<h1>OK</h1>
IdP
/soapEndPoint (* normative, SOAP endpoint *)
soap_msg # is the received SOAP message body
request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
IF request_type IS lassoRequestTypeLogout
logout = lasso_logout_new(server);
lasso_logout_process_request_msg(logout, soap_msg);
# get identity and session from LASSO_PROFILE(logout)->nameIdentifier
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
lasso_logout_validate_request(logout)
if error LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE
lasso_logout_build_request_msg(logout)
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
# write down identity and session here
other_sp = lasso_logout_get_next_providerID(logout)
WHILE other_sp
lasso_logout_init_request(logout, other_sp, lassoHttpMethodAny)
lasso_logout_build_request_msg(logout)
SOAP CALL
TO LASSO_PROFILE(logout)->msg_url
BODY LASSO_PROFILE(logout)->msg_body
lasso_logout_process_response_msg(logout, soap_answer_message)
other_sp = lasso_logout_get_next_providerID(logout)
lasso_logout_build_response_msg(logout)
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
SP
/soapEndPoint (* normative, SOAP endpoint *)
soap_msg # is the received SOAP message body
request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
IF request_type IS lassoRequestTypeLogout
logout = lasso_logout_new(server);
lasso_logout_process_request_msg(logout, soap_msg);
# sth to do with identity and session around here
lasso_logout_validate_request(logout)
lasso_logout_build_response_msg(logout)
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
|