You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: TUTORIAL.md
+155-2Lines changed: 155 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -358,7 +358,7 @@ For the $saml_request_id you need to retrieve it from wherever it was stored dur
358
358
359
359
The call to $assertion->valid validates the following for the assertion:
360
360
361
-
1. That the $issuer configure in your application is the $audience of the assertion
361
+
1. That the $issuer configured in your application is the $audience of the assertion
362
362
2. That the $saml_request_id is the InResponseTo of the assertion
363
363
3. That the current time is within the NotBefore and NotAfter datetimes of the assertion
364
364
@@ -401,7 +401,160 @@ As a developer you need to review what is returned in the SAML2 Assertion from t
401
401
402
402
Regardless, the attributes of the assertion will contain those values, It is up to your application to use or ignore them as you see fit.
403
403
404
-
## Step 3: Generating the Service Provider (SP) Metadata (Optional)
404
+
## Step 3: Service Provider initiated LogoutRequest (Optional)
405
+
406
+
The Service Provider (SP) can initiate a LogoutRequest to the Identity Provider (IdP). This is optional and the IdP can support Single Logout (SLO) which will initiate a process to logout all IdP logins sharing the session.
407
+
408
+
The process begins with the creation of the LogoutRequest XML with the correct values and then it is sent to the IdP via a Browser Redirect.
409
+
410
+
The following is from Foswiki's SamlLoginContrib function:
411
+
```
412
+
413
+
# Foswiki's SamlLoginContrib stores the Assertions session_index
414
+
my $sessionindex = $this->getSessionValue('saml_session_index');
415
+
416
+
my $idp = Net::SAML2::IdP->new_from_url(
417
+
 url => $this->{Saml}{ metadata},
418
+
 cacert => $this->{Saml}{ cacert },
419
+
 );
420
+

421
+
my $logoutrequest = Net::SAML2::Protocol::LogoutRequest->new(
# The $url is then sent to the browser as a redirect to initiate the logout.
441
+
442
+
```
443
+
The IdP will respond with a LogoutResponse that is sent to the browser via a HTTP-POST or an HTTP-Redirect depending on the SP's configuration at the IdP (the SP metadata would specify the slo_url that is supported).
444
+
445
+
The SP would process the LogoutResponse and if it was a sucessful response invalidate the user's session at the SP.
446
+
447
+
The following is from Foswiki's SamlLoginContrib function:
448
+
```
449
+
# Foswiki's SamlLoginContrib stores the Assertions session_index
450
+
# my $sessionindex = $this->getAndClearSessionValue('saml_session_index');
my ($response, $relaystate) = $redirect->verify($uri);
469
+

470
+
if ($response) {
471
+
 my $logout = Net::SAML2::Protocol::LogoutResponse->new_from_xml(
472
+
 xml => $response
473
+
 );
474
+

475
+
 if ($logout->status eq 'urn:oasis:names:tc:SAML:2.0:status:Success') {
476
+
 deleteSession(...)
477
+
 }
478
+
 }
479
+
480
+
```
481
+
482
+
### Creating the LogoutRequest
483
+
484
+
## Step 4: IdP initiated LogoutRequest (Optional)
485
+
486
+
The Identity Provider (IdP) can intiate a LogoutRequest to the Service Provider (SP). There is no guarantee that this IdP initiated message will even get received by the SP as it requires the IdP to send a HTTP-GET request directly to the SP. It works outside the typical browser interaction for SAML. Indeed for many internal applications there is no direct internet access allowed to the SP application.
487
+
488
+
The process begins when the SP receives an unsolicated HTTP-GET request from the IdP. The SP must decode that LogoutRequest and process it to logout the user locally.
489
+
490
+
### Handling the LogoutRequest
491
+
492
+
The SP needs to create the Net::SAML2::IdP object as is done above (in this case using new_from_xml but could be new_from_url).
493
+
494
+
```
495
+
my $idp = Net::SAML2::IdP->new_from_xml(
496
+
xml => $metadata, # URL where the xml is located
497
+
cacert => $cacert2, # Filename of the Identity Providers CACert
498
+
);
499
+
500
+
```
501
+
Create the Net::SAML2::Binding::Redirect object. Note the sls_force_lcase_url_encoding is used if the IdP sends a URL that has meen URL encoded with lower case characters %2f instead of %2F.
502
+
503
+
```
504
+
my $redirect = Net::SAML2::Binding::Redirect->new(
Verify signature on the URL, decode the request and retrieve the XML request and RelayState.
515
+
516
+
```
517
+
my ($request, $relaystate) = $redirect->verify($get_request);
518
+
519
+
```
520
+
Create the LogoutRequest object from the decoded XML request.
521
+
522
+
```
523
+
my $logoutrequest = Net::SAML2::Protocol::LogoutRequest->new_from_xml(xml => $request);
524
+
525
+
```
526
+
527
+
The data that the SP requires is in the resulting Net::SAML2::Protocol::LogoutRequest object. The SP should perform a local logout of the nameid specified in the LogoutRequest. The session *should* be the session that the IdP sent in the Assertion (need to review). In general however the user associated with the nameid should have their session invalidated and the should be user forced to login again on next access.
The logout response should be sent to the IdP by the SP after the local user's session has been invalidated. The LogoutResponse is created by creating the Net::SAML2::Protocol::LogoutResponse object with the correct values. The response_to is the id from the LogoutRequest. It is the LogoutRequest to which the LogoutRespones is related. Below shows the issue and the destination as the opposite of the same values from the LogoutRequest. The issuer in the request is likely where the LogoutResponse should be sent (the destination). More properly the issuer should be the $sp->{issuer} and the destination the $idp->{slo_url}->{urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect}.
541
+
542
+
```
543
+
my $logoutresponse = Net::SAML2::Protocol::LogoutResponse->new(
544
+
issuer => $logoutrequest->{destination},
545
+
destination => $logoutrequest->{issuer},
546
+
status => "urn:oasis:names:tc:SAML:2.0:status:Success",
547
+
response_to => $logoutrequest->{id},
548
+
);
549
+
```
550
+
551
+
Once you have created the LogoutResponse you sign the XML version of the LogoutResponse using the Net::SAML2::Binding::Redirect. This results in a URL that the SP must use in a GET request to inform the IdP that the session was properly invalidated by the SP.
552
+
553
+
```
554
+
my $logoutrequestsigned = $redirect->sign($logoutresponse->as_xml);
555
+
```
556
+
557
+
## Step 5: Generating the Service Provider (SP) Metadata (Optional)
405
558
406
559
Some Identity Providers allow you to import a XML file that has the Service Provider settings. This allows you to ensure that the settings defined in your application are the same as those configured as the Service Provider settings in Identity Provider.
0 commit comments