This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit d380248927b3f4b0e8a57d059e2c5e0d8a1f9c67
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Jul 13 15:21:03 2018 +0100

    FEDIZ-221 - Redirecting back to RP logout endpoint
---
 .../idp/beans/samlsso/AuthnRequestParser.java      | 22 +++++++++++++++++++---
 .../webapp/WEB-INF/flows/saml-validate-request.xml | 14 +++++++++-----
 .../main/webapp/WEB-INF/views/signoutresponse.jsp  |  2 +-
 .../org/apache/cxf/fediz/systests/idp/IdpTest.java |  3 +++
 .../src/test/resources/realma/entities-realma.xml  |  6 ++++--
 5 files changed, 36 insertions(+), 11 deletions(-)

diff --git 
a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
 
b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
index b0730d3..b120d89 100644
--- 
a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ 
b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
@@ -178,6 +178,24 @@ public class AuthnRequestParser {
     }
 
     public String retrieveConsumerURL(RequestContext context) {
+        // If it's a LogoutRequest we just want to get the logout endpoint 
from the configuration
+        SAMLLogoutRequest logoutRequest =
+            (SAMLLogoutRequest)WebUtils.getAttributeFromFlowScope(context, 
IdpConstants.SAML_LOGOUT_REQUEST);
+        if (logoutRequest != null) {
+            Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, 
"idpConfig");
+            String realm = retrieveRealm(context);
+            Application serviceConfig = idpConfig.findApplication(realm);
+            if (serviceConfig != null) {
+                String logoutEndpoint = serviceConfig.getLogoutEndpoint();
+                if (logoutEndpoint != null) {
+                    LOG.debug("Attempting to use the configured logout 
endpoint: {}", logoutEndpoint);
+                    return logoutEndpoint;
+                }
+            }
+            LOG.debug("No LogoutEndpoint has been configured for this 
application");
+            return "/";
+        }
+
         SAMLAuthnRequest authnRequest =
             (SAMLAuthnRequest)WebUtils.getAttributeFromFlowScope(context, 
IdpConstants.SAML_AUTHN_REQUEST);
 
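Review bot: The `return "/";` fallback at the end of the new LogoutRequest branch makes the logout flow auto-post the signed SAML LogoutResponse to the IdP's own root whenever an application has no logoutEndpoint configured, which is neither a SAML endpoint nor the RP; the AuthnRequest path further down returns null in the same situation and leaves the decision to the caller. Returning null here too, and letting the flow fall back to the IdP's own signoutresponse view when the consumer URL is null, would avoid posting the response somewhere that cannot consume it. The branch also dereferences `idpConfig` without a null check while `serviceConfig` does get one; if "idpConfig" can be absent from flow scope this is an NPE, which I cannot confirm from here because the lines before this hunk are not visible. Taking the redirect target strictly from configuration rather than from anything carried in the LogoutRequest is the right design and deserves a comment: `// Deliberately configuration-only: nothing in the (possibly attacker-supplied) LogoutRequest may choose where the LogoutResponse is posted.` retrieveConsumerURL continues past the end of this hunk.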
@@ -195,9 +213,7 @@ public class AuthnRequestParser {
         if (serviceConfig != null) {
             String racs = serviceConfig.getPassiveRequestorEndpoint();
             LOG.debug("Attempting to use the configured passive requestor 
endpoint instead: {}", racs);
-            if (racs != null) {
-                return racs;
-            }
+            return racs;
         }
 
         return null;
diff --git 
a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml 
b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index 3122fcf..4e62885 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -223,7 +223,7 @@
     
     <view-state id="viewSignoutConfirmation" 
view="signoutconfirmationresponse">
         <transition on="submit" to="produceSAMLLogoutResponse"/>
-        <transition on="cancel" to="redirect" />
+        <!-- <transition on="cancel" to="redirect" /> -->
     </view-state>
     
     <action-state id="produceSAMLLogoutResponse">
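Review bot: Commenting out the `cancel` transition in `viewSignoutConfirmation` instead of deleting it leaves dead XML in the flow definition and, more importantly, means a `cancel` event raised by the signoutconfirmationresponse view no longer matches any transition, so depending on the Web Flow version the event is either rejected or just re-renders the confirmation page — either way the user has no way back to the RP without signing out. If the confirmation view still renders a cancel control, keep a transition for it (for example to an end-state that returns to the RP without invalidating the session); if the control was removed, delete the commented-out line rather than leaving `<!-- <transition on="cancel" to="redirect" /> -->`. I cannot see the view template here, so confirm which case applies.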
@@ -238,17 +238,18 @@
         <transition to="invalidateSessionAction" />
     </action-state>
     
-    <action-state id="invalidateSessionAction">
+    <decision-state id="invalidateSessionAction">
         <on-entry>
             <!-- store the realmConfigMap in the request map before we 
invalidate the session below.
             Its needed in the signoutresponse.jsp page -->
             <set name="externalContext.requestMap.realmConfigMap" 
                 value="externalContext.sessionMap.realmConfigMap"/>
             <evaluate 
expression="homeRealmReminder.removeCookie(flowRequestContext)" />
+            <evaluate expression="logoutAction.submit(flowRequestContext)" />
         </on-entry>
-        <evaluate expression="logoutAction.submit(flowRequestContext)" />
-        <transition to="signOutFormResponseView" />
-    </action-state>
+        <if test="flowScope.idpConfig.isAutomaticRedirectToRpAfterLogout()"
+            then="signOutFormResponseView" else="showLogoutResponsePage" />
+    </decision-state>
     
     <!-- normal exit point for logout -->
     <!-- browser redirection (self-submitted form 
'samlsignoutresponseform.jsp') -->
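Review bot: The on-entry comment still says the session is invalidated "below", but the invalidating call (`logoutAction.submit(flowRequestContext)`, assuming that is what it does as the original comment implies) now sits in the same `<on-entry>` block, and the `<if>` test then reads `flowScope.idpConfig` after it has run. Make the ordering constraint explicit so nobody reorders the three evaluates, e.g. `<!-- copy realmConfigMap into the request map BEFORE logoutAction.submit() invalidates the session; signoutresponse.jsp reads it from there -->`, and note that reading flow scope after invalidation appears to be safe for the rest of this request, since the signOutFormResponseView end-state already did the same with flowScope.logoutResponse before this change. If "idpConfig" can be missing from flow scope the `<if>` expression will fail rather than fall into the non-redirect branch; confirm it is always populated by the request-parsing states that precede this hunk.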
@@ -259,6 +260,9 @@
             <evaluate expression="flowScope.logoutResponse" 
result="requestScope.samlResponse" />
         </on-entry>
     </end-state>
+    
+    <!-- normal exit point for logout -->
+    <end-state id="showLogoutResponsePage" view="signoutresponse" />
 
     <!-- abnormal exit point -->
     <decision-state id="viewBadRequest">
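Review bot: The new end-state is labelled with the same `<!-- normal exit point for logout -->` comment already used for signOutFormResponseView a few lines up, so a reader cannot tell the two exits apart. Name the condition that selects it: `<!-- exit point for logout when automaticRedirectToRpAfterLogout is false: render the IdP's own signout page (signoutresponse.jsp) instead of posting the LogoutResponse back to the RP -->`.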
diff --git a/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp 
b/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp
index 429c026..c75a7f1 100644
--- a/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp
+++ b/services/idp/src/main/webapp/WEB-INF/views/signoutresponse.jsp
@@ -33,7 +33,7 @@
             
             while (iterator.hasNext()) {
                 Application next = iterator.next().getValue();
-                if (next != null) {
+                if (next != null && 
"http://docs.oasis-open.org/wsfed/federation/200706".equals(next.getProtocol()))
 {
     %>
                     <%= next.getServiceDisplayName() %> 
                     <img src="<%=next.getPassiveRequestorEndpoint() + "?" + 
FederationConstants.PARAM_ACTION 
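Review bot: The WS-Federation protocol URI in the new condition is a hard-coded string literal, while the same statement already takes `FederationConstants.PARAM_ACTION` from the constants class; if FederationConstants (or the Application class) exposes the WS-Fed protocol identifier, compare against that so the JSP and the configuration model cannot drift apart. The filter itself is sound — `wsignoutcleanup1.0` is a WS-Federation action that a SAML SSO RP cannot interpret — and deserves a comment: `<%-- only WS-Federation RPs understand the wsignoutcleanup1.0 action; skip SAML SSO applications --%>`. The display name and endpoint are still emitted with `<%= %>` and no escaping; that is acceptable only because both come from IdP configuration rather than from the request, which is worth stating next to the loop.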
diff --git 
a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java 
b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 41ed6bc..d3b5636 100644
--- 
a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ 
b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -1723,8 +1723,11 @@ public class IdpTest {
 
         // Check Response
         HtmlForm responseForm = 
signoutPage.getFormByName("samlsignoutresponseform");
+        Assert.assertEquals("https://localhost:8080/logout";, 
responseForm.getActionAttribute());
         String responseValue = 
responseForm.getInputByName("SAMLResponse").getAttributeNS(null, "value");
         Assert.assertNotNull(responseValue);
+        String receivedRelayState = 
responseForm.getInputByName("RelayState").getAttributeNS(null, "value");
+        Assert.assertEquals(relayState, receivedRelayState);
 
         byte[] deflatedToken = Base64Utility.decode(responseValue);
         InputStream tokenStream = new ByteArrayInputStream(deflatedToken);
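Review bot: The new assertions pin the form action to the configured logoutEndpoint and check that RelayState round-trips, but nothing ties the LogoutResponse itself to where it is posted; if the IdP sets a Destination attribute on the LogoutResponse, add an assertion after the XML is parsed (below this hunk) that it equals `responseForm.getActionAttribute()`, so a signed response can never be silently sent to an endpoint other than the one it names. The literal `https://localhost:8080/logout` duplicates the value in entities-realma.xml; a shared constant or reading it back from the realm configuration would keep the test and the fixture from drifting. `relayState` is declared before this hunk and the test method continues after it.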
diff --git a/systests/samlsso/src/test/resources/realma/entities-realma.xml 
b/systests/samlsso/src/test/resources/realma/entities-realma.xml
index 2948e39..7bbc430 100644
--- a/systests/samlsso/src/test/resources/realma/entities-realma.xml
+++ b/systests/samlsso/src/test/resources/realma/entities-realma.xml
@@ -93,6 +93,7 @@
         <property name="stsUrl" 
value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA"; />
         <property name="idpUrl" 
value="https://localhost:${idp.https.port}/fediz-idp/saml"; />
         <property name="rpSingleSignOutConfirmation" value="true"/>
+        <property name="automaticRedirectToRpAfterLogout" value="true"/>
         <property name="supportedProtocols">
             <util:list>
                 <value>urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
@@ -151,12 +152,13 @@
 
     <bean id="srv-fedizhelloworld" 
class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
         <property name="realm" 
value="urn:org:apache:cxf:fediz:fedizhelloworld" />
-        <property name="protocol" 
value="http://docs.oasis-open.org/wsfed/federation/200706"; />
+        <property name="protocol" 
value="urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser" />
         <property name="serviceDisplayName" value="Fedizhelloworld" />
-        <property name="serviceDescription" value="Web Application to 
illustrate WS-Federation" />
+        <property name="serviceDescription" value="Web Application to 
illustrate SAML SSO" />
         <property name="role" value="ApplicationServiceType" />
         <property name="tokenType" 
value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
 />
         <property name="lifeTime" value="3600" />
+        <property name="logoutEndpoint" value="https://localhost:8080/logout"; 
/>
         <property name="passiveRequestorEndpointConstraint" 
                   
value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
         <property name="validatingCertificate" value="realma.cert" />
