    def testGetIDFromSAMLLogoutRequest(self):
        """
        Checks that OneLogin_Saml2_Logout_Request.get_id extracts the same
        request ID whether it is handed the raw XML string or an
        already-parsed DOM of that document.
        """
        xml_path = join(self.data_path, 'logout_requests', 'logout_request.xml')
        raw_request = self.file_contents(xml_path)
        expected_id = 'ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e'

        # String input.
        self.assertEqual(expected_id, OneLogin_Saml2_Logout_Request.get_id(raw_request))

        # DOM input: same document, pre-parsed by the caller.
        parsed_request = parseString(raw_request)
        self.assertEqual(expected_id, OneLogin_Saml2_Logout_Request.get_id(parsed_request))
 def testGetIDFromDeflatedSAMLLogoutRequest(self):
     """
     Checks that get_id works on a LogoutRequest that arrived deflated and
     base64-encoded (the HTTP-Redirect binding form) once it has been
     inflated back to XML.
     """
     encoded_path = join(self.data_path, 'logout_requests', 'logout_request_deflated.xml.base64')
     encoded_request = self.file_contents(encoded_path)
     # Undo the Redirect-binding encoding before asking for the ID.
     inflated_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(encoded_request)
     self.assertEqual(
         'ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e',
         OneLogin_Saml2_Logout_Request.get_id(inflated_request),
     )
    def process_slo(self, keep_local_session=False, request_id=None, delete_session_cb=None):
        """
        Process a SAML LogoutResponse or LogoutRequest received from the IdP
        over the HTTP-Redirect binding (the message is read from GET data).

        :param keep_local_session: When False the local session is destroyed
                                   once the inbound message validates; when
                                   True the local session is left untouched.
        :type keep_local_session: bool

        :param request_id: The ID of the LogoutRequest this SP previously sent
                           to the IdP; handed to the LogoutResponse validation.
        :type request_id: string

        :param delete_session_cb: Optional callback passed through to
                                  OneLogin_Saml2_Utils.delete_local_session.

        :returns: Redirection url when an IdP LogoutRequest was handled and a
                  LogoutResponse has to be sent back; None otherwise.

        :raises OneLogin_Saml2_Error: when neither SAMLResponse nor SAMLRequest
                                      is present in the GET data.
        """
        self.__errors = []

        get_data = self.__request_data['get_data'] if 'get_data' in self.__request_data else {}

        # --- Inbound LogoutResponse: the IdP answering our own LogoutRequest ---
        if 'SAMLResponse' in get_data:
            logout_response = OneLogin_Saml2_Logout_Response(self.__settings, get_data['SAMLResponse'])
            if not logout_response.is_valid(self.__request_data, request_id):
                self.__errors.append('invalid_logout_response')
                self.__error_reason = logout_response.get_error()
                return None
            if logout_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS:
                self.__errors.append('logout_not_success')
                return None
            # Only a valid, successful response ends the local session.
            if not keep_local_session:
                OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
            return None

        # --- Inbound LogoutRequest: IdP-initiated logout, we must answer it ---
        if 'SAMLRequest' in get_data:
            logout_request = OneLogin_Saml2_Logout_Request(self.__settings, get_data['SAMLRequest'])
            if not logout_request.is_valid(self.__request_data):
                self.__errors.append('invalid_logout_request')
                self.__error_reason = logout_request.get_error()
                return None

            if not keep_local_session:
                OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)

            # The response must reference the request's ID (InResponseTo), so
            # decode the Redirect-binding payload again to read it.
            in_response_to = OneLogin_Saml2_Logout_Request.get_id(
                OneLogin_Saml2_Utils.decode_base64_and_inflate(get_data['SAMLRequest'])
            )
            response_builder = OneLogin_Saml2_Logout_Response(self.__settings)
            response_builder.build(in_response_to)
            logout_response = response_builder.get_response()

            parameters = {'SAMLResponse': logout_response}
            # RelayState is echoed back to the IdP unchanged, as the binding requires.
            if 'RelayState' in get_data:
                parameters['RelayState'] = get_data['RelayState']

            security = self.__settings.get_security_data()
            if security.get('logoutResponseSigned', False):
                # NOTE(review): the signature algorithm is hard-coded to RSA-SHA1;
                # SHA-1 is deprecated for signatures, so making this configurable
                # (e.g. RSA-SHA256 where the IdP accepts it) is worth considering.
                # Behaviour is kept as-is here.
                parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
                parameters['Signature'] = self.build_response_signature(logout_response, parameters.get('RelayState', None))

            return self.redirect_to(self.get_slo_url(), parameters)

        # Neither message present: only the HTTP-Redirect binding is handled here.
        self.__errors.append('invalid_binding')
        raise OneLogin_Saml2_Error(
            'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
            OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND
        )
    def process_slo(self, keep_local_session=False, request_id=None, delete_session_cb=None):
        """
        Process a SAML LogoutResponse or LogoutRequest received from the IdP
        over the HTTP-Redirect binding (the message is read from GET data).

        :param keep_local_session: When False the local session is destroyed
                                   once the inbound message validates; when
                                   True the local session is left untouched.
        :type keep_local_session: bool

        :param request_id: The ID of the LogoutRequest this SP previously sent
                           to the IdP; handed to the LogoutResponse validation.
        :type request_id: string

        :param delete_session_cb: Optional callback passed through to
                                  OneLogin_Saml2_Utils.delete_local_session.

        :returns: Redirection url when an IdP LogoutRequest was handled and a
                  LogoutResponse has to be sent back; None otherwise.

        :raises OneLogin_Saml2_Error: when neither SAMLResponse nor SAMLRequest
                                      is present in the GET data.
        """
        self.__errors = []

        has_get_data = 'get_data' in self.__request_data
        query = self.__request_data['get_data'] if has_get_data else {}

        if 'SAMLResponse' in query:
            # The IdP is answering a LogoutRequest we sent earlier.
            inbound_response = OneLogin_Saml2_Logout_Response(self.__settings, query['SAMLResponse'])
            if not inbound_response.is_valid(self.__request_data, request_id):
                self.__errors.append('invalid_logout_response')
            elif inbound_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS:
                self.__errors.append('logout_not_success')
            elif not keep_local_session:
                # Valid and successful: tear down the local session.
                OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
            return None

        if 'SAMLRequest' not in query:
            # Neither message present: only the HTTP-Redirect binding is handled here.
            self.__errors.append('invalid_binding')
            raise OneLogin_Saml2_Error(
                'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
                OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND
            )

        # IdP-initiated logout: validate, end the session, answer with a LogoutResponse.
        inflated_request = OneLogin_Saml2_Utils.decode_base64_and_inflate(query['SAMLRequest'])
        if not OneLogin_Saml2_Logout_Request.is_valid(self.__settings, inflated_request, self.__request_data):
            self.__errors.append('invalid_logout_request')
            return None

        if not keep_local_session:
            OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)

        # The response references the request's ID (InResponseTo).
        builder = OneLogin_Saml2_Logout_Response(self.__settings)
        builder.build(OneLogin_Saml2_Logout_Request.get_id(inflated_request))
        outbound_response = builder.get_response()

        parameters = {'SAMLResponse': outbound_response}
        # RelayState is echoed back to the IdP unchanged, as the binding requires.
        if 'RelayState' in query:
            parameters['RelayState'] = query['RelayState']

        security = self.__settings.get_security_data()
        if security.get('logoutResponseSigned', False):
            # NOTE(review): SigAlg is hard-coded to RSA-SHA1; SHA-1 is deprecated
            # for signatures, so a configurable algorithm (e.g. RSA-SHA256 where
            # the IdP accepts it) is worth considering. Behaviour kept as-is.
            parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
            parameters['Signature'] = self.build_response_signature(outbound_response, parameters.get('RelayState', None))

        return self.redirect_to(self.get_slo_url(), parameters)
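    def SAML_process_logout_request(self):
        '''
            Handle a back-channel logout POST from ASTRA.

            This message arrives when the user has logged out of another
            control panel and their SAML session here must be ended. The
            SAML library only handles the HTTP-Redirect binding for logout,
            so the POSTed request is processed by hand.

            Returns a Flask response whose body is a form-urlencoded
            SAMLResponse answering the request, or a 400 when no SAMLRequest
            is present or it fails validation.

            NOTE(review): the validity check below is called with an empty
            request_data, so it has neither a query-string Signature/SigAlg
            nor a current URL to check against. Whether a signature embedded
            in the POSTed XML is verified here is not visible from this code;
            confirm the library does so, otherwise any party able to POST to
            this endpoint can terminate sessions by session index.
        '''

        # NOTE(review): this logs the whole inbound payload at DEBUG level.
        current_app.logger.debug(
            'SAML_process_logout_request - POST DATA:{0}'.format(
                self.saml_req))

        # A missing "post_data" key previously raised AttributeError (500);
        # treat it the same as a missing SAMLRequest and answer 400.
        post_data = self.saml_req.get("post_data") or {}
        saml_data = post_data.get('SAMLRequest', None)

        if saml_data is None:
            current_app.logger.debug('>>>>>>>> SAML REQUEST NOT FOUND')
            return abort(400)

        # This is not a url; it uses the pre-loaded SAML JSON settings.
        settings = OneLogin_Saml2_Settings(current_app.config["saml_settings"])

        logout_request = OneLogin_Saml2_Logout_Request(settings, saml_data)

        # Validation happens before any session is touched.
        if not logout_request.is_valid({}):
            current_app.logger.debug('>>>>>>>> SAML REQUEST IS NOT VALID')
            return abort(400)

        data = self.SAML_decode_logout_request(saml_data)

        # End every local session the request names.
        for session_index in \
                OneLogin_Saml2_Logout_Request.get_session_indexes(data):

            current_app.logger.debug(
                "*** LOGOUT SESSION: {0}".format(session_index))
            self.clear_session(session_index)

        # Answer with a LogoutResponse referencing the request's ID.
        saml_response = OneLogin_Saml2_Logout_Response(settings)
        saml_response.build(OneLogin_Saml2_Logout_Request.get_id(data))

        # get_response(False): not deflated, since this goes in a POST body.
        response = make_response(
            urllib.urlencode(
                {'SAMLResponse': saml_response.get_response(False)}))
        response.headers['Content-Type'] = 'application/x-www-form-urlencoded'

        return response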