def logout(self, request, data, binding):
conf = get_config(request=request)
state = StateCache(request.session)
client = Saml2Client(conf, state_cache=state,
identity_cache=IdentityCache(request.session))
if 'SAMLResponse' in data:
# Logout started by us
client.parse_logout_request_response(data['SAMLResponse'], binding)
http_response = logout_completed()
else:
# Logout started by IdP
subject_id = _get_subject_id(request.session)
if subject_id is None:
http_response = logout_completed()
else:
http_info = client.handle_logout_request(data['SAMLRequest'], subject_id, binding,
relay_state=data.get('RelayState', ''))
http_response = HttpResponseRedirect(get_location(http_info))
state.sync()
user = request.user
if user.is_anonymous:
return http_response
Token.objects.get(user=user).delete()
auth.logout(request)
event_logger.saml2_auth.info(
'User {user_username} with full name {user_full_name} logged out successfully with SAML2.',
event_type='auth_logged_out_with_saml2', event_context={'user': user}
)
return http_response
def test_logout_service_global(self):
settings.SAML_CONFIG = conf.create_conf(sp_host='sp.example.com',
idp_hosts=['idp.example.com'])
self.do_login()
# now simulate a global logout process initiated by another SP
subject_id = views._get_subject_id(self.client.session)
instant = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
saml_request = '<samlp:LogoutRequest ID="_9961abbaae6d06d251226cb25e38bf8f468036e57e" Version="2.0" IssueInstant="%s" Destination="http://sp.example.com/saml2/ls/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:NameID SPNameQualifier="http://sp.example.com/saml2/metadata/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">%s</saml:NameID><samlp:SessionIndex>_1837687b7bc9faad85839dbeb319627889f3021757</samlp:SessionIndex></samlp:LogoutRequest>' % (
instant, subject_id)
response = self.client.get('/ls/', {
'SAMLRequest': deflate_and_base64_encode(saml_request),
})
self.assertEquals(response.status_code, 302)
location = response['Location']
url = urlparse.urlparse(location)
self.assertEquals(url.hostname, 'idp.example.com')
self.assertEquals(url.path,
'/simplesaml/saml2/idp/SingleLogoutService.php')
params = urlparse.parse_qs(url.query)
self.assert_('SAMLResponse' in params)
saml_response = params['SAMLResponse'][0]
expected_response = """<?xml version='1.0' encoding='UTF-8'?>
<samlp:LogoutResponse Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="a140848e7ce2bce834d7264ecdde0151" InResponseTo="_9961abbaae6d06d251226cb25e38bf8f468036e57e" IssueInstant="2010-09-05T09:10:12Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status></samlp:LogoutResponse>"""
xml = decode_base64_and_inflate(saml_response)
self.assertSAMLRequestsEquals(expected_response, xml)
def test_logout_service_global(self):
settings.SAML_CONFIG = conf.create_conf(sp_host='sp.example.com',
idp_hosts=['idp.example.com'])
self.do_login()
# now simulate a global logout process initiated by another SP
subject_id = views._get_subject_id(self.client.session)
instant = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
saml_request = '<samlp:LogoutRequest ID="_9961abbaae6d06d251226cb25e38bf8f468036e57e" Version="2.0" IssueInstant="%s" Destination="http://sp.example.com/saml2/ls/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.com/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:NameID SPNameQualifier="http://sp.example.com/saml2/metadata/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">%s</saml:NameID><samlp:SessionIndex>_1837687b7bc9faad85839dbeb319627889f3021757</samlp:SessionIndex></samlp:LogoutRequest>' % (
instant, subject_id)
response = self.client.get(
'/ls/', {
'SAMLRequest': deflate_and_base64_encode(saml_request),
})
self.assertEquals(response.status_code, 302)
location = response['Location']
url = urlparse.urlparse(location)
self.assertEquals(url.hostname, 'idp.example.com')
self.assertEquals(url.path,
'/simplesaml/saml2/idp/SingleLogoutService.php')
params = urlparse.parse_qs(url.query)
self.assert_('SAMLResponse' in params)
saml_response = params['SAMLResponse'][0]
expected_response = """<?xml version='1.0' encoding='UTF-8'?>
<samlp:LogoutResponse Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="a140848e7ce2bce834d7264ecdde0151" InResponseTo="_9961abbaae6d06d251226cb25e38bf8f468036e57e" IssueInstant="2010-09-05T09:10:12Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status></samlp:LogoutResponse>"""
xml = decode_base64_and_inflate(saml_response)
self.assertSAMLRequestsEquals(expected_response, xml)
def test_logout_service_global(self):
settings.SAML_CONFIG = conf.create_conf(
sp_host='sp.example.com',
idp_hosts=['idp.example.com'],
metadata_file='remote_metadata_one_idp.xml',
)
self.do_login()
# now simulate a global logout process initiated by another SP
subject_id = views._get_subject_id(self.client.session)
instant = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
saml_request = """<?xml version='1.0' encoding='UTF-8'?>
<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_9961abbaae6d06d251226cb25e38bf8f468036e57e" Version="2.0" IssueInstant="%s" Destination="http://sp.example.com/saml2/ls/"><saml:Issuer>https://idp.example.com/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:NameID SPNameQualifier="http://sp.example.com/saml2/metadata/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">%s</saml:NameID><samlp:SessionIndex>_1837687b7bc9faad85839dbeb319627889f3021757</samlp:SessionIndex></samlp:LogoutRequest>""" % (
instant, subject_id.text)
response = self.client.get(
reverse('saml2_ls'), {
'SAMLRequest': deflate_and_base64_encode(saml_request),
})
self.assertEqual(response.status_code, 302)
location = response['Location']
url = urlparse(location)
self.assertEqual(url.hostname, 'idp.example.com')
self.assertEqual(url.path,
'/simplesaml/saml2/idp/SingleLogoutService.php')
params = parse_qs(url.query)
self.assertIn('SAMLResponse', params)
saml_response = params['SAMLResponse'][0]
if 'Response xmlns' not in decode_base64_and_inflate(
saml_response).decode('utf-8'):
raise Exception('Not a valid Response')
def logout_ls_saml2_view(request, config_loader_path=None,
next_page=None):
"""SAML Logout Response endpoint
The IdP will send the logout response to this view,
which will process it with pysaml2 help and log the user
out.
Note that the IdP can request a logout even when
we didn't initiate the process as a single logout
request started by another SP.
"""
logger.debug('Logout service started')
"""Turn off saml2 """
_set_saml2_auth_used(request.session, False)
conf = get_config(config_loader_path, request)
state = StateCache(request.session)
client = Saml2Client(conf, state_cache=state,
identity_cache=IdentityCache(request.session),
logger=logger)
if 'SAMLResponse' in request.GET: # we started the logout
logger.debug('Receiving a logout response from the IdP')
response = client.logout_response(request.GET['SAMLResponse'],
binding=BINDING_HTTP_REDIRECT)
state.sync()
if response and response[1] == '200 Ok':
return logout_view(request)
else:
logger.error('Unknown error during the logout')
return HttpResponse('Error during logout')
elif 'SAMLRequest' in request.GET: # logout started by the IdP
logger.debug('Receiving a logout request from the IdP')
subject_id = _get_subject_id(request.session)
if subject_id is None:
logger.warning(
'The session does not contain the subject id for user %s. Performing local logout'
% request.user)
auth.logout(request)
return HttpResponse('Error during logout')
else:
response, success = client.logout_request(request.GET, subject_id)
state.sync()
if success:
logout_view(request)
assert response[0][0] == 'Location'
url = response[0][1]
return HttpResponseRedirect(url)
elif response is not None:
assert response[0][0] == 'Location'
url = response[0][1]
return HttpResponseRedirect(url)
else:
logger.error('Unknown error during the logout')
return HttpResponse('Error during logout')
else:
logger.error('No SAMLResponse or SAMLRequest parameter found')
raise Http404('No SAMLResponse or SAMLRequest parameter found')
def get(self, request, *args, **kwargs):
state, client = self.get_state_client(request)
subject_id = djangosaml2_views._get_subject_id(request.saml_session)
try:
identity = client.users.get_identity(subject_id,
check_not_on_or_after=False)
except AttributeError:
return HttpResponse("No active SAML identity found. "
"Are you sure you have logged in via SAML?")
return render(request, "spid_echo_attributes.html",
{"attributes": identity[0]})
def sign_out(request):
response = None
if settings.RELATE_SIGN_IN_BY_SAML2_ENABLED:
from djangosaml2.views import _get_subject_id, logout as saml2_logout
if _get_subject_id(request.session) is not None:
response = saml2_logout(request)
auth_logout(request)
if response is not None:
return response
else:
return redirect("relate-home")
def echo_attrs(request,
config_loader=config_settings_loader,
template='auth/echo_attributes.html'):
"""Example view that echo the SAML attributes of an user"""
state = StateCache(request.session)
conf = get_config_loader(config_loader, request)
client = Saml2Client(conf, state_cache=state,
identity_cache=IdentityCache(request.session),
logger=logger)
subject_id = _get_subject_id(request.session)
identity = client.users.get_identity(subject_id,
check_not_on_or_after=False)
return render_to_response(template, {'attributes': identity[0]},
context_instance=RequestContext(request))
def sign_out(request, redirect_field_name=REDIRECT_FIELD_NAME):
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
response = None
if settings.RELATE_SIGN_IN_BY_SAML2_ENABLED:
from djangosaml2.views import _get_subject_id, logout as saml2_logout
if _get_subject_id(request.session) is not None:
response = saml2_logout(request)
auth_logout(request)
if response is not None:
return response
elif redirect_to:
return redirect(redirect_to)
else:
return redirect("relate-home")
def sign_out(request, redirect_field_name=REDIRECT_FIELD_NAME):
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
response = None
if settings.RELATE_SIGN_IN_BY_SAML2_ENABLED:
from djangosaml2.views import _get_subject_id, logout as saml2_logout
if _get_subject_id(request.session) is not None:
response = saml2_logout(request)
auth_logout(request)
if response is not None:
return response
elif redirect_to:
return redirect(redirect_to)
else:
return redirect("relate-home")
def logout_saml2_view(request, config_loader_path=None, config_loader=config_settings_loader):
"""SAML Logout Request initiator
This view initiates the SAML2 Logout request
using the pysaml2 library to create the LogoutRequest.
"""
logger.debug('logout_saml2_view: Logout process started')
state = StateCache(request.session)
conf = get_config(config_loader_path, request)
#conf = get_config_loader(config_loader, request)
client = Saml2Client(conf, state_cache=state,
identity_cache=IdentityCache(request.session),
logger=logger)
subject_id = _get_subject_id(request.session)
session_id, code, head, body = client.global_logout(subject_id)
headers = dict(head)
state.sync()
logger.debug('logout_saml2_view: Redirecting to the IdP to continue the logout process')
return HttpResponseRedirect(headers['Location'])
def get(self, request):
state = StateCache(request.session)
conf = get_config(request=request)
client = Saml2Client(conf, state_cache=state, identity_cache=IdentityCache(request.session))
subject_id = _get_subject_id(request.session)
if subject_id is None:
return logout_failed(_('You cannot be logged out.'))
try:
result = client.global_logout(subject_id)
except KeyError:
return logout_failed(_('You are not logged in any IdP/AA.'))
state.sync()
if not result:
return logout_failed(_('You are not logged in any IdP/AA.'))
# Logout is supported only from 1 IdP
binding, http_info = result.values()[0]
return HttpResponseRedirect(get_location(http_info))
def sign_out(request, redirect_field_name=REDIRECT_FIELD_NAME):
if not request.user.is_authenticated:
messages.add_message(request, messages.ERROR,
_("You've already signed out."))
return redirect("relate-home")
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
response = None
if settings.RELATE_SIGN_IN_BY_SAML2_ENABLED:
from djangosaml2.views import _get_subject_id, logout as saml2_logout
if _get_subject_id(request.session) is not None:
response = saml2_logout(request)
auth_logout(request)
if response is not None:
return response
elif redirect_to:
return redirect(redirect_to)
else:
return redirect("relate-home")
def sign_out(request, redirect_field_name=REDIRECT_FIELD_NAME):
if not request.user.is_authenticated:
messages.add_message(request, messages.ERROR,
_("You've already signed out."))
return redirect("relate-home")
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
response = None
if settings.RELATE_SIGN_IN_BY_SAML2_ENABLED:
from djangosaml2.views import _get_subject_id, logout as saml2_logout
if _get_subject_id(request.session) is not None:
response = saml2_logout(request)
auth_logout(request)
if response is not None:
return response
elif redirect_to:
return redirect(redirect_to)
else:
return redirect("relate-home")
def spid_logout(request, config_loader_path=None, **kwargs):
"""SAML Logout Request initiator
This view initiates the SAML2 Logout request
using the pysaml2 library to create the LogoutRequest.
"""
if not request.user.is_authenticated:
return HttpResponseRedirect(settings.LOGOUT_REDIRECT_URL)
state = StateCache(request.saml_session)
conf = get_config(config_loader_path, request)
client = Saml2Client(conf,
state_cache=state,
identity_cache=IdentityCache(request.saml_session))
# whatever happens, however, the user will be logged out of this sp
auth.logout(request)
state.sync()
subject_id = djangosaml2_views._get_subject_id(request.saml_session)
if subject_id is None:
logger.warning(
f"The session does not contain the subject id for user {request.user}"
)
logger.error(
f"Looks like the user {subject_id} is not logged in any IdP/AA")
return HttpResponseBadRequest("You are not logged in any IdP/AA")
slo_req = saml2.samlp.LogoutRequest()
slo_req.destination = subject_id.name_qualifier
# spid-testenv2 preleva l'attribute consumer service dalla authnRequest (anche se questo sta già nei metadati...)
slo_req.attribute_consuming_service_index = "0"
issuer = saml2.saml.Issuer()
issuer.name_qualifier = client.config.entityid
issuer.text = client.config.entityid
issuer.format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
slo_req.issuer = issuer
# message id
slo_req.id = saml2.s_utils.sid()
slo_req.version = saml2.VERSION # "2.0"
slo_req.issue_instant = saml2.time_util.instant()
# oggetto
slo_req.name_id = subject_id
try:
session_info = client.users.get_info_from(slo_req.name_id,
subject_id.name_qualifier,
False)
except KeyError as e:
logger.error(f"SPID Logout error: {e}")
return HttpResponseRedirect("/")
session_indexes = [session_info["session_index"]]
# aggiungere session index
if session_indexes:
sis = []
for si in session_indexes:
if isinstance(si, saml2.samlp.SessionIndex):
sis.append(si)
else:
sis.append(saml2.samlp.SessionIndex(text=si))
slo_req.session_index = sis
slo_req.protocol_binding = SAML2_DEFAULT_BINDING
assertion_consumer_service_url = client.config._sp_endpoints[
"assertion_consumer_service"][0][0]
slo_req.assertion_consumer_service_url = assertion_consumer_service_url
slo_req_signed = client.sign(
slo_req,
sign_prepare=False,
sign_alg=settings.SPID_SIG_ALG,
digest_alg=settings.SPID_DIG_ALG,
)
_req_str = slo_req_signed
logger.debug(
f"LogoutRequest to {subject_id.name_qualifier}: {repr_saml_request(_req_str)}"
)
slo_location = client.metadata.single_logout_service(
subject_id.name_qualifier, SAML2_DEFAULT_BINDING,
"idpsso")[0]["location"]
if not slo_location:
error_message = f"Unable to know SLO endpoint in {subject_id.name_qualifier}"
logger.error(error_message)
return HttpResponse(error_message)
http_info = client.apply_binding(
SAML2_DEFAULT_BINDING,
_req_str,
slo_location,
sign=True,
sigalg=settings.SPID_SIG_ALG,
)
state.sync()
return HttpResponse(http_info["data"])
def spid_logout(request, config_loader_path=None, **kwargs):
"""SAML Logout Request initiator
This view initiates the SAML2 Logout request
using the pysaml2 library to create the LogoutRequest.
"""
state = StateCache(request.session)
conf = get_config(config_loader_path, request)
client = Saml2Client(conf, state_cache=state,
identity_cache=IdentityCache(request.session))
subject_id = _get_subject_id(request.session)
if subject_id is None:
logger.warning(
'The session does not contain the subject id for user %s',
request.user)
logger.error("Looks like the user %s is not logged in any IdP/AA", subject_id)
return HttpResponseBadRequest("You are not logged in any IdP/AA")
slo_req = saml2.samlp.LogoutRequest()
binding = settings.SPID_DEFAULT_BINDING
location_fixed = subject_id.name_qualifier
location = location_fixed
slo_req.destination = location_fixed
# spid-testenv2 preleva l'attribute consumer service dalla authnRequest (anche se questo sta già nei metadati...)
slo_req.attribute_consuming_service_index = "0"
# import pdb; pdb.set_trace()
issuer = saml2.saml.Issuer()
issuer.name_qualifier = client.config.entityid
issuer.text = client.config.entityid
issuer.format = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
slo_req.issuer = issuer
# message id
slo_req.id = saml2.s_utils.sid()
slo_req.version = saml2.VERSION # "2.0"
slo_req.issue_instant = saml2.time_util.instant()
# oggetto
slo_req.name_id = subject_id
session_info = client.users.get_info_from(slo_req.name_id,
subject_id.name_qualifier,
False)
session_indexes = [session_info['session_index']]
# aggiungere session index
if session_indexes:
sis = []
for si in session_indexes:
if isinstance(si, saml2.samlp.SessionIndex):
sis.append(si)
else:
sis.append(saml2.samlp.SessionIndex(text=si))
slo_req.session_index = sis
slo_req.protocol_binding = binding
assertion_consumer_service_url = client.config._sp_endpoints['assertion_consumer_service'][0][0]
slo_req.assertion_consumer_service_url = assertion_consumer_service_url
slo_req_signed = client.sign(slo_req, sign_prepare=False,
sign_alg=settings.SPID_ENC_ALG,
digest_alg=settings.SPID_DIG_ALG)
session_id = slo_req.id
_req_str = slo_req_signed
logger.debug('LogoutRequest to {}: {}'.format(subject_id.name_qualifier,
repr_saml(_req_str)))
# get slo from metadata
slo_location = None
# for k,v in client.metadata.metadata.items():
# idp_nq = v.entity.get(subject_id.name_qualifier)
# if idp_nq:
# slo_location = idp_nq['idpsso_descriptor'][0]['single_logout_service'][0]['location']
slo_location = client.metadata.single_logout_service(subject_id.name_qualifier,
binding,
"idpsso")[0]['location']
if not slo_location:
logger.error('Unable to know SLO endpoint in {}'.format(subject_id.name_qualifier))
return HttpResponse(text_type(e))
http_info = client.apply_binding(binding,
_req_str,
slo_location,
sign=True,
sigalg=settings.SPID_ENC_ALG)
state.sync()
return HttpResponse(http_info['data'])