def testIsInvalidXML(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
Case Invalid XML
"""
message = OneLogin_Saml2_Utils.deflate_and_base64_encode(
'<xml>invalid</xml>')
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {}
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
response = OneLogin_Saml2_Logout_Response(settings, message)
self.assertTrue(response.is_valid(request_data))
settings.set_strict(True)
response_2 = OneLogin_Saml2_Logout_Response(settings, message)
self.assertFalse(response_2.is_valid(request_data))
def testGetStatus(self):
"""
Tests the get_status method of the OneLogin_Saml2_LogoutResponse
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
response = OneLogin_Saml2_Logout_Response(settings, message)
status = response.get_status()
self.assertEquals(status, OneLogin_Saml2_Constants.STATUS_SUCCESS)
dom = parseString(
OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
status_code_node = dom.getElementsByTagName('samlp:StatusCode')[0]
status_code_node.parentNode.removeChild(status_code_node)
xml = dom.toxml()
message_2 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_2 = OneLogin_Saml2_Logout_Response(settings, message_2)
self.assertIsNone(response_2.get_status())
def testConstructor(self):
"""
Tests the OneLogin_Saml2_LogoutResponse Constructor.
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
response = OneLogin_Saml2_Logout_Response(settings, message)
self.assertRegexpMatches(response.document.toxml(),
'<samlp:LogoutResponse')
def testQuery(self):
"""
Tests the private method __query of the OneLogin_Saml2_LogoutResponse
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
response = OneLogin_Saml2_Logout_Response(settings, message)
issuer = response.get_issuer()
self.assertEquals('http://idp.example.com/', issuer)
def testIsInValidDestination(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
Case invalid Destination
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {}
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
settings.set_strict(False)
response = OneLogin_Saml2_Logout_Response(settings, message)
self.assertTrue(response.is_valid(request_data))
settings.set_strict(True)
response_2 = OneLogin_Saml2_Logout_Response(settings, message)
self.assertFalse(response_2.is_valid(request_data))
self.assertIn('The LogoutResponse was received at',
response_2.get_error())
# Empty destination
dom = parseString(
OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
dom.firstChild.setAttribute('Destination', '')
xml = dom.toxml()
message_3 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_3 = OneLogin_Saml2_Logout_Response(settings, message_3)
self.assertTrue(response_3.is_valid(request_data))
# No destination
dom.firstChild.removeAttribute('Destination')
xml = dom.toxml()
message_4 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_4 = OneLogin_Saml2_Logout_Response(settings, message_4)
self.assertTrue(response_4.is_valid(request_data))
def testGetIssuer(self):
"""
Tests the get_issuer of the OneLogin_Saml2_LogoutResponse
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
response = OneLogin_Saml2_Logout_Response(settings, message)
issuer = response.get_issuer()
self.assertEquals('http://idp.example.com/', issuer)
dom = parseString(
OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
issuer_node = dom.getElementsByTagName('saml:Issuer')[0]
issuer_node.parentNode.removeChild(issuer_node)
xml = dom.toxml()
message_2 = OneLogin_Saml2_Utils.deflate_and_base64_encode(xml)
response_2 = OneLogin_Saml2_Logout_Response(settings, message_2)
issuer_2 = response_2.get_issuer()
self.assertIsNone(issuer_2)
def testBuildWithStatus(self):
"""
Tests the build method when called specifying a non-default status for the LogoutResponse.
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
response_builder = OneLogin_Saml2_Logout_Response(settings)
response_builder.build(
"InResponseValue",
status=OneLogin_Saml2_Constants.STATUS_REQUESTER)
generated_encoded_response = response_builder.get_response()
# Parse and verify the status of the response, as the receiver will do:
parsed_response = OneLogin_Saml2_Logout_Response(
settings, generated_encoded_response)
expectedFragment = (
' <samlp:Status>\n'
' <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />\n'
' </samlp:Status>\n')
self.assertIn(expectedFragment, parsed_response.get_xml())
self.assertEqual(parsed_response.get_status(),
OneLogin_Saml2_Constants.STATUS_REQUESTER)
def testIsInValidRequestId(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
Case invalid request Id
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {}
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
message = self.file_contents(
join(self.data_path, 'logout_responses',
'logout_response_deflated.xml.base64'))
plain_message = compat.to_string(
OneLogin_Saml2_Utils.decode_base64_and_inflate(message))
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
plain_message = plain_message.replace(
'http://stuff.com/endpoints/endpoints/sls.php', current_url)
message = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message)
request_id = 'invalid_request_id'
settings.set_strict(False)
response = OneLogin_Saml2_Logout_Response(settings, message)
self.assertTrue(response.is_valid(request_data, request_id))
settings.set_strict(True)
response_2 = OneLogin_Saml2_Logout_Response(settings, message)
self.assertFalse(response_2.is_valid(request_data, request_id))
self.assertIn('The InResponseTo of the Logout Response:',
response_2.get_error())
with self.assertRaisesRegexp(
Exception, 'The InResponseTo of the Logout Response:'):
response_2.is_valid(request_data,
request_id,
raise_exceptions=True)
def testGetXML(self):
"""
Tests that we can get the logout response XML directly without
going through intermediate steps
"""
response = self.file_contents(join(self.data_path, 'logout_responses', 'logout_response.xml'))
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
logout_response_generated = OneLogin_Saml2_Logout_Response(settings)
logout_response_generated.build("InResponseValue")
expectedFragment = (
'Destination="http://idp.example.com/SingleLogoutService.php"\n'
' InResponseTo="InResponseValue"\n>\n'
' <saml:Issuer>http://stuff.com/endpoints/metadata.php</saml:Issuer>\n'
' <samlp:Status>\n'
' <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />\n'
' </samlp:Status>\n'
'</samlp:LogoutResponse>'
)
self.assertIn(expectedFragment, logout_response_generated.get_xml())
logout_response_processed = OneLogin_Saml2_Logout_Response(settings, OneLogin_Saml2_Utils.deflate_and_base64_encode(response))
self.assertEqual(response, logout_response_processed.get_xml())
def testIsValidRaisesExceptionWhenRaisesArgumentIsTrue(self):
message = OneLogin_Saml2_Utils.deflate_and_base64_encode('<xml>invalid</xml>')
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {}
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
settings.set_strict(True)
response = OneLogin_Saml2_Logout_Response(settings, message)
self.assertFalse(response.is_valid(request_data))
with self.assertRaisesRegexp(OneLogin_Saml2_ValidationError, "Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd"):
response.is_valid(request_data, raise_exceptions=True)
def SAML_process_logout_request(self):
'''
HANDLE BACK CHANNEL LOGOUT POST FROM ASTRA
We recieve this message when the user has logged out
of another control panel, and must end their SAML session.
AN HTTP POST is not supported by the SAML Library, so
we have to manually process it.
'''
current_app.logger.debug(
'SAML_process_logout_request - POST DATA:{0}'.format(
self.saml_req))
saml_data = self.saml_req.get("post_data").get('SAMLRequest', None)
if saml_data is None:
current_app.logger.debug('>>>>>>>> SAML REQUEST NOT FOUND')
return abort(400)
# this is not a url, it uses the pre-loaded saml json settings
settings = OneLogin_Saml2_Settings(current_app.config["saml_settings"])
logout_request = OneLogin_Saml2_Logout_Request(settings, saml_data)
if not logout_request.is_valid({}):
current_app.logger.debug('>>>>>>>> SAML REQUEST IS NOT VALID')
return abort(400)
data = self.SAML_decode_logout_request(saml_data)
for session_index in \
OneLogin_Saml2_Logout_Request.get_session_indexes(data):
current_app.logger.debug(
"*** LOGOUT SESSION: {0}".format(session_index))
self.clear_session(session_index)
saml_response = OneLogin_Saml2_Logout_Response(settings)
saml_response.build(OneLogin_Saml2_Logout_Request.get_id(data))
response = make_response(
urllib.urlencode(
{'SAMLResponse': saml_response.get_response(False)}))
response.headers['Content-Type'] = 'application/x-www-form-urlencoded'
return response
def testCreateDeflatedSAMLLogoutResponseURLParameter(self):
"""
Tests the OneLogin_Saml2_LogoutResponse Constructor.
The creation of a deflated SAML Logout Response
"""
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
in_response_to = 'ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e'
response_builder = OneLogin_Saml2_Logout_Response(settings)
response_builder.build(in_response_to)
parameters = {'SAMLResponse': response_builder.get_response()}
logout_url = OneLogin_Saml2_Utils.redirect('http://idp.example.com/SingleLogoutService.php', parameters, True)
self.assertRegexpMatches(logout_url, r'^http://idp\.example\.com\/SingleLogoutService\.php\?SAMLResponse=')
url_parts = urlparse(logout_url)
exploded = parse_qs(url_parts.query)
inflated = OneLogin_Saml2_Utils.decode_base64_and_inflate(exploded['SAMLResponse'][0])
self.assertRegexpMatches(inflated, '^<samlp:LogoutResponse')
def testIsValidSignUsingX509certMulti(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {
'SAMLResponse': 'fZHbasJAEIZfJey9ZrNZc1gSodRSBKtQxYveyGQz1kCyu2Q24OM3jS21UHo3p++f4Z+CoGud2th3O/hXJGcNYXDtWkNqapVs6I2yQA0pAx2S8lrtH142Ssy5cr31VtuW3SH/E0CEvW+sYcF6VbLTIktFLMWZgxQR8DSP85wDB4GJGMOqShYVaoBUsOCIPY1kyUahEScacG3Ig/FjiUdyxuOZ4IcoUVGq4vSNBSsk3xjwE3Xx3qkwJD+cz3NtuxBN7WxjPN1F1NLcXdwob77tONiS7bZPm93zenvCqopxgVJmuU50jREsZF4noKWAOuNZJbNznnBky+LTDDVd2S+/dje1m+MVOtfidEER3g8Vt2fsPfiBfmePtsbgCO2A/9tL07TaD1ojEQuXtw0/ouFfD19+AA==',
'RelayState': 'http://stuff.com/endpoints/endpoints/index.php',
'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
'Signature': 'OV9c4R0COSjN69fAKCpV7Uj/yx6/KFxvbluVCzdK3UuortpNMpgHFF2wYNlMSG9GcYGk6p3I8nB7Z+1TQchMWZOlO/StjAqgtZhtpiwPcWryNuq8vm/6hnJ3zMDhHTS7F8KG4qkCXmJ9sQD3Y31UNcuygBwIbNakvhDT5Qo9Nsw='
}
}
settings_info = self.loadSettingsJSON('settings8.json')
settings_info['strict'] = False
settings = OneLogin_Saml2_Settings(settings_info)
logout_response = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertTrue(logout_response.is_valid(request_data))
def process_slo(self,
keep_local_session=False,
request_id=None,
delete_session_cb=None):
"""
Process the SAML Logout Response / Logout Request sent by the IdP.
:param keep_local_session: When false will destroy the local session, otherwise will destroy it
:type keep_local_session: bool
:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
:type request_id: string
:returns: Redirection url
"""
self.__errors = []
self.__error_reason = None
post_data = 'post_data' in self._SpidSaml2Auth__request_data and self._SpidSaml2Auth__request_data[
'post_data']
get_data = 'get_data' in self._SpidSaml2Auth__request_data and self._SpidSaml2Auth__request_data[
'get_data']
method = 'redirect'
if post_data:
get_data = post_data
method = 'post'
elif get_data and 'SAMLResponse' in get_data:
logout_response = SpidSaml2LogoutResponse(self.__settings,
get_data['SAMLResponse'],
method)
self._OneLogin_Saml2_Auth__last_response = logout_response.get_xml(
)
if not self.validate_response_signature(get_data):
self.__errors.append('invalid_logout_response_signature')
self.__errors.append(
'Signature validation failed. Logout Response rejected')
if not logout_response.is_valid(self.__request_data, request_id):
self.__errors.append('invalid_logout_response')
self.__error_reason = logout_response.get_error()
elif logout_response.get_status(
) != OneLogin_Saml2_Constants.STATUS_SUCCESS:
self.__errors.append('logout_not_success')
else:
self._OneLogin_Saml2_Auth__last_message_id = logout_response.id
if not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(
delete_session_cb)
elif get_data and 'SAMLRequest' in get_data:
logout_request = OneLogin_Saml2_Logout_Request(
self.__settings, get_data['SAMLRequest'])
self._OneLogin_Saml2_Auth__last_request = logout_request.get_xml()
if not self.validate_request_signature(get_data):
self.__errors.append("invalid_logout_request_signature")
self.__errors.append(
'Signature validation failed. Logout Request rejected')
elif not logout_request.is_valid(self.__request_data):
self.__errors.append('invalid_logout_request')
self.__error_reason = logout_request.get_error()
else:
if not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(
delete_session_cb)
in_response_to = logout_request.id
self._OneLogin_Saml2_Auth__last_message_id = logout_request.id
response_builder = OneLogin_Saml2_Logout_Response(
self.__settings, method)
response_builder.build(in_response_to)
self._OneLogin_Saml2_Auth__last_response = response_builder.get_xml(
)
logout_response = response_builder.get_response()
parameters = {'SAMLResponse': logout_response}
if 'RelayState' in self._OneLogin_Saml2_Auth__request_data[
'get_data']:
parameters['RelayState'] = self.__request_data['get_data'][
'RelayState']
security = self._OneLogin_Saml2_Auth__settings.get_security_data(
)
if security['logoutResponseSigned']:
self.add_response_signature(parameters,
security['signatureAlgorithm'])
return self.redirect_to(self.get_slo_url(), parameters)
else:
self.__errors.append('invalid_binding')
raise OneLogin_Saml2_Error(
'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND)
def testIsInValidSign(self):
"""
Tests the is_valid method of the OneLogin_Saml2_LogoutResponse
"""
request_data = {
'http_host': 'example.com',
'script_name': 'index.html',
'get_data': {}
}
settings = OneLogin_Saml2_Settings(self.loadSettingsJSON())
settings.set_strict(False)
request_data['get_data'] = {
'SAMLResponse': 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
'RelayState': 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
'SigAlg': 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
'Signature': 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
}
response = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertTrue(response.is_valid(request_data))
relayState = request_data['get_data']['RelayState']
del request_data['get_data']['RelayState']
inv_response = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(inv_response.is_valid(request_data))
request_data['get_data']['RelayState'] = relayState
settings.set_strict(True)
response_2 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_2.is_valid(request_data))
self.assertIn('Invalid issuer in the Logout Response', response_2.get_error())
settings.set_strict(False)
old_signature = request_data['get_data']['Signature']
request_data['get_data']['Signature'] = 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVf3333='
response_3 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_3.is_valid(request_data))
self.assertIn('Signature validation failed. Logout Response rejected', response_3.get_error())
request_data['get_data']['Signature'] = old_signature
old_signature_algorithm = request_data['get_data']['SigAlg']
del request_data['get_data']['SigAlg']
response_4 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertTrue(response_4.is_valid(request_data))
request_data['get_data']['RelayState'] = 'http://example.com/relaystate'
response_5 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_5.is_valid(request_data))
self.assertIn('Signature validation failed. Logout Response rejected', response_5.get_error())
settings.set_strict(True)
current_url = OneLogin_Saml2_Utils.get_self_url_no_query(request_data)
plain_message_6 = OneLogin_Saml2_Utils.decode_base64_and_inflate(request_data['get_data']['SAMLResponse'])
plain_message_6 = plain_message_6.replace('https://pitbulk.no-ip.org/newonelogin/demo1/index.php?sls', current_url)
plain_message_6 = plain_message_6.replace('https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php', 'http://idp.example.com/')
request_data['get_data']['SAMLResponse'] = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message_6)
response_6 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_6.is_valid(request_data))
self.assertIn('Signature validation failed. Logout Response rejected', response_6.get_error())
settings.set_strict(False)
response_7 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_7.is_valid(request_data))
self.assertIn('Signature validation failed. Logout Response rejected', response_7.get_error())
request_data['get_data']['SigAlg'] = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
response_8 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_8.is_valid(request_data))
self.assertIn('Signature validation failed. Logout Response rejected', response_8.get_error())
settings_info = self.loadSettingsJSON()
settings_info['strict'] = True
settings_info['security']['wantMessagesSigned'] = True
settings = OneLogin_Saml2_Settings(settings_info)
request_data['get_data']['SigAlg'] = old_signature_algorithm
old_signature = request_data['get_data']['Signature']
del request_data['get_data']['Signature']
request_data['get_data']['SAMLResponse'] = OneLogin_Saml2_Utils.deflate_and_base64_encode(plain_message_6)
response_9 = OneLogin_Saml2_Logout_Response(settings, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_9.is_valid(request_data))
self.assertIn('The Message of the Logout Response is not signed and the SP require it', response_9.get_error())
request_data['get_data']['Signature'] = old_signature
settings_info['idp']['certFingerprint'] = 'afe71c28ef740bc87425be13a2263d37971da1f9'
del settings_info['idp']['x509cert']
settings_2 = OneLogin_Saml2_Settings(settings_info)
response_10 = OneLogin_Saml2_Logout_Response(settings_2, request_data['get_data']['SAMLResponse'])
self.assertFalse(response_10.is_valid(request_data))
self.assertIn('In order to validate the sign on the Logout Response, the x509cert of the IdP is required', response_10.get_error())
def process_slo(self,
keep_local_session=False,
request_id=None,
delete_session_cb=None):
"""
Process the SAML Logout Response / Logout Request sent by the IdP.
:param keep_local_session: When false will destroy the local session, otherwise will destroy it
:type keep_local_session: bool
:param request_id: The ID of the LogoutRequest sent by this SP to the IdP
:type request_id: string
:returns: Redirection url
"""
self.__errors = []
if 'get_data' in self.__request_data and 'SAMLResponse' in self.__request_data[
'get_data']:
logout_response = OneLogin_Saml2_Logout_Response(
self.__settings,
self.__request_data['get_data']['SAMLResponse'])
if not logout_response.is_valid(self.__request_data, request_id):
self.__errors.append('invalid_logout_response')
self.__error_reason = logout_response.get_error()
elif logout_response.get_status(
) != OneLogin_Saml2_Constants.STATUS_SUCCESS:
self.__errors.append('logout_not_success')
elif not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
elif 'get_data' in self.__request_data and 'SAMLRequest' in self.__request_data[
'get_data']:
logout_request = OneLogin_Saml2_Logout_Request(
self.__settings,
self.__request_data['get_data']['SAMLRequest'])
if not logout_request.is_valid(self.__request_data):
self.__errors.append('invalid_logout_request')
self.__error_reason = logout_request.get_error()
else:
if not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(
delete_session_cb)
in_response_to = logout_request.id
response_builder = OneLogin_Saml2_Logout_Response(
self.__settings)
response_builder.build(in_response_to)
logout_response = response_builder.get_response()
parameters = {'SAMLResponse': logout_response}
if 'RelayState' in self.__request_data['get_data']:
parameters['RelayState'] = self.__request_data['get_data'][
'RelayState']
else:
parameters[
'RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(
self.__request_data)
security = self.__settings.get_security_data()
if 'logoutResponseSigned' in security and security[
'logoutResponseSigned']:
parameters['SigAlg'] = security['signatureAlgorithm']
parameters['Signature'] = self.build_response_signature(
logout_response, parameters.get('RelayState', None),
security['signatureAlgorithm'])
return self.redirect_to(self.get_slo_url(), parameters)
else:
self.__errors.append('invalid_binding')
raise OneLogin_Saml2_Error(
'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding',
OneLogin_Saml2_Error.SAML_LOGOUTMESSAGE_NOT_FOUND)
