This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

SES-7: Single Logout #27

Closed
spring-projects-issues opened this issue Aug 27, 2009 · 2 comments
Labels
in: core (An issue in spring-security-saml-core); type: jira (An issue that was migrated from JIRA)

Comments

@spring-projects-issues

Mandus Elfving (Migrated from SES-7) said:

Implement support for Single Logout.

According to the thread at http://jira.springframework.org/browse/SEC-1004 Aslak Knutsen has already implemented it and could maybe be contacted for a working implementation?

@spring-projects-issues

Girish Kolantra Ramadevan said:

In AbstractProfileBase.java, the sendMessage method is written as follows

protected void sendMessage(boolean sign, SignableSAMLObject message, Endpoint endpoint, HttpServletResponse response) throws SAMLException, MessageEncodingException {

    BasicSAMLMessageContext<SAMLObject, SignableSAMLObject, SAMLObject> samlContext = new BasicSAMLMessageContext<SAMLObject, SignableSAMLObject, SAMLObject>();
    samlContext.setOutboundMessageTransport(new HttpServletResponseAdapter(response, false));
    // Only the SAML-typed outbound message is set; the generic outbound message is left null.
    samlContext.setOutboundSAMLMessage(message);
    samlContext.setPeerEntityEndpoint(endpoint);

    if (sign) {
        samlContext.setOutboundSAMLMessageSigningCredential(getSPSigningCredential());
    }

    MessageEncoder encoder = getEncoder(endpoint.getBinding());
    encoder.encode(samlContext);
}

In org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder the getEndpointURL is written as

protected String getEndpointURL(SAMLMessageContext messageContext) throws MessageEncodingException {
    Endpoint endpoint = messageContext.getPeerEntityEndpoint();
    if (endpoint == null) {
        throw new MessageEncodingException("Endpoint for relying party was null.");
    }

    // Response messages go to ResponseLocation when one is configured; note the check reads getOutboundMessage().
    if (messageContext.getOutboundMessage() instanceof StatusResponseType
            && !DatatypeHelper.isEmpty(endpoint.getResponseLocation())) {
        return endpoint.getResponseLocation();
    } else {
        if (DatatypeHelper.isEmpty(endpoint.getLocation())) {
            throw new MessageEncodingException("Relying party endpoint location was null or empty.");
        }
        return endpoint.getLocation();
    }
}

If you notice, AbstractProfileBase.sendMessage(..) above calls samlContext.setOutboundSAMLMessage(message), so the line messageContext.getOutboundMessage() in BaseSAML2MessageEncoder.getEndpointURL(..) would return null. So even for response messages (like a SAML LogoutResponse) endpoint.getLocation() would be used as the destination and not endpoint.getResponseLocation() (which is the one to be used for response messages).

Should we not add a line

    samlContext.setOutboundMessage(message);

in AbstractProfileBase.sendMessage(..) above?

@spring-projects-issues

Vladimir Schäfer said:

Yes Girish, you're right, the outboundMessage should be set in order to be correctly processed inside OpenSAML.
The call was added in revision 79.
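The corrected sendMessage that Girish asked for and Vladimir confirmed, followed by a check of the exact condition the encoder evaluates, as an added example rather than the revision 79 change itself. The enclosing class, the abstract getSPSigningCredential/getEncoder signatures and the OpenSAML 2.x package names are assumptions.

```java
import javax.servlet.http.HttpServletResponse;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.core.impl.LogoutResponseBuilder;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.ws.message.encoder.MessageEncoder;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.transport.http.HttpServletResponseAdapter;
import org.opensaml.xml.security.credential.Credential;

// Hypothetical stand-in for AbstractProfileBase; the two abstract methods mirror the calls quoted in the issue.
public abstract class ProfileBaseExample {

    protected abstract Credential getSPSigningCredential();
    protected abstract MessageEncoder getEncoder(String binding);

    protected void sendMessage(boolean sign, SignableSAMLObject message, Endpoint endpoint,
            HttpServletResponse response) throws SAMLException, MessageEncodingException {
        BasicSAMLMessageContext<SAMLObject, SignableSAMLObject, SAMLObject> samlContext =
                new BasicSAMLMessageContext<SAMLObject, SignableSAMLObject, SAMLObject>();
        samlContext.setOutboundMessageTransport(new HttpServletResponseAdapter(response, false));
        // BaseSAML2MessageEncoder.getEndpointURL tests getOutboundMessage() instanceof StatusResponseType;
        // setOutboundSAMLMessage alone leaves that field null, so a LogoutResponse would be routed to Location.
        samlContext.setOutboundMessage(message);
        samlContext.setOutboundSAMLMessage(message);
        samlContext.setPeerEntityEndpoint(endpoint);
        if (sign) {
            samlContext.setOutboundSAMLMessageSigningCredential(getSPSigningCredential());
        }
        MessageEncoder encoder = getEncoder(endpoint.getBinding());
        encoder.encode(samlContext);
    }

    // Reproduces the encoder's condition for a LogoutResponse, with and without the extra setter.
    static boolean encoderSeesResponse(boolean alsoSetOutboundMessage) {
        LogoutResponse logoutResponse = new LogoutResponseBuilder().buildObject();
        BasicSAMLMessageContext<SAMLObject, SignableSAMLObject, SAMLObject> ctx =
                new BasicSAMLMessageContext<SAMLObject, SignableSAMLObject, SAMLObject>();
        ctx.setOutboundSAMLMessage(logoutResponse);
        if (alsoSetOutboundMessage) {
            ctx.setOutboundMessage(logoutResponse);
        }
        return ctx.getOutboundMessage() instanceof StatusResponseType;
    }
}
```

encoderSeesResponse(false) reproduces the misrouting described above, encoderSeesResponse(true) the corrected behaviour.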

spring-projects-issues added the labels in: core and type: jira and closed this on Feb 5, 2016.