Skip to content

Implement Single Logout Protocol #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
+65 −11
Open

Implement Single Logout Protocol #26

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
5706630
Add handler for /sso/sls endpoint for SingleLogoutService.
gonzomir Oct 31, 2018
bf94b24
Send LogoutRequest to IdP when user logs out.
gonzomir Oct 31, 2018
c3fd698
Stop fatal error on logout
Mar 5, 2019
395eb24
Fix SLS error message
Mar 12, 2019
aa1ccb7
Change default saml settings overrideable by wpsimplesaml_idp_metadat…
Mar 12, 2019
03d95d4
Merge pull request #6 from Skyscanner/fix/error-message
spacedmonkey Mar 12, 2019
a18dea8
Merge pull request #7 from Skyscanner/fix/allow-override
spacedmonkey Mar 12, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 4 additions & 10 deletions inc/admin/namespace.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,16 +73,10 @@ function get_config() {
return [];
}

$settings['sp'] = [
'entityId' => $sp_home_url,
'assertionConsumerService' => [
'url' => $sp_base_url . 'verify',
],
'singleLogoutService' => [
'url' => $sp_base_url . 'sls',
],
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
];
$settings['sp']['entityId'] = $sp_home_url;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't guarantee $settings['sp'] is set any more.

Suggested change
$settings['sp']['entityId'] = $sp_home_url;
if ( ! isset( $settings['sp'] ) {
$settings['sp'] = [];
}
$settings['sp']['entityId'] = $sp_home_url;

$settings['sp']['assertionConsumerService'] = [ 'url' => $sp_base_url . 'verify' ];
$settings['sp']['singleLogoutService'] = [ 'url' => $sp_base_url . 'sls' ];
$settings['sp']['NameIDFormat'] = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

return $settings;
}
Expand Down
62 changes: 61 additions & 1 deletion inc/namespace.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,13 +41,15 @@ function bootstrap() {
add_action( 'template_redirect', __NAMESPACE__ . '\\endpoint', 9 );
add_action( 'login_message', __NAMESPACE__ . '\\login_form_link' );
add_action( 'wp_authenticate', __NAMESPACE__ . '\\authenticate_with_sso' );
add_action( 'wp_logout', __NAMESPACE__ . '\\go_home' );
add_action( 'wp_logout', __NAMESPACE__ . '\\logout' );

add_action( 'wpsimplesaml_action_login', __NAMESPACE__ . '\\cross_site_sso' );
add_action( 'wpsimplesaml_action_verify', __NAMESPACE__ . '\\cross_site_sso' );
add_action( 'wpsimplesaml_action_sls', __NAMESPACE__ . '\\cross_site_sso' );

add_action( 'wpsimplesaml_action_login', __NAMESPACE__ . '\\action_login' );
add_action( 'wpsimplesaml_action_verify', __NAMESPACE__ . '\\action_verify' );
add_action( 'wpsimplesaml_action_sls', __NAMESPACE__ . '\\action_sls' );
add_action( 'wpsimplesaml_action_metadata', __NAMESPACE__ . '\\action_metadata' );

add_action( 'wpsimplesaml_user_created', __NAMESPACE__ . '\\map_user_roles', 10, 2 );
Expand Down Expand Up @@ -273,6 +275,43 @@ function action_verify() {
}
}

/**
* Handle sso/sls endpoint.
*
* @action wpsimplesaml_action_sls
*/
function action_sls() {
$saml = instance();

try {
/*
* If it's logout request, we just clear the user session. The user will be redirected to
* the IdP by the php-saml.
* If it's logout responce, the IdP has ended user's session, php-saml will not do
* anything else, so we will redirect at the end.
*/
$saml->processSLO( false, null, true, __NAMESPACE__ . '\signout' );
} catch ( \Exception $e ) {
$errors = $e->getMessage();
}

if ( $errors ) {
/* translators: %s = error message */
wp_die( sprintf( esc_html__( 'Error: Could not parse the logout response, please forward this error to your administrator: "%s"', 'wp-simple-saml' ), esc_html( $errors ) ) );
}

if ( ! empty( $saml->getErrors() ) ) {
$errors = implode( ', ', $saml->getErrors() );

/* translators: %s = error message */
wp_die( sprintf( esc_html__( 'Error: Could not parse the logout response, please forward this error to your administrator: "%s"', 'wp-simple-saml' ), esc_html( $errors ) ) );
}

$redirect_url = get_redirection_url();
wp_safe_redirect( $redirect_url );
exit;
}

/**
* Output metadata of SP
*
Expand Down Expand Up @@ -533,6 +572,27 @@ function signon( $user ) {
wp_set_auth_cookie( $user->ID, true, is_ssl() );
}

/**
* Sign out the user, delete session and auth cookie.
*/
function signout() {
wp_destroy_current_session();
wp_clear_auth_cookie();
}

/**
* Send LogoutRequest to IdP when user logs out.
*/
function logout() {
// Bail if no SAML2_Auth instance is available, mainly if no configuration was found
if ( ! instance() ) {
return;
}

$redirect_url = get_redirection_url();
instance()->logout( $redirect_url );
}

/**
* Forward IdP response to another site
*
Expand Down