SAML: validate SLO request before building other SP SLO request (#111)
parent
aa190c7f35
commit
174026f44c
|
@ -329,14 +329,16 @@ sub issuerForUnAuthUser {
|
|||
$self->returnSOAPMessage();
|
||||
}
|
||||
|
||||
# Validate request if no previous error
|
||||
unless ( $self->validateLogoutRequest($logout) ) {
|
||||
$self->lmLog( "SLO request is not valid", 'error' );
|
||||
$self->returnSOAPMessage();
|
||||
}
|
||||
|
||||
# Try to send SLO request trough SOAP
|
||||
my $logout_dump = $logout->dump;
|
||||
$self->resetProviderIdIndex($logout);
|
||||
while ( my $providerID = $self->getNextProviderId($logout) ) {
|
||||
|
||||
# Do not process logout on SP that initiate the logout request
|
||||
next if ( $sp =~ /^$providerID$/ );
|
||||
|
||||
# Send logout request
|
||||
my ( $rstatus, $rmethod, $rinfo ) =
|
||||
$self->sendLogoutRequestToServiceProvider( $logout,
|
||||
|
@ -351,21 +353,6 @@ sub issuerForUnAuthUser {
|
|||
}
|
||||
}
|
||||
|
||||
# Rebuild Lasso::Logout object. All data have already been checked.
|
||||
$logout = $self->createLogout( $server, $logout_dump );
|
||||
if ($session) {
|
||||
$self->setSessionFromDump( $logout, $session );
|
||||
}
|
||||
if ($identity) {
|
||||
$self->setIdentityFromDump( $logout, $identity );
|
||||
}
|
||||
|
||||
# Validate request if no previous error
|
||||
unless ( $self->validateLogoutRequest($logout) ) {
|
||||
$self->lmLog( "SLO request is not valid", 'error' );
|
||||
$self->returnSOAPMessage();
|
||||
}
|
||||
|
||||
# Set RelayState
|
||||
if ($relaystate) {
|
||||
$logout->msg_relayState($relaystate);
|
||||
|
@ -1664,36 +1651,26 @@ sub issuerForAuthUser {
|
|||
return PE_ERROR
|
||||
unless ( $self->checkDestination( $logout->request, $url ) );
|
||||
|
||||
# Get session index
|
||||
my $session_index;
|
||||
eval { $session_index = $logout->request()->SessionIndex; };
|
||||
|
||||
# Proceed to logout on all others SP
|
||||
my $logout_dump = $logout->dump;
|
||||
my $provider_nb =
|
||||
$self->sendLogoutRequestToServiceProviders($logout);
|
||||
|
||||
# Rebuild Lasso::Logout object. All data have already been checked.
|
||||
$logout = $self->createLogout( $server, $logout_dump );
|
||||
if ($session) {
|
||||
$self->setSessionFromDump( $logout, $session );
|
||||
}
|
||||
if ($identity) {
|
||||
$self->setIdentityFromDump( $logout, $identity );
|
||||
}
|
||||
|
||||
# Validate request if no previous error
|
||||
unless ( $self->validateLogoutRequest($logout) ) {
|
||||
$self->lmLog( "SLO request is not valid", 'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Prepare logout on all others SP
|
||||
my $provider_nb =
|
||||
$self->sendLogoutRequestToServiceProviders($logout);
|
||||
|
||||
# Set RelayState
|
||||
if ($relaystate) {
|
||||
$logout->msg_relayState($relaystate);
|
||||
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
|
||||
}
|
||||
|
||||
# Get session index
|
||||
my $session_index;
|
||||
eval { $session_index = $logout->request()->SessionIndex; };
|
||||
|
||||
# SLO requests without session index are not accepted
|
||||
if ( $@ or !defined $session_index ) {
|
||||
$self->lmLog(
|
||||
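Review bot: In issuerForAuthUser the SessionIndex check still runs after `$self->sendLogoutRequestToServiceProviders($logout)`, so a request that is then rejected by the "SLO requests without session index are not accepted" branch appears to have already triggered logout requests to the other SPs. Going by the hunk counts (-36 +26), the commit moves `validateLogoutRequest` ahead of the propagation but moves the `eval { $session_index = $logout->request()->SessionIndex; };` read below it. Reading the session index and rejecting an undefined one before `my $provider_nb =` would keep every acceptance check ahead of any outbound request. The rejection branch continues past the end of the hunk, so what it returns is not visible here.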
|
|
|
@ -2464,9 +2464,6 @@ sub sendLogoutRequestToServiceProviders {
|
|||
my $providersCount = 0;
|
||||
my $info = '';
|
||||
|
||||
# Get EntityID
|
||||
my $entityID = $logout->remote_providerID();
|
||||
|
||||
# Reset providerID into Lasso::Logout object
|
||||
$self->resetProviderIdIndex($logout);
|
||||
|
||||
|
@ -2488,9 +2485,6 @@ sub sendLogoutRequestToServiceProviders {
|
|||
# appropriate logout request (HTTP,POST,SOAP).
|
||||
while ( my $providerID = $self->getNextProviderId($logout) ) {
|
||||
|
||||
# Do not process logout on SP that initiate the logout request
|
||||
next if ( $entityID && $entityID =~ /^$providerID$/ );
|
||||
|
||||
# Send logout request
|
||||
my ( $rstatus, $rmethod, $rinfo ) =
|
||||
$self->sendLogoutRequestToServiceProvider( $logout, $providerID,
|
||||
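Review bot: sendLogoutRequestToServiceProviders no longer states or enforces that the initiating SP is excluded from the loop. Going by the hunk counts (-9 +6 in both hunks), the `$entityID` lookup and the `next if ( $entityID && $entityID =~ /^$providerID$/ );` guard are dropped, so the exclusion now depends on the caller having run `validateLogoutRequest` first. Presumably validation removes the requester from the session so that `getNextProviderId` never returns it, but nothing visible here says so. I would add a comment above the `while` such as `# Caller must have validated $logout; validation is what keeps the requesting SP out of this loop`, so a future caller that skips validation does not send a logout request back to the initiator. The function body starts and ends outside these hunks.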
|
|