
Single Log Out with OpenSAML

To log a user out from the SP, a LogoutRequest is sent to the IdP. The data needed about the user are the SessionIndex and the NameID received at login — in my case from the Assertion in the Artifact Resolve Response — so both have to be kept in the SP session from login until logout.

 1//IPR Ergogroup AS
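/**
 * Performs a synchronous (SOAP back-channel) SAML 2.0 Single Logout for the
 * given HTTP session.
 *
 * <p>The NameID and SessionIndex stored in the session at login (attributes
 * {@code SAMLNameID} and {@code SAMLSessionIndex}) are put into a signed
 * LogoutRequest, which is sent to the IdP's SOAP-binding SingleLogoutService
 * endpoint taken from its metadata. The LogoutResponse is then handed,
 * together with our request ID, to {@code validateSLOResponse}, its signature
 * is checked by {@code verifySLOResponseSignature} and it is finally processed
 * by {@code processSLOResponse} (helpers not shown here).
 *
 * <p>This method does not invalidate {@code sessionToLogout}. The caller is
 * responsible for ending the local session whether or not the IdP round trip
 * succeeds; otherwise an unreachable or failing IdP leaves the user logged in
 * locally.
 *
 * @param sessionToLogout the local session holding the SAML login data
 * @param metaData        SP/IdP metadata used to locate the IdP's SLO endpoint
 * @throws IllegalStateException if the session carries no SAML NameID/SessionIndex
 *                               or the IdP metadata lists no SOAP-binding SLO endpoint
 * @throws SOAPException, ValidationException, MarshallingException, SignatureException
 *         and the remaining declared exceptions propagate from OpenSAML object
 *         building, signing, SOAP transport and response validation
 */
public static void doSynchronousLogout(final HttpSession sessionToLogout, final SAMLMetaData metaData) throws SOAPException, SecurityException, ValidationException, IllegalArgumentException, java.lang.SecurityException, IllegalAccessException, MarshallingException, SignatureException {
   NameID nameId = (NameID) sessionToLogout.getAttribute("SAMLNameID");
   String sessionIndex = (String) sessionToLogout.getAttribute("SAMLSessionIndex");
   if (nameId == null || sessionIndex == null) {
      // Without both identifiers the IdP cannot match the session; fail early
      // with a clear message instead of sending an unusable request (and
      // NPE-ing on nameId further down).
      throw new IllegalStateException("Session holds no SAML NameID/SessionIndex; was the user logged in via SAML?");
   }

   LogoutRequest logoutRequest = genererateLogoutRequest(nameId, sessionIndex, metaData);
   // Send to exactly the URL that is signed into the request's Destination
   // attribute, so the signed claim and the actual recipient cannot disagree.
   String sloServiceURL = logoutRequest.getDestination();
   if (sloServiceURL == null) {
      throw new IllegalStateException("IdP metadata lists no SingleLogoutService with the SOAP binding");
   }
   signLogoutRequest(logoutRequest);

   Body body = buildSAMLObjectWithDefaultName(Body.class);
   body.getUnknownXMLObjects().add(logoutRequest);
   // Kept from the original: the session-stored NameID is detached again only
   // after the request has been signed and placed in the body.
   // NOTE(review): in OpenSAML, detach() may also drop the parent's cached DOM;
   // confirm the signed DOM survives this call before moving it elsewhere.
   nameId.detach();
   Envelope envelope = buildSAMLObjectWithDefaultName(Envelope.class);
   envelope.setBody(body);

   // NOTE(review): this logs the whole request, i.e. the user's NameID and
   // SessionIndex; keep it at debug level in production.
   SAMLUtil.logSAMLObject(envelope);

   BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
   soapContext.setOutboundMessage(envelope);

   // NOTE(review): the back-channel carries the NameID/SessionIndex, so the SLO
   // location should be https (the sample metadata in this post uses http://)
   // and the HttpClient must validate the IdP's server certificate.
   HttpClientBuilder clientBuilder = new HttpClientBuilder();
   HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), new BasicParserPool());
   soapClient.send(sloServiceURL, soapContext);

   Envelope soapResponse = (Envelope) soapContext.getInboundMessage();
   SAMLUtil.logSAMLObject(soapResponse);

   // Correlate the response with our request ID and verify the IdP's
   // signature before anything in it is acted upon.
   validateSLOResponse(soapResponse, logoutRequest.getID());
   verifySLOResponseSignature(soapResponse);
   processSLOResponse(soapResponse);
}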
42 
43  
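/**
 * Builds an (unsigned) SAML 2.0 LogoutRequest for the user identified by
 * {@code nameId} and {@code sessionIndex}.
 *
 * <p>The request gets a secure-random ID (later used to correlate the
 * LogoutResponse's InResponseTo), the IdP's SOAP-binding SingleLogoutService
 * location as Destination, the current time as IssueInstant and this SP's
 * entity ID (property {@code SPEntityId}) as Issuer.
 *
 * @param nameId       the subject's NameID as received at login; must not be null
 * @param sessionIndex the IdP SessionIndex received at login
 * @param metaData     metadata used to locate the IdP's SLO endpoint
 * @return the populated, not yet signed LogoutRequest
 * @throws IllegalArgumentException if {@code nameId} is null
 * @throws IllegalStateException    if the IdP metadata lists no SOAP-binding SLO endpoint
 * @throws IllegalAccessException   propagated from OpenSAML object building
 */
private static LogoutRequest genererateLogoutRequest(final NameID nameId, final String sessionIndex, final SAMLMetaData metaData) throws IllegalArgumentException, java.lang.SecurityException, IllegalAccessException {
   if (nameId == null) {
      // A LogoutRequest without a subject identifier is invalid and would only
      // fail later (NPE in the caller); reject it here with a clear message.
      throw new IllegalArgumentException("nameId must not be null: a LogoutRequest needs a subject identifier");
   }
   String destination = findSoapSingleLogoutLocation(metaData);
   if (destination == null) {
      throw new IllegalStateException("IdP metadata lists no SingleLogoutService with the SOAP binding");
   }

   LogoutRequest logoutRequest = buildSAMLObjectWithDefaultName(LogoutRequest.class);
   // Unpredictable ID: the response is later matched on InResponseTo against it.
   logoutRequest.setID(SAMLUtil.getSecureRandomIdentifier());
   // Destination is covered by the signature and must equal the URL the
   // request is actually posted to.
   logoutRequest.setDestination(destination);
   logoutRequest.setIssueInstant(new DateTime());

   Issuer issuer = buildSAMLObjectWithDefaultName(Issuer.class);
   issuer.setValue(EvoteProperties.getProperty("SPEntityId"));
   logoutRequest.setIssuer(issuer);

   SessionIndex sessionIndexElement = buildSAMLObjectWithDefaultName(SessionIndex.class);
   sessionIndexElement.setSessionIndex(sessionIndex);
   logoutRequest.getSessionIndexes().add(sessionIndexElement);

   logoutRequest.setNameID(nameId);
   return logoutRequest;
}

/**
 * Returns the Location of the IdP's SingleLogoutService that uses the SAML 2.0
 * SOAP binding, or null if the IdP metadata declares none. If several are
 * listed, the last one wins (same choice as before).
 *
 * @param metaData metadata holding the IdP entity descriptor
 * @return the SOAP SLO endpoint URL, or null
 */
private static String findSoapSingleLogoutLocation(final SAMLMetaData metaData) {
   String location = null;
   for (SingleLogoutService sls : metaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) {
      if (SAMLConstants.SAML2_SOAP11_BINDING_URI.equals(sls.getBinding())) {
         location = sls.getLocation();
      }
   }
   return location;
}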
LogoutRequest sent (note that this test setup uses a plain http:// SLO endpoint and RSA-SHA1/SHA-1 for the signature; in production the SOAP back-channel should be https, and a SHA-256 based signature algorithm is preferable):

 1<?xml version="1.0"?>
 2<saml2p:logoutrequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" destination="http://myIDP.test.com:80/opensso/IDPSloSoap/metaAlias/idp1" id="_b39909314c537670d58b60136d98ce5f" issueinstant="2011-01-20T18:57:09.144Z" version="2.0">
 3  <saml2:issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">my-alias
 4</saml2:issuer>
 5  <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 6    <ds:signedinfo>
 7      <ds:canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
 8        <ds:signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
 9          <ds:reference uri="#_b39909314c537670d58b60136d98ce5f">
10            <ds:transforms>
11              <ds:transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
12                <ds:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
13		</ds:transform>
14              </ds:transform>
15            </ds:transforms>
16            <ds:digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
17              <ds:digestvalue>Sn7qX8Yf4Pcs6SLl4Yn0NyEx6P0=</ds:digestvalue>
18            </ds:digestmethod>
19          </ds:reference>
20        </ds:signaturemethod>
21      </ds:canonicalizationmethod>
22    </ds:signedinfo>
23    <ds:signaturevalue>cE3wgjeM+45uk/XVNQl+1NZKeRwRzFnJN9xaL/36vnXqu6eLBqs8eqdQ2a+yY9UkZz0gU1NrTqUMQgIANw1WfkL2a+sxQqqu2p4ggXKNwHiMWbyfPEUkxQM4wSwr3ECObjyVqrgPDA+4TiDyqPj2NBtZGo8WU3fvpOGQkQN19f0=</ds:signaturevalue>
24    <ds:keyinfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemalocation="http://www.w3.org/2000/09/xmldsig#">
25      <ds:x509data>
26        <ds:x509certificate>CERT</ds:x509certificate>
27      </ds:x509data>
28    </ds:keyinfo>
29  </ds:signature>
30  <saml:nameid xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" namequalifier="idporten" spnamequalifier="steras-idporten">puEYi51x6aylfgXbBJTLSTTxOqck</saml:nameid>
31  <saml2p:sessionindex>s2ce6f528812bbf545358af381cc864c575e9cb901</saml2p:sessionindex>
32</saml2p:logoutrequest>

This is the resulting LogoutResponse in my case. Before its Success status is acted on, the code above hands it together with the request ID to validateSLOResponse (its InResponseTo must match the ID of the request sent) and verifies the IdP's signature:

 1<?xml version="1.0"?>
 3<samlp:logoutresponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" id="sbf42f25f0d38af69316533b7b3ea46d509585e32" inresponseto="_b39909314c537670d58b60136d98ce5f" issueinstant="2011-01-20T18:57:09Z" version="2.0">
 4  <saml:issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp-alias
 5</saml:issuer>
 6  <signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 7    <signedinfo>
 8      <canonicalizationmethod algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
 9        <signaturemethod algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
10          <reference uri="#sbf42f25f0d38af69316533b7b3ea46d509585e32">
11            <transforms>
12              <transform algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
13                <transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
14		</transform>
15              </transform>
16            </transforms>
17            <digestmethod algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
18              <digestvalue>CDFFLlD2FX8fjlPJLKpJZRusnx0=</digestvalue>
19            </digestmethod>
20          </reference>
21        </signaturemethod>
22      </canonicalizationmethod>
23    </signedinfo>
24    <signaturevalue>
25cKgVEfLR48x7urpH+TV+V1gHYnVhc/ErkMhwp17rjAMfjHKHk0EPgH2+aOV7Z83udbfr0RPKF5Zd
26Mg0zq1KIm29RsqUsUYNKKNiYPlEkBIoHPcc2AhftpA/VNRjea7q2W9+y6XV2YWjzGnArrfflv1KM
271t5C89Vz/VB0jQdJvMU=
28</signaturevalue>
29  </signature>
30  <samlp:status>
31    <samlp:statuscode value="urn:oasis:names:tc:SAML:2.0:status:Success">
32</samlp:statuscode>
33    <samlp:statusmessage>
34Request is done successfully
35</samlp:statusmessage>
36  </samlp:status>
37</samlp:logoutresponse>