+ Only use HTTP-Redirect to start the logout. This is guaranteed
+ to be supported in SAML 2.
+ """
+ self.debug("IdP-initiated SAML2 logout")
+ us = UserSession()
+ user = us.get_user()
+
+ saml_sessions = self.sessionfactory
+ # pylint: disable=unused-variable
+ (mech, session) = saml_sessions.get_next_logout(
+ logout_mechs=[lasso.SAML2_METADATA_BINDING_REDIRECT])
+ if session is None:
+ return
+
+ logout = self.idp.get_logout_handler()
+ logout.setSessionFromDump(session.login_session)
+ logout.initRequest(session.provider_id)
+ try:
+ logout.buildRequestMsg()
+ except lasso.Error, e:
+ self.error('failure to build logout request msg: %s' % e)
+ raise cherrypy.HTTPRedirect(400, 'Failed to log out user: %s '
+ % e)
+
+ # Add a fake session to indicate where the user should
+ # be redirected to when all SP's are logged out.
+ idpurl = self._root.instance_base_url()
+ session_id = "_" + uuid.uuid4().hex.upper()
+ saml_sessions.add_session(session_id, idpurl, user.name, "", "",
+ [lasso.SAML2_METADATA_BINDING_REDIRECT])
+ init_session = saml_sessions.get_session_by_id(session_id)
+ saml_sessions.start_logout(init_session, relaystate=idpurl)
+
+ # Add the logout request id we just created to the session to be
+ # logged out so that when it responds we can find the right
+ # session.
+ session.set_logoutstate(request_id=logout.request.id)
+ saml_sessions.start_logout(session, initial=False)
+
+ self.debug('Sending initial logout request to %s' % logout.msgUrl)
+ raise cherrypy.HTTPRedirect(logout.msgUrl)
+
+
+class IdpMetadataGenerator(object):
+
+ def __init__(self, url, idp_cert, expiration=None):
+ self.meta = metadata.Metadata(metadata.IDP_ROLE, expiration)
+ self.meta.set_entity_id('%s/saml2/metadata' % url)
+ self.meta.add_certs(idp_cert, idp_cert)
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
+ '%s/saml2/SSO/POST' % url)
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-redirect'],
+ '%s/saml2/SSO/Redirect' % url)
+ if is_lasso_ecp_enabled():
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-soap'],
+ '%s/saml2/SSO/SOAP' % url)
+ self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
+ '%s/saml2/SLO/Redirect' % url)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
+ self.meta.add_allowed_name_format(
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
+
+ def output(self, path=None):
+ return self.meta.output(path)
+
+
+class Installer(ProviderInstaller):