Single Log Out with OpenSAML


To log a user out from the SP, a LogoutRequest is sent to the IdP. The data needed about the user are the SessionIndex and the NameID received at login; in my case they come from the Assertion in the Artifact Resolve Response.

//IPR Ergogroup AS
// Imports for the OpenSAML 2.x API used below. buildSAMLObjectWithDefaultName, SAMLUtil,
// EvoteProperties and the three SLO response checks are project helpers not shown on this page.
import javax.servlet.http.HttpSession;

import org.joda.time.DateTime;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.ws.soap.client.BasicSOAPMessageContext;
import org.opensaml.ws.soap.client.http.HttpClientBuilder;
import org.opensaml.ws.soap.client.http.HttpSOAPClient;
import org.opensaml.ws.soap.common.SOAPException;
import org.opensaml.ws.soap.soap11.Body;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.validation.ValidationException;

public static void doSynchronousLogout(final HttpSession sessionToLogout, final SAMLMetaData metaData) throws SOAPException, SecurityException, ValidationException, IllegalArgumentException, java.lang.SecurityException, IllegalAccessException, MarshallingException, SignatureException {

  // NameID and SessionIndex were stored in the HTTP session at login (taken from the Assertion)
  NameID nameId = (NameID) sessionToLogout.getAttribute("SAMLNameID");
  String sessionIndex = (String) sessionToLogout.getAttribute("SAMLSessionIndex");

  // Wrap the signed LogoutRequest in a SOAP 1.1 Envelope
  Body body = buildSAMLObjectWithDefaultName(Body.class);

  LogoutRequest logoutRequest = generateLogoutRequest(nameId, sessionIndex, metaData);
  signLogoutRequest(logoutRequest);
  body.getUnknownXMLObjects().add(logoutRequest);
  nameId.detach();
  Envelope envelope = buildSAMLObjectWithDefaultName(Envelope.class);
  envelope.setBody(body);

  SAMLUtil.logSAMLObject(envelope);

  BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
  soapContext.setOutboundMessage(envelope);

  HttpClientBuilder clientBuilder = new HttpClientBuilder();
  HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), new BasicParserPool());

  // Pick the IdP SingleLogoutService endpoint that uses the SOAP binding from the IdP metadata
  String sloServiceURL = null;
  for (SingleLogoutService sls : metaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) {
    if (sls.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
      sloServiceURL = sls.getLocation();
    }
  }
  // Synchronous exchange: the IdP's LogoutResponse comes back in the same SOAP call
  soapClient.send(sloServiceURL, soapContext);

  Envelope soapResponse = (Envelope) soapContext.getInboundMessage();

  SAMLUtil.logSAMLObject(soapResponse);

  // The response must belong to this request, carry a valid IdP signature, and report success
  validateSLOResponse(soapResponse, logoutRequest.getID());
  verifySLOResponseSignature(soapResponse);
  processSLOResponse(soapResponse);
}

private static LogoutRequest generateLogoutRequest(final NameID nameId, final String sessionIndex, final SAMLMetaData metaData) throws IllegalArgumentException, java.lang.SecurityException, IllegalAccessException {
  LogoutRequest logoutRequest = buildSAMLObjectWithDefaultName(LogoutRequest.class);

  // Unpredictable request ID; the IdP must echo it in the response's InResponseTo
  logoutRequest.setID(SAMLUtil.getSecureRandomIdentifier());

  // Destination must be the endpoint the request is actually sent to
  for (SingleLogoutService sls : metaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) {
    if (sls.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
      logoutRequest.setDestination(sls.getLocation());
    }
  }

  logoutRequest.setIssueInstant(new DateTime());

  // The SP's own entityID identifies who is asking for the logout
  Issuer issuer = buildSAMLObjectWithDefaultName(Issuer.class);
  issuer.setValue(EvoteProperties.getProperty("SPEntityId"));
  logoutRequest.setIssuer(issuer);

  // SessionIndex plus NameID tell the IdP which session of which principal to terminate
  SessionIndex sessionIndexElement = buildSAMLObjectWithDefaultName(SessionIndex.class);
  sessionIndexElement.setSessionIndex(sessionIndex);
  logoutRequest.getSessionIndexes().add(sessionIndexElement);

  logoutRequest.setNameID(nameId);
  return logoutRequest;
}
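The three checks called at the end of doSynchronousLogout (validateSLOResponse, verifySLOResponseSignature, processSLOResponse) are not shown on this page. The class below is an added example, written for this edit and not taken from the original post, of how an SP can perform them with the OpenSAML 2.x API: it pulls the LogoutResponse out of the SOAP Body, binds it to the request through InResponseTo, checks Issuer, Destination and IssueInstant, verifies the enveloped signature against the IdP certificate, and only then reads the status. The class name SloResponseChecks, the method names, the clock-skew constant and the way the IdP certificate is passed in are assumptions; in a real SP the certificate comes from the IdP's metadata.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import org.joda.time.DateTime;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

/** Hypothetical helper (not from the original post): checks on a LogoutResponse carried in a SOAP 1.1 Envelope. */
public final class SloResponseChecks {

    /** Allowed clock skew between SP and IdP in milliseconds (assumed value). */
    private static final long CLOCK_SKEW_MS = 60 * 1000L;

    private SloResponseChecks() {}

    /** Extract the single LogoutResponse from the SOAP body, rejecting anything else. */
    public static LogoutResponse extractLogoutResponse(final Envelope envelope) throws ValidationException {
        if (envelope == null || envelope.getBody() == null) {
            throw new ValidationException("SOAP envelope has no body");
        }
        List<XMLObject> children = envelope.getBody().getUnknownXMLObjects();
        if (children.size() != 1 || !(children.get(0) instanceof LogoutResponse)) {
            throw new ValidationException("SOAP body must contain exactly one LogoutResponse");
        }
        return (LogoutResponse) children.get(0);
    }

    /** Bind the response to the request we sent and to the IdP we sent it to. */
    public static void validateLogoutResponse(final LogoutResponse response, final String expectedInResponseTo,
            final String expectedIssuer, final String expectedDestination) throws ValidationException {
        // InResponseTo must echo the ID of our LogoutRequest; otherwise a replayed or unrelated response would pass
        if (expectedInResponseTo == null || !expectedInResponseTo.equals(response.getInResponseTo())) {
            throw new ValidationException("InResponseTo does not match the sent LogoutRequest ID");
        }
        // Issuer must be the IdP entityID known from metadata
        if (response.getIssuer() == null || !expectedIssuer.equals(response.getIssuer().getValue())) {
            throw new ValidationException("Unexpected Issuer in LogoutResponse");
        }
        // Destination is optional over the SOAP binding, but when present it must name this SP's endpoint
        if (response.getDestination() != null && !response.getDestination().equals(expectedDestination)) {
            throw new ValidationException("LogoutResponse Destination does not match this SP");
        }
        // Reject responses issued too far from the current time
        DateTime issueInstant = response.getIssueInstant();
        if (issueInstant == null
                || Math.abs(issueInstant.getMillis() - System.currentTimeMillis()) > CLOCK_SKEW_MS) {
            throw new ValidationException("LogoutResponse IssueInstant outside allowed clock skew");
        }
    }

    /** Verify the enveloped XML signature against the IdP signing certificate (normally taken from metadata). */
    public static void verifySignature(final LogoutResponse response, final X509Certificate idpSigningCert)
            throws ValidationException {
        Signature signature = response.getSignature();
        if (signature == null) {
            throw new ValidationException("LogoutResponse is not signed");
        }
        // Profile check first: a single enveloped Reference to the signed element, allowed transforms only
        new SAMLSignatureProfileValidator().validate(signature);
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(idpSigningCert);
        // Throws ValidationException if the signature does not verify under this certificate's key
        new SignatureValidator(credential).validate(signature);
    }

    /** True only when the IdP reports the top-level Success status code. */
    public static boolean isSuccess(final LogoutResponse response) {
        return response.getStatus() != null
                && response.getStatus().getStatusCode() != null
                && StatusCode.SUCCESS_URI.equals(response.getStatus().getStatusCode().getValue());
    }

    /** Run the checks in order: extract, bind to the request, verify the signature, then read the status. */
    public static boolean checkLogoutResponse(final Envelope envelope, final String sentRequestId,
            final String idpEntityId, final String spSloEndpoint, final X509Certificate idpSigningCert)
            throws ValidationException {
        LogoutResponse response = extractLogoutResponse(envelope);
        validateLogoutResponse(response, sentRequestId, idpEntityId, spSloEndpoint);
        verifySignature(response, idpSigningCert);
        return isSuccess(response);
    }
}
```

In doSynchronousLogout the call would be checkLogoutResponse(soapResponse, logoutRequest.getID(), idpEntityId, spSloEndpoint, idpSigningCert), with the last three values read from the SP configuration and the IdP metadata. The status is read only after the signature verifies, so an unsigned or tampered "Success" is never acted on, and the session is invalidated locally only when the method returns true.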

LogoutRequest sent (only the element text survived extraction; the XML markup and attributes such as ID and IssueInstant were lost):

Issuer: my-alias

DigestValue: Sn7qX8Yf4Pcs6SLl4Yn0NyEx6P0=

SignatureValue: cE3wgjeM+45uk/XVNQl+1NZKeRwRzFnJN9xaL/36vnXqu6eLBqs8eqdQ2a+yY9UkZz0gU1NrTqUMQgIANw1WfkL2a+sxQqqu2p4ggXKNwHiMWbyfPEUkxQM4wSwr3ECObjyVqrgPDA+4TiDyqPj2NBtZGo8WU3fvpOGQkQN19f0=

X509Certificate:
MIIBrzCCARigAwIBAgIETTWluTANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExFzdGVyYXMuZXZh
bGcuZXJnbzAeFw0xMTAxMTgxNDM3NDVaFw0yMTAxMTUxNDM3NDVaMBwxGjAYBgNVBAMTEXN0ZXJh
cy5ldmFsZy5lcmdvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCy96UiOiuQcDQMVNorHKWC
u8lAqHCpdgL8SEKsBven1e9Bek5VSspQdyh8Q/t8hmISZq0oEEvtcbZivV1hGQKQIWjTU/utSxGl
ZDbPNweuxNH6JHiNzDSzbNiMkdBJcy/Szfdx8HGpbnpXrpU+ICNnQl5Ee2V48hlkcH7jwlCMzwID
AQABMA0GCSqGSIb3DQEBBQUAA4GBABxQKfXHtomdAlXd+umpCyUUOgcs5shu4HHXr9m48H+YPCXs
kLwqzDe49WWaX9h7cLClVsHviAccno52Pj7mQfjKgvg1J3JHhTLINTrbgZ1e7mNtiJ9Lez2awbIt
v7RKU+R2AyiU6wHsjPGN+CQuiT9lZNWQMOih1R+yHT04kkl8

NameID: puEYi51x6aylfgXbBJTLSTTxOqck

SessionIndex: s2ce6f528812bbf545358af381cc864c575e9cb901

This is the resulting LogoutResponse in my case (again only the element text survived; the StatusCode, carried as an attribute, is not visible here):

Issuer: idp-alias

DigestValue: CDFFLlD2FX8fjlPJLKpJZRusnx0=

SignatureValue:
cKgVEfLR48x7urpH+TV+V1gHYnVhc/ErkMhwp17rjAMfjHKHk0EPgH2+aOV7Z83udbfr0RPKF5Zd
Mg0zq1KIm29RsqUsUYNKKNiYPlEkBIoHPcc2AhftpA/VNRjea7q2W9+y6XV2YWjzGnArrfflv1KM
1t5C89Vz/VB0jQdJvMU=


The request completes successfully.

Reposted from: https://www.cnblogs.com/xzs603/archive/2013/01/07/2849754.html
