Problem in Logout request for Post binding


Problem in Logout request for Post binding

rahul sharma
Hi, I have implemented single sign-on in my project recently using OpenSAML
V3.3. I implemented the sign-on and it's working, but now I need to implement
the Single Logout feature. I have created a logout request but could not
find any help to send this logout request using the POST binding.

My logout request is -

import org.joda.time.DateTime;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.SessionIndex;
import org.opensaml.saml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.SessionIndexBuilder;

private LogoutRequest prepareLogoutRequest(String username, String sessionIndex) {
    LogoutRequest logoutRequest = new LogoutRequestBuilder().buildObject();

    DateTime issueInstant = new DateTime();

    // Issuer is the SP entityID, as published in the SP metadata
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(SAMLConfiguration.spEntityId());

    // NameID identifies the principal whose IdP session should be terminated
    NameID nameId = new NameIDBuilder().buildObject();
    nameId.setFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:entity");
    nameId.setValue(username);

    // SessionIndex ties the request to the IdP session established at login
    SessionIndex sessionIndexElement = new SessionIndexBuilder().buildObject();
    sessionIndexElement.setSessionIndex(sessionIndex);

    // sets the mandatory attributes of a SAML 2.0 Request
    logoutRequest.setID(newId());
    logoutRequest.setIssueInstant(issueInstant);

    // idpEndpoint: the IdP SingleLogoutService endpoint taken from its metadata
    logoutRequest.setDestination(idpEndpoint.getLocation());
    // time at which the request expires, after which the recipient may discard the message
    logoutRequest.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + (5 * 60 * 1000)));
    logoutRequest.setIssuer(issuer);
    logoutRequest.setNameID(nameId);
    logoutRequest.getSessionIndexes().add(sessionIndexElement);
    // indicates the reason for the logout
    logoutRequest.setReason("Single Logout");

    return logoutRequest;
}

Now I don't know what to do next to post my logout request to the IDP.
I tried the code below to send the request but no luck

final MessageContext<SAMLObject> mc = new MessageContext<SAMLObject>();
mc.setMessage(logoutRequest);

try {
    final HTTPPostEncoder pe = new HTTPPostEncoder();
    pe.setHttpServletResponse(response);
    pe.setMessageContext(mc);
    pe.initialize();
    pe.prepareContext();
    pe.encode();
} catch (final MessageEncodingException | ComponentInitializationException e) {
    logger.warn("SAML2Request generation failed: {}", e.getMessage(), e);
}

This is the error I got - SAML2Request generation failed: VelocityEngine must be supplied
net.shibboleth.utilities.java.support.component.ComponentInitializationException: VelocityEngine must be supplied
        at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.doInitialize(HTTPPostEncoder.java:128) ~[opensaml-saml-impl-3.3.0.jar:na]
        at net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:61) ~[java-support-7.3.0.jar:na]
        at com.ixonos.idcs.mup.servlet.IDPLogoutServlet.service(IDPLogoutServlet.java:111) ~[classes/:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) [tomcat-embed-core-7.0.47.jar:7.0.47]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) [tomcat-embed-core-7.0.47.jar:7.0.47]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [tomcat-embed-core-7.0.47.jar:7.0.47]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) [tomcat-embed-core-7.0.47.jar:7.0.47]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [tomcat-embed-core-7.0.47.jar:7.0.47]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [tomcat-embed-core-7.0.47.jar:7.0.47]
        at com.ixonos.mup.profile.SessionFilter.doFilter(SessionFilter.java:99) [mup-1.3.11-SNAPSHOT.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) [tomcat-embed-core-7.0.47.jar:7.0.47]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) [tomcat-embed-core-7.0.47.jar:7.0.47]

Please help me to achieve this task. Thanks in advance!



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Developers-f1660781.html
--
To unsubscribe from this list send an email to [hidden email]

Re: Problem in Logout request for Post binding

Brent Putman


On 1/15/20 1:03 PM, rahul sharma wrote:
try {
    final HTTPPostEncoder pe = new HTTPPostEncoder();
    pe.setHttpServletResponse(response);
    pe.setMessageContext(mc);
    pe.initialize();
    pe.prepareContext();
    pe.encode();
} catch (final MessageEncodingException | ComponentInitializationException e) {
    logger.warn("SAML2Request generation failed: {}", e.getMessage(), e);
}

This is the error I got - SAML2Request generation failed: VelocityEngine must be supplied
net.shibboleth.utilities.java.support.component.ComponentInitializationException: VelocityEngine must be supplied
        at org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder.doInitialize(HTTPPostEncoder.java:128)


The error is pretty self-explanatory.  You must supply a VelocityEngine instance to the HTTPPostEncoder instance via the corresponding setter before you call initialize() on it.



Re: Problem in Logout request for Post binding

Luis Rodríguez Fernández
Hello Rahul,

Long time ago in a galaxy far, far away I implemented a SAML2Logout servlet for Oracle WebLogic: https://github.com/cerndb/wls-cern-sso/blob/master/saml2slo/src/ch/cern/security/saml2/servlet/SAML2sloServlet.java Maybe it can be of help to you. It makes no use of the OpenSAML API but builds the SAMLResponse correctly. You can have a look at this answer: https://stackoverflow.com/questions/8150096/construct-a-signed-saml2-logout-request

Hope it helps,

Luis

On Wed, 15 Jan 2020 at 23:49, Brent Putman (<[hidden email]>) wrote:

The error is pretty self-explanatory.  You must supply a VelocityEngine instance to the HTTPPostEncoder instance via the corresponding setter before you call initialize() on it.


--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett



Re: Problem in Logout request for Post binding

rahul sharma
In reply to this post by Brent Putman
Hi Brent,
Thanks for your reply. I am completely new to this SAML thing.
Let me explain my situation.

1. The user opens my application, and the home page is displayed.
2. The user clicks on the login button and is redirected to the IDP login page.
3. Now the user enters his credentials to log in, then the IDP sends a SAML response to
the assertion consumer provided in the SP metadata.xml.
4. My assertion consumer servlet parses the response, validates its
signature and allows the user to access the application.
5. Now the user is done with his work and logs out of my application, then I
clear all the sessions for my application and the user is redirected to the first
page with the login button.
6. Now the user clicks the login button again and is redirected to the IDP login,
but this time the IDP session is already there, so the IDP sends the SAML response
and the user is again inside my app.

Now I want to logout the user completely so I need to send a SLO request to
the IDP, to clear the IDP session.

Bindings in IDP Metadata are -

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://dev.jp.hondaweb.com/sps/hondasaml20fed/saml20/sloinitial?RequestBinding=HTTPPost"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://dev.jp.hondaweb.com/sps/hondasaml20fed/saml20/login"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://dev.jp.hondaweb.com/sps/hondasaml20fed/saml20/login"/>


So I have to use the POST binding to send the SLO request. I found some
examples to prepare the SLO request on
https://www.programcreek.com/java-api-examples/?api=org.opensaml.saml2.core.LogoutRequest

But how to send the prepared logout request to the IDP?
I have posted my current code in the last email but it does not send any request
anywhere. If I am on the right track then please tell me what I am missing or
what to do next to send the SLO request to the IDP.


Thanks,
Rahul





Re: Problem in Logout request for Post binding

Brent Putman


On 1/16/20 10:01 AM, rahul sharma wrote:


But how to send the prepared logout request to the IDP?
I have posted my current code in last email but It does not send any request
anywhere. If I am on right track then please tell me what I am missing or
what to do next to send the SLO req to IDP.


The issue is not with any of the actual login flow itself that you described.  The issue is that the Java encoder class you are using to send the logout request simply requires you to supply an instance of VelocityEngine in order to use it.  Velocity is a templating framework/library and is used by OpenSAML to render the HTML of the POST binding you are using.  You must instantiate an instance of the VelocityEngine class and pass it to the encoder class via setVelocityEngine(...) before you call initialize() on the encoder instance.



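Putting Brent's two answers into working form, here is an added example of a complete HTTP-POST send of the LogoutRequest built earlier in the thread. It is editorial code, not code from the thread, from OpenSAML or from Shibboleth. It assumes OpenSAML 3.3 with Velocity 1.7 on the classpath, that InitializationService.initialize() has already run (it must have, since the SSO flow works), an idpSloEndpoint resolved from the IdP metadata quoted above, an spSigningCredential holding the SP's private key and certificate, and an optional relayState; the class and method names are the editor's. Beyond supplying the VelocityEngine, it also sets the endpoint context the encoder reads to find the URL to POST to, and XML-signs the request, which an IdP should require before it terminates a session on an SP-initiated LogoutRequest.

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.binding.security.impl.SAMLOutboundProtocolMessageSigningHandler;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.support.SignatureConstants;

import net.shibboleth.utilities.java.support.component.ComponentInitializationException;

/** Editorial example (hypothetical class name): send a signed LogoutRequest with the HTTP-POST binding. */
public final class LogoutRequestPostSender {

    /**
     * The piece the thread's code was missing. HTTPPostEncoder renders the auto-submitting HTML form
     * from a Velocity template bundled in opensaml-saml-impl (/templates/saml2-post-binding.vm), so the
     * engine must be able to load templates from the classpath.
     */
    static VelocityEngine newVelocityEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8");
        engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8");
        engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
        engine.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
        engine.init();
        return engine;
    }

    /**
     * Assumptions: logoutRequest is the object from prepareLogoutRequest(); idpSloEndpoint is the
     * SingleLogoutService (HTTP-POST binding) from the IdP metadata; spSigningCredential holds the SP
     * signing key; relayState may be null.
     */
    static void sendLogoutRequest(HttpServletResponse response,
                                  LogoutRequest logoutRequest,
                                  SingleLogoutService idpSloEndpoint,
                                  Credential spSigningCredential,
                                  String relayState)
            throws ComponentInitializationException, MessageHandlerException, MessageEncodingException {

        MessageContext<SAMLObject> mc = new MessageContext<>();
        mc.setMessage(logoutRequest);

        // The encoder takes the form's action URL from peer-entity -> endpoint context, not from the message.
        SAMLPeerEntityContext peer = mc.getSubcontext(SAMLPeerEntityContext.class, true);
        SAMLEndpointContext endpointCtx = peer.getSubcontext(SAMLEndpointContext.class, true);
        endpointCtx.setEndpoint(idpSloEndpoint);
        // Destination must equal the URL the IdP receives the message on; a careful IdP rejects a mismatch.
        logoutRequest.setDestination(idpSloEndpoint.getLocation());

        if (relayState != null) {
            SAMLBindingSupport.setRelayState(mc, relayState);
        }

        // Enveloped XML signature over the LogoutRequest (the POST binding carries the whole message in
        // the SAMLRequest form field, so there is no query-string signature as with HTTP-Redirect).
        SignatureSigningParameters signingParams = new SignatureSigningParameters();
        signingParams.setSigningCredential(spSigningCredential);
        signingParams.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        signingParams.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
        signingParams.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        X509KeyInfoGeneratorFactory keyInfoFactory = new X509KeyInfoGeneratorFactory();
        keyInfoFactory.setEmitEntityCertificate(true);
        signingParams.setKeyInfoGenerator(keyInfoFactory.newInstance());
        mc.getSubcontext(SecurityParametersContext.class, true).setSignatureSigningParameters(signingParams);

        SAMLOutboundProtocolMessageSigningHandler signer = new SAMLOutboundProtocolMessageSigningHandler();
        signer.initialize();
        signer.invoke(mc); // signs mc.getMessage() in place, before it is marshalled and base64-encoded

        HTTPPostEncoder encoder = new HTTPPostEncoder();
        encoder.setVelocityEngine(newVelocityEngine()); // must be set before initialize()
        encoder.setHttpServletResponse(response);
        encoder.setMessageContext(mc);
        encoder.initialize();
        encoder.prepareContext();
        encoder.encode(); // writes the self-submitting form with SAMLRequest (and RelayState) to the response
    }
}
```

Two checks worth doing once this is wired in: the form's action URL and the Destination attribute should both be the SingleLogoutService Location from the IdP metadata (with the ?RequestBinding=HTTPPost query string intact), and the request should carry a ds:Signature element and, via the NameID and SessionIndex, refer to the exact session the IdP created at login; the NotOnOrAfter set in prepareLogoutRequest() bounds how long a captured form can be replayed. The java-support library that ships with OpenSAML also offers net.shibboleth.utilities.java.support.velocity.VelocityEngine.newVelocityEngine(), which builds an engine configured like the one above.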