

Fix SAML logout: needs to specify InResponseTo
<samlp:LogoutResponse/> must carry an InResponseTo attribute whose value is the ID of the <samlp:LogoutRequest> it answers.
spaceone committed Jun 11, 2020
1 parent cc6f220 commit 0856142
Showing 2 changed files with 6 additions and 3 deletions.
1 change: 1 addition & 0 deletions app/meteor-accounts-saml/server/saml_server.js
Expand Up @@ -592,6 +592,7 @@ const middleware = function(req, res, next) {
const { response } = _saml.generateLogoutResponse({
nameID: result.nameID,
sessionIndex: result.idpSession,
ID: result.ID,
});

_saml.logoutResponseToUrl(response, function(err, url) {
8 changes: 5 additions & 3 deletions app/meteor-accounts-saml/server/saml_utils.js
Expand Up @@ -111,16 +111,17 @@ SAML.prototype.generateAuthorizeRequest = function(req) {
return request;
};

SAML.prototype.generateLogoutResponse = function() {
SAML.prototype.generateLogoutResponse = function(options) {
const id = `_${ this.generateUniqueID() }`;
const instant = this.generateInstant();

const inResponseTo = options.ID ? `InResponseTo="${ options.ID }" ` : '';

const response = `${ '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
+ 'ID="' }${ id }" `
+ 'Version="2.0" '
+ `IssueInstant="${ instant }" `
+ `Destination="${ this.options.idpSLORedirectURL }" `
+ inResponseTo
+ '>'
+ `<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">${ this.options.issuer }</saml:Issuer>`
+ '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
Expand Down Expand Up @@ -389,6 +390,7 @@ SAML.prototype.validateLogoutRequest = function(samlRequest, callback) {
try {
const sessionNode = request.getElementsByTagNameNS('*', 'SessionIndex')[0];
const nameIdNode = request.getElementsByTagNameNS('*', 'NameID')[0];
const ID = request.getAttribute('ID');

if (!nameIdNode) {
throw new Error('SAML Logout Request: No NameID node found');
Expand All @@ -397,7 +399,7 @@ SAML.prototype.validateLogoutRequest = function(samlRequest, callback) {
const idpSession = sessionNode.childNodes[0].nodeValue;
const nameID = nameIdNode.childNodes[0].nodeValue;

return callback(null, { idpSession, nameID });
return callback(null, { idpSession, nameID, ID });
} catch (e) {
console.error(e);
debugLog(`Caught error: ${ e }`);
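Review bot: `options.ID` is interpolated into the attribute on the new line `const inResponseTo = options.ID ? ...` without XML escaping, yet it originates from `request.getAttribute('ID')` in validateLogoutRequest, i.e. from the inbound LogoutRequest rather than from local configuration. A value containing `"`, `<` or `&` would yield malformed XML or inject extra attributes or markup into the LogoutResponse handed back to the IdP. Escape it before interpolation (or reuse an XML-escape helper if saml_utils.js already has one): `const escapedID = String(options.ID).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');` and then `InResponseTo="${ escapedID }" `. Separately, the new `options` parameter has no default, so any caller still invoking `generateLogoutResponse()` with no argument now throws a TypeError on `options.ID`; `function(options = {})` keeps that path working. generateLogoutResponse continues past the end of the first hunk.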

