feat(slo-redirect): added support for slo redirect

* modified logout vm views Signed-off-by: Rolain Djeumen <[email protected]>
GluuFederation · Jun 21, 2024 · 41af91a · 41af91a
1 parent 977670c
commit 41af91a
Show file tree

Hide file tree

Showing 4 changed files with 217 additions and 2 deletions.
diff --git a/shib-oxauth-authn/src/main/java/org/gluu/idp/externalauth/ShibOxAuthAuthServlet.java b/shib-oxauth-authn/src/main/java/org/gluu/idp/externalauth/ShibOxAuthAuthServlet.java
@@ -76,7 +76,7 @@
  * @author Yuriy Movchan
  * @version 0.1, 09/13/2018
  */
-@WebServlet(name = "ShibOxAuthAuthServlet", urlPatterns = { "/Authn/oxAuth/*" })
+@WebServlet(name = "ShibOxAuthAuthServlet", urlPatterns = { "/ceva/auth/*" })
 public class ShibOxAuthAuthServlet extends HttpServlet {
 
     private static final long serialVersionUID = -4864851392327422662L;

diff --git a/shib-oxauth-authn/src/main/java/org/gluu/idp/service/GluuCustomViewService.java b/shib-oxauth-authn/src/main/java/org/gluu/idp/service/GluuCustomViewService.java
@@ -1,13 +1,16 @@
 package org.gluu.idp.service;
 
 import java.util.function.Function;
+import java.util.Iterator;
 
 import net.shibboleth.idp.profile.context.RelyingPartyContext;
 import org.gluu.idp.model.GluuVanillaTrustRelationship;
 import org.gluu.idp.service.GluuVanillaTrustRelationshipService;
 
 import org.opensaml.messaging.context.navigate.ChildContextLookup;
 import org.opensaml.profile.context.ProfileRequestContext;
+import net.shibboleth.idp.profile.context.MultiRelyingPartyContext;
+import net.shibboleth.idp.session.context.LogoutContext;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -25,7 +28,17 @@ public GluuCustomViewService(final GluuVanillaTrustRelationshipService trService
         this.trService = trService;
     }
 
-    public String getRelyingPartyLogoutRedirectUrl(final ProfileRequestContext prContext) {
+    public String getRelyingPartyLogoutRedirectUrl(final ProfileRequestContext prContext, final MultiRelyingPartyContext mrpContext, LogoutContext logoutContext)  {
+
+
+        String ret = getRelyingPartyLogoutRedirectUrlFromPrContext(prContext);
+        if(ret == null) {
+            ret = getRelyingPartyLogoutRedirectUrlFromMultiRpContext(mrpContext,logoutContext);
+        }
+        return ret;
+    }
+
+    private String getRelyingPartyLogoutRedirectUrlFromPrContext(final ProfileRequestContext prContext) {
 
         try {
             log.debug("Getting logout url for the currently active relying party");
@@ -46,4 +59,29 @@ public String getRelyingPartyLogoutRedirectUrl(final ProfileRequestContext prCon
             return null;
         }
     }
+
+    private String getRelyingPartyLogoutRedirectUrlFromMultiRpContext(final MultiRelyingPartyContext mrpContext, final LogoutContext logoutContext) {
+
+        try {
+            log.debug("Getting logout url from MultiRelyingPartyContext and/or LogoutContext");
+            if(mrpContext == null || logoutContext == null) {
+                log.debug("MultiRelyingPartyContext object is null");
+                return null;
+            }
+
+            for(String relyingPartyId : logoutContext.getSessionMap().keySet()) {
+                log.debug("Processing relying party with id " + relyingPartyId);
+                GluuVanillaTrustRelationship tr = trService.findTrustRelationshipByRelyingParty(relyingPartyId);
+                if(tr != null && tr.getSpLogoutRedirectUrl() != null && !tr.getSpLogoutRedirectUrl().isEmpty()) {
+                    return tr.getSpLogoutRedirectUrl();
+                }
+            }
+            log.debug("No RelyingPartyContext iterated upon has a logout url");
+            return null;
+        }catch(Exception e) {
+            log.debug("Error while fetching logout url from MultiRelyingPartyContext",e);
+            return null;
+        }
+    }
+
 }
diff --git a/static/src/main/patches/020.update-auth-urls.patch b/static/src/main/patches/020.update-auth-urls.patch
@@ -0,0 +1,12 @@
+diff -aurN shibboleth-idp.orig/flows/authn/oxAuth/oxauth-authn-beans.xml shibboleth-idp/flows/authn/oxAuth/oxauth-authn-beans.xml
+--- shibboleth-idp.orig/flows/authn/oxAuth/oxauth-authn-beans.xml	2024-05-24 15:22:12.054834000 +0100
++++ shibboleth-idp/flows/authn/oxAuth/oxauth-authn-beans.xml	2024-05-24 17:38:18.034225689 +0100
+@@ -21,7 +21,7 @@
+
+        <!-- Default strategy function to obtain the external path. -->
+        <bean id="shibboleth.authn.oxAuth.externalAuthnPathStrategy" parent="shibboleth.Functions.Constant"
+-             c:target="#{getObject('shibboleth.authn.oxAuth.externalAuthnPath') ?: '%{idp.authn.oxAuth.externalAuthnPath:contextRelative:Authn/oxAuth}'.trim()}" />
++             c:target="#{getObject('shibboleth.authn.oxAuth.externalAuthnPath') ?: '%{idp.authn.oxAuth.externalAuthnPath:contextRelative:ceva/auth}'.trim()}" />
+
+        <import resource="conditional:%{idp.home}/conf/authn/oxauth-authn-config.xml" />
+
diff --git a/static/src/main/patches/021.update-logout-vm-views.patch b/static/src/main/patches/021.update-logout-vm-views.patch
@@ -0,0 +1,165 @@
+diff -aurN shibboleth-idp.orig/views/logout.vm shibboleth-idp/views/logout.vm
+--- shibboleth-idp.orig/views/logout.vm	2024-05-27 08:35:36.905698000 +0100
++++ shibboleth-idp/views/logout.vm	2024-05-27 14:03:48.764149244 +0100
+@@ -6,7 +6,7 @@
+ ## flowRequestContext - the Spring Web Flow RequestContext
+ ## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
+ ## profileRequestContext - root of context tree
+-## logoutContext - context with SPSession details for logout operation
++## logoutContext - context with SPSession details for logout operationAll
+ ## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata
+ ## encoder - HTMLEncoder class
+ ## request - HttpServletRequest
+@@ -20,7 +20,7 @@
+ #end
+ #set ($promptForIdP = $logoutContext and !$logoutContext.getIdPSessions().isEmpty())
+ #set ($promptForSP = $logoutContext and !$logoutContext.getSessionMap().isEmpty())
+-#set ($gluuLogoutRedirectUrl = $custom.getRelyingPartyLogoutRedirectUrl($profileRequestContext))
++#set ($gluuLogoutRedirectUrl = $custom.getRelyingPartyLogoutRedirectUrl($profileRequestContext,$multiRPContext,$logoutContext))
+ #set ($gluuLogoutRedirectMethod="get")
+ <!DOCTYPE html>
+ <html>
+@@ -30,103 +30,35 @@
+         <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+         <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0">
+         #if ($promptForSP)
+-            <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=propagate">
++            <!-- <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=propagate"> -->
+         #elseif ($promptForIdP)
+-            <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=local">
++            <!-- <meta http-equiv="refresh" content="10;url=$flowExecutionUrl&_eventId=local"> -->
+         #end
+         <link rel="stylesheet" type="text/css" href="$request.getContextPath()#springMessageText("idp.css", "/css/placeholder.css")">
+     </head>
+
+    <body>
+-        <main class="main">
+-            <header>
+-                <img class="main-logo" src="$request.getContextPath()/servlet/logo" alt="#springMessageText("idp.logo.alt-text", "logo")" />
+-            </header>
+-
+-            <section>
+-                <div class="output-message">
+-                    <p><strong>Note for deployers:</strong> This page is displayed when a logout operation at the Identity Provider completes.
+-                    This page is an example and should be customized. It is not fully internationalized because the presentation will be a highly localized decision,
+-                    and we don't have a good suggestion for a default.</p>
+-                </div>
+-    
+-            #if ($rpContext)
+-              <p>#springMessageText("idp.logout.sp-initiated", "You have been logged out of the following service:")</p>
+-              <blockquote>
+-              #if ($rpUIContext)
+-                  $encoder.encodeForHTML($rpUIContext.getServiceName())
+-              #else
+-                  $encoder.encodeForHTML($rpContext.getRelyingPartyId())
+-              #end
+-              </blockquote>
+-              <br>
+-            #end
+-            
+-            #if ($promptForIdP or $promptForSP)
+-              <p>#springMessageText("idp.logout.prompt", "Choose one of the following, or wait a few seconds for the default.")</p>
+-              <br>
+-
+-              <form id="propagate_form" method="POST" action="$flowExecutionUrl">
+-                
+-                  <p><button id="logout_local" type="submit" name="_eventId" value="local">#springMessageText("idp.logout.idponly", "Logout Locally")</button></p>
+-                  <p>#springMessageText("idp.logout.idponly.caption", "End your SSO session.")</p>
+-            #end
+-
+-            #if ($promptForSP)
+-                  <p><button id="logout_propagate" type="submit" name="_eventId" value="propagate">#springMessageText("idp.logout.global", "Logout Globally")</button></p>
+-                  <p>#springMessageText("idp.logout.global.caption", "End your SSO session and attempt logout of services accessed during session.")</p>
+-                  <p>#springMessageText("idp.logout.contactServices", "If instructed, the system will attempt to contact the following services:")</p>
+-                  <ol>
+-                  #foreach ($sp in $logoutContext.getSessionMap().keySet())
+-                    #set ($rpCtx = $multiRPContext.getRelyingPartyContextById($sp))
+-                    #if ($rpCtx)
+-                      #set ($rpUIContext = $rpCtx.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext"))
+-                    #end
+-                    #if ($rpUIContext and $rpUIContext.getServiceName())
+-                      <li>$encoder.encodeForHTML($rpUIContext.getServiceName())</li>
+-                    #else
+-                      <li>$encoder.encodeForHTML($sp)</li>
+-                    #end
+-                  #end
+-                  </ol>
+-            #end
+-
+-            #if ($promptForIdP)
+-                  <p><button class="button--secondary" id="logout_cancel" type="submit" name="_eventId" value="end">#springMessageText("idp.logout.cancel", "Cancel")</button></p>
+-                  <p>#springMessageText("idp.logout.cancel.caption", "Cancel logout and retain your SSO session.")</p>
+-            #end
+-            
+-            #if ($promptForIdP or $promptForSP)
+-              </form>
+-            #else
+-                <p><strong>#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")</strong></p>
+-                <!-- Complete the flow by adding a hidden iframe. -->
+-                <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
+-
+-                <!-- gluu logout redirect url -->
+-                #if($gluuLogoutRedirectUrl)
+-                <p>
+-                  <strong>
+-                   #springMessageText("idp.gluulogout.redirect-msg","You will be redirected shortly")
+-                  </strong>
+-                </p>
+-                <form id="f_logout_redirect" method="$gluuLogoutRedirectMethod" action="$gluuLogoutRedirectUrl">
+-                  <p>
+-                    <button class="button-secondary" type="submit" name="_gluu_action" value="redirect">
++      <main class="main">
++      
++       <section>
++         #if($gluuLogoutRedirectUrl)
++         <div class="output-message">
++           <p><strong>#springMessageText("idp.gluulogout.redirect-msg","You will be redirected shortly...")</strong></p>
++           <iframe style="display:none" src="$flowExecutionUrl&_eventId=proceed"></iframe>
++           <form id="f_logout_redirect" method="$gluuLogoutRedirectMethod" action="$gluuLogoutRedirectUrl">
++             <p>
++               <button class="button-secondary" type="submit" name="_gluu_action" value="redirect">
+                       #springMessageText("idp.gluu.logout.button","Click here if it's taking too long")
+-                    </button>
+-                  </p>
+-                </form>
+-                #end
+-            #end
+-
+-                <ul>
+-                    <li><a href="#springMessageText("idp.url.password.reset", '#')">#springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
+-                    <li><a href="#springMessageText("idp.url.helpdesk", '#')">#springMessageText("idp.login.needHelp", "Need Help?")</a></li>
+-                </ul>
+-            </section>
+-            #if($gluuLogoutRedirectUrl)
+-            <script type="text/javascript">
++               </button>
++             </p>
++           </form>
++         </div>
++         #end
++         
++       </section>
++       
++       #if($gluuLogoutRedirectUrl)
++         <script type="text/javascript">
+              function performRedirect() {
+
+                 var redir_form = document.getElementById("f_logout_redirect");
+@@ -135,13 +67,8 @@
+                 }
+              }
+              setTimeout(performRedirect,5000); // 5 seconds , making sure the hidden iframe to complete the flow has run 
+-            </script>
+-            #end
+-        </main>
+-        <footer class="footer">
+-            <div class="cc">
+-                <p>#springMessageText("idp.footer", "Insert your footer text here.")</p>
+-            </div>
+-        </footer>
+-    </body>
++        </script>
++      #end
++      </main>
++   </body>
+ </html>