From 41af91a0a031815c4cb55bb1cda030e205b1b9be Mon Sep 17 00:00:00 2001 From: Rolain Djeumen Date: Fri, 21 Jun 2024 08:04:41 +0100 Subject: [PATCH] feat(slo-redirect): added support for slo redirect * modified logout vm views Signed-off-by: Rolain Djeumen --- .../externalauth/ShibOxAuthAuthServlet.java | 2 +- .../idp/service/GluuCustomViewService.java | 40 ++++- .../main/patches/020.update-auth-urls.patch | 12 ++ .../patches/021.update-logout-vm-views.patch | 165 ++++++++++++++++++ 4 files changed, 217 insertions(+), 2 deletions(-) create mode 100644 static/src/main/patches/020.update-auth-urls.patch create mode 100644 static/src/main/patches/021.update-logout-vm-views.patch diff --git a/shib-oxauth-authn/src/main/java/org/gluu/idp/externalauth/ShibOxAuthAuthServlet.java b/shib-oxauth-authn/src/main/java/org/gluu/idp/externalauth/ShibOxAuthAuthServlet.java index 060ec2a..2607764 100644 --- a/shib-oxauth-authn/src/main/java/org/gluu/idp/externalauth/ShibOxAuthAuthServlet.java +++ b/shib-oxauth-authn/src/main/java/org/gluu/idp/externalauth/ShibOxAuthAuthServlet.java @@ -76,7 +76,7 @@ * @author Yuriy Movchan * @version 0.1, 09/13/2018 */ -@WebServlet(name = "ShibOxAuthAuthServlet", urlPatterns = { "/Authn/oxAuth/*" }) +@WebServlet(name = "ShibOxAuthAuthServlet", urlPatterns = { "/ceva/auth/*" }) public class ShibOxAuthAuthServlet extends HttpServlet { private static final long serialVersionUID = -4864851392327422662L; diff --git a/shib-oxauth-authn/src/main/java/org/gluu/idp/service/GluuCustomViewService.java b/shib-oxauth-authn/src/main/java/org/gluu/idp/service/GluuCustomViewService.java index eca93b0..6c9bb5d 100644 --- a/shib-oxauth-authn/src/main/java/org/gluu/idp/service/GluuCustomViewService.java +++ b/shib-oxauth-authn/src/main/java/org/gluu/idp/service/GluuCustomViewService.java @@ -1,6 +1,7 @@ package org.gluu.idp.service; import java.util.function.Function; +import java.util.Iterator; import net.shibboleth.idp.profile.context.RelyingPartyContext; import org.gluu.idp.model.GluuVanillaTrustRelationship; @@ -8,6 +9,8 @@ import org.opensaml.messaging.context.navigate.ChildContextLookup; import org.opensaml.profile.context.ProfileRequestContext; +import net.shibboleth.idp.profile.context.MultiRelyingPartyContext; +import net.shibboleth.idp.session.context.LogoutContext; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -25,7 +28,17 @@ public GluuCustomViewService(final GluuVanillaTrustRelationshipService trService this.trService = trService; } - public String getRelyingPartyLogoutRedirectUrl(final ProfileRequestContext prContext) { + public String getRelyingPartyLogoutRedirectUrl(final ProfileRequestContext prContext, final MultiRelyingPartyContext mrpContext, LogoutContext logoutContext) { + + + String ret = getRelyingPartyLogoutRedirectUrlFromPrContext(prContext); + if(ret == null) { + ret = getRelyingPartyLogoutRedirectUrlFromMultiRpContext(mrpContext,logoutContext); + } + return ret; + } + + private String getRelyingPartyLogoutRedirectUrlFromPrContext(final ProfileRequestContext prContext) { try { log.debug("Getting logout url for the currently active relying party"); @@ -46,4 +59,29 @@ public String getRelyingPartyLogoutRedirectUrl(final ProfileRequestContext prCon return null; } } + + private String getRelyingPartyLogoutRedirectUrlFromMultiRpContext(final MultiRelyingPartyContext mrpContext, final LogoutContext logoutContext) { + + try { + log.debug("Getting logout url from MultiRelyingPartyContext and/or LogoutContext"); + if(mrpContext == null || logoutContext == null) { + log.debug("MultiRelyingPartyContext object is null"); + return null; + } + + for(String relyingPartyId : logoutContext.getSessionMap().keySet()) { + log.debug("Processing relying party with id " + relyingPartyId); + GluuVanillaTrustRelationship tr = trService.findTrustRelationshipByRelyingParty(relyingPartyId); + if(tr != null && tr.getSpLogoutRedirectUrl() != null && !tr.getSpLogoutRedirectUrl().isEmpty()) { + return tr.getSpLogoutRedirectUrl(); + } + } + log.debug("No RelyingPartyContext iterated upon has a logout url"); + return null; + }catch(Exception e) { + log.debug("Error while fetching logout url from MultiRelyingPartyContext",e); + return null; + } + } + } diff --git a/static/src/main/patches/020.update-auth-urls.patch b/static/src/main/patches/020.update-auth-urls.patch new file mode 100644 index 0000000..5cd25fd --- /dev/null +++ b/static/src/main/patches/020.update-auth-urls.patch @@ -0,0 +1,12 @@ +diff -aurN shibboleth-idp.orig/flows/authn/oxAuth/oxauth-authn-beans.xml shibboleth-idp/flows/authn/oxAuth/oxauth-authn-beans.xml +--- shibboleth-idp.orig/flows/authn/oxAuth/oxauth-authn-beans.xml 2024-05-24 15:22:12.054834000 +0100 ++++ shibboleth-idp/flows/authn/oxAuth/oxauth-authn-beans.xml 2024-05-24 17:38:18.034225689 +0100 +@@ -21,7 +21,7 @@ + + + ++ c:target="#{getObject('shibboleth.authn.oxAuth.externalAuthnPath') ?: '%{idp.authn.oxAuth.externalAuthnPath:contextRelative:ceva/auth}'.trim()}" /> + + + diff --git a/static/src/main/patches/021.update-logout-vm-views.patch b/static/src/main/patches/021.update-logout-vm-views.patch new file mode 100644 index 0000000..2981e11 --- /dev/null +++ b/static/src/main/patches/021.update-logout-vm-views.patch @@ -0,0 +1,165 @@ +diff -aurN shibboleth-idp.orig/views/logout.vm shibboleth-idp/views/logout.vm +--- shibboleth-idp.orig/views/logout.vm 2024-05-27 08:35:36.905698000 +0100 ++++ shibboleth-idp/views/logout.vm 2024-05-27 14:03:48.764149244 +0100 +@@ -6,7 +6,7 @@ + ## flowRequestContext - the Spring Web Flow RequestContext + ## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl) + ## profileRequestContext - root of context tree +-## logoutContext - context with SPSession details for logout operation ++## logoutContext - context with SPSession details for logout operationAll + ## multiRPContext - context with RelyingPartyContexts and possibly SP UI information from the metadata + ## encoder - HTMLEncoder class + ## request - HttpServletRequest +@@ -20,7 +20,7 @@ + #end + #set ($promptForIdP = $logoutContext and !$logoutContext.getIdPSessions().isEmpty()) + #set ($promptForSP = $logoutContext and !$logoutContext.getSessionMap().isEmpty()) +-#set ($gluuLogoutRedirectUrl = $custom.getRelyingPartyLogoutRedirectUrl($profileRequestContext)) ++#set ($gluuLogoutRedirectUrl = $custom.getRelyingPartyLogoutRedirectUrl($profileRequestContext,$multiRPContext,$logoutContext)) + #set ($gluuLogoutRedirectMethod="get") + + +@@ -30,103 +30,35 @@ + + + #if ($promptForSP) +- ++ + #elseif ($promptForIdP) +- ++ + #end + + + + +-
+-
+- +-
+- +-
+-
+-

Note for deployers: This page is displayed when a logout operation at the Identity Provider completes. +- This page is an example and should be customized. It is not fully internationalized because the presentation will be a highly localized decision, +- and we don't have a good suggestion for a default.

+-
+- +- #if ($rpContext) +-

#springMessageText("idp.logout.sp-initiated", "You have been logged out of the following service:")

+-
+- #if ($rpUIContext) +- $encoder.encodeForHTML($rpUIContext.getServiceName()) +- #else +- $encoder.encodeForHTML($rpContext.getRelyingPartyId()) +- #end +-
+-
+- #end +- +- #if ($promptForIdP or $promptForSP) +-

#springMessageText("idp.logout.prompt", "Choose one of the following, or wait a few seconds for the default.")

+-
+- +-
+- +-

+-

#springMessageText("idp.logout.idponly.caption", "End your SSO session.")

+- #end +- +- #if ($promptForSP) +-

+-

#springMessageText("idp.logout.global.caption", "End your SSO session and attempt logout of services accessed during session.")

+-

#springMessageText("idp.logout.contactServices", "If instructed, the system will attempt to contact the following services:")

+-
    +- #foreach ($sp in $logoutContext.getSessionMap().keySet()) +- #set ($rpCtx = $multiRPContext.getRelyingPartyContextById($sp)) +- #if ($rpCtx) +- #set ($rpUIContext = $rpCtx.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext")) +- #end +- #if ($rpUIContext and $rpUIContext.getServiceName()) +-
  1. $encoder.encodeForHTML($rpUIContext.getServiceName())
  2. +- #else +-
  3. $encoder.encodeForHTML($sp)
  4. +- #end +- #end +-
+- #end +- +- #if ($promptForIdP) +-

+-

#springMessageText("idp.logout.cancel.caption", "Cancel logout and retain your SSO session.")

+- #end +- +- #if ($promptForIdP or $promptForSP) +-
+- #else +-

#springMessageText("idp.logout.complete", "The logout operation is complete, and no other services appear to have been accessed during this session.")

+- +- +- +- +- #if($gluuLogoutRedirectUrl) +-

+- +- #springMessageText("idp.gluulogout.redirect-msg","You will be redirected shortly") +- +-

+-
+-

+- +-

+-
+- #end +- #end +- +- +-
+- #if($gluuLogoutRedirectUrl) +- +- #end +-
+- +- ++ ++ #end ++ ++ +