successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex

Closes #23528 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2023-09-26 10:10:50 +03:00 · 2023-09-26 10:10:50 +03:00 · 24f105e8fc
commit 24f105e8fc
parent d61b1ddb09
4 changed files with 27 additions and 1 deletions
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
@ -329,8 +329,20 @@ public class SAMLEndpoint {
        }

        protected Response logoutRequest(LogoutRequestType request, String relayState) {
-            String brokerUserId = config.getAlias() + "." + request.getNameID().getValue();
+            if (request.getNameID() == null && request.getBaseID() == null && request.getEncryptedID() == null){
+                logger.error("SAML IdP Logout request must contain at least one of BaseID, NameID and EncryptedID");
+                event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
+                return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_LOGOUT_FAILURE);
+            }
+
            if (request.getSessionIndex() == null || request.getSessionIndex().isEmpty()) {
+                if (request.getNameID() == null){
+                    //TODO this need to be implemented
+                    logger.error("SAML IdP Logout request contains BaseID or EncryptedID without Session Index");
+                    event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
+                    return ErrorPage.error(session, null, Response.Status.NOT_IMPLEMENTED, Messages.IDENTITY_PROVIDER_LOGOUT_FAILURE);
+                }
+                String brokerUserId = config.getAlias() + "." + request.getNameID().getValue();
                AtomicReference<LogoutRequestType> ref = new AtomicReference<>(request);
                session.sessions().getUserSessionByBrokerUserIdStream(realm, brokerUserId)
                        .filter(userSession -> userSession.getState() != UserSessionModel.State.LOGGING_OUT &&
--- a/services/src/main/java/org/keycloak/services/messages/Messages.java
+++ b/services/src/main/java/org/keycloak/services/messages/Messages.java
@ -248,6 +248,8 @@ public class Messages {

    public static final String IDENTITY_PROVIDER_LOGIN_FAILURE = "identityProviderLoginFailure";

+    public static final String IDENTITY_PROVIDER_LOGOUT_FAILURE = "identityProviderLogoutFailure";
+
    public static final String INSUFFICIENT_LEVEL_OF_AUTHENTICATION = "insufficientLevelOfAuthentication";

    public static final String SUCCESS_LOGOUT = "successLogout";
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/saml/CreateLogoutRequestStepBuilder.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/saml/CreateLogoutRequestStepBuilder.java
@ -16,6 +16,7 @@
 */
 package org.keycloak.testsuite.util.saml;

+import org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType;
 import org.keycloak.testsuite.util.SamlClientBuilder;
 import org.keycloak.dom.saml.v2.assertion.NameIDType;
 import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
@ -41,6 +42,7 @@ public class CreateLogoutRequestStepBuilder extends SamlDocumentStepBuilder<Logo

    private Supplier<String> sessionIndex = () -> null;
    private Supplier<NameIDType> nameId = () -> null;
+    private Supplier<BaseIDAbstractType> baseId = () -> null;
    private Supplier<String> relayState = () -> null;
    private String signingPublicKeyPem;  // TODO: should not be needed
    private String signingPrivateKeyPem;
@ -95,6 +97,10 @@ public class CreateLogoutRequestStepBuilder extends SamlDocumentStepBuilder<Logo
        return nameId.get();
    }

+    public BaseIDAbstractType baseId() {
+        return baseId.get();
+    }
+
    public CreateLogoutRequestStepBuilder nameId(NameIDType nameId) {
        this.nameId = () -> nameId;
        return this;
@ -105,6 +111,11 @@ public class CreateLogoutRequestStepBuilder extends SamlDocumentStepBuilder<Logo
        return this;
    }

+    public CreateLogoutRequestStepBuilder baseId(Supplier<BaseIDAbstractType> baseId) {
+        this.baseId = baseId;
+        return this;
+    }
+
    public CreateLogoutRequestStepBuilder signWith(String signingPrivateKeyPem, String signingPublicKeyPem) {
        return signWith(signingPrivateKeyPem, signingPublicKeyPem, null);
    }
--- a/themes/src/main/resources/theme/base/login/messages/messages_en.properties
+++ b/themes/src/main/resources/theme/base/login/messages/messages_en.properties
@ -225,6 +225,7 @@ expiredActionMessage=Action expired. Please continue with login now.
 expiredActionTokenNoSessionMessage=Action expired.
 expiredActionTokenSessionExistsMessage=Action expired. Please start again.
 sessionLimitExceeded=There are too many sessions
+identityProviderLogoutFailure=SAML IdP Logout Failure

 missingFirstNameMessage=Please specify first name.
 missingLastNameMessage=Please specify last name.