SAML improvements

aduan · Jan 24, 2019 · d31efbd · d31efbd
1 parent 428bae6
commit d31efbd
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 4 deletions.
diff --git a/documentation/docs/release-notes.md b/documentation/docs/release-notes.md
@@ -20,6 +20,7 @@ title: Release notes&#58;
 - Added `UserInfoOidcAuthenticator` to authenticate a user based on an access token received from an OpenID Connect login process
 - Updated the OpenID Connect/JWT dependencies (v6)
 - Added `DirectBearerAuthClient`
+- Handled the inResponseTo and the RelayState in the logout response (SAML)
 
 **v3.4.0**:
 

diff --git a/pac4j-saml/src/main/java/org/pac4j/saml/credentials/extractor/SAML2CredentialsExtractor.java b/pac4j-saml/src/main/java/org/pac4j/saml/credentials/extractor/SAML2CredentialsExtractor.java
@@ -34,7 +34,7 @@ public class SAML2CredentialsExtractor implements CredentialsExtractor<SAML2Cred
 
     protected final String spLogoutResponseBindingType;
 
-    protected final SAML2LogoutResponseBuilder saml2LogoutResponseBuilder;
+    protected SAML2LogoutResponseBuilder saml2LogoutResponseBuilder;
 
     protected final SAML2LogoutResponseMessageSender saml2LogoutResponseMessageSender;
 
@@ -58,7 +58,8 @@ public SAML2Credentials extract(final WebContext context) {
 
             // return a logout response if necessary
             final LogoutResponse logoutResponse = this.saml2LogoutResponseBuilder.build(samlContext);
-            this.saml2LogoutResponseMessageSender.sendMessage(samlContext, logoutResponse, null);
+            this.saml2LogoutResponseMessageSender.sendMessage(samlContext, logoutResponse,
+                samlContext.getSAMLBindingContext().getRelayState());
 
             final Pac4jSAMLResponse adapter = samlContext.getProfileRequestContextOutboundMessageTransportResponse();
             if (spLogoutResponseBindingType.equalsIgnoreCase(SAMLConstants.SAML2_POST_BINDING_URI)) {
@@ -75,4 +76,12 @@ public SAML2Credentials extract(final WebContext context) {
             return credentials;
         }
     }
+
+    public SAML2LogoutResponseBuilder getSaml2LogoutResponseBuilder() {
+        return saml2LogoutResponseBuilder;
+    }
+
+    public void setSaml2LogoutResponseBuilder(final SAML2LogoutResponseBuilder saml2LogoutResponseBuilder) {
+        this.saml2LogoutResponseBuilder = saml2LogoutResponseBuilder;
+    }
 }
diff --git a/pac4j-saml/src/main/java/org/pac4j/saml/logout/impl/SAML2LogoutResponseBuilder.java b/pac4j-saml/src/main/java/org/pac4j/saml/logout/impl/SAML2LogoutResponseBuilder.java
@@ -3,10 +3,12 @@
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.opensaml.core.xml.XMLObjectBuilderFactory;
+import org.opensaml.saml.common.SAMLObject;
 import org.opensaml.saml.common.SAMLObjectBuilder;
 import org.opensaml.saml.common.SAMLVersion;
 import org.opensaml.saml.common.messaging.context.SAMLSelfEntityContext;
 import org.opensaml.saml.saml2.core.*;
+import org.opensaml.saml.saml2.core.impl.RequestAbstractTypeImpl;
 import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder;
 import org.opensaml.saml.saml2.metadata.SingleLogoutService;
 import org.pac4j.saml.context.SAML2MessageContext;
@@ -52,6 +54,10 @@ protected final LogoutResponse buildLogoutResponse(final SAML2MessageContext con
         response.setVersion(SAMLVersion.VERSION_20);
         response.setDestination(ssoService.getLocation());
         response.setStatus(getSuccess());
+        final SAMLObject originalMessage = context.getMessage();
+        if (originalMessage != null && originalMessage instanceof RequestAbstractTypeImpl) {
+            response.setInResponseTo(((RequestAbstractTypeImpl) originalMessage).getID());
+        }
 
         return response;
     }

diff --git a/pac4j-saml/src/main/java/org/pac4j/saml/profile/impl/AbstractSAML2MessageReceiver.java b/pac4j-saml/src/main/java/org/pac4j/saml/profile/impl/AbstractSAML2MessageReceiver.java
@@ -1,5 +1,6 @@
 package org.pac4j.saml.profile.impl;
 
+import org.opensaml.saml.common.SAMLObject;
 import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
 import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
 import org.opensaml.saml.common.xml.SAMLConstants;
@@ -40,7 +41,9 @@ public Credentials receiveMessage(final SAML2MessageContext context) {
         final AbstractPac4jDecoder decoder = getDecoder(webContext);
 
         final SAML2MessageContext decodedCtx = new SAML2MessageContext(decoder.getMessageContext());
-        decodedCtx.setMessage(decoder.getMessageContext().getMessage());
+        final SAMLObject message = decoder.getMessageContext().getMessage();
+        decodedCtx.setMessage(message);
+        context.setMessage(message);
         decodedCtx.setSAMLMessageStorage(context.getSAMLMessageStorage());
 
         final SAMLBindingContext bindingContext = decodedCtx.getParent()
@@ -51,7 +54,9 @@ public Credentials receiveMessage(final SAML2MessageContext context) {
         decodedCtx.getSAMLBindingContext().setHasBindingSignature(bindingContext.hasBindingSignature());
         decodedCtx.getSAMLBindingContext().setIntendedDestinationEndpointURIRequired(bindingContext
             .isIntendedDestinationEndpointURIRequired());
-        decodedCtx.getSAMLBindingContext().setRelayState(bindingContext.getRelayState());
+        final String relayState = bindingContext.getRelayState();
+        decodedCtx.getSAMLBindingContext().setRelayState(relayState);
+        context.getSAMLBindingContext().setRelayState(relayState);
 
         final AssertionConsumerService acsService = context.getSPAssertionConsumerService();
         decodedCtx.getSAMLEndpointContext().setEndpoint(acsService);