I wanted to login

/But it was too long/ So I logged out /It was not much shorter/
2004-09-20 14:29:56 +00:00 · 2004-09-20 14:29:56 +00:00 · 38b0c08b95
parent 867b6fc5f8
commit 38b0c08b95
2 changed files with 320 additions and 0 deletions
--- a/docs/lasso-book/single-logout.process
+++ b/docs/lasso-book/single-logout.process
@ -0,0 +1,149 @@
+Single Log Out
+    SP
+        /singleLogout (* normative, Single Logout Service URL *)
+            logout = lasso_logout_new(server, lassoProviderTypeSp)
+
+            lasso_logout_process_request_msg(logout, /query string/)
+            IF error IS LASSO_PROFILE_ERROR_INVALID_QUERY
+                # Logout initiated by SP, now
+                lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
+                lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
+                lasso_logout_init_request(logout, idpProviderId, lassoHttpMethodAny)
+                    # if idpProviderId is NULL the first one defined in the metadata will be picked
+                request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(logout)->request)
+                lasso_lib_authn_request_set_relayState(request, relayState)
+                    # relayState is an optional value set by the SP
+                lasso_logout_build_request_msg(logout)
+
+                IF LASSO_PROFILE(logout)->msg_body != NULL
+                    SOAP CALL
+                        TO LASSO_PROFILE(logout)->msg_url
+                        BODY LASSO_PROFILE(logout)->msg_body
+                    lasso_logout_process_response_msg(logout, soap_answer_message)
+                    IF error AND error != LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE
+                        BOOM
+                
+                /* ??? there is something here about identity and sessions ??? */
+
+                IF LASSO_PROFILE(logout)->msg_body == NULL
+                    REDIRECT TO LASSO_PROFILE(logout)->msg_url
+
+                DISPLAY HTML PAGE
+                    <h1>OK</h1>
+
+            ELIF NOT error
+                # Logout initiated by IdP
+
+                # use LASSO_PROFILE(logout)->nameIdentifier to get identity and session
+                lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
+                lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
+                lasso_logout_validate_request(logout)
+
+                IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
+                    identity = lasso_profile_get_identity(LASSO_PROFILE(login))
+                    # save identity;
+                    #   serialization with lasso_identity_dump(identity)
+
+                IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
+                    session = lasso_profile_get_session(LASSO_PROFILE(login))
+                    # save session;
+                    #   serialization with lasso_session_dump(session)
+                
+                lasso_logout_build_response_msg(logout)
+
+                IF LASSO_PROFILE(logout)->msg_body
+                    ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body)
+                ELSE
+                    REDIRECT TO LASSO_PROFILE(logout)->msg_url
+         
+    IdP
+        /singleLogout (* normative, Single Log-Out service URL *)
+            logout = lasso_logout_new(server, lassoProviderTypeIdp)
+            lasso_logout_process_request_msg(logout, /query string/, lassoHttpMethodRedirect)
+            IF error AND error IS NOT LASSO_PROFILE_ERROR_INVALID_QUERY
+                BOOM
+
+            IF error LASSO_PROFILE_ERROR_INVALID_QUERY
+                # initiate logout
+                # get identity and session from user authentication
+            ELSE
+                # get identity and session from LASSO_PROFILE(logout)->nameIdentifier
+
+            lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
+            lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
+
+            other_sp = lasso_logout_get_next_providerID(logout)
+            WHILE other_sp
+                lasso_logout_init_request(logout, other_sp, lassoHttpMethodAny)
+                lasso_logout_build_request_msg(logout)
+                IF LASSO_PROFILE(logout)->msg_body
+                    SOAP CALL
+                        TO LASSO_PROFILE(logout)->msg_url
+                        BODY LASSO_PROFILE(logout)->msg_body
+                    lasso_logout_process_response_msg(logout,
+                                soap_answer_message, lassoHttpMethodSoap)
+                other_sp = lasso_logout_get_next_providerID(logout)
+
+            lasso_logout_reset_providerID_index(logout)
+            other_sp = lasso_logout_get_next_providerID(logout)
+            IF other_sp
+                lasso_logout_init_request(logout, other_sp, lassoHttpMethodRedirect)
+                lasso_logout_build_request_msg(logout)
+                REDIRECT TO LASSO_PROFILE(logout)->msg_url
+
+           
+            DISPLAY HTML PAGE
+                <h1>OK</h1>
+
+    IdP
+        /soapEndPoint (* normative, SOAP endpoint *)
+            soap_msg # is the received SOAP message body
+            request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
+
+            IF request_type IS lassoRequestTypeLogout
+                logout = lasso_logout_new(server);
+                lasso_logout_process_request_msg(logout, soap_msg);
+
+                # get identity and session from LASSO_PROFILE(logout)->nameIdentifier
+                lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
+                lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
+
+                lasso_logout_validate_request(logout)
+                if error LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE
+                    lasso_logout_build_request_msg(logout)
+                    ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
+
+                # write down identity and session here
+
+                other_sp = lasso_logout_get_next_providerID(logout)
+
+                WHILE other_sp
+                    lasso_logout_init_request(logout, other_sp, lassoHttpMethodAny)
+                    lasso_logout_build_request_msg(logout)
+                    SOAP CALL
+                        TO LASSO_PROFILE(logout)->msg_url
+                        BODY LASSO_PROFILE(logout)->msg_body
+                    lasso_logout_process_response_msg(logout,
+                                soap_answer_message, lassoHttpMethodSoap)
+                    other_sp = lasso_logout_get_next_providerID(logout)
+
+                lasso_logout_build_response_msg(logout)
+                ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
+
+    SP
+        /soapEndPoint (* normative, SOAP endpoint *)
+
+            soap_msg # is the received SOAP message body
+            request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
+
+            IF request_type IS lassoRequestTypeLogout
+                logout = lasso_logout_new(server);
+                lasso_logout_process_request_msg(logout, soap_msg);
+
+                # sth to do with identity and session around here
+                lasso_logout_validate_request(logout)
+
+                lasso_logout_build_response_msg(logout)
+                ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
+
+
--- a/docs/lasso-book/single-sign-on.process
+++ b/docs/lasso-book/single-sign-on.process
@ -0,0 +1,171 @@
+Single Sign On
+    SP
+        /login (* url not normative *)
+            login = lasso_login_new(server)
+            lasso_login_init_authn_request(login, method)
+                # method = lassoHttpMethodRedirect or lassoHttpMethodPost
+            request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(login)->request)
+            lasso_lib_authn_request_set_forceAuthn(request, TRUE)
+            lasso_lib_authn_request_set_nameIDPolicy(request, policy)
+                # policy is one of:
+                #  - lassoLibNameIDPolicyTypeFederated
+                #  - (...)
+            lasso_lib_authn_request_set_consent(request, consent)
+                # consent is one of:
+                #  - lassoLibConsentObtained
+            lasso_lib_authn_request_set_relayState(request, relayState)
+                # relayState is an optional value set by the SP
+            lasso_login_build_authn_request_msg(login, idpProviderId)
+                # if idpProviderId is NULL the first one defined in the metadata will be picked
+            
+            IF lassoHttpMethodRedirect
+                REDIRECT TO LASSO_PROFILE(login)->msg_url
+            
+            IF lassoHttpMethodPost
+                DISPLAY HTML FORM
+                    <form action="** LASSO_PROFILE(login)->msg_url **" method="post">
+                     <input type="hidden" name="LAREQ"
+		     	value="** LASSO_PROFILE(login)->msg_body **"/>
+                    </form>
+
+
+    IdP
+        /singleSignOn (* normative, Single Sign On service URL *)
+            login = lasso_login_new(server)
+            lasso_profile_set_identity_from_dump(LASSO_PROFILE(login), identity_dump)
+                # if identity_dump exists
+            lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump)
+                # if session_dump exists
+            IF METHOD IS GET
+                authn_request_msg = /query string/
+            IF METHOD IS POST
+                authn_request_msg = /form submitted LAREQ field/
+            lasso_login_init_from_authn_request_msg(login, authn_request_msg)
+
+            IF lasso_login_must_authenticate(login)
+                # proceed to authentication
+                # may serialize login object now: lasso_login_dump(login)  
+
+                # (...)
+
+                # may be coming back from another function; another url
+                # unserialize with lasso_login_new_from_dump(dump)
+                userAuthenticated = TRUE
+
+            ELSE
+                userAuthenticated = TRUE
+                    # or FALSE if it was not authenticated previously
+
+            authenticationMethod = lassoSamlAuthenticationMethodPassword
+                # or lassoSamlAuthenticationMethodSoftwarePki or others
+                # (see ...)
+                # this is how the user has been authenticated
+
+            reauthenticationTime = "2004-04-01T00:00:00Z"
+                # this is when the user will have to be reauthenticated
+
+            IF login->protocolProfile IS lassoLoginProtocolProfileBrwsArt
+                lasso_login_build_artifact_msg(login, userAuthenticated,
+                    authenticationMethod, reauthenticationTime,
+                    lassoHttpMethodRedirect)
+
+            IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost
+                lasso_login_build_authn_response_msg(login, userAuthenticated,
+                    authenticationMethod, reauthenticationTime)
+
+            # map LASSO_PROFILE(login)->nameIdentifier to user
+            # (write this down in a database)
+
+            IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
+                identity = lasso_profile_get_identity(LASSO_PROFILE(login))
+                # save identity;
+                #   serialization with lasso_identity_dump(identity)
+
+            IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
+                session = lasso_profile_get_session(LASSO_PROFILE(login))
+                # save session;
+                #   serialization with lasso_session_dump(session)
+
+
+            IF login->protocolProfile IS lassoLoginProtocolProfileBrwsArt
+                assertion = lasso_login_get_assertion(login)
+                # save assertion; mapped to login->assertionArtifact  (|1|)
+                #   serialization with lasso_node_export(LASSO_NODE(assertion))
+                #    !!! LAME !!!
+        
+                REDIRECT TO LASSO_PROFILE(login)->msg_url
+
+            IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost
+                DISPLAY HTML FORM
+                    <form action="** LASSO_PROFILE(login)->msg_url **" method="post">
+                     <input type="hidden" name="LARES"
+		     	value="** LASSO_PROFILE(login)->msg_body **"/>
+                    </form>
+
+
+    SP
+        /assertionConsumer (* normative, assertion consumer service URL *)
+            login = lasso_login_new(server)
+            IF METHOD IS GET OR SUBMITTED FORM HAS LAREQ FIELD
+                    IF METHOD IS GET
+                        authn_request_msg = /query string/
+                        relayState = /query string, RelayState var/
+                        method = lassoHttpMethodRedirect
+                    IF METHOD IS POST
+                        authn_request_msg = /form submitted LAREQ field/
+                        relayState = /form submitted RelayState field/
+                        method = lassoHttpMethodPost
+
+                    lasso_login_init_request(login, authn_request_msg, method)
+                    lasso_login_build_request_msg(login)
+
+                    SOAP CALL ---------------------------------------------------------\
+                        TO LASSO_PROFILE(login)->msg_url                               |
+                        BODY LASSO_PROFILE(login)->msg_body
+
+                    lasso_login_process_response_msg(login, soap_answer_message)
+
+            ELSE IF SUBMITTED FORM HAS LARES FIELD
+                response_msg = /form submitted LARED field/
+                lasso_login_process_authn_response_msg(login, response_msg)
+                relayState = LASSO_PROFILE(login)->msg_RelayState
+
+            nameIdentifier = LASSO_PROFILE(login)->nameIdentifier
+
+            IF known nameIdentifier
+                # GET BACK identity_dump and session_dump
+                lasso_profile_set_identity_from_dump(LASSO_PROFILE(login, identity_dump)
+                lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump)
+
+            lasso_login_accept_sso(login)
+            
+            IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
+                identity = lasso_profile_get_identity(LASSO_PROFILE(login))
+                # save identity;
+                #   serialization with lasso_identity_dump(identity)
+
+            IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
+                session = lasso_profile_get_session(LASSO_PROFILE(login))
+                # save session;
+                #   serialization with lasso_session_dump(session)
+
+            
+            REDIRECT anywhere
+
+
+    IdP                                                                                |
+        /soapEndPoint (* normative, SOAP endpoint *)                              <----/
+            soap_msg # is the received SOAP message body
+            request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
+
+            IF request_type IS lassoRequestTypeLogin
+                login = lasso_login_new(server);
+                lasso_login_process_request_msg(login, soap_msg);
+                
+                # retrieve assertion_dump saved in (|1|) (and then delete it)
+                lasso_login_set_assertion_from_dump(login, assertion_dump)
+
+                lasso_login_build_response_msg(login)
+
+                ANSWER SOAP REQUEST WITH: LASSO_PROFILE(login)->msg_body
+