I wanted to login
/But it was too long/ So I logged out /It was not much shorter/
This commit is contained in:
parent
867b6fc5f8
commit
38b0c08b95
|
@ -0,0 +1,149 @@
|
|||
Single Log Out
|
||||
SP
|
||||
/singleLogout (* normative, Single Logout Service URL *)
|
||||
logout = lasso_logout_new(server, lassoProviderTypeSp)
|
||||
|
||||
lasso_logout_process_request_msg(logout, /query string/)
|
||||
IF error IS LASSO_PROFILE_ERROR_INVALID_QUERY
|
||||
# Logout initiated by SP, now
|
||||
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
|
||||
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
|
||||
lasso_logout_init_request(logout, idpProviderId, lassoHttpMethodAny)
|
||||
# if idpProviderId is NULL the first one defined in the metadata will be picked
|
||||
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(logout)->request)
|
||||
lasso_lib_authn_request_set_relayState(request, relayState)
|
||||
# relayState is an optional value set by the SP
|
||||
lasso_logout_build_request_msg(logout)
|
||||
|
||||
IF LASSO_PROFILE(logout)->msg_body != NULL
|
||||
SOAP CALL
|
||||
TO LASSO_PROFILE(logout)->msg_url
|
||||
BODY LASSO_PROFILE(logout)->msg_body
|
||||
lasso_logout_process_response_msg(logout, soap_answer_message)
|
||||
IF error AND error != LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE
|
||||
BOOM
|
||||
|
||||
/* ??? there is something here about identity and sessions ??? */
|
||||
|
||||
IF LASSO_PROFILE(logout)->msg_body == NULL
|
||||
REDIRECT TO LASSO_PROFILE(logout)->msg_url
|
||||
|
||||
DISPLAY HTML PAGE
|
||||
<h1>OK</h1>
|
||||
|
||||
ELIF NOT error
|
||||
# Logout initiated by IdP
|
||||
|
||||
# use LASSO_PROFILE(logout)->nameIdentifier to get identity and session
|
||||
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
|
||||
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
|
||||
lasso_logout_validate_request(logout)
|
||||
|
||||
IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
|
||||
identity = lasso_profile_get_identity(LASSO_PROFILE(login))
|
||||
# save identity;
|
||||
# serialization with lasso_identity_dump(identity)
|
||||
|
||||
IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
|
||||
session = lasso_profile_get_session(LASSO_PROFILE(login))
|
||||
# save session;
|
||||
# serialization with lasso_session_dump(session)
|
||||
|
||||
lasso_logout_build_response_msg(logout)
|
||||
|
||||
IF LASSO_PROFILE(logout)->msg_body
|
||||
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body)
|
||||
ELSE
|
||||
REDIRECT TO LASSO_PROFILE(logout)->msg_url
|
||||
|
||||
IdP
|
||||
/singleLogout (* normative, Single Log-Out service URL *)
|
||||
logout = lasso_logout_new(server, lassoProviderTypeIdp)
|
||||
lasso_logout_process_request_msg(logout, /query string/, lassoHttpMethodRedirect)
|
||||
IF error AND error IS NOT LASSO_PROFILE_ERROR_INVALID_QUERY
|
||||
BOOM
|
||||
|
||||
IF error LASSO_PROFILE_ERROR_INVALID_QUERY
|
||||
# initiate logout
|
||||
# get identity and session from user authentication
|
||||
ELSE
|
||||
# get identity and session from LASSO_PROFILE(logout)->nameIdentifier
|
||||
|
||||
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
|
||||
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
|
||||
|
||||
other_sp = lasso_logout_get_next_providerID(logout)
|
||||
WHILE other_sp
|
||||
lasso_logout_init_request(logout, other_sp, lassoHttpMethodAny)
|
||||
lasso_logout_build_request_msg(logout)
|
||||
IF LASSO_PROFILE(logout)->msg_body
|
||||
SOAP CALL
|
||||
TO LASSO_PROFILE(logout)->msg_url
|
||||
BODY LASSO_PROFILE(logout)->msg_body
|
||||
lasso_logout_process_response_msg(logout,
|
||||
soap_answer_message, lassoHttpMethodSoap)
|
||||
other_sp = lasso_logout_get_next_providerID(logout)
|
||||
|
||||
lasso_logout_reset_providerID_index(logout)
|
||||
other_sp = lasso_logout_get_next_providerID(logout)
|
||||
IF other_sp
|
||||
lasso_logout_init_request(logout, other_sp, lassoHttpMethodRedirect)
|
||||
lasso_logout_build_request_msg(logout)
|
||||
REDIRECT TO LASSO_PROFILE(logout)->msg_url
|
||||
|
||||
|
||||
DISPLAY HTML PAGE
|
||||
<h1>OK</h1>
|
||||
|
||||
IdP
|
||||
/soapEndPoint (* normative, SOAP endpoint *)
|
||||
soap_msg # is the received SOAP message body
|
||||
request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
|
||||
|
||||
IF request_type IS lassoRequestTypeLogout
|
||||
logout = lasso_logout_new(server);
|
||||
lasso_logout_process_request_msg(logout, soap_msg);
|
||||
|
||||
# get identity and session from LASSO_PROFILE(logout)->nameIdentifier
|
||||
lasso_profile_set_identity_from_dump(LASSO_PROFILE(logout), identity_dump)
|
||||
lasso_profile_set_session_from_dump(LASSO_PROFILE(logout), session_dump)
|
||||
|
||||
lasso_logout_validate_request(logout)
|
||||
if error LASSO_LOGOUT_ERROR_UNSUPPORTED_PROFILE
|
||||
lasso_logout_build_request_msg(logout)
|
||||
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
|
||||
|
||||
# write down identity and session here
|
||||
|
||||
other_sp = lasso_logout_get_next_providerID(logout)
|
||||
|
||||
WHILE other_sp
|
||||
lasso_logout_init_request(logout, other_sp, lassoHttpMethodAny)
|
||||
lasso_logout_build_request_msg(logout)
|
||||
SOAP CALL
|
||||
TO LASSO_PROFILE(logout)->msg_url
|
||||
BODY LASSO_PROFILE(logout)->msg_body
|
||||
lasso_logout_process_response_msg(logout,
|
||||
soap_answer_message, lassoHttpMethodSoap)
|
||||
other_sp = lasso_logout_get_next_providerID(logout)
|
||||
|
||||
lasso_logout_build_response_msg(logout)
|
||||
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
|
||||
|
||||
SP
|
||||
/soapEndPoint (* normative, SOAP endpoint *)
|
||||
|
||||
soap_msg # is the received SOAP message body
|
||||
request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
|
||||
|
||||
IF request_type IS lassoRequestTypeLogout
|
||||
logout = lasso_logout_new(server);
|
||||
lasso_logout_process_request_msg(logout, soap_msg);
|
||||
|
||||
# sth to do with identity and session around here
|
||||
lasso_logout_validate_request(logout)
|
||||
|
||||
lasso_logout_build_response_msg(logout)
|
||||
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(logout)->msg_body
|
||||
|
||||
|
|
@ -0,0 +1,171 @@
|
|||
Single Sign On
|
||||
SP
|
||||
/login (* url not normative *)
|
||||
login = lasso_login_new(server)
|
||||
lasso_login_init_authn_request(login, method)
|
||||
# method = lassoHttpMethodRedirect or lassoHttpMethodPost
|
||||
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(login)->request)
|
||||
lasso_lib_authn_request_set_forceAuthn(request, TRUE)
|
||||
lasso_lib_authn_request_set_nameIDPolicy(request, policy)
|
||||
# policy is one of:
|
||||
# - lassoLibNameIDPolicyTypeFederated
|
||||
# - (...)
|
||||
lasso_lib_authn_request_set_consent(request, consent)
|
||||
# consent is one of:
|
||||
# - lassoLibConsentObtained
|
||||
lasso_lib_authn_request_set_relayState(request, relayState)
|
||||
# relayState is an optional value set by the SP
|
||||
lasso_login_build_authn_request_msg(login, idpProviderId)
|
||||
# if idpProviderId is NULL the first one defined in the metadata will be picked
|
||||
|
||||
IF lassoHttpMethodRedirect
|
||||
REDIRECT TO LASSO_PROFILE(login)->msg_url
|
||||
|
||||
IF lassoHttpMethodPost
|
||||
DISPLAY HTML FORM
|
||||
<form action="** LASSO_PROFILE(login)->msg_url **" method="post">
|
||||
<input type="hidden" name="LAREQ"
|
||||
value="** LASSO_PROFILE(login)->msg_body **"/>
|
||||
</form>
|
||||
|
||||
|
||||
IdP
|
||||
/singleSignOn (* normative, Single Sign On service URL *)
|
||||
login = lasso_login_new(server)
|
||||
lasso_profile_set_identity_from_dump(LASSO_PROFILE(login), identity_dump)
|
||||
# if identity_dump exists
|
||||
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump)
|
||||
# if session_dump exists
|
||||
IF METHOD IS GET
|
||||
authn_request_msg = /query string/
|
||||
IF METHOD IS POST
|
||||
authn_request_msg = /form submitted LAREQ field/
|
||||
lasso_login_init_from_authn_request_msg(login, authn_request_msg)
|
||||
|
||||
IF lasso_login_must_authenticate(login)
|
||||
# proceed to authentication
|
||||
# may serialize login object now: lasso_login_dump(login)
|
||||
|
||||
# (...)
|
||||
|
||||
# may be coming back from another function; another url
|
||||
# unserialize with lasso_login_new_from_dump(dump)
|
||||
userAuthenticated = TRUE
|
||||
|
||||
ELSE
|
||||
userAuthenticated = TRUE
|
||||
# or FALSE if it was not authenticated previously
|
||||
|
||||
authenticationMethod = lassoSamlAuthenticationMethodPassword
|
||||
# or lassoSamlAuthenticationMethodSoftwarePki or others
|
||||
# (see ...)
|
||||
# this is how the user has been authenticated
|
||||
|
||||
reauthenticationTime = "2004-04-01T00:00:00Z"
|
||||
# this is when the user will have to be reauthenticated
|
||||
|
||||
IF login->protocolProfile IS lassoLoginProtocolProfileBrwsArt
|
||||
lasso_login_build_artifact_msg(login, userAuthenticated,
|
||||
authenticationMethod, reauthenticationTime,
|
||||
lassoHttpMethodRedirect)
|
||||
|
||||
IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost
|
||||
lasso_login_build_authn_response_msg(login, userAuthenticated,
|
||||
authenticationMethod, reauthenticationTime)
|
||||
|
||||
# map LASSO_PROFILE(login)->nameIdentifier to user
|
||||
# (write this down in a database)
|
||||
|
||||
IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
|
||||
identity = lasso_profile_get_identity(LASSO_PROFILE(login))
|
||||
# save identity;
|
||||
# serialization with lasso_identity_dump(identity)
|
||||
|
||||
IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
|
||||
session = lasso_profile_get_session(LASSO_PROFILE(login))
|
||||
# save session;
|
||||
# serialization with lasso_session_dump(session)
|
||||
|
||||
|
||||
IF login->protocolProfile IS lassoLoginProtocolProfileBrwsArt
|
||||
assertion = lasso_login_get_assertion(login)
|
||||
# save assertion; mapped to login->assertionArtifact (|1|)
|
||||
# serialization with lasso_node_export(LASSO_NODE(assertion))
|
||||
# !!! LAME !!!
|
||||
|
||||
REDIRECT TO LASSO_PROFILE(login)->msg_url
|
||||
|
||||
IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost
|
||||
DISPLAY HTML FORM
|
||||
<form action="** LASSO_PROFILE(login)->msg_url **" method="post">
|
||||
<input type="hidden" name="LARES"
|
||||
value="** LASSO_PROFILE(login)->msg_body **"/>
|
||||
</form>
|
||||
|
||||
|
||||
SP
|
||||
/assertionConsumer (* normative, assertion consumer service URL *)
|
||||
login = lasso_login_new(server)
|
||||
IF METHOD IS GET OR SUBMITTED FORM HAS LAREQ FIELD
|
||||
IF METHOD IS GET
|
||||
authn_request_msg = /query string/
|
||||
relayState = /query string, RelayState var/
|
||||
method = lassoHttpMethodRedirect
|
||||
IF METHOD IS POST
|
||||
authn_request_msg = /form submitted LAREQ field/
|
||||
relayState = /form submitted RelayState field/
|
||||
method = lassoHttpMethodPost
|
||||
|
||||
lasso_login_init_request(login, authn_request_msg, method)
|
||||
lasso_login_build_request_msg(login)
|
||||
|
||||
SOAP CALL ---------------------------------------------------------\
|
||||
TO LASSO_PROFILE(login)->msg_url |
|
||||
BODY LASSO_PROFILE(login)->msg_body
|
||||
|
||||
lasso_login_process_response_msg(login, soap_answer_message)
|
||||
|
||||
ELSE IF SUBMITTED FORM HAS LARES FIELD
|
||||
response_msg = /form submitted LARED field/
|
||||
lasso_login_process_authn_response_msg(login, response_msg)
|
||||
relayState = LASSO_PROFILE(login)->msg_RelayState
|
||||
|
||||
nameIdentifier = LASSO_PROFILE(login)->nameIdentifier
|
||||
|
||||
IF known nameIdentifier
|
||||
# GET BACK identity_dump and session_dump
|
||||
lasso_profile_set_identity_from_dump(LASSO_PROFILE(login, identity_dump)
|
||||
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump)
|
||||
|
||||
lasso_login_accept_sso(login)
|
||||
|
||||
IF lasso_profile_is_identity_dirty(LASSO_PROFILE(login))
|
||||
identity = lasso_profile_get_identity(LASSO_PROFILE(login))
|
||||
# save identity;
|
||||
# serialization with lasso_identity_dump(identity)
|
||||
|
||||
IF lasso_profile_is_session_dirty(LASSO_PROFILE(login))
|
||||
session = lasso_profile_get_session(LASSO_PROFILE(login))
|
||||
# save session;
|
||||
# serialization with lasso_session_dump(session)
|
||||
|
||||
|
||||
REDIRECT anywhere
|
||||
|
||||
|
||||
IdP |
|
||||
/soapEndPoint (* normative, SOAP endpoint *) <----/
|
||||
soap_msg # is the received SOAP message body
|
||||
request_type = lasso_profile_get_request_type_from_soap_msg(soap_msg);
|
||||
|
||||
IF request_type IS lassoRequestTypeLogin
|
||||
login = lasso_login_new(server);
|
||||
lasso_login_process_request_msg(login, soap_msg);
|
||||
|
||||
# retrieve assertion_dump saved in (|1|) (and then delete it)
|
||||
lasso_login_set_assertion_from_dump(login, assertion_dump)
|
||||
|
||||
lasso_login_build_response_msg(login)
|
||||
|
||||
ANSWER SOAP REQUEST WITH: LASSO_PROFILE(login)->msg_body
|
||||
|
Loading…
Reference in New Issue