32N/A<%--

32N/A DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

606N/A

851N/A Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

32N/A

32N/A The contents of this file are subject to the terms

32N/A of the Common Development and Distribution License

32N/A (the License). You may not use this file except in

32N/A compliance with the License.

32N/A

32N/A You can obtain a copy of the License at

32N/A https://opensso.dev.java.net/public/CDDLv1.0.html or

32N/A opensso/legal/CDDLv1.0.txt

32N/A See the License for the specific language governing

32N/A permission and limitations under the License.

32N/A

32N/A When distributing Covered Code, include this CDDL

32N/A Header Notice in each file and include the License file

32N/A at opensso/legal/CDDLv1.0.txt.

32N/A If applicable, add the following below the CDDL Header,

32N/A with the fields enclosed by brackets [] replaced by

32N/A your own identifying information:

32N/A "Portions Copyrighted [year] [name of copyright owner]"

32N/A

32N/A $Id: idpSingleLogoutInit.jsp,v 1.9 2009/10/15 00:00:41 exu Exp $

32N/A

32N/A Portions Copyrighted 2010-2013 ForgeRock AS

32N/A--%>

32N/A

32N/A

851N/A<%@ page import="com.iplanet.am.util.SystemProperties" %>

32N/A<%@ page import="com.sun.identity.plugin.session.SessionException" %>

32N/A<%@ page import="com.sun.identity.plugin.session.SessionManager" %>

32N/A<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>

493N/A<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>

32N/A<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>

32N/A<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>

851N/A<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>

32N/A<%@ page import="com.sun.identity.saml2.profile.IDPSingleLogout" %>

32N/A<%@ page import="com.sun.identity.saml2.profile.LogoutUtil" %>

606N/A<%@ page import="java.util.HashMap" %>

32N/A<%@ page import="org.owasp.esapi.ESAPI" %>

32N/A<%@ page import="java.io.PrintWriter" %>

32N/A

<%--

idpSingleLogoutInit.jsp

- initiates the LogoutRequest at the Identity Provider.

Required parameters to this jsp are :

- binding - binding used for this request

Some of the other optional parameters are :

"RelayState" - the target URL on successful Single Logout

"goto" - the target URL on successful Single Logout.

"RelayState" takes precedence to "goto" parameter.

"Destination" - A URI Reference indicating the address to

which the request has been sent.

"Consent" - Specifies a URI a SAML defined identifier

known as Consent Identifiers.

"Extension" - Specifies a list of Extensions as list of

String objects.

"logoutAll" - Specifies IDP sends slo request to SP without any session

index.

Check the SAML2 Documentation for supported parameters.

--%>

<%

// Retrieve the Request Query Parameters

// binding are the required query parameters

// binding - binding used for this request

try {

String relayState = request.getParameter(SAML2Constants.RELAY_STATE);

if ((relayState == null) || (relayState.length() == 0)) {

relayState = request.getParameter(SAML2Constants.GOTO);

}

if (!ESAPI.validator().isValidInput("HTTP Query String: " + relayState, relayState, "HTTPQueryString", 2000, true)) {

relayState = null;

}

Object ssoToken = null;

try {

ssoToken = SessionManager.getProvider().getSession(request);

} catch (SessionException e) {

String intermmediatePage = SystemProperties.get(

"openam.idpsloinit.nosession.intermmediate.page", "");

if ( intermmediatePage.length() != 0 ) {

if (relayState != null) {

intermmediatePage = intermmediatePage + "?RelayState=" + relayState;

}

response.sendRedirect(intermmediatePage);

} else {

if (relayState != null && SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.IDP_ROLE) &&

ESAPI.validator().isValidInput("HTTP URL Value: " + relayState, relayState, "URL", 2000, true)) {

response.sendRedirect(relayState);

} else {

%>

<jsp:forward

page="/saml2/jsp/default.jsp?message=idpSloSuccess" />

<%

}

}

return;

}

if (ssoToken == null) {

SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,

"nullSSOToken", SAML2Utils.bundle.getString("nullSSOToken"));

return;

}

String[] values = SessionManager.getProvider().

getProperty(ssoToken, SAML2Constants.IDP_META_ALIAS);

String metaAlias = null;

if (values != null && values.length > 0) {

metaAlias = values[0];

}

if (metaAlias == null) {

SessionManager.getProvider().invalidateSession(ssoToken, request, response);

if (relayState != null && SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.IDP_ROLE)) {

response.sendRedirect(relayState);

} else {

%>

<jsp:forward

page="/saml2/jsp/default.jsp?message=idpSloSuccess" />

<%

}

return;

}

String idpEntityID =

SAML2Utils.getSAML2MetaManager().getEntityByMetaAlias(metaAlias);

String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);

String binding = LogoutUtil.getSLOBindingInfo(request, metaAlias,

SAML2Constants.SP_ROLE, idpEntityID);

if (!SAML2Utils.isIDPProfileBindingSupported(

realm, idpEntityID, SAML2Constants.SLO_SERVICE, binding))

{

SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,

"unsupportedBinding",

SAML2Utils.bundle.getString("unsupportedBinding"));

return;

}

String logoutAll = request.getParameter(SAML2Constants.LOGOUT_ALL);

/**

* Parses the request parameters and builds the Logout

* Request to be sent to the SP.

*

* @param request the HttpServletRequest.

* @param response the HttpServletResponse.

* @param binding binding used for this request.

* @param paramsMap Map of all other parameters.

* Following parameters names with their respective

* String values are allowed in this paramsMap.

* "RelayState" - the target URL on successful Single Logout

* "Destination" - A URI Reference indicating the address to

* which the request has been sent.

* "Consent" - Specifies a URI a SAML defined identifier

* known as Consent Identifiers.

* "Extension" - Specifies a list of Extensions as list of

* String objects.

* @throws SAML2Exception if error initiating request to SP.

*/

HashMap paramsMap = new HashMap();

paramsMap.put("metaAlias", metaAlias);

paramsMap.put(SAML2Constants.ROLE, SAML2Constants.IDP_ROLE);

paramsMap.put(SAML2Constants.BINDING, binding);

paramsMap.put("Destination", request.getParameter("Destination"));

paramsMap.put("Consent", request.getParameter("Consent"));

paramsMap.put("Extension", request.getParameter("Extension"));

if (relayState != null) {

paramsMap.put(SAML2Constants.RELAY_STATE, relayState);

}

if (logoutAll != null) {

paramsMap.put(SAML2Constants.LOGOUT_ALL, logoutAll);

}

IDPSingleLogout.initiateLogoutRequest(request,response, new PrintWriter(out, true),

binding,paramsMap);

if (!response.isCommitted()) {

if (relayState != null && SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.IDP_ROLE)) {

response.sendRedirect(relayState);

} else {

%>

<jsp:forward

page="/saml2/jsp/default.jsp?message=idpSloSuccess" />

<%

}

}

} catch (SAML2Exception sse) {

SAML2Utils.debug.error("Error sending Logout Request " , sse);

SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,

"LogoutRequestProcessingError",

SAML2Utils.bundle.getString("LogoutRequestProcessingError") + " " +

sse.getMessage());

return;

} catch (Exception e) {

SAML2Utils.debug.error("Error processing Request ",e);

SAMLUtils.sendError(request, response, response.SC_BAD_REQUEST,

"LogoutRequestProcessingError",

SAML2Utils.bundle.getString("LogoutRequestProcessingError") + " " +

e.getMessage());

return;

}

%>