<%--
 DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

 Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved

 The contents of this file are subject to the terms
 of the Common Development and Distribution License
 (the License). You may not use this file except in
 compliance with the License.

 You can obtain a copy of the License at
 https://opensso.dev.java.net/public/CDDLv1.0.html or
 opensso/legal/CDDLv1.0.txt
 See the License for the specific language governing
 permission and limitations under the License.

 When distributing Covered Code, include this CDDL
 Header Notice in each file and include the License file
 at opensso/legal/CDDLv1.0.txt.
 If applicable, add the following below the CDDL Header,
 with the fields enclosed by brackets [] replaced by
 your own identifying information:
 "Portions Copyrighted [year] [name of copyright owner]"

 $Id: spSingleLogoutInit.jsp,v 1.13 2009/10/15 00:01:11 exu Exp $

--%>
<%--
 Portions Copyrighted 2012-2014 ForgeRock AS
--%>
<%@ page import="com.sun.identity.plugin.session.SessionException" %>
<%@ page import="com.sun.identity.plugin.session.SessionManager" %>
<%@ page import="com.sun.identity.saml.common.SAMLUtils" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Constants" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Exception" %>
<%@ page import="com.sun.identity.saml2.common.SAML2Utils" %>
<%@ page import="com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement" %>
<%@ page import="com.sun.identity.saml2.meta.SAML2MetaManager" %>
<%@ page import="com.sun.identity.saml2.meta.SAML2MetaUtils" %>
<%@ page import="com.sun.identity.saml2.profile.LogoutUtil" %>
<%@ page import="com.sun.identity.saml2.profile.SPCache" %>
<%@ page import="com.sun.identity.saml2.profile.SPSingleLogout" %>
<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.List" %>
<%@ page import="java.util.Map" %>
<%@ page import="org.owasp.esapi.ESAPI" %>
<%--
 spSingleLogoutInit.jsp
 - initiates the LogoutRequest at the Service Provider.

 Required parameters to this jsp are :
 "binding" - binding used for this request
 "NameIDValue" - NameID value for the user. Required in fedlet case.
 "SessionIndex" - the session with this sessionIndex is the one to be
 single logged out. Required in fedlet case.
 "idpEntityID" - Identifier for the identity provider. Required in fedlet case.
 If binding is not set, this parameter is used to find the
 default binding.

 Some of the other optional parameters are :
 "RelayState" - the target URL on successful Single Logout
 "goto" - the target URL on successful Single Logout.
 "RelayState" takes precedence over the "goto" parameter.
 "Destination" - A URI Reference indicating the address to
 which the request has been sent.
 "Consent" - Specifies a URI, a SAML-defined identifier
 known as a Consent Identifier.
 "Extension" - Specifies a list of Extensions as a list of
 String objects.
 "spEntityID" - Fedlet's entity ID. Used in fedlet case. When it is missing,
 the first SP from the metadata is used.
 Check the SAML2 Documentation for supported parameters.
--%>
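<%
    // Resolve the post-logout target. "RelayState" takes precedence over "goto";
    // both are caller-supplied, so the value is kept only if it passes the ESAPI
    // HTTPQueryString rule. Every sendRedirect() below additionally checks it
    // against the SP relay-state rules and the ESAPI URL rule.
    try {
        String relayState = request.getParameter(SAML2Constants.RELAY_STATE);
        if (relayState == null || relayState.isEmpty()) {
            relayState = request.getParameter(SAML2Constants.GOTO);
        }
        if (!ESAPI.validator().isValidInput("RelayState", relayState, "HTTPQueryString", 2000, true)) {
            relayState = null;
        }

        // Local session, if any. A missing session is not an error here; the
        // non-fedlet branch below answers it with HTTP 200.
        Object ssoToken = null;
        try {
            ssoToken = SessionManager.getProvider().getSession(request);
        } catch (SessionException se) {
            if (SAML2Utils.debug.messageEnabled()) {
                SAML2Utils.debug.message("No session.");
            }
            ssoToken = null;
        }

        // Locate the hosted SP: from the session's SP meta alias in the normal
        // case, or from "spEntityID" / the first hosted SP in the fedlet case.
        String metaAlias = null;
        String spEntityID = null;
        SAML2MetaManager manager = new SAML2MetaManager();
        if (!SPCache.isFedlet) {
            if (ssoToken == null) {
                // There is no local session, so we can't perform the logout on the
                // IdP; just return with HTTP 200. Redirect only to a non-empty,
                // validated relay state (an empty string would redirect back here).
                if (relayState != null && !relayState.isEmpty()
                        && SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.SP_ROLE)
                        && ESAPI.validator().isValidInput("RelayState", relayState, "URL", 2000, true)) {
                    response.sendRedirect(relayState);
                } else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
                }
                return;
            }
            String[] values = SessionManager.getProvider()
                    .getProperty(ssoToken, SAML2Constants.SP_METAALIAS);
            if (values != null && values.length > 0) {
                metaAlias = values[0];
            }
        } else {
            spEntityID = request.getParameter("spEntityID");
            if (spEntityID == null || spEntityID.isEmpty()) {
                List spMetaAliases = manager.getAllHostedServiceProviderMetaAliases("/");
                if (spMetaAliases != null && !spMetaAliases.isEmpty()) {
                    // No entity ID given: fall back to the first hosted SP.
                    metaAlias = (String) spMetaAliases.get(0);
                }
            } else {
                SPSSOConfigElement spConfig = manager.getSPSSOConfig("/", spEntityID);
                if (spConfig != null) {
                    metaAlias = spConfig.getMetaAlias();
                }
            }
        }

        if (metaAlias == null) {
            // No SP to send a LogoutRequest from: end the local session (best
            // effort) and report success.
            try {
                SessionManager.getProvider().invalidateSession(ssoToken, request, response);
            } catch (SessionException se) {
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("No session.");
                }
            }
            // Same non-empty guard as above: checking only for null let an
            // empty "goto" reach sendRedirect("").
            if (relayState != null && !relayState.isEmpty()
                    && SAML2Utils.isRelayStateURLValid(request, relayState, SAML2Constants.SP_ROLE)
                    && ESAPI.validator().isValidInput("RelayState", relayState, "URL", 2000, true)) {
                response.sendRedirect(relayState);
            } else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
            }
            return;
        }

        String idpEntityID = request.getParameter("idpEntityID");
        // Per the header comment, idpEntityID is used to find the default
        // binding when "binding" is not given.
        String binding = LogoutUtil.getSLOBindingInfo(request, metaAlias,
                SAML2Constants.SP_ROLE, idpEntityID);
        if (spEntityID == null) {
            spEntityID = manager.getEntityByMetaAlias(metaAlias);
        }
        String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);

        // Parameters for SPSingleLogout.initiateLogoutRequest(). Keys used here:
        // "metaAlias", "idpEntityID", role, binding, "RelayState", "Destination",
        // "Consent" and "Extension"; the fedlet case additionally sets
        // "SessionIndex" and "infoKey" (spEntityID|idpEntityID|NameIDValue).
        Map paramsMap = new HashMap();
        if (SPCache.isFedlet) {
            String sessionIndex = request.getParameter("SessionIndex");
            if (sessionIndex == null || sessionIndex.isEmpty()) {
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "nullSessionIndex",
                        SAML2Utils.bundle.getString("nullSessionIndex"));
                return;
            }
            paramsMap.put("SessionIndex", sessionIndex);

            String nameID = request.getParameter("NameIDValue");
            if (nameID == null || nameID.isEmpty()) {
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "nullNameID",
                        SAML2Utils.bundle.getString("nullNameID"));
                return;
            }
            if (idpEntityID == null) {
                SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                        "nullIDPEntityID",
                        SAML2Utils.bundle.getString("nullIDPEntityID"));
                return;
            }
            // spEntityID was already resolved from metaAlias above.
            paramsMap.put("infoKey", spEntityID + "|" + idpEntityID + "|" + nameID);
        }
        paramsMap.put("metaAlias", metaAlias);
        paramsMap.put("idpEntityID", idpEntityID);
        paramsMap.put(SAML2Constants.ROLE, SAML2Constants.SP_ROLE);
        paramsMap.put(SAML2Constants.BINDING, binding);
        paramsMap.put("Destination", request.getParameter("Destination"));
        paramsMap.put("Consent", request.getParameter("Consent"));
        paramsMap.put("Extension", request.getParameter("Extension"));
        if (relayState == null || relayState.isEmpty()) {
            // No caller-supplied target: use the SP's configured default, if any.
            relayState = SAML2Utils.getAttributeValueFromSSOConfig(
                    realm, spEntityID, SAML2Constants.SP_ROLE,
                    SAML2Constants.DEFAULT_RELAY_STATE);
        }
        if (relayState != null) {
            paramsMap.put(SAML2Constants.RELAY_STATE, relayState);
        }

        SPSingleLogout.initiateLogoutRequest(request, response, binding, paramsMap);

        // Only the SOAP binding completes the user's response here; presumably
        // the other bindings respond inside initiateLogoutRequest() -- confirm.
        if (binding.equalsIgnoreCase(SAML2Constants.SOAP)) {
            if (relayState != null && !relayState.isEmpty()
                    && SAML2Utils.isRelayStateURLValid(metaAlias, relayState, SAML2Constants.SP_ROLE)
                    && ESAPI.validator().isValidInput("RelayState", relayState, "URL", 2000, true)) {
                response.sendRedirect(relayState);
            } else {
%>
<jsp:forward page="/saml2/jsp/default.jsp?message=spSloSuccess"/>
<%
            }
        }
    } catch (SAML2Exception sse) {
        SAML2Utils.debug.error("Error sending Logout Request ", sse);
        // NOTE(review): the exception message is echoed to the client below;
        // keep it free of internal detail or switch to a generic message.
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                "LogoutRequestCreationError",
                SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " +
                sse.getMessage());
        return;
    } catch (Exception e) {
        // Boundary catch: any other failure becomes a 400 with the generic
        // LogoutRequestCreationError text.
        SAML2Utils.debug.error("Error initializing Request ", e);
        SAMLUtils.sendError(request, response, HttpServletResponse.SC_BAD_REQUEST,
                "LogoutRequestCreationError",
                SAML2Utils.bundle.getString("LogoutRequestCreationError") + " " +
                e.getMessage());
        return;
    }
%>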