Single Log Out with OpenSAML
To logout an user from the SP an LogoutRequest is sent. The data needed about the user is the SessionIndex and NameID from the data recived at login. I my case in the Assertion in the Artifact Resolve Response.
//IPR Ergogroup AS public static void doSynchronousLogout(final HttpSession sessionToLogout, final SAMLMetaData metaData) throws SOAPException, SecurityException, ValidationException, IllegalArgumentException, java.lang.SecurityException, IllegalAccessException, MarshallingException, SignatureException { NameID nameId = (NameID)sessionToLogout.getAttribute("SAMLNameID"); String sessionIndex = (String)sessionToLogout.getAttribute("SAMLSessionIndex"); Body body = buildSAMLObjectWithDefaultName(Body.class); LogoutRequest logoutRequest = genererateLogoutRequest(nameId, sessionIndex, metaData); signLogoutRequest(logoutRequest); body.getUnknownXMLObjects().add(logoutRequest); nameId.detach(); Envelope envelope = buildSAMLObjectWithDefaultName(Envelope.class); envelope.setBody(body); SAMLUtil.logSAMLObject(envelope); BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext(); soapContext.setOutboundMessage(envelope); HttpClientBuilder clientBuilder = new HttpClientBuilder(); HttpSOAPClient soapClient = new HttpSOAPClient(clientBuilder.buildClient(), new BasicParserPool()); String sloServiceURL = null; for (SingleLogoutService sls : metaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) { if (sls.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) { sloServiceURL = sls.getLocation(); } } soapClient.send(sloServiceURL, soapContext); Envelope soapResponse = (Envelope)soapContext.getInboundMessage(); SAMLUtil.logSAMLObject(soapResponse); validateSLOResponse(soapResponse, logoutRequest.getID()); verifySLOResponseSignature(soapResponse); processSLOResponse(soapResponse); } private static LogoutRequest genererateLogoutRequest(final NameID nameId, final String sessionIndex, final SAMLMetaData metaData) throws IllegalArgumentException, java.lang.SecurityException, IllegalAccessException { LogoutRequest logoutRequest = buildSAMLObjectWithDefaultName(LogoutRequest.class); logoutRequest.setID(SAMLUtil.getSecureRandomIdentifier()); for (SingleLogoutService sls : metaData.getIdpEntityDescriptor().getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleLogoutServices()) { if (sls.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) { logoutRequest.setDestination(sls.getLocation()); } } logoutRequest.setIssueInstant(new DateTime()); Issuer issuer = buildSAMLObjectWithDefaultName(Issuer.class); issuer.setValue(EvoteProperties.getProperty("SPEntityId")); logoutRequest.setIssuer(issuer); SessionIndex sessionIndexElement = buildSAMLObjectWithDefaultName(SessionIndex.class); sessionIndexElement.setSessionIndex(sessionIndex); logoutRequest.getSessionIndexes().add(sessionIndexElement); logoutRequest.setNameID(nameId); return logoutRequest; }
LogoutRequest sent:
my-alias Sn7qX8Yf4Pcs6SLl4Yn0NyEx6P0= cE3wgjeM+45uk/XVNQl+1NZKeRwRzFnJN9xaL/36vnXqu6eLBqs8eqdQ2a+yY9UkZz0gU1NrTqUMQgIANw1WfkL2a+sxQqqu2p4ggXKNwHiMWbyfPEUkxQM4wSwr3ECObjyVqrgPDA+4TiDyqPj2NBtZGo8WU3fvpOGQkQN19f0= MIIBrzCCARigAwIBAgIETTWluTANBgkqhkiG9w0BAQUFADAcMRowGAYDVQQDExFzdGVyYXMuZXZh bGcuZXJnbzAeFw0xMTAxMTgxNDM3NDVaFw0yMTAxMTUxNDM3NDVaMBwxGjAYBgNVBAMTEXN0ZXJh cy5ldmFsZy5lcmdvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCy96UiOiuQcDQMVNorHKWC u8lAqHCpdgL8SEKsBven1e9Bek5VSspQdyh8Q/t8hmISZq0oEEvtcbZivV1hGQKQIWjTU/utSxGl ZDbPNweuxNH6JHiNzDSzbNiMkdBJcy/Szfdx8HGpbnpXrpU+ICNnQl5Ee2V48hlkcH7jwlCMzwID AQABMA0GCSqGSIb3DQEBBQUAA4GBABxQKfXHtomdAlXd+umpCyUUOgcs5shu4HHXr9m48H+YPCXs kLwqzDe49WWaX9h7cLClVsHviAccno52Pj7mQfjKgvg1J3JHhTLINTrbgZ1e7mNtiJ9Lez2awbIt v7RKU+R2AyiU6wHsjPGN+CQuiT9lZNWQMOih1R+yHT04kkl8 puEYi51x6aylfgXbBJTLSTTxOqck s2ce6f528812bbf545358af381cc864c575e9cb901
This is the resulting LogoutResponse in my case:
idp-alias CDFFLlD2FX8fjlPJLKpJZRusnx0= cKgVEfLR48x7urpH+TV+V1gHYnVhc/ErkMhwp17rjAMfjHKHk0EPgH2+aOV7Z83udbfr0RPKF5Zd Mg0zq1KIm29RsqUsUYNKKNiYPlEkBIoHPcc2AhftpA/VNRjea7q2W9+y6XV2YWjzGnArrfflv1KM 1t5C89Vz/VB0jQdJvMU= Request is done successfully