Add Single Logout endpoint

Author: adricasti

identity_provider.go

@@ -110,6 +110,7 @@ type IdentityProvider struct {
 	SignatureMethod         string
 	ValidDuration           *time.Duration
 	ResponseFormTemplate    *template.Template
+	SLOURL                  url.URL // SAML Single Logout URL
 }
 
 // Metadata returns the metadata structure for this identity provider.
@@ -186,6 +187,23 @@ func (idp *IdentityProvider) Metadata() *EntityDescriptor {
 		}
 	}
 
+	// Add Single Logout Service endpoints to IDPSSODescriptor
+	for i, idpSSODescriptor := range ed.IDPSSODescriptors {
+		if idp.SLOURL.String() != "" {
+			idpSSODescriptor.SingleLogoutServices = []Endpoint{
+				{
+					Binding:  HTTPRedirectBinding,
+					Location: idp.SLOURL.String(),
+				},
+				{
+					Binding:  HTTPPostBinding,
+					Location: idp.SLOURL.String(),
+				},
+			}
+			ed.IDPSSODescriptors[i] = idpSSODescriptor
+		}
+	}
+
 	return ed
 }
 

samlidp/samlidp.go

@@ -30,6 +30,7 @@ type Options struct {
 //
 //	/metadata     - the SAML metadata
 //	/sso          - the SAML endpoint to initiate an authentication flow
+//	/slo          - the SAML endpoint for single logout
 //	/login        - prompt for a username and password if no session established
 //	/login/:shortcut - kick off an IDP-initiated authentication flow
 //	/services     - RESTful interface to Service objects
@@ -54,6 +55,8 @@ func New(opts Options) (*Server, error) {
 	metadataURL.Path += "/metadata"
 	ssoURL := opts.URL
 	ssoURL.Path += "/sso"
+	sloURL := opts.URL
+	sloURL.Path += "/slo"
 	loginURL := opts.URL
 	loginURL.Path += "/login"
 	logr := opts.Logger
@@ -70,6 +73,7 @@ func New(opts Options) (*Server, error) {
 			Certificate: opts.Certificate,
 			MetadataURL: metadataURL,
 			SSOURL:      ssoURL,
+			SLOURL:      sloURL,
 			LoginURL:    loginURL,
 		},
 		logger:            logr,
@@ -102,6 +106,7 @@ func (s *Server) InitializeHTTP() {
 	mux.HandleFunc("/sso", func(w http.ResponseWriter, r *http.Request) {
 		s.IDP.ServeSSO(w, r)
 	})
+	mux.HandleFunc("/slo", s.HandleSLO)
 
 	mux.HandleFunc("/login", s.HandleLogin)
 	mux.HandleFunc("/login/{shortcut}", s.HandleIDPInitiated)

samlidp/session.go

@@ -201,3 +201,40 @@ func (s *Server) HandleDeleteSession(w http.ResponseWriter, r *http.Request) {
 	}
 	w.WriteHeader(http.StatusNoContent)
 }
+
+// HandleSLO handles the SAML Single Logout endpoint. It invalidates the user's session
+// and returns a simple confirmation page.
+func (s *Server) HandleSLO(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		s.logger.Printf("ERROR: Failed to parse form: %s", err)
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+
+	// Check for session cookie
+	sessionCookie, err := r.Cookie("session")
+	if err == nil {
+		// Delete the session
+		if err := s.Store.Delete(fmt.Sprintf("/sessions/%s", sessionCookie.Value)); err != nil {
+			if err != ErrNotFound {
+				s.logger.Printf("ERROR: Failed to delete session: %s", err)
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				return
+			}
+		}
+
+		// Clear the session cookie
+		http.SetCookie(w, &http.Cookie{
+			Name:     "session",
+			Value:    "",
+			MaxAge:   -1,
+			HttpOnly: true,
+			Secure:   r.URL.Scheme == "https",
+			Path:     "/",
+		})
+	}
+
+	// Return a simple logout confirmation page
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Write([]byte("<html><body><h1>Logout Successful</h1><p>You have been logged out.</p></body></html>"))
+}