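<?php

// Implements logout for Shibboleth authenticated users according to:
// - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator
// - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPNotify
//
// The script serves three cases, decided in this order:
//  1. Front-channel logout: a request carrying action=logout and a non-empty
//     return URL, sent through the browser by the SP logout handler.
//  2. Back-channel logout: any request with a non-empty body is handed to a
//     SoapServer exposing LogoutNotification().
//  3. Otherwise the WSDL describing the back-channel service is returned.

require_once("../../config.php");
require_once($CFG->dirroot."/auth/shibboleth/auth.php");

$action = optional_param('action', '', PARAM_ALPHA);
$redirect = optional_param('return', '', PARAM_URL);

// If the shibboleth plugin is not enabled, throw an exception.
if (!is_enabled_auth('shibboleth')) {
    throw new moodle_exception(get_string('pluginnotenabled', 'auth', 'shibboleth'));
}

// Absolute URL of this script. Built from $CFG->wwwroot instead of
// $_SERVER['HTTP_HOST'] and $_SERVER['PHP_SELF']: both of those come from the
// request, so a forged Host header would otherwise decide where the SoapServer
// fetches its WSDL from, and trailing path info would be echoed unescaped into
// the XML returned below.
$logouturl = $CFG->wwwroot . '/auth/shibboleth/logout.php';

$inputstream = file_get_contents("php://input");
if ($action === 'logout' && !empty($redirect)) {

    // Front channel logout.
    if (isloggedin($USER) && $USER->auth === 'shibboleth') {
        // Logout user from application.
        require_logout();
    }

    // Finally, send user to the return URL.
    // NOTE(review): $redirect is taken verbatim from the request and is only
    // checked for URL syntax (PARAM_URL), so this is an open-redirect sink.
    // The SP is expected to pass its own logout handler here; confirm whether
    // restricting the target to that host is acceptable for this deployment.
    redirect($redirect);

} else if (!empty($inputstream)) {

    // Back channel logout.
    // NOTE(review): nothing here verifies that the SOAP caller is the SP;
    // limiting who can reach this endpoint is left to the web server / network.
    $server = new SoapServer($logouturl . '/LogoutNotification.wsdl');
    $server->addFunction("LogoutNotification");
    $server->handle();

} else {

    // Return WSDL.
    header('Content-Type: text/xml');

    // Escaped for the XML attribute context it is written into. The value comes
    // from configuration, not the request, but escaping keeps the document
    // well-formed whatever wwwroot contains.
    $soapaddress = htmlspecialchars($logouturl, ENT_QUOTES | ENT_XML1, 'UTF-8');

    echo <<<WSDL
<?xml version ="1.0" encoding ="UTF-8" ?>
<definitions name="LogoutNotification"
targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/">

<!--
This page either has to be called with the GET arguments 'action' and 'return' via
a redirect from the Shibboleth Service Provider logout handler (front-channel
logout) or via a SOAP request by a Shibboleth Service Provider (back-channel
logout).
Because neither of these two variants seems to be the case, the WSDL file for
the web service is returned.

For more information see:
- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator
- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPNotify
-->

<types>
<schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns="http://www.w3.org/2000/10/XMLSchema"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify">

<simpleType name="string">
<restriction base="string">
<minLength value="1"/>
</restriction>
</simpleType>

<element name="OK" type="notify:OKType"/>
<complexType name="OKType">
<sequence/>
</complexType>

</schema>
</types>

<message name="getLogoutNotificationRequest">
<part name="SessionID" type="notify:string" />
</message>

<message name="getLogoutNotificationResponse" >
<part name="OK"/>
</message>

<portType name="LogoutNotificationPortType">
<operation name="LogoutNotification">
<input message="getLogoutNotificationRequest"/>
<output message="getLogoutNotificationResponse"/>
</operation>
</portType>

<binding name="LogoutNotificationBinding" type="notify:LogoutNotificationPortType">
<soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
<operation name="LogoutNotification">
<soap:operation soapAction="urn:xmethods-logout-notification#LogoutNotification"/>
</operation>
</binding>

<service name="LogoutNotificationService">
<port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding">
<soap:address location="{$soapaddress}"/>
</port>
</service>
</definitions>
WSDL;
    exit;
}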
/******************************************************************************/
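/**
 * Handles a SOAP back-channel LogoutNotification from the Shibboleth SP.
 *
 * Dispatches on the session handler class Moodle is configured with, so the
 * session matching the SP session id is removed from the right store. The
 * class name is compared with its leading backslash stripped, because the
 * defaults carry one ('\core\session\file') while a manually configured
 * override or a ::class constant may not.
 *
 * @param string $spsessionid SP-provided Shibboleth Session ID
 * @return mixed whatever the selected helper returns: a SoapFault on failure
 *               (per the original notes), nothing on success, which the SP
 *               reads as OK
 * @throws moodle_exception if no helper exists for the configured handler class
 */
function LogoutNotification($spsessionid) {
    $sessionclass = \core\session\manager::get_handler_class();
    $handler = ltrim($sessionclass, '\\');

    if ($handler === \core\session\file::class) {
        return \auth_shibboleth\helper::logout_file_session($spsessionid);
    }
    if ($handler === \core\session\database::class) {
        return \auth_shibboleth\helper::logout_db_session($spsessionid);
    }

    // Unknown store: the SP would otherwise assume the session was removed.
    throw new moodle_exception("Shibboleth logout not implemented for '$sessionclass'");
}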