Validating SLO responses

[achingbrain]

I can generate a SLO request like this:

strategy.logout({
  ...
}, function createdLogoutUrl(error, requestUrl) {
  reply.redirect(requestUrl);
});

The user gets redirected to the SAML IdP which then redirects them back to the URL defined in the Location attribute of the SingleLogoutService element in the SP's metadata file, so far, so good, but the GET redirection from the IdP contains a SAMLResponse as part of the query string.

I can see there's a validatePostResponse method on the SAML class - how would I go about validating a GET response?

[ploer]

I'm afraid the logout functionality was added by a different maintainer, and I'm not too familiar with it (don't use it myself).

But I think the answer is that this library doesn't support validating that response.

If you can help me understand your use case (what you are looking to validate in that response), I'm happy to help brainstorm on how the library might be adapted to support it.

[achingbrain]

The log out response from ADFS looks a lot like the login response (in that it has has SAMLResponse, Signature and SigAlg properties) only they are delivered via a GET instead of a POST.

The SAMLResponse is a base64 encoded string that once turned into a Buffer needs to be run through zlib.inflateRaw. After inflation is looks something like this (this one is from ADFS):

<samlp:LogoutResponse 
  ID="_599ba260b0f1d969" Version="2.0" 
  IssueInstant="2015-05-26T08:52:12.648Z" 
  Destination="https://service.provider.address/logout" 
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" 
  InResponseTo="_e8b728d55ef3db403a48" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://path.to.identity.provider/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
</samlp:LogoutResponse>

/LogoutResponse[@Destination] is the value you provide in the metadata file for /EntityDescriptor/SPSSODescriptor/SingleLogoutService[@Location] and is where the user is redirected to after logging out.

/LogoutResponse/Status/StatusCode[@Value] determines whether the request succeeded - the possible values are documented as:

Status code	Description
urn:oasis:names:tc:SAML:2.0:status:Success	The request succeeded.
urn:oasis:names:tc:SAML:2.0:status:Requester	The request could not be performed due to an error on the part of the requester.
urn:oasis:names:tc:SAML:2.0:status:Responder	The request could not be performed due to an error on the part of the SAML responder or SAML authority.
urn:oasis:names:tc:SAML:2.0:status:VersionMismatch	The SAML responder could not process the request because the version of the request message was incorrect.

[sibelius]

@achingbrain where should I put SingleLogoutService and Location ?

is this already in this package?