FEATURE: single logout only triggered if idpSLORedirectURL is set.

9 years ago · 900bea5d17
parent 7abb2d843e
commit 900bea5d17
2 changed files with 51 additions and 13 deletions
--- a/packages/meteor-accounts-saml/saml_client.js
+++ b/packages/meteor-accounts-saml/saml_client.js
@ -6,19 +6,22 @@ if (!Accounts.saml) {

 // Override the standard logout behaviour.
 //
-// If we find a saml_provider in our session, we will initiate logout
-// from rocketchat via saml.
+// If we find a samlProvider in our session, and we are using single
+// logout we will initiate logout from rocketchat via saml.

-var originalLogout = Meteor.logout;
+var MeteorLogout = Meteor.logout;

 Meteor.logout = function() {
-	var provider = Session.get('saml_provider');
+	var provider = Session.get('samlProvider'),
+			usingSingleLogout = Session.get('usingSingleLogout');
 	if (provider) {
-		Session.set('saml_provider', false);
-		return Meteor.logoutWithSaml({ provider: provider });
-	} else {
-		return originalLogout.apply(Meteor, arguments);
+		Session.set('samlProvider', false);
+		Session.set('usingSingleLogout', false);
+		if (usingSingleLogout) {
+			return Meteor.logoutWithSaml({ provider: provider });
+		}
 	}
+	return MeteorLogout.apply(Meteor, arguments);
 };

 var openCenteredPopup = function(url, width, height) {
@ -91,8 +94,9 @@ Accounts.saml.initiateLogin = function(options, callback, dimensions) {
 	}, 100);
 };

+
 Meteor.loginWithSaml = function(options, callback) {
-	Session.set('saml_provider', options.provider);
+	Session.set('samlProvider', options.provider);
 	options = options || {};
 	var credentialToken = Random.id();
 	options.credentialToken = credentialToken;
@ -106,6 +110,15 @@ Meteor.loginWithSaml = function(options, callback) {
 			userCallback: callback
 		});
 	});
+
+	// Record if we are doing single logout with the idp.
+
+	Meteor.call('usingSingleLogout', options.provider, function (err, res) {
+		if (! err) {
+			Session.set('usingSingleLogout', res);
+		}
+		console.log('usingSingleLogout', res);
+	});
 };

 Meteor.logoutWithSaml = function(options/*, callback*/) {
--- a/packages/meteor-accounts-saml/saml_server.js
+++ b/packages/meteor-accounts-saml/saml_server.js
@ -15,16 +15,41 @@ var fiber = Npm.require('fibers');
 var connect = Npm.require('connect');
 RoutePolicy.declare('/_saml/', 'network');

+/**
+ * Fetch SAML provider configs for given 'provider'.
+ */
+function getSamlProviderConfig(provider) {
+	if (! provider) {
+		throw new Meteor.Error('no-saml-provider',
+													 'SAML internal error',
+													 { method: 'getSamlProviderConfig' });
+	}
+	var samlProvider = function(element) {
+		return (element.provider === provider);
+	};
+	return Accounts.saml.settings.providers.filter(samlProvider)[0];
+}
+
 Meteor.methods({
+
+	/**
+	 * Return true if the saml provider is configured to use single logout.
+	 *
+	 * Single logout will be applied if idpSLORedirectURL has been set.
+	 */
+	usingSingleLogout: function(provider) {
+		var providerConfig = getSamlProviderConfig(provider);
+		if (!providerConfig) return false;
+		if (providerConfig.idpSLORedirectURL) return true;
+		return false;
+	},
+
 	samlLogout: function(provider) {
 		// Make sure the user is logged in before initiate SAML SLO
 		if (!Meteor.userId()) {
 			throw new Meteor.Error('error-invalid-user', 'Invalid user', { method: 'samlLogout' });
 		}
-		var samlProvider = function(element) {
-			return (element.provider === provider);
-		};
-		var providerConfig = Accounts.saml.settings.providers.filter(samlProvider)[0];
+		var providerConfig = getSamlProviderConfig(provider);

 		if (Accounts.saml.settings.debug) {
 			console.log('Logout request from ' + JSON.stringify(providerConfig));