auth/shibboleth/logout.php

   1 <?php
   2
   3 // Implements logout for Shibboleth authenticated users according to:
   4 // - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator
   5 // - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPNotify
   6
   7 require_once("../../config.php");
   8
   9 require_once($CFG->dirroot."/auth/shibboleth/auth.php");
  10
  11 $action = optional_param('action', '', PARAM_ALPHA);
  12 $redirect = optional_param('return', '', PARAM_URL);
  13
  14 // Find out whether host supports https
  15 $protocol = 'http://';
  16 if (is_https()) {
  17     $protocol = 'https://';
  18 }
  19
  20 // If the shibboleth plugin is not enable, throw an exception.
  21 if (!is_enabled_auth('shibboleth')) {
  22     throw new moodle_exception(get_string('pluginnotenabled', 'auth', 'shibboleth'));
  23 }
  24
  25 // Front channel logout.
  26 $inputstream = file_get_contents("php://input");
  27 if ($action == 'logout' && !empty($redirect)) {
  28
  29     if (isloggedin($USER) && $USER->auth == 'shibboleth') {
  30         // Logout user from application.
  31         require_logout();
  32     }
  33
  34     // Finally, send user to the return URL.
  35     redirect($redirect);
  36
  37 } else if (!empty($inputstream)) {
  38
  39     // Back channel logout.
  40     // Set SOAP header.
  41     $server = new SoapServer($protocol.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'/LogoutNotification.wsdl');
  42     $server->addFunction("LogoutNotification");
  43     $server->handle();
  44
  45 } else {
  46
  47     // Return WSDL.
  48     header('Content-Type: text/xml');
  49
  50     echo <<<WSDL
  51 <?xml version ="1.0" encoding ="UTF-8" ?>
  52 <definitions name="LogoutNotification"
  53   targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
  54   xmlns:notify="urn:mace:shibboleth:2.0:sp:notify"
  55   xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  56   xmlns="http://schemas.xmlsoap.org/wsdl/">
  57
  58 <!--
  59 This page either has to be called with the GET arguments 'action' and 'return' via
  60 a redirect from the Shibboleth Service Provider logout handler (front-channel
  61 logout) or via a SOAP request by a Shibboleth Service Provider (back-channel
  62 logout).
  63 Because neither of these two variants seems to be the case, the WSDL file for
  64 the web service is returned.
  65
  66 For more information see:
  67 - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLogoutInitiator
  68 - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPNotify
  69 -->
  70
  71     <types>
  72        <schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
  73            xmlns="http://www.w3.org/2000/10/XMLSchema"
  74            xmlns:notify="urn:mace:shibboleth:2.0:sp:notify">
  75
  76             <simpleType name="string">
  77                 <restriction base="string">
  78                     <minLength value="1"/>
  79                 </restriction>
  80             </simpleType>
  81
  82             <element name="OK" type="notify:OKType"/>
  83             <complexType name="OKType">
  84                 <sequence/>
  85             </complexType>
  86
  87         </schema>
  88     </types>
  89
  90     <message name="getLogoutNotificationRequest">
  91         <part name="SessionID" type="notify:string" />
  92     </message>
  93
  94     <message name="getLogoutNotificationResponse" >
  95         <part name="OK"/>
  96     </message>
  97
  98     <portType name="LogoutNotificationPortType">
  99         <operation name="LogoutNotification">
 100             <input message="getLogoutNotificationRequest"/>
 101             <output message="getLogoutNotificationResponse"/>
 102         </operation>
 103     </portType>
 104
 105     <binding name="LogoutNotificationBinding" type="notify:LogoutNotificationPortType">
 106         <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
 107         <operation name="LogoutNotification">
 108             <soap:operation soapAction="urn:xmethods-logout-notification#LogoutNotification"/>
 109         </operation>
 110     </binding>
 111
 112     <service name="LogoutNotificationService">
 113           <port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding">
 114             <soap:address location="{$protocol}{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}"/>
 115           </port>
 116     </service>
 117 </definitions>
 118 WSDL;
 119     exit;
 120 }
 121 /******************************************************************************/
 122
 123 /**
 124  * Handles SOAP Back-channel logout notification
 125  *
 126  * @param string $spsessionid SP-provided Shibboleth Session ID
 127  * @return SoapFault or void if everything was fine
 128  */
 129 function LogoutNotification($spsessionid) {
 130     $sessionclass = \core\session\manager::get_handler_class();
 131     switch ($sessionclass) {
 132         case '\core\session\file':
 133             return \auth_shibboleth\helper::logout_file_session($spsessionid);
 134         case '\core\session\database':
 135             return \auth_shibboleth\helper::logout_db_session($spsessionid);
 136         default:
 137             throw new moodle_exception("Shibboleth logout not implemented for '$sessionclass'");
 138     }
 139     // If no SoapFault was thrown, the function will return OK as the SP assumes.
 140 }