added standard SAML logout method using metadata

2017-12-05 00:14:31 +01:00 · 2017-12-05 00:14:31 +01:00 · 60086d5d15
parent 049a8a4547
commit 60086d5d15
2 changed files with 33 additions and 8 deletions
--- a/app/views.py
+++ b/app/views.py
@ -380,18 +380,38 @@ def login():
            error = e.message['desc'] if 'desc' in e.message else e
            return render_template('register.html', error=error)

-@app.route('/logout')
-def logout():
+def clear_session():
    session.pop('user_id', None)
    session.pop('github_token', None)
    session.pop('google_token', None)
    session.clear()
    logout_user()
-    if app.config.get('SAML_LOGOUT_REDIRECT'):
-	return redirect(app.config.get('SAML_LOGOUT_REDIRECT'))
-    else:
-    	return redirect(url_for('login'))

+@app.route('/logout')
+def logout():
+    if app.config.get('SAML_ENABLED') and session['samlSessionIndex'] and app.config.get('SAML_LOGOUT'):
+        req = utils.prepare_flask_request(request)
+        auth = utils.init_saml_auth(req)
+        if app.config.get('SAML_LOGOUT_URL'):
+            return auth.logout(redirect_url = app.config.get('SAML_LOGOUT_URL'))
+        return auth.logout()
+    clear_session()
+    redirect_url = url_for('login')
+    return redirect(url_for('login'))
+
+@app.route('/saml/sls')
+def saml_logout():
+    req = utils.prepare_flask_request(request)
+    auth = utils.init_saml_auth(req)
+    url = auth.process_slo(delete_session_cb=clear_session())
+    errors = auth.get_errors()
+    if len(errors) == 0:
+        if url is not None:
+            return redirect(url)
+        else:
+            return redirect(url_for('index'))
+    else:
+        return render_template('errors/SAML.html', errors=errors)

@app.route('/dashboard', methods=['GET', 'POST'])
@login_required
--- a/config_template.py
+++ b/config_template.py
@ -92,8 +92,13 @@ SAML_METADATA_CACHE_LIFETIME = 1
 SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
 SAML_SP_CONTACT_NAME = '<contact name>'
 SAML_SP_CONTACT_MAIL = '<contact mail>'
-## uncomment to redirect to the given URL on logout
-# SAML_LOGOUT_REDIRECT = 'https://<idp>/logout'
+#Use SAML standard logout mechanism retreived from idp metadata
+#If configured false don't care about SAML session on logout.
+#Logout from PowerDNS-Admin only and keep SAML session authenticated.
+SAML_LOGOUT = False
+#Configure to redirect to a different url then PowerDNS-Admin login after SAML logout
+#for example redirect to google.com after successful saml logout
+#SAML_LOGOUT_URL = 'https://google.com'

 #Default Auth
 BASIC_ENABLED = True