idp/saml2: do not accept logout request missing a NameID (fixes #24214)
Lasso should fail in process_logout_request() but does not, so we handle it here.
parent
700786714f
commit
038697aae9
|
@ -1410,6 +1410,10 @@ def slo(request):
|
|||
title=_('You are being redirected to "%s"') % provider.name)
|
||||
logger.info('asynchronous slo from %s' % logout.remoteProviderId)
|
||||
# Filter sessions
|
||||
if not logout.request.nameId:
|
||||
logger.warning('slo refused, no NameID in the SLO request')
|
||||
return return_logout_error(request, logout,
|
||||
AUTHENTIC_STATUS_CODE_MISSING_NAMEID)
|
||||
all_sessions = LibertySession.get_for_nameid_and_session_indexes(
|
||||
logout.server.providerId, logout.remoteProviderId,
|
||||
logout.request.nameId, logout.request.sessionIndexes)
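Review bot: The refusal logged by `logger.warning('slo refused, no NameID in the SLO request')` does not name the provider that sent the request, so the warning cannot be tied to a peer during triage, although `logout.remoteProviderId` is already used by the info line just above. I would write `logger.warning('slo refused, no NameID in the SLO request from %s', logout.remoteProviderId)`. The guard sits inside `slo()`, whose body starts and ends outside this hunk. Any other caller of `get_for_nameid_and_session_indexes` not visible here would presumably get only the empty queryset rather than the `AUTHENTIC_STATUS_CODE_MISSING_NAMEID` answer, which is worth confirming.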
|
||||
|
|
|
@ -555,6 +555,9 @@ class LibertySession(models.Model):
|
|||
|
||||
@classmethod
|
||||
def get_for_nameid_and_session_indexes(cls, issuer_id, provider_id, name_id, session_indexes):
|
||||
if not name_id:
|
||||
# logout request did not contain any NameID, bad !
|
||||
return LibertySession.objects.none()
|
||||
kwargs = nameid2kwargs(name_id)
|
||||
name_id_qualifier = kwargs['name_id_qualifier']
|
||||
qs = LibertySession.objects.filter(provider_id=provider_id,
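Review bot: The early return added to `get_for_nameid_and_session_indexes` is explained only by `# logout request did not contain any NameID, bad !`, which does not tell a maintainer why an empty result is the right answer. I would replace it with `# fail closed: without a NameID the request must not select any session` and give the method a one-line docstring stating that a missing `name_id` yields an empty queryset. As this is a classmethod, `cls.objects.none()` would read better than naming `LibertySession`, though the filter call below uses the class name too. The method body continues outside the hunk, and no test for the missing-NameID case is visible in this commit.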
|
||||
|
|