Fix #106. Make Request ids accesible

Author: pitbulk

README.md

@@ -496,6 +496,12 @@ The login method can recieve 2 more optional parameters:
 * force_authn  When true the AuthNReuqest will set the ForceAuthn='true'
 * is_passive   When true the AuthNReuqest will set the Ispassive='true'
 
+If a match on the future SAMLResponse ID and the AuthNRequest ID to be sent is required, that AuthNRequest ID must to be extracted and stored for future validation, we can get that ID by
+
+```python
+auth.get_last_request_id()
+```
+
 #### The SP Endpoints ####
 
 Related to the SP there are 3 important endpoints: The metadata view, the ACS view and the SLS view. 
@@ -679,6 +685,12 @@ Also there are 2 optional parameters that can be set:
 SAML Response with a NameId, then this NameId will be used.
 * session_index. SessionIndex that identifies the session of the user.
 
+If a match on the LogoutResponse ID and the LogoutRequest ID to be sent is required, that LogoutRequest ID must to be extracted and stored for future validation, we can get that ID by
+
+```python
+auth.get_last_request_id()
+```
+
 ####Example of a view that initiates the SSO request and handles the response (is the acs target)####
 
 We can code a unique file that initiates the SSO process, handle the response, get the attributes, initiate the slo and processes the logout response.
@@ -754,6 +766,7 @@ Main class of OneLogin Python Toolkit
 * ***get_last_error_reason*** Returns the reason of the last error
 * ***get_sso_url*** Gets the SSO url.
 * ***get_slo_url*** Gets the SLO url.
+* ***get_last_request_id*** The ID of the last Request SAML message generated.
 * ***build_request_signature*** Builds the Signature of the SAML Request.
 * ***build_response_signature*** Builds the Signature of the SAML Response.
 * ***get_settings*** Returns the settings info.

demo-django/demo/views.py

@@ -39,6 +39,10 @@ def index(request):
 
     if 'sso' in req['get_data']:
         return HttpResponseRedirect(auth.login())
+        # If AuthNRequest ID need to be stored in order to later validate it, do instead
+        # sso_built_url = auth.login()
+        # request.session['AuthNRequestID'] = auth.get_last_request_id()
+        # return HttpResponseRedirect(sso_built_url)
     elif 'sso2' in req['get_data']:
         return_to = OneLogin_Saml2_Utils.get_self_url(req) + reverse('attrs')
         return HttpResponseRedirect(auth.login(return_to))
@@ -51,19 +55,33 @@ def index(request):
             session_index = request.session['samlSessionIndex']
 
         return HttpResponseRedirect(auth.logout(name_id=name_id, session_index=session_index))
+
+        # If LogoutRequest ID need to be stored in order to later validate it, do instead
+        # slo_built_url = auth.logout(name_id=name_id, session_index=session_index)
+        # request.session['LogoutRequestID'] = auth.get_last_request_id()
+        #return HttpResponseRedirect(slo_built_url)
     elif 'acs' in req['get_data']:
-        auth.process_response()
+        request_id = None
+        if 'AuthNRequestID' in request.session:
+            request_id = request.session['AuthNRequestID']
+
+        auth.process_response(request_id=request_id)
         errors = auth.get_errors()
         not_auth_warn = not auth.is_authenticated()
         if not errors:
+            if 'AuthNRequestID' in request.session:
+                del request.session['AuthNRequestID']
             request.session['samlUserdata'] = auth.get_attributes()
             request.session['samlNameId'] = auth.get_nameid()
             request.session['samlSessionIndex'] = auth.get_session_index()
             if 'RelayState' in req['post_data'] and OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
                 return HttpResponseRedirect(auth.redirect_to(req['post_data']['RelayState']))
     elif 'sls' in req['get_data']:
+        request_id = None
+        if 'LogoutRequestID' in request.session:
+            request_id = request.session['LogoutRequestID']
         dscb = lambda: request.session.flush()
-        url = auth.process_slo(delete_session_cb=dscb)
+        url = auth.process_slo(request_id=request_id, delete_session_cb=dscb)
         errors = auth.get_errors()
         if len(errors) == 0:
             if url is not None:

src/onelogin/saml2/auth.py

@@ -58,6 +58,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         self.__authenticated = False
         self.__errors = []
         self.__error_reason = None
+        self.__last_request_id = None
 
     def get_settings(self):
         """
@@ -151,6 +152,8 @@ def process_slo(self, keep_local_session=False, request_id=None, delete_session_
                 parameters = {'SAMLResponse': logout_response}
                 if 'RelayState' in self.__request_data['get_data']:
                     parameters['RelayState'] = self.__request_data['get_data']['RelayState']
+                else:
+                    parameters['RelayState'] = OneLogin_Saml2_Utils.get_self_url_no_query(self.__request_data)
 
                 security = self.__settings.get_security_data()
                 if 'logoutResponseSigned' in security and security['logoutResponseSigned']:
@@ -257,6 +260,13 @@ def get_attribute(self, name):
             value = self.__attributes[name]
         return value
 
+    def get_last_request_id(self):
+        """
+        :returns: The ID of the last Request SAML message generated.
+        :rtype: string
+        """
+        return self.__last_request_id
+
     def login(self, return_to=None, force_authn=False, is_passive=False):
         """
         Initiates the SSO process.
@@ -274,6 +284,8 @@ def login(self, return_to=None, force_authn=False, is_passive=False):
         """
         authn_request = OneLogin_Saml2_Authn_Request(self.__settings, force_authn, is_passive)
 
+        self.__last_request_id = authn_request.get_id()
+
         saml_request = authn_request.get_request()
         parameters = {'SAMLRequest': saml_request}
 
@@ -315,6 +327,8 @@ def logout(self, return_to=None, name_id=None, session_index=None):
 
         logout_request = OneLogin_Saml2_Logout_Request(self.__settings, name_id=name_id, session_index=session_index)
 
+        self.__last_request_id = logout_request.id
+
         saml_request = logout_request.get_request()
 
         parameters = {'SAMLRequest': logout_request.get_request()}

src/onelogin/saml2/constants.py

@@ -80,6 +80,7 @@ class OneLogin_Saml2_Constants(object):
     NSMAP = {
         'samlp': NS_SAMLP,
         'saml': NS_SAML,
+        'md': NS_MD,
         'ds': NS_DS,
         'xenc': NS_XENC
     }