Implement SAML SOAP logout

Author: guimard

packages/issuer-saml/src/issuer.ts

@@ -17,6 +17,8 @@ import {
   AuthnContext,
   nameIdFormatToUrn,
   extractSamlMessage,
+  extractSamlFromSoap,
+  wrapInSoapEnvelope,
   buildPostForm,
   type HttpMethodType,
   type Logger,
@@ -347,6 +349,60 @@ export class SAMLIssuer {
     };
   }
 
+  /**
+   * Process SOAP LogoutRequest and build SOAP response
+   * @param soapEnvelope - Raw SOAP envelope XML
+   * @param sessionId - Session ID for restoring session state
+   * @returns SOAP response envelope as string
+   */
+  async processSoapLogout(
+    soapEnvelope: string,
+    sessionId?: string,
+  ): Promise<string> {
+    // Extract SAML message from SOAP envelope
+    const samlMessage = extractSamlFromSoap(soapEnvelope);
+    if (!samlMessage) {
+      throw new Error("No SAML message found in SOAP envelope");
+    }
+
+    this.logger.debug(
+      `SAML Issuer: Processing SOAP logout, message length: ${samlMessage.length}`,
+    );
+
+    const server = this.serverManager.getServer();
+    const logout = new Logout(server);
+
+    // Restore session if available
+    if (sessionId) {
+      const samlSession = await this.config.getSAMLSession?.(sessionId);
+      if (samlSession?._lassoSessionDump) {
+        logout.session = Session.fromDump(samlSession._lassoSessionDump);
+      }
+    }
+
+    // Process the logout request with SOAP method
+    logout.processRequestMsg(samlMessage, HttpMethod.SOAP);
+    logout.validateRequest();
+
+    const providerEntityId = logout.remoteProviderId || "";
+    this.logger.info(
+      `SAML Issuer: SOAP LogoutRequest from ${providerEntityId}`,
+    );
+
+    // Build the response
+    const result = logout.buildResponseMsg();
+
+    // Get the SAML response body
+    const samlResponse = result.responseBody || "";
+
+    this.logger.info(
+      `SAML Issuer: Built SOAP LogoutResponse for ${providerEntityId}`,
+    );
+
+    // Wrap in SOAP envelope
+    return wrapInSoapEnvelope(samlResponse);
+  }
+
   /**
    * Initiate IdP-initiated logout
    */

packages/issuer-saml/src/router.ts

@@ -160,36 +160,58 @@ export function createSAMLIssuerRouter(
   );
 
   /**
-   * POST /singleLogoutSOAP - SLO endpoint (SOAP)
+   * POST /singleLogoutSOAP - SLO endpoint (SOAP binding)
+   * Expects raw XML SOAP envelope in request body
    */
   router.post(
     "/singleLogoutSOAP",
-    async (req: Request, res: Response, next: NextFunction) => {
+    express.text({ type: ["text/xml", "application/soap+xml"] }),
+    async (req: SAMLRequest, res: Response, _next: NextFunction) => {
       try {
-        // SOAP binding handling
-        const soapBody = req.body;
+        // Get raw SOAP envelope from body
+        const soapEnvelope =
+          typeof req.body === "string" ? req.body : String(req.body);
 
-        // Extract SAML message from SOAP envelope
-        // This is a simplified implementation
-        const context = await issuer.processLogoutRequest({
-          method: "POST",
-          body: { SAMLRequest: soapBody },
-        });
-
-        const response = await issuer.buildLogoutResponse(context);
-
-        // Wrap response in SOAP envelope
-        const soapResponse = `<?xml version="1.0" encoding="UTF-8"?>
+        if (!soapEnvelope || soapEnvelope.length === 0) {
+          res.status(400).set("Content-Type", "text/xml").send(`<?xml version="1.0" encoding="UTF-8"?>
 <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
-    ${response.formData?.SAMLResponse || ""}
+    <soap:Fault>
+      <faultcode>soap:Client</faultcode>
+      <faultstring>Empty SOAP body</faultstring>
+    </soap:Fault>
   </soap:Body>
-</soap:Envelope>`;
+</soap:Envelope>`);
+          return;
+        }
+
+        // Get session ID if available
+        const sessionId = config.getSessionId?.(req) || undefined;
+
+        // Process SOAP logout and get SOAP response
+        const soapResponse = await issuer.processSoapLogout(
+          soapEnvelope,
+          sessionId,
+        );
 
         res.set("Content-Type", "text/xml");
         res.send(soapResponse);
       } catch (err) {
-        next(err);
+        // Return SOAP fault on error
+        const errorMessage =
+          err instanceof Error ? err.message : "Unknown error";
+        res
+          .status(500)
+          .set("Content-Type", "text/xml")
+          .send(`<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <soap:Fault>
+      <faultcode>soap:Server</faultcode>
+      <faultstring>${errorMessage.replace(/[<>&"']/g, (c) => ({ "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;" })[c] || c)}</faultstring>
+    </soap:Fault>
+  </soap:Body>
+</soap:Envelope>`);
       }
     },
   );

packages/lib-saml/src/index.ts

@@ -31,6 +31,10 @@ export {
   escapeXml,
   buildUrl,
   parseQueryString,
+  // SOAP utilities
+  extractSamlFromSoap,
+  wrapInSoapEnvelope,
+  isSoapEnvelope,
 } from "./utils";
 
 // Export lasso loader utilities
@@ -44,6 +48,11 @@ export {
   SignatureMethod,
   NameIdFormat,
   AuthnContext,
+  // Runtime class wrappers
+  Login,
+  Logout,
+  Identity,
+  Session,
 } from "./lasso-loader";
 
 // Re-export lasso types with full names
@@ -56,9 +65,3 @@ export type {
   HttpMethodType,
   SignatureMethodType,
 } from "./lasso-loader";
-
-// Backward-compatible type aliases (without Lasso prefix)
-export type { LassoLogin as Login } from "./lasso-loader";
-export type { LassoLogout as Logout } from "./lasso-loader";
-export type { LassoIdentity as Identity } from "./lasso-loader";
-export type { LassoSession as Session } from "./lasso-loader";