public async Task Saml2Handler_SignOutAsync_InitiatesSignOutIfConfigured()
{
var context = new Saml2HandlerTestContext();
context.Subject.options.IdentityProviders.Default.SingleLogoutServiceUrl = new Uri("https://idp.example.com/Logout");
context.Subject.options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
context.HttpContext.User = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[]
{
new Claim(Saml2ClaimTypes.LogoutNameIdentifier, ",,,,NameId", null, "https://idp.example.com"),
new Claim(Saml2ClaimTypes.SessionIndex, "SessionId", null, "https://idp.example.com")
}, "Federation"));
IAuthenticationSignOutHandler subject = context.Subject;
var props = new AuthenticationProperties()
{
RedirectUri = "/loggedout"
};
await subject.SignOutAsync(props);
context.HttpContext.Response.Body.Length.Should().Be(0, "when using redirect binding, nothing should be written to body");
context.HttpContext.Response.StatusCode.Should().Be(303, "when using redirect binding, status code shoulde be 303");
context.HttpContext.Response.Headers["Location"].Single().Should().StartWith("https://idp.example.com/Logout?SAMLRequest=",
"location should be set for outbound redirect binding");
context.HttpContext.Response.Cookies.Received().Append(
Arg.Is <string>(s => s.StartsWith(StoredRequestState.CookieNameBase)),
Arg.Is <string>(s => new StoredRequestState(StubDataProtector.Unprotect(HttpRequestData.GetBinaryData(s)))
.ReturnUrl.OriginalString == "/loggedout"),
Arg.Any <CookieOptions>());
}
public async Task Saml2Handler_SignOutAsync_RedirectsIfLogoutDisabled()
{
var context = new Saml2HandlerTestContext();
context.Subject.options.IdentityProviders.Default
.SingleLogoutServiceUrl.Should().BeNull("this test assumes that the idp doesn't support logout.");
IAuthenticationSignOutHandler subject = context.Subject;
var redirectUri = "https://sp.example.com/loggedout";
var props = new AuthenticationProperties()
{
RedirectUri = redirectUri
};
await subject.SignOutAsync(props);
context.HttpContext.Response.Body.Length.Should().Be(0, "if logout is disabled, nothing should be written to body");
context.HttpContext.Response.StatusCode.Should().Be(303, "if logout is disabled, a redirect to logged out page should be done.");
context.HttpContext.Response.Headers["Location"].Single().Should().Be(redirectUri, "if logout is disabled a redirect to logged out page should be done.");
context.HttpContext.Response.Headers.TryGetValue("Set-Cookie", out StringValues _).Should().BeFalse("if logout is disabled, no cookies should be altered");
}
public AuthenticationRequestSignOutHandlerWrapper(IAuthenticationSignOutHandler inner, IHttpContextAccessor httpContextAccessor)
: base((IAuthenticationRequestHandler)inner, httpContextAccessor)
{
_inner = inner;
}
