Adding Logout Callback for Logging Purpose

[Arie K]

Hi all,

We're using Simple SAML PHP as SAML2 IDP and SPs. We have successfully
add a processing filter to log all login activity in our IdP. But we
haven't found a way to log logout request (SLO).

Is there any documentation regarding this?

Thanks in advance,
--
Arie Karhendana

[Olav Morken]

On Sun, Jan 31, 2010 at 17:16:14 +0700, Arie K wrote:
> Hi all,
>
> We're using Simple SAML PHP as SAML2 IDP and SPs. We have successfully
> add a processing filter to log all login activity in our IdP. But we
> haven't found a way to log logout request (SLO).
>
> Is there any documentation regarding this?

First of all, simpleSAMLphp logs the following when receiving a logout
request from the IdP:

simplesamlphp - NOTICE: STAT [58bfcff286] saml20-idp-SLO idpinit <SP entity ID> <IDP entity ID>

(Note that the format of this line is subject to chagne in the future).

If you cannot use the existing log entry, you can add a logout callback
by using the registerLogoutHandler function in the session class. This
is undocumented, and I cannot guarantee that the function call will be
present in future versions. It will be in 1.6, but beyond that I do not
know.

The callback can be used like this:

$session = SimpleSAML_Session::getInstance();
$session->registerLogoutHandler('classname', 'functionname');

'classname' must be the name of a class that the simpleSAMLphp class
loader can find. I.e. it must either be in a module, or part of the
"core" classes.

The function will not receive any parameters, and must be declared as
"public static". Take a look at lib/SimpleSAML/AuthMemCookie.php and
www/authmemcookie.php for an example.

--
Olav Morken