Handle SLO logout requests from IdP via POST
Some IdPs send their SLO logout requests via POST. To handle them we need to add an entry in the routing table. Further, we need to hack around the issue that php-saml only handles GET, by copying the request from $_POST to $_GET. This solves #82. Signed-off-by: Frieder Schrempf <frieder.schrempf@online.de>
parent
3f64725f26
commit
413c7a9239
|
@ -48,6 +48,12 @@ return [
|
|||
'url' => '/saml/sls',
|
||||
'verb' => 'GET',
|
||||
],
|
||||
[
|
||||
'name' => 'SAML#singleLogoutService',
|
||||
'url' => '/saml/sls',
|
||||
'verb' => 'POST',
|
||||
'postfix' => 'slspost',
|
||||
],
|
||||
[
|
||||
'name' => 'SAML#notProvisioned',
|
||||
'url' => '/saml/notProvisioned',
|
||||
|
|
|
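Review bot: The new `'verb' => 'POST'` entry makes `singleLogoutService` reachable by a cross-site form post, and nothing in this commit shows how the framework's CSRF check treats that route. The controller method's annotations are outside the visible hunks; if the method is exempt from the CSRF check, which an IdP-originated POST would need, then the SAML message signature is the only thing authenticating the request. That is worth stating beside the route, e.g. `// POST binding for IdP-initiated SLO; authenticated by the SAML signature, not the CSRF token`. The surrounding `return [` array starts and ends outside the hunk.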
@ -319,6 +319,13 @@ class SAMLController extends Controller {
|
|||
public function singleLogoutService() {
|
||||
$isFromGS = ($this->config->getSystemValue('gs.enabled', false) &&
|
||||
$this->config->getSystemValue('gss.mode', '') === 'master');
|
||||
|
||||
// Some IDPs send the SLO request via POST, but OneLogin php-saml only handles GET.
|
||||
// To hack around this issue we copy the request from _POST to _GET.
|
||||
if(!empty($_POST['SAMLRequest'])) {
|
||||
$_GET['SAMLRequest'] = $_POST['SAMLRequest'];
|
||||
}
|
||||
|
||||
$isFromIDP = !$isFromGS && !empty($_GET['SAMLRequest']);
|
||||
|
||||
if($isFromIDP) {
|
||||
|
|
|
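Review bot: Copying only `SAMLRequest` at `$_GET['SAMLRequest'] = $_POST['SAMLRequest'];` sends a POST-binding message down the library's Redirect-binding path, and it should be confirmed that the message signature is still verified there. With the POST binding the signature sits inside the XML instead of in `Signature`/`SigAlg` query parameters, so a check that looks for `$_GET['Signature']` would presumably find nothing to validate; unless the SP settings require signed messages (php-saml's `wantMessagesSigned`), an unsigned logout request could then be accepted. `RelayState` and a POSTed `SAMLResponse` are not copied either, so those cases behave differently from GET. I would at least record the constraint beside the workaround, e.g. `// POST-binding signature is inside the XML; this path relies on the SP requiring signed logout requests`. The body of `singleLogoutService()` continues past the hunk, so the handling after `if($isFromIDP) {` is not visible here.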
@ -54,6 +54,12 @@ class Test extends TestCase {
|
|||
'url' => '/saml/sls',
|
||||
'verb' => 'GET',
|
||||
],
|
||||
[
|
||||
'name' => 'SAML#singleLogoutService',
|
||||
'url' => '/saml/sls',
|
||||
'verb' => 'POST',
|
||||
'postfix' => 'slspost',
|
||||
],
|
||||
[
|
||||
'name' => 'SAML#notProvisioned',
|
||||
'url' => '/saml/notProvisioned',
|
||||
|
|
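Review bot: The expected-routes array gains the POST entry, but no test in this commit covers the `$_POST['SAMLRequest']` copy in `singleLogoutService()` itself. A controller test that submits the request via POST and asserts it is handled like the GET form, and that an unsigned request is rejected when signed messages are required, would pin the behaviour this workaround depends on. The enclosing test method starts and ends outside the hunk.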