From 413c7a92390c27100f0abf1641562b27485dea1b Mon Sep 17 00:00:00 2001
From: Frieder Schrempf
Date: Sat, 8 Jun 2019 19:13:00 +0200
Subject: [PATCH] Handle SLO logout requests from IdP via POST

Some IdPs send their SLO logout requests via POST. To handle them we need to add an entry in the routing table. Further, we need to hack around the issue, that php-saml only handles GET by copying the request from $_POST to $_GET. This solves #82.

Signed-off-by: Frieder Schrempf
---
 appinfo/routes.php | 6 ++++++
 lib/Controller/SAMLController.php | 7 +++++++
 tests/unit/AppInfo/RoutesTest.php | 6 ++++++
 3 files changed, 19 insertions(+)

diff --git a/appinfo/routes.php b/appinfo/routes.php
index 3676ca5..63e5ca9 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
@@ -48,6 +48,12 @@ return [
 'url' => '/saml/sls',
 'verb' => 'GET',
 ],
+ [
+ 'name' => 'SAML#singleLogoutService',
+ 'url' => '/saml/sls',
+ 'verb' => 'POST',
+ 'postfix' => 'slspost',
+ ],
 [
 'name' => 'SAML#notProvisioned',
 'url' => '/saml/notProvisioned',
diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
index 50bec66..e289840 100644
--- a/lib/Controller/SAMLController.php
+++ b/lib/Controller/SAMLController.php
@@ -319,6 +319,13 @@ class SAMLController extends Controller {
 public function singleLogoutService() {
 $isFromGS = ($this->config->getSystemValue('gs.enabled', false) && $this->config->getSystemValue('gss.mode', '') === 'master');
+
+ // Some IDPs send the SLO request via POST, but OneLogin php-saml only handles GET.
+ // To hack around this issue we copy the request from _POST to _GET.
+ if(!empty($_POST['SAMLRequest'])) {
+ $_GET['SAMLRequest'] = $_POST['SAMLRequest'];
+ }
+
 $isFromIDP = !$isFromGS && !empty($_GET['SAMLRequest']);
 if($isFromIDP) {
diff --git a/tests/unit/AppInfo/RoutesTest.php b/tests/unit/AppInfo/RoutesTest.php
index e806fa9..b8e71b0 100644
--- a/tests/unit/AppInfo/RoutesTest.php
+++ b/tests/unit/AppInfo/RoutesTest.php
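Review bot: The copy at `$_GET['SAMLRequest'] = $_POST['SAMLRequest'];` forwards only the request body into the GET path, so a POST-bound LogoutRequest reaches the processing that follows (outside the hunk) without the `Signature`/`SigAlg` query parameters the Redirect binding is verified with; unless php-saml also validates the signature embedded in the POSTed XML (the hunk's own comment that it "only handles GET" suggests it may not), an unsigned forged SAMLRequest posted to /saml/sls could be accepted as an IdP-initiated logout, so confirm that such a request is rejected (e.g. by the SP's wantMessagesSigned/strict settings) before relying on this. The same copy drops `RelayState`, which a POST-bound SLO may also carry; if it is needed downstream, `if (isset($_POST['RelayState'])) { $_GET['RelayState'] = $_POST['RelayState']; }` inside the same block keeps the two bindings equivalent. Because the POST value silently wins over a GET value when both are present, guarding on the method (`$_SERVER['REQUEST_METHOD'] === 'POST'`) would make that override explicit. Either way the comment should state what is and is not carried over, e.g. `// Only SAMLRequest is copied; RelayState is not forwarded and no Redirect-binding Signature/SigAlg exist for POST, so signature checking of POST requests is left to php-saml.` singleLogoutService() continues past the end of the hunk.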
@@ -54,6 +54,12 @@ class Test extends TestCase {
 'url' => '/saml/sls',
 'verb' => 'GET',
 ],
+ [
+ 'name' => 'SAML#singleLogoutService',
+ 'url' => '/saml/sls',
+ 'verb' => 'POST',
+ 'postfix' => 'slspost',
+ ],
 [
 'name' => 'SAML#notProvisioned',
 'url' => '/saml/notProvisioned',