Browse Source

Allow setting of "retrieveParametersFromServer"

Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change.

Until we have considered a better solution for this, this adds a new checkbox that one can configure.

Ref https://github.com/nextcloud/user_saml/issues/403

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
master
Lukas Reschke 1 year ago
parent
commit
8afcb434dc
  1. 10
      lib/Controller/SAMLController.php
  2. 4
      lib/SAMLSettings.php
  3. 3
      lib/Settings/Admin.php

10
lib/Controller/SAMLController.php

@ -418,8 +418,14 @@ class SAMLController extends Controller {
$stay = true ; // $auth will return the redirect URL but won't perform the redirect himself
if ($isFromIDP) {
$keepLocalSession = true ; // do not let processSLO to delete the entire session. Let userSession->logout do the job
$targetUrl = $auth->processSLO($keepLocalSession, null, false, null, $stay);
$targetUrl = $auth->processSLO(
$this->SAMLSettings->usesSloWebServerDecode(),
null,
false,
null,
$stay
);
$errors = $auth->getErrors();
if (!empty($errors)) {
foreach($errors as $error) {

4
lib/SAMLSettings.php

@ -88,6 +88,10 @@ class SAMLSettings {
return ($setting === '1' && $type === 'saml');
}
public function usesSloWebServerDecode() : bool {
return $this->config->getAppValue('user_saml', 'security-sloWebServerDecode', '0') === '1';
}
/**
* get config for given IDP
*

3
lib/Settings/Admin.php

@ -90,7 +90,8 @@ class Admin implements ISettings {
'signatureAlgorithm' => [
'type' => 'line',
'text' => $this->l10n->t('Algorithm that the toolkit will use on signing process.')
]
],
'sloWebServerDecode' => $this->l10n->t('Retrieve query parameters from $_SERVER. Some SAML servers require this on SLO requests.'),
];
$generalSettings = [
'uid_mapping' => [

Loading…
Cancel
Save