From 0bb4bcf23c2fd594ad31adb780422a5f5a628b15 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 4 May 2021 17:28:58 +0200 Subject: [PATCH] Allow setting of "retrieveParametersFromServer" Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change. Until we have considered a better solution for this, this adds a new checkbox that one can configure. Ref https://github.com/nextcloud/user_saml/issues/403 Signed-off-by: Lukas Reschke --- lib/Controller/SAMLController.php | 8 +++++++- lib/SAMLSettings.php | 4 ++++ lib/Settings/Admin.php | 3 ++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php index 3f3400795..f80eeef1c 100644 --- a/lib/Controller/SAMLController.php +++ b/lib/Controller/SAMLController.php @@ -418,7 +418,13 @@ public function singleLogoutService() { $stay = true ; // $auth will return the redirect URL but won't perform the redirect himself if($isFromIDP){ $keepLocalSession = true ; // do not let processSLO to delete the entire session. Let userSession->logout do the job - $targetUrl = $auth->processSLO($keepLocalSession, null, false, null, $stay); + $targetUrl = $auth->processSLO( + $this->SAMLSettings->usesSloWebServerDecode(), + null, + false, + null, + $stay + ); } else { // If request is not from IDP, we must send him the logout request $parameters = array(); diff --git a/lib/SAMLSettings.php b/lib/SAMLSettings.php index d25fa16a0..29a68395e 100644 --- a/lib/SAMLSettings.php +++ b/lib/SAMLSettings.php @@ -88,6 +88,10 @@ public function allowMultipleUserBackEnds() { return ($setting === '1' && $type === 'saml'); } + public function usesSloWebServerDecode() : bool { + return $this->config->getAppValue('user_saml', 'security-sloWebServerDecode', '0') === '1'; + } + /** * get config for given IDP * diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php index 6a7cf874d..5ed13dc03 100644 --- a/lib/Settings/Admin.php +++ b/lib/Settings/Admin.php @@ -90,7 +90,8 @@ public function getForm() { 'signatureAlgorithm' => [ 'type' => 'line', 'text' => $this->l10n->t('Algorithm that the toolkit will use on signing process.') - ] + ], + 'sloWebServerDecode' => $this->l10n->t('Retrieve query parameters from $_SERVER. Some SAML servers require this on SLO requests.'), ]; $generalSettings = [ 'uid_mapping' => [