Commit

Allow setting of "retrieveParametersFromServer"
Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (SAML-Toolkits/php-saml#466), but it seems upstream doesn't want to perform this change.

Until we have considered a better solution for this, this adds a new checkbox that one can configure.

Ref #403

Signed-off-by: Lukas Reschke <[email protected]>
LukasReschke committed May 4, 2021
1 parent 6f51a92 commit 8afcb43
Showing 3 changed files with 14 additions and 3 deletions.
10 changes: 8 additions & 2 deletions lib/Controller/SAMLController.php
Expand Up @@ -418,8 +418,14 @@ public function singleLogoutService() {
$stay = true ; // $auth will return the redirect URL but won't perform the redirect himself
if ($isFromIDP) {
$keepLocalSession = true ; // do not let processSLO to delete the entire session. Let userSession->logout do the job
$targetUrl = $auth->processSLO($keepLocalSession, null, false, null, $stay);

$targetUrl = $auth->processSLO(
$this->SAMLSettings->usesSloWebServerDecode(),
null,
false,
null,
$stay
);

$errors = $auth->getErrors();
if (!empty($errors)) {
foreach($errors as $error) {
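Review bot: The first argument of the new processSLO() call is wrong: `$this->SAMLSettings->usesSloWebServerDecode()` now sits in the position where `$keepLocalSession` was passed before, and the third argument is still the literal `false`. In php-saml the parameter order is processSLO($keepLocalSession, $requestId, $retrieveParametersFromServer, $cbDeleteSession, $stay), so as written the checkbox decides whether the toolkit keeps the local session, and `$retrieveParametersFromServer` is never enabled. With the default of '0' the toolkit is told not to keep the session, which contradicts the comment on the `$keepLocalSession = true` line, and that variable is now unused. Suggested call: `$auth->processSLO($keepLocalSession, null, $this->SAMLSettings->usesSloWebServerDecode(), null, $stay)`.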
4 changes: 4 additions & 0 deletions lib/SAMLSettings.php
Expand Up @@ -88,6 +88,10 @@ public function allowMultipleUserBackEnds() {
return ($setting === '1' && $type === 'saml');
}

public function usesSloWebServerDecode() : bool {
return $this->config->getAppValue('user_saml', 'security-sloWebServerDecode', '0') === '1';
}

/**
* get config for given IDP
*
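Review bot: usesSloWebServerDecode() has no docblock, unlike the method that follows it, and its name does not match the toolkit flag named in the commit title (retrieveParametersFromServer). Add a short comment stating that it reads the 'security-sloWebServerDecode' app value, that it defaults to off, and which processSLO() parameter it is meant to feed, so the call site can be checked against it. The config key is also a bare string literal here while Admin.php registers 'sloWebServerDecode' without the 'security-' prefix; a shared constant or a comment pointing at where the prefix is added would keep the two from drifting apart.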
3 changes: 2 additions & 1 deletion lib/Settings/Admin.php
Expand Up @@ -90,7 +90,8 @@ public function getForm() {
'signatureAlgorithm' => [
'type' => 'line',
'text' => $this->l10n->t('Algorithm that the toolkit will use on signing process.')
]
],
'sloWebServerDecode' => $this->l10n->t('Retrieve query parameters from $_SERVER. Some SAML servers require this on SLO requests.'),
];
$generalSettings = [
'uid_mapping' => [
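Review bot: The new 'sloWebServerDecode' entry is a plain translated string, while the 'signatureAlgorithm' entry directly above it is an array with 'type' and 'text'. Please confirm that the template renders string entries in this array as checkboxes, since the commit message promises a checkbox and the getter compares against '1'. It is also not visible in this hunk how the key becomes 'security-sloWebServerDecode', which is what SAMLSettings::usesSloWebServerDecode() reads; if the prefix is not applied by the form section, the setting will be saved under a name the controller never looks at. The label could say that this changes how the SLO query string is read for verification, so admins know it is a compatibility switch and not something to enable by default.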
