diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
index 61c4cc5b6..dc8b5b801 100644
--- a/lib/Controller/SAMLController.php
+++ b/lib/Controller/SAMLController.php
@@ -418,8 +418,14 @@ public function singleLogoutService() {
 $stay = true ; // $auth will return the redirect URL but won't perform the redirect himself
 if ($isFromIDP) {
 $keepLocalSession = true ; // do not let processSLO to delete the entire session. Let userSession->logout do the job
- $targetUrl = $auth->processSLO($keepLocalSession, null, false, null, $stay);
-
+ $targetUrl = $auth->processSLO(
+ $this->SAMLSettings->usesSloWebServerDecode(),
+ null,
+ false,
+ null,
+ $stay
+ );
+
 $errors = $auth->getErrors();
 if (!empty($errors)) {
 foreach($errors as $error) {
diff --git a/lib/SAMLSettings.php b/lib/SAMLSettings.php
index d25fa16a0..29a68395e 100644
--- a/lib/SAMLSettings.php
+++ b/lib/SAMLSettings.php
@@ -88,6 +88,10 @@ public function allowMultipleUserBackEnds() {
 return ($setting === '1' && $type === 'saml');
 }
+ public function usesSloWebServerDecode() : bool {
+ return $this->config->getAppValue('user_saml', 'security-sloWebServerDecode', '0') === '1';
+ }
+
 /**
 * get config for given IDP
 *
diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
index 6a7cf874d..5ed13dc03 100644
--- a/lib/Settings/Admin.php
+++ b/lib/Settings/Admin.php
@@ -90,7 +90,8 @@ public function getForm() {
 'signatureAlgorithm' => [
 'type' => 'line',
 'text' => $this->l10n->t('Algorithm that the toolkit will use on signing process.')
- ]
+ ],
+ 'sloWebServerDecode' => $this->l10n->t('Retrieve query parameters from $_SERVER. Some SAML servers require this on SLO requests.'),
 ];
 $generalSettings = [
 'uid_mapping' => [
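Review bot: In lib/Controller/SAMLController.php the new setting is passed as the first argument of `processSLO()`, which the comment on the preceding line identifies as the keep-local-session flag, while the third argument stays a literal `false`. Assuming the php-saml toolkit signature `processSLO($keepLocalSession, $requestId, $retrieveParametersFromServer, $cbDeleteSession, $stay)`, the option never reaches `$retrieveParametersFromServer`, so it does not change how the query string of an IdP-initiated logout is read, and with the default `'0'` the toolkit is no longer told to keep the local session, contrary to what that comment intends. `$keepLocalSession` is also left assigned but unused. The call should keep `$keepLocalSession,` as the first argument and pass `$this->SAMLSettings->usesSloWebServerDecode(),` in place of `false`. singleLogoutService() starts and ends outside the hunk.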
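Review bot: `usesSloWebServerDecode()` in lib/SAMLSettings.php has no docblock, although it gates a security-relevant toolkit option and the method that follows it in the hunk is documented. A one-line comment such as `/** Whether SLO query parameters are retrieved from $_SERVER; stored as app value 'security-sloWebServerDecode', off by default. */` would tell a maintainer what the flag controls and where it is stored. The return-type spacing `() : bool` could also be written `(): bool` per PSR-12, if that matches the rest of the file, which is not visible here.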