Fixed SAML logout for ADFS #2902

merged 3 commits into from
Oct 23, 2021
5 changes: 5 additions & 0 deletions .env.example.complete
Expand Up @@ -224,6 +224,11 @@ SAML2_ONELOGIN_OVERRIDES=null
SAML2_DUMP_USER_DETAILS=false
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_AUTHNCONTEXT=true
SAML2_SP_CERTIFICATE=null
SAML2_SP_PRIVATEKEY=null
SAML2_SP_NAME_ID_Format=null
SAML2_SP_NAME_ID_SP_NAME_QUALIFIER=null
SAML2_RETRIEVE_PARAMETERS_FROM_SERVER=false

# SAML group sync configuration
# Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/
10 changes: 8 additions & 2 deletions app/Auth/Access/Saml2Service.php
Expand Up @@ -61,7 +61,11 @@ public function logout(): array
$returnRoute = url('/');

try {
$url = $toolKit->logout($returnRoute, [], null, null, true);
$email = auth()->user()['email'];
$nameIdFormat = env('SAML2_SP_NAME_ID_Format', null);
$nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null);

$url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier);
$id = $toolKit->getLastRequestID();
} catch (Error $error) {
if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
Expand Down Expand Up @@ -117,7 +121,9 @@ public function processAcsResponse(?string $requestId): ?User
public function processSlsResponse(?string $requestId): ?string
{
$toolkit = $this->getToolkit();
$redirect = $toolkit->processSLO(true, $requestId, false, null, true);
$retrieveParametersFromServer = env('SAML2_RETRIEVE_PARAMETERS_FROM_SERVER', false);

$redirect = $toolkit->processSLO(true, $requestId, $retrieveParametersFromServer, null, true);

$errors = $toolkit->getErrors();

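Review bot: The new `env()` calls for `$nameIdFormat`, `$nameIdSPNameQualifier` and `$retrieveParametersFromServer` read the environment from service code instead of from `app/Config/saml2.php`; in Laravel, once configuration is cached, `env()` outside the config files returns null, so these settings silently fall back to their defaults in production. Declaring them under the `saml2` config array and reading them with `config()` keeps them with the other SP settings, including the `NameIDFormat` already defined under `sp` in saml2.php, which `SAML2_SP_NAME_ID_Format` can now contradict. The added `$email = auth()->user()['email'];` emits a warning (an ErrorException under Laravel's handler) if `logout()` is ever reached without an authenticated user; `$email = auth()->user()['email'] ?? null;` would keep the previous behaviour of sending no NameID in that case. Since `retrieveParametersFromServer` changes how the redirect-binding logout signature is validated (against the raw query string rather than re-encoded parameters), the new `processSlsResponse` line deserves a comment saying so, e.g. `// Validate the logout signature over the raw query string (needed when the IdP encodes parameters differently than PHP re-encodes them)`. Both `logout()` and `processSlsResponse()` continue outside their hunks.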
7 changes: 5 additions & 2 deletions app/Config/saml2.php
Expand Up @@ -80,8 +80,8 @@
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => '',
'privateKey' => '',
'x509cert' => env('SAML2_SP_CERTIFICATE', ''),
'privateKey' => env('SAML2_SP_PRIVATEKEY', ''),
],
// Identity Provider Data that we want connect with our SP
'idp' => [
Expand Down Expand Up @@ -147,6 +147,9 @@
// Multiple forced values can be passed via a space separated array, For example:
// SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT,
'logoutRequestSigned' => env('SAML2_LOGOUT_REQUEST_SIGNED', false),
'logoutResponseSigned' => env('SAML2_LOGOUT_RESPONSE_SIGNED', false),
'lowercaseUrlencoding' => env('SAML2_LOWERCASE_URLENCODING', false),
],
],

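Review bot: The three new keys `logoutRequestSigned`, `logoutResponseSigned` and `lowercaseUrlencoding` read `SAML2_LOGOUT_REQUEST_SIGNED`, `SAML2_LOGOUT_RESPONSE_SIGNED` and `SAML2_LOWERCASE_URLENCODING`, but none of these variables is added to `.env.example.complete` in this PR (that file only gains the `SAML2_SP_*` keys and `SAML2_RETRIEVE_PARAMETERS_FROM_SERVER`), so operators have no way to discover them. Each should get a commented line there, e.g. `# Sign outgoing SAML logout requests with the SP private key; requires SAML2_SP_PRIVATEKEY` above `SAML2_LOGOUT_REQUEST_SIGNED=false`. The comment above `x509cert`/`privateKey` still says the certificates are usually provided by files in the certs folder; now that they come from `env('SAML2_SP_CERTIFICATE', '')` and `env('SAML2_SP_PRIVATEKEY', '')` it should say that the default is empty and that enabling `logoutRequestSigned` without a configured key would presumably fail at signing time rather than silently send an unsigned request. Because the private key is now read from the environment, the `.env` file's permissions become part of the key's protection; that belongs in the SAML docs alongside the new variables.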