use nameid in SAML SLO request (#5077)

fix #4964
elabftw · May 10, 2024 · de9ee04 · de9ee04
1 parent 4411072
commit de9ee04
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/src/Auth/Saml.php b/src/Auth/Saml.php
@@ -88,6 +88,8 @@ public function encodeToken(int $idpId): string
                 // Configures a new claim, called "uid"
                 ->withClaim('sid', $this->getSessionIndex())
                 ->withClaim('idp_id', $idpId)
+                ->withClaim('nameid', $this->SamlAuthLib->getNameId())
+                ->withClaim('nameid_format', $this->SamlAuthLib->getNameIdFormat())
                 // Builds a new token
                 ->getToken($config->signer(), $config->signingKey());
         return $token->toString();
@@ -107,7 +109,12 @@ public static function decodeToken(string $token): array
             }
             $conf->validator()->assert($parsedToken, ...$conf->validationConstraints());
 
-            return array($parsedToken->claims()->get('sid'), $parsedToken->claims()->get('idp_id'));
+            return array(
+                $parsedToken->claims()->get('sid'),
+                $parsedToken->claims()->get('idp_id'),
+                $parsedToken->claims()->get('nameid'),
+                $parsedToken->claims()->get('nameid_format'),
+            );
         } catch (CannotDecodeContent | InvalidTokenStructure | RequiredConstraintsViolated) {
             throw new UnauthorizedException('Decoding JWT Token failed');
         }

diff --git a/web/app/logout.php b/web/app/logout.php
@@ -74,8 +74,10 @@
         $samlToken = $App->Request->cookies->getString('saml_token');
         $sessionIndex = null;
         $idpId = null;
+        $nameid = null;
+        $nameidFormat = null;
         if (!empty($samlToken)) {
-            [$sessionIndex, $idpId] = SamlAuth::decodeToken($samlToken);
+            [$sessionIndex, $idpId, $nameid, $nameidFormat] = SamlAuth::decodeToken($samlToken);
         }
     } catch (Exception $e) {
         // log error and show general error message
@@ -156,8 +158,8 @@
         // do not attempt SLO if no SLO is configured/supported
         if (!empty($settings['idp']['singleLogoutService']['url'])) {
             // initiate SAML SLO
-            $samlAuthLib->logout($redirectUrl, array(), null, $sessionIndex ?? null);
-            exit;
+            // src: https://github.com/SAML-Toolkits/php-saml/blob/master/lib/Saml2/Auth.php#L549
+            $samlAuthLib->logout($redirectUrl, array(), $nameid, $sessionIndex, false, $nameidFormat);
         }
     } catch (Exception $e) {
         // log error and show general error message