From 0bb4bcf23c2fd594ad31adb780422a5f5a628b15 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 4 May 2021 17:28:58 +0200 Subject: [PATCH 1/3] Allow setting of "retrieveParametersFromServer" Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change. Until we have considered a better solution for this, this adds a new checkbox that one can configure. Ref https://github.com/nextcloud/user_saml/issues/403 Signed-off-by: Lukas Reschke --- lib/Controller/SAMLController.php | 8 +++++++- lib/SAMLSettings.php | 4 ++++ lib/Settings/Admin.php | 3 ++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php index 3f3400795..f80eeef1c 100644 --- a/lib/Controller/SAMLController.php +++ b/lib/Controller/SAMLController.php @@ -418,7 +418,13 @@ public function singleLogoutService() { $stay = true ; // $auth will return the redirect URL but won't perform the redirect himself if($isFromIDP){ $keepLocalSession = true ; // do not let processSLO to delete the entire session. Let userSession->logout do the job - $targetUrl = $auth->processSLO($keepLocalSession, null, false, null, $stay); + $targetUrl = $auth->processSLO( + $this->SAMLSettings->usesSloWebServerDecode(), + null, + false, + null, + $stay + ); } else { // If request is not from IDP, we must send him the logout request $parameters = array(); diff --git a/lib/SAMLSettings.php b/lib/SAMLSettings.php index d25fa16a0..29a68395e 100644 --- a/lib/SAMLSettings.php +++ b/lib/SAMLSettings.php @@ -88,6 +88,10 @@ public function allowMultipleUserBackEnds() { return ($setting === '1' && $type === 'saml'); } + public function usesSloWebServerDecode() : bool { + return $this->config->getAppValue('user_saml', 'security-sloWebServerDecode', '0') === '1'; + } + /** * get config for given IDP * diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php index 6a7cf874d..5ed13dc03 100644 --- a/lib/Settings/Admin.php +++ b/lib/Settings/Admin.php @@ -90,7 +90,8 @@ public function getForm() { 'signatureAlgorithm' => [ 'type' => 'line', 'text' => $this->l10n->t('Algorithm that the toolkit will use on signing process.') - ] + ], + 'sloWebServerDecode' => $this->l10n->t('Retrieve query parameters from $_SERVER. Some SAML servers require this on SLO requests.'), ]; $generalSettings = [ 'uid_mapping' => [ From 4be94df792a44ac9c01d3936660c5d941cdf433f Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 4 May 2021 17:36:32 +0200 Subject: [PATCH 2/3] Add new checkbox to AdminTest Signed-off-by: Lukas Reschke --- tests/unit/Settings/AdminTest.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/unit/Settings/AdminTest.php b/tests/unit/Settings/AdminTest.php index 23311697d..7a97eb88e 100644 --- a/tests/unit/Settings/AdminTest.php +++ b/tests/unit/Settings/AdminTest.php @@ -83,7 +83,8 @@ public function formDataProvider() { 'signatureAlgorithm' => [ 'type' => 'line', 'text' => 'Algorithm that the toolkit will use on signing process.' - ] + ], + 'sloWebServerDecode' => 'Retrieve query parameters from $_SERVER. Some SAML servers require this on SLO requests.', ]; $generalSettings = [ 'idp0_display_name' => [ From d5389c4b6f8ff6ba1c90c89c14d1313576bdbcd0 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 5 May 2021 13:25:54 +0200 Subject: [PATCH 3/3] Actually replace $retrieveParametersFromServer parameter Signed-off-by: Lukas Reschke --- lib/Controller/SAMLController.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php index f80eeef1c..5b1f37e26 100644 --- a/lib/Controller/SAMLController.php +++ b/lib/Controller/SAMLController.php @@ -419,9 +419,9 @@ public function singleLogoutService() { if($isFromIDP){ $keepLocalSession = true ; // do not let processSLO to delete the entire session. Let userSession->logout do the job $targetUrl = $auth->processSLO( - $this->SAMLSettings->usesSloWebServerDecode(), + $keepLocalSession, null, - false, + $this->SAMLSettings->usesSloWebServerDecode(), null, $stay );