Added sessionindex to SAML2 single logout request to idp

ssddanbrown · ssddanbrown · commit 8c738aedee34 · 2023-04-28T13:55:25.000+01:00
related to #3936
diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
@@ -67,7 +67,7 @@ public function logout(User $user): array
                 $returnRoute,
                 [],
                 $user->email,
-                null,
+                session()->get('saml2_session_index'),
                 true,
                 Constants::NAMEID_EMAIL_ADDRESS
             );
@@ -118,6 +118,7 @@ public function processAcsResponse(?string $requestId, string $samlResponse): ?U
 
         $attrs = $toolkit->getAttributes();
         $id = $toolkit->getNameId();
+        session()->put('saml2_session_index', $toolkit->getSessionIndex());
 
         return $this->processLoginCallback($id, $attrs);
     }
diff --git a/tests/Auth/Saml2Test.php b/tests/Auth/Saml2Test.php
@@ -193,6 +193,9 @@ public function test_logout_sls_flow()
         $req = $this->post('/saml2/logout');
         $redirect = $req->headers->get('location');
         $this->assertStringStartsWith('http://saml.local/saml2/idp/SingleLogoutService.php', $redirect);
+        $sloData = $this->parseSamlDataFromUrl($redirect, 'SAMLRequest');
+        $this->assertStringContainsString('<samlp:SessionIndex>_4fe7c0d1572d64b27f930aa6f236a6f42e930901cc</samlp:SessionIndex>', $sloData);
+
         $this->withGet(['SAMLResponse' => $this->sloResponseData], $handleLogoutResponse);
     }
 
@@ -379,11 +382,16 @@ protected function getAuthnRequest(): string
     {
         $req = $this->post('/saml2/login');
         $location = $req->headers->get('Location');
-        $query = explode('?', $location)[1];
+        return $this->parseSamlDataFromUrl($location, 'SAMLRequest');
+    }
+
+    protected function parseSamlDataFromUrl(string $url, string $paramName): string
+    {
+        $query = explode('?', $url)[1];
         $params = [];
         parse_str($query, $params);
 
-        return gzinflate(base64_decode($params['SAMLRequest']));
+        return gzinflate(base64_decode($params[$paramName]));
     }
 
     protected function withGet(array $options, callable $callback)
