Handle SLO logout requests from IdP via POST

fschrempf · fschrempf · commit 6efb743e611f · 2019-06-08T19:13:00.000+02:00
Some IdPs send their SLO logout requests via POST. To handle them we need to add an entry in the routing table. Further, we need to hack around the issue, that php-saml only handles GET by copying the request from $_POST to $_GET. This solves nextcloud#82. Signed-off-by: Frieder Schrempf <fr.sc@online.de>
diff --git a/appinfo/routes.php b/appinfo/routes.php
@@ -48,6 +48,12 @@
 			'url' => '/saml/sls',
 			'verb' => 'GET',
 		],
+		[
+			'name' => 'SAML#singleLogoutService',
+			'url' => '/saml/sls',
+			'verb' => 'POST',
+			'postfix' => 'slopost',
+		],
 		[
 			'name' => 'SAML#notProvisioned',
 			'url' => '/saml/notProvisioned',
diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
@@ -319,6 +319,13 @@ public function assertionConsumerService() {
 	public function singleLogoutService() {
 		$isFromGS = ($this->config->getSystemValue('gs.enabled', false) &&
 					 $this->config->getSystemValue('gss.mode', '') === 'master');
+
+		// Some IDPs send the SLO request via POST, but OneLogin php-saml only handles GET.
+		// To hack around this issue we copy the request from _POST to _GET.
+		if(!empty($_POST['SAMLRequest'])) {
+			$_GET['SAMLRequest'] = $_POST['SAMLRequest'];
+		}
+
 		$isFromIDP = !$isFromGS && !empty($_GET['SAMLRequest']);
 
 		if($isFromIDP) {
