
github.com/nextcloud/user_saml.git - Unnamed repository; edit this file 'description' to name the repository.
authorLukas Reschke <lukas@statuscode.ch>2021-05-04 18:28:58 +0300
committerLukas Reschke <lukas@statuscode.ch>2021-05-04 18:28:58 +0300
commit8afcb434dcfcc88ac2d3317aa686c7c21d52ffff (patch)
tree4e89ad6994a35069290e25c41c30bf3176cf363a /lib
parent6f51a9223d27ea7288b9efbddbc5043d8ac51907 (diff)
Allow setting of "retrieveParametersFromServer"
Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change. Until we have considered a better solution for this, this adds a new checkbox that one can configure. Ref https://github.com/nextcloud/user_saml/issues/403 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib')
-rw-r--r--lib/Controller/SAMLController.php10
-rw-r--r--lib/SAMLSettings.php4
-rw-r--r--lib/Settings/Admin.php3
3 files changed, 14 insertions, 3 deletions
diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
index 61c4cc5b..dc8b5b80 100644
--- a/lib/Controller/SAMLController.php
+++ b/lib/Controller/SAMLController.php
@@ -418,8 +418,14 @@ class SAMLController extends Controller {
$stay = true ; // $auth will return the redirect URL but won't perform the redirect himself
if ($isFromIDP) {
$keepLocalSession = true ; // do not let processSLO to delete the entire session. Let userSession->logout do the job
- $targetUrl = $auth->processSLO($keepLocalSession, null, false, null, $stay);
-
+ $targetUrl = $auth->processSLO(
+ $this->SAMLSettings->usesSloWebServerDecode(),
+ null,
+ false,
+ null,
+ $stay
+ );
+
$errors = $auth->getErrors();
if (!empty($errors)) {
foreach($errors as $error) {
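Review bot: The new setting is passed in the wrong position of `processSLO()`: it replaces `$keepLocalSession` as the first argument, while the third argument is still the literal `false`. In php-saml's `Auth::processSLO()` the parameter order is, as far as I know, `$keepLocalSession, $requestId, $retrieveParametersFromServer, $cbDeleteSession, $stay`, so the checkbox never reaches `retrieveParametersFromServer`. With the default `'0'` the library is also now allowed to destroy the local session itself, which the comment on the line above says must be left to `userSession->logout`, and `$keepLocalSession` becomes an unused local. The call should keep the first argument and move the setting to the third: `$auth->processSLO($keepLocalSession, null, $this->SAMLSettings->usesSloWebServerDecode(), null, $stay);`. The enclosing method starts and ends outside the hunk.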
diff --git a/lib/SAMLSettings.php b/lib/SAMLSettings.php
index d25fa16a..29a68395 100644
--- a/lib/SAMLSettings.php
+++ b/lib/SAMLSettings.php
@@ -88,6 +88,10 @@ class SAMLSettings {
return ($setting === '1' && $type === 'saml');
}
+ public function usesSloWebServerDecode() : bool {
+ return $this->config->getAppValue('user_saml', 'security-sloWebServerDecode', '0') === '1';
+ }
+
/**
* get config for given IDP
*
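Review bot: `usesSloWebServerDecode()` has no docblock, although the next method in the file has one, and the name alone does not say what is decoded or where the value comes from. A one-line comment would cover it, for example `/** Whether SLO messages are read from the raw query string in $_SERVER rather than from the decoded request parameters (app value 'security-sloWebServerDecode', default off). */`. If my reading of the library is right, this flag changes the input that logout-message signature verification runs over, so the default and the reason for the option are worth recording next to the getter.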
diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
index 6a7cf874..5ed13dc0 100644
--- a/lib/Settings/Admin.php
+++ b/lib/Settings/Admin.php
@@ -90,7 +90,8 @@ class Admin implements ISettings {
'signatureAlgorithm' => [
'type' => 'line',
'text' => $this->l10n->t('Algorithm that the toolkit will use on signing process.')
- ]
+ ],
+ 'sloWebServerDecode' => $this->l10n->t('Retrieve query parameters from $_SERVER. Some SAML servers require this on SLO requests.'),
];
$generalSettings = [
'uid_mapping' => [