SAML-Toolkits / php-saml

Simple SAML toolkit for PHP
MIT License

Need to accept POST SLO SAML response #584

Closed mkhyman closed 2 months ago

mkhyman commented 2 months ago

My IDP uses POST to send SLO SAML responses.

As far as I can tell it is a simple change but I can't create pull requests.

Auth::processSLO needs to change from:

```php
if (isset($_GET['SAMLResponse'])) {
  $logoutResponse = new LogoutResponse($this->_settings, $_GET['SAMLResponse']);
```

to:

```php
if (isset($_GET['SAMLResponse']) || isset($_POST['SAMLResponse'])) {
  if (isset($_GET['SAMLResponse'])) {
    $logoutResponse = new LogoutResponse($this->getSettings(), $_GET['SAMLResponse']);
  } else {
    $logoutResponse = new LogoutResponse($this->getSettings(), $_POST['SAMLResponse']);
  }
```

with the wording of the error message at bottom reflecting this change.

pitbulk commented 2 months ago

It's not that easy; you will also need to be able to validate embedded signatures.

mkhyman commented 2 months ago

OK, yes, you are right. I did not take into account that $logoutResponse->isValid(..) internally uses $_GET. However, that is not insurmountable, since either the required data could be passed in to the method (my preference), or a similar approach which checks in both $_GET and $_POST could be done. Neither is difficult.

If you give me permission to create pull requests, I can show you what I mean if you want.
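
The binding difference discussed in this thread, as an added example that is not part of the thread and not php-saml code: the two SAML bindings encode the message differently and carry the signature in different places, so a POST-delivered LogoutResponse cannot be checked with the query-string logic. The function name and return keys are hypothetical, and the sample message is constructed.

```php
<?php
// Added illustration. decodeLogoutResponse() and its return keys are
// hypothetical names, not php-saml's API.
function decodeLogoutResponse(array $get, array $post): array
{
    if (isset($get['SAMLResponse'])) {
        // HTTP-Redirect: base64 + raw DEFLATE. The signature is detached and
        // covers the query string (SAMLResponse, RelayState, SigAlg).
        $binding = 'redirect';
        $raw = base64_decode($get['SAMLResponse'], true);
        $xml = $raw === false ? false : @gzinflate($raw);
        $detached = isset($get['Signature'], $get['SigAlg']);
    } elseif (isset($post['SAMLResponse'])) {
        // HTTP-POST: base64 only, no DEFLATE. Any signature is a ds:Signature
        // element inside the XML, so query-string verification cannot apply.
        $binding = 'post';
        $xml = base64_decode($post['SAMLResponse'], true);
        $detached = false;
    } else {
        throw new InvalidArgumentException('SAMLResponse not found in GET or POST');
    }
    if ($xml === false || $xml === '') {
        throw new InvalidArgumentException("Cannot decode SAMLResponse ($binding binding)");
    }
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches; a DOCTYPE is refused outright.
    if (!@$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        throw new InvalidArgumentException('Malformed XML or DOCTYPE present');
    }
    $dsig = 'http://www.w3.org/2000/09/xmldsig#';
    $embedded = $doc->getElementsByTagNameNS($dsig, 'Signature')->length > 0;
    // Where the caller must verify; 'none' should be rejected when signed
    // logout responses are required.
    $location = $detached ? 'query' : ($embedded ? 'xml' : 'none');
    return ['binding' => $binding, 'xml' => $xml, 'signature' => $location];
}

// Constructed sample: a minimal, unsigned LogoutResponse (not schema-complete).
$sample = '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' ID="_constructed1" Version="2.0" InResponseTo="_constructed0"/>';
$viaPost = decodeLogoutResponse([], ['SAMLResponse' => base64_encode($sample)]);
$viaGet = decodeLogoutResponse(['SAMLResponse' => base64_encode(gzdeflate($sample))], []);
var_dump($viaPost, $viaGet['xml'] === $viaPost['xml']);
```

When the reported location is `xml`, the verifier must also confirm that the signature's reference covers the root LogoutResponse element, not some other node in the document.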