From: Dan Brown
Date: Fri, 28 Apr 2023 12:54:51 +0000 (+0100)
Subject: Added sessionindex to SAML2 single logout request to idp
X-Git-Tag: v23.05~1^2~7
X-Git-Url: http://source.bookstackapp.com/bookstack/commitdiff_plain/8c738aedee343826c3be7efc8b130d7e9966216f

Added sessionindex to SAML2 single logout request to idp
related to #3936
---
diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
index a95e3b1d2..24efd7f64 100644
--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -67,7 +67,7 @@ class Saml2Service
 $returnRoute,
 [],
 $user->email,
- null,
+ session()->get('saml2_session_index'),
 true,
 Constants::NAMEID_EMAIL_ADDRESS
 );
@@ -118,6 +118,7 @@ class Saml2Service
 $attrs = $toolkit->getAttributes();
 $id = $toolkit->getNameId();
+ session()->put('saml2_session_index', $toolkit->getSessionIndex());
 return $this->processLoginCallback($id, $attrs);
 }
diff --git a/tests/Auth/Saml2Test.php b/tests/Auth/Saml2Test.php
index 0ee419610..1a3e4abbe 100644
--- a/tests/Auth/Saml2Test.php
+++ b/tests/Auth/Saml2Test.php
@@ -193,6 +193,9 @@ class Saml2Test extends TestCase
 $req = $this->post('/saml2/logout');
 $redirect = $req->headers->get('location');
 $this->assertStringStartsWith('http://saml.local/saml2/idp/SingleLogoutService.php', $redirect);
+ $sloData = $this->parseSamlDataFromUrl($redirect, 'SAMLRequest');
+ $this->assertStringContainsString('_4fe7c0d1572d64b27f930aa6f236a6f42e930901cc', $sloData);
+
 $this->withGet(['SAMLResponse' => $this->sloResponseData], $handleLogoutResponse);
 }
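Review bot: The `session()->get('saml2_session_index')` argument now names the IdP session to close, but the subject is still sent as `$user->email` with `Constants::NAMEID_EMAIL_ADDRESS` rather than the NameID the IdP actually issued, and IdPs generally match a LogoutRequest on the NameID and SessionIndex together; where the IdP issued a persistent or transient NameID, adding the index alone may still leave the IdP session open. The login callback already holds the issued value (`$id = $toolkit->getNameId()` in the next hunk), so storing it the same way and passing `session()->get('saml2_name_id') ?? $user->email,` here, together with the issued format if the toolkit exposes it, would bind the request to what the IdP knows. Reading the index with `session()->pull(...)` instead of `get` would also stop it being re-sent once this request has been issued, unless the session is flushed later in this method, which is outside the hunk. The `$toolkit->logout(` call this argument list belongs to starts outside the hunk.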
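Review bot: The new `session()->put('saml2_session_index', $toolkit->getSessionIndex())` line needs a comment saying why the value is kept, since nothing in this method reads it: `// Remember the IdP's SessionIndex so the SP-initiated LogoutRequest can name the session to terminate; null if the assertion carried none.` It is also written before `processLoginCallback($id, $attrs)` has accepted the assertion, so a rejected login (the callback is outside the hunk, so I cannot see whether it throws) leaves an IdP session index in an unauthenticated session; storing it after a successful return, `$user = $this->processLoginCallback($id, $attrs); session()->put('saml2_session_index', $toolkit->getSessionIndex()); return $user;`, avoids that, assuming the callback migrates rather than flushes session data when it regenerates the session ID. The enclosing method starts outside the hunk.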
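Review bot: `assertStringContainsString('_4fe7c0d1572d64b27f930aa6f236a6f42e930901cc', $sloData)` only proves the id appears somewhere in the inflated LogoutRequest, not that it is sent as the SessionIndex; asserting the element, `$this->assertStringContainsString('<samlp:SessionIndex>_4fe7c0d1572d64b27f930aa6f236a6f42e930901cc</samlp:SessionIndex>', $sloData);`, pins the behaviour this commit adds (assuming the toolkit serialises it as a `samlp:SessionIndex` element, which I cannot confirm from this hunk). There is also no test for a session that carries no index, where the logout request must still be produced with the element omitted. The test method and `$handleLogoutResponse` are defined outside the hunk.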
@@ -379,11 +382,16 @@ class Saml2Test extends TestCase
 {
 $req = $this->post('/saml2/login');
 $location = $req->headers->get('Location');
- $query = explode('?', $location)[1];
+ return $this->parseSamlDataFromUrl($location, 'SAMLRequest');
+ }
+
+ protected function parseSamlDataFromUrl(string $url, string $paramName): string
+ {
 $query = explode('?', $url)[1];
 $params = [];
 parse_str($query, $params);
- return gzinflate(base64_decode($params['SAMLRequest']));
+ return gzinflate(base64_decode($params[$paramName]));
 }
 protected function withGet(array $options, callable $callback)
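Review bot: `parseSamlDataFromUrl` fails with PHP warnings or a `TypeError` rather than a test assertion when the redirect has no query string, the parameter is absent, or the payload does not inflate: `explode('?', $url)[1]` and `$params[$paramName]` are undefined-offset reads, and `gzinflate()` returns `false` against the declared `string` return type. As the helper is now shared by the login and logout tests, a clearer failure is worth it: `parse_str((string) parse_url($url, PHP_URL_QUERY), $params); $this->assertArrayHasKey($paramName, $params, "Redirect URL has no {$paramName} parameter"); return gzinflate(base64_decode($params[$paramName]));`. The `$query = explode('?', $url)[1];` line inside the new method appears to have lost its `+` marker in this rendering; it can only be an added line, since the removed line read `$location`. `withGet` at the end of the hunk continues outside it.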