Merge branch 'master' of https://github.com/theodor-franke/BookStack into theodor...

diff --git a/.env.example.complete b/.env.example.complete
index 4188751654e8c22491f8f07e2b82fe4dc10fa95f..a29afaafd014f600cd90784f39d04b1b76841670 100644 (file)
--- a/.env.example.complete
+++ b/.env.example.complete
@@ -232,6 +232,11 @@ SAML2_ONELOGIN_OVERRIDES=null
 SAML2_DUMP_USER_DETAILS=false
 SAML2_AUTOLOAD_METADATA=false
 SAML2_IDP_AUTHNCONTEXT=true
+SAML2_SP_CERTIFICATE=null
+SAML2_SP_PRIVATEKEY=null
+SAML2_SP_NAME_ID_Format=null
+SAML2_SP_NAME_ID_SP_NAME_QUALIFIER=null
+SAML2_RETRIEVE_PARAMETERS_FROM_SERVER=false
 
 # SAML group sync configuration
 # Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/

diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
index 9c208832aba1b43aafb4864dae60991865502f45..58f999709e881fab60142017a4d1e9cef56b572c 100644 (file)
--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -65,7 +65,11 @@ class Saml2Service
         $returnRoute = url('/');
 
         try {
-            $url = $toolKit->logout($returnRoute, [], null, null, true);
+            $email = auth()->user()['email'];
+            $nameIdFormat = env('SAML2_SP_NAME_ID_Format', null);
+            $nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null);
+
+            $url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier);
             $id = $toolKit->getLastRequestID();
         } catch (Error $error) {
             if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
@@ -124,7 +128,9 @@ class Saml2Service
     public function processSlsResponse(?string $requestId): ?string
     {
         $toolkit = $this->getToolkit();
-        $redirect = $toolkit->processSLO(true, $requestId, false, null, true);
+        $retrieveParametersFromServer = env('SAML2_RETRIEVE_PARAMETERS_FROM_SERVER', false);
+
+        $redirect = $toolkit->processSLO(true, $requestId, $retrieveParametersFromServer, null, true);
 
         $errors = $toolkit->getErrors();
 

diff --git a/app/Config/saml2.php b/app/Config/saml2.php
index fe311057c1b1a3a14507334f2f422747de9e573c..3c4319100a1d67f8d841e1b5e8625e734d923776 100644 (file)
--- a/app/Config/saml2.php
+++ b/app/Config/saml2.php
@@ -80,8 +80,8 @@ return [
             'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
             // Usually x509cert and privateKey of the SP are provided by files placed at
             // the certs folder. But we can also provide them with the following parameters
-            'x509cert'   => '',
-            'privateKey' => '',
+            'x509cert'   => env('SAML2_SP_CERTIFICATE', ''),
+            'privateKey' => env('SAML2_SP_PRIVATEKEY', ''),
         ],
         // Identity Provider Data that we want connect with our SP
         'idp' => [
@@ -147,6 +147,9 @@ return [
             // Multiple forced values can be passed via a space separated array, For example:
             // SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
             'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT,
+            'logoutRequestSigned'   => env('SAML2_LOGOUT_REQUEST_SIGNED', false),
+            'logoutResponseSigned'  => env('SAML2_LOGOUT_RESPONSE_SIGNED', false),
+            'lowercaseUrlencoding'  => env('SAML2_LOWERCASE_URLENCODING', false),
         ],
     ],