From 75749ef336848269d770f7f3b2bf7c9fb9d42479 Mon Sep 17 00:00:00 2001
From: Franke <franth@lra.local>
Date: Mon, 30 Aug 2021 14:35:11 +0200
Subject: [PATCH 1/3] Fixed SAML logout for ADFS.

---
 .env.example.complete            |  5 +++++
 app/Auth/Access/Saml2Service.php | 12 ++++++++++--
 app/Config/saml2.php             |  7 +++++--
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/.env.example.complete b/.env.example.complete
index 26df8f3cb..58e4e4754 100644
--- a/.env.example.complete
+++ b/.env.example.complete
@@ -224,6 +224,11 @@ SAML2_ONELOGIN_OVERRIDES=null
 SAML2_DUMP_USER_DETAILS=false
 SAML2_AUTOLOAD_METADATA=false
 SAML2_IDP_AUTHNCONTEXT=true
+SAML2_SP_CERTIFICATE=null
+SAML2_SP_PRIVATEKEY=null
+SAML2_SP_NAME_ID_Format=null
+SAML2_SP_NAME_ID_SP_NAME_QUALIFIER=null
+SAML2_RETRIEVE_PARAMETERS_FROM_SERVER=false
 
 # SAML group sync configuration
 # Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/
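Review bot: `SAML2_SP_NAME_ID_Format` breaks the upper-snake naming every neighbouring key uses (`SAML2_SP_NAME_ID_SP_NAME_QUALIFIER` right below it), and the PHP side reads it with the same mixed-case spelling, so rename it to `SAML2_SP_NAME_ID_FORMAT` on both sides before it becomes a published setting. The three switches introduced by patches 2/3 (`SAML2_LOGOUT_REQUEST_SIGNED`, `SAML2_LOGOUT_RESPONSE_SIGNED`, `SAML2_LOWERCASE_URLENCODING`) are not listed here, so an administrator following this example cannot discover them. `SAML2_SP_PRIVATEKEY` holds private-key material; add a line above it such as `# SAML2_SP_PRIVATEKEY is the SP private key (PEM); prefer the certs folder on shared hosts and never commit a real value`.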
diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
index 6cbfdac0b..e72aef979 100644
--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -61,8 +61,14 @@ class Saml2Service extends ExternalAuthService
         $returnRoute = url('/');
 
         try {
-            $url = $toolKit->logout($returnRoute, [], null, null, true);
+            $email = auth()->user()['email'];
+            $nameIdFormat = env('SAML2_SP_NAME_ID_Format', null);
+            $nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null);
+
+
+            $url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier);
             $id = $toolKit->getLastRequestID();
+
         } catch (Error $error) {
             if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
                 throw $error;
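Review bot: The NameID placed in the LogoutRequest is the locally stored address (`auth()->user()['email']`) rather than the NameID the IdP asserted at login, so if the IdP issued a persistent/transient identifier, or an address that differs from the local record, the IdP may not match its session and the ADFS logout this patch targets can still fail. Capture `$toolkit->getNameId()` and `$toolkit->getSessionIndex()` when the login response is processed, keep them in the session, and pass them as the nameId and sessionIndex arguments here, falling back to the email only when nothing was stored. Separately, `SAML2_SP_NAME_ID_Format` and `SAML2_SP_NAME_ID_SP_NAME_QUALIFIER` are read with `env()` inside the service; if this deployment uses Laravel's config cache those calls return null at runtime, so route them through `app/Config/saml2.php` and read them with `config()`. The enclosing logout method starts before and continues past this hunk.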
@@ -117,7 +123,9 @@ class Saml2Service extends ExternalAuthService
     public function processSlsResponse(?string $requestId): ?string
     {
         $toolkit = $this->getToolkit();
-        $redirect = $toolkit->processSLO(true, $requestId, false, null, true);
+        $retrieveParametersFromServer = env('SAML2_RETRIEVE_PARAMETERS_FROM_SERVER', false);
+
+        $redirect = $toolkit->processSLO(true, $requestId, $retrieveParametersFromServer, null, true);
 
         $errors = $toolkit->getErrors();
 
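Review bot: `SAML2_RETRIEVE_PARAMETERS_FROM_SERVER` is read with `env()` directly in the service instead of through the config file this same patch extends; with Laravel's config cache enabled `env()` yields null here and the toolkit silently falls back to the non-server-parameter path, reintroducing the ADFS signature problem the flag exists to work around. Declare it in `app/Config/saml2.php` and read `$retrieveParametersFromServer = config('saml2.retrieveParametersFromServer', false);` instead. A short why-comment would help the next reader, e.g. `// ADFS signs the raw (lowercase-encoded) query string, so validate against the server-provided parameters.` — hedged, since the ADFS behaviour is inferred from the patch title rather than visible here. processSlsResponse continues past the end of this hunk.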
diff --git a/app/Config/saml2.php b/app/Config/saml2.php
index fe311057c..709931fc6 100644
--- a/app/Config/saml2.php
+++ b/app/Config/saml2.php
@@ -80,8 +80,8 @@ return [
             'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
             // Usually x509cert and privateKey of the SP are provided by files placed at
             // the certs folder. But we can also provide them with the following parameters
-            'x509cert'   => '',
-            'privateKey' => '',
+            'x509cert'   => env('SAML2_SP_CERTIFICATE', ''),
+            'privateKey' => env('SAML2_SP_PRIVATEKEY', ''),
         ],
         // Identity Provider Data that we want connect with our SP
         'idp' => [
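Review bot: `SAML2_SP_PRIVATEKEY` moves the SP private key into the process environment, where anything that can read the environment (phpinfo(), debug/exception pages, inherited child processes) can see it, which is a wider exposure than the certs-folder file the comment above already describes. If the env route is kept, say so beside it: `// SAML2_SP_PRIVATEKEY exposes the key to every process inheriting the environment; prefer a key file in the certs folder outside the web root.` The comment should also state the accepted format, since `.env` values are single-line and it is not visible here whether the toolkit accepts a bare base64 body or requires full PEM with line breaks.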
@@ -147,6 +147,9 @@ return [
             // Multiple forced values can be passed via a space separated array, For example:
             // SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
             'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT,
+            'logoutRequestSigned' => env('', false),
+            'logoutResponseSigned' => env('', false),
+            'lowercaseUrlencoding' => env('', false)
         ],
     ],
 

From 234dd26d22478451c17e648cc820fac2db081dff Mon Sep 17 00:00:00 2001
From: Franke <franth@lra.local>
Date: Mon, 30 Aug 2021 14:43:35 +0200
Subject: [PATCH 2/3] Fixes for CodeStyle

---
 app/Auth/Access/Saml2Service.php | 2 --
 app/Config/saml2.php             | 6 +++---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
index e72aef979..339701d27 100644
--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -65,10 +65,8 @@ class Saml2Service extends ExternalAuthService
             $nameIdFormat = env('SAML2_SP_NAME_ID_Format', null);
             $nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null);
 
-
             $url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier);
             $id = $toolKit->getLastRequestID();
-
         } catch (Error $error) {
             if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
                 throw $error;
diff --git a/app/Config/saml2.php b/app/Config/saml2.php
index 709931fc6..ad6dfe1f9 100644
--- a/app/Config/saml2.php
+++ b/app/Config/saml2.php
@@ -147,9 +147,9 @@ return [
             // Multiple forced values can be passed via a space separated array, For example:
             // SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
             'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT,
-            'logoutRequestSigned' => env('', false),
-            'logoutResponseSigned' => env('', false),
-            'lowercaseUrlencoding' => env('', false)
+            'logoutRequestSigned'   => env('SAML2_LOGOUT_REQUEST_SIGNED', false),
+            'logoutResponseSigned'  => env('SAML2_LOGOUT_RESPONSE_SIGNED', false),
+            'lowercaseUrlencoding'  => env('SAML2_LOWERCASE_URLENCODING', false)
         ],
     ],
 
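Review bot: `logoutRequestSigned` and `logoutResponseSigned` default to `false`, and turning either on requires an SP private key that this file only obtains via `SAML2_SP_PRIVATEKEY` or the certs folder; with the switch on and no key present the failure surfaces at logout time rather than at configuration time, so the dependency should be documented or validated next to the switches: `// Signing requires the SP privateKey to be configured; ADFS is reported to require signed logout messages.` None of the three new env names appear in `.env.example.complete`, which the first patch in this series extends, so add them there as well. The effect of `lowercaseUrlencoding` on signature validation is not visible in this hunk; a one-line comment naming the IdP behaviour it compensates for would spare the next reader a trip to the toolkit source.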

From 07408ec11243995ef6bfded34d87f455336d9460 Mon Sep 17 00:00:00 2001
From: Franke <franth@lra.local>
Date: Mon, 30 Aug 2021 14:44:52 +0200
Subject: [PATCH 3/3] Fixes for CodeStyle vol.2

---
 app/Config/saml2.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Config/saml2.php b/app/Config/saml2.php
index ad6dfe1f9..3c4319100 100644
--- a/app/Config/saml2.php
+++ b/app/Config/saml2.php
@@ -149,7 +149,7 @@ return [
             'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT,
             'logoutRequestSigned'   => env('SAML2_LOGOUT_REQUEST_SIGNED', false),
             'logoutResponseSigned'  => env('SAML2_LOGOUT_RESPONSE_SIGNED', false),
-            'lowercaseUrlencoding'  => env('SAML2_LOWERCASE_URLENCODING', false)
+            'lowercaseUrlencoding'  => env('SAML2_LOWERCASE_URLENCODING', false),
         ],
     ],