SAML2: Fixed non-spec point of logout, Improved redirect location

This changes the point-of-logout to be within the initial part of the SAML logout flow, as per 5.3.2 of the SAML spec, processing step 2. This also improves the logout redirect handling to use the global redirect suggestion so that auto-login handling is properly taken into account. Added tests to cover. Manual testing performed against keycloak. For #4713
2026-01-03 23:42:28 +03:00 · 2023-12-08 18:38:52 +00:00
parent 4c0b7f3123
commit 8cbaa3e27c
3 changed files with 71 additions and 19 deletions
--- a/tests/Auth/Saml2Test.php
+++ b/tests/Auth/Saml2Test.php
@@ -181,7 +181,7 @@ class Saml2Test extends TestCase
        ]);

        $handleLogoutResponse = function () {
-            $this->assertTrue($this->isAuthenticated());
+            $this->assertFalse($this->isAuthenticated());

            $req = $this->get('/saml2/sls');
            $req->assertRedirect('/');
@@ -214,6 +214,55 @@ class Saml2Test extends TestCase
        $this->assertFalse($this->isAuthenticated());
    }

+    public function test_logout_sls_flow_logs_user_out_before_redirect()
+    {
+        config()->set([
+            'saml2.onelogin.strict' => false,
+        ]);
+
+        $this->followingRedirects()->post('/saml2/acs', ['SAMLResponse' => $this->acsPostData]);
+        $this->assertTrue($this->isAuthenticated());
+
+        $req = $this->post('/saml2/logout');
+        $redirect = $req->headers->get('location');
+        $this->assertStringStartsWith('http://saml.local/saml2/idp/SingleLogoutService.php', $redirect);
+        $this->assertFalse($this->isAuthenticated());
+    }
+
+    public function test_logout_sls_request_redirect_prevents_auto_login_when_enabled()
+    {
+        config()->set([
+            'saml2.onelogin.strict' => false,
+            'auth.auto_initiate' => true,
+            'services.google.client_id' => false,
+            'services.github.client_id' => false,
+        ]);
+
+        $this->followingRedirects()->post('/saml2/acs', ['SAMLResponse' => $this->acsPostData]);
+
+        $req = $this->post('/saml2/logout');
+        $redirect = $req->headers->get('location');
+        $this->assertStringContainsString(urlencode(url('/login?prevent_auto_init=true')), $redirect);
+    }
+
+    public function test_logout_sls_response_endpoint_redirect_prevents_auto_login_when_enabled()
+    {
+        config()->set([
+            'saml2.onelogin.strict' => false,
+            'auth.auto_initiate' => true,
+            'services.google.client_id' => false,
+            'services.github.client_id' => false,
+        ]);
+
+        $this->followingRedirects()->post('/saml2/acs', ['SAMLResponse' => $this->acsPostData]);
+
+        $this->withGet(['SAMLResponse' => $this->sloResponseData], function () {
+            $req = $this->get('/saml2/sls');
+            $redirect = $req->headers->get('location');
+            $this->assertEquals(url('/login?prevent_auto_init=true'), $redirect);
+        });
+    }
+
    public function test_dump_user_details_option_works()
    {
        config()->set([