From 75749ef336848269d770f7f3b2bf7c9fb9d42479 Mon Sep 17 00:00:00 2001 From: Franke Date: Mon, 30 Aug 2021 14:35:11 +0200 Subject: [PATCH 1/3] Fixed SAML logout for ADFS. --- .env.example.complete | 5 +++++ app/Auth/Access/Saml2Service.php | 12 ++++++++++-- app/Config/saml2.php | 7 +++++-- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.env.example.complete b/.env.example.complete index 26df8f3cb..58e4e4754 100644 --- a/.env.example.complete +++ b/.env.example.complete @@ -224,6 +224,11 @@ SAML2_ONELOGIN_OVERRIDES=null SAML2_DUMP_USER_DETAILS=false SAML2_AUTOLOAD_METADATA=false SAML2_IDP_AUTHNCONTEXT=true +SAML2_SP_CERTIFICATE=null +SAML2_SP_PRIVATEKEY=null +SAML2_SP_NAME_ID_Format=null +SAML2_SP_NAME_ID_SP_NAME_QUALIFIER=null +SAML2_RETRIEVE_PARAMETERS_FROM_SERVER=false # SAML group sync configuration # Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/ diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php index 6cbfdac0b..e72aef979 100644 --- a/app/Auth/Access/Saml2Service.php +++ b/app/Auth/Access/Saml2Service.php @@ -61,8 +61,14 @@ class Saml2Service extends ExternalAuthService $returnRoute = url('/'); try { - $url = $toolKit->logout($returnRoute, [], null, null, true); + $email = auth()->user()['email']; + $nameIdFormat = env('SAML2_SP_NAME_ID_Format', null); + $nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null); + + + $url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier); $id = $toolKit->getLastRequestID(); + } catch (Error $error) { if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) { throw $error; 
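Review bot: `env('SAML2_SP_NAME_ID_Format', null)` and `env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null)` inside the `try` block read the environment directly from the service, whereas every other SAML setting in this series is read in app/Config/saml2.php; once the Laravel configuration is cached (`config:cache`) the `.env` file is no longer loaded and these calls return the null default, so the NameID format and qualifier silently drop out of the LogoutRequest in production. Define both (and `SAML2_RETRIEVE_PARAMETERS_FROM_SERVER`, read the same way in the later `processSlsResponse` hunk) in the config file next to the other `env()` reads and fetch them here with `config()`. The variable name `SAML2_SP_NAME_ID_Format` also breaks the all-uppercase convention of its siblings in `.env.example.complete`; `SAML2_SP_NAME_ID_FORMAT` would match. Passing `auth()->user()['email']` as the NameID presumably assumes the IdP issued the local email address as the subject at login; if a deployment maps a different attribute, the IdP will not match the LogoutRequest to its session, so that assumption deserves a comment on that line. The enclosing method begins and ends outside the hunk.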
@@ -117,7 +123,9 @@ class Saml2Service extends ExternalAuthService public function processSlsResponse(?string $requestId): ?string { $toolkit = $this->getToolkit(); - $redirect = $toolkit->processSLO(true, $requestId, false, null, true); + $retrieveParametersFromServer = env('SAML2_RETRIEVE_PARAMETERS_FROM_SERVER', false); + + $redirect = $toolkit->processSLO(true, $requestId, $retrieveParametersFromServer, null, true); $errors = $toolkit->getErrors(); diff --git a/app/Config/saml2.php b/app/Config/saml2.php index fe311057c..709931fc6 100644 --- a/app/Config/saml2.php +++ b/app/Config/saml2.php @@ -80,8 +80,8 @@ return [ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', // Usually x509cert and privateKey of the SP are provided by files placed at // the certs folder. But we can also provide them with the following parameters - 'x509cert' => '', - 'privateKey' => '', + 'x509cert' => env('SAML2_SP_CERTIFICATE', ''), + 'privateKey' => env('SAML2_SP_PRIVATEKEY', ''), ], // Identity Provider Data that we want connect with our SP 'idp' => [ @@ -147,6 +147,9 @@ return [ // Multiple forced values can be passed via a space separated array, For example: // SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" 'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT, + 'logoutRequestSigned' => env('', false), + 'logoutResponseSigned' => env('', false), + 'lowercaseUrlencoding' => env('', false) ], ], From 234dd26d22478451c17e648cc820fac2db081dff Mon Sep 17 00:00:00 2001 From: Franke Date: Mon, 30 Aug 2021 14:43:35 +0200 Subject: [PATCH 2/3] Fixes for CodeStyle --- app/Auth/Access/Saml2Service.php | 2 -- app/Config/saml2.php | 6 +++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php index e72aef979..339701d27 100644 
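Review bot: `env('SAML2_SP_CERTIFICATE', '')` and `env('SAML2_SP_PRIVATEKEY', '')` no longer guarantee a string: the companion `.env.example.complete` entries set both to the literal `null`, which Laravel's `env()` converts to PHP null, so a deployment that copies the example verbatim hands `x509cert`/`privateKey` null where the previous hard-coded value was `''` — confirm the toolkit's settings validation accepts that, or change the example entries to empty values. Keeping the SP private key in the environment also exposes it to anything that can read the process environment or a diagnostics dump, whereas the comment above these keys already names the certs folder as the usual source; the comment should state the override is a fallback, e.g. `// Prefer the certs folder; set SAML2_SP_PRIVATEKEY only where key files cannot be deployed.`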
--- a/app/Auth/Access/Saml2Service.php +++ b/app/Auth/Access/Saml2Service.php @@ -65,10 +65,8 @@ class Saml2Service extends ExternalAuthService $nameIdFormat = env('SAML2_SP_NAME_ID_Format', null); $nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null); - $url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier); $id = $toolKit->getLastRequestID(); - } catch (Error $error) { if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) { throw $error; diff --git a/app/Config/saml2.php b/app/Config/saml2.php index 709931fc6..ad6dfe1f9 100644 --- a/app/Config/saml2.php +++ b/app/Config/saml2.php @@ -147,9 +147,9 @@ return [ // Multiple forced values can be passed via a space separated array, For example: // SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" 'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT, - 'logoutRequestSigned' => env('', false), - 'logoutResponseSigned' => env('', false), - 'lowercaseUrlencoding' => env('', false) + 'logoutRequestSigned' => env('SAML2_LOGOUT_REQUEST_SIGNED', false), + 'logoutResponseSigned' => env('SAML2_LOGOUT_RESPONSE_SIGNED', false), + 'lowercaseUrlencoding' => env('SAML2_LOWERCASE_URLENCODING', false) ], ], From 07408ec11243995ef6bfded34d87f455336d9460 Mon Sep 17 00:00:00 2001 From: Franke Date: Mon, 30 Aug 2021 14:44:52 +0200 Subject: [PATCH 3/3] Fixes for CodeStyle vol.2 --- app/Config/saml2.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Config/saml2.php b/app/Config/saml2.php index ad6dfe1f9..3c4319100 100644 --- a/app/Config/saml2.php +++ b/app/Config/saml2.php 
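Review bot: The three variables introduced here, `SAML2_LOGOUT_REQUEST_SIGNED`, `SAML2_LOGOUT_RESPONSE_SIGNED` and `SAML2_LOWERCASE_URLENCODING`, are not listed in `.env.example.complete`, although patch 1 of this series added its five new variables there, so these options are undocumented outside this config file. Add them after `SAML2_RETRIEVE_PARAMETERS_FROM_SERVER=false` with `false` defaults matching the config. A why-comment on the new lines would also help, since the series subject says they exist for ADFS, e.g. `// Signing of SP-initiated logout messages and lower-case URL encoding; required by some IdPs such as ADFS.` The array these entries are appended to (presumably the `security` block) opens outside the hunk.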
@@ -149,7 +149,7 @@ return [ 'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT, 'logoutRequestSigned' => env('SAML2_LOGOUT_REQUEST_SIGNED', false), 'logoutResponseSigned' => env('SAML2_LOGOUT_RESPONSE_SIGNED', false), - 'lowercaseUrlencoding' => env('SAML2_LOWERCASE_URLENCODING', false) + 'lowercaseUrlencoding' => env('SAML2_LOWERCASE_URLENCODING', false), ], ],