Skip to content

Commit edddaf9

Browse files
feat(saml2): support manual IdP Single Logout via "slo" config key (#1452)
1 parent 2f8120a commit edddaf9

2 files changed

Lines changed: 27 additions & 1 deletion

File tree

src/Saml2/Provider.php

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -149,6 +149,7 @@ public static function additionalConfigKeys(): array
149149
'metadata',
150150
'ttl',
151151
'acs',
152+
'slo',
152153
'entityid',
153154
'certificate',
154155
'sp_acs',
@@ -270,6 +271,7 @@ protected function sendMessage(SamlMessage $message, string $bindingType): HttpF
270271
protected function getIdentityProviderEntityDescriptorManually(): EntityDescriptor
271272
{
272273
$acs = $this->getConfig('acs');
274+
$slo = $this->getConfig('slo');
273275
$entityId = $this->getConfig('entityid');
274276
$certificate = $this->getConfig('certificate');
275277

@@ -281,7 +283,20 @@ protected function getIdentityProviderEntityDescriptorManually(): EntityDescript
281283

282284
$builder = new SimpleEntityDescriptorBuilder($entityId, $acs, $acs, $x509);
283285

284-
return $builder->get();
286+
$entityDescriptor = $builder->get();
287+
288+
// SimpleEntityDescriptorBuilder only emits a SingleSignOnService, so when an IdP Single Logout location is
289+
// configured manually (via "slo"), advertise it here. Without this, logoutResponse() cannot resolve the IdP
290+
// logout endpoint unless the IdP is configured through metadata instead.
291+
if ($slo) {
292+
$idpSsoDescriptor = $entityDescriptor->getFirstIdpSsoDescriptor();
293+
294+
foreach ([SamlConstants::BINDING_SAML2_HTTP_REDIRECT, SamlConstants::BINDING_SAML2_HTTP_POST] as $binding) {
295+
$idpSsoDescriptor->addSingleLogoutService(new SingleLogoutService($slo, $binding));
296+
}
297+
}
298+
299+
return $entityDescriptor;
285300
}
286301

287302
protected function getIdpEntityDescriptorFromXml(string $xml): EntityDescriptor

src/Saml2/README.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -182,6 +182,17 @@ To publish the SingleLogoutService in your service provider metadata, you also h
182182
],
183183
```
184184

185+
When the Identity Provider is configured through `metadata`, its SingleLogoutService location is read from that metadata automatically. When configuring the Identity Provider manually (using `acs`), there is no metadata to read it from, so provide the IdP's Single Logout URL with the `slo` key:
186+
```php
187+
'saml2' => [
188+
'acs' => 'https://idp.co/auth/sso', // the IDP's Single Sign-On URL
189+
'slo' => 'https://idp.co/auth/slo', // the IDP's Single Logout URL
190+
'entityid' => 'http://saml.to/trust',
191+
'certificate' => 'MIIC4jCCAcqgAwIBAgIQbDO5YO....',
192+
],
193+
```
194+
Without `slo`, `logoutResponse()` cannot resolve the IdP logout endpoint for a manually configured Identity Provider.
195+
185196
### Signing and encryption
186197

187198
SAML2 supports the signing and encryption of messages and assertions. Many Identity Providers make one or both mandatory. To enable this feature, you can generate a certificate for your application and provide it in `config/services.php` as:

0 commit comments

Comments
 (0)