From fb6ad867731f976771ed60597daf25498960f8aa Mon Sep 17 00:00:00 2001
From: Iain Beeston
Date: Tue, 17 Jan 2017 13:14:20 +0000
Subject: [PATCH] feat: include SessionIndex in logout requests
Some idp's use the sessionindex rather than the uid to find the correct session to sign out. I've made this work by saving it in the session alongside the uid, then putting it back into the logout request where ruby-saml can handle it, and include it in the logout request
---
 lib/omniauth/strategies/saml.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/omniauth/strategies/saml.rb b/lib/omniauth/strategies/saml.rb
index c0b5f71..40eeda6 100644
--- a/lib/omniauth/strategies/saml.rb
+++ b/lib/omniauth/strategies/saml.rb
@@ -159,7 +159,7 @@ def other_phase
 Hash[found_attributes]
 end
- extra { { :raw_info => @attributes, :response_object => @response_object } }
+ extra { { :raw_info => @attributes, :session_index => @session_index, :response_object => @response_object } }
 def find_attribute_by(keys)
 keys.each do |key|
@@ -182,6 +182,7 @@ def handle_response(raw_response, opts, settings)
 response.is_valid?
 @name_id = response.name_id
+ @session_index = response.sessionindex
 @attributes = response.attributes
 @response_object = response
@@ -190,6 +191,7 @@ def handle_response(raw_response, opts, settings)
 end
 session["saml_uid"] = @name_id
+ session["saml_session_index"] = @session_index
 yield
 end
@@ -220,6 +222,7 @@ def handle_logout_response(raw_response, settings)
 session.delete("saml_uid")
 session.delete("saml_transaction_id")
+ session.delete("saml_session_index")
 redirect(slo_relay_state)
 end
@@ -254,6 +257,10 @@ def generate_logout_request(settings)
 settings.name_identifier_value = session["saml_uid"]
 end
+ if settings.sessionindex.nil?
+ settings.sessionindex = session["saml_session_index"]
+ end
+
 logout_request.create(settings, RelayState: slo_relay_state)
 end
 end
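Review bot: The `extra` block now publishes the IdP's SessionIndex in the auth hash under `:session_index`, and nothing in the hunk documents that. Since the commit message says some IdPs locate the session by this value, it is effectively a session handle; a comment such as `# :session_index is the IdP SessionIndex used for single logout; avoid logging or exposing it` above the block would help applications that persist or log `extra`. The README's description of `extra`, if it has one, would need the same line.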
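Review bot: `@session_index = response.sessionindex` is read right after `response.is_valid?`, whose return value is discarded in the visible lines. If that call raises on an invalid response (the setup of `response` is above the hunk, so this is an assumption), the ordering is fine; if it can return false, an unvalidated SessionIndex would reach the session in the next hunk and later a LogoutRequest. A short comment stating which holds, e.g. `# is_valid? raises on failure; fields below come from a validated response`, would settle it. The value may also be nil when the assertion carries no SessionIndex, which the later `nil?` guard in generate_logout_request appears to tolerate.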
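Review bot: The new `settings.sessionindex` fallback in generate_logout_request ships without a spec; the diffstat lists only lib/omniauth/strategies/saml.rb. Two cases are worth pinning: the stored `session["saml_session_index"]` ends up in the generated LogoutRequest, and a value already set on `settings.sessionindex` is not overwritten. A why-comment above the `if`, e.g. `# Some IdPs find the session to end by SessionIndex rather than NameID`, would carry the commit message's rationale into the code. The method begins above the hunk.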