Merge pull request #125 from hundio/slo-session-destruction

feat: Support for configurable IdP SLO session destruction
omniauth · Feb 11, 2017 · cb8aa6d · cb8aa6d
2 parents ae2fd67 + 586bf89
commit cb8aa6d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -89,6 +89,10 @@ The service provider metadata used to ease configuration of the SAML SP in the I
 * `:idp_slo_target_url` - The URL to which the single logout request and response should
   be sent. This would be on the identity provider. Optional.
 
+* `:idp_slo_session_destroy` - A proc that accepts up to two parameters (the rack environment, and the session),
+  and performs whatever tasks are necessary to log out the current user from your application.
+  See the example listed under "Single Logout." Defaults to calling `#clear` on the session. Optional.
+
 * `:slo_default_relay_state` - The value to use as default `RelayState` for single log outs. The
   value can be a string, or a `Proc` (or other object responding to `call`). The `request`
   instance will be passed to this callable if it has an arity of 1. If the value is a string,
@@ -196,6 +200,18 @@ class SessionsController < Devise::SessionsController
 end
 ```
 
+By default, omniauth-saml attempts to log the current user out of your application by clearing the session.
+This may not be enough for some authentication solutions (e.g. [Clearance](https://github.com/thoughtbot/clearance/)).
+Instead, you may set the `:idp_slo_session_destroy` option to a proc that performs the necessary logout tasks.
+
+Example `:idp_slo_session_destroy` setting for Clearance compatibility:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :saml, idp_slo_session_destroy: proc { |env, _session| env[:clearance].sign_out }, ...
+end
+```
+
 ## Authors
 
 Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).
diff --git a/lib/omniauth/strategies/saml.rb b/lib/omniauth/strategies/saml.rb
@@ -29,6 +29,7 @@ def self.inherited(subclass)
       }
       option :slo_default_relay_state
       option :uid_attribute
+      option :idp_slo_session_destroy, proc { |_env, session| session.clear }
 
       def request_phase
         options[:assertion_consumer_service_url] ||= callback_url
@@ -230,7 +231,7 @@ def handle_logout_request(raw_request, settings)
           logout_request.name_id == session["saml_uid"]
 
           # Actually log out this session
-          session.clear
+          options[:idp_slo_session_destroy].call @env, session
 
           # Generate a response to the IdP.
           logout_request_id = logout_request.id