Add option :slo_enabled to opt-out (diable) from SLO endpoints completely #243
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…for-slo-disabled-scenario Add Not Implemented handling when SLO disabled
gerardo-navarro
changed the title
gerardo-navarro
changed the title
Contributor
Author
|
@fh1ch @bufferoverflow Hi 👋 Can you please have a look at this PR when you have the time. |
There was a problem hiding this comment.
Pull Request Overview
This PR adds the ability to disable Single Logout (SLO) functionality in the SAML OmniAuth strategy by introducing a new :slo_enabled configuration option that defaults to true.
- Adds
:slo_enabledoption with a default value oftrueto maintain backward compatibility - Returns HTTP 501 Not Implemented when SLO is disabled for both
/auth/saml/sloand/auth/saml/spsloendpoints - Includes comprehensive test coverage for the new disabled SLO behavior
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/omniauth/strategies/saml.rb | Adds slo_enabled option, helper methods to check if SLO is enabled, and logic to return 501 response when disabled |
| spec/omniauth/strategies/saml_spec.rb | Adds test coverage for both SLO endpoints when SLO is disabled, verifying 501 status and response body |
| README.md | Documents the new :slo_enabled configuration option and explains how disabling SLO affects endpoint behavior |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
fh1ch
approved these changes
Nov 7, 2025
Contributor
fh1ch
left a comment
fh1ch
left a comment
There was a problem hiding this comment.
@gerardo-navarro really nice work here, thanks a lot 🙇
All good from my end, over to @bufferoverflow for the final merge.
bufferoverflow
approved these changes
Nov 7, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request adds support for disabling Single Logout (SLO) in the SAML strategy by introducing a new configuration option. When SLO is disabled, the related endpoints will return an HTTP 501 Not Implemented response. The documentation and tests have been updated to reflect this new behavior.
Why this change is needed
What changed
slo_enabled.slo_enabled: true.How to validate locally
slo_enabled(or set false) and hit/users/auth/saml/spslo→ expect 501.slo_enabled: true, restart, hit same endpoint → previous SLO behavior (redirect/logout flow).?RelayState=//attacker.test) withslo_enabled: false→ no redirect (501).