Added SAML singleLogoutService capabilities

app/Auth/Access/Saml2Service.php

@@ -4,10 +4,12 @@ use BookStack\Auth\User;
 use BookStack\Auth\UserRepo;
 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\SamlException;
+use Exception;
 use Illuminate\Support\Str;
 use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Error;
 use OneLogin\Saml2\IdPMetadataParser;
+use OneLogin\Saml2\ValidationError;
 
 /**
  * Class Saml2Service
@@ -33,7 +35,7 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Initiate a login flow.
-     * @throws \OneLogin\Saml2\Error
+     * @throws Error
      */
     public function login(): array
     {
@@ -45,25 +47,50 @@ class Saml2Service extends ExternalAuthService
         ];
     }
 
+    /**
+     * Initiate a logout flow.
+     * @throws Error
+     */
+    public function logout(): array
+    {
+        $toolKit = $this->getToolkit();
+        $returnRoute = url('/');
+
+        try {
+            $url = $toolKit->logout($returnRoute, [], null, null, true);
+            $id = $toolKit->getLastRequestID();
+        } catch (Error $error) {
+            if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
+                throw $error;
+            }
+
+            $this->actionLogout();
+            $url = '/';
+            $id = null;
+        }
+
+        return ['url' => $url, 'id' => $id];
+    }
+
     /**
      * Process the ACS response from the idp and return the
      * matching, or new if registration active, user matched to the idp.
      * Returns null if not authenticated.
      * @throws Error
      * @throws SamlException
-     * @throws \OneLogin\Saml2\ValidationError
+     * @throws ValidationError
      * @throws JsonDebugException
      */
     public function processAcsResponse(?string $requestId): ?User
     {
-        $toolkit = $this->getToolkit();
-        $toolkit->processResponse($requestId);
-        $errors = $toolkit->getErrors();
-
         if (is_null($requestId)) {
             throw new SamlException(trans('errors.saml_invalid_response_id'));
         }
 
+        $toolkit = $this->getToolkit();
+        $toolkit->processResponse($requestId);
+        $errors = $toolkit->getErrors();
+
         if (!empty($errors)) {
             throw new Error(
                 'Invalid ACS Response: '.implode(', ', $errors)
@@ -80,6 +107,36 @@ class Saml2Service extends ExternalAuthService
         return $this->processLoginCallback($id, $attrs);
     }
 
+    /**
+     * Process a response for the single logout service.
+     * @throws Error
+     */
+    public function processSlsResponse(?string $requestId): ?string
+    {
+        $toolkit = $this->getToolkit();
+        $redirect = $toolkit->processSLO(true, $requestId, false, null, true);
+
+        $errors = $toolkit->getErrors();
+
+        if (!empty($errors)) {
+            throw new Error(
+                'Invalid SLS Response: '.implode(', ', $errors)
+            );
+        }
+
+        $this->actionLogout();
+        return $redirect;
+    }
+
+    /**
+     * Do the required actions to log a user out.
+     */
+    protected function actionLogout()
+    {
+        auth()->logout();
+        session()->invalidate();
+    }
+
     /**
      * Get the metadata for this service provider.
      * @throws Error
@@ -103,8 +160,8 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Load the underlying Onelogin SAML2 toolkit.
-     * @throws \OneLogin\Saml2\Error
-     * @throws \Exception
+     * @throws Error
+     * @throws Exception
      */
     protected function getToolkit(): Auth
     {

app/Http/Controllers/Auth/LoginController.php

@@ -146,4 +146,23 @@ class LoginController extends Controller
         session()->put('social-callback', 'login');
         return $this->socialAuthService->startLogIn($socialDriver);
     }
+
+    /**
+     * Log the user out of the application.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Illuminate\Http\Response
+     */
+    public function logout(Request $request)
+    {
+        if (config('saml2.enabled') && session()->get('last_login_type') === 'saml2') {
+            return redirect('/saml2/logout');
+        }
+
+        $this->guard()->logout();
+
+        $request->session()->invalidate();
+
+        return $this->loggedOut($request) ?: redirect('/');
+    }
 }

app/Http/Controllers/Auth/Saml2Controller.php

@@ -31,6 +31,20 @@ class Saml2Controller extends Controller
         return redirect($loginDetails['url']);
     }
 
+    /**
+     * Start the logout flow via SAML2.
+     */
+    public function logout()
+    {
+        $logoutDetails = $this->samlService->logout();
+
+        if ($logoutDetails['id']) {
+            session()->flash('saml2_logout_request_id', $logoutDetails['id']);
+        }
+
+        return redirect($logoutDetails['url']);
+    }
+
     /*
      * Get the metadata for this SAML2 service provider.
      */
@@ -48,7 +62,9 @@ class Saml2Controller extends Controller
      */
     public function sls()
     {
-        // TODO
+        $requestId = session()->pull('saml2_logout_request_id', null);
+        $redirect = $this->samlService->processSlsResponse($requestId) ?? '/';
+        return redirect($redirect);
     }
 
     /**
@@ -65,6 +81,7 @@ class Saml2Controller extends Controller
             return redirect('/login');
         }
 
+        session()->put('last_login_type', 'saml2');
         return redirect()->intended();
     }
 

routes/web.php

@@ -219,8 +219,7 @@ Route::post('/register', 'Auth\RegisterController@postRegister');
 // SAML routes
 // TODO - Prevent access without SAML2 enabled via middleware
 Route::get('/saml2/login', 'Auth\Saml2Controller@login');
-// TODO - Handle logout?
-//    Route::get('/saml2/logout', 'Auth\Saml2Controller@logout');
+Route::get('/saml2/logout', 'Auth\Saml2Controller@logout');
 Route::get('/saml2/metadata', 'Auth\Saml2Controller@metadata');
 Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
 Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');