Restore logout-behaviour for IdP's that do not send a saml:NameID in their LogoutRequest

05f28414 · Tim van Dijen · 2932e1e3 · 05f28414
Commit 05f28414 authored 1 year ago by Tim van Dijen
--- a/modules/saml/src/Auth/Source/SP.php
+++ b/modules/saml/src/Auth/Source/SP.php
@@ -1045,7 +1045,12 @@ class SP extends Auth\Source
        Assert::keyExists($state, 'saml:logout:Type');

        $logoutType = $state['saml:logout:Type'];
-        Assert::oneOf($logoutType, ['saml2']);
+        Assert::oneOf($logoutType, ['saml1', 'saml2']);
+
+        // State variable saml:logout:Type is set to saml1 by us if we cannot properly logout the user
+        if ($logoutType === 'saml1') {
+            return null;
+        }

        return $this->startSLO2($this->config, $state);
    }