bugfix: SLO was broken due to incorrect handling of NameID objects.

The sspmod_saml_SP_Logout_Store::logoutSessions() method was still expecting the NameID to be an array.

modules/saml/lib/SP/LogoutStore.php

@@ -210,11 +210,11 @@ class sspmod_saml_SP_LogoutStore {
 	 * Log out of the given sessions.
 	 *
 	 * @param string $authId  The authsource ID.
-	 * @param array $nameId  The NameID of the user.
+	 * @param \SAML2\XML\saml\NameID $nameId The NameID of the user.
 	 * @param array $sessionIndexes  The SessionIndexes we should log out of. Logs out of all if this is empty.
 	 * @returns int|FALSE  Number of sessions logged out, or FALSE if not supported.
 	 */
-	public static function logoutSessions($authId, array $nameId, array $sessionIndexes) {
+	public static function logoutSessions($authId, $nameId, array $sessionIndexes) {
 		assert('is_string($authId)');
 
 		$store = \SimpleSAML\Store::getInstance();
@@ -223,8 +223,11 @@ class sspmod_saml_SP_LogoutStore {
 			return FALSE;
 		}
 
-		/* Normalize NameID. */
-		ksort($nameId);
+		// serialize and anonymize the NameID
+		// TODO: remove this conditional statement
+		if (is_array($nameId)) {
+			$nameId = \SAML2\XML\saml\NameID::fromArray($nameId);
+		}
 		$strNameId = serialize($nameId);
 		$strNameId = sha1($strNameId);