From c59c12beee95a94e44ad96fdfefd4efdd8f1bb27 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 18 Dec 2007 13:09:32 +0000
Subject: [PATCH] SAML2:SingleLogoutService - Handle logout request without a
 valid session.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@126 44740490-163a-0410-bde0-09ae8108e29a
---
 www/saml2/idp/SingleLogoutService.php | 29 +++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php
index 07723ee2d..0f4715fdf 100644
--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -28,6 +28,35 @@ if (isset($_GET['SAMLRequest'])) {
 
 	$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
 	$logoutrequest = $binding->decodeLogoutRequest($_GET);
+
+
+	/* Check if we have a valid session. */
+	if($session === NULL) {
+		/* Invalid session. To prevent the user from being unable to
+		 * log out from the service provider, we should just return a
+		 * LogoutResponse pretending that the logout was successful to
+		 * the SP that sent the LogoutRequest.
+		 */
+
+		$spentityid = $logoutrequest->getIssuer();
+
+		/* Generate the response. */
+		$response = new SimpleSAML_XML_SAML20_LogoutResponse($config,
+			$metadata);
+		$responseText = $response->generate($idpentityid, $spentityid,
+			$logoutrequest->getRequestID(), 'IdP');
+
+		/* Retrieve the relay state from the request. */
+		$relayState = $logoutrequest->getRelayState();
+
+		/* Send the response using the HTTP-Redirect binding. */
+		$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config,
+			$metadata);
+		$binding->sendMessage($responseText, $spentityid, $relayState,
+			'SingleLogoutService', 'SAMLResponse', 'IdP');
+		exit;
+	}
+
 	
 	$session->setAuthenticated(false);
 
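Review bot: The new sessionless branch at `if($session === NULL)` answers any LogoutRequest with a success response addressed to whatever `getIssuer()` returns, and nothing in the hunk shows the request being authenticated or the issuer being checked against known SPs first. If `decodeLogoutRequest()` and `sendMessage()` do not already resolve the destination strictly from trusted metadata (not visible here), the endpoint will redirect on behalf of any caller and echo the caller-supplied RelayState. I would add a comment above `$spentityid = $logoutrequest->getIssuer();` such as `/* Issuer is unauthenticated here; the destination must come from SP metadata only. */` and log the sessionless request so operators can see it. The second `new SimpleSAML_Bindings_SAML20_HTTPRedirect(...)` repeats the `$binding` built just before the check and could be reused. The enclosing `if (isset($_GET['SAMLRequest']))` block starts before and continues after this hunk.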
-- 
GitLab