nextcloud#161 fix IDP-initiated Logout

Signed-off-by: Dylann Cordel <[email protected]>

lib/Controller/SAMLController.php

@@ -316,23 +316,37 @@ public function assertionConsumerService() {
 	 * @throws Error
 	 */
 	public function singleLogoutService() {
-
-		$pass = $this->request->passesCSRFCheck();
-		$isGlobalScaleEnabled = $this->config->getSystemValue('gs.enabled', false);
-		$gssMode = $this->config->getSystemValue('gss.mode', '');
-		if (!$pass && $isGlobalScaleEnabled && $gssMode === 'master') {
+		$targetUrl = null;
+		$isFromGS = ($this->config->getSystemValue('gs.enabled', false) &&
+				     $this->config->getSystemValue('gss.mode', '') === 'master');
+		$isFromIDP = !$isFromGS && !empty($_GET['SAMLRequest']);
+
+		if($isFromGS) {
+			// Request is from master GlobalScale
+			// Request validity is check via a JSON Web Token
 			$jwt = $this->request->getParam('jwt', '');
 			$pass = $this->isValidJwt($jwt);
-		}
-
-		if($pass) {
+		} else {
 			$idp = $this->session->get('user_saml.Idp');
 			$auth = new Auth($this->SAMLSettings->getOneLoginSettingsArray($idp));
-			$returnTo = null;
+			if($isFromIDP){
+				// requests comes from the IDP so let it manage the logout
+				// (or raise Error if request is invalid)
+				$this->userSession->logout();
+				// processSLO will do the redirection himself
+				return $auth->processSLO();
+			} else {
+				// standard request : need read CRSF check
+				$pass = $this->request->passesCSRFCheck();
+			}
+		}
+
+		if($pass){
+			$this->userSession->logout();
+			// If request is not from IDP, we must send him the logout request
 			$parameters = array();
 			$nameId = $this->session->get('user_saml.samlNameId');
 			$sessionIndex = $this->session->get('user_saml.samlSessionIndex');
-			$this->userSession->logout();
 			$targetUrl = $auth->logout($returnTo, $parameters, $nameId, $sessionIndex, true);
 		} else {
 			$targetUrl = $this->urlGenerator->getAbsoluteURL('/');