Restore logout-behaviour for IdP's that do not send a saml:NameID in their LogoutRequest

tvdijen · tvdijen · commit 05f28414431e · 2023-11-13T18:49:36.000+01:00
diff --git a/modules/saml/src/Auth/Source/SP.php b/modules/saml/src/Auth/Source/SP.php
@@ -1045,7 +1045,12 @@ public function logout(array &$state): ?Response
         Assert::keyExists($state, 'saml:logout:Type');
 
         $logoutType = $state['saml:logout:Type'];
-        Assert::oneOf($logoutType, ['saml2']);
+        Assert::oneOf($logoutType, ['saml1', 'saml2']);
+
+        // State variable saml:logout:Type is set to saml1 by us if we cannot properly logout the user
+        if ($logoutType === 'saml1') {
+            return null;
+        }
 
         return $this->startSLO2($this->config, $state);
     }
