Bugfix: Set destination on signed LogoutResponse for POST and Redirect bindings

tvdijen · tvdijen · commit ee4f938aaff1 · 2023-07-19T13:24:40.000+02:00
diff --git a/modules/saml/src/Controller/ServiceProvider.php b/modules/saml/src/Controller/ServiceProvider.php
@@ -566,6 +566,9 @@ public function singleLogoutService(Request $request, string $sourceId): Respons
             $lr->setRelayState($message->getRelayState());
             $lr->setInResponseTo($message->getId());
 
+            // If we set a key, we're sending a signed message
+            $signedMessage = $lr->getSignatureKey() ? true : false;
+
             if ($numLoggedOut < count($sessionIndexes)) {
                 Logger::warning('Logged out of ' . $numLoggedOut . ' of ' . count($sessionIndexes) . ' sessions.');
             }
@@ -578,17 +581,14 @@ public function singleLogoutService(Request $request, string $sourceId): Respons
                 ]
             );
 
+            $dst = $dst['Location'];
             if (!($binding instanceof SOAP)) {
                 $binding = Binding::getBinding($dst['Binding']);
                 if (isset($dst['ResponseLocation'])) {
                     $dst = $dst['ResponseLocation'];
-                } else {
-                    $dst = $dst['Location'];
                 }
-                $binding->setDestination($dst);
-            } else {
-                $lr->setDestination($dst['Location']);
             }
+            $lr->setDestination($dst);
 
             $psrResponse = $binding->send($lr);
             $httpFoundationFactory = new HttpFoundationFactory();
