From c7a8eb48ee4e6d2119193d76981cbd3af400c97a Mon Sep 17 00:00:00 2001
From: Florian Best
Date: Thu, 11 Jun 2020 11:22:58 +0200
Subject: [PATCH] Fix SAML logout: needs to specify InResponseTo must contain the InResponseTo= attribute which contains the value from the
---
 app/meteor-accounts-saml/server/saml_server.js | 1 +
 app/meteor-accounts-saml/server/saml_utils.js | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/app/meteor-accounts-saml/server/saml_server.js b/app/meteor-accounts-saml/server/saml_server.js
index eb89fd9fb68a..b91706c8ec62 100644
--- a/app/meteor-accounts-saml/server/saml_server.js
+++ b/app/meteor-accounts-saml/server/saml_server.js
@@ -592,6 +592,7 @@ const middleware = function(req, res, next) {
 const { response } = _saml.generateLogoutResponse({
 nameID: result.nameID,
 sessionIndex: result.idpSession,
+ ID: result.ID,
 });
 _saml.logoutResponseToUrl(response, function(err, url) {
diff --git a/app/meteor-accounts-saml/server/saml_utils.js b/app/meteor-accounts-saml/server/saml_utils.js
index 1d9e9af06983..2b09b3f1d102 100644
--- a/app/meteor-accounts-saml/server/saml_utils.js
+++ b/app/meteor-accounts-saml/server/saml_utils.js
@@ -111,16 +111,16 @@ SAML.prototype.generateAuthorizeRequest = function(req) {
 return request;
 };
-SAML.prototype.generateLogoutResponse = function() {
+SAML.prototype.generateLogoutResponse = function(options) {
 const id = `_${ this.generateUniqueID() }`;
 const instant = this.generateInstant();
- const response = `${ '' + `${ this.options.issuer }` + ''
@@ -389,6 +389,7 @@ SAML.prototype.validateLogoutRequest = function(samlRequest, callback) {
 try {
 const sessionNode = request.getElementsByTagNameNS('*', 'SessionIndex')[0];
 const nameIdNode = request.getElementsByTagNameNS('*', 'NameID')[0];
+ const ID = request.getAttribute('ID');
 if (!nameIdNode) {
 throw new Error('SAML Logout Request: No NameID node found');
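Review bot: `ID: result.ID` in the middleware hunk of saml_server.js forwards a value read straight from the incoming LogoutRequest (`request.getAttribute('ID')` in validateLogoutRequest) with no check, and per the commit subject it ends up in the `InResponseTo` attribute that generateLogoutResponse assembles by string concatenation. The interpolation line is not legible in this copy of the patch, so this part is inferred: if the value is inserted unescaped, a missing attribute or one containing a quote or angle bracket would yield a malformed or altered LogoutResponse. SAML IDs are xs:ID values, so validateLogoutRequest can reject anything else right beside the existing NameID check, e.g. `if (!ID || !/^[A-Za-z_][\w.-]*$/.test(ID)) { throw new Error('SAML Logout Request: No valid ID attribute found'); }`. The same value is handed on unchanged by the `callback(null, { idpSession, nameID, ID })` hunk; the middleware and validateLogoutRequest bodies continue outside these hunks.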
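Review bot: `SAML.prototype.generateLogoutResponse = function(options)` in saml_utils.js gains a parameter without a default or a doc comment, so a call that passes no argument would presumably throw a TypeError when `options.ID` is read. Only the saml_server.js caller is visible here, and the template lines of this hunk are not legible in this copy, so that is inferred rather than confirmed. Declaring it as `function(options = {})` and failing with an explicit message when `options.ID` is absent would make the contract visible, e.g. `if (!options.ID) { throw new Error('SAML Logout Response: request ID is required'); }`. A short JSDoc should state that `options.ID` is the ID of the LogoutRequest being answered and is echoed as `InResponseTo`, and that it must already be validated or be XML-escaped at this point.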
@@ -397,7 +398,7 @@ SAML.prototype.validateLogoutRequest = function(samlRequest, callback) {
 const idpSession = sessionNode.childNodes[0].nodeValue;
 const nameID = nameIdNode.childNodes[0].nodeValue;
- return callback(null, { idpSession, nameID });
+ return callback(null, { idpSession, nameID, ID });
 } catch (e) {
 console.error(e);
 debugLog(`Caught error: ${ e }`);