
public function WindowsAadSSOController::signout in OpenID Connect Microsoft Azure Active Directory client 8

Same name and namespace in other branches
  1. 2.0.x src/Controller/WindowsAadSSOController.php \Drupal\openid_connect_windows_aad\Controller\WindowsAadSSOController::signout()

Single Sign Out callback to log the current user out.

Called by Windows Azure AD when a user logs out of their SSO session from another application such as Office 365.

Return value

\Symfony\Component\HttpFoundation\Response Either a 200 or 403 response without any content.

1 string reference to 'WindowsAadSSOController::signout'
openid_connect_windows_aad.routing.yml in ./openid_connect_windows_aad.routing.yml

File

src/Controller/WindowsAadSSOController.php, line 62

Class

WindowsAadSSOController
Controller routines for Azure AD single sign out user routes.

Namespace

Drupal\openid_connect_windows_aad\Controller

Code

public function signout() {
  $configuration = $this->config('openid_connect.settings.windows_aad');
  $settings = $configuration->get('settings');
  $enabled = $configuration->get('enabled');

  // Check that the windows_aad client is enabled and so is SSOut.
  if ($enabled && isset($settings['enable_single_sign_out']) && $settings['enable_single_sign_out']) {

    // Ensure the user has a connected account.
    $user = \Drupal::currentUser();
    $connected_accounts = $this->authmap->getConnectedAccounts($user);
    $connected = $connected_accounts && isset($connected_accounts['windows_aad']);
    $logged_in = $user->isAuthenticated();

    // Only log the user out if they are logged in and have a connected
    // account. Return a 200 OK in any case since all is good.
    if ($logged_in && $connected) {
      user_logout();
    }
    return new Response('', Response::HTTP_OK);
  }

  // Likely a misconfiguration since SSOut attempts should not be made to the
  // logout uri unless it has been configured in Azure AD; if you had
  // configured it in Azure AD then you should have also enabled SSOut in the
  // OpenID Connect settings. Also, a possible malicious CSRF attempt. Log a
  // warning either way.
  $this->logger->warning('Windows AAD Single Sign Out attempt, but SSOut has not been enabled in the OpenID Connect Windows AAD configuration.');
  return new Response('', Response::HTTP_FORBIDDEN);
}
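The 403 branch logs one fixed warning string. As an added example that is not part of the module, the Python helper below parses lines in the Drupal syslog module's default pipe-delimited format (assumed here) for that exact message and flags source addresses that repeat it within a short window, which separates a one-off Azure AD misconfiguration from the repeated probing the code comment warns about. The sample lines are constructed; the logger channel name and the route path in them are assumptions.

```python
"""Flag bursts of the 'SSOut not enabled' warning logged by
WindowsAadSSOController::signout() before it returns 403.

Assumed line format (Drupal syslog module default):
base_url|timestamp|type|ip|request_uri|referer|uid|link|message
"""
from collections import defaultdict

# Exact message emitted by the controller's 403 branch.
WARNING = ("Windows AAD Single Sign Out attempt, but SSOut has not been "
           "enabled in the OpenID Connect Windows AAD configuration.")

# Constructed sample log; channel name and route path are placeholders.
SAMPLE_LOG = "\n".join([
    f"https://example.test|1700000000|openid_connect_windows_aad|203.0.113.5|/SIGNOUT-ROUTE-PLACEHOLDER||0||{WARNING}",
    f"https://example.test|1700000020|openid_connect_windows_aad|203.0.113.5|/SIGNOUT-ROUTE-PLACEHOLDER||0||{WARNING}",
    "https://example.test|1700000100|php|198.51.100.7|/user/login||0||Unrelated notice",
    f"https://example.test|1700000045|openid_connect_windows_aad|203.0.113.5|/SIGNOUT-ROUTE-PLACEHOLDER||0||{WARNING}",
    f"https://example.test|1700000300|openid_connect_windows_aad|198.51.100.7|/SIGNOUT-ROUTE-PLACEHOLDER||0||{WARNING}",
])


def parse_syslog_line(line):
    """Split one pipe-delimited line into a dict; None if malformed."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    _base, ts, channel, ip, uri, referer, uid, _link, message = parts
    return {"ts": int(ts), "channel": channel, "ip": ip, "uri": uri,
            "referer": referer, "uid": int(uid), "message": message}


def ssout_misconfig_events(lines):
    """Keep only records carrying the controller's 403-branch warning."""
    events = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec and rec["message"] == WARNING:
            events.append(rec)
    return events


def flag_sources(events, threshold=3, window=300):
    """Return {ip: total_count} for IPs with >= threshold warnings inside
    any `window`-second span (sliding window over sorted timestamps)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

A single warning from one address usually means the Azure AD app has a front-channel logout URL configured while SSOut is off in Drupal; a burst from one address is what to alert on.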