public function SamlService::logout in SAML Authentication 8.3

Same name and namespace in other branches
  1. 8 src/SamlService.php \Drupal\samlauth\SamlService::logout()
  2. 8.2 src/SamlService.php \Drupal\samlauth\SamlService::logout()
  3. 4.x src/SamlService.php \Drupal\samlauth\SamlService::logout()

Initiates a SAML2 logout flow and redirects to the IdP.

Parameters

string $return_to: (optional) The path to return the user to after successful processing by the IdP.

array $parameters: (optional) Extra query parameters to add to the returned redirect URL.

Return value

string The URL of the single logout service to redirect to, including query parameters.

File

src/SamlService.php, line 597

Class

SamlService
Governs communication between the SAML toolkit and the IdP / login behavior.

Namespace

Drupal\samlauth

Code

public function logout($return_to = NULL, array $parameters = []) {

  // Log the Drupal user out at the start of the process if they were still
  // logged in. Official SAML documentation usually specifies (as far as it
  // does) that we should log the user out after getting redirected from the
  // IdP instead, at /saml/sls. However:
  // - Between calling logout() and all those redirects there is a lot that
  //   could go wrong which would then influence users' ability to log out of
  //   Drupal.
  // - There's no real downside to doing it now, either for the user or for
  //   our code (which already explicitly supports handling users who were
  //   previously logged out of Drupal).
  // - Site administrators may also want this endpoint to work for logging
  //   out non-SAML users. (Otherwise how are they going to display
  //   different login links for different users?) PLEASE NOTE however, that
  //   this is not the primary purpose of this method; it is to enable both
  //   logged-in and already-logged-out Drupal users to start a SAML logout
  //   process, i.e. to be redirected to the IdP. So a side effect is that
  //   non-SAML users are also redirected to the IdP unnecessarily. It may be
  //   possible to prevent this, but that will need to be tested carefully.
  $saml_session_data = $this->drupalLogoutHelper();

  // Start the SAML logout process. If the user was already logged out before
  // this method was called, we won't have any SAML session data so won't be
  // able to tell the IdP which session should be logging out. Even so, the
  // SAML Toolkit is able to create a generic LogoutRequest, and for at least
  // some IdPs that's enough to log the user out from the IdP if applicable
  // (because they have their own browser/cookie based session handling) and
  // return a SAMLResponse indicating success. (Maybe there's some way to
  // modify the Drupal logout process to keep the SAML session data available
  // but we won't explore that until there's a practical situation where
  // that's clearly needed.)
  // @todo should we check session expiration time before sending a logout
  //   request to the IdP? (What would an IdP do if it received an old
  //   session index? Is it better to not redirect, and throw an error on
  //   our side?)
  // @todo include nameId(SP)NameQualifier?
  //
  // The fifth argument (TRUE) is the toolkit's $stay flag: the toolkit
  // builds the LogoutRequest and returns the SLO URL instead of redirecting
  // itself, so the caller decides how to issue the redirect.
  $url = $this->getSamlAuth('logout')->logout(
    $return_to,
    $parameters,
    $saml_session_data['name_id'] ?? NULL,
    $saml_session_data['session_index'] ?? NULL,
    TRUE,
    $saml_session_data['name_id_format'] ?? NULL
  );
  if ($this->configFactory->get('samlauth.authentication')->get('debug_log_saml_out')) {
    $this->logger->debug('Sending SAML logout request: <pre>@message</pre>', [
      '@message' => $this->getSamlAuth('logout')->getLastRequestXML(),
    ]);
  }
  return $url;
}
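Because logout() returns the IdP's single logout URL rather than redirecting, a caller has to issue the redirect itself. The controller below is an added example, not part of the samlauth module: the module name, route handler and the 'samlauth.saml' service id are assumptions, and the local-path check on return_to is added here because this page does not say whether SamlService validates that value.

```php
<?php

namespace Drupal\my_module\Controller;

use Drupal\Component\Utility\UrlHelper;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Routing\TrustedRedirectResponse;
use Drupal\samlauth\SamlService;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\Request;

/**
 * Hypothetical controller that starts a SAML logout via SamlService::logout().
 */
class SamlLogoutController extends ControllerBase {

  public function __construct(protected SamlService $saml) {}

  public static function create(ContainerInterface $container): static {
    // Assumed service id; check samlauth.services.yml for the real one.
    return new static($container->get('samlauth.saml'));
  }

  public function logout(Request $request): TrustedRedirectResponse {
    // Accept only a local path as the post-logout destination. The value
    // travels to the IdP and back with the logout flow, so an absolute URL
    // is replaced by the front page here as a precaution.
    $return_to = $request->query->get('return_to', '/');
    if (UrlHelper::isExternal($return_to)) {
      $return_to = '/';
    }

    // logout() ends the Drupal session first, then builds the LogoutRequest
    // from whatever SAML session data was still available and returns the
    // IdP SLO URL (the toolkit's $stay flag is TRUE, so it does not redirect).
    $url = $this->saml->logout($return_to, ['source' => 'my_module']);

    // The URL points off-site (to the IdP), so a trusted redirect is needed.
    // It embeds a per-user LogoutRequest, so it must never be cached.
    $response = new TrustedRedirectResponse($url);
    $response->getCacheableMetadata()->setCacheMaxAge(0);
    return $response;
  }

}
```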