Skip to content

Fix shibboleth sso logout #10719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Hufschmidt wants to merge 5 commits into
base: release_10
Choose a base branch
from
Open

Fix shibboleth sso logout #10719

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
19a6017
Add missing ilInitialisation::initILIAS() to shib_logout (simiar to s…
Hufschmidt Dec 15, 2025
1d09f8e
Replace deprecated $HTTP_RAW_POST_DATA in shib_logout.php
Hufschmidt Dec 15, 2025
21d5d95
Improve formating of fallback shib_logout SOAP response
Hufschmidt Dec 15, 2025
e818a5d
Add missing shibboleth_session_id information to stored session data …
Hufschmidt Dec 15, 2025
77326ba
Stored session data is not a nested array (anymore) fix for shib_logo…
Hufschmidt Dec 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions components/ILIAS/AuthShibboleth/classes/class.ilAuthProviderShibboleth.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ public function doAuthentication(ilAuthStatus $status): bool
return false;
}

ilSession::set('shibboleth_session_id', $_SERVER['Shib-Session-ID']);
return true;
}
}
51 changes: 24 additions & 27 deletions components/ILIAS/AuthShibboleth/resources/shib_logout.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,10 @@
*****************************************************************************/
/** @noRector */
require_once("../vendor/composer/vendor/autoload.php");
ilContext::init(ilContext::CONTEXT_SHIBBOLETH);
ilInitialisation::initILIAS();
global $DIC;

$q = $DIC->http()->wrapper()->query();
if (
$q->has('return')
Expand All @@ -38,7 +41,7 @@
// stored in the application's session data.
// See function LogoutNotification below

elseif (!empty($HTTP_RAW_POST_DATA)) {
elseif (!empty(file_get_contents('php://input'))) {
ilContext::init(ilContext::CONTEXT_SOAP);

// Load ILIAS libraries and initialise ILIAS in non-web context
Expand All @@ -64,16 +67,15 @@

echo <<<WSDL
<?xml version ="1.0" encoding ="UTF-8" ?>
<definitions name="LogoutNotification"
targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/">
<definitions name="LogoutNotification" targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/">

<types>
<schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns="http://www.w3.org/2000/10/XMLSchema"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify">
<schema targetNamespace="urn:mace:shibboleth:2.0:sp:notify"
xmlns="http://www.w3.org/2000/10/XMLSchema"
xmlns:notify="urn:mace:shibboleth:2.0:sp:notify">

<simpleType name="string">
<restriction base="string">
Expand All @@ -93,7 +95,7 @@
<part name="SessionID" type="notify:string" />
</message>

<message name="getLogoutNotificationResponse" >
<message name="getLogoutNotificationResponse">
<part name="OK"/>
</message>

Expand All @@ -112,9 +114,9 @@
</binding>

<service name="LogoutNotificationService">
<port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding">
<port name="LogoutNotificationPort" binding="notify:LogoutNotificationBinding">
<soap:address location="{$url}"/>
</port>
</port>
</service>
</definitions>
WSDL;
Expand All @@ -136,20 +138,15 @@ function LogoutNotification($SessionID)
$q = "SELECT session_id, data FROM usr_session WHERE expires > 'NOW()'";
$r = $ilDB->query($q);

while ($session_entry = $r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) {
$user_session = unserializesession($session_entry['data']);

// Look for session with matching Shibboleth session id
// and then delete this ilias session
foreach ($user_session as $user_session_entry) {
if (is_array($user_session_entry)
&& array_key_exists('shibboleth_session_id', $user_session_entry)
&& $user_session_entry['shibboleth_session_id'] == $SessionID
) {
// Delete this session entry
if (ilSession::_destroy($session_entry['session_id']) !== true) {
return new SoapFault('LogoutError', 'Could not delete session entry in database.');
}
while ($session = $r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) {
$session_data = unserializesession($session['data']);
if (is_array($session_data)
&& array_key_exists('shibboleth_session_id', $session_data)
&& $session_data['shibboleth_session_id'] == $SessionID
) {
// Delete this session entry
if (ilSession::_destroy($session['session_id']) !== true) {
return new SoapFault('LogoutError', 'Could not delete session entry in database.');
}
}
}
Expand All @@ -167,4 +164,4 @@ function unserializesession($serialized_string)
}

return ($variables);
}
}
Loading