saml: Rework SP-initiated logout config to support IdP-level config.

This gives more flexibility on a server with multiple organizations and SAML IdPs. Such a server can have some organizations handled by IdPs with SLO set up, and some without it set up. In such a scenario, having a generic True/False server-wide setting is insufficient and instead being able to specify the IdPs/orgs for SLO is needed.
2025-11-03 05:23:35 +00:00 · 2022-11-12 21:44:02 +01:00
parent e8f3b87b17
commit 3f55c10685
8 changed files with 33 additions and 25 deletions
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -2882,11 +2882,11 @@ class SAMLSPInitiatedLogout:
    @classmethod
    def slo_request_to_idp(
        cls, request: HttpRequest, return_to: Optional[str] = None
-    ) -> Optional[HttpResponse]:
+    ) -> HttpResponse:
        """
        Generates the redirect to the IdP's SLO endpoint with
-        the appropriately generated LogoutRequest or None if the session
-        wasn't authenticated via SAML.
+        the appropriately generated LogoutRequest. This should only be called
+        on requests with a session that was indeed obtained via SAML.
        """

        user_profile = request.user
@@ -2900,7 +2900,7 @@ class SAMLSPInitiatedLogout:

        idp_name = cls.get_logged_in_user_idp(request)
        if idp_name is None:
-            return None
+            raise AssertionError("User not logged in via SAML")

        idp = saml_backend.get_idp(idp_name)
        auth = saml_backend._create_saml_auth(idp)
--- a/zproject/default_settings.py
+++ b/zproject/default_settings.py
@@ -92,8 +92,6 @@ SOCIAL_AUTH_SAML_SECURITY_CONFIG: Dict[str, Any] = {}
 # the limit_to_subdomains setting to be considered valid:
 SAML_REQUIRE_LIMIT_TO_SUBDOMAINS = False

-SAML_ENABLE_SP_INITIATED_SINGLE_LOGOUT = False
-
 # Historical name for SOCIAL_AUTH_GITHUB_KEY; still allowed in production.
 GOOGLE_OAUTH2_CLIENT_ID: Optional[str] = None

--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@@ -450,6 +450,9 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, Any] = {
        ## default, Zulip asks the user whether they want to create an
        ## account or try to log in again using another method.
        # "auto_signup": False,
+        ## Determines whether Service Provider initiated SAML Single Logout should be enabled.
+        ## Note that IdP-initiated Single Logout must be configured before enabling this.
+        # "sp_initiated_logout_enabled": False,
    },
 }

@@ -494,9 +497,6 @@ SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {
 #    }
 # }

-# This setting allows enabling of SP-initiated logout with SAML.
-# SAML_ENABLE_SP_INITIATED_SINGLE_LOGOUT = True
-
 ########
 ## Apple authentication ("Sign in with Apple").
 ##
--- a/zproject/settings_types.py
+++ b/zproject/settings_types.py
@@ -12,6 +12,7 @@ class SAMLIdPConfigDict(TypedDict, total=False):
    entity_id: str
    url: str
    slo_url: str
+    sp_initiated_logout_enabled: bool
    attr_user_permanent_id: str
    attr_first_name: str
    attr_last_name: str
--- a/zproject/test_extra_settings.py
+++ b/zproject/test_extra_settings.py
@@ -245,6 +245,7 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, SAMLIdPConfigDict] = {
        "entity_id": "https://idp.testshib.org/idp/shibboleth",
        "url": "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO",
        "slo_url": "https://idp.testshib.org/idp/profile/SAML2/Redirect/Logout",
+        "sp_initiated_logout_enabled": True,
        "x509cert": get_from_file_if_exists("zerver/tests/fixtures/saml/idp.crt"),
        "attr_user_permanent_id": "email",
        "attr_first_name": "first_name",