add getSLOResponseUrl(), add check for setting ['singleLogoutService']['responseUrl']

Author: mwey

lib/Saml2/Auth.php

@@ -285,7 +285,7 @@ public function processSLO($keepLocalSession = false, $requestId = null, $retrie
                     $parameters['Signature'] = $signature;
                 }
 
-                return $this->redirectTo($this->getSLOurl(), $parameters, $stay);
+                return $this->redirectTo($this->getSLOResponseUrl(), $parameters, $stay);
             }
         } else {
             $this->_errors[] = 'invalid_binding';
@@ -581,6 +581,21 @@ public function getSLOurl()
         return $url;
     }
 
+    /**
+     * Gets the SLO response url.
+     *
+     * @return string|null The response url of the Single Logout Service
+     */
+    public function getSLOResponseUrl()
+    {
+        $url = null;
+        $idpData = $this->_settings->getIdPData();
+        if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['responseUrl'])) {
+            return $idpData['singleLogoutService']['responseUrl'];
+        }
+        return $this->getSLOurl();
+    }
+
     /**
      * Gets the ID of the last AuthNRequest or LogoutRequest generated by the Service Provider.
      *

lib/Saml2/Settings.php

@@ -531,6 +531,14 @@ public function checkIdPSettings($settings)
                 $errors[] = 'idp_slo_url_invalid';
             }
 
+            if (isset($idp['singleLogoutService'])
+                && isset($idp['singleLogoutService']['responseUrl'])
+                && !empty($idp['singleLogoutService']['responseUrl'])
+                && !filter_var($idp['singleLogoutService']['responseUrl'], FILTER_VALIDATE_URL)
+            ) {
+                $errors[] = 'idp_slo_response_url_invalid';
+            }
+
             if (isset($settings['security'])) {
                 $security = $settings['security'];