
SessionIndex from original AuthnResponse is needed for logout but not exposed #2

Description

@quantatheist

Hi, first of all, thank you for this high-level package!

I tried to migrate my existing low-level SAML code and noticed what looks like a small mismatch in the cookbook.
The logout request documentation shows that sendLogoutRequest() accepts a sessionIndex parameter, which should be taken from the “original AuthnResponse” (see https://litesaml.github.io/cookbook/docs/single-logout/logout-request/#send-a-logout-request).

However, when handling an authentication response with ServiceProviderWrapper::handleAuthnResponse(), the returned high-level AuthnResponse does not seem to expose the SessionIndex from the AuthnStatement (see https://litesaml.github.io/cookbook/docs/authentication/authn-response#reading-attributes).
So, when using the high-level API, I currently need to grab the SessionIndex the “old” low-level way by reading the assertion manually.

I suggest exposing the SessionIndex on the high-level AuthnResponse, for example as $authnResponse->sessionIndex. The value should already be available after LightSAML has parsed or decrypted the assertion, because AuthnStatement::deserialize() reads the SessionIndex attribute via attributesFromXml(), which ultimately calls setSessionIndex() through AbstractSamlModel::singleAttributeFromXml().

I hope this makes sense. I am still getting familiar with the high-level API, so I might be missing something. If there is already a recommended way to obtain the SessionIndex, I would be happy to learn about it. I can provide more details or test a possible change if that would be helpful.

Have a nice week!
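
The low-level route the post refers to, as an added example that is not part of the issue or of the project's own code: it deserializes a constructed, unsigned Response with LightSAML's model classes and reads SessionIndex from the AuthnStatement so it can be stored for the later logout request. The helper name `extractSessionIndex`, the Composer autoload path and every sample value are assumptions; encrypted assertions are not handled, and in a real flow the response is signature-validated before any value is used.

```php
<?php
// Added example; assumes the lightsaml package is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use LightSaml\Model\Context\DeserializationContext;
use LightSaml\Model\Protocol\Response;

// Constructed sample Response (unsigned, placeholder values), for illustration only.
$xml = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z" SessionIndex="_sess-constructed-123">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
XML;

/** Hypothetical helper: first non-empty SessionIndex in a parsed Response, or null. */
function extractSessionIndex(Response $response): ?string
{
    foreach ($response->getAllAssertions() as $assertion) {
        foreach ($assertion->getAllAuthnStatements() as $statement) {
            $idx = $statement->getSessionIndex();
            if ($idx !== null && $idx !== '') {
                return $idx;
            }
        }
    }
    return null; // SessionIndex is an optional attribute in SAML 2.0
}

$ctx = new DeserializationContext();
$ctx->getDocument()->loadXML($xml);
$response = new Response();
$response->deserialize($ctx->getDocument()->documentElement, $ctx);

$sessionIndex = extractSessionIndex($response);
$nameId = $response->getFirstAssertion()->getSubject()->getNameID();
// Store these in the local session; the logout request is built from them later.
var_dump($sessionIndex, $nameId->getValue(), $nameId->getFormat());
```

A `null` result means the IdP issued no SessionIndex, so the caller should decide explicitly whether to send a logout request without one rather than pass an empty string.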
