Fix SLO on POST-binding

tvdijen · tvdijen · commit ceae92db9898 · 2023-07-31T12:04:00.000+02:00
diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
@@ -8,6 +8,7 @@ See the upgrade notes for specific information about upgrading.
 ## Version 2.0.5
 
 * Never expose the cron-API if secret is not properly configured (#1831)
+* Fixed a bug where IdP-initiated SLO using the HTTP-POST binding wasn't properly dealt with
 
 ## Version 2.0.4
 
diff --git a/modules/saml/src/Controller/SingleLogout.php b/modules/saml/src/Controller/SingleLogout.php
@@ -87,6 +87,10 @@ public function singleLogout(Request $request): Response
             return $idp->doLogoutRedirect(
                 $httpUtils->checkURLAllowed($request->query->get('ReturnTo'))
             );
+        } elseif ($request->request->has('ReturnTo')) {
+            return $idp->doLogoutRedirect(
+                $httpUtils->checkURLAllowed($request->request->get('ReturnTo'))
+            );
         }
 
         try {
