From c02d4651105de74d6d5027015fa43d94a69b1308 Mon Sep 17 00:00:00 2001
From: Kirill Roskolii
Date: Fri, 31 Jan 2025 07:48:01 +1300
Subject: [PATCH 1/2] Do not confuse Settings::getIdPSLOResponseUrl() with bad example
---
 settings_example.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/settings_example.php b/settings_example.php
index 14205f92..a3808e24 100644
--- a/settings_example.php
+++ b/settings_example.php
@@ -95,7 +95,7 @@
 'url' => '',
 // URL location of the IdP where the SP will send the SLO Response (ResponseLocation)
 // if not set, url for the SLO Request will be used
- 'responseUrl' => '',
+ // 'responseUrl' => '',
 // SAML protocol binding to be used when returning the
 // message. SAML Toolkit supports for this endpoint the
 // HTTP-Redirect binding only
From 99c5d56599157a6d888d4b4dd811d83b4e82230a Mon Sep 17 00:00:00 2001
From: Kirill Roskolii
Date: Fri, 31 Jan 2025 08:15:29 +1300
Subject: [PATCH 2/2] Improve IdP configuration validation
---
 lib/Saml2/Settings.php | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php
index 660f56cc..77b8d707 100644
--- a/lib/Saml2/Settings.php
+++ b/lib/Saml2/Settings.php
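Review bot: The comment above the now-commented `responseUrl` entry still says only "if not set", which is exactly the wording that led people to set it to `''` — presumably the empty string counts as set for Settings::getIdPSLOResponseUrl() and suppresses the fallback, as the commit title suggests. Make the example say so explicitly so the next reader does not reintroduce the bad value: `// if this key is omitted (an empty string counts as set), url for the SLO Request will be used`. The enclosing `singleLogoutService` array starts and ends outside the hunk.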
@@ -543,26 +543,19 @@ public function checkIdPSettings($settings) $errors[] = 'idp_entityId_not_found'; } - if (!isset($idp['singleSignOnService']) - || !isset($idp['singleSignOnService']['url']) - || empty($idp['singleSignOnService']['url']) - ) { + if (!isset($idp['singleSignOnService']['url'])) { $errors[] = 'idp_sso_not_found'; } else if (!filter_var($idp['singleSignOnService']['url'], FILTER_VALIDATE_URL)) { $errors[] = 'idp_sso_url_invalid'; } - if (isset($idp['singleLogoutService']) - && isset($idp['singleLogoutService']['url']) - && !empty($idp['singleLogoutService']['url']) + if (isset($idp['singleLogoutService']['url']) && !filter_var($idp['singleLogoutService']['url'], FILTER_VALIDATE_URL) ) { $errors[] = 'idp_slo_url_invalid'; } - if (isset($idp['singleLogoutService']) - && isset($idp['singleLogoutService']['responseUrl']) - && !empty($idp['singleLogoutService']['responseUrl']) + if (isset($idp['singleLogoutService']['responseUrl']) && !filter_var($idp['singleLogoutService']['responseUrl'], FILTER_VALIDATE_URL) ) { $errors[] = 'idp_slo_response_url_invalid';
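Review bot: Dropping the `empty()` checks changes which error an empty-string value produces, and for the SLO entries it turns a previously accepted value into a failure: `'url' => ''` for singleSignOnService (the settings_example default) now reports `idp_sso_url_invalid` instead of `idp_sso_not_found`, and an empty singleLogoutService `url` or `responseUrl` — the value settings_example.php shipped until PATCH 1/2 — now fails with `idp_slo_url_invalid` / `idp_slo_response_url_invalid` because `filter_var('', FILTER_VALIDATE_URL)` is false. If rejecting empty strings is the intent, it is a stricter contract for existing configurations copied from the old example and deserves a sentence in the commit message or changelog; if not, keep the emptiness test next to the new `isset`, e.g. `if (!isset($idp['singleSignOnService']['url']) || $idp['singleSignOnService']['url'] === '') {` and `if (isset($idp['singleLogoutService']['url']) && $idp['singleLogoutService']['url'] !== ''` for the two SLO branches. The body of checkIdPSettings continues outside the hunk.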