From fed79fc4e719cd7b15c53deb4268d04ce2832564 Mon Sep 17 00:00:00 2001
From: Roman Barbun
Date: Mon, 27 Oct 2025 14:56:22 +1100
Subject: [PATCH 1/6] Changed Nginx configuration rules to allow serving static assets for SAML auto-post.
---
 .docker/images/nginx/location_prepend_simplesamlphp.conf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.docker/images/nginx/location_prepend_simplesamlphp.conf b/.docker/images/nginx/location_prepend_simplesamlphp.conf
index 190e5e9a4..ec5896e12 100644
--- a/.docker/images/nginx/location_prepend_simplesamlphp.conf
+++ b/.docker/images/nginx/location_prepend_simplesamlphp.conf
@@ -19,3 +19,10 @@ location ~ /${LAGOON_PROJECT:-govcms}-saml/module.php/saml/sp/(saml2-logout\.php
 }
 }
+# Serve only static assets (JS/CSS/images) for SAML auto-post page.
+location ^~ /${LAGOON_PROJECT:-govcms}-saml/assets/ {
+ alias /app/vendor/simplesamlphp/simplesamlphp/public/assets/;
+ access_log off;
+ expires 1h;
+ add_header Cache-Control "public";
+}
From da08c198d1c31e1a4d2a9f32a1f83d73c4c854e6 Mon Sep 17 00:00:00 2001
From: Roman Barbun
Date: Fri, 7 Nov 2025 13:07:46 +1100
Subject: [PATCH 2/6] Disabled SP-initiated SLO by default.
---
 .docker/config/simplesaml/metadata/saml20-idp-remote.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.docker/config/simplesaml/metadata/saml20-idp-remote.php b/.docker/config/simplesaml/metadata/saml20-idp-remote.php
index 67d4ea76d..e9c761487 100644
--- a/.docker/config/simplesaml/metadata/saml20-idp-remote.php
+++ b/.docker/config/simplesaml/metadata/saml20-idp-remote.php
@@ -2,6 +2,7 @@
 $idpBaseURL = getenv('SIMPLESAMLPHP_IDP_BASE_URL');
 $idpEntityId = getenv('SIMPLESAMLPHP_IDP_ENTITYID') ?: $idpBaseURL;
+$singleLogOut = getenv('SIMPLESAMLPHP_SP_SLO') ?: false;
 $fallbackBinding = getenv('SIMPLESAMLPHP_IDP_DEFAULT_BINDING');
 $bindingKeys = [
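Review bot: `add_header Cache-Control "public"` inside this new location replaces, rather than extends, any `add_header` directives inherited from the enclosing server block, because nginx only inherits `add_header` when the current level defines none; any security headers set above (if there are any) would therefore stop being sent for everything under `/…-saml/assets/`. `expires 1h` already emits `Cache-Control: max-age=3600`, so the explicit directive also produces a second Cache-Control header, and dropping it (re-declaring the server-level headers here if they are wanted) avoids both problems. The `^~` prefix paired with a directory `alias` also publishes every file simplesamlphp ships under `public/assets/`; if only the HTTP-POST auto-submit script is needed, an exact `location =` on that one file is the least-exposure form. The location/alias pairing itself is correct as written (both end in `/`), so there is no off-by-slash path issue here.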
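Review bot: `getenv('SIMPLESAMLPHP_SP_SLO') ?: false` treats any non-empty string as true, so `SIMPLESAMLPHP_SP_SLO=false` or `=off` would enable the logout fallback instead of disabling it; only an unset, empty or `0` value reads as false. The file already parses `SIMPLESAMLPHP_IDP_SIGN_AUTH` with `filter_var(..., FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE)` (visible in a later hunk of this series), and the same form here, `$singleLogOut = filter_var(getenv('SIMPLESAMLPHP_SP_SLO'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? false;`, accepts the usual true/false/on/off/yes/no/1/0 spellings and still defaults to off. The condition that consumes `$singleLogOut` is in this patch's second hunk, inside a loop whose start lies outside that hunk.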
@@ -23,7 +24,7 @@
 $envVar = getenv($key);
 // Special for LOGOUT: fallback to non-logout sibling if present.
- if (str_contains($key, 'LOGOUT') && empty($envVar)) {
+ if (str_contains($key, 'LOGOUT') && empty($envVar) && $singleLogOut) {
 $nonLogoutKey = str_replace('LOGOUT_', '', $key);
 $envVar = getenv($nonLogoutKey);
 }
From e70c04a8771192a908300f0b45351fd978c773d2 Mon Sep 17 00:00:00 2001
From: Roman Barbun
Date: Thu, 13 Nov 2025 12:14:20 +1100
Subject: [PATCH 3/6] Removed SLO changes.
---
 .docker/config/simplesaml/metadata/saml20-idp-remote.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.docker/config/simplesaml/metadata/saml20-idp-remote.php b/.docker/config/simplesaml/metadata/saml20-idp-remote.php
index e9c761487..67d4ea76d 100644
--- a/.docker/config/simplesaml/metadata/saml20-idp-remote.php
+++ b/.docker/config/simplesaml/metadata/saml20-idp-remote.php
@@ -2,7 +2,6 @@
 $idpBaseURL = getenv('SIMPLESAMLPHP_IDP_BASE_URL');
 $idpEntityId = getenv('SIMPLESAMLPHP_IDP_ENTITYID') ?: $idpBaseURL;
-$singleLogOut = getenv('SIMPLESAMLPHP_SP_SLO') ?: false;
 $fallbackBinding = getenv('SIMPLESAMLPHP_IDP_DEFAULT_BINDING');
 $bindingKeys = [
@@ -24,7 +23,7 @@
 $envVar = getenv($key);
 // Special for LOGOUT: fallback to non-logout sibling if present.
- if (str_contains($key, 'LOGOUT') && empty($envVar) && $singleLogOut) {
+ if (str_contains($key, 'LOGOUT') && empty($envVar)) {
 $nonLogoutKey = str_replace('LOGOUT_', '', $key);
 $envVar = getenv($nonLogoutKey);
 }
From 05ca1a0693f88cea79836d39b73719cd9ef76c64 Mon Sep 17 00:00:00 2001
From: barbun
Date: Wed, 11 Feb 2026 17:16:42 +1100
Subject: [PATCH 4/6] Added env var to allow error URL override. (#520)
Co-authored-by: Roman Barbun
---
 .docker/config/simplesaml/metadata/saml20-idp-remote.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.docker/config/simplesaml/metadata/saml20-idp-remote.php b/.docker/config/simplesaml/metadata/saml20-idp-remote.php
index 67d4ea76d..514b664f4 100644
--- a/.docker/config/simplesaml/metadata/saml20-idp-remote.php
+++ b/.docker/config/simplesaml/metadata/saml20-idp-remote.php
@@ -47,6 +47,7 @@ $metadata[$idpEntityId] = [
 'entityid' => $idpEntityId,
 'contacts' => [],
+ 'errorURL' => getenv('SIMPLESAMLPHP_SP_ERROR_URL') ?: null,
 'metadata-set' => 'saml20-idp-remote',
 'sign.authnrequest' => filter_var(getenv('SIMPLESAMLPHP_IDP_SIGN_AUTH'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true,
 'SingleSignOnService' => [],
From 76018d5b7e5b0c3199f76f99baad943e6fa22bca Mon Sep 17 00:00:00 2001
From: barbun
Date: Mon, 2 Mar 2026 12:21:26 +1100
Subject: [PATCH 5/6] Narrowed down the Nginx rules.
---
 .docker/images/nginx/location_prepend_simplesamlphp.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.docker/images/nginx/location_prepend_simplesamlphp.conf b/.docker/images/nginx/location_prepend_simplesamlphp.conf
index ec5896e12..bd63c96fe 100644
--- a/.docker/images/nginx/location_prepend_simplesamlphp.conf
+++ b/.docker/images/nginx/location_prepend_simplesamlphp.conf
@@ -19,9 +19,9 @@ location ~ /${LAGOON_PROJECT:-govcms}-saml/module.php/saml/sp/(saml2-logout\.php
 }
 }
-# Serve only static assets (JS/CSS/images) for SAML auto-post page.
-location ^~ /${LAGOON_PROJECT:-govcms}-saml/assets/ {
- alias /app/vendor/simplesamlphp/simplesamlphp/public/assets/;
+# Serve auto-submit JS for SAML auto-post page (HTTP-POST binding).
+location = /${LAGOON_PROJECT:-govcms}-saml/assets/base/js/post.js {
+ alias /app/vendor/simplesamlphp/simplesamlphp/public/assets/base/js/post.js;
 access_log off;
 expires 1h;
 add_header Cache-Control "public";
From 73728bce1b0aa37f6a08dcbe4f0962e826210b96 Mon Sep 17 00:00:00 2001
From: barbun
Date: Mon, 2 Mar 2026 15:46:42 +1100
Subject: [PATCH 6/6] Removed header for auto-submit JS location.
---
 .docker/images/nginx/location_prepend_simplesamlphp.conf | 1 -
 1 file changed, 1 deletion(-)
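Review bot: `'errorURL' => getenv('SIMPLESAMLPHP_SP_ERROR_URL') ?: null` places the raw environment string into the IdP metadata without checking that it is an absolute URL, while the neighbouring `sign.authnrequest` entry validates its env var with `filter_var`. Presumably SimpleSAMLphp treats this as the IdP-published error page the user is pointed to on an authentication failure (the SAML metadata `errorURL` attribute) — confirm against the installed version — in which case a typo or a relative path gives a broken or unexpected target rather than a clear configuration error. Validating it the same way, `'errorURL' => filter_var(getenv('SIMPLESAMLPHP_SP_ERROR_URL'), FILTER_VALIDATE_URL) ?: null,`, degrades to `null` on anything that is not a URL; a short comment stating what `null` falls back to would also help, since that behaviour is not visible here. The `$metadata[$idpEntityId]` array this line sits in starts before the hunk.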
diff --git a/.docker/images/nginx/location_prepend_simplesamlphp.conf b/.docker/images/nginx/location_prepend_simplesamlphp.conf
index bd63c96fe..9566f7bd2 100644
--- a/.docker/images/nginx/location_prepend_simplesamlphp.conf
+++ b/.docker/images/nginx/location_prepend_simplesamlphp.conf
@@ -24,5 +24,4 @@ location = /${LAGOON_PROJECT:-govcms}-saml/assets/base/js/post.js {
 alias /app/vendor/simplesamlphp/simplesamlphp/public/assets/base/js/post.js;
 access_log off;
 expires 1h;
- add_header Cache-Control "public";
 }