Ensure non-nil fingerprint for SAML logout

app/controllers/saml_idp_controller.rb

@@ -35,8 +35,9 @@ def logout
     decode_request(raw_saml_request)
 
     # Plumb the fingerprint through to the internal service_provider representation
-    if saml_request && matching_cert
-      saml_request.service_provider.fingerprint = Fingerprinter.fingerprint_cert(matching_cert)
+    if saml_request&.service_provider
+      saml_request.service_provider.fingerprint =
+         Fingerprinter.fingerprint_cert(matching_cert || current_service_provider.ssl_certs.first)
     end
 
     track_logout_event

spec/controllers/saml_idp_controller_spec.rb

@@ -43,6 +43,32 @@
 
       delete :logout, params: { SAMLRequest: 'foo' }
     end
+
+    let(:service_provider) do
+      create(:service_provider,
+             cert: nil, # override singular cert
+             certs: ['saml_test_sp'],
+             active: true)
+    end
+
+    let(:wrong_cert_settings) do
+      sp1_saml_settings.tap do |settings|
+        settings.issuer = service_provider.issuer
+        settings.certificate = File.read(Rails.root.join('certs', 'sp', 'saml_test_sp2.crt'))
+        settings.private_key = OpenSSL::PKey::RSA.new(
+          File.read(Rails.root + 'keys/saml_test_sp2.key'),
+        ).to_pem
+      end
+    end
+
+    it 'rejects requests from a wrong cert' do
+      request_url = OneLogin::RubySaml::Logoutrequest.new.create(wrong_cert_settings)
+      saml_request = UriService.params(request_url)[:SAMLRequest]
+
+      delete :logout, params: { SAMLRequest: saml_request }
+
+      expect(response).to be_bad_request
+    end
   end
 
   describe '/api/saml/metadata' do

spec/support/fake_saml_logout_request.rb

@@ -1,4 +1,6 @@
 class FakeSamlLogoutRequest
+  attr_accessor :fingerprint
+
   def service_provider
     self
   end