18F · orenyk · May 11, 2022 · May 11, 2022
diff --git a/app/services/saml_endpoint.rb b/app/services/saml_endpoint.rb
@@ -35,8 +35,13 @@ def x509_certificate
   def saml_metadata
     config = SamlIdp.config.dup
     config.single_service_post_location += suffix
-    config.single_logout_service_post_location += suffix
-    config.remote_logout_service_post_location += suffix
+    if IdentityConfig.store.include_slo_in_saml_metadata
+      config.single_logout_service_post_location += suffix
+      config.remote_logout_service_post_location += suffix
+    else
+      config.single_logout_service_post_location = nil
+      config.remote_logout_service_post_location = nil
+    end
 
     SamlIdp::MetadataBuilder.new(
       config,

diff --git a/config/application.yml.default b/config/application.yml.default
@@ -102,6 +102,7 @@ idv_private_key: 'LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlCT2dJQkFBSkJBS3
 idv_send_link_attempt_window_in_minutes: 10
 idv_send_link_max_attempts: 5
 in_person_proofing_enabled: true
+include_slo_in_saml_metadata: false
 liveness_checking_enabled: false
 logins_per_ip_track_only_mode: false
 # LexisNexis #####################################################

diff --git a/lib/identity_config.rb b/lib/identity_config.rb
@@ -176,6 +176,7 @@ def self.build_store(config_map)
     config.add(:idv_send_link_attempt_window_in_minutes, type: :integer)
     config.add(:idv_send_link_max_attempts, type: :integer)
     config.add(:in_person_proofing_enabled, type: :boolean)
+    config.add(:include_slo_in_saml_metadata, type: :boolean)
     config.add(:lexisnexis_base_url, type: :string)
     config.add(:lexisnexis_request_mode, type: :string)
     config.add(:lexisnexis_account_id, type: :string)

diff --git a/spec/features/saml/multiple_endpoints_spec.rb b/spec/features/saml/multiple_endpoints_spec.rb
@@ -91,20 +91,35 @@
       )
     end
 
-    it 'includes the front-channel logout url' do
-      visit endpoint_metadata_path
+    it 'does not include logout urls if configured' do
+      allow(IdentityConfig.store).to receive(:include_slo_in_saml_metadata).
+        and_return(false)
       document = REXML::Document.new(page.html)
       logout_nodes = REXML::XPath.match(document, '//SingleLogoutService')
-      expect(logout_nodes.count { |n| n['Location'].match?(%r{/api/saml/logout\d{4}}) }).
-        to eq(2)
+      expect(logout_nodes.count).to be_zero
     end
 
-    it 'includes the remote logout url' do
-      visit endpoint_metadata_path
-      document = REXML::Document.new(page.html)
-      logout_nodes = REXML::XPath.match(document, '//SingleLogoutService')
-      expect(logout_nodes.count { |n| n['Location'].match?(%r{/api/saml/remotelogout\d{4}}) }).
-        to eq(1)
+    context 'when configured to include logout endpoints' do
+      before do
+        allow(IdentityConfig.store).to receive(:include_slo_in_saml_metadata).
+          and_return(true)
+      end
+
+      it 'includes the front-channel logout url' do
+        visit endpoint_metadata_path
+        document = REXML::Document.new(page.html)
+        logout_nodes = REXML::XPath.match(document, '//SingleLogoutService')
+        expect(logout_nodes.count { |n| n['Location'].match?(%r{/api/saml/logout\d{4}}) }).
+          to eq(2)
+      end
+
+      it 'includes the remote logout url' do
+        visit endpoint_metadata_path
+        document = REXML::Document.new(page.html)
+        logout_nodes = REXML::XPath.match(document, '//SingleLogoutService')
+        expect(logout_nodes.count { |n| n['Location'].match?(%r{/api/saml/remotelogout\d{4}}) }).
+          to eq(1)
+      end
     end
   end
 end
diff --git a/spec/services/saml_endpoint_spec.rb b/spec/services/saml_endpoint_spec.rb
@@ -76,6 +76,22 @@
       result = subject.saml_metadata
 
       expect(result.configurator.single_service_post_location).to match(%r{api/saml/auth2022\Z})
+    end
+
+    it 'does not include the SingLogoutService endpoints when configured' do
+      allow(IdentityConfig.store).to receive(:include_slo_in_saml_metadata).
+        and_return(false)
+      result = subject.saml_metadata
+
+      expect(result.configurator.single_logout_service_post_location).to be_nil
+      expect(result.configurator.remote_logout_service_post_location).to be_nil
+    end
+
+    it 'includes the SingLogoutService endpoints when configured' do
+      allow(IdentityConfig.store).to receive(:include_slo_in_saml_metadata).
+        and_return(true)
+      result = subject.saml_metadata
+
       expect(result.configurator.single_logout_service_post_location).to match(
         %r{api/saml/logout2022\Z},
       )