From 4959281164ac2d02a75b24b18eece3b53f236761 Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Wed, 24 Jun 2020 08:56:13 +0200 Subject: [PATCH] fix optional SAML/Shibboleth login fails when proxying as form field with name "auth=saml" get lost --- api/js/login.js | 11 +++++++++-- api/src/Auth.php | 7 ------- api/src/Auth/Saml.php | 4 ++-- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/api/js/login.js b/api/js/login.js index f059254644..eeb0ca12f3 100644 --- a/api/js/login.js +++ b/api/js/login.js @@ -59,12 +59,19 @@ egw_LAB.wait(function() ]); // automatic submit of SAML IdP selection - jQuery('select.onChangeSubmit').on('change', function() { + jQuery('select[name="auth=saml"]').on('change', function() { if (this.value) { - this.form.method = 'GET'; + this.form.method = 'get'; + jQuery(this.form).append(''); + jQuery(this.form).append(''); this.form.submit(); } }); + // or optional SAML login with a button for a single IdP + jQuery('input[type="submit"][name="auth=saml"]').on('click', function(){ + this.form.method = 'get'; + jQuery(this.form).append(''); + }); }); }); diff --git a/api/src/Auth.php b/api/src/Auth.php index 6523e9ad56..edf83b9b44 100644 --- a/api/src/Auth.php +++ b/api/src/Auth.php @@ -128,13 +128,6 @@ class Auth { $type = $_REQUEST['auth']; } - elseif (($auth = array_filter($_REQUEST, function($key) - { - return substr($key, 0, 5) === 'auth='; - }, ARRAY_FILTER_USE_KEY)) && !empty(current($auth))) - { - $type = substr(key($auth), 5); - } // to not allow enabling all sort of auth plugins by simply calling login.php?auth=xyz we require the // plugin to be enabled via "${auth}_discovery" server config if (!empty($type) && empty($GLOBALS['egw_info']['server'][$type.'_discovery'])) diff --git a/api/src/Auth/Saml.php b/api/src/Auth/Saml.php index 06096be1ce..bfeef46a39 100644 --- a/api/src/Auth/Saml.php +++ b/api/src/Auth/Saml.php 
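Review bot: In api/js/login.js both handlers switch the login form to `get` and submit the whole form, so anything already typed into its other inputs travels in the query string and can end up in browser history and in proxy and web-server logs; the new click handler for the single-IdP button adds a second path to this. This assumes the form is the regular login form with user-name and password inputs, which the hunk does not show. Before submitting, take the credential fields out of the submission, e.g. `jQuery(this.form).find('input[type="password"]').prop('disabled', true);`, or navigate to a URL built only from the `auth` and `idp` values. The change handler also appends to the form on every change event without removing what an earlier event added, so repeated selections can submit duplicate fields. The enclosing `egw_LAB.wait` callback starts outside the hunk.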
@@ -113,8 +113,8 @@ class Saml implements BackendSSO { // login (redirects to IdP) $as = new SimpleSAML\Auth\Simple(self::$auth_source); - $as->requireAuth(preg_match('|^https://|', $_REQUEST['auth=saml']) ? - ['saml:idp' => $_REQUEST['auth=saml']] : []); + $as->requireAuth(preg_match('|^https://|', $_REQUEST['idp']) ? + ['saml:idp' => $_REQUEST['idp']] : []); /* cleanup session for EGroupware: currently NOT used as we share the session with SimpleSAMLphp $session = SimpleSAML\Session::getSessionFromRequest();
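Review bot: `$_REQUEST['idp']` in the new `requireAuth()` call is read twice without checking that it is set or that it is a string, and the only validation is the `https://` prefix. A request without `idp` raises an undefined-index notice or warning, and `idp[]=x` hands an array to `preg_match()`, which is a warning on PHP 7 and a TypeError on PHP 8. Read it once and type-check it: `$idp = $_REQUEST['idp'] ?? null;` followed by `$as->requireAuth(is_string($idp) && preg_match('|^https://|', $idp) ? ['saml:idp' => $idp] : []);`. Because the value selects the IdP the browser is redirected to, comparing it against the configured IdP list would be stricter than trusting the prefix; whether SimpleSAMLphp already rejects unknown entity IDs is not visible here. The enclosing method starts and ends outside the hunk.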