
Ligonsker:

How to check if the user is logged in to SSO using SAML on all routes?

Hello,

I've followed the steps of the package 24Slides/laravel-saml2 to setup SAML on my app: https://github.com/24Slides/laravel-saml2?tab=readme-ov-file#laravel-54-saml-service-provider

The setup seems to be correct, and a login URL was created:

https://example.com/saml2/some-long-uuid/login

When I hit this endpoint, it redirects to the login URL on the Microsoft Azure login website of the company.

However, I want to add a check to every route in web.php that the user is logged in. But I couldn't find the right way to do that, and there is no mention of it in the docs.

What I want to do is that whenever a user visits any URL in web.php (or a defined group), it will check if the user is logged in via the SAML2 SSO, and if yes, continue to the link; otherwise, redirect him to the Microsoft Azure login page.

So far I was only able to do it if I specifically visit the login URL https://example.com/saml2/some-long-uuid/login.

Thanks

0 likes
11 replies
martinbean:

@ligonsker You wouldn’t. You use the SAML endpoint to identify a user, and then use those details to authenticate the user in your app (creating a session for them).

You then need to handle two potential actions:

  • If the user logs out of your application, you need to tell the identity provider they’ve logged out so the session is ended.
  • If the user ends their SSO session via some other means, your application should have an endpoint to be notified, so that you can clear their authenticated session in your application as well.

These are described in the README of the very project you posted: https://github.com/24Slides/laravel-saml2?tab=readme-ov-file#logging-out

1 like
Ligonsker:

@martinbean But how can I make sure the user is logged out, if he logged out from another SSO app but in Laravel the session is still active?

For example, the Laravel session expiry time is 2 hours. Then the user logs in to SSO via the Laravel app, and it creates a session for 2 hours.

Then, 1 hour later he logs out of the SSO from another app. When he comes back to the Laravel app, the Laravel session is still active and he will not be logged out.

Then how can I do that? Do I need to check with the IdP upon every request (which might be very slow)? Or is there some different way to do that?

martinbean:

> But how can I make sure the user is logged out, if he logged out from another SSO app but in Laravel the session is still active?

@Ligonsker I told you above?

> If the user ends their SSO session via some other means, your application should have an endpoint to be notified, so that you can clear their authenticated session in your application as well.

The README of the project you linked also mentions it at https://github.com/24Slides/laravel-saml2?tab=readme-ov-file#logging-out:

> By logging out of the global SSO Session. In this case the IdP will notify you on /saml2/{uuid}/slo endpoint (already provided).

1 like
Ligonsker:

I don't think this is the same thing. What you showed is just a way to log out the global session from the Laravel app, for example having a "Logout" button inside the Laravel app itself that will redirect to the IdP session logout.

If I understand correctly, both ways in the example in the docs are done from within the Laravel app itself, it's just that one directly redirects to the IdP, and one terminates the Laravel session.

These examples don't tell you what happens when a user logs out of a completely different app within the organization that also uses the same SSO session.

However, that gave me an idea: I will set the Laravel session to a short time, and then it will check with the IdP more frequently.

martinbean:

> I don't think this is the same thing. What you showed is just a way to log out the global session from the Laravel app, for example having a "Logout" button inside the Laravel app itself that will redirect to the IdP session logout.

@ligonsker They’re not the same thing! Why would there be two bullet points describing exactly the same scenario? I even pointed you to the endpoint that’s hit in your app when a user logs out of a completely different app, and the identity provider is telling you to end the session.

  1. One is if the user logs out of your app. You then need to notify the identity provider to close the global session.
  2. The other is if the global session is ended elsewhere (i.e. the user logging out of a completely different app). Then your app will be notified: “This user’s global session has ended. Please log them out of your app.”

Ligonsker:

@martinbean I don't think so; how can it be possible? Let's say my Laravel app is on myapp.example.com and a user logs out of the IdP session on someotherapp.example.com. They are two completely different apps in the organization.

How can a logout button clicked on a completely different website notify the user on the Laravel app?

I am still not sure, though, how /saml2/{uuid}/slo is supposed to be used.

martinbean:

> How can a logout button clicked on a completely different website notify the user on the Laravel app?

@Ligonsker Because that app would close the SSO session, which in turn would notify your app, “Hey, the SSO session’s been terminated. Please log the user out of your application.”

1 like
Ligonsker:

@martinbean Ok, so I think I got it, but it didn't work for some reason.

I added the slo route to web.php:

use App\Http\Controllers\SamlController;
use Illuminate\Support\Facades\Route;

// Test route for the IdP's logout notification
Route::get('/saml2/{uuid}/slo', [SamlController::class, 'test_slo']);

And then in the controller:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

// Only logs that the endpoint was hit, to confirm the IdP calls it
public function test_slo(Request $request)
{
    Log::debug("Someone signed out");
}

However nothing appears in the logs when I log out a user.

I also searched in the code of this package and I can't find anything about /saml2/{uuid}/slo (but they say it's "already provided").

Ligonsker:

@martinbean Is there a chance there's a mistake in the docs and they meant: saml2/{uuid}/sls instead of saml2/{uuid}/slo? Because they say saml2/{uuid}/slo is already provided but I couldn't find it anywhere in the code of the package, but I did find saml2/{uuid}/sls:

    Route::get('/{uuid}/sls', array(
        'as' => 'saml.sls',
        'uses' => 'Slides\Saml2\Http\Controllers\Saml2Controller@sls',
    ));

(Source: https://github.com/24Slides/laravel-saml2/blob/master/src/Http/routes.php)
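The setup martinbean describes (gate every route on the local session, and end that session when the IdP reports a global logout on the package's sls route) as an added example that is not the package's code or any participant's. It assumes the package's default route name `saml.login`, its `Slides\Saml2\Events\SignedOut` event as documented in the README, and a constructed config key `services.saml.tenant_uuid` holding the tenant UUID from the login URL.

```php
<?php
// Added example. Assumptions: route name "saml.login" and event
// Slides\Saml2\Events\SignedOut come from the 24Slides/laravel-saml2 package;
// config('services.saml.tenant_uuid') is a constructed key for the tenant UUID.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Register on the group in web.php:
//   Route::middleware(EnsureSamlAuthenticated::class)->group(function () { ... });
class EnsureSamlAuthenticated
{
    public function handle(Request $request, Closure $next)
    {
        // The local Laravel session is the source of truth. The SAML exchange
        // happens once, at the ACS endpoint, where the SignedIn listener
        // calls Auth::login(); no round trip to the IdP on ordinary requests.
        if (Auth::check()) {
            return $next($request);
        }

        // Remember the target so the post-login redirect can return here,
        // then bounce the browser to the IdP through the package's login route.
        $request->session()->put('url.intended', $request->fullUrl());

        return redirect()->route('saml.login', [
            'uuid' => config('services.saml.tenant_uuid'),
        ]);
    }
}

// --- In App\Providers\EventServiceProvider::boot() ---------------------
// When the global SSO session ends elsewhere, the IdP sends a LogoutRequest
// to /saml2/{uuid}/sls; the package validates it and dispatches SignedOut.
// Clearing the local session here is what makes the other app's logout
// take effect in this app.
//
// Event::listen(\Slides\Saml2\Events\SignedOut::class, function () {
//     Auth::logout();
//     request()->session()->invalidate();
//     request()->session()->regenerateToken();
// });
```

The IdP only sends that LogoutRequest if the SP's sls URL is registered with it as the logout URL and the user's SSO session includes this SP, so a silent sls endpoint usually means the Azure app registration has no logout URL configured.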

martinbean:

> Is there a chance there's a mistake in the docs and they meant: saml2/{uuid}/sls instead of saml2/{uuid}/slo?

@Ligonsker Ask the package maintainers…?

I don’t know as I’ve never used the package. I just read the docs after you linked to it.

1 like
