feat: include SessionIndex in logout requests

Some idp's use the sessionindex rather than the uid to find the correct
session to sign out. I've made this work by saving it in the session
alongside the uid, then putting it back into the logout request where
ruby-saml can handle it, and include it in the logout request

Author: iainbeeston

lib/omniauth/strategies/saml.rb

@@ -159,7 +159,7 @@ def other_phase
         Hash[found_attributes]
       end
 
-      extra { { :raw_info => @attributes, :response_object =>  @response_object } }
+      extra { { :raw_info => @attributes, :session_index => @session_index, :response_object =>  @response_object } }
 
       def find_attribute_by(keys)
         keys.each do |key|
@@ -182,6 +182,7 @@ def handle_response(raw_response, opts, settings)
 
         response.is_valid?
         @name_id = response.name_id
+        @session_index = response.sessionindex
         @attributes = response.attributes
         @response_object = response
 
@@ -190,6 +191,7 @@ def handle_response(raw_response, opts, settings)
         end
 
         session["saml_uid"] = @name_id
+        session["saml_session_index"] = @session_index
         yield
       end
 
@@ -220,6 +222,7 @@ def handle_logout_response(raw_response, settings)
 
         session.delete("saml_uid")
         session.delete("saml_transaction_id")
+        session.delete("saml_session_index")
 
         redirect(slo_relay_state)
       end
@@ -254,6 +257,10 @@ def generate_logout_request(settings)
           settings.name_identifier_value = session["saml_uid"]
         end
 
+        if settings.sessionindex.nil?
+          settings.sessionindex = session["saml_session_index"]
+        end
+
         logout_request.create(settings, RelayState: slo_relay_state)
       end
     end