Conversation
@Hufschmidt Hufschmidt commented Dec 15, 2025

As mentioned here (and now also here), there are a bunch of issues with the shib_logout.php SSO/global logout handling.

The initial HTTP 500 error was already fixed in 9.x, but not applied to 10.
This PR now also fixes all other outstanding bugs/issues that prevented shibboleth SSO logout from working here.

Note that this was tested with our own ILIAS 9 instance, but since no other changes apart from directory structure have happened between 9 and 10 this should also work.

Commits have been split into the issues they fix:

  1. Fixes the HTTP 500 PHP error, because $DIC->http() is only available after ILIAS was initialized
  2. The variable $HTTP_RAW_POST_DATA has been deprecated since PHP 5.5 and prevented this IF statement from ever being triggered, but is vital for SSO via shibboleth back channel to work
  3. Is an optional commit to fix indentation of fallback soap response
  4. Adds the missing shibboleth_session_id $_SESSION information that will be stored by ilSession as data column into the usr_session table. This information is required by shib_logout.php to find the correct session to destroy upon sso logout.
  5. Fixes an issue where shib_logout.php treated the data field fetched from the usr_session table as an array of arrays, but it just contains the key/value content of previous $_SESSION variable, no for loop required. This also does a small cosmetic change to some variable names.

EDIT: Fixed include path for ILIAS10.
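As an added illustration (not ILIAS code from this PR) of the back-channel path points 2, 4 and 5 describe: the raw SOAP body is read from php://input instead of the removed $HTTP_RAW_POST_DATA, the Shibboleth SessionID is pulled from the LogoutNotification message, and the stored session data is treated as one serialized $_SESSION per row. It assumes the data column holds serialize($_SESSION) with a shibboleth_session_id key; the function and constant names are hypothetical.

```php
<?php
// Added example, not part of the PR. Assumptions: the SOAP body is Shibboleth's
// LogoutNotification, and each usr_session.data row holds serialize($_SESSION)
// in which shib_login.php stored a 'shibboleth_session_id' key.
declare(strict_types=1);

const SHIB_NOTIFY_NS = 'urn:mace:shibboleth:2.0:sp:notify';

/** Raw request body; $HTTP_RAW_POST_DATA is gone, so this IF-path now runs. */
function readRawPostBody(): string
{
    return (string) file_get_contents('php://input');
}

/** SessionID from a LogoutNotification SOAP envelope, or null if absent/invalid. */
function extractLogoutSessionId(string $soapXml): ?string
{
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($soapXml);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return null;
    }
    $doc->registerXPathNamespace('n', SHIB_NOTIFY_NS);
    $nodes = $doc->xpath('//n:LogoutNotification/n:SessionID');
    if (empty($nodes)) {
        return null;
    }
    $id = trim((string) $nodes[0]);
    return $id === '' ? null : $id;
}

/**
 * Find the local session whose stored $_SESSION carries this Shibboleth id.
 * $rows mimics SELECT session_id, data FROM usr_session: data is ONE
 * serialized $_SESSION array per row, not an array of arrays.
 */
function findSessionIdForShibSession(array $rows, string $shibSessionId): ?string
{
    foreach ($rows as $row) {
        $session = @unserialize($row['data'], ['allowed_classes' => false]);
        if (!is_array($session)) {
            continue; // corrupt or foreign row: skip, never match
        }
        if (($session['shibboleth_session_id'] ?? null) === $shibSessionId) {
            return (string) $row['session_id'];
        }
    }
    return null;
}
```

The matched session_id is what shib_logout.php would then hand to the session store for destruction; without the key from point 4 the lookup never matches and the IdP-initiated logout is silently ignored.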


Hufschmidt commented Dec 16, 2025

Additionally there is another issue/design flaw in regard to the required SSO logout user flow.

For SSO logout to work correctly, that means for an ILIAS logout to also trigger logout of other SPs connected to the same IdP, the user must be redirected to /Shibboleth.sso/Logout after successful local logout. This will redirect the user to the appropriate IdP, which in turn triggers SSO logout for all other active SPs via their back-channel. Currently ILIAS simply redirects the user to its own logout page [1], but this means you are only logged out of ILIAS, no other SP.

We have implemented the correct behaviour for ILIAS 9, but since this is now nearing its end of feature updates I've ported this change to ILIAS 10 as well. I'll attach this change as a Patch-File only since I think this might ideally need some improvements, e.g.:

  • Make SSO logout configurable (enable/disable) as it necessitates that the user leaves the platform via the aforementioned redirect
  • Ideally this target should probably be implemented in the ConfigurableLogoutTarget class instead, which currently only looks at the globally configured logout target. In its current state this could already be configured to redirect to the shibboleth logout URL, but this means it would be enabled globally for all accounts, regardless of their (current) authentication method!

Patch: 0001-Shibboleth-sessions-must-redirect-the-user-to-Shibbo.patch


[1] This target is now configurable with ILIAS 10, but currently only applies globally!

@mjansenDatabay mjansenDatabay added improvement php Pull requests that update Php code labels Dec 16, 2025