From 9295e7a87b8f83c920cb318d90bc3fe7bbd4c504 Mon Sep 17 00:00:00 2001
From: Thomas Burkhalter
Date: Fri, 11 Sep 2020 18:38:59 +0200
Subject: [PATCH] Skip forgery protection on SAML callbacks

---
 app/controllers/application_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3621b76bd..7275b8e50 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,6 +9,7 @@ class ApplicationController < ActionController::Base
   before_action :set_sentry_request_context
   protect_from_forgery with: :exception
+  skip_forgery_protection if: :saml_callback_path? # HACK: https://github.com/heartcombo/devise/issues/5210
   # before_action :authenticate
   before_action :store_employee_location!, if: :storable_location?
@@ -101,4 +102,8 @@ def set_sentry_request_context
   def set_sentry_user_context
     Raven.user_context(id: current_user.try(:id), name: current_user.try(:shortname)) if ENV['SENTRY_DSN']
   end
+
+  def saml_callback_path?
+    request.fullpath == '/employees/auth/saml/callback'
+  end
 end
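Review bot: The predicate `saml_callback_path?` added in the second hunk compares `request.fullpath`, which includes the query string, so the exact match fails for a callback that carries any query parameter, while it exempts every HTTP method at that path rather than only the IdP's POST; both this hunk and the `skip_forgery_protection if:` line in the first hunk depend on it. A tighter check would be `request.post? && request.path == '/employees/auth/saml/callback'`. If the callback has its own controller (not visible here), `skip_forgery_protection only: :saml` on that controller would keep the exemption out of ApplicationController entirely. A comment on the predicate stating that the CSRF skip is acceptable only because the SAML response itself is signature-checked by the strategy, which this patch does not show, would document the assumption for the next reader.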