Describe the bug
IDP sends a logout request to the SP (implemented with Spring Security 5.6.1). That request correctly does not contain a NameID, but either a BaseID or an EncryptedID, both of which are fine according to the SAML2 standard (see OASIS: a Logout Request MUST have one of NameID, BaseID, EncryptedID).

The bug is in the private method validateName: it should consider not only NameID but also BaseID and EncryptedID from the request when validating.

See here: https://github.com/spring-projects/spring-security/blob/ad907457eeeee46da101215f5408d3cd98de4881/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java#L156

To Reproduce
Have an IDP send a correct Logout Request with EncryptedID as Principal / Name Identifier. Spring Security SAML2 (OpenSamlLogoutRequestValidator) invalidates the request, hence no logout is done.

Expected behavior
Spring should validate standard-conformant logout requests and hence allow a logout request sent from the IDP to log out the principal from the SP.

Sample
I could provide one if really necessary, but just compare the SAML2 standard regarding the Logout Request (see "core" here: http://saml.xml.org/saml-specifications, or here: http://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf, Section 3.7.1, line 2676: <saml:BaseID> or <saml:NameID> or <saml:EncryptedID> [Required])

against https://github.com/spring-projects/spring-security/blob/main/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java (permalink: https://github.com/spring-projects/spring-security/blob/ad907457eeeee46da101215f5408d3cd98de4881/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java#L162)
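The subject check the report asks for, written out as an added example (this is not Spring Security's own validateName, nor the code from the linked PR). It assumes a hypothetical class LogoutRequestSubjectCheck and an OpenSAML Decrypter that the caller has already built from the relying party's decryption credentials; the OpenSAML types (LogoutRequest, NameID, BaseID, EncryptedID, Decrypter) and the Spring Security types (Authentication, Saml2Error, Saml2ErrorCodes) are real. The point it shows is the one the report makes: accept any of the three identifier forms the spec allows, decrypt an EncryptedID before comparing it against the logged-in principal, and fail closed on anything ambiguous (no identifier, more than one identifier, or a BaseID that cannot be mapped to a principal name) rather than silently letting the logout through.

```java
import java.util.ArrayList;
import java.util.List;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.BaseID;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.xmlsec.encryption.support.DecryptionException;

import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;

/**
 * Hypothetical subject check for a SAML 2.0 LogoutRequest that accepts the three
 * identifier forms the spec allows (NameID, BaseID, EncryptedID). Added illustration,
 * not Spring Security's own validateName().
 */
public final class LogoutRequestSubjectCheck {

    // Assumed to be built by the caller from the SP's decryption credentials.
    private final Decrypter decrypter;

    public LogoutRequestSubjectCheck(Decrypter decrypter) {
        this.decrypter = decrypter;
    }

    /** Returns an empty list when the request's subject matches the logged-in principal. */
    public List<Saml2Error> validate(LogoutRequest request, Authentication authentication) {
        List<Saml2Error> errors = new ArrayList<>();
        if (authentication == null) {
            return errors; // nothing to compare against; the caller decides what an anonymous logout means
        }
        NameID nameId = request.getNameID();
        BaseID baseId = request.getBaseID();
        EncryptedID encryptedId = request.getEncryptedID();

        int present = (nameId != null ? 1 : 0) + (baseId != null ? 1 : 0) + (encryptedId != null ? 1 : 0);
        if (present == 0) {
            errors.add(new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND,
                    "LogoutRequest carries no NameID, BaseID or EncryptedID"));
            return errors;
        }
        if (present > 1) {
            // The spec expects exactly one identifier form; fail closed rather than guess which one to trust.
            errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST,
                    "LogoutRequest carries more than one subject identifier"));
            return errors;
        }

        if (encryptedId != null) {
            try {
                // An EncryptedID wraps either a NameID or a BaseID; only the decrypted form can be compared.
                XMLObject decrypted = this.decrypter.decrypt(encryptedId);
                if (decrypted instanceof NameID) {
                    nameId = (NameID) decrypted;
                } else if (decrypted instanceof BaseID) {
                    baseId = (BaseID) decrypted;
                } else {
                    errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST,
                            "EncryptedID did not decrypt to a NameID or BaseID"));
                    return errors;
                }
            } catch (DecryptionException ex) {
                errors.add(new Saml2Error(Saml2ErrorCodes.DECRYPTION_ERROR,
                        "Failed to decrypt EncryptedID: " + ex.getMessage()));
                return errors;
            }
        }

        if (nameId != null) {
            String name = nameId.getValue();
            if (name == null || !name.equals(authentication.getName())) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST,
                        "Subject in LogoutRequest does not match the logged-in user"));
            }
            return errors;
        }

        // BaseID is an abstract extension point: OpenSAML exposes only its qualifiers, so a generic SP
        // cannot derive a comparable principal name from it. Fail closed unless a deployment-specific
        // mapping is plugged in (not shown here).
        errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST,
                "BaseID subjects are not supported by this validator"));
        return errors;
    }
}
```

The ordering matters for the security property: the identifier is decrypted before any comparison, and every branch that cannot positively match the principal returns an error, so an attacker-supplied logout request can never terminate a session it does not name.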

Comment From: jzheaux

Thanks for the suggestion, @bitrecycling. I think the decryption key can be obtained from the RelyingPartyRegistration.

Are you able to provide a PR that adds this feature?

Comment From: bitrecycling

@jzheaux I'll try to provide a PR; let me check out the contribution guidelines and set everything up. It will likely take a couple of days, I have another project to work on.

BTW: I still think it's a bug, not an improvement :). Spring is not adhering to the SAML2 standard IMO.

Comment From: bitrecycling

@jzheaux I did not reach you on Gitter. I could provide a PR soon, but I cannot push my branch to the repo. Do I need privileges from you, or shall I provide the PR in another way (e.g. as a patch file or in a forked repo)?

Comment From: bitrecycling

@jzheaux https://github.com/spring-projects/spring-security/pull/10689

Comment From: jzheaux

I still think it's a bug, not an improvement :)

I see where you are coming from. We reserve bugs for when a feature is broken, not when one is missing. As a separate example, it's not a bug that Spring Security won't accept assertions using the Artifact binding, even though that's part of the SAML spec.

Comment From: bitrecycling

I see, thanks for the clarification