I don’t know if it’s a bug, or it’s just an unrealized feature, but I decided to create a bug.
I'm trying to move from spring-security-saml2-core to spring-security-saml2-service-provider, because the first library is deprecated.
I want to send a SamlLogout request. I see that in the new version of the development library, they added the ability to write http.saml2Logout(Customizer.withDefaults()). I use it, but I cannot get the desired result. I send a request to /logout/saml2/slo and I don't see a result. In the code I see the class Saml2LogoutRequestFilter. I think that this class should send the SamlLogoutRequest, but it requires SamlRequest in the params. Where should I get this param? I think that Saml2LogoutRequestResolver creates it, but I cannot find where.
In the old library, the class SingleLogoutProfileImpl sent the LogoutRequest.
I use spring-security 5.6.1.
Comment From: boukewoudstra
I am in the same process and I needed some hacks to get this working, this was one of them. For login the CSRF token is automatically ignored, but for the logout you have to configure this manually like:
http.csrf().ignoringAntMatchers("/logout/saml2/slo");
It would be nice if Spring security would automatically provide this exclusion or at least document this. You can detect this problem by raising your log level in your application.properties: logging.level.root=DEBUG
You can set the logout success-url by the way simply through: http.logout().logoutSuccessUrl("https://www.anysiteyouwant.nl");
(I was searching to configure this in the saml2Logout configuration, but these options did not work.)
Comment From: jzheaux
Saml2LogoutRequestFilter and Saml2LogoutResponseFilter are placed before the CsrfFilter, so I think something more is going on here. For example, these two filters are skipped if the request doesn't match, which would cause CsrfFilter to be invoked.
@boukewoudstra, can you please provide a sample that reproduces your issue and file it in a separate ticket?
Comment From: jzheaux
@fink-artem, the request endpoint is for the IdP to send you a LogoutRequest. That is, Saml2LogoutRequestFilter is for IdP-initiated logout.
If you want to initiate logout, you should be able to send a POST /logout to your application, the same as with other logout mechanisms. This will send a LogoutRequest to the IdP as detailed in the documentation.
Does the above address your question?
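An added configuration example (not code from the Spring Security project or from anyone in this thread) that puts the pieces mentioned above together: saml2Logout with defaults, RP-initiated logout triggered by POST /logout, and the logout success URL set through http.logout(). It assumes Spring Security 5.6 and that a RelyingPartyRegistrationRepository with signing credentials is already provided elsewhere (for example by Spring Boot's spring.security.saml2.relyingparty properties); the class name and the /logged-out URL are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical config class; assumes a RelyingPartyRegistrationRepository bean
// (with signing credentials for the LogoutRequest) is defined elsewhere.
@Configuration
public class SamlLogoutSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(Customizer.withDefaults())
            // Registers Saml2LogoutRequestFilter and Saml2LogoutResponseFilter on
            // /logout/saml2/slo for the IdP-initiated flow, and wires the
            // RP-initiated flow (LogoutRequest sent to the IdP) behind POST /logout.
            .saml2Logout(Customizer.withDefaults())
            // Where the browser lands once the SAML logout exchange completes.
            .logout(logout -> logout.logoutSuccessUrl("/logged-out"));
        return http.build();
    }
}
```

CSRF protection stays enabled with this setup, so the POST /logout that starts RP-initiated logout must carry the CSRF token (a logout form or hidden field), while /logout/saml2/slo is handled by the SAML filters placed before CsrfFilter.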
Comment From: boukewoudstra
I can not reproduce the CSRF problem anymore. Sorry for the confusion around that. It was probably a mistake of the configuration on my side.
Comment From: fink-artem
@jzheaux Thanks for your answer. It really helped me.
Comment From: EmanuelCozariz
I'll still post here, maybe someone will see: "This will send a LogoutRequest to the IdP as detailed [in the documentation]"
From what I understand, Saml2LogoutRequest is only created by the OpenSaml3LogoutRequestResolver, which is in turn invoked by the Saml2RelyingPartyInitiatedLogoutSuccessHandler. Do we need to add this Saml2RelyingPartyInitiatedLogoutSuccessHandler to the standard Spring logout filter?