Expected Behavior
Saml2LogoutRequestFilter should return a logout response back to the user agent when validation errors happen. This would allow the logout flow to continue to other SPs involved in the session and not block the user agent. See https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf#1161 for more details.
Current Behavior
Right now Saml2LogoutRequestFilter terminates the logout flow when an error happens; see Saml2LogoutRequestFilter#122 and so on. It should instead construct a logout response with an appropriate status and pass that along to the user agent.
Comment From: jzheaux
I think this makes sense, @1livv since the spec says at https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf#1256 (emphasis mine):
The session participant/authority MUST process the message as defined in [SAMLCore]. After processing the message or upon encountering an error, the entity MUST issue a message containing an appropriate status code to the requesting identity provider to complete the SAML protocol exchange.
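
The error path discussed above, as an added example that is not Spring Security's own code: it builds a SAML LogoutResponse carrying a non-success status and the failed request's ID, using only JDK XML classes. The class name, the Failure enum, the entity ID and the URLs are assumptions for illustration; signing the response and encoding it for the redirect or POST binding are left to the SP's SAML library.

```java
import java.io.StringWriter;
import java.time.Instant;
import java.util.UUID;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class LogoutErrorResponseExample { // hypothetical class, not part of Spring Security
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String STATUS = "urn:oasis:names:tc:SAML:2.0:status:";

    enum Failure { INVALID_REQUEST, INTERNAL_ERROR } // hypothetical categories
    // Creates a namespaced element and appends it to the given parent.
    static Element child(Node parent, String ns, String qname) {
        Document d = parent instanceof Document ? (Document) parent : parent.getOwnerDocument();
        return (Element) parent.appendChild(d.createElementNS(ns, qname));
    }

    static String errorResponse(String requestId, String spEntityId, String idpSloUrl,
                                Failure failure) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Element resp = child(dbf.newDocumentBuilder().newDocument(), SAMLP, "samlp:LogoutResponse");
        resp.setAttribute("ID", "_" + UUID.randomUUID());
        resp.setAttribute("Version", "2.0");
        resp.setAttribute("IssueInstant", Instant.now().toString());
        resp.setAttribute("Destination", idpSloUrl);
        // The request ID may be unknown if the request could not be parsed at all.
        if (requestId != null) resp.setAttribute("InResponseTo", requestId);
        child(resp, SAML, "saml:Issuer").setTextContent(spEntityId);
        Element status = child(resp, SAMLP, "samlp:Status");
        // Requester: the request itself was at fault; Responder: this SP failed to process it.
        child(status, SAMLP, "samlp:StatusCode").setAttribute("Value",
                STATUS + (failure == Failure.INVALID_REQUEST ? "Requester" : "Responder"));
        // Keep the message generic; validation details belong in the SP's own log.
        child(status, SAMLP, "samlp:StatusMessage").setTextContent("Logout request was not processed");
        Transformer t = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(resp.getOwnerDocument()), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        System.out.println(errorResponse("_req-123", "https://sp.example.com/saml2/metadata",
                "https://idp.example.com/slo", Failure.INVALID_REQUEST));
    }
}
```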