I am currently on Saml2-Service-Provider 5.8.9 and I am in the process of implementing an SP-initiated SLO.
To initiate the SLO I make a POST to /logout, which, as expected, triggers the LogoutFilter to send a Saml2LogoutRequest to the IDP; once it sends this request it invalidates its session.
The request goes to the IDP end and the IDP terminates its session (VERIFIED), but when the SP receives the LogoutResponse from the IDP it does not have any session and thus fails, as it returns logoutRequest as null (https://github.com/spring-projects/spring-security/blob/main/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/Saml2LogoutResponseFilter.java#L121)
Thus my SP SLO fails with:
HTTP ERROR 400 Failed to find associated LogoutRequest
URI: /logout/saml2/slo
400
Failed to find associated LogoutRequest
default
I am unsure as to why this is happening; any pointers on how to go about this would help me.
Below are the logs of the same.
INFO: POST "/logout"
RegexRequestMatcher: Checking match of request : '/logout'; against '.*/saml2/.*'
RegexRequestMatcher: Checking match of request : '/logout'; against '/logout'
FilterChainProxy: Securing POST /logout
FilterChainProxy: Invoking DisableEncodeUrlFilter (1/20)
FilterChainProxy: Invoking WebAsyncManagerIntegrationFilter (2/20)
FilterChainProxy: Invoking SecurityContextPersistenceFilter (3/20)
HttpSessionSecurityContextRepository: Retrieved SecurityContextImpl [Authentication=Saml2Authentication [Principal=org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal@5e8117cc, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.19.24.145, SessionId=null], Granted Authorities=[AUTH_MGMT_POWER_OPS] from SPRING_SECURITY_CONTEXT
org.springframework.security.web.context.SecurityContextPersistenceFilter: Set SecurityContextHolder to SecurityContextImpl [Authentication=Saml2Authentication [Principal=org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal@5e8117cc, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.19.24.145, SessionId=null], Granted Authorities=[AUTH_MGMT_POWER_OPS]
.
.
FilterChainProxy: Invoking LogoutFilter (8/20)
LogoutFilter: Logging out [Saml2Authentication [Principal=org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal@5e8117cc, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.19.24.145, SessionId=null], Granted Authorities=[AUTH_MGMT_POWER_OPS]
SecurityContextLogoutHandler: Invalidated session 36119c1f-221e-48a2-962a-d65becfad85c
org.springframework.security.web.context.HttpSessionSecurityContextRepository: Did not store empty SecurityContext
org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlLogoutRequestResolver: Attempting to resolve registrationId from Saml2Authentication [Principal=org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal@5e8117cc, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=10.19.24.145, SessionId=null], Granted Authorities=[AUTH_MGMT_POWER_OPS]
org.springframework.security.web.DefaultRedirectStrategy: Redirecting to https://dev-74229794.okta.com/app/dev-74229794_cmspring589_1/exkez43116GgvUiIf5d7/slo/saml?SAMLRequest=nZLLbtswEEV%2FReCeokjrYRGW06J
HttpSessionSecurityContextRepository: Did not store empty SecurityContext
SecurityContextPersistenceFilter: Cleared SecurityContextHolder to complete request
INFO: "/logout/saml2/slo" - LogoutResponse
FilterChainProxy: Securing POST /logout/saml2/slo
FilterChainProxy: Invoking DisableEncodeUrlFilter (1/20)
FilterChainProxy: Invoking WebAsyncManagerIntegrationFilter (2/20)
FilterChainProxy: Invoking SecurityContextPersistenceFilter (3/20)
HttpSessionSecurityContextRepository: No HttpSession currently exists
HttpSessionSecurityContextRepository: Created SecurityContextImpl [Null authentication]
SecurityContextPersistenceFilter: Set SecurityContextHolder to empty SecurityContext
FilterChainProxy: Invoking HeaderWriterFilter (4/20)
FilterChainProxy: Invoking Saml2LogoutRequestFilter (5/20)
FilterChainProxy: Invoking Saml2LogoutResponseFilter (6/20)
logout.Saml2LogoutResponseFilter: Did not process logout response since could not find associated LogoutRequest
HttpSessionSecurityContextRepository: Did not store empty SecurityContext
HttpSessionSecurityContextRepository: Did not store empty SecurityContext
SecurityContextPersistenceFilter: Cleared SecurityContextHolder to complete request
Comment From: jzheaux
It appears you may have configured your application for local logout, so when you POST to logout, the session gets terminated. IOW, the local endpoint should not be invalidating the session.
Will you please share your filter chain configuration?
Comment From: siddharth-78
Set invalidateSession to false in the configure(HttpSecurity) method and it works fine.
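The configuration change that the thread converges on, written out as an added example (this is not code from the issue, from the reporter, or from Spring Security itself). The DSL method that the last comment calls "invalidateSession" is `LogoutConfigurer.invalidateHttpSession(boolean)`. The class name `SamlSloConfig`, the method names and the `anyRequest().authenticated()` rule are assumptions made for the example; the two chains are otherwise identical so that the single differing line is the one under discussion.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Assumed class name; any @Configuration class works.
@Configuration
public class SamlSloConfig {

    // Weak form, reproducing the sequence in the logs above. Invalidating the HttpSession
    // on POST /logout is Spring Security's default; it is spelled out here only so the
    // contrast with the corrected chain is visible. Deliberately not a @Bean.
    SecurityFilterChain sloBrokenByLocalLogout(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(Customizer.withDefaults())
            .saml2Logout(Customizer.withDefaults())
            // SecurityContextLogoutHandler invalidates the session before the redirect to
            // the IdP ("Invalidated session ..." in the log). The pending Saml2LogoutRequest
            // is kept in that same session by HttpSessionLogoutRequestRepository, so when
            // the IdP posts its LogoutResponse to /logout/saml2/slo there is nothing to
            // correlate it with and Saml2LogoutResponseFilter answers
            // 400 "Failed to find associated LogoutRequest".
            .logout(logout -> logout.invalidateHttpSession(true));
        return http.build();
    }

    // Corrected form: keep the HttpSession alive across the round trip to the IdP so the
    // stored LogoutRequest is still present when the LogoutResponse arrives.
    @Bean
    SecurityFilterChain sloFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .saml2Login(Customizer.withDefaults())
            .saml2Logout(Customizer.withDefaults())
            // The fix from the thread: clear the authentication on POST /logout but leave
            // the session (and with it the saved Saml2LogoutRequest) intact.
            .logout(logout -> logout.invalidateHttpSession(false));
        return http.build();
    }
}
```

Two things worth checking after applying this. First, `invalidateHttpSession(false)` only stops the session from being destroyed; `SecurityContextLogoutHandler` still clears the `SecurityContextHolder`, and `HttpSessionSecurityContextRepository` then drops the stored context, which is what the "Did not store empty SecurityContext" lines in the log reflect. Second, the HttpSession and its id now survive the logout until they time out or are invalidated elsewhere, so if your threat model requires the session to be gone after SLO, make sure something invalidates it once the LogoutResponse has been processed rather than relying on the local /logout step to do it.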