I am currently on Saml2-Service-Provider 5.8.9 and I am in the process of implementing an SP Initiated SLO.
To initiate the SLO I make a POST to /logout/slo/metadata, which as expected triggers the LogoutFilter to send a Saml2LogoutRequest to the IDP; once it sends this request it invalidates its session.
When the response is sent to /logout/request/metadata, it redirects me to login?error.
Logs before redirecting to the error page: Saml2LogoutResponseFilter - Did not process logout response since could not find associated LogoutRequest in saml
Security Configuration:
    OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
    provider.setResponseAuthenticationConverter(token -> {
        // Start from the default converter, then copy the SessionIndex into the principal's attributes
        Saml2Authentication authentication = OpenSamlAuthenticationProvider
                .createDefaultResponseAuthenticationConverter()
                .convert(token);
        Assertion assertion = token.getResponse().getAssertions().get(0);
        AuthnStatement statement = CollectionUtils.firstElement(assertion.getAuthnStatements());
        String sessionIndex = statement.getSessionIndex();
        DefaultSaml2AuthenticatedPrincipal principal = (DefaultSaml2AuthenticatedPrincipal) authentication.getPrincipal();
        principal.getAttributes().put("sessionIndex", Arrays.asList(sessionIndex));
        return new Saml2Authentication(principal, authentication.getSaml2Response(), AuthorityUtils.createAuthorityList("ROLE_USER"));
    });

    http
        .authorizeRequests(authorizeRequests ->
            authorizeRequests
                .anyRequest().authenticated()
        )
        .saml2Login(saml2 -> {
            saml2
                .relyingPartyRegistrationRepository(relyingPartyRegistrationRepository())
                .loginProcessingUrl("/login/saml20/{registrationId}")
                .authenticationManager(new ProviderManager(provider));
        })
        .saml2Logout(saml2 -> {
            saml2
                // SP-initiated logout is triggered here
                .logoutUrl("/logout/slo/{registrationId}")
                // IdP-initiated LogoutRequests and LogoutResponses from the IdP both arrive here
                .logoutRequest((request) -> request.logoutUrl("/logout/request/{registrationId}"))
                .logoutResponse((response) -> response.logoutUrl("/logout/request/{registrationId}"));
        });

    @Value("${private.key}") RSAPrivateKey key;
    @Value("${public.certificate}") X509Certificate certificate;

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
        Saml2X509Credential credential = Saml2X509Credential.signing(key, certificate);
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation("https://ap.example.org/metadata")
                .registrationId("metadata")
                .assertionConsumerServiceLocation("{baseUrl}/login/saml20/{registrationId}")
                .singleLogoutServiceLocation("{baseUrl}/logout/request/{registrationId}")
                .singleLogoutServiceResponseLocation("{baseUrl}/logout/request/{registrationId}")
                .singleLogoutServiceBinding(Saml2MessageBinding.REDIRECT)
                .signingX509Credentials((signing) -> signing.add(credential))
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
Comment From: singhishere003
Can anyone from the team please help me with the above query?
Comment From: jzheaux
Hi, @singhishere003, sorry for the delay. Given that your application correctly creates the LogoutRequest but then cannot find it upon redirect, it makes me wonder whether the session cookie is being provided on the redirect back to your relying party.
Can you confirm whether or not this is happening, given a sample 302 from the RP to the IdP, including response headers, and then the subsequent POST to the RP, including the request headers?
You may be affected by https://github.com/spring-projects/spring-security/issues/14297 and https://github.com/spring-projects/spring-security/issues/14793, though if so, I would think login would also fail in the same way.
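One way to gather the evidence asked for above from inside the application, as an added example that is neither the reporter's code nor part of Spring Security: a hypothetical diagnostic filter that, for each request hitting the configured logout response URL, records whether the browser sent a Cookie header at all, whether a server-side session still exists, and whether the LogoutRequest stored at the start of SP-initiated logout can still be loaded from that session. The filter class name, the log format and the use of HttpSessionLogoutRequestRepository as a stand-in for the default repository are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
import org.springframework.security.saml2.provider.service.web.authentication.logout.HttpSessionLogoutRequestRepository;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutRequestRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical diagnostic filter (not part of Spring Security). It only observes and logs;
// it never creates a session or alters the request, so it does not change logout behaviour.
public class SloResponseDiagnosticsFilter extends OncePerRequestFilter {

    // The logoutResponse URL from the configuration in the issue above
    private final RequestMatcher sloResponse = new AntPathRequestMatcher("/logout/request/{registrationId}");

    // Session-backed repository of the same type saml2Logout uses by default
    private final Saml2LogoutRequestRepository repository = new HttpSessionLogoutRequestRepository();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if (sloResponse.matches(request)) {
            // getSession(false): report what the browser's cookie resolved to, never create a new session
            HttpSession session = request.getSession(false);
            // Only consult the repository when a session exists; it loads the request saved when logout started
            Saml2LogoutRequest stored = (session == null) ? null : repository.loadLogoutRequest(request);
            logger.info("SLO response " + request.getMethod() + " " + request.getRequestURI()
                    + ": cookieHeaderPresent=" + (request.getHeader("Cookie") != null)
                    + ", sessionPresent=" + (session != null)
                    + ", storedLogoutRequestId=" + ((stored == null) ? "none" : stored.getId()));
        }
        chain.doFilter(request, response);
    }
}
```

Register it ahead of the Spring Security filter chain (in Spring Boot, a FilterRegistrationBean ordered before the security filter) so it sees the callback before Saml2LogoutResponseFilter redirects to login?error; a line showing cookieHeaderPresent=false points at the cookie not surviving the round trip, while sessionPresent=true with storedLogoutRequestId=none points at the request being dropped from the session.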
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.