In the case of an AP-initiated logout request, logout responses are not getting generated. I initially created an issue, https://github.com/spring-projects/spring-security/issues/16051; at that time I was using our own company IDP and I was not sure whether the issue was at our IDP's end or not. Now I have tried the same configuration using Salesforce, which supports AP-initiated logout, and I am facing the same issue. Spring Security is not sending the logout response back, even though the logout response is generated without any error when debugging. Salesforce is generating the SAML request:

LogoutRequest:


In the logs I could see the logout response generated as

https://mysamlexamplesp.com:8443

But I don't see the response going to the IDP when checking with SAML-tracer in Chrome.

Spring Security Logout Responses not getting generated in case of AP initiated logout

I am not sure how to provide test cases for this, as it is AP-initiated logout. Let me know of any reference if it's possible; I am not aware of one. This is my sample for Salesforce: https://github.com/sasirekha98/samlExample.

I checked the samples provided for Spring Security: https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/saml2/login, whose readme says "saml2Logout() supports RP- and AP-initiated SAML 2.0 Single Logout via the HTTP-POST and HTTP-REDIRECT bindings against the Okta SAML 2.0 IDP reference implementation.", but Okta does not support IDP-initiated logout when Okta acts as the IDP: https://support.okta.com/help/s/article/Is-IDPinitiated-Single-LogOut-supported?language=en_US#:~:text=Okta%20does%20not%20support%20IDP,utilizing%20a%20custom%20SAML%20application. So I am not sure how to test this with Okta either.

Let me know if you need any other information.

Comment From: sasirekha98

I am closing the issue. The issue is due to the responses getting blocked by Chrome, as X-Frame-Options is set to DENY by Spring Security. When I updated the headers configuration `headers.frameOptions`, it worked, so I am closing the issue.
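
A configuration sketch related to the fix described in the closing comment, added here as an example and not taken from the poster's project or from Spring Security's samples: rather than switching `frameOptions` off for the whole application, it keeps `X-Frame-Options: DENY` everywhere except the SAML single-logout endpoint and allows only the IdP to frame that endpoint. The IdP origin `https://idp.example.com` is a placeholder, the class name is hypothetical, and the `/logout/saml2/slo` path assumes the default `saml2Logout()` endpoint.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class SamlSloFramingConfig {

    // Assumption: placeholder origin of the asserting party (IdP) that frames the SLO endpoint.
    private static final String IDP_ORIGIN = "https://idp.example.com";

    // Assumption: Spring Security's default SLO endpoint; adjust if the logout URL is customized.
    private static final RequestMatcher SLO_ENDPOINT =
            request -> request.getServletPath().startsWith("/logout/saml2/slo");

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .saml2Login(Customizer.withDefaults())
            .saml2Logout(Customizer.withDefaults())
            .headers(headers -> headers
                // Turn off the global X-Frame-Options: DENY writer ...
                .frameOptions(frame -> frame.disable())
                // ... and re-apply DENY to every response except the SLO endpoint.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(SLO_ENDPOINT),
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)))
                // On the SLO endpoint only, allow framing by the IdP origin and nothing else.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        SLO_ENDPOINT,
                        new StaticHeadersWriter("Content-Security-Policy",
                                "frame-ancestors 'self' " + IDP_ORIGIN))));
        return http.build();
    }
}
```

Checking the response headers on the SLO endpoint and on any other page in the browser's network panel confirms that only the logout endpoint can be framed.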