Expected Behavior
The SAML Single Logout (initiated by relying party) should use LogoutConfigurer.getLogoutRequestMatcher(...), combined with Saml2LogoutConfigurer.Saml2RequestMatcher to detect logout requests.
It would also be great if the logoutMatcher could be customized, because Saml2LogoutConfigurer.Saml2RequestMatcher is not always desirable.
Current Behavior
Currently, only a single logout URL can be configured with Saml2LogoutConfigurer, while LogoutConfigurer allows full customization of the RequestMatcher. If that matcher is not a simple "must be a POST to a single URL", the LogoutFilter created by Saml2LogoutConfigurer cannot be configured appropriately.
Context
I have an application with different logout URLs that redirect the user to different logout success URLs. That requires a complex RequestMatcher in LogoutConfigurer, and it cannot currently be done in Saml2LogoutConfigurer.
Workaround: Configure an ObjectPostProcessor on Saml2LogoutConfigurer that creates the LogoutFilter from scratch.
Naming might get a bit messy here, because logoutRequestMatcher might mean "request matcher for the logout" or "matcher for the SAML LogoutRequest".
Comment From: jzheaux
@chschu thanks for posting this.
Workaround: Configure an ObjectPostProcessor on Saml2LogoutConfigurer that creates the LogoutFilter from scratch.
I wonder why this is. Can you not call setLogoutRequestMatcher on the LogoutFilter passed to your ObjectPostProcessor?
The SAML Single Logout (initiated by relying party) should use LogoutConfigurer.getLogoutRequestMatcher(...), combined with Saml2LogoutConfigurer.Saml2RequestMatcher to detect logout requests.
This makes sense since it seems quite odd that an application would configure logout to have a custom URL and then leave saml2Logout using /logout. It does seem that logout's custom URL should influence saml2Logout's.
Can you provide a PR along these lines that determines Saml2LogoutConfigurer's request matcher like so:
- If the application provided a logoutUrl, use it
- Otherwise, if the application has a LogoutConfigurer, use its request matcher combined with Saml2RequestMatcher
- Otherwise, default to POST /logout
Since this would be a breaking change, I'm still thinking about whether it can go into a 5.x release or whether it needs to wait until 6.x. Either way, a PR is welcome.
It would also be great if the logoutMatcher could be customized, because Saml2LogoutConfigurer.Saml2RequestMatcher is not always desirable.
I think this is already possible using an object post-processor. I think we should leave the DSL as simple as possible for the time being. We can always revisit if it appears there is a lot of demand for this.
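The object-post-processor workaround discussed in this comment, written out as an added example (it is not code from this issue or from Spring Security itself). It assumes Spring Security 5.8 package names, two hypothetical application logout URLs, and that Saml2LogoutConfigurer hands its LogoutFilter to postProcess, as the comment states; the SAML-session check re-implements what the configurer's private Saml2RequestMatcher does, since that class is not public.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class SamlLogoutConfig {
    // Hypothetical application logout endpoints (each redirects to its own success URL).
    private static final RequestMatcher APP_LOGOUT = new OrRequestMatcher(
            new AntPathRequestMatcher("/logout/internal", "POST"),
            new AntPathRequestMatcher("/logout/partner", "POST"));

    // Mirrors the check in Saml2LogoutConfigurer's private Saml2RequestMatcher:
    // only treat the request as SAML single logout for a SAML-authenticated session.
    private static final RequestMatcher SAML_SESSION = request -> {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && auth.getPrincipal() instanceof Saml2AuthenticatedPrincipal;
    };

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .saml2Login(withDefaults())
            // LogoutConfigurer keeps the full matcher for non-SAML sessions.
            .logout(logout -> logout.logoutRequestMatcher(APP_LOGOUT))
            // Saml2LogoutConfigurer only exposes logoutUrl(), so post-process its LogoutFilter
            // and replace the default "POST /logout" matcher.
            .saml2Logout(saml2 -> saml2.addObjectPostProcessor(new ObjectPostProcessor<LogoutFilter>() {
                @Override
                public <O extends LogoutFilter> O postProcess(O filter) {
                    filter.setLogoutRequestMatcher(new AndRequestMatcher(APP_LOGOUT, SAML_SESSION));
                    return filter;
                }
            }));
        return http.build();
    }
}
```

Because the SAML logout filter sits ahead of the standard LogoutFilter in the chain, a SAML-authenticated user hitting either URL gets relying-party-initiated single logout, while any other session falls through to the ordinary logout handling.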
Comment From: chschu
I wonder why this is. Can you not call setLogoutRequestMatcher on the LogoutFilter passed to your ObjectPostProcessor?
Oh, of course. I have overlooked this.
I'll provide a PR for Saml2LogoutConfigurer's request matcher.
Comment From: tommai78101
Hello to all, may I ask what's the current status of this issue? I'm currently using v5.8.3.
Comment From: akhil-lm
Hi @jzheaux, I've a customized url '/saml/logout' (method = GET) for Single Logout, that I need to use for Saml2 Logout. Ideally, when the 'Saml2RelyingPartyInitiatedLogoutFilter' is created in Saml2LogoutConfigurer, I need the requestMatcher url for it to be '/saml/logout' instead of the default '/logout' and method should be GET instead of the default POST.
'I wonder why this is. Can you not call setLogoutRequestMatcher on the LogoutFilter passed to your ObjectPostProcessor?' -
I understand that the above statement would be a way to achieve the mapping of my customized url '/saml/logout' with Saml2RelyingPartyInitiatedLogoutFilter, but I don't exactly understand how to implement such ObjectPostProcessor configuration. I tried many mapping configurations for it, but they didn't work out.
Is there any example or resource for the implementation quoted above that you could point me to? Thanks. cc @chschu: was the Saml2LogoutConfigurer's request matcher implemented? I still couldn't find one.
Comment From: jzheaux
Thanks for reaching out, @akhil-lm. Will you please post that instead to StackOverflow and add the link here? We can continue that conversation over there. In that way, this ticket can continue to stay focused on the proposed feature.
Comment From: jzheaux
After some consideration, I don't think that we should do this. We can get the same value by adding Saml2LogoutConfigurer#logoutRequestMatcher and remain passive.
Is someone able to provide a PR that adds this method?