Currently an auto-configured relying party registration cannot be modified afterwards.
In my case I configured a SAML single logout URL via Spring Security. But I cannot set the configured logout URL on the auto-configured RelyingPartyRegistration.singleLogoutServiceLocation.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.web.SecurityFilterChain;

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http, RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) throws Exception {
    // Resolves the RelyingPartyRegistration for the current request; the metadata filter serves SP metadata built from it
    RelyingPartyRegistrationResolver relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository);
    Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());
    return http
            .saml2Login(Customizer.withDefaults())
            .saml2Logout(Customizer.withDefaults())
            .addFilterBefore(metadataFilter, Saml2WebSsoAuthenticationFilter.class)
            .build();
}
```
I add the Saml2MetadataFilter together with the OpenSamlMetadataResolver to make the relying party metadata available.
The OpenSamlMetadataResolver uses the data from the RelyingPartyRegistration.
The problem now is that the logout URL is not part of the metadata because it is not set in the RelyingPartyRegistration.
A solution could be to provide a way to customize the auto-configured RelyingPartyRegistration before it is created.
The same thing already exists for the RestTemplate with the RestTemplateCustomizer.
My current workaround is to skip the auto-configuration and create and register the RelyingPartyRegistration myself with my own RelyingPartyRegistrationRepository bean.
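The workaround described above, written out as an added example (this is not code from the issue author or from Spring Boot): a hand-built RelyingPartyRegistrationRepository bean that loads the asserting party details from IdP metadata and then sets the single logout location, response location and binding that the auto-configuration has no properties for, plus the relying party signing credential that a signed LogoutRequest needs. The metadata URL, registration id, classpath key and certificate paths are assumptions; with a registration built this way, the Saml2MetadataFilter from the first message emits a SingleLogoutService element because the value is now present on the registration.

```java
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.converter.RsaKeyConverters;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;

@Configuration
public class Saml2RelyingPartyConfig {

    // Assumed values: replace with your IdP metadata location and your own signing key pair.
    private static final String IDP_METADATA = "https://idp.example.com/metadata.xml";
    private static final String SIGNING_KEY = "saml/rp-signing.key";  // PKCS#8 PEM private key
    private static final String SIGNING_CERT = "saml/rp-signing.crt"; // X.509 PEM certificate

    // Defining this bean switches off the Spring Boot auto-configured repository,
    // so every relying party setting has to be provided here.
    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() throws Exception {
        Saml2X509Credential signing = signingCredential();
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                // Asserting party entity id, SSO endpoint, verification certificates
                // (and SLO endpoint, if the IdP publishes one) come from the IdP metadata.
                .fromMetadataLocation(IDP_METADATA)
                .registrationId("one")
                // Relying party SLO endpoint: the auto-configuration cannot set these three today.
                .singleLogoutServiceLocation("{baseUrl}/logout/saml2/slo")
                .singleLogoutServiceResponseLocation("{baseUrl}/logout/saml2/slo")
                .singleLogoutServiceBinding(Saml2MessageBinding.POST)
                // LogoutRequests sent to the IdP are signed with this credential.
                .signingX509Credentials(credentials -> credentials.add(signing))
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }

    private static Saml2X509Credential signingCredential() throws Exception {
        try (InputStream key = new ClassPathResource(SIGNING_KEY).getInputStream();
             InputStream cert = new ClassPathResource(SIGNING_CERT).getInputStream()) {
            RSAPrivateKey privateKey = RsaKeyConverters.pkcs8().convert(key);
            X509Certificate certificate = (X509Certificate) CertificateFactory
                    .getInstance("X.509")
                    .generateCertificate(cert);
            return Saml2X509Credential.signing(privateKey, certificate);
        }
    }
}
```

The `{baseUrl}` placeholder is resolved per request by DefaultRelyingPartyRegistrationResolver, so the same registration works behind different hostnames. Keep the private key out of the application jar in real deployments; the classpath resource is only for the sake of a self-contained example.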
Comment From: mhalbritter
I wonder why we only made some properties of the RelyingPartyRegistration configurable via Saml2RelyingPartyProperties. Maybe we should add singleLogoutServiceLocation in there, too?
This would be more straightforward than adding RelyingPartyRegistrationCustomizer.
Comment From: mhalbritter
singleLogoutServiceLocation is new in Spring Security and our auto-configuration was written before it existed. We should add the singleLogoutServiceLocation to our properties to support that use case.
@ugrave Would that solve your problem?
Comment From: ugrave
This should work for me.
There are also some others missing: singleLogoutServiceBinding, singleLogoutServiceResponseLocation and nameIdFormat.
Some of them are filled with values from the IDP metadata if available (e.g. the singleLogoutServiceLocation and singleLogoutServiceBinding are filled with the values of the asserting party details returned by the IDP metadata).
In my case the values are not filled by the IDP because it does not support IDP-initiated logout.
Comment From: bameur
Hello. If I understand correctly, the SLO is not currently compatible with auto-configuration based on the config parameters. We need to code the instantiation of the RelyingPartyRegistration to be able to insert the SLO conf! Is that right? Thank you in advance.
Comment From: mhalbritter
Yes, see the workaround in the first message.
Comment From: bameur
Thank you @mhalbritter. Will the next update contain the necessary config for the SLO? I just want to know if I should schedule the adaptation of my projects or wait for the update.
Comment From: wilkinsona
We can't say for certain at this time. As shown by its milestone, we hope to address this issue in Spring Boot 2.7 but that's not guaranteed. It may have to be deferred until a later milestone if other work takes priority.
Comment From: marcusdacoregio
To align with the Single Logout properties in RelyingPartyRegistration I think the following properties have to be added:
```yaml
spring:
  security:
    saml2:
      relyingparty:
        one:
          ...
          slo:
            location: /logout/saml2/slo          # RelyingPartyRegistration::singleLogoutServiceLocation
            response-location: /logout/saml2/slo # RelyingPartyRegistration::singleLogoutServiceResponseLocation
            binding: POST                        # RelyingPartyRegistration::singleLogoutServiceBinding
          identityprovider:
            ...
            singlelogout:
              location: ...          # RelyingPartyRegistration#AssertingPartyDetails::singleLogoutServiceLocation
              response-location: ... # RelyingPartyRegistration#AssertingPartyDetails::singleLogoutServiceResponseLocation
              binding: POST          # RelyingPartyRegistration#AssertingPartyDetails::singleLogoutServiceBinding
```
The RelyingPartyRegistration::singleLogoutServiceLocation is required in order to activate the Single Logout for the tenant.