sasirekha98 changed the title from "Logout at SP is not happening in the case of AP initiated in Saml2" to "Logout at SP is not happening in the case of AP initiated in Saml2 when Saml2MessageBinding is REDIRECT" on Nov 14, 2024
@sasirekha98 I am sorry that you have not yet received an answer to your question on Stack Overflow, but please do not cross-post. We prefer to use GitHub issues only for bugs and enhancements. Please consider adding a minimal sample that reproduces this issue if you feel this is a genuine bug.
Please keep in mind the information in the link above if providing a sample, as the sample should be minimal and reproducible by the person checking out the code. In gh-16091, you link to a sample which appears not to be reproducible given dependencies on a local filesystem and an external IdP. Ideally, the sample would provide a test that mocks external dependencies so you can isolate the problem to Spring Security.
I'm going to close this issue in favor of the SO question.
@sjohnr I am actually using our own company IDP, so I am not able to give access; that's the reason I am not able to provide a sample to reproduce it either.
For the session, I was able to figure out the reason why it fails: it's due to the SameSite issue. In the case of the AP-initiated logout request I am not seeing the JSESSIONID coming, and because of that it fails to invalidate the session.
But I am still not sure why it is not sending any logout responses.
And for #16091, I am not sure why you are not able to reproduce it; I am still able to reproduce the issue.
In the AP-initiated LogoutRequest case, the LogoutResponse is not reaching the IDP.
Currently I have this configuration:
```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .csrf(csrf -> csrf.disable())
        .authorizeHttpRequests((authz) -> authz
            .requestMatchers(new AntPathRequestMatcher("/samlLogin")).authenticated()
            .requestMatchers(new AntPathRequestMatcher("/*")).permitAll()
        )
        .saml2Login(Customizer.withDefaults())
        .saml2Metadata(Customizer.withDefaults())
        .saml2Logout(Customizer.withDefaults())
        .securityContext(securityContext -> securityContext
            .securityContextRepository(new HttpSessionSecurityContextRepository())
        )
        .build();
}
```
```java
@Bean
public RelyingPartyRegistrationRepository registrationRepository() {
    RelyingPartyRegistration registration = RelyingPartyRegistrations
        .fromMetadataLocation("idp.xml")
        .registrationId(registrationId)
        .entityId(spEntityID)
        .nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:transient")
        .singleLogoutServiceBinding(Saml2MessageBinding.POST)
        .singleLogoutServiceLocation(LogoutServiceLocation)
        .signingX509Credentials(credential -> credential.add(asSigningCredential()))
        .decryptionX509Credentials(decryptionCredential -> decryptionCredential.add(asDecryptionCredential()))
        .build();
    return new InMemoryRelyingPartyRegistrationRepository(registration);
}
```
I see the logout request from the IDP to the SP coming in properly. I also see that my logout response is generated properly: when I debug, it goes to the Saml2LogoutRequestFilter and generates the Saml2LogoutResponse properly as well. I do not see any error, but still the IDP does not receive any LogoutResponse, nor is the session cleared at the SP. In the logs:
```
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.DigesterOutputStream - Pre-digested input:
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.DigesterOutputStream - <saml2p:LogoutResponse xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https:inforsts/idp/samlSLO" ID="LR71aaf86c-46e9-4e74-b713-1df71f15c2da" InResponseTo="_1c7b9b6475e13434fff5c2e8a2286878" IssueInstant="2024-11-08T12:33:45.888Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.com:443</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode></saml2p:Status></saml2p:LogoutResponse>
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.SignerOutputStream - Canonicalized SignedInfo:
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.SignerOutputStream - <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
<ds:Reference URI="#LR71aaf86c-46e9-4e74-b713-1df71f15c2da">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
<ds:DigestValue>2t7PoCNN4cnijQH54VmV62w2eEryZ7BghBblG91uCII=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
```
After that there is no log to trace what happened and why the session is not cleared.
When I change `singlelogout.binding` to REDIRECT, the logout response reaches the IDP successfully. But even though the IDP has logged out the user, when I try to access any endpoint it still says the user is authenticated and I am still able to get the principal. Even though the logout happened successfully, while debugging I can see that it cleared the securityContextRepository in SecurityContextLogoutHandler.logout, but the session still exists.
Stack Overflow link: https://stackoverflow.com/questions/79164188/saml-logout-response-is-not-getting-generated
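A mitigation for the SameSite finding described in this comment, as an added example rather than code from the issue or from Spring Security: a Spring Boot `CookieSameSiteSupplier` that marks the session cookie `SameSite=None` so the browser includes it on the IdP's cross-site POST. It assumes Spring Boot 2.6 or later with an embedded servlet container, the default `JSESSIONID` cookie name, and that the SP is served over HTTPS.

```java
// Added example, not code from the issue or from Spring Security.
// Assumes Spring Boot 2.6+ (embedded servlet container) and the default
// session cookie name JSESSIONID.
import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionCookieSameSiteConfig {

    // An IdP-initiated (AP-initiated) LogoutRequest over the POST binding is a
    // cross-site, top-level POST from the IdP's origin to the SP. When the session
    // cookie has no SameSite attribute, current browsers treat it as Lax, and Lax
    // cookies are NOT sent on cross-site POSTs. The SP therefore receives the
    // LogoutRequest without JSESSIONID, finds no session, and cannot invalidate it.
    //
    // The REDIRECT binding is a top-level GET navigation, on which Lax cookies ARE
    // sent, which matches the observation that switching the binding makes the
    // request carry the session.
    //
    // Marking the session cookie SameSite=None lets the POST binding carry it too.
    // Browsers only honour SameSite=None on Secure cookies, so pair this with
    //   server.servlet.session.cookie.secure=true
    // and serve the SP over HTTPS. The same effect is available as the property
    //   server.servlet.session.cookie.same-site=none
    @Bean
    public CookieSameSiteSupplier sessionCookieSameSite() {
        return CookieSameSiteSupplier.ofNone().whenHasName("JSESSIONID");
    }
}
```

Restricting the supplier to the session cookie keeps any other cookies (for example the CSRF cookie, if one is used) at their existing SameSite setting.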