Open spring-projects-issues opened 9 years ago
Johannes Larsson said:
My customer experiences the same problem. They have 2 Spring SAML applications where IDP-initiated SLO fails.
Once the IDP sends a SAML SLO request to Spring SAML, it's just doing a local logout and returning the logout page (/logout.jsp). This is using the default configuration. If there is more than one SP logged in, the SLO flow will be stuck at the Spring-SAML-Security applications.
The page where it's 'stuck' or locally logged out is logoff.do?SAMLRequest=....
Johannes Larsson said:
Resolved, this only seems to be an issue with the POST SLO binding. Configuring redirect is the workaround.
<!-- Filter automatically generates default SP metadata -->
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <!-- Advertise only the redirect binding for single logout -->
            <property name="bindingsSLO" value="redirect" />
        </bean>
    </constructor-arg>
</bean>
<!-- Logout handler terminating local session -->
<bean id="logoutHandler"
      class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="true"/>
</bean>
Mohit Jain said:
I have made the above mentioned changes but the problem still persists. The Authentication object is always coming back null as SecurityContextHolder doesn't have authentication credentials. Please help me out to figure out how we can get the authentication object.
Vladimir Schäfer said:
The Security Context is created during authentication and the call SecurityContextHolder.getContext().getAuthentication(); should therefore be returning a non-null value. If it is null it either means that the user's session has already been terminated, or your IDP is making a direct HTTP call instead of using user's browser to deliver the logout message. This is not supported by the SAML specification. This issue is known to happen at least with the WSO2IS IDP, is this your provider as well?
Sree Ganesh Thyagarajan said:
Hi Vladimir,
I am using spring security for SAML integration with my application. The application is performing SSO properly. But when I try to do Single Logout, I am getting an error in the logout response as "No user logged in". I am using Microsoft AD and ADFS. Please find my status code and error message.
<saml2p:Status>
    <saml2p:StatusMessage>No user is logged in</saml2p:StatusMessage>
</saml2p:Status>
Please provide your inputs on the same. Thanks.
Regards, Sree
Jeremy Simon said:
I am a user of WSO2 IS 5.0.0 and running into this issue right now as well. I have three questions about this:
Answers appreciated!
Same here:
// Excerpt from SAMLLogoutProcessingFilter.processLogout: the SAML credential is
// taken from whatever Authentication is currently in the SecurityContext
else if (context.getInboundSAMLMessage() instanceof LogoutRequest) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    SAMLCredential credential = null;
    if (auth != null) {
        // with no authenticated user in the context, credential stays null
        credential = (SAMLCredential) auth.getCredentials();
    }
}
Old thread, but anyone looking at this should note: I've seen this behavior because the SLO request is coming directly from the WSO2 server, not from the user. Check your server logs and note what IP address the SLO request is coming from.
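The suggestion above (check where the SLO request comes from) and Vladimir's two explanations (session already gone vs. IdP calling the SP directly) can be turned into a quick log triage. The script below is an added example, not code from the thread or from Spring SAML: it parses constructed access-log lines, picks out requests to assumed SLO endpoints (`/app/saml/SingleLogout`, `/app/logoff.do`), and classifies each as browser-delivered with a session cookie, browser-delivered without one (session expired), or back-channel (source IP is the assumed IdP address, or the User-Agent is not a browser). The IdP address, paths and log lines are all made up for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines: combined log format plus a trailing quoted
# Cookie field. Addresses, paths and cookie values are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /app/saml/SingleLogout HTTP/1.1" 200 512 "-" "Mozilla/5.0" "JSESSIONID=ABC123"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /app/logoff.do?SAMLRequest=fZEx HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
192.0.2.5 - - [01/Jan/2024:10:00:03 +0000] "POST /app/saml/SingleLogout HTTP/1.1" 500 20 "-" "Apache-HttpClient/4.5" "-"
203.0.113.12 - - [01/Jan/2024:10:00:04 +0000] "GET /app/home HTTP/1.1" 200 100 "-" "Mozilla/5.0" "JSESSIONID=DEF456"
"""

IDP_ADDRESSES = {"192.0.2.5"}          # assumed IdP host address (constructed)
SLO_PATHS = ("/app/saml/SingleLogout", "/app/logoff.do")  # assumed SP logout endpoints
SESSION_COOKIE = "JSESSIONID="          # servlet container session cookie name

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_slo_request(entry):
    """A request is an SLO delivery if it hits a logout endpoint via POST
    binding or carries a SAMLRequest query parameter (redirect binding)."""
    parts = urlsplit(entry["target"])
    query = parse_qs(parts.query)
    return parts.path in SLO_PATHS and (entry["method"] == "POST" or "SAMLRequest" in query)


def classify(entry):
    """Map one SLO request to the failure mode it points at."""
    if entry["ip"] in IDP_ADDRESSES or not entry["ua"].startswith("Mozilla/"):
        # Delivered by the IdP server itself (or another non-browser client):
        # no user session can be present, whatever the SP does.
        return "back-channel"
    if SESSION_COOKIE not in entry["cookie"]:
        # Browser delivered the message, but it carried no SP session cookie,
        # so the SP session had already expired or been invalidated.
        return "no-session"
    return "browser-session"


def triage(log_text):
    """Return (ip, target, classification) for every SLO request in the log."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_slo_request(entry):
            results.append((entry["ip"], entry["target"], classify(entry)))
    return results


if __name__ == "__main__":
    for ip, target, kind in triage(SAMPLE_LOG):
        print(f"{kind:16} {ip:15} {target}")
```

Only the "browser-session" case can succeed in the filter quoted above; a "no-session" hit explains the null Authentication from an expired session, and a "back-channel" hit means the IdP is delivering the LogoutRequest itself rather than through the user's browser, which the filter cannot serve because there is no session to find.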
I'm getting an AnonymousAuthenticationToken instead for some reason, which gives SAMLCredentials as an empty string and I get a ClassCastException:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
SAMLCredential credential = null;
if (auth != null) {
    credential = (SAMLCredential) auth.getCredentials();
}
Please help!! @vschafer
Hi rmangesh1988,
Did you ever find a solution for your issue? I see this same behaviour when a user logs out on a different SP and the session has timed out on our side. If the session is still alive, SLO works fine.
Hubert Wagener (Migrated from SES-159) said:
SingleLogout is not functional.
Logout requests issued by the IDP fail.
More verbose: Consider in the SingleLogout the IDP sent a logout request like
In SAMLLogoutProcessingFilter.processLogout(..) the credentials are computed as
Actually I don't understand how (and where) the credentials of the user "demo@xxx.de" are (or should be) put into the security context when called from the IDP as given above.
What happens is: The logout request fails with an exception (due to null credential) thrown at:
SingleLogoutProfileImpl.processLogoutRequest(...)
Sure the session of the user should be destroyed, but I don't see where this case is considered in the code. Can you please help in understanding?