Open spring-projects-issues opened 8 years ago
You'll want to set the extended metadata for your IdP, something like this should work:
```xml
<property name="extendedMetadata">
    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
        <property name="requireLogoutResponseSigned" value="true" />
    </bean>
</property>
```
John Chan (Migrated from SES-175) said:
Regardless of the setting, the LogoutResponse is never signed.
This is because line 242 in `org.springframework.security.saml.websso.SingleLogoutProfileImpl.java`, `boolean signMessage = context.getPeerExtendedMetadata().isRequireLogoutResponseSigned()`, is always false.
By SAML standards, I believe this should always be true, but if I interpret the intent correctly, this should be changed to: `boolean signMessage = context.getLocalExtendedMetadata().isRequireLogoutResponseSigned()`
It seems that some IdPs don't enforce the signing (OpenAM for instance). However, Ping Federate does.
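Whichever metadata object the flag is read from, the practical question for an operator is whether the LogoutResponse the SP actually emits carries an enveloped XML Signature. The following Python script is an added example (not code from the Spring Security SAML project or from the issue) that inspects a captured `samlp:LogoutResponse` and reports whether a `ds:Signature` is present as a direct child of the response, together with the issuer and status code, so the result can be compared against what the peer IdP requires. The two sample messages are constructed for this example; the `SignatureValue` in the signed one is a placeholder, and the script only checks for the presence of a signature, not its cryptographic validity, which requires the signer's certificate.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML-DSig namespaces.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def logout_response_is_signed(xml_text: str) -> bool:
    """Return True if the LogoutResponse carries an enveloped ds:Signature.

    Only a Signature that is a direct child of the samlp:LogoutResponse element
    counts; a signature buried elsewhere in the document does not cover the
    response itself.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError(f"not a samlp:LogoutResponse: {root.tag}")
    return root.find(f"{{{DS}}}Signature") is not None


def check_logout_response(xml_text: str, peer_requires_signed: bool) -> dict:
    """Summarise a captured LogoutResponse against the peer's signing requirement.

    peer_requires_signed mirrors the requireLogoutResponseSigned flag of the
    peer's ExtendedMetadata: if the peer requires a signature and none is
    present, the response will be rejected by a strict IdP.
    """
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    signed = logout_response_is_signed(xml_text)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "status": status.get("Value") if status is not None else None,
        "signed": signed,
        "ok": signed or not peer_requires_signed,
    }


# Constructed sample: an unsigned LogoutResponse as an SP might emit it when
# signMessage evaluates to false.
UNSIGNED_LOGOUT_RESPONSE = """<samlp:LogoutResponse
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z"
    Destination="https://idp.example.test/slo" InResponseTo="_constructed-request-1">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>"""

# Constructed sample: the same response with an enveloped signature. The
# SignatureValue and DigestValue are placeholders, not real signature bytes.
SIGNED_LOGOUT_RESPONSE = """<samlp:LogoutResponse
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-2" Version="2.0" IssueInstant="2017-01-01T00:00:00Z"
    Destination="https://idp.example.test/slo" InResponseTo="_constructed-request-2">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-response-2">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER_DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER_SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>"""


if __name__ == "__main__":
    for label, msg in (("unsigned", UNSIGNED_LOGOUT_RESPONSE), ("signed", SIGNED_LOGOUT_RESPONSE)):
        print(label, check_logout_response(msg, peer_requires_signed=True))
```

Run it against a LogoutResponse captured from the SP's SLO endpoint (for example, the Base64-decoded `SAMLResponse` parameter) to confirm that the flag you configured has the effect you expect; an unsigned response with `peer_requires_signed=True` is reported as not ok, which matches the rejection a strict IdP such as the one mentioned above would produce.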