14:15:21.139 [XNIO-1 task-2] DEBUG FilterChainProxy - Securing POST /saml/logout
14:15:21.144 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Retrieved SecurityContextImpl [Authentication=Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG SecurityContextPersistenceFilter - Set SecurityContextHolder to SecurityContextImpl [Authentication=Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG Saml2LogoutConfigurer$Saml2RelyingPartyInitiatedLogoutFilter - Logging out [Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Did not store empty SecurityContext
14:15:21.145 [XNIO-1 task-2] TRACE OpenSamlLogoutRequestResolver - Attempting to resolve registrationId from Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]
14:15:21.146 [XNIO-1 task-2] TRACE Saml2RelyingPartyInitiatedLogoutSuccessHandler - Returning 401 since no logout request generated
14:15:21.147 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Did not store empty SecurityContext
14:15:21.147 [XNIO-1 task-2] DEBUG SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request
Expected behavior
It should redirect to / after logout, regardless of whether the asserting party was sent an SLO request.
Additional
The OpenSamlLogoutRequestResolver returned null here:
if (registration.getAssertingPartyDetails().getSingleLogoutServiceLocation() == null) {
return null;
}
I'm guessing the intent is that the 401 triggers a redirect back to /login, but it should use the same mechanism as the regular logout in case someone is not using the default configuration.
Describe the bug When I POST to the SAML
logoutUrl
, a 401 response is returned.To Reproduce
Expected behavior It should redirect to / after logout, regardless of whether the asserting party was sent an SLO request.
Additional The
OpenSamlLogoutRequestResolver
returnednull
here:I'm guessing the intent is that the 401 triggers a redirect back to /login, but it should use the same mechanism as the regular logout in case someone is not using the default configuration.