spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

401 on SAML logout if asserting party did not sign response #15123

Open OrangeDog opened 1 month ago

OrangeDog commented 1 month ago

Describe the bug
Spring Security is unable to complete SLO successfully if the asserting party (IdP) does not sign the SAMLResponse.

To Reproduce
Configure Spring Security with an appropriate asserting party. For example, ssocircle.com behaves like this and provides free registration. Make a local POST request to the logoutUrl (e.g. /logout).

15:56:44.555 [XNIO-1 task-4] DEBUG Saml2LogoutResponseFilter - Failed to validate LogoutResponse: [[invalid_signature] Missing signature algorithm for object [s89652e27611a5f8e733de5740a858c3c92b7c7a6]]

Expected behavior
A signed SAMLResponse is not required for SLO.

Additional
An example (decoded) response that triggers this:

<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s002717a127d695922d9c6247f1d9dfc12beda1dc" Version="2.0"
    IssueInstant="2024-05-21T14:40:21Z"
    Destination="https://localhost:8443/saml/SingleLogout"
    InResponseTo="LR6585d0d1-439d-44f0-bde0-51444dc46e02">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.ssocircle.com</saml:Issuer>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">
    </samlp:StatusCode>
  </samlp:Status>
</samlp:LogoutResponse>
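To make concrete what the filter is being asked to accept, here is an added example (not Spring Security code, and not from the reporter) that parses a LogoutResponse like the one above and separates the checks that hold whether or not the message is signed (Issuer matches the configured asserting party, InResponseTo matches the LogoutRequest ID the SP sent, Destination matches the SP's SLO endpoint, StatusCode is Success) from the signature requirement, which is a policy knob. It only detects whether a ds:Signature element is present; it does not verify XML-DSig. The function and dataclass names are made up for this example, the sample inputs are constructed inline (the "signed" variant carries a placeholder signature), and it uses only the Python standard library:

```python
"""Structural checks on a SAML 2.0 LogoutResponse (added example, not Spring Security code)."""
from dataclasses import dataclass, field
from typing import List, Optional
import xml.etree.ElementTree as ET  # production code should use a hardened parser (e.g. defusedxml)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample input: the unsigned response quoted in the report, re-indented.
UNSIGNED_RESPONSE = """\
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s002717a127d695922d9c6247f1d9dfc12beda1dc" Version="2.0"
    IssueInstant="2024-05-21T14:40:21Z"
    Destination="https://localhost:8443/saml/SingleLogout"
    InResponseTo="LR6585d0d1-439d-44f0-bde0-51444dc46e02">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.ssocircle.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>
"""

# Constructed variant with a ds:Signature element. Its content is a placeholder: this
# example only detects that a signature is present, it does not verify XML-DSig.
SIGNED_RESPONSE = UNSIGNED_RESPONSE.replace(
    "  <samlp:Status>",
    '  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>\n"
    "  <samlp:Status>",
)


@dataclass
class LogoutResponseCheck:
    """Hypothetical result type: extracted fields plus the list of failed checks."""
    issuer: Optional[str]
    in_response_to: Optional[str]
    destination: Optional[str]
    status: Optional[str]
    signed: bool
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def check_logout_response(xml_text: str, expected_issuer: str, sent_request_id: str,
                          expected_destination: str, require_signature: bool = True) -> LogoutResponseCheck:
    """Run the signature-independent checks, then apply the signature policy."""
    root = ET.fromstring(xml_text)
    errors: List[str] = []
    if root.tag != "{%s}LogoutResponse" % NS["samlp"]:
        errors.append("root element is not samlp:LogoutResponse")

    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    in_response_to = root.get("InResponseTo")
    destination = root.get("Destination")
    status_el = root.find("samlp:Status/samlp:StatusCode", NS)
    status = status_el.get("Value") if status_el is not None else None
    # Presence only: a real validator verifies the enveloped signature against the
    # asserting party's certificate from its metadata.
    signed = root.find("ds:Signature", NS) is not None

    if issuer != expected_issuer:
        errors.append("unexpected issuer %r" % issuer)
    if in_response_to != sent_request_id:
        errors.append("InResponseTo does not match the LogoutRequest we sent")
    if destination != expected_destination:
        errors.append("Destination does not match our SLO endpoint")
    if status != STATUS_SUCCESS:
        errors.append("status is not Success: %r" % status)
    if require_signature and not signed:
        errors.append("missing signature")
    return LogoutResponseCheck(issuer, in_response_to, destination, status, signed, errors)


if __name__ == "__main__":
    for name, doc in (("unsigned", UNSIGNED_RESPONSE), ("signed", SIGNED_RESPONSE)):
        result = check_logout_response(doc, "https://idp.ssocircle.com",
                                       "LR6585d0d1-439d-44f0-bde0-51444dc46e02",
                                       "https://localhost:8443/saml/SingleLogout")
        print(name, "ok" if result.ok else result.errors)
```

With require_signature left at its default the unsigned sample fails on exactly one check, the missing signature; with it set to False the same message passes, because the correlating fields and status are all consistent. That is the trade-off behind the report: without a signature the SP has no cryptographic assurance of who produced the response, so relaxing the requirement is a per-asserting-party decision rather than a global default, and the InResponseTo correlation becomes the main thing tying the response to a logout the SP actually initiated.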