spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Not generating saml2: LogoutResponse and there is no logs to trace what happened #16051

Closed sasirekha98 closed 2 weeks ago

sasirekha98 commented 2 weeks ago

In the AP-initiated LogoutRequest flow, the LogoutResponse is not reaching the IDP.

Currently I have this configuration:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests((authz) -> authz
                    .requestMatchers(new AntPathRequestMatcher("/samlLogin")).authenticated()
                    .requestMatchers(new AntPathRequestMatcher("/*")).permitAll())
            .saml2Login(Customizer.withDefaults())
            .saml2Metadata(Customizer.withDefaults())
            .saml2Logout(Customizer.withDefaults())
            .securityContext(securityContext -> securityContext
                    .securityContextRepository(new HttpSessionSecurityContextRepository()))
            .build();
}

@Bean
public RelyingPartyRegistrationRepository registrationRepository() {
    // registrationId, spEntityID, LogoutServiceLocation, asSigningCredential() and
    // asDecryptionCredential() are fields/helpers of the surrounding class, not shown here.
    RelyingPartyRegistration registration = RelyingPartyRegistrations
            .fromMetadataLocation("idp.xml")
            .registrationId(registrationId)
            .entityId(spEntityID)
            .nameIdFormat("urn:oasis:names:tc:SAML:2.0:nameid-format:transient")
            .singleLogoutServiceBinding(Saml2MessageBinding.POST)
            .singleLogoutServiceLocation(LogoutServiceLocation)
            .signingX509Credentials(credential -> credential.add(asSigningCredential()))
            .decryptionX509Credentials(decryptionCredential -> decryptionCredential.add(asDecryptionCredential()))
            .build();
    return new InMemoryRelyingPartyRegistrationRepository(registration);
}
```

I see the logout request from the IDP to the SP coming through properly. I also see that my logout response is generated properly: when I debug, it goes to the Saml2LogoutRequestFilter and generates the Saml2LogoutResponse properly as well. I do not see any error, but the IDP still does not receive any LogoutResponse, nor is the session cleared at the SP. In the logs:

```
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.DigesterOutputStream - Pre-digested input:
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.DigesterOutputStream - https://sp.com:443</saml2:Issuer></saml2p:StatusCode></saml2p:Status></saml2p:LogoutResponse>
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.SignerOutputStream - Canonicalized SignedInfo:
2024-11-08 18:03:45 DEBUG o.a.x.s.utils.SignerOutputStream -
2t7PoCNN4cnijQH54VmV62w2eEryZ7BghBblG91uCII=
```

After that there is no log to trace what happened and why the session is not cleared.

Updated: I still feel something is wrong here. When I change singlelogout.binding to REDIRECT, the logout response reaches the IDP successfully. The IDP has logged out the user, but when I try to access any endpoint it still says the user is authenticated and I am still able to get the principal. Even though the logout happened successfully, while debugging I am able to see that it cleared the securityContextRepository in SecurityContextLogoutHandler.logout, but the session still exists.

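
One way to close the logging gap described in the report above, as an added example that is not from the issue or from Spring Security itself: a Saml2LogoutResponseResolver decorator that records what the stock OpenSaml4LogoutResponseResolver produced (or that it produced nothing) before Saml2LogoutRequestFilter tries to deliver it. The decorator class, the bean name and the log messages are assumptions; the example assumes Spring Security 6 with OpenSAML 4.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSaml4LogoutResponseResolver;
import org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseResolver;

// Hypothetical decorator (not part of Spring Security): wraps the stock resolver so every
// resolved, or missing, LogoutResponse leaves a trace before the filter tries to send it.
final class LoggingLogoutResponseResolver implements Saml2LogoutResponseResolver {

    private static final Logger log = LoggerFactory.getLogger(LoggingLogoutResponseResolver.class);
    private final Saml2LogoutResponseResolver delegate;

    LoggingLogoutResponseResolver(Saml2LogoutResponseResolver delegate) {
        this.delegate = delegate;
    }

    @Override
    public Saml2LogoutResponse resolve(HttpServletRequest request, Authentication authentication) {
        Saml2LogoutResponse response = this.delegate.resolve(request, authentication);
        if (response == null) {
            // Nothing was built, so no LogoutResponse can reach the IdP for this request.
            log.warn("No LogoutResponse resolved for {} {}", request.getMethod(), request.getRequestURI());
            return null;
        }
        // Binding, destination and parameter names show which delivery path the filter will
        // take; the signed SAMLResponse value itself is deliberately kept out of the log.
        log.info("Resolved LogoutResponse: binding={} location={} parameters={}",
                response.getBinding(), response.getLocation(), response.getParameters().keySet());
        return response;
    }
}

@Configuration
class Saml2LogoutTracingConfig {

    // Assumed bean name. Wire it into the chain with:
    // .saml2Logout(saml2 -> saml2.logoutResponse(r -> r.logoutResponseResolver(resolver)))
    @Bean
    Saml2LogoutResponseResolver logoutResponseResolver(RelyingPartyRegistrationRepository registrations) {
        return new LoggingLogoutResponseResolver(
                new OpenSaml4LogoutResponseResolver(new DefaultRelyingPartyRegistrationResolver(registrations)));
    }
}
```
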
jzheaux commented 2 weeks ago

Thanks for getting in touch, @sasirekha98! It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (and we can continue talking about logging over there) or add more detail if you feel this is a genuine bug.

sasirekha98 commented 2 weeks ago

Thanks @jzheaux. Here is the Stack Overflow link: https://stackoverflow.com/questions/79164188/saml-logout-response-is-not-getting-generated. It's very difficult to figure out what's wrong since there is no logging after that. I tried the same with the samples provided as well; same issue. So it will be helpful to know where it's going wrong.

sasirekha98 commented 1 week ago

@jzheaux With the same configuration, when I change singlelogout.binding to REDIRECT, the request reaches the IDP properly. I still think there is some issue. DefaultRedirectStrategy is redirecting properly to the IDP, but when I change it to POST I don't see the logout response going.