OpenSamlLogoutRequestValidator invalidates correct SAML2 Logout Request

[bitrecycling]

Describe the bug
IDP sends logout request to SP (implemented with spring security 5.6.1). That request correctly does not contain NameID, but either BaseID or EncryptedID, both of which are fine according to SAML2 standard (see OASIS, Logout Request MUST have one of NameID, BaseID, EncryptedId).

The bug is in the private method validateName, it should not only consider NameId but also BaseId and EncryptedID from the Request to validate.

See here:

spring-security/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java

Line 156 in ad90745

private Consumer<Collection<Saml2Error>> validateName(LogoutRequest request, Authentication authentication) {

To Reproduce
Have an IDP send correct Logout Request with EncryptedID as Principal / Name Identifier. Spring Security SAML2 (OpenSamlLogoutRequestValidator) invalidates the request, hence no logout is done

Expected behavior
Spring should validate standard-conformant logout requests and hence allow a logout request sent from IDP to log out the principal from the SP.

Sample
I could provide one if really necessary, but just compare the SAML2 Standard regarding the Logout Request (see "core" here http://saml.xml.org/saml-specifications or here ->) from the http://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf Section 3.7.1 Line 2676:
saml:BaseID or saml:NameID or saml:EncryptedID [Required]

against https://github.com/spring-projects/spring-security/blob/main/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java](https://github.com/spring-projects/spring-security/blob/ad907457eeeee46da101215f5408d3cd98de4881/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java#L162)

[jzheaux]

Thanks for the suggestion, @bitrecycling. I think the decryption key can be obtained from the RelyingPartyRegistration.

Are you able to provide a PR that adds this feature?

[bitrecycling]

@jzheaux I try to provide a PR, let me check out the contribution guidlines and setup everything. It will likely take a couple of days, I have another project to work on.

BTW: I still I think it's a bug, not an improvement :). Spring is not adhering to the SAML2 standard IMO.

[bitrecycling]

@jzheaux I did not reach you on gitter, I could provide a PR soon, but I cannot push my branch to the repo. Do I need privileges from you or shall I provide the PR in another way (e.g. as patch file or in a forked repo)?

[bitrecycling]

@jzheaux #10689