401 on SAML logout if asserting party does not support SLO #15122

OrangeDog · 2024-05-21T13:40:40Z

Describe the bug
When I POST to the SAML logoutUrl, a 401 response is returned.

To Reproduce

.logout(logout -> logout.invalidateHttpSession(false))  // issue #14853
.saml2Login(saml -> saml
    .authenticationRequestUri("/saml/authenticate/{registrationId}")
    .loginPage("/saml/discovery")
    .loginProcessingUrl("/saml/SSO")
)
.saml2Logout(saml -> saml
    .logoutUrl("/saml/logout")
    .logoutRequest(request -> request.logoutUrl("/saml/SingleLogout"))
    .logoutResponse(response -> response.logoutUrl("/saml/SingleLogout"))
)

14:15:21.139 [XNIO-1 task-2] DEBUG FilterChainProxy - Securing POST /saml/logout
14:15:21.144 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Retrieved SecurityContextImpl [Authentication=Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG SecurityContextPersistenceFilter - Set SecurityContextHolder to SecurityContextImpl [Authentication=Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG Saml2LogoutConfigurer$Saml2RelyingPartyInitiatedLogoutFilter - Logging out [Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Did not store empty SecurityContext
14:15:21.145 [XNIO-1 task-2] TRACE OpenSamlLogoutRequestResolver - Attempting to resolve registrationId from Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]
14:15:21.146 [XNIO-1 task-2] TRACE Saml2RelyingPartyInitiatedLogoutSuccessHandler - Returning 401 since no logout request generated
14:15:21.147 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Did not store empty SecurityContext
14:15:21.147 [XNIO-1 task-2] DEBUG SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request

Expected behavior
It should redirect to / after logout, regardless of whether the asserting party was sent an SLO request.

Additional
The OpenSamlLogoutRequestResolver returned null here:

if (registration.getAssertingPartyDetails().getSingleLogoutServiceLocation() == null) {
    return null;
}

I'm guessing the intent is that the 401 triggers a redirect back to /login, but it should use the same mechanism as the regular logout in case someone is not using the default configuration.

The text was updated successfully, but these errors were encountered:

OrangeDog added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 21, 2024

jzheaux added in: saml2 An issue in SAML2 modules type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

401 on SAML logout if asserting party does not support SLO #15122

401 on SAML logout if asserting party does not support SLO #15122

OrangeDog commented May 21, 2024

401 on SAML logout if asserting party does not support SLO #15122

401 on SAML logout if asserting party does not support SLO #15122

Comments

OrangeDog commented May 21, 2024