Skip to content

Invalid order of query paramerter in SAMLResponse for an AP-Initiated SLO #18324

New issue
New issue
Open
Open
Invalid order of query paramerter in SAMLResponse for an AP-Initiated SLO#18324
Labels
status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug
@kartikvarma

Description

@kartikvarma
kartikvarma
opened on Dec 16, 2025

Describe the bug
In an AP-Initiated SLO, the signed response for the HTTP redirect binding with relaystate is incorrect. The AP fails to validate the signature.

The relying party, after validating the logout request in the Saml2LogoutRequestFilter, delegates the task of resolving the response to BaseOpenSamlLogoutResponseResolver.

Here, the response XML is constructed. If the binging is an HTTP POST, the LogoutResponse is signed; otherwise, the XML is deflated-encoded, and the signing parameters (HashMap) are signed. If the LogoutRequest has a relay state, the map of signing parameters includes it.

OpenSaml4Template.OpenSaml4SignatureConfigurer.sign takes a Map and then constructs the query string, and then signs it. Here, the actual parameter order that Spring Security uses for HTTP-Redirect binding is incorrect. (basically loses the order because of HashMap).

To Reproduce
Run the below sample code with jbang

jbang run TestSigningMethod.java

Expected behavior
A signed SLO SAML Response should have the query parameter in the correct order.

Sample

///usr/bin/env jbang "$0" "$@" ; exit $?

//DEPS org.springframework:spring-web:6.0.10


import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public class TestSigningMethod {

	Map<String, String> components = new LinkedHashMap<>();

	public static void main(String[] args) {
                // Simulating the BaseOpenSamlLogoutResponseResolver.resolve()
		Map<String, String> params = new HashMap<>();
		TestSigningMethod tsm = new TestSigningMethod();
		params.put("SAMLResponse", "value1");
		params.put("RelayState", "value2");
		tsm.sign(params);

	}
        
        // simulating OpenSaml4Template.OpenSaml4SignatureConfigurer.sign()
	public void sign(Map<String, String> params) {
		components.putAll(params);
		UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
		for (Map.Entry<String, String> component : this.components.entrySet()) {
			builder.queryParam(component.getKey(),
					UriUtils.encode(component.getValue(), StandardCharsets.ISO_8859_1));
		}
		String queryString = builder.build(true).toString().substring(1);
		System.out.println(queryString);
	}
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: waiting-for-triageAn issue we've not yet triagedtype: bugA general bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions