Description
Describe the bug
After upgrading Spring Security to version 5.8.0, signature validation of the SAML Logout Response no longer works.
According to the SAML specification, the order of the query parameters used for the signature should be:
"To construct the signature, a string consisting of the concatenation of the RelayState (if present), SigAlg, and SAMLRequest (or SAMLResponse) query string parameters (each one URLencoded) is constructed in one of the following ways (ordered as below):"
SAMLRequest=value&RelayState=value&SigAlg=value
SAMLResponse=value&RelayState=value&SigAlg=value
But in Spring Security 5.8.0/6.0.0, the content used for validation is just the query parameters without the Signature
param, without regard for the parameter order mentioned above.
The issue was caused by this change.
To Reproduce
The IdP redirects to a URL where the query param RelayState
is not in the middle, e.g.
SAMLResponse=someContentHere&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&RelayState=a7d72218-c3e6-44b1-b3ba-e0dbca8ea8a9
Example IdP: OneLogin
Expected behavior
Content for signature validation should be ordered as described in the SAML 2.0 specification.
Also, the encoded query param values (SigAlg, RelayState, SAMLRequest, etc.) should remain unchanged, as described here.
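The following is an added example, not code from Spring Security or from the issue author, showing how the HTTP-Redirect binding signature input is assembled correctly: the still-URL-encoded values are taken from the raw query string and concatenated in the order the specification mandates, independent of the order the IdP used on the wire. The function names and the sample query string are constructed for this illustration; `naive_signature_input` reproduces the behaviour the issue describes (strip Signature, keep wire order) so the two can be compared. Only the Python standard library is used.

```python
"""SAML 2.0 HTTP-Redirect binding: build the bytes the signature covers.

Constructed example (not Spring Security code). The signature is computed over
the URL-encoded parameter values, so values must be taken from the raw query
string and never decoded and re-encoded; only the Signature value itself is
URL-decoded and then base64-decoded.
"""
import base64
from urllib.parse import unquote


def raw_query_params(query: str) -> dict:
    """Split a raw query string into name -> still-URL-encoded value.

    The standard parsers (parse_qs & co.) decode values; that would change the
    bytes the IdP signed (e.g. '%23' would become '#'), so split by hand.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[name] = value  # parameter names in the binding are plain ASCII
    return params


def signature_input(query: str) -> str:
    """Return the signed string in specification order:

    SAMLRequest|SAMLResponse=value[&RelayState=value]&SigAlg=value
    """
    params = raw_query_params(query)
    if "SAMLRequest" in params and "SAMLResponse" in params:
        raise ValueError("query carries both SAMLRequest and SAMLResponse")
    message = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    if message not in params:
        raise ValueError("no SAMLRequest or SAMLResponse parameter")
    if "SigAlg" not in params:
        raise ValueError("SigAlg missing: message is not signed via the redirect binding")

    parts = [f"{message}={params[message]}"]
    if "RelayState" in params:  # optional, but fixed in the middle when present
        parts.append(f"RelayState={params['RelayState']}")
    parts.append(f"SigAlg={params['SigAlg']}")
    return "&".join(parts)


def decoded_signature(query: str) -> bytes:
    """The Signature parameter is the only one that is decoded: URL-decode,
    then base64-decode, yielding the raw signature bytes for verification."""
    params = raw_query_params(query)
    if "Signature" not in params:
        raise ValueError("Signature parameter missing")
    return base64.b64decode(unquote(params["Signature"]), validate=True)


def naive_signature_input(query: str) -> str:
    """The behaviour the issue reports: drop Signature, keep everything else in
    wire order. Equals signature_input() only when the IdP happened to send
    the parameters already in specification order."""
    return "&".join(p for p in query.split("&") if p and not p.startswith("Signature="))


# Constructed sample: RelayState is sent last, as the report describes (SigAlg
# value is URL-encoded as the IdP would send it; Signature is base64 of a
# placeholder, not a real RSA signature).
SAMPLE_QUERY = (
    "SAMLResponse=someContentHere"
    "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
    "&RelayState=a7d72218-c3e6-44b1-b3ba-e0dbca8ea8a9"
    "&Signature=YWI%3D"
)

if __name__ == "__main__":
    print("spec order :", signature_input(SAMPLE_QUERY))
    print("wire order :", naive_signature_input(SAMPLE_QUERY))
    print("signature  :", decoded_signature(SAMPLE_QUERY))
```

Running the block prints the two strings side by side: the spec-ordered string puts RelayState between SAMLResponse and SigAlg, while the wire-ordered string leaves it at the end, so a verifier that uses the latter will reject a correctly signed response from any IdP that emits the parameters in a different order. The signed string is passed as ASCII bytes, together with the decoded signature and the algorithm named by SigAlg, to the actual RSA/ECDSA verification, which this example does not perform.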