Open
Description
Describe the bug
When I POST to the SAML logoutUrl, a 401 response is returned.
To Reproduce
.logout(logout -> logout.invalidateHttpSession(false)) // issue #14853
.saml2Login(saml -> saml
.authenticationRequestUri("/saml/authenticate/{registrationId}")
.loginPage("/saml/discovery")
.loginProcessingUrl("/saml/SSO")
)
.saml2Logout(saml -> saml
.logoutUrl("/saml/logout")
.logoutRequest(request -> request.logoutUrl("/saml/SingleLogout"))
.logoutResponse(response -> response.logoutUrl("/saml/SingleLogout"))
)14:15:21.139 [XNIO-1 task-2] DEBUG FilterChainProxy - Securing POST /saml/logout
14:15:21.144 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Retrieved SecurityContextImpl [Authentication=Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG SecurityContextPersistenceFilter - Set SecurityContextHolder to SecurityContextImpl [Authentication=Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG Saml2LogoutConfigurer$Saml2RelyingPartyInitiatedLogoutFilter - Logging out [Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]]
14:15:21.144 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Did not store empty SecurityContext
14:15:21.145 [XNIO-1 task-2] TRACE OpenSamlLogoutRequestResolver - Attempting to resolve registrationId from Saml2Authentication [Principal=User(...), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=d39d3aab-9fa4-47e1-9e08-f83036c405e8], Granted Authorities=[ROLE_USER, ROLE_ADMIN]]
14:15:21.146 [XNIO-1 task-2] TRACE Saml2RelyingPartyInitiatedLogoutSuccessHandler - Returning 401 since no logout request generated
14:15:21.147 [XNIO-1 task-2] DEBUG HttpSessionSecurityContextRepository - Did not store empty SecurityContext
14:15:21.147 [XNIO-1 task-2] DEBUG SecurityContextPersistenceFilter - Cleared SecurityContextHolder to complete request
Expected behavior
It should redirect to / after logout, regardless of whether the asserting party was sent an SLO request.
Additional
The OpenSamlLogoutRequestResolver returned null here:
if (registration.getAssertingPartyDetails().getSingleLogoutServiceLocation() == null) {
return null;
}I'm guessing the intent is that the 401 triggers a redirect back to /login, but it should use the same mechanism as the regular logout in case someone is not using the default configuration.