Reputation: 43
According to the Spring SAML Extension document:
Local logout terminates only the local session and doesn't affect either the session at the IDP or sessions at other SPs where the user logged in using single sign-on. Local logout can be initialized at scheme://server:port/contextPath/saml/logout?local=true.
For global logout, we have to hit the scheme://server:port/contextPath/saml/logout URL, but for me, it only logs out from the local session and doesn't log out from the IDP.
This is the [WebSecurityConfig](https://github.com/vdenotaris/spring-boot-security-saml-sample/blob/master/src/main/java/com/vdenotaris/spring/boot/security/saml/web/config/WebSecurityConfig.java) that I'm using to create the SAML SP. My question is, am I doing something wrong here, or is this a problem because of the IDP I'm using (can't mention the IDP as it's one of my firm's SAML SSO)? Or do I have to define any global logout handler here? If yes, how?
Upvotes: 1
Views: 6679
Reputation: 159
Global Logout in the case of Single Sign On (SSO) needs support from both the service providers (SP) and the Identity Providers (IdP). What you are doing is only enabling the Global Logout endpoint on the SP side, which only ensures that the SP will generate a Global Logout request to itself & to the IdP (depending on the SAML profiles/bindings you are using). How the IdP handles it depends on the IdP as well.
In SSO, a session at the IdP, a session at the SP and cookies at the user-agent are set on login. To facilitate a single global logout, there is a gap between user expectations and technical limitations. I suggest you read about SLO issues here: https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues
Shibboleth IdPv3 has provided partial support for Single Logout using both front-channeling (user-agent involved in sending logout to all SPs & IdP) as well as back-channeling (user-agent sends logout request to current SP & IdP, the IdP in turn sends logout request to all logged-in SPs). You can read how Shibboleth IdP v3.2.0 handles logout here: https://wiki.shibboleth.net/confluence/display/IDP30/LogoutConfiguration
Upvotes: 2
Reputation: 611
I would check the IdP metadata that you have configured. It sounds like an endpoint specified is wrong so it's not receiving what it needs.
With that said, you ought to confirm whether there has been any activity on your IdP's logs regarding any form of logout. Consider DEBUG or TRACE level.
Upvotes: 0
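A quick way to act on the advice above (check the IdP metadata before chasing the SP config): parse the IdP's metadata and see whether it advertises a SingleLogoutService at all, since Spring SAML's global logout has nowhere to send its LogoutRequest without one and falls back to the "local logout only" behaviour described in the question. This is an added example, not code from the question, the answers or the linked sample project; the IdP entity ID and URLs in the embedded metadata are constructed for the demo.

```python
"""Inspect SAML IdP metadata for the SingleLogoutService endpoints a
Spring SAML SP needs before a global logout can be delivered to the IdP."""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata for the demo; entity ID and URLs are hypothetical.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def single_logout_endpoints(metadata_xml):
    """Return [(binding, location, response_location)] for every
    SingleLogoutService advertised in the IdP's IDPSSODescriptor.
    ResponseLocation defaults to Location when the IdP omits it."""
    root = ET.fromstring(metadata_xml)
    return [
        (e.get("Binding"), e.get("Location"),
         e.get("ResponseLocation") or e.get("Location"))
        for e in root.findall("md:IDPSSODescriptor/md:SingleLogoutService", MD_NS)
    ]


def diagnose_global_logout(metadata_xml, sp_bindings=(HTTP_REDIRECT, HTTP_POST)):
    """Say whether the SP's LogoutRequest can reach this IdP at all. With no
    SingleLogoutService on a binding the SP speaks, only the SP session can
    be terminated, which is exactly the symptom in the question."""
    usable = [ep for ep in single_logout_endpoints(metadata_xml) if ep[0] in sp_bindings]
    if not usable:
        return {"idp_supports_slo": False, "endpoints": [],
                "finding": "IdP metadata advertises no SingleLogoutService for "
                           "the SP's bindings; only local logout is possible"}
    return {"idp_supports_slo": True, "endpoints": usable,
            "finding": "LogoutRequest can be sent; if the IdP session survives, "
                       "check the IdP's own logs for how it handled the request"}


if __name__ == "__main__":
    print(diagnose_global_logout(SAMPLE_IDP_METADATA))
```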