spring-security

Return a logout response with an error status when validation of the logout request fails

Open: 1livv opened this issue 1 year ago • 1 comment

Expected Behavior

Saml2LogoutRequestFilter should return a logout response back to the user agent when validation errors happen. This would allow the logout flow to continue to other SPs involved in the session and not block the user agent. See https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf#1161 for more details.

Current Behavior

Right now Saml2LogoutRequestFilter terminates the logout flow when an error happens (see Saml2LogoutRequestFilter#122 and so on). It should instead construct a logout response with an appropriate status and pass that along to the user agent.

1livv avatar Feb 18 '24 18:02 1livv

I think this makes sense, @1livv, since the spec says at https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf#1256 (emphasis mine):

The session participant/authority MUST process the <LogoutRequest> message as defined in [SAMLCore]. After processing the message or upon encountering an error, the entity MUST issue a <LogoutResponse> message containing an appropriate status code to the requesting identity provider to complete the SAML protocol exchange.

jzheaux avatar Feb 26 '24 22:02 jzheaux
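To make the requirement quoted above concrete, here is an added Python model of the behaviour the issue asks for; it is not Spring Security's code and not from either commenter. The SP validates an incoming LogoutRequest and, whether validation passes or fails, answers with a LogoutResponse whose status code reports the outcome; the entity IDs, endpoint URLs and the sample request are constructed for the example.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"  # the request was faulty
for prefix, ns in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, ns)

# Constructed sample IdP-initiated LogoutRequest (entity IDs and URLs are made up).
SAMPLE_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
    'Version="2.0" IssueInstant="2024-02-18T18:00:00Z" '
    'Destination="https://sp.example/logout/saml2/slo">'
    '<saml:Issuer>https://idp.example</saml:Issuer><saml:NameID>alice</saml:NameID>'
    '</samlp:LogoutRequest>')

def validate_logout_request(root, expected_issuer, expected_destination):
    """Return a list of validation errors; an empty list means the request is acceptable."""
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return ["not a LogoutRequest"]
    errors = []
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        errors.append("unexpected Issuer")
    if root.get("Destination") != expected_destination:
        errors.append("Destination is not this SP's SLO endpoint")
    if root.find(f"{{{SAML}}}NameID") is None:
        errors.append("missing NameID")
    return errors

def build_logout_response(in_response_to, issuer, destination, status_code):
    """Build a minimal <LogoutResponse> whose top-level StatusCode carries the outcome."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_constructed-response-id", "Version": "2.0", "InResponseTo": in_response_to,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    return ET.tostring(resp, encoding="unicode")

def handle_logout_request(xml_text, sp_entity_id, sp_slo_url, idp_entity_id, idp_slo_url):
    """Always return (status_code, response_xml): a faulty request gets a Requester
    status instead of a dead end, so the IdP can carry on with the other SPs."""
    root = ET.fromstring(xml_text)
    errors = validate_logout_request(root, idp_entity_id, sp_slo_url)
    status = STATUS_SUCCESS if not errors else STATUS_REQUESTER
    # A real filter would terminate the local session only when there are no errors.
    return status, build_logout_response(root.get("ID"), sp_entity_id, idp_slo_url, status)
```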

Closing in favor of #14676

jzheaux avatar Jun 02 '25 19:06 jzheaux