spring-security icon indicating copy to clipboard operation
spring-security copied to clipboard
verified publisher icon spring-projects

Invalid order of query paramerter in SAMLResponse for an AP-Initiated SLO

Open kartikvarma opened this issue 1 month ago • 0 comments

Describe the bug In an AP-Initiated SLO, the signed response for the HTTP redirect binding with relaystate is incorrect. The AP fails to validate the signature.

The relying party, after validating the logout request in the Saml2LogoutRequestFilter, delegates the task of resolving the response to BaseOpenSamlLogoutResponseResolver.

Here, the response XML is constructed. If the binging is an HTTP POST, the LogoutResponse is signed; otherwise, the XML is deflated-encoded, and the signing parameters (HashMap) are signed. If the LogoutRequest has a relay state, the map of signing parameters includes it.

OpenSaml4Template.OpenSaml4SignatureConfigurer.sign takes a Map and then constructs the query string, and then signs it. Here, the actual parameter order that Spring Security uses for HTTP-Redirect binding is incorrect. (basically loses the order because of HashMap).

To Reproduce Run the below sample code with jbang

jbang run TestSigningMethod.java

Expected behavior A signed SLO SAML Response should have the query parameter in the correct order.

Sample


///usr/bin/env jbang "$0" "$@" ; exit $?

//DEPS org.springframework:spring-web:6.0.10


import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public class TestSigningMethod {

	Map<String, String> components = new LinkedHashMap<>();

	public static void main(String[] args) {
                // Simulating the BaseOpenSamlLogoutResponseResolver.resolve()
		Map<String, String> params = new HashMap<>();
		TestSigningMethod tsm = new TestSigningMethod();
		params.put("SAMLResponse", "value1");
		params.put("RelayState", "value2");
		tsm.sign(params);

	}
        
        // simulating OpenSaml4Template.OpenSaml4SignatureConfigurer.sign()
	public void sign(Map<String, String> params) {
		components.putAll(params);
		UriComponentsBuilder builder = UriComponentsBuilder.newInstance();
		for (Map.Entry<String, String> component : this.components.entrySet()) {
			builder.queryParam(component.getKey(),
					UriUtils.encode(component.getValue(), StandardCharsets.ISO_8859_1));
		}
		String queryString = builder.build(true).toString().substring(1);
		System.out.println(queryString);
	}
}

kartikvarma avatar Dec 16 '25 04:12 kartikvarma