Support sending SAML 2.0 LogoutRequest to the IdP (Single Logout)

[jeanblanchard]

Expected Behavior

It would be nice to be able to send a samlp:LogoutRequest to the SAML Identity Provider, to trigger a Single Logout.

Current Behavior

Currently you can only do a local logout (=invalidate the session), but you stay authenticated to the IdP.
In an authentication-required app, this means that, as soon as you log out locally, you get immediately redirected to the IdP, which logs you right back in.
In effect, this means there is no way to logout at all, except by invalidating the session directly on the IdP (for those that allow it)

[fpagliar]

Is there any alternative currently available for this?

Right now it seems like given spring-security-saml is out of support, the upgrade path would be to implement your own copy of SingleLogoutProfileImpl, SAMLLogoutProcessingFilter, SAMLLogoutFilter from the old project, and a brand new initialization of OpenSAML in the new setup given that OpenSamlImplementation is package private.

[jzheaux]

@fpagliar, I don't believe there are any existing alternatives. But, since it sounds like you might be producing a solution anyway, I wonder if you'd be interested in contributing it back?

I'm thinking that it would make sense to create an implementation of LogoutSuccessHandler similar in nature to OidcClientInitiatedLogoutSuccessHandler but that would generate a <LogoutRequest> instead. I think it also makes sense to introduce a filter that knows how to process a <LogoutResponse>.

[fpagliar]

I'm looking at this and will be glad to contribute when possible. Might not get a full-fledged generic solution but it will at least be a good first approach to iterate on.

@jzheaux I'm wondering a bit on refactoring from the current structure. Looking at LogoutRequest and LogoutResponse, the basic structure of the bindings and request processing are basically the same. So extracting the common patterns from Saml2WebSsoAuthenticationRequestFilter and Saml2WebSsoAuthenticationFilter seems like a good approach. The handling of what to do on failed cases for a SLO flow is a gray area that will need some work.
How does that sound?

[jzheaux]

@fpagliar, I agree that there are some common patterns across these filters. Would you care to share some of these thoughts over on #8887 which seems to be thinking along the same lines as your last comment?

[julisch94]

Hey there! We are waiting for this issue to be implemented. Just wanted to check in real quick.. Is there any progress yet? Thanks a lot.

[scho]

@fpagliar
Would you mind sharing what you have so far?

[ThomasHeil]

Waiting for this, too. I think in times when browsers tend to restore sessions even beyond close+reopen (who made this up?), a proper logout is definitely needed and should be prioritized accordingly.