Allow customization of single logout in auto-configured SAML relying party registration

[ugrave]

Currently a auto configured relying party registration cannot be modified afterwards.

In my case i configured a ssaml single logout url via Spring Security. But i cannot set the configured logout url to autoconfigured RelyingPartyRegistration.singleLogoutServiceLocation.

  @Bean
  SecurityFilterChain securityFilterChain(HttpSecurity http, RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) throws Exception {
    RelyingPartyRegistrationResolver relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository);
    Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());
    return http
      .saml2Login(Customizer.withDefaults())
      .saml2Logout(Customizer.withDefaults())
      .addFilterBefore(
        metadataFilter,
        Saml2WebSsoAuthenticationFilter.class
      )
      .build();
  }

I add the Saml2MetadataFilter filter together with the OpenSamlMetadataResolver to make the relying party metadata available.
The OpenSamlMetadataResolver use the data from the RelyingPartyRegistration.
Problem is know that the logout url is not part of the metadata because its not set in the RelyingPartyRegistration.

A solution could be to provide a way to customize the autoconfigured RelyingPartyRegistration before is is created.
Same think as it already exist for the RestTemplate with the RestTemplateCustomizer.

My current workaround is to skip the autocinfiguration and create and register the RelyingPartyRegistration by myself with my own RelyingPartyRegistrationRepository bean.

[mhalbritter]

I wonder why we only made some properties of the RelyingPartyRegistration configurable via Saml2RelyingPartyProperties. Maybe we should add singleLogoutServiceLocation in there, too?
This would be more straightforward than adding RelyingPartyRegistrationCustomizer.

[mhalbritter]

singleLogoutServiceLocation is new in Spring Security and our auto-configuration has been written before. We should add the singleLogoutServiceLocation to our properties to support that usecase.

@ugrave Would that solve your problem?

[ugrave]

This should work for me.

There also some other missing: singleLogoutServiceBinding​, singleLogoutServiceResponseLocation and nameIdFormat.
Some of them are filled with values from the IDP metadata if available. (ex. the singleLogoutServiceLocation and singleLogoutServiceBinding​ are filled with the values of asserting party details returned by the IDP metadata).

In my case the values are not filled by the IDP because its not supporting IDP initialized logout.

[bameur]

Hello.
if I understand correctly, the SLO is not currently compatible with autconfiguration based on the config parameters. We need to code the instantiation of the RelyingPartyRegistration to be able to insert the slo conf!
Is that right?
Thank you in advance.

[mhalbritter]

Yes, see the workaround in the first message.

[bameur]

Thank you @mhalbritter.
will the next update contain the necessary config for the SLO. I just want to know if I should schedule the adaptation of my projects or I'm waiting for the update.