Saml2LogoutConfigurer: Use RequestMatcher from LogoutConfigurer

[chschu]

Expected Behavior

The SAML Single Logout (initiated by relying party) should use LogoutConfigurer.getLogoutRequestMatcher(...), combined with Saml2LogoutConfigurer.Saml2RequestMatcher to detect logout requests.

It would also be great if the logoutMatcher could be customized, because Saml2LogoutConfigurer.Saml2RequestMatcher is not always desirable.

Current Behavior

Currently, only a single logout URL can be configured with Saml2LogoutConfigurer, while LogoutConfigurer allows full customization of the RequestMatcher. If that matcher is not a simple "must be a POST to a single URL", the LogoutFilter created by Saml2LogoutConfigurer cannot be configured appropriately.

Context

I have an application with different logout URLs that redirect the user to different logout success URLs. That requires a complex RequestMatcher in LogoutConfigurer, and it cannot currently be done in Saml2LogoutConfigurer.

Workaround: Configure an ObjectPostProcessor on Saml2LogoutConfigurer that creates the LogoutFilter from scratch.

Naming might get a bit messy here, because logoutRequestMatcher might mean "request matcher for the logout" or "matcher for the SAML LogoutRequest".

[jzheaux]

@chschu thanks for posting this.

Workaround: Configure an ObjectPostProcessor on Saml2LogoutConfigurer that creates the LogoutFilter from scratch.

I wonder why this is. Can you not call setLogoutRequestMatcher on the LogoutFilter passed to your ObjectPostProcessor?

The SAML Single Logout (initiated by relying party) should use LogoutConfigurer.getLogoutRequestMatcher(...), combined with Saml2LogoutConfigurer.Saml2RequestMatcher to detect logout requests.

This makes sense since it seems quite odd that an application would configure logout to have a custom URL and then leave saml2Logout using /logout. It does seem that logout's custom URL should influence saml2Logout's.

Can you provide a PR along these lines that determines Saml2LogoutConfigurer's request matcher like so:

• If the application provided a logoutUrl, use it
• Otherwise, if the application has a LogoutConfigurer, use its request matcher combined with Saml2RequestMatcher
• Otherwise, default to POST /logout

Since this would be a breaking change, I'm still thinking about whether it can go into a 5.x release or whether it needs to wait until 6.x. Either way, a PR is welcome.

It would also be great if the logoutMatcher could be customized, because Saml2LogoutConfigurer.Saml2RequestMatcher is not always desirable.

I think this is already possible using an object post-processor. I think we should leave the DSL as simple as possible for the time being. We can always revisit if it appears there is a lot of demand for this.

[chschu]

I wonder why this is. Can you not call setLogoutRequestMatcher on the LogoutFilter passed to your ObjectPostProcessor?

Oh, of course. I have overlooked this.

I'll provide a PR for Saml2LogoutConfigurer's request matcher.

[tommai78101]

Hello to all, may I ask what's the current status of this issue? I'm currently using v5.8.3.

[akhil-lm]

Hi @jzheaux, I've a customized url '/saml/logout' (method = GET) for Single Logout, that I need to use for Saml2 Logout. Ideally, when the 'Saml2RelyingPartyInitiatedLogoutFilter' is created in Saml2LogoutConfigurer, I need the requestMatcher url for it to be '/saml/logout' instead of the default '/logout' and method should be GET instead of the default POST.

'I wonder why this is. Can you not call setLogoutRequestMatcher on the LogoutFilter passed to your ObjectPostProcessor?' -

I understand that the above statement would be a way to achieve the mapping of my customized url '/saml/logout' with Saml2RelyingPartyInitiatedLogoutFilter, but I don't exactly understand how to implement such ObjectPostProcessor configuration. I tried many mapping configurations for it, but they didn't work out.

Is there any example or resource for the implementation quoted above that you could point me to? Thanks.
cc : @chschu Was the Saml2LogoutConfigurer's request matcher implemented? I still couldn't find one.

[jzheaux]

Thanks for reaching out, @akhil-lm. Will you please post that instead to StackOverflow and add the link here? We can continue that conversation over there. In that way, this ticket can continue to stay focused on the proposed feature.