Skip to content

Allow customization of single logout in auto-configured SAML relying party registration #30128

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ugrave opened this issue Mar 9, 2022 · 8 comments
Closed

Allow customization of single logout in auto-configured SAML relying party registration #30128

ugrave opened this issue Mar 9, 2022 · 8 comments
Assignees
@scottfrederick
Labels
type: enhancement A general enhancement
Milestone
2.7.0

Comments

@ugrave
Copy link

ugrave commented Mar 9, 2022

Currently a auto configured relying party registration cannot be modified afterwards.

In my case i configured a ssaml single logout url via Spring Security. But i cannot set the configured logout url to autoconfigured RelyingPartyRegistration.singleLogoutServiceLocation.

  @Bean
  SecurityFilterChain securityFilterChain(HttpSecurity http, RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) throws Exception {
    RelyingPartyRegistrationResolver relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository);
    Saml2MetadataFilter metadataFilter = new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());
    return http
      .saml2Login(Customizer.withDefaults())
      .saml2Logout(Customizer.withDefaults())
      .addFilterBefore(
        metadataFilter,
        Saml2WebSsoAuthenticationFilter.class
      )
      .build();
  }

I add the Saml2MetadataFilter filter together with the OpenSamlMetadataResolver to make the relying party metadata available.
The OpenSamlMetadataResolver use the data from the RelyingPartyRegistration.
Problem is know that the logout url is not part of the metadata because its not set in the RelyingPartyRegistration.

A solution could be to provide a way to customize the autoconfigured RelyingPartyRegistration before is is created.
Same think as it already exist for the RestTemplate with the RestTemplateCustomizer.

My current workaround is to skip the autocinfiguration and create and register the RelyingPartyRegistration by myself with my own RelyingPartyRegistrationRepository bean.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 9, 2022
@mhalbritter
Copy link
Contributor

mhalbritter commented Mar 9, 2022
edited
Loading

I wonder why we only made some properties of the RelyingPartyRegistration configurable via Saml2RelyingPartyProperties. Maybe we should add singleLogoutServiceLocation in there, too?
This would be more straightforward than adding RelyingPartyRegistrationCustomizer.

@mhalbritter
Copy link
Contributor

singleLogoutServiceLocation is new in Spring Security and our auto-configuration has been written before. We should add the singleLogoutServiceLocation to our properties to support that usecase.

@ugrave Would that solve your problem?

@mhalbritter mhalbritter added status: waiting-for-feedback We need additional information before we can continue type: enhancement A general enhancement labels Mar 10, 2022
@mhalbritter mhalbritter added this to the 2.7.x milestone Mar 10, 2022
@ugrave
Copy link
Author

ugrave commented Mar 11, 2022
edited by wilkinsona
Loading

This should work for me.

There also some other missing: singleLogoutServiceBinding​, singleLogoutServiceResponseLocation and nameIdFormat.
Some of them are filled with values from the IDP metadata if available. (ex. the singleLogoutServiceLocation and singleLogoutServiceBinding​ are filled with the values of asserting party details returned by the IDP metadata).

In my case the values are not filled by the IDP because its not supporting IDP initialized logout.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Mar 11, 2022
@mhalbritter mhalbritter removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Mar 11, 2022
@wilkinsona wilkinsona mentioned this issue Mar 28, 2022
Closed
@bameur
Copy link

bameur commented Mar 29, 2022

Hello.
if I understand correctly, the SLO is not currently compatible with autconfiguration based on the config parameters. We need to code the instantiation of the RelyingPartyRegistration to be able to insert the slo conf!
Is that right?
Thank you in advance.

@mhalbritter
Copy link
Contributor

Yes, see the workaround in the first message.

@bameur
Copy link

bameur commented Mar 29, 2022

Thank you @mhalbritter.
will the next update contain the necessary config for the SLO. I just want to know if I should schedule the adaptation of my projects or I'm waiting for the update.

@wilkinsona
Copy link
Member

We can't say for certain at this time. As shown by its milestone, we hope to address this issue in Spring Boot 2.7 but that's not guaranteed. It may have to be deferred until a later milestone if other work takes priority.

@wilkinsona wilkinsona changed the title Allow customization of auto configure saml relying party registration Allow customization of auto-configured saml relying party registration Apr 11, 2022
@wilkinsona wilkinsona mentioned this issue Apr 12, 2022
Closed
@marcusdacoregio
Copy link

To align with the Single Logout properties in RelyingPartyRegistration I think the following properties have to be added:

spring:
    security:
        saml2:
            relyingparty:
                one:
                    ...
                    slo:
                        location: /logout/saml2/slo # RelyingPartyRegistration::singleLogoutServiceLocation
                        response-location: /logout/saml2/slo # RelyingPartyRegistration::singleLogoutServiceResponseLocation
                        binding: POST # RelyingPartyRegistration::singleLogoutServiceBinding
                    identityprovider:
                        ...
                        singlelogout:
                            location: ... # RelyingPartyRegistration#AssertingPartyDetails::singleLogoutServiceLocation
                            response-location: ... # RelyingPartyRegistration#AssertingPartyDetails::singleLogoutServiceResponseLocation
                            binding: POST # RelyingPartyRegistration#AssertingPartyDetails::singleLogoutServiceBinding

The RelyingPartyRegistration::singleLogoutServiceLocation is required in order to activate the Single Logout for the tenant.

@scottfrederick scottfrederick self-assigned this Apr 19, 2022
@scottfrederick scottfrederick changed the title Allow customization of auto-configured saml relying party registration Allow customization of single logout in auto-configured SAML relying party registration Apr 19, 2022
@marcusdacoregio marcusdacoregio mentioned this issue May 4, 2022
Open
@mbhave mbhave modified the milestones: 2.7.x, 2.7.0 May 17, 2022
@mbhave mbhave closed this as completed in 7d459a1 May 17, 2022
This was referenced Jun 17, 2022
Closed
Closed
Closed
Closed
Closed
This was referenced Jun 22, 2022
Closed
Closed
Closed
@jvalkeal jvalkeal mentioned this issue Mar 8, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@scottfrederick scottfrederick

Labels
type: enhancement A general enhancement
Projects
None yet
Milestone
2.7.0
Development

No branches or pull requests
8 participants
@scottfrederick @ugrave @wilkinsona @mbhave @bameur @marcusdacoregio @spring-projects-issues @mhalbritter