Back-channel logout request format in Spring Security SAML

Question

I am working on implementing single logout functionality when Spring Security SAML extension is used. In this scenario, a back-channel request has to be sent to Spring security SAML Single Logout endpoint from the identity provider(WSO2 identity server), when initiating single logout request from another application. The issue is in the format of the back-channel logout request sent to the spring security application. I have tried to send the requests in following [1] and [2] formats, but received [3] and [4] as the responses respectively.

Please help me on identifying the proper format that need to be sent as the back-channel logout request to the Spring Security application.

[1]SAML request :

    <saml2p:LogoutRequest>
    <saml2:Issuer>...</saml2:Issuer>...
    </saml2p:LogoutRequest>

[2]SAML SOAP binding :

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
    <saml2p:LogoutRequest>
    <saml2:Issuer>...</saml2:Issuer>...
    </saml2p:LogoutRequest>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

[3]Response : Moved Temporarily, Status Code : 302

[4]Response : Internal Server Error, Status Code : 500

Reference :

http://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-quick-start.html

https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

Frank Frank · Accepted Answer · 2015-11-05T22:11:03

I have a similar question about single logout. So I append mine to yours. In my scenario, it is front-channel binding using the Http-Redirect. I would like to know what happens behind the scene in Spring Security SAML extension when initiating single logout request from other applications. Which servlets or filters run under this circumstance, so I can use my code to clean up something I put in Single Sign On step.

Thanks a lot.

Back-channel logout request format in Spring Security SAML

1 Answers