0
votes

I am using the Spring SAML extension with PingFederate as the IdP server. When I initiate a global logout from the SP (service provider), it only invalidates the SP session, not the IdP server session. This means that even after a global logout, when I try to log in again (SP-initiated), it logs me in directly without asking for user login credentials.

I noticed that in the SAML single logout request the relayState parameter is missing, although it is present in another SP application that works fine (the demo SP application provided by PingFederate). I tried adding the relayState property in the securityContext.xml file (see the snippet below), but relayState is still not part of the logout request parameters.

<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <property name="relayState" value="http://192.168.1.73:8080/adeptia"/>
            <property name="includeScoping" value="true"/>
        </bean>
    </property>
</bean>

Please let me know what the relayState parameter is used for, what its possible values are, and how to include it in the SAML logout request.


1 Answer

1
vote

You should be able to pass the relay state by extending SingleLogoutProfileImpl and overriding the sendLogoutRequest method. Call context.setRelayState() to set the value, then call super to do the rest of the logic.

During the response phase the relay value will be available in processLogoutResponse, again in the context object.

There is no explicit feature for sending the relay state during Single Logout in Spring SAML.
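The subclass the answer describes, written out as an added example (this is not code from the question, the answer, or the Spring SAML project). It overrides sendLogoutRequest to set the RelayState on the SAMLMessageContext before the parent encodes the LogoutRequest, and overrides processLogoutResponse to read the echoed value back. The package name, the class name, the request attribute name and the bean id "logoutprofile" in the wiring comment are assumptions; the relay state value is the URL from the question.

```java
package com.example.saml; // assumed package; use one that fits your project

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.validation.ValidationException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.SingleLogoutProfileImpl;

/**
 * Single Logout profile that attaches a RelayState to the SP-initiated
 * LogoutRequest and reads it back from the IdP's LogoutResponse.
 *
 * Wire it in securityContext.xml in place of the stock profile bean. The bean
 * id "logoutprofile" is the one used in the Spring SAML sample configuration
 * (assumed here); adjust it if yours differs:
 *
 *   <bean id="logoutprofile" class="com.example.saml.RelayStateSingleLogoutProfile">
 *       <constructor-arg value="http://192.168.1.73:8080/adeptia"/>
 *   </bean>
 */
public class RelayStateSingleLogoutProfile extends SingleLogoutProfileImpl {

    /** Request attribute carrying the validated RelayState to the logout success handler (name is our choice). */
    public static final String RELAY_STATE_ATTRIBUTE =
            RelayStateSingleLogoutProfile.class.getName() + ".relayState";

    /** The SAML 2.0 Bindings specification caps RelayState at 80 bytes. */
    private static final int MAX_RELAY_STATE_BYTES = 80;

    private final String relayState;

    public RelayStateSingleLogoutProfile(String relayState) {
        if (relayState == null || relayState.isEmpty()
                || relayState.getBytes().length > MAX_RELAY_STATE_BYTES) {
            throw new IllegalArgumentException("RelayState must be non-empty and at most 80 bytes");
        }
        this.relayState = relayState;
    }

    @Override
    public void sendLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
            throws SAMLException, MetadataProviderException, MessageEncodingException {
        // Must be set before the parent builds and encodes the LogoutRequest: the
        // binding encoder reads context.getRelayState() and emits it as the
        // RelayState parameter next to SAMLRequest.
        context.setRelayState(relayState);
        super.sendLogoutRequest(context, credential);
    }

    @Override
    public void processLogoutResponse(SAMLMessageContext context)
            throws SAMLException, SecurityException, ValidationException {
        // Let the parent validate the LogoutResponse first; only then look at
        // anything else that arrived with it.
        super.processLogoutResponse(context);

        // The IdP echoes RelayState back unchanged, but it still came off the wire.
        // Treat it as untrusted: accept it only if it is exactly what we sent, so it
        // can never be turned into an open redirect.
        String returned = context.getRelayState();
        if (returned == null || !relayState.equals(returned)) {
            return; // missing or tampered: ignore, never redirect to it
        }

        // Hand the validated value to the rest of the logout pipeline (for example
        // a LogoutSuccessHandler) through a request attribute.
        if (context.getInboundMessageTransport() instanceof HttpServletRequestAdapter) {
            HttpServletRequestAdapter transport =
                    (HttpServletRequestAdapter) context.getInboundMessageTransport();
            transport.getWrappedRequest().setAttribute(RELAY_STATE_ATTRIBUTE, returned);
        }
    }
}
```

Two caveats worth keeping in mind. RelayState is an opaque value that the IdP returns unchanged; it carries no logout semantics, so adding it will not by itself make the IdP terminate its own session. And because it comes back as a request parameter, a value that is used as a post-logout redirect target must be checked against what the SP sent (or an allow-list), which is why the override above compares it with the configured value before exposing it.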