Response on IDP initiated logout not signed

Hi,

We have identified that using the SAML add-on works fine except for the so-called ‘IDP initiated logout’. This works as well, but the SP needs to send a logout response. This is done, but it is not signed. It turns out that the Spring SAML library, which is used by the add-on, does not sign these responses by default. The requireLogoutResponseSigned property needs to be set to true, but by default it is false.

This could be changed by configuration as it is stated here. But applying as such does not work as it is not compatible with the add-on which takes a different approach to this. The extended metadata seems to be handled differently from what the Spring library is using and the logout seems to be handled by the Spring library only (no interference from the add-on as far as we can see).

So, we cannot set the flag as we need to, and the add-on does not provide an option to configure it differently. As such we are stuck, catch-22.

We really need the logout response to be signed and thus would need to have the option of setting the flag requireLogoutResponseSigned to true. Any advice on how to do this?

Regards,
-b

Hi, @b.tel

Here is the solution I can see:

  1. Extend the com.haulmont.addon.saml.saml.internal.impl.SamlConnectionsMetadataManagerImpl class from the SAML add-on. There is a method called generateSpProvider in which the ExtendedMetadata for SP is being created:

    ExtendedMetadata extendedMetadata = generator.generateExtendedMetadata();


    If you override the generateSpProvider method in your class, you can set the property you need:

    extendedMetadata.setRequireLogoutResponseSigned(true);

  2. If you don’t already have the saml-dispatcher-spring.xml configuration in your project, create it in the web-module and fill it with the content of saml-dispatcher-spring.xml.

  3. Replace the class of the metadata bean with your SamlConnectionsMetadataManagerImpl implementation.

  4. In the web-app.properties set the property pointing to the saml configuration file:

    saml.springContextConfig = com/sample/.../saml-dispatcher-spring.xml

Regards,
Gleb

Hi @shalyganov

Thanks for following up on this. Much appreciated!

We already extended the com.haulmont.addon.saml.saml.internal.impl.SamlConnectionsMetadataManagerImpl class but had an override on the getDefaultExtendedMetadata() and getExtendedMetadata() functions. From your comment - and our experience - I understand that this does not work?

Your approach also leads me to think that if we were able to override org.springframework.security.saml.metadata.MetadataGenerator it would work as well. Correct?

Anyway, we will give this a try; hopefully it works (fingers crossed). If so, I will update the ticket to let you know.

Regards,
-b