SAML 2.0 Single Logout Support

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -72,6 +72,7 @@
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.annotation.web.configurers.openid.OpenIDLoginConfigurer;
 import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer;
+import org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -2209,6 +2210,143 @@ public HttpSecurity saml2Login(Customizer<Saml2LoginConfigurer<HttpSecurity>> sa
 		return HttpSecurity.this;
 	}
 
+	/**
+	 * Configures logout support for an SAML 2.0 Relying Party. <br>
+	 * <br>
+	 *
+	 * Implements the <b>Single Logout Profile, using POST and REDIRECT bindings</b>, as
+	 * documented in the
+	 * <a target="_blank" href="https://docs.oasis-open.org/security/saml/">SAML V2.0
+	 * Core, Profiles and Bindings</a> specifications. <br>
+	 * <br>
+	 *
+	 * As a prerequisite to using this feature, is that you have a SAML v2.0 Asserting
+	 * Party to sent a logout request to. The representation of the relying party and the
+	 * asserting party is contained within {@link RelyingPartyRegistration}. <br>
+	 * <br>
+	 *
+	 * {@link RelyingPartyRegistration}(s) are composed within a
+	 * {@link RelyingPartyRegistrationRepository}, which is <b>required</b> and must be
+	 * registered with the {@link ApplicationContext} or configured via
+	 * {@link #saml2Login(Customizer)}.<br>
+	 * <br>
+	 *
+	 * The default configuration provides an auto-generated logout endpoint at
+	 * <code>&quot;/logout&quot;</code> and redirects to <code>/login?logout</code> when
+	 * logout completes. <br>
+	 * <br>
+	 *
+	 * <p>
+	 * <h2>Example Configuration</h2>
+	 *
+	 * The following example shows the minimal configuration required, using a
+	 * hypothetical asserting party.
+	 *
+	 * <pre>
+	 *	&#064;EnableWebSecurity
+	 *	&#064;Configuration
+	 *	public class Saml2LogoutSecurityConfig {
+	 *		&#064;Bean
+	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
+	 *			http
+	 *				.authorizeRequests((authorize) -> authorize
+	 *					.anyRequest().authenticated()
+	 *				)
+	 *				.saml2Login(withDefaults())
+	 *				.saml2Logout(withDefaults());
+	 *			return http.build();
+	 *		}
+	 *
+	 *		&#064;Bean
+	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
+	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
+	 *					.withMetadataLocation("https://ap.example.org/metadata")
+	 *					.registrationId("simple")
+	 *					.build();
+	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
+	 *		}
+	 *	}
+	 * </pre>
+	 *
+	 * <p>
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 * @since 5.6
+	 */
+	public HttpSecurity saml2Logout(Customizer<Saml2LogoutConfigurer<HttpSecurity>> saml2LogoutCustomizer)
+			throws Exception {
+		saml2LogoutCustomizer.customize(getOrApply(new Saml2LogoutConfigurer<>(getContext())));
+		return HttpSecurity.this;
+	}
+
+	/**
+	 * Configures logout support for an SAML 2.0 Relying Party. <br>
+	 * <br>
+	 *
+	 * Implements the <b>Single Logout Profile, using POST and REDIRECT bindings</b>, as
+	 * documented in the
+	 * <a target="_blank" href="https://docs.oasis-open.org/security/saml/">SAML V2.0
+	 * Core, Profiles and Bindings</a> specifications. <br>
+	 * <br>
+	 *
+	 * As a prerequisite to using this feature, is that you have a SAML v2.0 Asserting
+	 * Party to sent a logout request to. The representation of the relying party and the
+	 * asserting party is contained within {@link RelyingPartyRegistration}. <br>
+	 * <br>
+	 *
+	 * {@link RelyingPartyRegistration}(s) are composed within a
+	 * {@link RelyingPartyRegistrationRepository}, which is <b>required</b> and must be
+	 * registered with the {@link ApplicationContext} or configured via
+	 * {@link #saml2Login()}.<br>
+	 * <br>
+	 *
+	 * The default configuration provides an auto-generated logout endpoint at
+	 * <code>&quot;/logout&quot;</code> and redirects to <code>/login?logout</code> when
+	 * logout completes. <br>
+	 * <br>
+	 *
+	 * <p>
+	 * <h2>Example Configuration</h2>
+	 *
+	 * The following example shows the minimal configuration required, using a
+	 * hypothetical asserting party.
+	 *
+	 * <pre>
+	 *	&#064;EnableWebSecurity
+	 *	&#064;Configuration
+	 *	public class Saml2LogoutSecurityConfig {
+	 *		&#064;Bean
+	 *		public SecurityFilterChain web(HttpSecurity http) throws Exception {
+	 *			http
+	 *				.authorizeRequests()
+	 *					.anyRequest().authenticated()
+	 *					.and()
+	 *				.saml2Login()
+	 *					.and()
+	 *				.saml2Logout();
+	 *			return http.build();
+	 *		}
+	 *
+	 *		&#064;Bean
+	 *		public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() {
+	 *			RelyingPartyRegistration registration = RelyingPartyRegistrations
+	 *					.withMetadataLocation("https://ap.example.org/metadata")
+	 *					.registrationId("simple")
+	 *					.build();
+	 *			return new InMemoryRelyingPartyRegistrationRepository(registration);
+	 *		}
+	 *	}
+	 * </pre>
+	 *
+	 * <p>
+	 * @return the {@link Saml2LoginConfigurer} for further customizations
+	 * @throws Exception
+	 * @since 5.6
+	 */
+	public Saml2LogoutConfigurer<HttpSecurity> saml2Logout() throws Exception {
+		return getOrApply(new Saml2LogoutConfigurer<>(getContext()));
+	}
+
 	/**
 	 * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0
 	 * Provider. <br>

config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java

@@ -250,10 +250,11 @@ public LogoutConfigurer<H> permitAll(boolean permitAll) {
 	 * {@link SimpleUrlLogoutSuccessHandler} using the {@link #logoutSuccessUrl(String)}.
 	 * @return the {@link LogoutSuccessHandler} to use
 	 */
-	private LogoutSuccessHandler getLogoutSuccessHandler() {
+	public LogoutSuccessHandler getLogoutSuccessHandler() {
 		LogoutSuccessHandler handler = this.logoutSuccessHandler;
 		if (handler == null) {
 			handler = createDefaultSuccessHandler();
+			this.logoutSuccessHandler = handler;
 		}
 		return handler;
 	}
@@ -312,7 +313,7 @@ private String getLogoutSuccessUrl() {
 	 * Gets the {@link LogoutHandler} instances that will be used.
 	 * @return the {@link LogoutHandler} instances. Cannot be null.
 	 */
-	List<LogoutHandler> getLogoutHandlers() {
+	public List<LogoutHandler> getLogoutHandlers() {
 		return this.logoutHandlers;
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java

@@ -47,6 +47,7 @@
 import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter;
 import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.DefaultSaml2AuthenticationRequestContextResolver;
+import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestContextResolver;
 import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
@@ -204,9 +205,7 @@ protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingU
 	@Override
 	public void init(B http) throws Exception {
 		registerDefaultCsrfOverride(http);
-		if (this.relyingPartyRegistrationRepository == null) {
-			this.relyingPartyRegistrationRepository = getSharedOrBean(http, RelyingPartyRegistrationRepository.class);
-		}
+		relyingPartyRegistrationRepository(http);
 		this.saml2WebSsoAuthenticationFilter = new Saml2WebSsoAuthenticationFilter(getAuthenticationConverter(http),
 				this.loginProcessingUrl);
 		setAuthenticationRequestRepository(http, this.saml2WebSsoAuthenticationFilter);
@@ -256,6 +255,13 @@ public void configure(B http) throws Exception {
 		}
 	}
 
+	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(B http) {
+		if (this.relyingPartyRegistrationRepository == null) {
+			this.relyingPartyRegistrationRepository = getSharedOrBean(http, RelyingPartyRegistrationRepository.class);
+		}
+		return this.relyingPartyRegistrationRepository;
+	}
+
 	private void setAuthenticationRequestRepository(B http,
 			Saml2WebSsoAuthenticationFilter saml2WebSsoAuthenticationFilter) {
 		saml2WebSsoAuthenticationFilter.setAuthenticationRequestRepository(getAuthenticationRequestRepository(http));
@@ -264,7 +270,8 @@ private void setAuthenticationRequestRepository(B http,
 	private AuthenticationConverter getAuthenticationConverter(B http) {
 		if (this.authenticationConverter == null) {
 			return new Saml2AuthenticationTokenConverter(
-					new DefaultRelyingPartyRegistrationResolver(this.relyingPartyRegistrationRepository));
+					(RelyingPartyRegistrationResolver) new DefaultRelyingPartyRegistrationResolver(
+							this.relyingPartyRegistrationRepository));
 		}
 		return this.authenticationConverter;
 	}
@@ -390,8 +397,9 @@ private Saml2AuthenticationRequestContextResolver getContextResolver(B http) {
 			Saml2AuthenticationRequestContextResolver resolver = getBeanOrNull(http,
 					Saml2AuthenticationRequestContextResolver.class);
 			if (resolver == null) {
-				return new DefaultSaml2AuthenticationRequestContextResolver(new DefaultRelyingPartyRegistrationResolver(
-						Saml2LoginConfigurer.this.relyingPartyRegistrationRepository));
+				RelyingPartyRegistrationResolver relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(
+						Saml2LoginConfigurer.this.relyingPartyRegistrationRepository);
+				return new DefaultSaml2AuthenticationRequestContextResolver(relyingPartyRegistrationResolver);
 			}
 			return resolver;
 		}