
I've implemented SSO using Spring Security SAML. Here is what is currently working for me:

When I try to access any resource at the SP, I'm redirected to my IdP (idp.ssocircle.com in my case) if I'm not logged in already. After successful authentication at the IdP, I'm redirected back to the SP, which authorizes the incoming SAML response and creates a session for the respective user. Everything is cool till here! But when I log out from my IdP (by clicking logout on idp.ssocircle.com externally), I shouldn't be able to access my SP, which is not happening in my case. Now what I'm thinking of doing is maybe writing a new filter which checks for a valid session at the IdP before processing any request on the SP. I've searched a lot but couldn't find any solution to my problem.

Please give inputs on how I can implement this filter, or is there another way of doing this? Any suggestions are appreciated.

abhilash

1 Answer

Does your IDP support and correctly initialize Single Logout? If so, it could be related to this issue; just update to the latest Spring SAML version or change the property invalidateHttpSession in your logout handler to true:

<bean id="logoutSessionHandler"
  class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
  <property name="invalidateHttpSession" value="true"/>
</bean>
Vladimír Schäfer
  • What I wanted to know was: if a session is already created at the SP and then I log out from the IdP manually (i.e., without sending any logout request from the SP), should I still be able to access the resource at the SP? In the current case I'm still able to access the SP without any session at the IDP for that user. I've tried setting the above property to true; it still behaves the same way, or maybe it is the way it should behave! – abhilash Apr 16 '14 at 07:01
  • Once you log out from the IDP there are two options: the IDP either starts a Single Logout process (= it tries to terminate the session in all connected SPs), or it just terminates the local IDP session and doesn't propagate the logout to other places. In the case of SSOCircle, it doesn't perform Single Logout, so once you log out from SSOCircle your SP session should still be active. – Vladimír Schäfer Apr 16 '14 at 10:37
  • Valdi... I am trying to achieve the same thing, so I updated spring-security-saml2-core to RC3. Then I started getting issues like SecurityContextHolder.getContext().getAuthentication().getPrincipal() returning the userName instead of a UsernamePasswordAuthenticationToken object. So everything started failing. Any idea how to get the UserInfo object instead of the userName? – ManojP Apr 17 '15 at 13:48
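For reference, this is how the Single Logout side of the answer is wired in Spring Security SAML's XML configuration, so that a LogoutRequest sent by the IdP to the SP actually terminates the SP session (and so that a logout started at the SP can be propagated to the IdP). This is an added example modelled on the structure of the Spring SAML sample securityContext.xml; it is not code from the question or the answer. The bean ids, the /saml/logout and /saml/SingleLogout URL patterns and the /logged-out target URL are assumptions.

```xml
<!-- Added example (not from the original post): Single Logout wiring for
     Spring Security SAML. Bean ids, URL patterns and target URL are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Routes the two logout endpoints to the SAML logout filters. /saml/SingleLogout
       is where the IdP delivers its LogoutRequest; the path must match the
       SingleLogoutService location published in the SP metadata. -->
  <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map request-matcher="ant">
      <security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
      <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
    </security:filter-chain-map>
  </bean>

  <!-- SP-initiated logout: runs the local handlers and, for a global logout,
       sends a LogoutRequest to the IdP so the IdP session (and other SPs) end too. -->
  <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
    <constructor-arg index="0" ref="successLogoutHandler"/>
    <constructor-arg index="1" ref="logoutHandler"/>  <!-- local handlers -->
    <constructor-arg index="2" ref="logoutHandler"/>  <!-- global handlers -->
  </bean>

  <!-- IdP-initiated logout: validates the incoming LogoutRequest, runs the logout
       handlers against the SP session and returns a LogoutResponse to the IdP. -->
  <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
    <constructor-arg index="0" ref="successLogoutHandler"/>
    <constructor-arg index="1" ref="logoutHandler"/>
  </bean>

  <!-- With invalidateHttpSession=false the handler only clears the SecurityContext
       and the HttpSession survives; true is what actually ends the SP session. -->
  <bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="true"/>
  </bean>

  <bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
    <property name="defaultTargetUrl" value="/logged-out"/>
  </bean>
</beans>
```

This wiring only helps when the IdP actually sends a LogoutRequest to the SP's SingleLogoutService endpoint. As the comment above notes, SSOCircle does not do that, so in that setup the SP session remains valid until it expires or the user logs out through the SP itself; no SP-side filter can observe the IdP's local logout, because SAML offers no query for "is this user still logged in at the IdP".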