When the SAML logout handler is called, how do I identify the user and what relevant sessions are being invalidated?
The LogoutHandler interface has:
void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication);
Is the following something that can be assumed?
ExpiringUsernameAuthenticationToken auth = (ExpiringUsernameAuthenticationToken) authentication;
SAMLCredential credentials = (SAMLCredential)auth.getCredentials();
String nameId = credentials.getNameID().getValue();
When NameId is transient, is it ok to assume that it stays the same within one particular session? I could not find concrete evidence from SAML documentation. I only know that it is not persistent across multiple sessions.
Should I actually use SessionIndex instead of NameId? Is it possible that the Service Provider gets a logout request that has a transient NameId with multiple SessionIndexes?
The actual problem: when the user is authenticated, I need to create a custom authentication token and tie it in the database to the SAML SessionIndex/NameId (whichever is the proper one). When the user logs out, I need to remove the corresponding custom token from the database using the same id that was used at login. How could I accomplish this with Spring SAML?
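One way to structure the handler described above, as an added example that is not part of the question and not Spring SAML's own code. It assumes the Spring Security SAML 1.x extension with its OpenSAML 2 types (`SAMLCredential`, `ExpiringUsernameAuthenticationToken`, `NameID`, `Assertion`, `AuthnStatement`); `CustomTokenRepository` and `sessionKey` are hypothetical names introduced here. The key is derived from the authenticating assertion's SessionIndex qualified by the NameID value, and the same function is meant to be called at login time so that both sides of the lifecycle agree on the identifier; the casts are guarded because logout handlers are also invoked for non-SAML logouts and for requests with no authentication at all.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.NameID;
import org.springframework.security.core.Authentication;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/**
 * Added example (not Spring SAML code): a LogoutHandler that removes a custom
 * token keyed by the SAML SessionIndex and NameID of the session being ended.
 */
public class SamlCustomTokenLogoutHandler implements LogoutHandler {

    /** Hypothetical persistence abstraction for the custom token table. */
    public interface CustomTokenRepository {
        void deleteBySessionKey(String sessionKey);
    }

    private final CustomTokenRepository repository;

    public SamlCustomTokenLogoutHandler(CustomTokenRepository repository) {
        this.repository = repository;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // Never cast blindly: the handler chain also runs for local logouts
        // and for requests that carry no authenticated principal.
        if (!(authentication instanceof ExpiringUsernameAuthenticationToken)) {
            return;
        }
        Object creds = authentication.getCredentials();
        if (!(creds instanceof SAMLCredential)) {
            return;
        }
        String key = sessionKey((SAMLCredential) creds);
        if (key != null) {
            repository.deleteBySessionKey(key);
        }
    }

    /**
     * Builds the lookup key. Call this same method from the login success
     * handler when storing the custom token, so login and logout use one id.
     * Prefers "nameId|sessionIndex"; falls back to whichever part is present
     * when the IdP omitted the SessionIndex or the NameID.
     */
    public static String sessionKey(SAMLCredential credential) {
        NameID nameId = credential.getNameID();
        String nameIdValue = (nameId != null) ? nameId.getValue() : null;

        String sessionIndex = null;
        Assertion assertion = credential.getAuthenticationAssertion();
        if (assertion != null) {
            List<AuthnStatement> statements = assertion.getAuthnStatements();
            if (statements != null && !statements.isEmpty()) {
                // The SessionIndex of the statement that authenticated this session.
                sessionIndex = statements.get(0).getSessionIndex();
            }
        }

        if (nameIdValue != null && sessionIndex != null) {
            return nameIdValue + "|" + sessionIndex;
        }
        return (sessionIndex != null) ? sessionIndex : nameIdValue;
    }
}
```

Register the handler by adding it to the `SAMLLogoutFilter` and `SAMLLogoutProcessingFilter` bean definitions alongside the existing `SecurityContextLogoutHandler`, so it runs for both SP-initiated and IdP-initiated single logout.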