Add Single Logout Support

Closes gh-8731

Author: jzheaux

docs/manual/src/docs/asciidoc/_includes/servlet/saml2/saml2-login.adoc

@@ -1048,20 +1048,302 @@ filter.setRequestMatcher(new AntPathRequestMatcher("/saml2/metadata", "GET"));
 [[servlet-saml2login-logout]]
 === Performing Single Logout
 
-Spring Security does not yet support single logout.
+Spring Security ships with support for RP- and AP-initiated SAML 2.0 Single Logout.
 
-Generally speaking, though, you can achieve this by creating and registering a custom `LogoutSuccessHandler` and `RequestMatcher`:
+Briefly, there are two use cases Spring Security supports:
+
+* **RP-Initiated** - Your application has an endpoint that, when POSTed to, will send a `saml2:LogoutRequest` to the asserting party.
+Thereafter, the asserting party will send back a `saml2:LogoutResponse` and your application will complete its logout at that point
+* **AP-Initiated** - Your application has an endpoint that will receive a `saml2:LogoutRequest` from the asserting party.
+Your application will complete its logout at that point and then send a `saml2:LogoutResponse` to the asserting party.
+
+=== Minimal Configuration for Single Logout
+
+To use Spring Security's SAML 2.0 Single Logout feature, you will need the following things:
+
+* First, the asserting party must support SAML 2.0 Single Logout
+* Second, the asserting party should be configured to sign and POST `saml2:LogoutRequest` s and `saml2:LogoutResponse` s your application's `/logout` endpoint
+* Third, your application must have a PKCS#8 private key and X.509 certificate for signing `saml2:LogoutRequest` s and `saml2:LogoutResponse` s
+
+==== RP-Initiated Single Logout
+
+Given those, then for RP-initiated Single Logout, you can begin from the initial minimal example and add the following configuration:
+
+[source,java]
+----
+@Value("${private.key}") RSAPrivateKey key;
+@Value("${public.certificate}") X509Certificate certificate;
+
+@Bean
+RelyingPartyRegistrationRepository registrations() {
+    RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
+            .fromMetadataLocation("https://ap.example.org/metadata")
+            .registrationId("id")
+            .signingX509Credentials((signing) -> signing.add(Saml2X509Credential.signing(key, certificate))) <1>
+            .build();
+    return new InMemoryRelyingPartyRegistrationRepository(relyingPartyRegistration);
+}
+
+@Bean
+SecurityFilterChain web(HttpSecurity http, RelyingPartyRegistrationRepository registrations) throws Exception {
+	RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations);
+
+    http
+        .authorizeRequests((authorize) -> authorize
+            .anyRequest().authenticated()
+        )
+        .saml2Login(withDefaults())
+        .logout((logout) -> logout.addLogoutHandler(logoutHandler(registrationResolver)))
+        .addFilterBefore(filter(registrationResolver), LogoutFilter.class)
+        .csrf((csrf) -> csrf.ignoringRequestMatchers(hasLogoutResponse("/logout", "POST")));
+
+    return http.build();
+}
+
+private RequestMatcher hasLogoutResponse(String endpoint, String method) {
+	AntPathRequestMatcher logout = new AndPathRequestMatcher(endpoint, method);
+    return (request) -> logout.matches(request) && request.getParameter("SAMLResponse") != null;
+}
+
+private Filter filter(RelyingPartyRegistrationResolver registrationResolver) { <2>
+    OpenSamlLogoutRequestResolver delegate = new OpenSamlLogoutRequestResolver(registrationResolver);
+    Saml2LogoutRequestResolver logoutRequestResolver = (request, authentication) ->
+            delegate.resolveLogoutRequest(request, authentication)
+                    .logoutRequest((logoutRequest) -> logoutRequest.setIssueInstant(DateTime.now()));
+    return new Saml2RelyingPartyInitiatedLogoutFilter(logoutRequestResolver);
+}
+
+private LogoutHandler logoutHandler(RelyingPartyRegistrationResolver registrationResolver) { <3>
+    return new OpenSamlLogoutResponseHandler(relyingPartyRegistrationResolver);
+}
+----
+<1> - First, add your signing key to the `RelyingPartyRegistration` instance or to <<servlet-saml2login-rpr-duplicated,multiple instances>>
+<2> - Second, supply a `Filter` for initiating Single Logout, sending a `saml2:LogoutRequest` to the asserting party
+<3> - Third, supply the `LogoutHandler` s needed to handle the `saml2:LogoutResponse` s sent from the asserting party.
+
+==== Runtime Expectations for RP-Initiated
+
+Given the above configuration any logged in user can send a `POST /saml2/logout` to your application.
+Your application will then do the following:
+
+1. Use a `Saml2LogoutRequestResolver` to create, sign, and serialize a `<saml2:LogoutRequest>` based on the <<servlet-saml2login-relyingpartyregistration,`RelyingPartyRegistration`>> associated with the currently logged-in user.
+2. Send a redirect or post to the asserting party based on the <<servlet-saml2login-relyingpartyregistration,`RelyingPartyRegistration`>>
+3. Deserialize, verify, and process the `<saml2:LogoutResponse>` sent by the asserting party
+4. Logout the user and redirect to any configured successful logout endpoint
+
+[TIP]
+If your asserting party does not send `<saml2:LogoutResponse>` s when logout is complete, the asserting party can still send a `POST /logout` and then there is no need to configure the `Saml2LogoutResponseHandler`.
+
+==== AP-Initiated Single Logout
+
+Instead of RP-initiated Single Logout, you can again begin from the initial minimal example and add the following configuration to achieve AP-initiated Single Logout:
+
+[source,java]
+----
+@Value("${private.key}") RSAPrivateKey key;
+@Value("${public.certificate}") X509Certificate certificate;
+
+@Bean
+RelyingPartyRegistrationRepository registrations() {
+    RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
+            .fromMetadataLocation("https://ap.example.org/metadata")
+            .registrationId("id")
+            .signingX509Credentials((signing) -> signing.add(Saml2X509Credential.signing(key, certificate))) <1>
+            .build();
+    return new InMemoryRelyingPartyRegistrationRepository(relyingPartyRegistration);
+}
+
+@Bean
+SecurityFilterChain web(HttpSecurity http, RelyingPartyRegistrationRepository registrations) throws Exception {
+	RelyingPartyRegistrationResolver registrationResolver = new DefaultRelyingPartyRegistrationResolver(registrations);
+
+    http
+        .authorizeRequests((authorize) -> authorize
+            .anyRequest().authenticated()
+        )
+        .saml2Login(withDefaults())
+        .logout((logout) -> logout
+            .addLogoutHandler(logoutHandler(registrationResolver))
+            .logoutSuccessHandler(logoutSuccessHandler(registrationResolver))
+        )
+        .csrf((csrf) -> csrf.ignoringRequestMatchers(hasLogoutRequest("/logout", "POST")));
+
+    return http.build();
+}
+
+private RequestMatcher hasLogoutRequest(String endpoint, String method) {
+	AntPathRequestMatcher logout = new AndPathRequestMatcher(endpoint, method);
+    return (request) -> logout.matches(request) && request.getParameter("SAMLRequest") != null;
+}
+
+private LogoutHandler logoutHandler(RelyingPartyRegistrationResolver registrationResolver) { <2>
+    return new OpenSamlLogoutRequestHandler(relyingPartyRegistrationResolver);
+}
+
+private LogoutSuccessHandler logoutSuccessHandler(RelyingPartyRegistrationResolver registrationResolver) { <3>
+    OpenSamlLogoutResponseResolver delegate = new OpenSamlLogoutResponseResolver(registrationResolver);
+    Saml2LogoutResponsetResolver logoutResponseResolver = (request, authentication) ->
+            delegate.resolveLogoutResponse(request, authentication)
+                    .logoutResponse((logoutResponse) -> logoutResponse.setIssueInstant(DateTime.now()));
+    return new Saml2AssertingPartyInitiatedLogoutSuccessHandler(logoutResponseResolver);
+}
+----
+<1> - First, add your signing key to the `RelyingPartyRegistration` instance or to <<servlet-saml2login-rpr-duplicated,multiple instances>>
+<2> - Second, supply the `LogoutHandler` needed to handle the `saml2:LogoutRequest` s sent from the asserting party.
+<3> - Third, supply a `LogoutSuccessHandler` for completing Single Logout, sending a `saml2:LogoutResponse` to the asserting party
+
+==== Runtime Expectations for AP-Initiated
+
+Given the above configuration, an asserting party can send a `POST /logout` to your application that includes a `<saml2:LogoutRequest>`
+Your application will then do the following:
+
+1. Use a `Saml2LogoutRequestHandler` to deserialize, verify, and process the `<saml2:LogoutRequest>` sent by the asserting party
+2. Logout the user
+3. Create, sign, and serialize a `<saml2:LogoutResponse>` based on the <<servlet-saml2login-relyingpartyregistration,`RelyingPartyRegistration`>> associated with the just logged-out user
+4. Send a redirect or post to the asserting party based on the <<servlet-saml2login-relyingpartyregistration,`RelyingPartyRegistration`>>
+
+[TIP]
+If your asserting party does not expect you do send a `<saml2:LogoutResponse>` s when logout is complete, you may not need to configure a `LogoutSuccessHandler`
+
+[NOTE]
+In the event that you need to support both logout flows, you can combine the above to configurations.
+
+=== Configuring Logout Endpoints
+
+There are two default endpoints that Spring Security's SAML 2.0 Single Logout support exposes:
+* `/saml2/logout` - the endpoint for initiating single logout with an asserting party
+* `/logout` - the endpoint for receiving logout requests and responses from an asserting party
+
+Because the user is already logged in, the `registrationId` is already known.
+For this reason, `+{registrationId}+` is not part of these URLs by default.
+
+The first URL is not customizable at this point since this is not a URL that gets configured with the asserting party.
+As such the need to customize this endpoint is minimal, though this can be added to the support down the road.
+
+The second URL is customizable through Spring Security's <<jc-logout,general-purpose logout support>>.
+
+For example, if you are migrating your existing relying party over to Spring Security, your asserting party may already be pointing to `GET /SLOService.saml2`.
+To reduce changes in configuration for the asserting party, you can configure `logout` in the DSL like so:
 
 [source,java]
 ----
 http
     // ...
-    .logout(logout -> logout
-        .logoutSuccessHandler(myCustomSuccessHandler())
-        .logoutRequestMatcher(myRequestMatcher())
-    )
+    .logout((logout) -> logout
+        .logoutRequestMatcher(new AntPathRequestMatcher("/SLOService.saml2", "POST"))
+        // add logout handlers
+    );
 ----
 
-The success handler will send logout requests to the asserting party.
+In redirect circumstances it's important to maintain your defense mechanisms for CSRF Logout.
+You can configure your SAML 2.0 logout as a GET by only matching when there is a `SAMLRequest` (or `SAMLResponse`) present, like so:
 
-The request matcher will detect logout requests from the asserting party.
+[source,java]
+----
+http
+    // ...
+    .logout((logout) -> logout
+        .logoutRequestMatcher(hasLogoutRequest("/SLOService.saml2", "GET"))
+        // add logout handlers
+    );
+----
+
+=== Customizing `<saml2:LogoutRequest>` Resolution
+
+It's common to need to set other values in the `<saml2:LogoutRequest>` than the defaults that Spring Security provides.
+
+By default, Spring Security will issue a `<saml2:LogoutRequest>` and supply:
+
+* The `Destination` attribute - from `RelyingPartyRegistration#getAssertingPartyDetails#getSingleLogoutServiceLocation`
+* The `ID` attribute - a GUID
+* The `<Issuer>` element - from `RelyingPartyRegistration#getEntityId`
+* The `<NameID>` element - from `Authentication#getName`
+
+To add other values, you can use delegation, like so:
+
+[source,java]
+----
+OpenSamlLogoutRequestResolver delegate = new OpenSamlLogoutRequestResolver(registrationResolver);
+return (request, response, authentication) -> {
+	OpenSamlLogoutRequestPartial partial = delegate.resolveLogoutRequest(request, response, authentication); <1>
+	partial.name(((Saml2AuthenticatedPrincipal) authentication.getPrincipal()).getFirstAttribute("CustomAttribute")); <2>
+	partial.logoutRequest((logoutRequest) -> logoutRequest.setIssueInstant(DateTime.now()));
+	return partial.logoutRequest(); <3>
+};
+----
+<1> - Spring Security partially applies the values to a `<saml2:LogoutRequest>`
+<2> - Your application specifies customizations
+<3> - You complete the invocation by calling `request()`
+
+[NOTE]
+Support for OpenSAML 4 is coming.
+In anticipation of that, `OpenSamlLogoutRequestResolver` does not add an `IssueInstant`.
+Once OpenSAML 4 support is added, the default will be able to appropriate negotiate that datatype change, meaning you will no longer have to set it.
+
+=== Customizing `<saml2:LogoutResponse>` Resolution
+
+It's common to need to set other values in the `<saml2:LogoutResponse>` than the defaults that Spring Security provides.
+
+By default, Spring Security will issue a `<saml2:LogoutResponse>` and supply:
+
+* The `Destination` attribute - from `RelyingPartyRegistration#getAssertingPartyDetails#getSingleLogoutServiceResponseLocation`
+* The `ID` attribute - a GUID
+* The `<Issuer>` element - from `RelyingPartyRegistration#getEntityId`
+* The `<Status>` element - `SUCCESS`
+
+To add other values, you can use delegation, like so:
+
+[source,java]
+----
+OpenSamlLogoutResponseResolver delegate = new OpenSamlLogoutResponseResolver(registrationResolver);
+return (request, response, authentication) -> {
+	OpenSamlLogoutResponsePartial partial = delegate.resolveLogoutResponse(request, response, authentication); <1>
+    if (checkOtherPrevailingConditions()) {
+        partial.status(StatusCode.PARTIAL_LOGOUT); <2>
+    }
+	partial.logoutResponse((logoutResponse) -> logoutResponse.setIssueInstant(DateTime.now()));
+	return partial.logoutResponse(); <3>
+};
+----
+<1> - Spring Security partially applies the values to a `<saml2:LogoutResponse>`
+<2> - Your application specifies customizations
+<3> - You complete the invocation by calling `response()`
+
+[NOTE]
+Support for OpenSAML 4 is coming.
+In anticipation of that, `OpenSamlLogoutResponseResolver` does not add an `IssueInstant`.
+Once OpenSAML 4 support is added, the default will be able to appropriate negotiate that datatype change, meaning you will no longer have to set it.
+
+=== Customizing `<saml2:LogoutRequest>` Validation
+
+To customize validation, you can implement your own `LogoutHandler`.
+At this point, the validation is minimal, so you may be able to first delegate to the default `LogoutHandler` like so:
+
+[source,java]
+----
+LogoutHandler logoutHandler(RelyingPartyRegistrationResolver registrationResolver) {
+	OpenSamlLogoutRequestHandler delegate = new OpenSamlLogoutRequestHandler(registrationResolver);
+	return (request, response, authentication) -> {
+		delegate.logout(request, response, authentication); // verify signature, issuer, destination, and principal name
+		LogoutRequest logoutRequest = // ... parse using OpenSAML
+        // perform custom validation
+	}
+}
+----
+
+=== Customizing `<saml2:LogoutResponse>` Validation
+
+To customize validation, you can implement your own `LogoutHandler`.
+At this point, the validation is minimal, so you may be able to first delegate to the default `LogoutHandler` like so:
+
+[source,java]
+----
+LogoutHandler logoutHandler(RelyingPartyRegistrationResolver registrationResolver) {
+	OpenSamlLogoutResponseHandler delegate = new OpenSamlLogoutResponseHandler(registrationResolver);
+	return (request, response, authentication) -> {
+		delegate.logout(request, response, authentication); // verify signature, issuer, destination, and status
+		LogoutResponse logoutResponse = // ... parse using OpenSAML
+        // perform custom validation
+	}
+}
+----

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ErrorCodes.java

@@ -37,6 +37,13 @@ public interface Saml2ErrorCodes {
 	 */
 	String MALFORMED_RESPONSE_DATA = "malformed_response_data";
 
+	/**
+	 * Request is invalid in a general way.
+	 *
+	 * @since 5.5
+	 */
+	String INVALID_REQUEST = "invalid_request";
+
 	/**
 	 * Response is invalid in a general way.
 	 *