I want to know what is really happening with Spring SAML as the SP when testing it with ADFS as the IdP, as the SLO that I am expecting is not happening.
- Spring Boot Version : 2.1.8.RELEASE
- Java version : 1.8
- ADFS version : 2.0
Note: I am using a single user's credentials on all the different browsers, e.g. user/user@123
I am following the steps below to achieve SSO:
- Get the list of IdPs from the SP
- Select one of the IdPs and log in on the given IdP login page
- The IdP sends a request to /saml/SSO; authentication is successful and the session starts
Now, in this process, whenever I open another SP and try to log in with the same IdP, it logs me in automatically.
For SLO, below are the steps I am following:
- I initiate an SLO request by hitting the SP at /saml/logout, which is further handled by SAMLLogoutFilter; the session is invalidated
- I see a LogoutRequest in the logs of all the SPs logged in on browser A.
- Logout is successful; now it asks for credentials for all the SPs in browser A.
When I try SSO on different browsers, it asks for credentials once per browser on the first SP and the rest of the SPs are logged in automatically, which I can understand, as the other browsers have no data of the user session the user wants to log in to. But after all the SPs are logged in from different browsers, I guess the IdP knows the connected SPs, and as per my understanding it should log out all the SPs across the browsers when an SLO is initiated from any of the SPs.
But the problem is that when an SLO is initiated from browser A, I see logout requests and the SPs are logged out only for those that were logged in on the same browser A; the SPs on the other browsers B and C are still logged in, and they do not ask for credentials unless /saml/logout is initiated explicitly for that browser instance.
SLO example:
SP1 and SP2 are logged in with browser A
SP3 is logged in with browser B
SP4 and SP5 are logged in with browser C
SLO initiated from browser A - SP2: then SP1 is logged out, but SP3, SP4 and SP5 are still logged in
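To make the SP side of the flow above concrete, here is an added example (not code from the original post) of how the two logout endpoints the question refers to are wired in a Spring Security SAML (spring-security-saml2-core 1.0.x) Java configuration: /saml/logout, handled by SAMLLogoutFilter, and /saml/SingleLogout, handled by SAMLLogoutProcessingFilter. The class name SamlLogoutConfig and the post-logout target URL "/" are assumptions; the filters, handlers, default URLs and the local request parameter are part of the library.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.SAMLLogoutFilter;
import org.springframework.security.saml.SAMLLogoutProcessingFilter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Assumed class name; the filters and handlers are the library's own types.
@Configuration
public class SamlLogoutConfig {

    // Invalidates the HTTP session and clears the SecurityContext of the
    // request being processed, i.e. the session named by the cookie the
    // calling browser presented. Sessions in other browsers are not touched.
    @Bean
    public SecurityContextLogoutHandler logoutHandler() {
        SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
        handler.setInvalidateHttpSession(true);
        handler.setClearAuthentication(true);
        return handler;
    }

    // Where the browser is sent once logout completes ("/" is an assumption).
    @Bean
    public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
        SimpleUrlLogoutSuccessHandler handler = new SimpleUrlLogoutSuccessHandler();
        handler.setDefaultTargetUrl("/");
        return handler;
    }

    // SP-initiated logout at /saml/logout (the filter's default URL).
    // Without ?local=true the filter runs the global handlers and sends a
    // LogoutRequest to the IdP (SLO). With ?local=true only the local handlers
    // run and no LogoutRequest leaves the SP, so the IdP never learns about it.
    @Bean
    public SAMLLogoutFilter samlLogoutFilter() {
        return new SAMLLogoutFilter(
                successLogoutHandler(),
                new LogoutHandler[] { logoutHandler() },   // local handlers
                new LogoutHandler[] { logoutHandler() });  // global handlers
    }

    // IdP-initiated logout at /saml/SingleLogout (the filter's default URL).
    // Processes the LogoutRequest the IdP sends to this SP during SLO, runs
    // the handlers against the session of that request and returns a
    // LogoutResponse to the IdP.
    @Bean
    public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
        return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
    }

    // Route the two URLs to their filters; other /saml/* chains (SSO,
    // metadata, WebSSO) are configured elsewhere and omitted here.
    @Bean
    public FilterChainProxy samlFilter() {
        List<SecurityFilterChain> chains = new ArrayList<>();
        chains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
        chains.add(new DefaultSecurityFilterChain(
                new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()));
        return new FilterChainProxy(chains);
    }
}
```

Hitting /saml/logout without parameters runs the global handlers and sends a LogoutRequest to the IdP, which is the SP-initiated SLO the question describes; /saml/logout?local=true runs only the local handlers and ends the SP session without involving the IdP, which is worth ruling out when an SLO does not propagate. On the receiving side, SecurityContextLogoutHandler invalidates the HTTP session of the request that carries the IdP's LogoutRequest, and with the front-channel HTTP-Redirect and HTTP-POST bindings that request arrives through the user's browser, so it can only name the session cookie that particular browser holds.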