This is related to "Spring Security SAML One Login Global Single Logout LogoutRequest Parsing Issue".
The problem here is that the NameID format is not matching, as per:
    private boolean equalsNameID(NameID a, NameID b) {
        boolean equals = !differ(a.getSPProvidedID(), b.getSPProvidedID());
        equals = equals && !differ(a.getValue(), b.getValue());
        equals = equals && !differ(a.getFormat(), b.getFormat());
        equals = equals && !differ(a.getNameQualifier(), b.getNameQualifier());
        equals = equals && !differ(a.getSPNameQualifier(), b.getSPNameQualifier());
        equals = equals && !differ(a.getSPProvidedID(), b.getSPProvidedID());
        return equals;
    }
It's failing ONLY on:
    equals = equals && !differ(a.getFormat(), b.getFormat());
Upon debugging, I found out the following values:
    a.getFormat() = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (from Spring SAML)
    b.getFormat() = null (from OneLogin acting as the IdP)
Is it possible to turn off the format check in Spring SAML via extended metadata properties (or in some other way)?