Extend Saml2AuthenticationInfo to also provide the NameID value for SAML 2.0 Single Logout

chschu · chschu · commit 387f00dc5da4 · 2022-06-06T20:38:13.000+02:00
Issue gh-10820
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticatedPrincipal.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticatedPrincipal.java
@@ -77,6 +77,11 @@ default String getRelyingPartyRegistrationId() {
 		return null;
 	}
 
+	@Override
+	default String getNameId() {
+		return getName();
+	}
+
 	@Override
 	default List<String> getSessionIndexes() {
 		return Collections.emptyList();
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationInfo.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationInfo.java
@@ -18,6 +18,7 @@
 
 import java.util.List;
 
+import org.opensaml.saml.saml2.core.NameID;
 import org.opensaml.saml.saml2.core.SessionIndex;
 
 import org.springframework.security.core.Authentication;
@@ -41,6 +42,12 @@ public interface Saml2AuthenticationInfo {
 	 */
 	String getRelyingPartyRegistrationId();
 
+	/**
+	 * Get the {@link NameID} value of the authenticated principal
+	 * @return the {@link NameID} value of the authenticated principal
+	 */
+	String getNameId();
+
 	/**
 	 * Get the {@link SessionIndex} values of the authenticated principal
 	 * @return the {@link SessionIndex} values of the authenticated principal
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/OpenSamlLogoutRequestResolver.java
@@ -126,16 +126,19 @@ Saml2LogoutRequest resolve(HttpServletRequest request, Authentication authentica
 		issuer.setValue(registration.getEntityId());
 		logoutRequest.setIssuer(issuer);
 		NameID nameId = this.nameIdBuilder.buildObject();
-		nameId.setValue(authentication.getName());
 		logoutRequest.setNameID(nameId);
 		Saml2AuthenticationInfo info = Saml2AuthenticationInfo.fromAuthentication(authentication);
 		if (info != null) {
+			nameId.setValue(info.getNameId());
 			for (String index : info.getSessionIndexes()) {
 				SessionIndex sessionIndex = this.sessionIndexBuilder.buildObject();
 				sessionIndex.setSessionIndex(index);
 				logoutRequest.getSessionIndexes().add(sessionIndex);
 			}
 		}
+		else {
+			nameId.setValue(authentication.getName());
+		}
 		logoutRequestConsumer.accept(registration, logoutRequest);
 		if (logoutRequest.getID() == null) {
 			logoutRequest.setID("LR" + UUID.randomUUID());
