Spring saml - 单点注销

时间:2015-03-02 21:38:02

标签: spring spring-saml

我已经使用 spring-saml 建立了一个联合身份环境。SSO 流程运行正常，但单点注销存在问题。

问题 #1：我从我的 SP 调用 saml/logout 后，它从 IdP 注销，也从我的 SP 注销，但没有重定向到 IdP 登录页面。

问题 #2：当我让其他 SP 参与我的 SP 的注销流程时，不知为何链条在我的 SP 处断开，它把其他 SP 引导到我的 SP 的注销页面，而不是 IdP 的注销页面。

这是我的配置:

   @Bean
public MethodInvokingFactoryBean socketFactoryInitialization() {
    // Registers the custom socket factory for the "https" scheme once at startup by
    // invoking Protocol.registerProtocol("https", socketFactoryProtocol()) through a
    // MethodInvokingFactoryBean.
    final Object[] registerArgs = new Object[] { "https", socketFactoryProtocol() };
    final MethodInvokingFactoryBean invoker = new MethodInvokingFactoryBean();
    invoker.setTargetClass(Protocol.class);
    invoker.setTargetMethod("registerProtocol");
    invoker.setArguments(registerArgs);
    return invoker;
}

@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
    // Options handed to samlEntryPoint() as its default profile options. Scoping is
    // switched off (presumably this omits the Scoping element from the requests the
    // entry point initiates — verify against the Spring SAML docs if it matters).
    final WebSSOProfileOptions options = new WebSSOProfileOptions();
    options.setIncludeScoping(Boolean.FALSE);
    return options;
}

// Entry point to initialize authentication, default values taken from
// properties file
@Bean
public SAMLEntryPoint samlEntryPoint() {
    final SAMLEntryPoint entryPoint = new SAMLEntryPoint();
    // Share the single set of WebSSO options so every initiated login uses them.
    entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
    return entryPoint;
}

// Setup advanced info about metadata
@Bean
public ExtendedMetadata extendedMetadata() {
    // One ExtendedMetadata instance shared by the SP metadata generator and by the
    // IdP metadata delegate. Metadata signing is on; IdP discovery is off because a
    // single IdP is registered in metadata().
    // NOTE(review): the attached log shows the IdP's LogoutResponse arriving unsigned
    // and being accepted ("SAML protocol message was not signed, skipping"). Nothing
    // here requires signed logout messages; if the IdP can sign them, consider
    // setRequireLogoutResponseSigned / setRequireLogoutRequestSigned on the IdP-side
    // extended metadata — confirm what the IdP actually emits first.
    final ExtendedMetadata metadata = new ExtendedMetadata();
    metadata.setSignMetadata(true);
    metadata.setIdpDiscoveryEnabled(false);
    return metadata;
}

// IDP Discovery Service
@Bean
public SAMLDiscovery samlIDPDiscovery() {
    // Discovery bean is still registered even though extendedMetadata() turns IdP
    // discovery off; the selection-page path is kept for when it is enabled.
    final SAMLDiscovery discovery = new SAMLDiscovery();
    discovery.setIdpSelectionPath("/saml/idpSelection");
    return discovery;
}

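@Bean
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider()
    throws MetadataProviderException {

    // IdP metadata is read from a bundled classpath file. Resource.getFile() only
    // works when the resource is a real file on disk (not packaged inside a jar) —
    // confirm the deployment layout if this starts failing after packaging.
    DefaultResourceLoader loader = new DefaultResourceLoader();
    Resource resource = loader.getResource("classpath:/saml/idp.xml");

    FilesystemMetadataProvider fileSystemMetaDataProvider;
    try {
        fileSystemMetaDataProvider = new FilesystemMetadataProvider(resource.getFile());
    } catch (IOException e) {
        // Previously the exception was only printed and the still-null provider was
        // dereferenced below (NullPointerException). Fail fast with the cause attached
        // so the context refuses to start rather than running without IdP metadata.
        throw new MetadataProviderException(
            "Unable to load IdP metadata from " + resource.getDescription(), e);
    }

    fileSystemMetaDataProvider.setParserPool(parserPool());

    ExtendedMetadataDelegate extendedMetadataDelegate =
        new ExtendedMetadataDelegate(fileSystemMetaDataProvider, extendedMetadata());
    // Trust check and signature requirement are disabled: the metadata comes from a
    // file shipped with the application, so its integrity rests on the deployment
    // artifact rather than on a signature. Re-enable both before switching this to
    // a remote (HTTP) metadata provider.
    extendedMetadataDelegate.setMetadataTrustCheck(false);
    extendedMetadataDelegate.setMetadataRequireSignature(false);
    return extendedMetadataDelegate;
}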

// IDP Metadata configuration - paths to metadata of IDPs in circle of trust
// is here
// Do not forget to call the initialize method on providers
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
    // Single-IdP circle of trust: the only provider is the classpath-backed one
    // built by ssoCircleExtendedMetadataProvider().
    final List<MetadataProvider> providers = new ArrayList<MetadataProvider>(1);
    providers.add(ssoCircleExtendedMetadataProvider());
    return new CachingMetadataManager(providers);
}

// Filter automatically generates default SP metadata
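@Bean
public MetadataGenerator metadataGenerator() {
    // Read the property once; the original read it three times. It serves both as
    // the SP entityId and as the base for every generated endpoint URL.
    final String baseUrl = env.getProperty("applicationBaseURL");
    log.debug("Application Base URL: " + baseUrl);

    // NOTE(review): the logged LogoutResponse Destination is
    // "http://localhost:8080//saml/SingleLogout" — a double slash — which suggests
    // the configured applicationBaseURL ends with "/" and the generator appends
    // "/saml/...". The value should presumably be given without a trailing slash;
    // verify against the entityId registered at the IdP before changing it.
    MetadataGenerator metadataGenerator = new MetadataGenerator();
    metadataGenerator.setEntityId(baseUrl);
    metadataGenerator.setEntityBaseURL(baseUrl);
    metadataGenerator.setExtendedMetadata(extendedMetadata());
    // Advertise both SLO bindings so the IdP may use either for logout messages.
    metadataGenerator.setBindingsSLO(Arrays.asList("Redirect", "POST"));
    // Requests sent by this SP are not signed (the metadata document itself still
    // is, via extendedMetadata()); the IdP must therefore accept unsigned requests.
    metadataGenerator.setRequestSigned(false);
    metadataGenerator.setIncludeDiscoveryExtension(false);

    return metadataGenerator;
}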

// The filter is waiting for connections on URL suffixed with filterSuffix
// and presents SP metadata there
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
    // Serves the generated SP metadata document; defaults are sufficient here.
    final MetadataDisplayFilter displayFilter = new MetadataDisplayFilter();
    return displayFilter;
}

// Handler deciding where to redirect user after successful login
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
    // After a successful login the user is sent to the client-side "/#/login" route
    // unless (judging by the handler type) a previously saved request takes priority.
    final SavedRequestAwareAuthenticationSuccessHandler handler =
        new SavedRequestAwareAuthenticationSuccessHandler();
    handler.setDefaultTargetUrl("/#/login");
    return handler;
}

// Handler deciding where to redirect user after failed login
@Bean
public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
    final SimpleUrlAuthenticationFailureHandler handler =
        new SimpleUrlAuthenticationFailureHandler();
    // Forward (rather than redirect) to the client-side error route.
    // NOTE(review): a "#" fragment is a browser-side construct; whether a server-side
    // forward to "/#/error" resolves as intended should be verified in the container.
    handler.setDefaultFailureUrl("/#/error");
    handler.setUseForward(true);
    return handler;
}

@Bean
public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
    // HoK variant of the WebSSO processing filter; wired to the same authentication
    // manager and success/failure handlers as samlWebSSOProcessingFilter().
    final SAMLWebSSOHoKProcessingFilter hokFilter = new SAMLWebSSOHoKProcessingFilter();
    hokFilter.setAuthenticationManager(authenticationManager());
    hokFilter.setAuthenticationSuccessHandler(successRedirectHandler());
    hokFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
    return hokFilter;
}

// Processing filter for WebSSO profile messages
@Bean
public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
    // Standard WebSSO processing filter; handlers are shared with the HoK filter.
    final SAMLProcessingFilter ssoFilter = new SAMLProcessingFilter();
    ssoFilter.setAuthenticationSuccessHandler(successRedirectHandler());
    ssoFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
    ssoFilter.setAuthenticationManager(authenticationManager());
    return ssoFilter;
}

@Bean
public MetadataGeneratorFilter metadataGeneratorFilter() {
    // Wraps the generator so SP metadata is produced on first request.
    final MetadataGenerator generator = metadataGenerator();
    return new MetadataGeneratorFilter(generator);
}

// Handler for successful logout
@Bean
public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
    // Invoked once the (global) logout has completed. Neither defaultTargetUrl nor
    // alwaysUseDefaultTargetUrl is configured, so the handler falls back to its
    // built-in default target. The accepted answer suggests pointing defaultTargetUrl
    // at the IdP login page and enabling alwaysUseDefaultTargetUrl so users always
    // land there after logout.
    final SimpleUrlLogoutSuccessHandler handler = new SimpleUrlLogoutSuccessHandler();
    return handler;
}

// Logout handler terminating local session
@Bean
public SecurityContextLogoutHandler logoutHandler() {
    // Local logout: invalidate the HTTP session and clear the security context so no
    // authenticated state survives on this SP.
    final SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
    handler.setClearAuthentication(true);
    handler.setInvalidateHttpSession(true);
    return handler;
}

// Filter processing incoming logout messages
// First argument determines URL user will be redirected to after successful
// global logout
@Bean
public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
    // Handles inbound LogoutRequest/LogoutResponse messages: the local handler
    // terminates the session, the success handler decides where the user goes next.
    final SimpleUrlLogoutSuccessHandler onSuccess = successLogoutHandler();
    final SecurityContextLogoutHandler localLogout = logoutHandler();
    return new SAMLLogoutProcessingFilter(onSuccess, localLogout);
}

// Overrides default logout processing filter with the one processing SAML
// messages
@Bean
public SAMLLogoutFilter samlLogoutFilter() {
    // The same session-terminating handler is used for both the local-only and the
    // global logout paths; successLogoutHandler() picks the post-logout destination.
    final LogoutHandler[] localHandlers = new LogoutHandler[] { logoutHandler() };
    final LogoutHandler[] globalHandlers = new LogoutHandler[] { logoutHandler() };
    return new SAMLLogoutFilter(successLogoutHandler(), localHandlers, globalHandlers);
}

// Bindings
private ArtifactResolutionProfile artifactResolutionProfile() {
    // Artifact resolution is performed over the SOAP binding using the shared
    // httpClient() bean.
    ArtifactResolutionProfileImpl profile = new ArtifactResolutionProfileImpl(httpClient());
    SAMLProcessorImpl soapProcessor = new SAMLProcessorImpl(soapBinding());
    profile.setProcessor(soapProcessor);
    return profile;
}

@Bean
public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
    // Unlike the other binding beans below, parserPool and velocityEngine are injected
    // here as method parameters rather than obtained via the sibling bean methods.
    final ArtifactResolutionProfile resolution = artifactResolutionProfile();
    return new HTTPArtifactBinding(parserPool, velocityEngine, resolution);
}

@Bean
public HTTPSOAP11Binding soapBinding() {
    // SOAP 1.1 binding used by artifactResolutionProfile(). Note that
    // httpSOAP11Binding() registers a second, separate bean of the same type over
    // the same parser pool.
    final ParserPool pool = parserPool();
    return new HTTPSOAP11Binding(pool);
}

@Bean
public HTTPPostBinding httpPostBinding() {
    // HTTP-POST binding; needs the Velocity engine to render the auto-submit form.
    final ParserPool pool = parserPool();
    final VelocityEngine engine = velocityEngine();
    return new HTTPPostBinding(pool, engine);
}

@Bean
public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
    // HTTP-Redirect (DEFLATE) binding — the one the attached log shows being used
    // for the outbound LogoutRequest and the inbound LogoutResponse.
    final ParserPool pool = parserPool();
    return new HTTPRedirectDeflateBinding(pool);
}

@Bean
public HTTPSOAP11Binding httpSOAP11Binding() {
    // Second HTTPSOAP11Binding bean, identical in construction to soapBinding();
    // both remain registered.
    final ParserPool pool = parserPool();
    return new HTTPSOAP11Binding(pool);
}

@Bean
public HTTPPAOS11Binding httpPAOS11Binding() {
    // PAOS (reverse SOAP) binding over the shared parser pool.
    final ParserPool pool = parserPool();
    return new HTTPPAOS11Binding(pool);
}

这是我的日志:

    22:08:45.062 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.064 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.065 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.066 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
22:08:45.070 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://idp.server.com:443/fsso
22:08:45.070 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://idp.server.com:443/fsso
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
22:08:45.071 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Deflating and Base64 encoding SAML message
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Marshalling message
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Building URL to redirect client to
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generating signature with key type 'RSA', algorithm URI 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' over query string 'SAMLRequest=nZLbbtswDIbv9xSGbgvH8iG2I8QuWgQFjHVblrQF2jtaphMBtpSZctfHr5wsQ3dAge1GEAjyI%2F%2BfXF6%2B9J33jAMpowsWzjjzUEvTKL0r2P3djZ%2Bzy%2FLDkqDvooO4NTsz2g1%2BG5Gst3KP0mCPpXtrDySCAKQ0o7bkN%2Fg8%2B461ND3h4DrM3E8kSRy0RCaoVuttZzbYqAGlDXq0cNUpoMCVBao5MK9aFQwWKYZJmiDupIQ4rVOeIs%2F2ebpo3KQV0YiVJgvaFizi4dznsc%2BjuygUPBfJfMaz8Il5D2d90aTPKdYkTooKNg5aGCBFQkOPJKwU26tPt8KlisNgrJGmY%2BXJAHFsOLwlvA8Actonf1g5%2BePs6YyEbm%2FIipznPFgGb8HnNp8dqFp5N2bowb7fYYqoxm%2BPqcIOoEmhtsybGF9H6FSrcPjX9TBvu%2F4L4M%2F52X95ET%2FWLWYXcv1xk0WL6%2Fsv%2Bb6zPYYXa5WeHTl5UJ4vb4s0rbDSDb6UFKVtDUku87iGOosQQpnEnMdNNk9CcOwsalE2PPxB%2B63%2BZ%2FSXey5fAQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1'
22:08:45.075 [DEBUG] o.o.x.s.SigningUtil - Computing signature over input using private key of type RSA and JCA algorithm ID SHA1withRSA
22:08:45.103 [DEBUG] o.o.x.s.SigningUtil - Computed signature: 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
22:08:45.103 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generated digital signature value (base64-encoded) KxafYZdMGUOSoWWnJ2Upd9p4R90BHkas9p9XNy7j5oCVP6EqJ7BhG2WPAgEE36Wk5u3sNsuwKk6qaPSQtcxAqUDTZ5L+qcluTjNODRzkp9QdzfhZC4VXgFzXUq69AeWdVXX2tVq4BOOBpxxGUj/1zXKj54OjHACMxKNQqDSKrsFhkoNEwobJaz3/vsBdJlLbYC1FAcCGzcIYlu5nEl2kd0eVUH7Njh4Pvddv6+/VMT0V14T4MrCDzu1AtF5FLa7etzLoGRHn4zGaoq+aDCL6S/zyHJKsNcsgTzpHjX716NUvwL/iyiGHfGb3zzJAuJbu8xVco5cqeP79IDQe4NtvQQ==
22:08:45.105 [DEBUG] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
    Destination="https://idp.server.com:443/fsso/IDPSloRedirect/metaAlias/dev/idp"
    ID="a96e1464eegcca36b606e07h869d0"
    IssueInstant="2015-03-02T21:08:45.071Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/</saml2:Issuer>
    <saml2:NameID
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.server.com:443/fsso"
        SPNameQualifier="http://localhost:8080/" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">3Ybfe7+cPKR729BUO8hltme1+Pi6</saml2:NameID>
    <saml2p:SessionIndex>s26fba48c83bab72ea1c43003d7541afe772fecd01</saml2p:SessionIndex>
</saml2p:LogoutRequest>

22:08:45.105 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Successfully encoded message.
22:08:46.345 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.347 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.348 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.349 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
22:08:46.351 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
22:08:46.352 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded RelayState: null
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Base64 decoding and inflating SAML message
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Parsing message stream into DOM document
22:08:46.355 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Unmarshalling message DOM
22:08:46.356 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Message succesfully unmarshalled
22:08:46.357 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded SAML message
22:08:46.357 [DEBUG] o.o.s.b.d.BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
22:08:46.358 [DEBUG] PROTOCOL_MESSAGE - 
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse
    Destination="http://localhost:8080//saml/SingleLogout"
    ID="s8ce9d2c8fd0758d2755ed7256479469b8c686665"
    InResponseTo="a96e1464eegcca36b606e07h869d0"
    IssueInstant="2015-03-02T21:08:45Z" Version="2.0"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.server.com:443/fsso</saml:Issuer>
<samlp:Status
            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode
            Value="urn:oasis:names:tc:SAML:2.0:status:Success" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
</samlp:StatusCode>
</samlp:Status>
</samlp:LogoutResponse>

22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
22:08:46.358 [INFO] o.o.c.b.s.SAMLProtocolMessageXMLSignatureSecurityPolicyRule - SAML protocol message was not signed, skipping XML signature processing
22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Successfully decoded message.
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Intended message destination endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Actual message receiver endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
22:08:48.145 [DEBUG] c.c.c.s.Http401UnauthorizedEntryPoint - Pre-authenticated entry point called. Rejecting access

有人可以帮我调整这个配置吗？

谢谢

1 个答案:

答案 0 :(得分:3)

Spring SAML 应在单点注销成功后调用您的 bean successLogoutHandler()。您可以将其属性 defaultTargetUrl 设置为 IdP 登录页面的网址，并将 alwaysUseDefaultTargetUrl 设置为 true，这样用户在注销后总会被发送到该位置。