我已经使用spring-saml建立了一个联盟。 SSO流程运行正常,但单点注销存在问题。
问题#1是我从我的SP拨打saml / logout后,它从Idp注销,也从我的SP注销,但它没有重定向到Idp登录页面。
问题#2是当我让其他SP参与我的SP的过程时,不知何故我的SP断链并且它将其他SP引导到我的SP注销页面,而不是Idp注销页面。
这是我的配置:
@Bean
public MethodInvokingFactoryBean socketFactoryInitialization() {
MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
methodInvokingFactoryBean.setTargetClass(Protocol.class);
methodInvokingFactoryBean.setTargetMethod("registerProtocol");
Object[] args = {"https", socketFactoryProtocol()};
methodInvokingFactoryBean.setArguments(args);
return methodInvokingFactoryBean;
}
@Bean
public WebSSOProfileOptions defaultWebSSOProfileOptions() {
WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
webSSOProfileOptions.setIncludeScoping(false);
return webSSOProfileOptions;
}
// Entry point to initialize authentication, default values taken from
// properties file
@Bean
public SAMLEntryPoint samlEntryPoint() {
SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
return samlEntryPoint;
}
// Setup advanced info about metadata
@Bean
public ExtendedMetadata extendedMetadata() {
ExtendedMetadata extendedMetadata = new ExtendedMetadata();
extendedMetadata.setIdpDiscoveryEnabled(false);
extendedMetadata.setSignMetadata(true);
return extendedMetadata;
}
// IDP Discovery Service
@Bean
public SAMLDiscovery samlIDPDiscovery() {
SAMLDiscovery idpDiscovery = new SAMLDiscovery();
idpDiscovery.setIdpSelectionPath("/saml/idpSelection");
return idpDiscovery;
}
@Bean
@Qualifier("idp-ssocircle")
public ExtendedMetadataDelegate ssoCircleExtendedMetadataProvider()
throws MetadataProviderException {
DefaultResourceLoader loader = new DefaultResourceLoader();
Resource resource = loader.getResource("classpath:/saml/idp.xml");
FilesystemMetadataProvider fileSystemMetaDataProvider = null;
try {
fileSystemMetaDataProvider = new FilesystemMetadataProvider(resource.getFile());
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
fileSystemMetaDataProvider.setParserPool(parserPool());
ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(fileSystemMetaDataProvider, extendedMetadata());
extendedMetadataDelegate.setMetadataTrustCheck(false);
extendedMetadataDelegate.setMetadataRequireSignature(false);
return extendedMetadataDelegate;
}
// IDP Metadata configuration - paths to metadata of IDPs in circle of trust
// is here
// Do no forget to call iniitalize method on providers
@Bean
@Qualifier("metadata")
public CachingMetadataManager metadata() throws MetadataProviderException {
List<MetadataProvider> providers = new ArrayList<MetadataProvider>();
providers.add(ssoCircleExtendedMetadataProvider());
return new CachingMetadataManager(providers);
}
// Filter automatically generates default SP metadata
@Bean
public MetadataGenerator metadataGenerator() {
log.debug("Application Base URL: " + env.getProperty("applicationBaseURL"));
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setBindingsSLO(Arrays.asList("Redirect", "POST"));
metadataGenerator.setRequestSigned(false);
metadataGenerator.setEntityId(env.getProperty("applicationBaseURL"));
metadataGenerator.setExtendedMetadata(extendedMetadata());
metadataGenerator.setIncludeDiscoveryExtension(false);
String url = env.getProperty("applicationBaseURL");
metadataGenerator.setEntityBaseURL(url);
return metadataGenerator;
}
// The filter is waiting for connections on URL suffixed with filterSuffix
// and presents SP metadata there
@Bean
public MetadataDisplayFilter metadataDisplayFilter() {
return new MetadataDisplayFilter();
}
// Handler deciding where to redirect user after successful login
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler =
new SavedRequestAwareAuthenticationSuccessHandler();
successRedirectHandler.setDefaultTargetUrl("/#/login");
return successRedirectHandler;
}
// Handler deciding where to redirect user after failed login
@Bean
public SimpleUrlAuthenticationFailureHandler authenticationFailureHandler() {
SimpleUrlAuthenticationFailureHandler failureHandler =
new SimpleUrlAuthenticationFailureHandler();
failureHandler.setUseForward(true);
failureHandler.setDefaultFailureUrl("/#/error");
return failureHandler;
}
@Bean
public SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter() throws Exception {
SAMLWebSSOHoKProcessingFilter samlWebSSOHoKProcessingFilter = new SAMLWebSSOHoKProcessingFilter();
samlWebSSOHoKProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
samlWebSSOHoKProcessingFilter.setAuthenticationManager(authenticationManager());
samlWebSSOHoKProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
return samlWebSSOHoKProcessingFilter;
}
// Processing filter for WebSSO profile messages
@Bean
public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
samlWebSSOProcessingFilter.setAuthenticationManager(authenticationManager());
samlWebSSOProcessingFilter.setAuthenticationSuccessHandler(successRedirectHandler());
samlWebSSOProcessingFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
return samlWebSSOProcessingFilter;
}
@Bean
public MetadataGeneratorFilter metadataGeneratorFilter() {
return new MetadataGeneratorFilter(metadataGenerator());
}
// Handler for successful logout
@Bean
public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
return successLogoutHandler;
}
// Logout handler terminating local session
@Bean
public SecurityContextLogoutHandler logoutHandler() {
SecurityContextLogoutHandler logoutHandler =
new SecurityContextLogoutHandler();
logoutHandler.setInvalidateHttpSession(true);
logoutHandler.setClearAuthentication(true);
return logoutHandler;
}
// Filter processing incoming logout messages
// First argument determines URL user will be redirected to after successful
// global logout
@Bean
public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
return new SAMLLogoutProcessingFilter(successLogoutHandler(), logoutHandler());
}
// Overrides default logout processing filter with the one processing SAML
// messages
@Bean
public SAMLLogoutFilter samlLogoutFilter() {
return new SAMLLogoutFilter(successLogoutHandler(),
new LogoutHandler[] { logoutHandler() },
new LogoutHandler[] { logoutHandler() });
}
// Bindings
private ArtifactResolutionProfile artifactResolutionProfile() {
final ArtifactResolutionProfileImpl artifactResolutionProfile =
new ArtifactResolutionProfileImpl(httpClient());
artifactResolutionProfile.setProcessor(new SAMLProcessorImpl(soapBinding()));
return artifactResolutionProfile;
}
@Bean
public HTTPArtifactBinding artifactBinding(ParserPool parserPool, VelocityEngine velocityEngine) {
return new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile());
}
@Bean
public HTTPSOAP11Binding soapBinding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPPostBinding httpPostBinding() {
return new HTTPPostBinding(parserPool(), velocityEngine());
}
@Bean
public HTTPRedirectDeflateBinding httpRedirectDeflateBinding() {
return new HTTPRedirectDeflateBinding(parserPool());
}
@Bean
public HTTPSOAP11Binding httpSOAP11Binding() {
return new HTTPSOAP11Binding(parserPool());
}
@Bean
public HTTPPAOS11Binding httpPAOS11Binding() {
return new HTTPPAOS11Binding(parserPool());
}
这是我的日志:
22:08:45.062 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.062 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:45.063 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.064 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.064 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:45.065 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:45.065 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:45.066 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
22:08:45.068 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
22:08:45.070 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: https://idp.server.com:443/fsso
22:08:45.070 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of https://idp.server.com:443/fsso
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
22:08:45.071 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Deflating and Base64 encoding SAML message
22:08:45.071 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Marshalling message
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Building URL to redirect client to
22:08:45.074 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generating signature with key type 'RSA', algorithm URI 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' over query string 'SAMLRequest=nZLbbtswDIbv9xSGbgvH8iG2I8QuWgQFjHVblrQF2jtaphMBtpSZctfHr5wsQ3dAge1GEAjyI%2F%2BfXF6%2B9J33jAMpowsWzjjzUEvTKL0r2P3djZ%2Bzy%2FLDkqDvooO4NTsz2g1%2BG5Gst3KP0mCPpXtrDySCAKQ0o7bkN%2Fg8%2B461ND3h4DrM3E8kSRy0RCaoVuttZzbYqAGlDXq0cNUpoMCVBao5MK9aFQwWKYZJmiDupIQ4rVOeIs%2F2ebpo3KQV0YiVJgvaFizi4dznsc%2BjuygUPBfJfMaz8Il5D2d90aTPKdYkTooKNg5aGCBFQkOPJKwU26tPt8KlisNgrJGmY%2BXJAHFsOLwlvA8Actonf1g5%2BePs6YyEbm%2FIipznPFgGb8HnNp8dqFp5N2bowb7fYYqoxm%2BPqcIOoEmhtsybGF9H6FSrcPjX9TBvu%2F4L4M%2F52X95ET%2FWLWYXcv1xk0WL6%2Fsv%2Bb6zPYYXa5WeHTl5UJ4vb4s0rbDSDb6UFKVtDUku87iGOosQQpnEnMdNNk9CcOwsalE2PPxB%2B63%2BZ%2FSXey5fAQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1'
22:08:45.075 [DEBUG] o.o.x.s.SigningUtil - Computing signature over input using private key of type RSA and JCA algorithm ID SHA1withRSA
22:08:45.103 [DEBUG] o.o.x.s.SigningUtil - Computed signature: 2b169f61974c194392a165a727652977da7847dd011e46acf69f57372ee3e680953fa12a27b0611b658f020104dfa5a4e6edec36cbb02a4eaa68f490b5cc40a940d36792fea9c96e4e334e0d1ce4a7d41dcdf8590b8557805cd752aebd01e59d5575f6b55ab804e381a71c46523ff5cd72a3e783a31c008cc4a350a8348aaec161928344c286c96b3dffbec05d2652db602d4501c086cdc21896ee67125da4774795507ecd8e1e0fbdd76febefd5313d15d784f832b083ceed40b45e452daedeb732e81911e7e3319aa2af9a0c22fa4bfcf21c92ac35cb204f3a478d7ef5e8d52fc0bfe2ca21877c66f7cf3240b896eef3155ca3972a78fefd20341ee0db6f41
22:08:45.103 [DEBUG] o.o.s.b.e.HTTPRedirectDeflateEncoder - Generated digital signature value (base64-encoded) KxafYZdMGUOSoWWnJ2Upd9p4R90BHkas9p9XNy7j5oCVP6EqJ7BhG2WPAgEE36Wk5u3sNsuwKk6qaPSQtcxAqUDTZ5L+qcluTjNODRzkp9QdzfhZC4VXgFzXUq69AeWdVXX2tVq4BOOBpxxGUj/1zXKj54OjHACMxKNQqDSKrsFhkoNEwobJaz3/vsBdJlLbYC1FAcCGzcIYlu5nEl2kd0eVUH7Njh4Pvddv6+/VMT0V14T4MrCDzu1AtF5FLa7etzLoGRHn4zGaoq+aDCL6S/zyHJKsNcsgTzpHjX716NUvwL/iyiGHfGb3zzJAuJbu8xVco5cqeP79IDQe4NtvQQ==
22:08:45.105 [DEBUG] PROTOCOL_MESSAGE -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:LogoutRequest
Destination="https://idp.server.com:443/fsso/IDPSloRedirect/metaAlias/dev/idp"
ID="a96e1464eegcca36b606e07h869d0"
IssueInstant="2015-03-02T21:08:45.071Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/</saml2:Issuer>
<saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="https://idp.server.com:443/fsso"
SPNameQualifier="http://localhost:8080/" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">3Ybfe7+cPKR729BUO8hltme1+Pi6</saml2:NameID>
<saml2p:SessionIndex>s26fba48c83bab72ea1c43003d7541afe772fecd01</saml2p:SessionIndex>
</saml2p:LogoutRequest>
22:08:45.105 [DEBUG] o.o.w.m.e.BaseMessageEncoder - Successfully encoded message.
22:08:46.345 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain a descriptor for entity http://localhost:8080/
22:08:46.345 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.ChainingMetadataProvider - Checking child metadata provider for entity descriptor with entity ID: http://localhost:8080/
22:08:46.346 [DEBUG] o.o.s.m.p.AbstractMetadataProvider - Searching for entity descriptor with an entity ID of http://localhost:8080/
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.347 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.347 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Building credential from keystore entry for entityID apollo, usage type UNSPECIFIED
22:08:46.348 [DEBUG] o.o.x.s.c.KeyStoreCredentialResolver - Processing PrivateKeyEntry from keystore
22:08:46.348 [DEBUG] o.o.x.s.c.c.EvaluableCredentialCriteriaRegistry - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
22:08:46.349 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/dom/defer-node-expansion'
22:08:46.351 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://javax.xml.XMLConstants/feature/secure-processing'
22:08:46.352 [DEBUG] o.o.x.p.StaticBasicParserPool - Setting DocumentBuilderFactory attribute 'http://apache.org/xml/features/disallow-doctype-decl'
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded RelayState: null
22:08:46.354 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Base64 decoding and inflating SAML message
22:08:46.354 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Parsing message stream into DOM document
22:08:46.355 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Unmarshalling message DOM
22:08:46.356 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Message succesfully unmarshalled
22:08:46.357 [DEBUG] o.o.s.b.d.HTTPRedirectDeflateDecoder - Decoded SAML message
22:08:46.357 [DEBUG] o.o.s.b.d.BaseSAML2MessageDecoder - Extracting ID, issuer and issue instant from status response
22:08:46.358 [DEBUG] PROTOCOL_MESSAGE -
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse
Destination="http://localhost:8080//saml/SingleLogout"
ID="s8ce9d2c8fd0758d2755ed7256479469b8c686665"
InResponseTo="a96e1464eegcca36b606e07h869d0"
IssueInstant="2015-03-02T21:08:45Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.server.com:443/fsso</saml:Issuer>
<samlp:Status
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode
Value="urn:oasis:names:tc:SAML:2.0:status:Success" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
</samlp:StatusCode>
</samlp:Status>
</samlp:LogoutResponse>
22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
22:08:46.358 [DEBUG] o.o.c.b.s.BaseSAMLSimpleSignatureSecurityPolicyRule - HTTP request was not signed via simple signature mechanism, skipping
22:08:46.358 [INFO] o.o.c.b.s.SAMLProtocolMessageXMLSignatureSecurityPolicyRule - SAML protocol message was not signed, skipping XML signature processing
22:08:46.358 [DEBUG] o.o.w.m.d.BaseMessageDecoder - Successfully decoded message.
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Checking SAML message intended destination endpoint against receiver endpoint
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Intended message destination endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - Actual message receiver endpoint: http://localhost:8080//saml/SingleLogout
22:08:46.358 [DEBUG] o.o.c.b.d.BaseSAMLMessageDecoder - SAML message intended destination endpoint matched recipient endpoint
22:08:48.145 [DEBUG] c.c.c.s.Http401UnauthorizedEntryPoint - Pre-authenticated entry point called. Rejecting access
有人可以帮我设置配置
由于
答案 0 :(得分:3)
Spring SAML应在成功单次注销后调用您的bean successLogoutHandler()。您可以将属性defaultTargetUrl设置为IDP登录页面的网址,将alwaysUseDefaultTargetUrl设置为true,以便用户在注销后始终发送到该位置。