I am using SimpleSAMLphp 2.x as an Identity Provider (IDP) along with Spring Boot 2.7. My Spring SAML Security (spring-security-saml2-service-provider) version is 5.7.5 (recently updated).
Currently, I can perform SAML Single Logout (SLO) without any issues using the GET /logout request. However, this triggers a confirmation dialog in Spring Security, asking "Do you want to logout?" I'd like to bypass this dialog and perform a direct logout.
To achieve this, I tried using a form-based POST /logout from my Angular frontend app. I included the XSRF token in the header and _csrf in the payload. The process successfully triggers SLO and returns a 302 status code, which then redirects to the IDP. The SAMLRequest in the redirect URL looks like this: https://my-idp:8443/sso/module.php/saml/idp/singleLogout?SAMLRequest=***.
However, the browser displays a CORS error:
The error says that the request (redirected from 'http://localhost:8000/service-provider/logout') from origin 'http://localhost:8000' has been blocked by the CORS policy: the preflight request's access control check failed because there is no 'Access-Control-Allow-Origin' header on the requested resource.
My POST request from my Angular frontend is as follows:

```typescript
import { HttpHeaders, HttpParams } from '@angular/common/http';

logMeOut() {
  // getCookie() is a helper defined elsewhere in the component
  const csrfToken = this.getCookie('XSRF-TOKEN');
  // URL-encoded body so that it matches the Content-Type header below
  const body = new HttpParams().set('_csrf', csrfToken);
  const headers = new HttpHeaders({
    'Content-Type': 'application/x-www-form-urlencoded',
    // Spring's default CSRF header name is X-XSRF-TOKEN; the _csrf form parameter is also accepted
    'XSRF-TOKEN': csrfToken,
  });
  const options = {
    headers,
    withCredentials: true, // Include cookies in the request
  };
  this.http.post('/service-provider/logout', body, options).subscribe({
    next: () => console.log('Logout Success'),
    error: (err) => console.error('Logout failed', err),
  });
}
```
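The "(redirected from ...)" part of the error is the key: the XHR follows the 302 to the IdP's singleLogout endpoint inside the XHR, and the browser then blocks the cross-origin response because the IdP sends no CORS headers. The example below (added here, not the asker's code) performs the same POST /logout as a top-level form submission, which the browser treats as a navigation, so the redirect to the IdP is followed like any page load and CORS does not apply. The logout path and the XSRF-TOKEN cookie / _csrf parameter names are assumed from the question (they match Spring Security's CookieCsrfTokenRepository defaults).

```javascript
// Added example: post /logout as a real form navigation instead of an XHR,
// so the 302 to the IdP is followed by the browser as a page load.

// Extract one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Hidden fields Spring Security's logout endpoint expects on a POST:
// the CSRF parameter (default name "_csrf") carrying the XSRF-TOKEN cookie value.
function logoutFormFields(csrfToken) {
  if (!csrfToken) throw new Error('missing XSRF-TOKEN cookie; cannot POST /logout');
  return [['_csrf', csrfToken]];
}

// Build a same-origin form targeting the SP logout endpoint and submit it.
// `doc` is the page's document (passed in so the logic can be exercised with a stub).
function submitLogoutForm(doc, action = '/service-provider/logout') {
  const token = readCookie(doc.cookie, 'XSRF-TOKEN'); // assumed cookie name
  const form = doc.createElement('form');
  form.method = 'POST';
  form.action = action; // same origin, so the session and CSRF cookies are sent
  for (const [name, value] of logoutFormFields(token)) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit(); // navigation: the SP's 302 to the IdP is followed without CORS checks
  return form;
}

// Call this from the logout button's click handler in the browser.
function logMeOut() {
  return submitLogoutForm(document);
}
```

Because the response is a navigation rather than an XHR result, there is no success callback; the user lands on the IdP's logout flow and is returned by the IdP's LogoutResponse.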