Add NameID to SAML 2.0 Authentication Info

chschu · jzheaux · commit 02a8c416aaaf · 2025-06-10T17:21:03.000-06:00
Issue gh-10820
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticatedPrincipal.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticatedPrincipal.java
@@ -77,6 +77,11 @@ default String getRelyingPartyRegistrationId() {
 		return null;
 	}
 
+	@Override
+	default String getNameId() {
+		return getName();
+	}
+
 	@Override
 	default List<String> getSessionIndexes() {
 		return Collections.emptyList();
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationInfo.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationInfo.java
@@ -18,6 +18,7 @@
 
 import java.util.List;
 
+import org.opensaml.saml.saml2.core.NameID;
 import org.opensaml.saml.saml2.core.SessionIndex;
 
 import org.springframework.security.core.Authentication;
@@ -41,6 +42,12 @@ public interface Saml2AuthenticationInfo {
 	 */
 	String getRelyingPartyRegistrationId();
 
+	/**
+	 * Get the {@link NameID} value of the authenticated principal
+	 * @return the {@link NameID} value of the authenticated principal
+	 */
+	String getNameId();
+
 	/**
 	 * Get the {@link SessionIndex} values of the authenticated principal
 	 * @return the {@link SessionIndex} values of the authenticated principal
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/BaseOpenSamlLogoutRequestResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/logout/BaseOpenSamlLogoutRequestResolver.java
@@ -147,16 +147,19 @@ public Saml2LogoutRequest resolve(HttpServletRequest request, Authentication aut
 		issuer.setValue(entityId);
 		logoutRequest.setIssuer(issuer);
 		NameID nameId = this.nameIdBuilder.buildObject();
-		nameId.setValue(authentication.getName());
 		logoutRequest.setNameID(nameId);
 		Saml2AuthenticationInfo info = Saml2AuthenticationInfo.fromAuthentication(authentication);
 		if (info != null) {
+			nameId.setValue(info.getNameId());
 			for (String index : info.getSessionIndexes()) {
 				SessionIndex sessionIndex = this.sessionIndexBuilder.buildObject();
 				sessionIndex.setValue(index);
 				logoutRequest.getSessionIndexes().add(sessionIndex);
 			}
 		}
+		else {
+			nameId.setValue(authentication.getName());
+		}
 		logoutRequest.setIssueInstant(Instant.now(this.clock));
 		this.parametersConsumer
 			.accept(new LogoutRequestParameters(request, registration, authentication, logoutRequest));
