From 20c252982e9427e9b8ee8bf0df396f38cc3bf92e Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Fri, 17 Dec 2021 16:05:39 -0700
Subject: [PATCH] Remove SAML 2.0 Logout Default

Closes gh-10607
---
 docs/modules/ROOT/pages/servlet/saml2/logout.adoc | 5 +++++
 .../service/registration/RelyingPartyRegistration.java | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/modules/ROOT/pages/servlet/saml2/logout.adoc b/docs/modules/ROOT/pages/servlet/saml2/logout.adoc
index 04c6ed0f949..9dba271b78c 100644
--- a/docs/modules/ROOT/pages/servlet/saml2/logout.adoc
+++ b/docs/modules/ROOT/pages/servlet/saml2/logout.adoc
@@ -35,6 +35,7 @@ RelyingPartyRegistrationRepository registrations() {
 RelyingPartyRegistration registration = RelyingPartyRegistrations
 .fromMetadataLocation("https://ap.example.org/metadata")
 .registrationId("id")
+ .singleLogoutServiceLocation("{baseUrl}/logout/saml2/slo")
 .signingX509Credentials((signing) -> signing.add(credential)) <1>
 .build();
 return new InMemoryRelyingPartyRegistrationRepository(registration);
@@ -73,6 +74,10 @@ Also, your application can participate in an AP-initiated logout when the assert
 3. Create, sign, and serialize a `` based on the xref:servlet/saml2/login/overview.adoc#servlet-saml2login-relyingpartyregistration[`RelyingPartyRegistration`] associated with the just logged-out user
 4. Send a redirect or post to the asserting party based on the xref:servlet/saml2/login/overview.adoc#servlet-saml2login-relyingpartyregistration[`RelyingPartyRegistration`]
+NOTE: Adding `saml2Logout` adds the capability for logout to the service provider.
+Because it is an optional capability, you need to enable it for each individual `RelyingPartyRegistration`.
+You can do this by setting the `RelyingPartyRegistration.Builder#singleLogoutServiceLocation` property.
+
 == Configuring Logout Endpoints
 There are three behaviors that can be triggered by different endpoints:
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
index 239e58acb10..9b002e1fd25 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
@@ -1014,7 +1014,7 @@ public static final class Builder {
 private Saml2MessageBinding assertionConsumerServiceBinding = Saml2MessageBinding.POST;
- private String singleLogoutServiceLocation = "{baseUrl}/logout/saml2/slo";
+ private String singleLogoutServiceLocation;
 private String singleLogoutServiceResponseLocation;
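Review bot: With the initializer gone, `singleLogoutServiceLocation` is null unless the builder is told otherwise, and nothing on the field says that null is meaningful. The documentation change in this same commit describes single logout as opt-in per registration, so a comment such as `// No default: single logout is off for this registration until a location is set explicitly` would record that intent next to the field. Code that reads the location and was written against the old default (the getter and the logout filters are outside this hunk) presumably has to tolerate null now. This is worth confirming, because an application that upgrades without setting the property would otherwise lose single logout or fail at runtime rather than at `build()`. The Builder class starts and ends outside the hunk.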