Tags: saml-2.0, spring-saml, opensaml

Spring SAML - Is it mandatory to call SAML local logout when user signs off from application?


As per the answer from the link, I understand that if SAML local logout (/saml/logout?local=true) is invoked Spring-SAML will clean the local cookies. So, I have modified the logout logic in my application to invoke it.

All looks good till now. But my application has a session timeout of 20 minutes set in web.xml.

<session-config>
        <session-timeout>20</session-timeout>
</session-config>

If the user is inactive for 20 minutes or closes the browser, the session will be destroyed by the container silently. In that case SAML Logout is not invoked.

Questions:

  1. Does Spring-SAML maintain any references once the user is authenticated after the SAML response is received?
  2. If yes, where does it maintain references (session or somewhere else)? Any alternative way to clean them up?
  3. What are the implications if we do not call SAML local logout?

My worry is that if the references are not cleaned up, it might cause memory leaks in the long run of the application.


Solution

  • By default all state of Spring SAML is stored in the HttpSession (as part of the Spring Security context, in the object SAMLCredential) and will be cleaned up at session timeout (or more precisely at the time when your container decides to perform the session cleanup after expiration).

    It is exactly the same as with any other authentication method supported by Spring Security, so you don't need to worry about not calling the local logout.
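The answer's point is that the SAMLCredential lives only as an attribute of the HttpSession (inside the Spring Security context), so a container-driven expiry removes it together with everything else in that session. An added example (not from the question or the answer, and not part of Spring SAML itself) that lets you observe this from the application side: a servlet HttpSessionListener that, when the container destroys a session, reports whether a Spring Security context with a SAMLCredential was still attached and whether the destruction was a timeout or an explicit invalidation such as /saml/logout?local=true. It assumes a Servlet 3.x container, Spring Security's default HttpSessionSecurityContextRepository, and the Spring SAML extension; the class name SamlSessionCleanupListener and the logging format are this example's own choices.

```java
// Added example, not code from the question or the answer above.
// Assumptions: Servlet 3.x (@WebListener), Spring Security storing the
// SecurityContext under HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
// and Spring SAML putting a SAMLCredential into Authentication.getCredentials().
import java.util.logging.Logger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

@WebListener
public class SamlSessionCleanupListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SamlSessionCleanupListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do on creation; the SAML state is added later, after the SAML response is processed.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Per the Servlet spec, attributes are still readable inside sessionDestroyed().
        HttpSession session = se.getSession();
        Object ctx = session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        String reason = classify(session);

        if (!(ctx instanceof SecurityContext)) {
            LOG.info("session " + session.getId() + " destroyed (" + reason + "); no security context attached");
            return;
        }

        Authentication auth = ((SecurityContext) ctx).getAuthentication();
        if (auth != null && auth.getCredentials() instanceof SAMLCredential) {
            SAMLCredential cred = (SAMLCredential) auth.getCredentials();
            // Audit record: which SAML principal and which IdP this session belonged to.
            LOG.info("session " + session.getId() + " destroyed (" + reason + "); SAML principal="
                    + cred.getNameID().getValue() + " idp=" + cred.getRemoteEntityID());
        } else {
            LOG.info("session " + session.getId() + " destroyed (" + reason + "); non-SAML authentication");
        }

        // The container discards the attribute map on invalidation anyway; removing the key
        // explicitly just makes the cleanup visible and independent of container internals.
        session.removeAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
    }

    /** Heuristic: idle time at or beyond the configured maximum means the container timed it out. */
    static String classify(HttpSession session) {
        long idleMillis = System.currentTimeMillis() - session.getLastAccessedTime();
        long maxInactiveMillis = session.getMaxInactiveInterval() * 1000L;
        return (maxInactiveMillis > 0 && idleMillis >= maxInactiveMillis) ? "timeout" : "explicit-invalidation";
    }
}
```

Deploying this listener alongside the 20-minute session-timeout from the question lets you confirm in the logs that both paths, the explicit local logout and the silent container expiry, end with the SAMLCredential gone from the session, which is the behaviour the answer describes.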