LPD-20041 SamlIdpSpSession is an IDP managed model so the SP should n…

…ot interact with it directly. We can avoid deletion of SamlSpSession and session invalidation for the paths used for SP LogoutResponse handling.

modules/dxp/apps/saml/saml-impl/src/main/java/com/liferay/saml/internal/servlet/filter/SpSessionTerminationSamlPortalFilter.java

@@ -7,9 +7,8 @@
 
 import com.liferay.portal.kernel.log.Log;
 import com.liferay.portal.kernel.log.LogFactoryUtil;
-import com.liferay.saml.persistence.model.SamlIdpSpSession;
+import com.liferay.saml.helper.SamlHttpRequestHelper;
 import com.liferay.saml.persistence.model.SamlSpSession;
-import com.liferay.saml.persistence.service.SamlIdpSpSessionLocalService;
 import com.liferay.saml.runtime.servlet.profile.SingleLogoutProfile;
 
 import javax.servlet.Filter;
@@ -72,14 +71,15 @@ protected void doProcessFilter(
 			httpServletRequest);
 
 		if ((samlSpSession != null) && samlSpSession.isTerminated()) {
-			_singleLogoutProfile.terminateSpSession(
-				httpServletRequest, httpServletResponse);
+			String requestPath = _samlHttpRequestHelper.getRequestPath(
+				httpServletRequest);
 
-			SamlIdpSpSession samlIdpSpSession =
-				_samlIdpSpSessionLocalService.fetchSamlIdpSpSession(
-					samlSpSession.getSamlSpSessionId());
+			if (!requestPath.equals("/c/portal/logout") &&
+				!requestPath.equals("/c/portal/saml/slo")) {
+
+				_singleLogoutProfile.terminateSpSession(
+					httpServletRequest, httpServletResponse);
 
-			if (samlIdpSpSession == null) {
 				_singleLogoutProfile.logout(
 					httpServletRequest, httpServletResponse);
 			}
@@ -97,7 +97,7 @@ protected Log getLog() {
 		SpSessionTerminationSamlPortalFilter.class);
 
 	@Reference
-	private SamlIdpSpSessionLocalService _samlIdpSpSessionLocalService;
+	private SamlHttpRequestHelper _samlHttpRequestHelper;
 
 	private ServletContext _servletContext;