My product uses only Identity Provider initialized SSO and it works fine. Requests to http://localhost:8080/saml/SSO are validated. For correct requests a session is created, for wrong ones I am getting status 401.
I have a problem with incoming requests to other endpoints (ones that should be secured), like http://localhost:8080/messages
When a request has a correct, authenticated session id, it works fine. But for unauthenticated requests I am redirected to my Identity Provider page, with the URL
https:///sso/SSO?SAMLRequest=
How to disable that behavior? I want just to reject those requests with 'Authentication failed' response, without any interaction with Identity provider.
Simply remove the SAMLEntryPoint
which is responsible for initialization of SP SSO. Spring Security will then use the default entry point which should behave as you expect. You will still be able to send SAML messages to /saml/SSO.
Edit: Detailed steps are given below
Create bean implementing org.springframework.security.web.AuthenticationEntryPoint
The simplest implementation is <bean name="http403ForbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
Use that bean in <security:http entry-point-ref="http403ForbiddenEntryPoint">
Remove <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
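The three steps above, put together as one Spring Security XML context. This is an added example, not the answerer's or the Spring SAML extension's own configuration: it shows the original SAMLEntryPoint wiring commented out beside the Http403ForbiddenEntryPoint replacement, and keeps only the /saml/SSO processing chain so IdP-initiated responses are still consumed. The bean names (samlFilter, samlWebSSOProcessingFilter, successRedirectHandler, failureHandler) are assumptions, and the metadata, context-provider, key-manager and bootstrap beans the extension also requires are omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- BEFORE (the behaviour the question complains about): the SAML entry point answers
         every unauthenticated request to a secured URL by building an AuthnRequest and
         redirecting the browser to the IdP (the https://.../sso/SSO?SAMLRequest=... redirect).
    <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint"/>
    <security:http entry-point-ref="samlEntryPoint"> ... </security:http>
    -->

    <!-- AFTER: unauthenticated requests get a plain 403 Forbidden and never touch the IdP. -->
    <bean id="http403ForbiddenEntryPoint"
          class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <security:http entry-point-ref="http403ForbiddenEntryPoint" use-expressions="true">
        <!-- The IdP-initiated endpoint must stay reachable without a session. -->
        <security:intercept-url pattern="/saml/**" access="permitAll"/>
        <!-- Everything else (e.g. /messages) requires an authenticated session. -->
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>
        <!-- SAML responses are still processed here; the entry point does not affect this. -->
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
        <!-- The IdP POSTs to /saml/SSO without a CSRF token. Disabled globally here for
             brevity; in production scope it with request-matcher-ref to /saml/** only. -->
        <security:csrf disabled="true"/>
    </security:http>

    <!-- Only the response-processing chain is kept (assumed bean name). There is no
         /saml/login chain any more because nothing initiates SP-side SSO. -->
    <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
        </security:filter-chain-map>
    </bean>

    <!-- Consumes the SAML Response at /saml/SSO (the filter's default processing URL). -->
    <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
        <property name="authenticationFailureHandler" ref="failureHandler"/>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="samlAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="samlAuthenticationProvider"
          class="org.springframework.security.saml.SAMLAuthenticationProvider"/>

    <!-- Where a valid assertion lands the user (assumed target URL). -->
    <bean id="successRedirectHandler"
          class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/"/>
    </bean>

    <!-- Invalid assertions are forwarded to an error view instead of being redirected. -->
    <bean id="failureHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="useForward" value="true"/>
        <property name="defaultFailureUrl" value="/error"/>
    </bean>
</beans>
```

With this in place an unauthenticated GET /messages is answered with 403 Forbidden by Http403ForbiddenEntryPoint and no AuthnRequest is ever generated, while a POST of a valid SAML Response to /saml/SSO still creates a session. Note that the question asks for a 401-style "Authentication failed" answer but this entry point returns 403; on Spring Security 4.1 or later, org.springframework.security.web.authentication.HttpStatusEntryPoint constructed with HttpStatus.UNAUTHORIZED can be used in its place if the status code matters to your clients.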