
Why is cacerts ignored in Spring Saml?


I've made an implementation based on this with a FilesystemMetadataProvider: https://github.com/vdenotaris/spring-boot-security-saml-sample

To make the SSL handshake work for the artifact binding I had to put/trust the CA certificate for the IDP in the java keystore used by the keyManager.

I would rather have used the cacerts on the jre in case the IDP changed CA, but I haven't been able to find any property to set so that Spring SAML looks inside that instead.

Also this answer suggests that the cacert is ignored altogether: Spring Security SAML - HTTPS connections

Why is the cacert ignored in Spring SAML? This seems like a deficiency to me.

I have checked that the CA for the IDP is in the cacert file for my jre. If I remove the beans related to TLS/socket factory from the config it still fails.


Solution

  • Yes, cacerts is ignored. Spring SAML uses custom implementations for handling of trust, with an intention of providing more control over the system's security. You can always quite easily copy over all certificates from cacerts to samlKeystore.
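As an added example (not code from the question, the answer, or the linked sample project), a POSIX shell script that does what the answer suggests: merging the JRE's cacerts trust anchors into the SAML keystore with keytool. It assumes keytool is on PATH, the JDK default cacerts password `changeit`, and a `samlKeystore.jks` protected by `$SAML_KEYSTORE_PASS` (file name and variable are assumptions).

```shell
#!/bin/sh
# Added example: copy the JRE's trusted CA certificates into the keystore
# that Spring SAML's keyManager reads, so the IDP's CA (and a future CA
# change, as long as the new CA is in cacerts) is trusted for the artifact
# binding's TLS handshake. Assumed names: samlKeystore.jks, SAML_KEYSTORE_PASS.
set -e

# Locate cacerts for either JDK layout: $JAVA_HOME/lib/security (Java 9+)
# or $JAVA_HOME/jre/lib/security (Java 8 and earlier).
find_cacerts() {
    java_home="$1"
    for candidate in "$java_home/lib/security/cacerts" \
                     "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Merge every entry of cacerts into the SAML keystore. -noprompt overwrites
# an alias that already exists; unrelated entries (e.g. the SP's own signing
# key) are left in place. The cacerts password defaults to "changeit".
import_cacerts() {
    src="$1"; dest="$2"; dest_pass="$3"; src_pass="${4:-changeit}"
    keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstorepass "$src_pass" \
        -destkeystore "$dest" -deststorepass "$dest_pass"
}

# Count trusted CA entries now in the SAML keystore; grep -c exits non-zero
# (and so aborts the script under set -e) if none were imported.
list_trusted_certs() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c trustedCertEntry
}

# Usage: JAVA_HOME=/path/to/jdk SAML_KEYSTORE_PASS=... ./merge-cacerts.sh run
if [ "${1:-}" = "run" ]; then
    cacerts="$(find_cacerts "${JAVA_HOME:?set JAVA_HOME}")"
    import_cacerts "$cacerts" samlKeystore.jks \
        "${SAML_KEYSTORE_PASS:?set SAML_KEYSTORE_PASS}"
    list_trusted_certs samlKeystore.jks "$SAML_KEYSTORE_PASS"
fi
```

The copy is a snapshot, not a live link to cacerts: re-run it after a JRE upgrade or whenever the IDP's CA changes, and confirm the IDP's CA alias appears in the `keytool -list` output before redeploying.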