I have a Spring-SAML app with Okta as IDP. I'm doing IDP-initiated flow and get this exception:
org.opensaml.common.SAMLException: Endpoint with message binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and URL https://<myCompanyUrl>.com/saml/SSO wasn't found in local metadata
When I look at my local metadata I see:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://<server IP address>:<server port>/saml/SSO" index="0" isDefault="true"/>
Looks like it is trying to match a URL containing a hostname to a URL with a server IP address. The location field is auto-generated. Does anybody know what configuration option affects this?
UPDATE 1
Here is my metadataGeneratorFilter config:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="https://myHostname/myApp"/>
        </bean>
    </constructor-arg>
</bean>
All right, mystery solved:
Per the Spring-SAML documentation, when you are in a reverse-proxy / load-balancer setup you have to make sure to specify
<property name="entityBaseURL" value="https://www.myserver.com/spring-security-saml2-sample"/>
See the Spring-SAML documentation, section 10.1, "Reverse proxies and load balancers".
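To see why the lookup in the exception above fails, here is an added check (not part of the question, the answer, or Spring-SAML) that parses SP metadata, mimics the SP's exact binding-plus-URL match against the AssertionConsumerService entries, and tells you whether the cause is an auto-generated Location with an IP-literal host, which is what an unset entityBaseURL behind a proxy produces. The metadata, the documentation address 198.51.100.10 and the hostname myCompanyUrl.com are constructed placeholders.

```python
"""Check SP metadata AssertionConsumerService entries against the URL the IdP posts to."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata resembling the broken case: the generated Location carries
# the server's IP and port instead of the public hostname the IdP sends the response to.
BROKEN_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://myHostname/myApp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://198.51.100.10:8443/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# What the same generator emits once entityBaseURL points at the public hostname.
FIXED_METADATA = BROKEN_METADATA.replace("https://198.51.100.10:8443", "https://myCompanyUrl.com")

def acs_endpoints(metadata_xml):
    """Return (binding, location) pairs for every AssertionConsumerService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]

def endpoint_matches(metadata_xml, binding, url):
    """Mimic the SP-side lookup: an ACS with exactly this binding and this URL must exist."""
    return (binding, url) in acs_endpoints(metadata_xml)

def diagnose(metadata_xml, binding, url):
    """Classify a failed lookup: IP-literal host, other host mismatch, or no ACS for the binding."""
    if endpoint_matches(metadata_xml, binding, url):
        return "ok"
    wanted = urlparse(url)
    for acs_binding, location in acs_endpoints(metadata_xml):
        if acs_binding != binding:
            continue
        have = urlparse(location)
        if have.path == wanted.path:  # same servlet path, so only scheme/host/port differ
            try:
                ip_address(have.hostname)
                return "acs-host-is-ip"  # typical symptom of a missing entityBaseURL behind a proxy
            except ValueError:
                return "acs-host-mismatch"
    return "no-acs-for-binding"
```

Run diagnose() against the XML your /saml/metadata endpoint serves and the URL Okta is configured to post to; anything other than "ok" means the IdP's Destination will never match an ACS entry.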