I am using SAML feature set in Spring Security Core 5 (not Spring Security SAML extension, which is obsolete). So far I can bring up the example and login to IdP without issue, even it is in my localhost. However, I would like to extract my SP metadata to provide to my IdP. When I access the SP metadata URL (http://localhost:8080/saml2/service-provider-metadata/simplesamlphp), the sample redirected me to the IdP login page. Seems all paths are protected. I customized with WebSecurityConfigurerAdapter, but when I accessed SP metadata URL, it returned 404.
What is the correct SP metadata URL? How to retrieve it?
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/saml2/service-provider-metadata/**")
.permitAll()
.anyRequest().authenticated()
.and()
.saml2Login();
}
}
Update on 26 Jun 2020
The code search result of SPSSODescriptor is empty in Spring Security Github, but not in Spring Security SAML extension Github. Is it there is new way to setup SAML SP without metadata?
It is because Spring Security team still have not implemented the SAML 2.0 SP Metadata Endpoint in Spring Security v5.3 and below. See here and here for details.
Update: It has been implemented after 6 Aug 2020