Describe the bug

Binding value of POST provided in IdP metadata overridden by default value of REDIRECT

To Reproduce

Configure IdP via metadata, containing either:
- a single SingleSignOnService
- multiple SingleSignOnService, with POST being first

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://path/to/sso/url" />

Expected behavior

Auth requests should be done via HTTP POST, but the default of REDIRECT in registration properties overrides the metadata value. See Saml2RelyingPartyRegistrationConfiguration.mapIdentityProvider() when no IdP properties are set, other than the metadata location.

Note: it is possible to work around by adding a property to set the binding to POST, but that shouldn't be necessary.

Comment From: jzheaux

Hi, @darrenpm, thanks for the report. I agree that the metadata binding value should take precedence when an application does not specify a binding value property.

Since Saml2RelyingPartyRegistrationConfiguration is a Spring Boot file, I think it would be best if this issue were filed in the Spring Boot project. Would you mind reporting it there, please?

Comment From: darrenpm

Sure: https://github.com/spring-projects/spring-boot/issues/26454
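
The precedence problem described in the report and the behaviour agreed on in the first reply, as an added example that is not code from Spring Boot, Spring Security, or either participant. It is a simplified JDK-only model: the class and method names are hypothetical, the metadata is constructed, and reading the first SingleSignOnService element is an assumption taken from the report's reproduction steps.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class BindingPrecedence {
    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    static final String REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    // Constructed sample metadata: a single SingleSignOnService that only offers POST.
    static final String METADATA =
        "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\" entityID=\"https://idp.example.test\">"
      + "<md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
      + "<md:SingleSignOnService Binding=\"" + POST + "\" Location=\"https://idp.example.test/sso\"/>"
      + "</md:IDPSSODescriptor></md:EntityDescriptor>";

    /** Returns the Binding of the first SingleSignOnService element in the metadata. */
    static String metadataBinding(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Metadata is external input: refuse DOCTYPE declarations while parsing it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList sso = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(MD_NS, "SingleSignOnService");
        if (sso.getLength() == 0) throw new IllegalArgumentException("no SingleSignOnService");
        return ((Element) sso.item(0)).getAttribute("Binding");
    }

    /** Reported behaviour: an unset property falls back to REDIRECT; metadata is ignored. */
    static String reported(String propertyBinding, String fromMetadata) {
        return (propertyBinding != null) ? propertyBinding : REDIRECT;
    }

    /** Expected behaviour: the property overrides metadata only when explicitly set. */
    static String expected(String propertyBinding, String fromMetadata) {
        return (propertyBinding != null) ? propertyBinding : fromMetadata;
    }

    public static void main(String[] args) throws Exception {
        String md = metadataBinding(METADATA);
        System.out.println("metadata binding       : " + md);
        System.out.println("reported, property unset: " + reported(null, md));
        System.out.println("expected, property unset: " + expected(null, md));
        System.out.println("expected, property POST : " + expected(POST, md));
    }
}
```

Passing `null` for the property stands for "no binding property configured"; the reported path then yields a binding the sample IdP metadata never advertises.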