Expected Behavior
In the saml2 service provider there is a filter, Saml2WebSsoAuthenticationRequestFilter, which generates HTML output to do the SAML POST. In the body onload there is a document.forms[0].submit() performed.
Current Behavior
This is inline JavaScript and thus a CSP vulnerability, and it will not be accepted in an assessment.
In the SAML extension we are using today, we have made a small change by adding a JavaScript file which is loaded in the HTML file to do the form post. I don't know how it can be done in the current setup, as here the HTML form is created in memory and not with a template as in the SAML extension.
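Added example (not from the issue and not Spring Security's code): the two ways of rendering the HTTP-POST binding page side by side, the inline `onload` auto-submit the issue objects to and a variant whose auto-submit lives in an external script, plus a rough check that flags inline script or event-handler attributes. The form id `saml-post-form`, the script path `/saml2/post-binding.js`, and the sample values are assumptions for illustration. Both renderers HTML-escape `SAMLRequest` and `RelayState`, since `RelayState` in particular can carry attacker-influenced input.

```javascript
// Added example: SAML 2.0 HTTP-POST binding page, with and without inline script.
// Not Spring Security's code; form id, script path and sample data are assumed.

// Escape a value for safe use inside an HTML attribute or text node.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The hidden inputs shared by both variants. RelayState is optional per the binding.
function hiddenFields({ samlRequest, relayState }) {
  let fields = `<input type="hidden" name="SAMLRequest" value="${escapeHtml(samlRequest)}"/>`;
  if (relayState !== undefined && relayState !== null) {
    fields += `<input type="hidden" name="RelayState" value="${escapeHtml(relayState)}"/>`;
  }
  return fields;
}

// "Before": auto-submit via an inline onload handler. A policy such as
// script-src 'self' (no 'unsafe-inline') blocks this handler, so the form
// is never submitted.
function renderInlineSubmitForm(params) {
  return `<!DOCTYPE html><html><head><meta charset="utf-8"><title>Redirecting</title></head>
<body onload="document.forms[0].submit()">
<form method="post" action="${escapeHtml(params.destination)}">
${hiddenFields(params)}
<noscript><p>JavaScript is disabled. Click Continue to proceed.</p><input type="submit" value="Continue"/></noscript>
</form></body></html>`;
}

// "After": no inline script or handler attribute. The auto-submit logic is served
// from the SP's own origin as a static file, which script-src 'self' permits.
function renderCspSafeForm(params) {
  return `<!DOCTYPE html><html><head><meta charset="utf-8"><title>Redirecting</title>
<script src="/saml2/post-binding.js"></script></head>
<body>
<form id="saml-post-form" method="post" action="${escapeHtml(params.destination)}">
${hiddenFields(params)}
<noscript><p>JavaScript is disabled. Click Continue to proceed.</p><input type="submit" value="Continue"/></noscript>
</form></body></html>`;
}

// Contents of the external file at /saml2/post-binding.js (assumed path).
const POST_BINDING_SCRIPT = `document.addEventListener('DOMContentLoaded', function () {
  var form = document.getElementById('saml-post-form');
  if (form) { form.submit(); }
});`;

// A CSP for this page. form-action is the part that is easy to forget: a strict
// policy that omits the IdP origin blocks the SAML POST itself, not just the script.
function cspHeaderFor(destination) {
  const idpOrigin = new URL(destination).origin;
  return `default-src 'none'; script-src 'self'; form-action ${idpOrigin}`;
}

// Rough static check: any <script> without src, or any on*= attribute, counts as
// inline script. It is a heuristic for review, not a substitute for a real CSP.
function hasInlineScript(html) {
  const inlineScriptTag = /<script(?![^>]*\bsrc=)[^>]*>/i;
  const eventHandlerAttr = /\son[a-z]+\s*=/i;
  return inlineScriptTag.test(html) || eventHandlerAttr.test(html);
}

// Usage with constructed sample data (not a real AuthnRequest).
const sample = {
  destination: 'https://idp.example.test/sso',
  samlRequest: 'PHNhbWxwOkF1dGhuUmVxdWVzdC8+',
  relayState: 'abc"><script>x',
};
console.log('inline variant flagged:', hasInlineScript(renderInlineSubmitForm(sample)));
console.log('csp-safe variant flagged:', hasInlineScript(renderCspSafeForm(sample)));
console.log('CSP header:', cspHeaderFor(sample.destination));
```

When the page is served, the external script must be reachable without authentication and the `form-action` directive must list the IdP's SSO origin; otherwise the browser reports a CSP violation and the user is left on a blank form with only the `<noscript>` button to click.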
Comment From: jzheaux
Duplicate of https://github.com/spring-projects/spring-security/issues/9529