Describe the bug
spring-security-saml2-service-provider: RelyingPartyRegistration chooses the wrong RelyingPartyRegistration.Builder from metadata.
```java
// Builds a single RelyingPartyRegistration.Builder from a metadata document by
// taking whatever EntityDescriptor the parser happens to return first.
public static RelyingPartyRegistration.Builder fromMetadata(InputStream source) {
    return collectionFromMetadata(source).iterator().next();
}
```
"randomly" just chooses the first available element. This makes it impossible for org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyRegistrationConfiguration to choose the correct builder.
To Reproduce
You can experience this issue with metadata files that contain multiple providers. One example is located in https://virtu-ds.csc.fi/fed/virtu/virtu-metadata-v7.xml
Expected behavior
The library should provide a method that allows choosing the provider based on entity-id (https://github.com/spring-projects/spring-security/blob/371541a5cfee80e149d3a5308c63f0f81aeb6e2a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java#L75) so that the Spring Boot autoconfiguration can use that.
Sample
No sample project, but sample usage can be found here: https://github.com/spring-projects/spring-boot/blob/main/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java#L80
Alternative
Spring Boot autoconfiguration starts to use
```java
// Returns one builder per EntityDescriptor found in the metadata document,
// leaving the choice of the correct asserting party to the caller.
public static Collection<RelyingPartyRegistration.Builder> collectionFromMetadata(InputStream source) {
    return relyingPartyRegistrationConverter.convert(source);
}
```
and handles the filtering itself.
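The "handle the filtering itself" alternative, as an added example that is not code from the Spring Security or Spring Boot projects: it walks the builders returned by `collectionFromMetadata`, keeps only the one whose asserting-party entityID matches, and fails if there is no match or more than one, so the application never silently trusts whichever IdP happened to be listed first. It assumes spring-security-saml2-service-provider 5.7 or later with OpenSAML 4 on the classpath, a locally stored copy of the federation metadata, and hypothetical names (`EntityIdMetadataSelector`, `selectByEntityId`, `repository`).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

// Hypothetical helper (not part of Spring Security); assumes 5.7+ with OpenSAML 4 on the classpath.
public final class EntityIdMetadataSelector {

    // Returns the builder for the EntityDescriptor whose entityID matches exactly.
    // Fails closed on zero or several matches instead of picking the first element.
    public static RelyingPartyRegistration.Builder selectByEntityId(InputStream metadata, String idpEntityId) {
        Collection<RelyingPartyRegistration.Builder> builders = RelyingPartyRegistrations.collectionFromMetadata(metadata);
        List<RelyingPartyRegistration.Builder> matches = new ArrayList<>();
        for (RelyingPartyRegistration.Builder builder : builders) {
            // A metadata-derived builder already carries the asserting party's entityID, signing
            // certificates and SSO endpoints; a throwaway registrationId is enough to build and inspect it.
            String entityId = builder.registrationId("probe").build().getAssertingPartyDetails().getEntityId();
            if (idpEntityId.equals(entityId)) {
                matches.add(builder);
            }
        }
        if (matches.size() != 1) {
            throw new IllegalArgumentException("expected exactly one EntityDescriptor with entityID "
                    + idpEntityId + " but found " + matches.size());
        }
        return matches.get(0);
    }

    // Example wiring: one registration selected from a multi-provider federation file.
    public static RelyingPartyRegistrationRepository repository(Path metadataFile, String idpEntityId) throws IOException {
        try (InputStream in = Files.newInputStream(metadataFile)) {
            RelyingPartyRegistration registration = selectByEntityId(in, idpEntityId)
                    .registrationId("virtu") // path segment used in /saml2/authenticate/{registrationId}
                    .build();
            return new InMemoryRelyingPartyRegistrationRepository(registration);
        }
    }
}
```

Expose `repository(...)` as a `RelyingPartyRegistrationRepository` bean, and Spring Security's SAML 2.0 login will use only the selected asserting party's certificates and endpoints.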
Comment From: marcusdacoregio
Hi @lasselindqvist, thanks for the report.
I don't think it is currently possible to configure multiple providers using Spring Boot properties, see this issue. I believe that you are better off doing the configuration yourself, like in this example.