I'm using Spring Security SAML2 for authentication in my application. We're populating the identity provider details using its metadata URL. Based on my understanding, when reading the IDP metadata from the URL, a relying party registration will be created automatically with the verification credential. Consequently, there's no need to manually configure verification credentials if the metadata URI is supplied for the asserting party. Is my understanding correct?

spring:
  security:
    saml2:
      relyingparty:
        registration:
          okta:
            entity-id: https://my-application.com/okta/
            # `identityprovider` is the deprecated name for `assertingparty`; use one block
            assertingparty:
              entity-id: http://www.okta.com/787hjhg
              metadata-uri: https://dev-678.okta.com/app/exka/sso/saml/metadata
              singlesignon:
                sign-request: true
            decryption:
              credentials:
                - private-key-location: classpath:my-private-decryption.key
                  certificate-location: classpath:my-public-decryption.crt
            signing:
              credentials:
                - private-key-location: classpath:my-private-signing.key
                  # must point at the X.509 certificate, not the private key again (file name assumed)
                  certificate-location: classpath:my-public-signing.crt
            acs:
              location: https://my-application.com/saml2/SSO

I assume that if my metadata URL contains the IDP public key then I do not need to configure it like this:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          okta:
            entity-id: https://my-application.com/okta/
            # `identityprovider` is the deprecated name for `assertingparty`; use one block
            assertingparty:
              entity-id: http://www.okta.com/787hjhg
              metadata-uri: https://dev-678.okta.com/app/exka/sso/saml/metadata
              singlesignon:
                sign-request: true
              # explicit IDP signing certificate used to verify assertion signatures
              verification:
                credentials:
                  - certificate-location: classpath:idp-public.crt
            decryption:
              credentials:
                - private-key-location: classpath:my-private-decryption.key
                  certificate-location: classpath:my-public-decryption.crt
            signing:
              credentials:
                - private-key-location: classpath:my-private-signing.key
                  # must point at the X.509 certificate, not the private key again (file name assumed)
                  certificate-location: classpath:my-public-signing.crt
            acs:
              location: https://my-application.com/saml2/SSO
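One way to confirm what the metadata URL actually yields, as an added example that is not part of the original issue or of Spring's code: build the registration the same way Boot does from the metadata location, then fail fast if the asserting-party details carry no verification (IdP signing) certificate, and log the fingerprint of each certificate that will be trusted. The metadata URI, entity IDs and ACS location are taken from the YAML above; the class and method names are assumed.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HexFormat;

import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

/** Startup check: does the IdP metadata provide the certificate used to verify assertions? */
public final class SamlMetadataCheck {

    // Values copied from the YAML above; replace with the real application properties.
    static final String METADATA_URI = "https://dev-678.okta.com/app/exka/sso/saml/metadata";
    static final String REGISTRATION_ID = "okta";

    /** Same construction path Spring Boot uses when `assertingparty.metadata-uri` is set. */
    public static RelyingPartyRegistration registrationFromMetadata() {
        return RelyingPartyRegistrations.fromMetadataLocation(METADATA_URI)
                .registrationId(REGISTRATION_ID)
                .entityId("https://my-application.com/okta/")
                .assertionConsumerServiceLocation("https://my-application.com/saml2/SSO")
                // signing/decryption credentials omitted here; Boot adds them from the YAML
                .build();
    }

    /** Throws if the metadata did not contain a KeyDescriptor usable for signature verification. */
    public static void requireVerificationCredentials(RelyingPartyRegistration registration) throws Exception {
        var details = registration.getAssertingPartyDetails();
        var verification = details.getVerificationX509Credentials();
        if (verification.isEmpty()) {
            throw new IllegalStateException("No verification credentials for IdP " + details.getEntityId()
                    + "; metadata at " + METADATA_URI + " has no signing certificate");
        }
        for (Saml2X509Credential credential : verification) {
            X509Certificate cert = credential.getCertificate();
            cert.checkValidity(); // an expired IdP certificate makes every login fail at runtime
            System.out.printf("Trusting IdP signing cert %s (SHA-256 %s)%n",
                    cert.getSubjectX500Principal(), sha256(cert));
        }
    }

    private static String sha256(X509Certificate cert) throws Exception {
        // HexFormat requires Java 17+ (the baseline for Spring Boot 3)
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
    }

    public static void main(String[] args) throws Exception {
        requireVerificationCredentials(registrationFromMetadata());
    }
}
```

Comparing the printed fingerprints against the certificate the IdP administrator published out of band tells you whether the metadata URL is delivering the key you expect.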

Comment From: sjohnr

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, based on your description, I'm unsure if you're asking a question or reporting a bug. If you are reporting a bug, please add more information or a minimal sample that reproduces the issue. For now, I'm going to close this but if I've misunderstood and you're able to provide more information, I will be happy to re-open the issue.

Comment From: sumeetpri

Remarkably strange, since the introduction of ChatGPT, there has been a noticeable decrease in responses on Stack Overflow. I've attempted to seek answers on Stack Overflow multiple times, but it seems that there is currently a reduced number of users providing responses on the platform. Questions are going unanswered.

I've also attempted to inquire about the same issue on Stack Overflow at this link: https://stackoverflow.com/questions/77012311/verification-credentials-with-saml2-metadata-in-spring-security-via-metadata

Comment From: sjohnr

See also spring-projects/spring-boot#33747