Spring Security Allow metadata download without Asserting Party details being known

Expected Behavior Saml2MetadataFilter should be able to return a metadata for a registration without Asserting Party details.

Context The Asserting Party/IdP details might not be available during the metadata download step, if the metadata exchange is done first by uploading the SP metadata to the IdP and after uploading the IdP metadata to the SP.

The old library maintained separately SP/IdP registrations and you can download a SP metadata without having its corresponding IdP configured.

Comment From: sumeetpri

+1 I have a similar requirement in which asserting Party details are dynamically loaded from database , but service provider should be able to generate its metadata without asserting Party details.

Comment From: 1livv

Hi,

A workaround for this is to use a separate implementation of RelyingPartyRegistrationRepository just for the download metadata workflow, that fills the asserting party details with dummy values that are not used in the download metadata flow anyway

Comment From: jzheaux

Thanks for suggesting this, I think that it would be a good idea. As this was requested in https://github.com/spring-projects/spring-security/issues/11369, I'll close this as a duplicate, and we can continue the conversation over there.