Note: originally created as a Spring Security bug: https://github.com/spring-projects/spring-security/issues/9744
Describe the bug
Binding value of POST provided in IdP metadata overridden by default value of REDIRECT

To Reproduce
Configure IdP via metadata, containing either:
- a single SingleSignOnService
- multiple SingleSignOnService, with POST being first
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://path/to/sso/url" />
Expected behavior
Auth requests should be done via HTTP POST, but the default of REDIRECT in registration properties overrides the metadata value.
See Saml2RelyingPartyRegistrationConfiguration.mapIdentityProvider() when no IdP properties are set, other than the metadata location.
Note: it is possible to work around this by adding a property to set the binding to POST, but that shouldn't be necessary.
Comment From: mbhave
At the moment, there isn't a way for us to tell the difference between a user-configured binding and the default REDIRECT. We would need to change the default for Saml2MessageBinding in Saml2RelyingPartyProperties to null, so that we can decide whether to use the one from the metadata or the explicitly configured one.
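As an added illustration of the resolution order described in the report and in the comment above (this is not Spring Boot's or Spring Security's own code), the following stand-alone Java contrasts a property whose default is REDIRECT with one whose default is null. `Saml2MessageBinding` is declared locally as a stand-in for Spring Security's enum of the same name so the file compiles without Spring on the classpath; `bindingFromUrn`, `resolveWithRedirectDefault` and `resolveWithNullDefault` are hypothetical helper names, and the two binding URNs are the standard SAML 2.0 identifiers.

```java
import java.util.Objects;

// Local stand-in for Spring Security's Saml2MessageBinding (assumption: same two constants).
enum Saml2MessageBinding { POST, REDIRECT }

public class BindingResolutionExample {

    // Standard SAML 2.0 binding identifiers as they appear in the Binding attribute
    // of <md:SingleSignOnService ...> in IdP metadata.
    static final String URN_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    static final String URN_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    /** Maps the Binding URN of the chosen SingleSignOnService element to the enum. */
    static Saml2MessageBinding bindingFromUrn(String urn) {
        Objects.requireNonNull(urn, "Binding attribute is required");
        if (URN_POST.equals(urn)) {
            return Saml2MessageBinding.POST;
        }
        if (URN_REDIRECT.equals(urn)) {
            return Saml2MessageBinding.REDIRECT;
        }
        throw new IllegalArgumentException("unsupported SingleSignOnService binding: " + urn);
    }

    /**
     * The behaviour the report describes: the property object already holds REDIRECT
     * as its default, so "user set REDIRECT" and "user set nothing" are indistinguishable
     * and a POST binding taken from metadata is always discarded.
     */
    static Saml2MessageBinding resolveWithRedirectDefault(Saml2MessageBinding fromMetadata,
                                                          Saml2MessageBinding fromProperties) {
        // fromProperties is never null in this model: it defaults to REDIRECT.
        return fromProperties != null ? fromProperties : fromMetadata;
    }

    /**
     * The change proposed in the comment: default the property to null so that "unset"
     * is observable; an explicit property still wins, otherwise the metadata value is
     * used, and only when neither source supplies a binding does the old default apply.
     */
    static Saml2MessageBinding resolveWithNullDefault(Saml2MessageBinding fromMetadata,
                                                      Saml2MessageBinding fromProperties) {
        if (fromProperties != null) {
            return fromProperties;             // explicitly configured by the user
        }
        if (fromMetadata != null) {
            return fromMetadata;               // taken from the IdP's SingleSignOnService
        }
        return Saml2MessageBinding.REDIRECT;   // neither source set it: keep the old default
    }

    public static void main(String[] args) {
        // Constructed input: the Binding attribute from the XML element quoted in the report.
        Saml2MessageBinding metadata = bindingFromUrn(URN_POST);

        // Current behaviour: the REDIRECT default wins and the metadata POST is lost.
        System.out.println("REDIRECT default, property unset: "
                + resolveWithRedirectDefault(metadata, Saml2MessageBinding.REDIRECT));

        // Proposed behaviour: an unset property (null) lets the metadata decide.
        System.out.println("null default, property unset:     "
                + resolveWithNullDefault(metadata, null));

        // An explicit property still overrides the metadata value.
        System.out.println("null default, explicit REDIRECT:  "
                + resolveWithNullDefault(metadata, Saml2MessageBinding.REDIRECT));

        // No binding from either source: fall back to the historical default.
        System.out.println("null default, nothing set:        "
                + resolveWithNullDefault(null, null));
    }
}
```

The workaround mentioned in the report corresponds to the third case: setting the binding explicitly in the registration properties makes the value non-null regardless of the default, which is why it works today but should not be needed once the default is null.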