With thanks to @Anubhav-2000 and @jvalkeal, as diagnosed in https://github.com/spring-projects/spring-security/issues/12810, there are some situations where deprecated identityprovider properties are ignored. Consider this YAML:
```yaml
spring:
  security:
    saml2:
      relyingparty:
        registration:
          adfs:
            identityprovider:
              entity-id: https://idp.example.com/issuer
              verification:
                credentials:
                  - certificate-location: "classpath:idp.crt"
              singlesignon:
                url: https://idp.example.com/issuer/sso
                sign-request: false
```
In this case the certificate location is ignored. This happens because the `assertingparty` properties that replaced `identityprovider` have a non-null default `Verification`. That default `Verification`, with its empty `List<Credential>`, is then used, and the configured location `classpath:idp.crt` is ignored.
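A small stand-alone model of the defaulting problem described above (added illustration, not Spring Boot's own code; all class and field names are hypothetical): the replacement property is never null, so a "prefer the new property when set" merge never falls back to the deprecated one, and the bound certificate location is lost.

```java
import java.util.ArrayList;
import java.util.List;

public class DeprecatedFallbackDemo {

    // Hypothetical stand-in for the bound Verification property.
    static class Verification {
        List<String> certificateLocations = new ArrayList<>();
    }

    // Replacement property: defaults to a non-null, empty Verification.
    static class AssertingParty {
        Verification verification = new Verification();
    }

    // Deprecated property: this is what the YAML in the report populates.
    static class IdentityProvider {
        Verification verification = new Verification();
    }

    // Buggy merge: "use the new property if present" degenerates to
    // "always use the new property", because its default is never null.
    static Verification mergeBuggy(AssertingParty ap, IdentityProvider idp) {
        return ap.verification != null ? ap.verification : idp.verification;
    }

    // One possible fix: treat an unconfigured (empty) new property as absent
    // and fall through to the deprecated value the user actually set.
    static Verification mergeFixed(AssertingParty ap, IdentityProvider idp) {
        boolean newPropertyConfigured = ap.verification != null
                && !ap.verification.certificateLocations.isEmpty();
        return newPropertyConfigured ? ap.verification : idp.verification;
    }

    public static void main(String[] args) {
        AssertingParty ap = new AssertingParty();        // nothing bound here
        IdentityProvider idp = new IdentityProvider();
        // Constructed sample value, mirroring the YAML in the report.
        idp.verification.certificateLocations.add("classpath:idp.crt");

        System.out.println("buggy: " + mergeBuggy(ap, idp).certificateLocations);
        System.out.println("fixed: " + mergeFixed(ap, idp).certificateLocations);
    }
}
```

The buggy merge returns the empty default list, which is exactly why the configured certificate is silently dropped; the fixed merge returns the deprecated value until the new property is actually set.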
Another symptom of this is that warnings are not logged about all of the deprecated properties. With the above YAML, the following is logged:
```
2023-03-09 09:59:22.213 WARN 69586 --- [ main] ml2RelyingPartyRegistrationConfiguration : Property 'spring.security.saml2.relyingparty.registration.identityprovider.adfs.entity-id' is deprecated, please use 'spring.security.saml2.relyingparty.registration.assertingparty.adfs.entity-id' instead
2023-03-09 09:59:24.152 WARN 69586 --- [ main] ml2RelyingPartyRegistrationConfiguration : Property 'spring.security.saml2.relyingparty.registration.identityprovider.adfs.singlesignon.url' is deprecated, please use 'spring.security.saml2.relyingparty.registration.assertingparty.adfs.singlesignon.url' instead
2023-03-09 09:59:25.123 WARN 69586 --- [ main] ml2RelyingPartyRegistrationConfiguration : Property 'spring.security.saml2.relyingparty.registration.identityprovider.adfs.singlesignon.sign-request' is deprecated, please use 'spring.security.saml2.relyingparty.registration.assertingparty.adfs.singlesignon.sign-request' instead
```