Saml2RelyingPartyRegistrationConfiguration chooses the wrong RelyingPartyRegistration.Builder when using a metadata file with multiple providers. It always just chooses the first one it finds, when it actually should choose the one with the correct entity-id.
The method now is:
private RelyingPartyRegistration asRegistration(String id, Registration properties) {
    AssertingPartyProperties assertingParty = new AssertingPartyProperties(properties, id);
    boolean usingMetadata = StringUtils.hasText(assertingParty.getMetadataUri());
    Builder builder = (usingMetadata)
            ? RelyingPartyRegistrations.fromMetadataLocation(assertingParty.getMetadataUri()).registrationId(id)
            : RelyingPartyRegistration.withRegistrationId(id);
    ....
when it could be for example:
private RelyingPartyRegistration asRegistration(String id, Registration properties) {
    AssertingPartyProperties assertingParty = new AssertingPartyProperties(properties, id);
    boolean usingMetadata = StringUtils.hasText(assertingParty.getMetadataUri());
    Builder builder = (usingMetadata)
            // Select the provider whose asserting-party entity id matches the configured one.
            // The lambda parameter must not be named "builder" (it would shadow the local being
            // declared), the comparison has to use the asserting party's entity id rather than
            // the relying party's, and the Stream has to be reduced to a single Builder.
            // If no provider matches, fail rather than silently falling back to the first one.
            ? RelyingPartyRegistrations.collectionFromMetadataLocation(assertingParty.getMetadataUri())
                    .stream()
                    .filter((candidate) -> assertingParty.getEntityId()
                            .equals(candidate.build().getAssertingPartyDetails().getEntityId()))
                    .findFirst()
                    .orElseThrow(() -> new IllegalStateException(
                            "No asserting party with entity id " + assertingParty.getEntityId()
                                    + " found in " + assertingParty.getMetadataUri()))
                    .registrationId(id)
            : RelyingPartyRegistration.withRegistrationId(id);
    ....
This can be tested with metadata files that have multiple providers, such as https://virtu-ds.csc.fi/fed/virtu/virtu-metadata-v7.xml
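To show the selection problem on its own, independent of Spring, here is an added example (not code from this issue or from Spring Boot) that parses a constructed SAML EntitiesDescriptor holding two IdPs: "first entity in the file" returns the wrong provider's SSO endpoint, while selecting by entityID returns the intended one and fails closed when there is no match. The metadata, entity ids and endpoints are made-up sample values.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: an aggregate (federation) metadata file listing two identity
# providers. The ordering is arbitrary, which is exactly why "take the first" is unsafe.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp-a.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-a.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-b.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_descriptors(metadata_xml: str) -> list:
    """Return every EntityDescriptor; both a single-entity and an aggregate root are valid."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        return [root]
    return root.findall(f"{{{MD_NS}}}EntityDescriptor")


def sso_location(entity) -> str:
    """SingleSignOnService Location of the IdP role inside one EntityDescriptor."""
    sso = entity.find(f"{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService")
    return sso.get("Location")


def first_idp_sso_location(metadata_xml: str) -> str:
    """Current (buggy) behaviour: whichever provider happens to come first wins."""
    return sso_location(entity_descriptors(metadata_xml)[0])


def select_idp_sso_location(metadata_xml: str, entity_id: str) -> str:
    """Intended behaviour: pick the provider by entityID and refuse to guess otherwise."""
    matches = [e for e in entity_descriptors(metadata_xml) if e.get("entityID") == entity_id]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one IdP with entityID {entity_id!r}, found {len(matches)}")
    return sso_location(matches[0])
```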
Comment From: philwebb
Closing in favor of PR #35902