FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

IdP Saml v2 - Metadata url leads to 404 #2316

Open beezerk23 opened 1 year ago

beezerk23 commented 1 year ago

IdP Saml v2 - Metadata url leads to 404

Description

When creating a SAML v2 IdP you get this metadata URL: `https://FUSIONAUTH/samlv2/sp/metadata/SOME_UUID`

This URL for me always leads to a 404. I found out that if you remove the /sp, so the URL becomes https://FUSIONAUTH/samlv2/metadata/SOME_UUID, it works fine and gives you the metadata XML.

Is the URL without /sp the correct one, or is there another issue?

Affects versions

1.45.1

Steps to reproduce

Create a SAML v2 IdP with nonsense data. After creating it, click on the View/Search icon, copy the metadata URL and paste it into your browser window.

Expected behavior

The given metadata URL should work without removing parts of it.

mooreds commented 1 year ago

Replicated this on 1.45.3

robotdan commented 1 year ago

I believe this is working as designed.

This will occur unless you enable it for at least one application. When it is disabled, a 404 will be returned.

Ideally we would return a 404 w/out a body. We could leave this open to make that change.

beezerk23 commented 1 year ago

@robotdan Is this documented somewhere? Because right now it just seems odd. We had the use case that we needed to create the IdP to provide the metadata URL to a third party for them to set it up on their side. So at this point the IdP is not usable but needs to be enabled on an application for the metadata URL to work?

robotdan commented 1 year ago

> So at this point the IdP is not usable but needs to be enabled on an application for the metadata url to work?

This is correct. Why do you want the metadata URL to work if you are not going to enable it for the application? Maybe I don't understand the use case.

n00borama commented 11 months ago

@robotdan The SAML dance when setting up IdPs is one where one end has to go first to produce metadata for the other. We choose to go first and give our customers an easier time setting up by importing the metadata. At the point where we set up, we're using an example.com endpoint and are not attaching to an app. The IdP config is essentially 'dummy' until the customer completes their end and we revisit and finalise ours. Either this intended behaviour needs to be more clear, that if you don't attach an app you can't receive metadata, or it should provide metadata regardless. Does anything change in the metadata when it is attached to an app? I would think the endpoint, entityID, etc., remain the same?
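A small check for the behaviour this thread describes, added here as an example and not part of the issue or of FusionAuth's own code: it fetches a SAML v2 SP metadata URL, reports a 404 as "IdP not enabled for any application" (the explanation given above), and on 200 parses the EntityDescriptor for the entityID and AssertionConsumerService endpoints a third party would need. The sample XML and its example.com values are constructed placeholders, not FusionAuth output.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def parse_sp_metadata(xml_bytes: bytes) -> dict:
    """Pull out what a third party needs from SP metadata: entityID and ACS endpoints."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    return {"entity_id": root.get("entityID"), "acs": acs}

def classify(status: int, body: bytes) -> str:
    """Map the HTTP status to the cause described in the issue thread."""
    if status == 404:
        return "404: IdP not enabled for any application (working as designed)"
    if status == 200:
        md = parse_sp_metadata(body)
        return f"200: entityID={md['entity_id']} acs={md['acs']}"
    return f"unexpected HTTP {status}"

def check_url(url: str) -> str:
    """Fetch the metadata URL; urllib raises HTTPError on 404, so handle both paths."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

# Constructed sample shaped like SAML 2.0 SP metadata; placeholder values, not FusionAuth output.
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Pass a metadata URL to check it live; with no argument, run against the constructed sample.
    print(check_url(sys.argv[1]) if len(sys.argv) > 1 else classify(200, SAMPLE))
```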