spring-attic / spring-security-saml

SAML extension for the Spring Security project

wrong descriptor and extended metadata are loaded to context, when IDP and SP share the same entityID #506

Open edisonleonardo opened 3 years ago

edisonleonardo commented 3 years ago

With the scenario of IDP and SP sharing the same entityID, and the IDP provider being set first in the metadata manager provider list, the populateLocalEntity method in SAMLContextProviderImpl.java gets the IDP descriptor and IDP extended metadata, so the context is loaded with the wrong entityDescriptor, extendedMetadata, and wrong LocalSigningCredential when the IDP has one set.

initializeProviderData in MetadataManager validates IDP and SP entityIDs separately, so I think having the same IDP and SP entityID is a valid scenario.

    protected void populateLocalEntity(SAMLMessageContext samlContext) throws MetadataProviderException {

        String localEntityId = samlContext.getLocalEntityId();
        QName localEntityRole = samlContext.getLocalEntityRole();

        if (localEntityId == null) {
            throw new MetadataProviderException("No hosted service provider is configured and no alias was selected");
        }

        EntityDescriptor entityDescriptor = metadata.getEntityDescriptor(localEntityId);
        RoleDescriptor roleDescriptor = metadata.getRole(localEntityId, localEntityRole, SAMLConstants.SAML20P_NS);
        ExtendedMetadata extendedMetadata = metadata.getExtendedMetadata(localEntityId);

        if (entityDescriptor == null || roleDescriptor == null) {
            throw new MetadataProviderException("Metadata for entity " + localEntityId + " and role " + localEntityRole + " wasn't found");
        }

        samlContext.setLocalEntityMetadata(entityDescriptor);
        samlContext.setLocalEntityRoleMetadata(roleDescriptor);
        samlContext.setLocalExtendedMetadata(extendedMetadata);

        if (extendedMetadata.getSigningKey() != null) {
            samlContext.setLocalSigningCredential(keyManager.getCredential(extendedMetadata.getSigningKey()));
        } else {
            samlContext.setLocalSigningCredential(keyManager.getDefaultCredential());
        }

    }

Thanks for your attention.
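The following is an added, self-contained illustration of the lookup problem the issue describes; it is not code from spring-security-saml or from the issue author, and the `Descriptor`, `Role`, `firstByEntityId` and `byEntityIdAndRole` names, along with the sample entityID and key aliases, are constructed for the example. It models a provider list in which an IDP and an SP share one entityID, with the IDP registered first: a lookup keyed on entityID alone (the shape of `getEntityDescriptor(localEntityId)` / `getExtendedMetadata(localEntityId)` above) returns the IDP entry, so the local SP would be populated with the IDP's metadata and its signing key alias, while a lookup that also matches the local role returns the SP entry.

```java
import java.util.List;

// Constructed model of per-entity metadata; NOT the OpenSAML or
// Spring Security SAML types.
public class SharedEntityIdLookup {

    enum Role { IDP, SP }

    static final class Descriptor {
        final String entityId;
        final Role role;
        final String signingKeyAlias; // signing key from extended metadata, may be null

        Descriptor(String entityId, Role role, String signingKeyAlias) {
            this.entityId = entityId;
            this.role = role;
            this.signingKeyAlias = signingKeyAlias;
        }
    }

    // Mirrors a lookup keyed on entityID only: the first provider whose
    // entityID matches wins, regardless of which role it describes.
    static Descriptor firstByEntityId(List<Descriptor> providers, String entityId) {
        for (Descriptor d : providers) {
            if (d.entityId.equals(entityId)) {
                return d;
            }
        }
        return null;
    }

    // Role-aware lookup: the entry must match both the entityID and the
    // role the local entity is acting in, so a shared entityID is not ambiguous.
    static Descriptor byEntityIdAndRole(List<Descriptor> providers, String entityId, Role role) {
        for (Descriptor d : providers) {
            if (d.entityId.equals(entityId) && d.role == role) {
                return d;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: IDP listed first, SP second, identical entityID.
        String sharedId = "https://example.test/saml"; // constructed value
        List<Descriptor> providers = List.of(
                new Descriptor(sharedId, Role.IDP, "idp-signing"),
                new Descriptor(sharedId, Role.SP, "sp-signing"));

        // The local entity is the SP, yet the entityID-only lookup yields the IDP entry.
        Descriptor byIdOnly = firstByEntityId(providers, sharedId);
        Descriptor byIdAndRole = byEntityIdAndRole(providers, sharedId, Role.SP);

        System.out.printf("entityID-only lookup for local SP -> role=%s, signingKey=%s%n",
                byIdOnly.role, byIdOnly.signingKeyAlias);
        System.out.printf("entityID+role lookup for local SP -> role=%s, signingKey=%s%n",
                byIdAndRole.role, byIdAndRole.signingKeyAlias);
    }
}
```

Run with `javac SharedEntityIdLookup.java && java SharedEntityIdLookup`; the first line reports the IDP role and `idp-signing`, the second the SP role and `sp-signing`. The practical consequence of the first result is that the SP would sign outbound messages with a credential belonging to the IDP entry and advertise the IDP's metadata as its own, which is why a lookup that qualifies the entityID with the local role is the safer shape when both roles are hosted under one entityID.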