spring-attic / spring-security-saml

SAML extension for the Spring Security project

MetadataManager returns random idp from the list of registered #527

Open LapitskiyKirill opened 2 years ago

LapitskiyKirill commented 2 years ago

Hello, I am new to Spring Security SAML.

I am supporting an application that uses SAML.

I found that in some cases Spring uses the getDefaultIDP() method from MetadataManager (https://github.com/spring-projects/spring-security-saml/blob/main/core/src/main/java/org/springframework/security/saml/metadata/MetadataManager.java#L815), and I can't understand why it returns the first IdP it can find when no default IdP is specified. Is it a good idea to return the first IdP instead of throwing an exception? I think that if someone has not specified this field, they expect that the metadata manager will not return a random IdP (it can be a random customer). It will be unacceptable for someone if the samlEntryPoint redirects users to a random customer (in case we didn't specify the entity ID when going through the link SAMLAPPLICATION/login?disco=true, or in the case of IdP discovery).

Am I right? Could it be because of an incorrect configuration of the application? Could I disable it without using a custom filter that blocks SAMLAPPLICATION/login?disco=true requests, extending spring-security-saml, or using the default IdP field to specify a default IdP?
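One fail-closed option, shown here as an added example that is not part of this issue or of spring-security-saml itself: a MetadataManager subclass that only ever returns an IdP that was set explicitly through setDefaultIDP(), and otherwise throws instead of falling back to the first registered entity. It assumes the CachingMetadataManager(List<MetadataProvider>) constructor and the getIDPEntityNames()/setDefaultIDP() methods of the MetadataManager linked above; the class name FailClosedMetadataManager is made up for this example.

```java
import java.util.List;
import java.util.Set;

import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.security.saml.metadata.CachingMetadataManager;

/**
 * Example (hypothetical) subclass, not shipped by spring-security-saml.
 *
 * The stock MetadataManager.getDefaultIDP() returns the first entity from
 * getIDPEntityNames() when no default was configured. With several customer
 * IdPs loaded, a /login?disco=true request without an explicit entity ID
 * would therefore be redirected to whichever IdP happens to be first.
 * This subclass refuses to guess: no explicit default means no IdP.
 */
public class FailClosedMetadataManager extends CachingMetadataManager {

    // Tracks the value handed to setDefaultIDP(); the parent's field is private.
    private volatile String explicitDefaultIdp;

    public FailClosedMetadataManager(List<MetadataProvider> providers)
            throws MetadataProviderException {
        super(providers);
    }

    @Override
    public void setDefaultIDP(String defaultIDP) {
        // Remember what the operator configured, then let the parent store it too.
        this.explicitDefaultIdp = defaultIDP;
        super.setDefaultIDP(defaultIDP);
    }

    @Override
    public String getDefaultIDP() throws MetadataProviderException {
        String configured = explicitDefaultIdp;
        Set<String> known = getIDPEntityNames();

        if (configured == null) {
            // Fail closed: callers (SAMLEntryPoint, discovery, context provider)
            // get an exception rather than an arbitrary customer's IdP.
            throw new MetadataProviderException(
                "No default IDP configured; refusing to pick one of " + known
                + ". Set defaultIDP explicitly or pass the IdP entity ID in the request.");
        }

        if (!known.contains(configured)) {
            // A typo in the configured entity ID must not silently degrade to
            // "first IdP in the list" either.
            throw new MetadataProviderException(
                "Configured default IDP '" + configured
                + "' is not present in the loaded metadata: " + known);
        }

        return configured;
    }
}
```

Wiring is the same as for CachingMetadataManager: register this class as the metadata manager bean with the same list of metadata providers as the constructor argument. The exception surfaces as a failed login instead of a redirect, so the check belongs alongside a test that a /login?disco=true request with no entity ID no longer produces a Location header pointing at any IdP.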