The value of saml.sso.metadata-generator.entity-base-url must not end in a slash - if it does, Spring Security SAML will generate invalid URLs in the assertions.
For example, with saml.sso.metadata-generator.entity-base-url=http://localhost:8080/ the authentication assertion generated is:
The problem is caused in org.springframework.security.saml.metadata.MetadataGenerator.getServerURL(String, String, String, Map<String, String>): it's called as getServerURL("http://localhost:8080/", null, "/saml/SSO", null) and returns "http://localhost:8080//saml/SSO".
I suggest that either:
- A validation pattern be placed on com.github.ulisesbocchio.spring.boot.security.saml.properties.MetadataGeneratorProperties.entityBaseUrl such as @Pattern(regexp = "[^\\/]$", message="must not end in /")
- The trailing slash be stripped when the property is set
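The two options above, sketched as an added example (not code from the project or from Spring Security SAML). The class and method names are hypothetical, `endpointUrl` is a plain-concatenation stand-in for the behaviour reported for `getServerURL`, and the pattern is written as `.*[^/]$` because Bean Validation's `@Pattern` has to match the whole value, not just its last character.

```java
import java.util.regex.Pattern;

public class EntityBaseUrlCheck {

    // Full-match form of the "must not end in /" rule. A bare "[^/]$" would
    // only accept one-character values when evaluated with matches().
    static final Pattern NO_TRAILING_SLASH = Pattern.compile(".*[^/]$");

    // Stand-in for the concatenation described in the issue (assumption, not
    // the Spring Security SAML source): base URL followed by the endpoint path.
    static String endpointUrl(String entityBaseUrl, String path) {
        return entityBaseUrl + path;
    }

    // Option 2 from the issue: strip trailing slashes when the property is set.
    static String stripTrailingSlashes(String entityBaseUrl) {
        int end = entityBaseUrl.length();
        while (end > 0 && entityBaseUrl.charAt(end - 1) == '/') {
            end--;
        }
        return entityBaseUrl.substring(0, end);
    }

    // Option 1 from the issue: reject the value instead of repairing it.
    static boolean isValid(String entityBaseUrl) {
        return NO_TRAILING_SLASH.matcher(entityBaseUrl).matches();
    }

    public static void main(String[] args) {
        String[] samples = {                  // constructed sample values
            "http://localhost:8080/",
            "http://localhost:8080",
            "https://sp.example.test/app//"
        };
        for (String raw : samples) {
            String fixed = stripTrailingSlashes(raw);
            System.out.printf("%-30s valid=%-5b raw=%s fixed=%s%n",
                    raw, isValid(raw),
                    endpointUrl(raw, "/saml/SSO"),
                    endpointUrl(fixed, "/saml/SSO"));
        }
    }
}
```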