saml.sso.metadata-generator.entity-base-url must not end in /

[candrews]

The value of saml.sso.metadata-generator.entity-base-url must not end in a slash - if it does, Spring Security SAML will generate invalid URLs for in the assertions.

For example, with saml.sso.metadata-generator.entity-base-url=http://localhost:8080/ the authentication assertion generated is:

<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://localhost:8080//saml/SSO" Destination="https://REDACTED/sso/saml/authenticate" ForceAuthn="false" ID="a1gafgbc456ed2ibhdcbdgc5b17107" IsPassive="false" IssueInstant="2018-04-27T14:35:31.456Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost</saml2:Issuer><saml2p:Scoping ProxyCount="2"/></saml2p:AuthnRequest>

The problem is caused in org.springframework.security.saml.metadata.MetadataGenerator.getServerURL(String, String, String, Map<String, String>), it's called as getServerURL("http://localhost:8080/", null, "/saml/SSO", null) and returns "http://localhost:8080//saml/SSO"

I suggest that either:

1. a validation pattern be placed on com.github.ulisesbocchio.spring.boot.security.saml.properties.MetadataGeneratorProperties.entityBaseUrl such as @Pattern(regexp = "[^\\/]$", message="must not end in /")
2. The trailing slash be stripped when the property is set

[candrews]

Reported upstream at https://github.com/spring-projects/spring-security-saml/pull/238

[ulisesbocchio]

thanks @candrews feel free to submit pull request for either of your suggested solutions