
restore saml entity id alias #3966

Merged: duanemay merged 4 commits into develop from pr/restore-saml-entityIDAlias, Jun 29, 2026

Conversation

@fhanik (Contributor) commented Jun 26, 2026

The fix to #3661 was incomplete. It allowed the SP-initiated authentication to work, but the missing piece is IDP-initiated authentication.

The fix is server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRelyingPartyRegistrationRepositoryConfig.java line 113. The rest of the PR is test cases and documentation.

fhanik added 4 commits June 26, 2026 09:30
…a URL

When login.entityID is a full URL (e.g. https://example.com/uaa) and
login.saml.entityIDAlias is not set, UaaRelyingPartyRegistrationResolver
derives the alias as the full URL while the repo derives it as just the
hostname. The resulting endsWith mismatch causes the resolver to fall
through to DefaultRelyingPartyRegistrationRepository (stub cert), which
cannot validate the IdP-signed assertion → redirect to /saml_error.

Adds IdpInitiatedSsoWithUrlEntityIdTests to SamlAuthenticationMockMvcTests
and a responseWithAssertionsForDestination helper to Saml2TestUtils. The
new test intentionally fails until the fix is applied.
…yID is a URL

When login.entityID is a full URL and login.saml.entityIDAlias is not
configured, UaaRelyingPartyRegistrationResolver was using the full URL as
the alias fallback while SamlRelyingPartyRegistrationRepositoryConfig (the
repo) was already extracting just the hostname via
UaaStringUtils.getHostIfArgIsURL(). This mismatch caused the resolver's
endsWith check to always fail for URL-form entity IDs, forcing the fallback
to DefaultRelyingPartyRegistrationRepository (stub cert) → "Invalid
signature" for IDP-initiated SSO.

Fix: apply the same getHostIfArgIsURL derivation in the resolver bean so
both code paths agree on the alias without requiring operators to explicitly
set login.saml.entityIDAlias. Behaviour is unchanged when entityID is
already a plain hostname (getHostIfArgIsURL returns it as-is).

Partial fix introduced in b2e36ec ("Addressing issue #3661") which updated
the repo but not the resolver.
Adds two new nested tests to SamlAuthenticationMockMvcTests that verify
IDP-initiated SSO works in non-default identity zones when login.entityID
is a plain string:

- idpInitiatedSso_subdomainZone_succeeds: zone resolved via Host header subdomain
- idpInitiatedSso_zonePathZone_succeeds: zone resolved via /z/{subdomain}/ path prefix

Both tests register a classpath-based test IdP (test-saml-idp-metadata-redirect-binding.xml)
with its entity ID explicitly stored in external_key — required because SamlIdentityProviderDefinition
classifies classpath: URLs as UNKNOWN type, preventing dynamic entity-ID resolution via
SamlIdentityProviderConfigurator.getExtendedMetadataDelegate. Setting idpEntityId before
create() causes JdbcIdentityProviderProvisioning to persist it as external_key, enabling
ConfiguratorRelyingPartyRegistrationRepository.getIdentityProviderDefinitionsForIssuer to
find the correct registration by issuer entity ID.

Also overloads createMockSamlIdpInSpZone to accept an optional idpEntityId parameter.
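The mismatch the second commit message describes, shown in an added example that is not UAA's code. The `getHostIfArgIsURL` method here is a hypothetical reimplementation of the behaviour the commit attributes to `UaaStringUtils.getHostIfArgIsURL()`, the registration id format (`idp-` plus the repository's alias) is constructed, and the direction of the `endsWith` check (registration id ending with the resolver's alias) is an assumption made for illustration:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Optional;

/**
 * Added example, not code from the UAA project: models the alias-derivation
 * mismatch between the resolver and the repository. Method names, the
 * registration id format and the shape of the endsWith check are assumptions.
 */
public final class EntityIdAliasExample {

    /** Hypothetical stand-in for UaaStringUtils.getHostIfArgIsURL(): host for a URL, the input otherwise. */
    static String getHostIfArgIsURL(String arg) {
        if (arg == null) {
            return null;
        }
        try {
            URI uri = new URI(arg);
            if (uri.getScheme() != null && uri.getHost() != null) {
                return uri.getHost();
            }
        } catch (URISyntaxException e) {
            // Not parseable as a URL: treat it as a plain entity ID.
        }
        return arg;
    }

    /** Alias the repository side derives (already host-based before this PR). */
    static String repositoryAlias(String entityId, String configuredAlias) {
        return configuredAlias != null ? configuredAlias : getHostIfArgIsURL(entityId);
    }

    /** Alias the resolver used before the fix: the raw login.entityID as fallback. */
    static String resolverAliasBeforeFix(String entityId, String configuredAlias) {
        return configuredAlias != null ? configuredAlias : entityId;
    }

    /** Alias the resolver uses after the fix: the same host derivation as the repository. */
    static String resolverAliasAfterFix(String entityId, String configuredAlias) {
        return configuredAlias != null ? configuredAlias : getHostIfArgIsURL(entityId);
    }

    /**
     * Assumed shape of the resolver's lookup: pick the registration whose id ends with
     * the resolver's alias. An empty result is the "fall through to the default
     * repository with the stub certificate" path the commit message describes.
     */
    static Optional<String> findRegistration(List<String> registrationIds, String resolverAlias) {
        return registrationIds.stream()
                .filter(id -> id.endsWith(resolverAlias))
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample values: a URL-form entity ID and a plain hostname.
        String[] entityIds = {"https://example.com/uaa", "uaa.example.org"};
        for (String entityId : entityIds) {
            // Registration id keyed by the repository's alias (constructed format).
            String registrationId = "idp-" + repositoryAlias(entityId, null);
            List<String> registrations = List.of(registrationId);

            String before = resolverAliasBeforeFix(entityId, null);
            String after = resolverAliasAfterFix(entityId, null);

            System.out.printf("entityID=%s%n", entityId);
            System.out.printf("  before fix: alias=%s -> %s%n", before,
                    findRegistration(registrations, before)
                            .map(r -> "matched " + r)
                            .orElse("no match, falls through to default repository"));
            System.out.printf("  after fix:  alias=%s -> %s%n", after,
                    findRegistration(registrations, after)
                            .map(r -> "matched " + r)
                            .orElse("no match, falls through to default repository"));
        }
    }
}
```

Running `main` shows the URL-form entity ID failing the lookup before the fix (the alias `https://example.com/uaa` never matches a registration keyed by `example.com`) and succeeding after it, while the plain-hostname case resolves identically in both versions, which is the "behaviour unchanged" property the commit message claims. The same two cases are the ones a unit test guarding against a regression of this mismatch would cover.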
@github-project-automation github-project-automation Bot moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group Jun 29, 2026
@duanemay duanemay merged commit 5d42e16 into develop Jun 29, 2026
28 of 29 checks passed
@duanemay duanemay deleted the pr/restore-saml-entityIDAlias branch June 29, 2026 14:49
@github-project-automation github-project-automation Bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group Jun 29, 2026


Successfully merging this pull request may close these issues.

SAML Metadata - incorrect SAML metadata is generated when entityID is a URL

3 participants